Merge branch 'v2-dev' of https://github.com/certd/certd into v2-dev

2026-05-15 04:27:31 +08:00 · 2026-03-25 12:48:56 +08:00
parent b1eb706925 5a01634ca3
commit c5d285f755
53 changed files with 783 additions and 152 deletions
@@ -0,0 +1,159 @@
+import { IsTaskPlugin, pluginGroups, RunStrategy, TaskInput } from '@certd/pipeline';
+import { AbstractPlusTaskPlugin } from "@certd/plugin-plus";
+import dayjs from 'dayjs';
+import { AliyunAccess } from '../../../plugin-lib/aliyun/access/index.js';
+import { AliyunSslClient } from '../../../plugin-lib/aliyun/lib/index.js';
+
+@IsTaskPlugin({
+  name: 'AliyunDeleteExpiringCert',
+  title: '阿里云-删除即将过期证书',
+  icon: 'ant-design:aliyun-outlined',
+  group: pluginGroups.aliyun.key,
+  desc: '仅删除未使用的证书',
+  default: {
+    strategy: {
+      runStrategy: RunStrategy.AlwaysRun,
+    },
+  },
+  needPlus: true,
+})
+export class AliyunDeleteExpiringCert extends AbstractPlusTaskPlugin {
+  @TaskInput({
+    title: 'Access提供者',
+    helper: 'access 授权',
+    component: {
+      name: 'access-selector',
+      type: 'aliyun',
+    },
+    required: true,
+  })
+  accessId!: string;
+
+  @TaskInput({
+    title: '地域',
+    helper: '阿里云CAS证书服务地域',
+    component: {
+      name: 'a-select',
+      options: [
+        { value: 'cas.aliyuncs.com', label: '中国大陆' },
+        { value: 'cas.ap-southeast-1.aliyuncs.com', label: '新加坡' },
+      ],
+    },
+    required: true,
+    value: 'cas.aliyuncs.com',
+  })
+  endpoint!: string;
+
+  // @TaskInput({
+  //   title: '关键字筛选',
+  //   helper: '仅匹配证书名称、域名包含关键字的证书，可以不填',
+  //   required: false,
+  //   component: {
+  //     name: 'a-input',
+  //   },
+  // })
+  // searchKey!: string;
+
+  @TaskInput({
+    title: '最大删除数量',
+    helper: '单次运行最大删除数量',
+    value: 100,
+    component: {
+      name: 'a-input-number',
+      vModel: 'value',
+    },
+    required: true,
+  })
+  maxCount!: number;
+
+  @TaskInput({
+    title: '即将过期天数',
+    helper: '仅删除有效期小于此天数的证书,0表示完全过期时才删除',
+    value: 0,
+    component: {
+      name: 'a-input-number',
+      vModel: 'value',
+    },
+    required: true,
+  })
+  expiringDays!: number;
+
+  @TaskInput({
+    title: '检查超时时间',
+    helper: '检查删除任务结果超时时间,单位分钟',
+    value: 10,
+    component: {
+      name: 'a-input-number',
+      vModel: 'value',
+    },
+    required: true,
+  })
+  checkTimeout!: number;
+
+  async onInstance() {}
+
+  async execute(): Promise<void> {
+    const access = await this.getAccess<AliyunAccess>(this.accessId);
+    const sslClient = new AliyunSslClient({
+      access,
+      logger: this.logger,
+      endpoint: this.endpoint,
+    });
+
+    const params = {
+      ShowSize: 100,
+      CurrentPage: 1,
+      // Keyword: this.searchKey,
+    };
+    const certificates: any[] = [];
+    while(true){
+      const res = await sslClient.doRequest('ListCertificates', params, {
+          method: 'POST',
+        });
+      let list = res?.CertificateList;
+      if (!list || list.length === 0) {
+        break;
+      }
+      this.logger.info(`查询第${params.CurrentPage}页，每页${params.ShowSize}个证书，当前页共${list.length}个证书`);
+
+      const lastDay = dayjs().add(this.expiringDays, 'day');
+      list = list.filter((item: any) => {
+        const notAfter = item.NotAfter;
+        const usingProducts = item.UsingProductList;
+        return dayjs(notAfter).isBefore(lastDay) && (!usingProducts || usingProducts.length === 0);
+      });
+      for (const item of list) {
+        this.logger.info(`证书ID:${item.CertificateId}, 过期时间:${item.NotAfter}，名称:${item.CertificateName}，证书域名:${item.Domain}`);
+        certificates.push(item);
+      }
+      params.CurrentPage++;
+    }
+
+    this.logger.info(`即将过期的证书数量:${certificates.length}`);
+    if (certificates.length === 0) {
+      this.logger.info('没有即将过期的证书, 无需删除');
+      return;
+    }
+    this.logger.info(`开始删除证书，共${certificates.length}个证书`);
+    let successCount = 0;
+    let failedCount = 0;
+
+    for (const certificate of certificates) {
+      try {
+        const deleteRes = await sslClient.doRequest('DeleteUserCertificate', {
+          CertId: certificate.CertificateId,
+        }, { method: 'POST' });
+        this.logger.info(`删除证书成功，证书ID:${certificate.CertificateId}, 名称:${certificate.CertificateName}, requestId:${deleteRes?.RequestId}`);
+        successCount++;
+
+      } catch (error: any) {
+        this.logger.error(`删除证书失败，证书ID:${certificate.CertificateId}, 名称:${certificate.CertificateName}, 错误:${error.message}`);
+        failedCount++;
+      }
+    }
+
+    this.logger.info(`证书删除完成，成功:${successCount}, 失败:${failedCount}`);
+  }
+}
+
+new AliyunDeleteExpiringCert();
@@ -13,4 +13,5 @@ export * from './deploy-to-vod/index.js';
 export * from './deploy-to-apigateway/index.js';
 export * from './deploy-to-apig/index.js';
 export * from './deploy-to-ack/index.js';
-export * from './deploy-to-all/index.js';
+export * from './deploy-to-all/index.js';
+export * from './delete-expiring-cert/index.js';
@@ -3,6 +3,7 @@ import { createCertDomainGetterInputDefine, createRemoteSelectInputDefine } from
 import { CertApplyPluginNames, CertInfo } from "@certd/plugin-cert";
 import { VolcengineAccess } from "../access.js";
 import { VolcengineClient } from "../ve-client.js";
+import dayjs from "dayjs";

@IsTaskPlugin({
  name: "VolcengineDeployToALB",
@@ -32,6 +33,7 @@ export class VolcengineDeployToALB extends AbstractTaskPlugin {
  certDomains!: string[];


+
  @TaskInput({
    title: "Access授权",
    helper: "火山引擎AccessKeyId、AccessKeySecret",
@@ -126,6 +128,22 @@ export class VolcengineDeployToALB extends AbstractTaskPlugin {
  listenerList!: string | string[];


+  @TaskInput({
+    title: "证书部署类型",
+    helper: "选择部署默认证书还是扩展证书",
+    component: {
+      name: "a-select",
+      options: [
+        { label: "默认证书", value: "default" },
+        { label: "扩展证书", value: "extension" }
+      ]
+    },
+    value: "default",
+    required: true
+  })
+  certType!: string;
+
+
  async onInstance() {
  }

@@ -149,20 +167,101 @@ export class VolcengineDeployToALB extends AbstractTaskPlugin {
    const service = await this.getAlbService();
    for (const listener of this.listenerList) {
      this.logger.info(`开始部署监听器${listener}证书`);
-      await service.request({
-        action: "ModifyListenerAttributes",
-        query: {
-          ListenerId: listener,
-          CertificateSource: "cert_center",
-          CertCenterCertificateId: certId
-        }
-      });
-      this.logger.info(`部署监听器${listener}证书成功`);
+      if (this.certType === "default") {
+        // 部署默认证书
+        const res = await service.request({
+          action: "ModifyListenerAttributes",
+          query: {
+            ListenerId: listener,
+            CertificateSource: "cert_center",
+            CertCenterCertificateId: certId
+          }
+        });
+        this.logger.info(`部署监听器${listener}默认证书成功，res:${JSON.stringify(res)}`);
+      } else {
+        // 部署扩展证书
+        await this.deployExtensionCertificate(service, listener, certId as string);
+      }
+      await this.ctx.utils.sleep(5000);
    }

    this.logger.info("部署完成");
  }

+  private async deployExtensionCertificate(service: any, listenerId: string, certId: string) {
+    // 获取监听器当前的扩展证书列表
+    const domainExtensions = await this.getListenerDomainExtensions(service, listenerId);
+    
+    // 删除过期的扩展证书
+    try {
+      await this.deleteExpiredExtensions(service, listenerId, domainExtensions);
+    } catch (error) {
+      this.logger.error(`删除过期扩展证书失败:${error.message ||error}`);
+    }
+
+    // 新增扩展证书
+    const query: any = {
+      ListenerId: listenerId,
+      "DomainExtensions.1.Action": "create",
+      "DomainExtensions.1.CertificateSource": "cert_center",
+      "DomainExtensions.1.CertCenterCertificateId": certId
+    };
+
+    // 如果有证书域名信息，添加到扩展证书中
+    if (this.certDomains && this.certDomains.length > 0) {
+      query["DomainExtensions.1.Domain"] = this.certDomains[0];
+    }
+
+    await service.request({
+      action: "ModifyListenerAttributes",
+      query: query
+    });
+    this.logger.info(`部署监听器${listenerId}扩展证书成功`);
+  }
+
+  private async getListenerDomainExtensions(service: any, listenerId: string): Promise<any[]> {
+    const res = await service.request({
+      action: "DescribeListenerAttributes",
+      method: "GET",
+      query: {
+        ListenerId: listenerId
+      }
+    });
+    
+    return res.Result.DomainExtensions || [];
+  }
+
+  private async deleteExpiredExtensions(service: any, listenerId: string, domainExtensions: any[]) {
+    const expiredExtensions = [];
+    for (const ext of domainExtensions) {
+      if (!await this.isCertificateExpired(ext)) {
+        expiredExtensions.push(ext);
+      }
+    }
+    if (expiredExtensions.length === 0) {
+      this.logger.info(`没有过期的扩展证书，跳过删除`);
+      return;
+    }
+
+    const query: any = {
+      ListenerId: listenerId
+    };
+    expiredExtensions.forEach((ext, index) => {
+      const idx = index + 1;
+      query[`DomainExtensions.${idx}.Action`] = "delete";
+      query[`DomainExtensions.${idx}.DomainExtensionId`] = ext.DomainExtensionId;
+    });
+    
+    this.logger.info(`准备删除过期扩展证书，数量：${expiredExtensions.length}个，query:${JSON.stringify(query)}`);
+
+    await service.request({
+      action: "ModifyListenerAttributes",
+      query: query
+    });
+    this.logger.info(`删除${expiredExtensions.length}个过期扩展证书成功`);
+     await this.ctx.utils.sleep(5000);
+  }
+

  private async getCertService(access: VolcengineAccess) {
    const client = new VolcengineClient({
@@ -189,6 +288,54 @@ export class VolcengineDeployToALB extends AbstractTaskPlugin {
    return service;
  }

+  private async isCertificateExpired(extension: any): Promise<boolean> {
+    try {
+      let certificateId: string;
+      
+      // 根据证书来源获取证书ID
+      if (extension.CertificateSource === "cert_center") {
+        certificateId = extension.CertCenterCertificateId;
+      } else if (extension.CertificateSource === "alb") {
+        this.logger.warn(`ALB证书不支持过期检查，跳过`);
+        return false;
+      } else if (extension.CertificateSource === "pca_leaf") {
+        this.logger.warn(`PCA Leaf证书不支持过期检查，跳过`);
+        return false;
+      } else {
+        this.logger.warn(`未知的证书来源: ${extension.CertificateSource}，跳过`);
+        return false;
+      }
+      
+      if (!certificateId) {
+        this.logger.warn(`证书ID为空，跳过`);
+        return false;
+      }
+      
+      // 获取证书服务
+      const access = await this.getAccess<VolcengineAccess>(this.accessId);
+      const certService = await this.getCertService(access);
+      
+      // 获取证书详情
+      const certDetail = await certService.GetCertificateDetail(certificateId);
+      
+      // 判断证书是否过期
+      if (certDetail.NotAfter) {
+        const expireTime = dayjs(certDetail.NotAfter);
+        const now = dayjs();
+        const isExpired = expireTime.isBefore(now);
+        if (isExpired) {
+          this.logger.info(`证书 ${certificateId} 已过期，过期时间: ${expireTime.toISOString()}`);
+        }
+        return isExpired;
+      }
+      
+      return false;
+    } catch (error) {
+      this.logger.error(`检查证书是否过期失败: ${error.message || error}`);
+      return false;
+    }
+  }
+
  async onGetListenerList(data: any) {
    if (!this.accessId) {
      throw new Error("请选择Access授权");
@@ -42,6 +42,17 @@ export class VolcengineClient {
      });
      return res.Result.InstanceId || res.Result.RepeatId;
    };
+
+    service.GetCertificateDetail = async (certificateId: string) => {
+      const res = await service.request({
+        action: "CertificateGetInstance",
+        method: "POST",
+        body: {
+          InstanceId: certificateId
+        }
+      });
+      return res.Result;
+    };
    return service;
  }