feat: 域名验证方法支持CNAME间接方式，此方式支持所有域名注册商，且无需提供Access授权，但是需要手动添加cname解析

2026-05-16 05:07:32 +08:00 · 2024-10-07 03:21:16 +08:00
parent 0c8e83e125
commit f3d35084ed
123 changed files with 2373 additions and 456 deletions
@@ -1,6 +1,6 @@
 import { Autoload, Config, Init, Inject, Scope, ScopeEnum } from '@midwayjs/core';
 import { logger } from '@certd/pipeline';
-import { UserService } from '../authority/service/user-service.js';
+import { UserService } from '../sys/authority/service/user-service.js';
 import { PlusService, SysSettingsService } from '@certd/lib-server';
 import { nanoid } from 'nanoid';
 import { SysInstallInfo, SysPrivateSettings } from '@certd/lib-server';
@@ -13,7 +13,7 @@ export class FileController extends BaseController {
  @Inject()
  fileService: FileService;

-  @Post('/upload', { summary: 'sys:settings:view' })
+  @Post('/upload', { summary: Constants.per.authOnly })
  async upload(@Files() files: UploadFileInfo<string>[], @Fields() fields: any) {
    console.log('files', files, fields);
    const cacheKey = uploadTmpFileCacheKey + nanoid();
@@ -0,0 +1,27 @@
+import { ALL, Body, Controller, Inject, Post, Provide } from '@midwayjs/core';
+import { BaseController, Constants } from '@certd/lib-server';
+import { CnameRecordService } from '../service/cname-record-service.js';
+import { CnameProviderService } from '../../sys/cname/service/cname-provider-service.js';
+
+/**
+ * 授权
+ */
+@Provide()
+@Controller('/api/cname/provider')
+export class CnameProviderController extends BaseController {
+  @Inject()
+  service: CnameRecordService;
+  @Inject()
+  providerService: CnameProviderService;
+
+  getService(): CnameRecordService {
+    return this.service;
+  }
+
+  @Post('/list', { summary: Constants.per.authOnly })
+  async list(@Body(ALL) body: any) {
+    body.userId = this.ctx.user.id;
+    const res = await this.providerService.find({});
+    return this.ok(res);
+  }
+}
@@ -0,0 +1,61 @@
+import { ALL, Body, Controller, Inject, Post, Provide, Query } from '@midwayjs/core';
+import { Constants, CrudController } from '@certd/lib-server';
+import { CnameRecordService } from '../service/cname-record-service.js';
+
+/**
+ * 授权
+ */
+@Provide()
+@Controller('/api/cname/record')
+export class CnameRecordController extends CrudController<CnameRecordService> {
+  @Inject()
+  service: CnameRecordService;
+
+  getService(): CnameRecordService {
+    return this.service;
+  }
+
+  @Post('/page', { summary: Constants.per.authOnly })
+  async page(@Body(ALL) body: any) {
+    body.query = body.query ?? {};
+    body.query.userId = this.ctx.user.id;
+    return await super.page(body);
+  }
+
+  @Post('/list', { summary: Constants.per.authOnly })
+  async list(@Body(ALL) body: any) {
+    body.userId = this.ctx.user.id;
+    return super.list(body);
+  }
+
+  @Post('/add', { summary: Constants.per.authOnly })
+  async add(@Body(ALL) bean: any) {
+    bean.userId = this.ctx.user.id;
+    return super.add(bean);
+  }
+
+  @Post('/update', { summary: Constants.per.authOnly })
+  async update(@Body(ALL) bean: any) {
+    await this.service.checkUserId(bean.id, this.ctx.user.id);
+    return super.update(bean);
+  }
+
+  @Post('/info', { summary: Constants.per.authOnly })
+  async info(@Query('id') id: number) {
+    await this.service.checkUserId(id, this.ctx.user.id);
+    return super.info(id);
+  }
+
+  @Post('/delete', { summary: Constants.per.authOnly })
+  async delete(@Query('id') id: number) {
+    await this.service.checkUserId(id, this.ctx.user.id);
+    return super.delete(id);
+  }
+
+  @Post('/getByDomain', { summary: Constants.per.authOnly })
+  async getByDomain(@Body(ALL) body: { domain: string; createOnNotFound: boolean }) {
+    const userId = this.ctx.user.id;
+    const res = await this.service.getByDomain(body.domain, userId, body.createOnNotFound);
+    return this.ok(res);
+  }
+}
@@ -0,0 +1,41 @@
+import { Column, Entity, PrimaryGeneratedColumn } from 'typeorm';
+
+/**
+ * cname record配置
+ */
+@Entity('cd_cname_record')
+export class CnameRecordEntity {
+  @PrimaryGeneratedColumn()
+  id: number;
+
+  @Column({ comment: '用户ID', name: 'user_id' })
+  userId: number;
+
+  @Column({ comment: '证书申请域名', length: 100 })
+  domain: string;
+
+  @Column({ comment: '主机记录', name: 'host_record', length: 100 })
+  hostRecord: string;
+
+  @Column({ comment: '记录值', name: 'record_value', length: 200 })
+  recordValue: string;
+
+  @Column({ comment: 'CNAME提供者', name: 'cname_provider_id' })
+  cnameProviderId: number;
+
+  @Column({ comment: '验证状态', length: 20 })
+  status: string;
+
+  @Column({
+    comment: '创建时间',
+    name: 'create_time',
+    default: () => 'CURRENT_TIMESTAMP',
+  })
+  createTime: Date;
+  @Column({
+    comment: '修改时间',
+    name: 'update_time',
+    default: () => 'CURRENT_TIMESTAMP',
+  })
+  updateTime: Date;
+}
@@ -0,0 +1,133 @@
+import { Inject, Provide, Scope, ScopeEnum } from '@midwayjs/core';
+import { InjectEntityModel } from '@midwayjs/typeorm';
+import { Repository } from 'typeorm';
+import { BaseService, ValidateException } from '@certd/lib-server';
+import { CnameRecordEntity } from '../entity/cname-record.js';
+import { v4 as uuidv4 } from 'uuid';
+import { CnameProviderService } from '../../sys/cname/service/cname-provider-service.js';
+import { CnameProviderEntity } from '../../sys/cname/entity/cname_provider.js';
+import { parseDomain } from '@certd/plugin-cert';
+
+/**
+ * 授权
+ */
+@Provide()
+@Scope(ScopeEnum.Singleton)
+export class CnameRecordService extends BaseService<CnameRecordEntity> {
+  @InjectEntityModel(CnameRecordEntity)
+  repository: Repository<CnameRecordEntity>;
+
+  @Inject()
+  cnameProviderService: CnameProviderService;
+  getRepository() {
+    return this.repository;
+  }
+  /**
+   * 新增
+   * @param param 数据
+   */
+  async add(param: any): Promise<CnameRecordEntity> {
+    if (!param.domain) {
+      throw new ValidateException('域名不能为空');
+    }
+    if (!param.userId) {
+      throw new ValidateException('userId不能为空');
+    }
+    if (param.domain.startsWith('*.')) {
+      param.domain = param.domain.substring(2);
+    }
+    const info = await this.getRepository().findOne({ where: { domain: param.domain } });
+    if (info) {
+      return info;
+    }
+
+    let cnameProvider: CnameProviderEntity = null;
+    if (!param.cnameProviderId) {
+      //获取默认的cnameProviderId
+      cnameProvider = await this.cnameProviderService.getByPriority();
+      if (cnameProvider == null) {
+        throw new ValidateException('找不到CNAME服务，请先联系管理员添加CNAME服务');
+      }
+    } else {
+      cnameProvider = await this.cnameProviderService.info(param.cnameProviderId);
+    }
+    this.cnameProviderChanged(param, cnameProvider);
+
+    param.status = 'cname';
+    const { id } = await super.add(param);
+    return await this.info(id);
+  }
+
+  private cnameProviderChanged(param: any, cnameProvider: CnameProviderEntity) {
+    param.cnameProviderId = cnameProvider.id;
+
+    const realDomain = parseDomain(param.domain);
+    const prefix = param.domain.replace(realDomain, '');
+    let hostRecord = `_acme-challenge.${prefix}`;
+    if (hostRecord.endsWith('.')) {
+      hostRecord = hostRecord.substring(0, hostRecord.length - 1);
+    }
+    param.hostRecord = hostRecord;
+
+    const cnameKey = uuidv4().replaceAll('-', '');
+    param.recordValue = `${cnameKey}.${cnameProvider.domain}`;
+  }
+
+  async update(param: any) {
+    if (!param.id) {
+      throw new ValidateException('id不能为空');
+    }
+
+    const old = await this.info(param.id);
+    if (!old) {
+      throw new ValidateException('数据不存在');
+    }
+    if (old.domain !== param.domain) {
+      throw new ValidateException('域名不允许修改');
+    }
+    if (old.cnameProviderId !== param.cnameProviderId) {
+      const cnameProvider = await this.cnameProviderService.info(param.cnameProviderId);
+      this.cnameProviderChanged(param, cnameProvider);
+      param.status = 'cname';
+    }
+    return await super.update(param);
+  }
+
+  async validate(id: number) {
+    const info = await this.info(id);
+    if (info.status === 'success') {
+      return true;
+    }
+
+    //开始校验
+    // 1.  dnsProvider
+    // 2.  添加txt记录
+    // 3.  检查原域名是否有cname记录
+  }
+
+  async getByDomain(domain: string, userId: number, createOnNotFound = true) {
+    if (!domain) {
+      throw new ValidateException('domain不能为空');
+    }
+    if (userId == null) {
+      throw new ValidateException('userId不能为空');
+    }
+    let record = await this.getRepository().findOne({ where: { domain, userId } });
+    if (record == null) {
+      if (createOnNotFound) {
+        record = await this.add({ domain, userId });
+      } else {
+        throw new ValidateException(`找不到${domain}的CNAME记录`);
+      }
+    }
+    const provider = await this.cnameProviderService.info(record.cnameProviderId);
+    if (provider == null) {
+      throw new ValidateException(`找不到${domain}的CNAME服务`);
+    }
+
+    return {
+      ...record,
+      cnameProvider: provider,
+    };
+  }
+}
@@ -1,8 +1,8 @@
 import { ALL, Body, Controller, Inject, Post, Provide } from '@midwayjs/core';
 import { BaseController } from '@certd/lib-server';
 import { Constants } from '@certd/lib-server';
-import { UserService } from '../../authority/service/user-service.js';
-import { UserEntity } from '../../authority/entity/user.js';
+import { UserService } from '../../sys/authority/service/user-service.js';
+import { UserEntity } from '../../sys/authority/entity/user.js';
 import { SysSettingsService } from '@certd/lib-server';

 /**
@@ -1,9 +1,9 @@
 import { Config, Inject, Provide } from '@midwayjs/core';
-import { UserService } from '../../authority/service/user-service.js';
+import { UserService } from '../../sys/authority/service/user-service.js';
 import jwt from 'jsonwebtoken';
 import { CommonException } from '@certd/lib-server';
-import { RoleService } from '../../authority/service/role-service.js';
-import { UserEntity } from '../../authority/entity/user.js';
+import { RoleService } from '../../sys/authority/service/role-service.js';
+import { UserEntity } from '../../sys/authority/entity/user.js';
 import { SysSettingsService } from '@certd/lib-server';
 import { SysPrivateSettings } from '@certd/lib-server';

@@ -1,7 +1,7 @@
 import { ALL, Body, Controller, Inject, Post, Provide } from '@midwayjs/core';
 import { BaseController, Constants } from '@certd/lib-server';
-import { UserService } from '../../authority/service/user-service.js';
-import { RoleService } from '../../authority/service/role-service.js';
+import { UserService } from '../../sys/authority/service/user-service.js';
+import { RoleService } from '../../sys/authority/service/role-service.js';

 /**
 */
@@ -1,12 +1,4 @@
-import {
-  ALL,
-  Body,
-  Controller,
-  Inject,
-  Post,
-  Provide,
-  Query,
-} from '@midwayjs/core';
+import { ALL, Body, Controller, Inject, Post, Provide, Query } from '@midwayjs/core';
 import { CrudController } from '@certd/lib-server';
 import { Constants } from '@certd/lib-server';
 import { UserSettingsService } from '../service/user-settings-service.js';
@@ -8,7 +8,7 @@ import { HistoryLogEntity } from '../entity/history-log.js';
 import { PipelineService } from '../service/pipeline-service.js';
 import * as fs from 'fs';
 import { logger } from '@certd/pipeline';
-import { AuthService } from '../../authority/service/auth-service.js';
+import { AuthService } from '../../sys/authority/service/auth-service.js';
 import { SysSettingsService } from '@certd/lib-server';
 import { In } from 'typeorm';

@@ -4,7 +4,7 @@ import { PipelineService } from '../service/pipeline-service.js';
 import { PipelineEntity } from '../entity/pipeline.js';
 import { Constants } from '@certd/lib-server';
 import { HistoryService } from '../service/history-service.js';
-import { AuthService } from '../../authority/service/auth-service.js';
+import { AuthService } from '../../sys/authority/service/auth-service.js';
 import { SysSettingsService } from '@certd/lib-server';

 /**
@@ -0,0 +1,14 @@
+import { IAccessService } from '@certd/pipeline';
+
+export class AccessGetter implements IAccessService {
+  userId: number;
+  getter: <T>(id: any, userId?: number) => Promise<T>;
+  constructor(userId: number, getter: (id: any, userId: number) => Promise<any>) {
+    this.userId = userId;
+    this.getter = getter;
+  }
+
+  async getById<T = any>(id: any) {
+    return await this.getter<T>(id, this.userId);
+  }
+}
@@ -1,18 +1,17 @@
 import { Inject, Provide, Scope, ScopeEnum } from '@midwayjs/core';
 import { InjectEntityModel } from '@midwayjs/typeorm';
 import { Repository } from 'typeorm';
-import { BaseService } from '@certd/lib-server';
+import { BaseService, PermissionException, ValidateException } from '@certd/lib-server';
 import { AccessEntity } from '../entity/access.js';
-import { AccessDefine, accessRegistry, IAccessService, newAccess } from '@certd/pipeline';
+import { AccessDefine, accessRegistry, newAccess } from '@certd/pipeline';
 import { EncryptService } from './encrypt-service.js';
-import { ValidateException } from '@certd/lib-server';

 /**
 * 授权
 */
@Provide()
@Scope(ScopeEnum.Singleton)
-export class AccessService extends BaseService<AccessEntity> implements IAccessService {
+export class AccessService extends BaseService<AccessEntity> {
  @InjectEntityModel(AccessEntity)
  repository: Repository<AccessEntity>;

@@ -102,11 +101,14 @@ export class AccessService extends BaseService<AccessEntity> implements IAccessS
    return await super.update(param);
  }

-  async getById(id: any): Promise<any> {
+  async getById(id: any, userId?: number): Promise<any> {
    const entity = await this.info(id);
    if (entity == null) {
      throw new Error(`该授权配置不存在,请确认是否已被删除:id=${id}`);
    }
+    if (userId !== entity.userId) {
+      throw new PermissionException('您对该授权无访问权限');
+    }
    // const access = accessRegistry.get(entity.type);
    const setting = this.decryptAccessEntity(entity);
    const input = {
@@ -0,0 +1,14 @@
+import { CnameRecord, ICnameProxyService } from '@certd/pipeline';
+
+export class CnameProxyService implements ICnameProxyService {
+  userId: number;
+  getter: <T>(domain: string, userId?: number) => Promise<T>;
+  constructor(userId: number, getter: (domain: string, userId: number) => Promise<any>) {
+    this.userId = userId;
+    this.getter = getter;
+  }
+
+  getByDomain(domain: string): Promise<CnameRecord> {
+    return this.getter<CnameRecord>(domain, this.userId);
+  }
+}
@@ -16,7 +16,10 @@ import { HistoryLogService } from './history-log-service.js';
 import { logger } from '@certd/pipeline';
 import { EmailService } from '../../basic/service/email-service.js';
 import { NeedVIPException } from '@certd/lib-server';
-import { UserService } from '../../authority/service/user-service.js';
+import { UserService } from '../../sys/authority/service/user-service.js';
+import { AccessGetter } from './access-getter.js';
+import { CnameRecordService } from '../../cname/service/cname-record-service.js';
+import { CnameProxyService } from './cname-proxy-service.js';

 const runningTasks: Map<string | number, Executor> = new Map();
 const freeCount = 10;
@@ -34,6 +37,8 @@ export class PipelineService extends BaseService<PipelineEntity> {
  @Inject()
  accessService: AccessService;
  @Inject()
+  cnameRecordService: CnameRecordService;
+  @Inject()
  storageService: StorageService;
  @Inject()
  historyService: HistoryService;
@@ -341,11 +346,14 @@ export class PipelineService extends BaseService<PipelineEntity> {
      id: userId,
      role: userIsAdmin ? 'admin' : 'user',
    };
+    const accessGetter = new AccessGetter(userId, this.accessService.getById.bind(this.accessService));
+    const cnameProxyService = new CnameProxyService(userId, this.cnameRecordService.getByDomain.bind(this.cnameRecordService));
    const executor = new Executor({
      user,
      pipeline,
      onChanged,
-      accessService: this.accessService,
+      accessService: accessGetter,
+      cnameProxyService,
      storage: new DbStorage(userId, this.storageService),
      emailService: this.emailService,
      fileRootDir: this.certdConfig.fileRootDir,
@@ -14,7 +14,7 @@ import { UserRoleEntity } from '../entity/user-role.js';
 import bcrypt from 'bcryptjs';
 import { SysSettingsService } from '@certd/lib-server';
 import { SysInstallInfo } from '@certd/lib-server';
-import { RandomUtil } from '../../../utils/random.js';
+import { RandomUtil } from '../../../../utils/random.js';

 /**
 * 系统用户
@@ -0,0 +1,66 @@
+import { ALL, Body, Controller, Inject, Post, Provide, Query } from '@midwayjs/core';
+import { CrudController } from '@certd/lib-server';
+import { CnameProviderService } from '../service/cname-provider-service.js';
+import { merge } from 'lodash-es';
+
+/**
+ * 授权
+ */
+@Provide()
+@Controller('/api/sys/cname/provider')
+export class CnameRecordController extends CrudController<CnameProviderService> {
+  @Inject()
+  service: CnameProviderService;
+
+  getService(): CnameProviderService {
+    return this.service;
+  }
+
+  @Post('/page', { summary: 'sys:settings:view' })
+  async page(@Body(ALL) body: any) {
+    body.query = body.query ?? {};
+    return await super.page(body);
+  }
+
+  @Post('/list', { summary: 'sys:settings:view' })
+  async list(@Body(ALL) body: any) {
+    return super.list(body);
+  }
+
+  @Post('/add', { summary: 'sys:settings:edit' })
+  async add(@Body(ALL) bean: any) {
+    const def: any = {
+      isDefault: false,
+      disabled: false,
+    };
+    merge(bean, def);
+    return super.add(bean);
+  }
+
+  @Post('/update', { summary: 'sys:settings:edit' })
+  async update(@Body(ALL) bean: any) {
+    return super.update(bean);
+  }
+
+  @Post('/info', { summary: 'sys:settings:view' })
+  async info(@Query('id') id: number) {
+    return super.info(id);
+  }
+
+  @Post('/delete', { summary: 'sys:settings:edit' })
+  async delete(@Query('id') id: number) {
+    return super.delete(id);
+  }
+
+  @Post('/setDefault', { summary: 'sys:settings:edit' })
+  async setDefault(@Body('id') id: number) {
+    await this.service.setDefault(id);
+    return this.ok();
+  }
+
+  @Post('/setDisabled', { summary: 'sys:settings:edit' })
+  async setDisabled(@Body('id') id: number, @Body('disabled') disabled: boolean) {
+    await this.service.setDisabled(id, disabled);
+    return this.ok();
+  }
+}
@@ -0,0 +1,35 @@
+import { Column, Entity, PrimaryGeneratedColumn } from 'typeorm';
+
+/**
+ * cname配置
+ */
+@Entity('cd_cname_provider')
+export class CnameProviderEntity {
+  @PrimaryGeneratedColumn()
+  id: number;
+  @Column({ comment: '域名', length: 100 })
+  domain: string;
+  @Column({ comment: 'DNS提供商类型', name: 'dns_provider_type', length: 20 })
+  dnsProviderType: string;
+  @Column({ comment: 'DNS授权Id', name: 'access_id' })
+  accessId: number;
+  @Column({ comment: '是否默认', name: 'is_default' })
+  isDefault: boolean;
+  @Column({ comment: '是否禁用', name: 'disabled' })
+  disabled: boolean;
+  @Column({ comment: '备注', length: 200 })
+  remark: string;
+
+  @Column({
+    comment: '创建时间',
+    name: 'create_time',
+    default: () => 'CURRENT_TIMESTAMP',
+  })
+  createTime: Date;
+  @Column({
+    comment: '修改时间',
+    name: 'update_time',
+    default: () => 'CURRENT_TIMESTAMP',
+  })
+  updateTime: Date;
+}
@@ -0,0 +1,85 @@
+import { Provide, Scope, ScopeEnum } from '@midwayjs/core';
+import { InjectEntityModel } from '@midwayjs/typeorm';
+import { Repository } from 'typeorm';
+import { BaseService, ValidateException } from '@certd/lib-server';
+import { CnameProviderEntity } from '../entity/cname_provider.js';
+
+/**
+ * 授权
+ */
+@Provide()
+@Scope(ScopeEnum.Singleton)
+export class CnameProviderService extends BaseService<CnameProviderEntity> {
+  @InjectEntityModel(CnameProviderEntity)
+  repository: Repository<CnameProviderEntity>;
+
+  getRepository() {
+    return this.repository;
+  }
+
+  async getDefault() {
+    return await this.repository.findOne({ where: { isDefault: true } });
+  }
+  /**
+   * 新增
+   * @param param 数据
+   */
+  async add(param: any) {
+    const def = await this.getDefault();
+    if (!def) {
+      param.isDefault = true;
+    }
+    const res = await super.add(param);
+    if (param.isDefault) {
+      await this.setDefault(res.id);
+    }
+    return res;
+  }
+
+  /**
+   * 修改
+   * @param param 数据
+   */
+  async update(param: any) {
+    await super.update(param);
+    if (param.isDefault) {
+      await this.setDefault(param.id);
+    }
+  }
+
+  async delete(ids: any) {
+    if (!(ids instanceof Array)) {
+      ids = [ids];
+    }
+    for (const id of ids) {
+      const info = await this.info(id);
+      if (info.isDefault) {
+        throw new ValidateException('默认的CNAME服务不能删除，请先修改为非默认值');
+      }
+    }
+    await super.delete(ids);
+  }
+
+  async setDefault(id: number) {
+    await this.transaction(async em => {
+      await em.getRepository(CnameProviderEntity).update({ isDefault: true }, { isDefault: false });
+      await em.getRepository(CnameProviderEntity).update({ id }, { isDefault: true });
+    });
+  }
+
+  async setDisabled(id: number, disabled: boolean) {
+    await this.repository.update({ id }, { disabled });
+  }
+
+  async getByPriority() {
+    const def = await this.getDefault();
+    if (def) {
+      return def;
+    }
+    const found = await this.repository.findOne({ order: { createTime: 'DESC' } });
+    if (found) {
+      return found;
+    }
+    return null;
+  }
+}
@@ -4,7 +4,7 @@ import { SysSettingsService } from '@certd/lib-server';
 import { SysSettingsEntity } from '../entity/sys-settings.js';
 import { SysPublicSettings } from '@certd/lib-server';
 import * as _ from 'lodash-es';
-import { PipelineService } from '../../pipeline/service/pipeline-service.js';
+import { PipelineService } from '../../../pipeline/service/pipeline-service.js';

 /**
 */