github
/
certd
mirror of https://github.com/certd/certd
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/v2-dev' into v2-dev

pull/229/head
xiaojunnuo 2024-10-28 21:34:14 +08:00
parent 3e290f057f 5575c83970
commit 5c992c3214
21 changed files with 335 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
docker/run/docker-compose.yaml
View File

@ -28,18 +28,14 @@ services:
# 设置环境变量即可自定义certd配置 # 设置环境变量即可自定义certd配置
# 配置项见: packages/ui/certd-server/src/config/config.default.ts # 配置项见: packages/ui/certd-server/src/config/config.default.ts
# 配置规则: certd_ + 配置项, 点号用_代替 # 配置规则: certd_ + 配置项, 点号用_代替
# ↓↓↓↓ ------------------------------------ 这里可以设置http代理
#- HTTPS_PROXY=http://xxxxxx:xx
#- HTTP_PROXY=http://xxxxxx:xx
# ↓↓↓↓ ----------------------------- 如果忘记管理员密码可以设置为true重启之后管理员密码将改成123456然后请及时修改回false # ↓↓↓↓ ----------------------------- 如果忘记管理员密码可以设置为true重启之后管理员密码将改成123456然后请及时修改回false
- certd_system_resetAdminPasswd=false - certd_system_resetAdminPasswd=false
# ↓↓↓↓ -------------------------- 如果设置为true启动后所有配置了cron的流水线任务都将被立即触发一次 # ↓↓↓↓ -------------------------------- 默认同时启动httpshttps访问地址https://your.domain:7002
- certd_cron_immediateTriggerOnce=false #- certd_https_key=./data/ssl/cert.key
# ↓↓↓↓ -------------------------------- 配置证书和key则表示https方式启动使用https协议访问https://your.domain:7001 #- certd_https_cert=./data/ssl/cert.crt
#- certd_koa_key=./data/ssl/cert.key #- certd_https_enabled=true
#- certd_koa_cert=./data/ssl/cert.crt #- certd_https_port=7002
-
# ↓↓↓↓ ------------------------------- 使用postgresql数据库 # ↓↓↓↓ ------------------------------- 使用postgresql数据库
# - certd_flyway_scriptDir=./db/migration-pg # 升级脚本目录 # - certd_flyway_scriptDir=./db/migration-pg # 升级脚本目录
# - certd_typeorm_dataSource_default_type=postgres # 数据库类型 # - certd_typeorm_dataSource_default_type=postgres # 数据库类型

BIN
docs/guide/use/tencent/images/delete.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 68 KiB

BIN
docs/guide/use/tencent/images/delete2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 24 KiB

13
docs/guide/use/tencent/index.md
View File

@ -6,3 +6,16 @@
打开 https://console.cloud.tencent.com/cam/capi 打开 https://console.cloud.tencent.com/cam/capi
然后按如下方式获取腾讯云的API密钥 然后按如下方式获取腾讯云的API密钥
![](./tencent-access.png) ![](./tencent-access.png)
## 如何避免收到腾讯云证书过期邮件
腾讯云在证书有效期还剩28天时会发送过期通知邮件
您可以通过配置“腾讯云过期证书删除”任务来避免收到此类邮件。
![](./images/delete.png)
注意点:
> 1. 选择腾讯云授权,需授权`服务角色SSL_QCSLinkedRoleInReplaceLoadCertificate`权限
> 2. `1.26.14`版本之前Certd创建的证书流水线默认是到期前20天才更新证书需要将之前创建的证书申请任务的更新天数修改为35天保证删除之前就已经替换掉即将过期证书
![](./images/delete2.png)

6
packages/core/pipeline/src/plugin/api.ts
View File

@ -111,6 +111,12 @@ export abstract class AbstractTaskPlugin implements ITaskPlugin {
return this._result.files; return this._result.files;
} }
checkSignal() {
if (this.ctx.signal && this.ctx.signal.aborted) {
throw new Error("用户取消");
}
}
setCtx(ctx: TaskInstanceContext) { setCtx(ctx: TaskInstanceContext) {
this.ctx = ctx; this.ctx = ctx;
this.logger = ctx.logger; this.logger = ctx.logger;

4
packages/plugins/plugin-cert/src/plugin/cert-plugin/base.ts
View File

@ -61,7 +61,7 @@ export abstract class CertApplyBasePlugin extends AbstractTaskPlugin {
@TaskInput({ @TaskInput({
title: "更新天数", title: "更新天数",
value: 20, value: 35,
component: { component: {
name: "a-input-number", name: "a-input-number",
vModel: "value", vModel: "value",
@ -212,7 +212,7 @@ export abstract class CertApplyBasePlugin extends AbstractTaskPlugin {
this.logger.info("input hash 有变更,检查是否需要重新申请证书"); this.logger.info("input hash 有变更,检查是否需要重新申请证书");
//判断域名有没有变更 //判断域名有没有变更
/** /**
* "renewDays": 20, * "renewDays": 35,
* "certApplyPlugin": "CertApply", * "certApplyPlugin": "CertApply",
* "sslProvider": "letsencrypt", * "sslProvider": "letsencrypt",
* "privateKeyType": "rsa_2048_pkcs1", * "privateKeyType": "rsa_2048_pkcs1",

2
packages/plugins/plugin-cert/src/plugin/cert-plugin/index.ts
View File

@ -33,7 +33,7 @@ export type DomainsVerifyPlanInput = {
desc: "免费通配符域名证书申请,支持多个域名打到同一个证书上", desc: "免费通配符域名证书申请,支持多个域名打到同一个证书上",
default: { default: {
input: { input: {
renewDays: 20, renewDays: 35,
forceUpdate: false, forceUpdate: false,
}, },
strategy: { strategy: {

2
packages/plugins/plugin-cert/src/plugin/cert-plugin/lego/index.ts
View File

@ -17,7 +17,7 @@ export type { CertInfo };
desc: "支持海量DNS解析提供商推荐使用一样的免费通配符域名证书申请支持多个域名打到同一个证书上", desc: "支持海量DNS解析提供商推荐使用一样的免费通配符域名证书申请支持多个域名打到同一个证书上",
default: { default: {
input: { input: {
renewDays: 20, renewDays: 35,
forceUpdate: false, forceUpdate: false,
}, },
strategy: { strategy: {

BIN
packages/ui/certd-client/public/static/images/logo/logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 13 KiB

2
packages/ui/certd-client/src/layout/layout-framework.vue
View File

@ -252,8 +252,6 @@ const { token } = useToken();
justify-content: flex-end; justify-content: flex-end;
align-items: center; align-items: center;
display: flex; display: flex;
}
.header-menu {
flex: 1; flex: 1;
} }
} }

8
packages/ui/certd-client/src/style/common.less
View File

@ -178,6 +178,14 @@ h1, h2, h3, h4, h5, h6 {
color: #1890ff; color: #1890ff;
} }
.color-red {
color: red;
}
.color-green {
color: green;
}
.iconify{ .iconify{
//font-size: 16px; //font-size: 16px;
} }

32
packages/ui/certd-client/src/views/certd/access/access-selector/access/secret-plain-getter.vue Normal file
View File

@ -0,0 +1,32 @@
<template>
<a-button class="cd-secret-plain-getter ml-5">
<fs-icon class="pointer" :icon="computedIcon" @click="showPlain" />
</a-button>
</template>
<script lang="ts" setup>
import { computed, inject, ref } from "vue";
defineOptions({
name: "SecretPlainGetter"
});
const props = defineProps<{
modelValue?: string;
accessId?: number;
inputKey: string;
}>();
const emit = defineEmits(["update:modelValue"]);
const showRef = ref(false);
const computedIcon = computed(() => {
return showRef.value ? "ion:eye-outline" : "ion:eye-off-outline";
});
const accessApi: any = inject("accessApi");
async function showPlain() {
showRef.value = true;
if (props.accessId) {
const plain = await accessApi.GetSecretPlain(props.accessId, props.inputKey);
emit("update:modelValue", plain);
}
}
</script>
<style lang="less"></style>

8
packages/ui/certd-client/src/views/certd/access/api.ts
View File

@ -43,6 +43,14 @@ export function createAccessApi(from = "user") {
}); });
}, },
async GetSecretPlain(id: number, key: string) {
return await request({
url: apiPrefix + "/getSecretPlain",
method: "post",
data: { id, key }
});
},
async GetProviderDefine(type: string) { async GetProviderDefine(type: string) {
return await request({ return await request({
url: apiPrefix + "/define", url: apiPrefix + "/define",

11
packages/ui/certd-client/src/views/certd/access/common.tsx
View File

@ -1,9 +1,11 @@
import { ColumnCompositionProps, dict } from "@fast-crud/fast-crud"; import { ColumnCompositionProps, dict } from "@fast-crud/fast-crud";
import { computed, ref, toRef } from "vue"; import { computed, provide, ref, toRef } from "vue";
import { useReference } from "/@/use/use-refrence"; import { useReference } from "/@/use/use-refrence";
import { forEach, get, merge, set } from "lodash-es"; import { forEach, get, merge, set } from "lodash-es";
import SecretPlainGetter from "/@/views/certd/access/access-selector/access/secret-plain-getter.vue";
export function getCommonColumnDefine(crudExpose: any, typeRef: any, api: any) { export function getCommonColumnDefine(crudExpose: any, typeRef: any, api: any) {
provide("accessApi", api);
const AccessTypeDictRef = dict({ const AccessTypeDictRef = dict({
url: "/pi/access/accessTypeDict" url: "/pi/access/accessTypeDict"
}); });
@ -32,6 +34,13 @@ export function getCommonColumnDefine(crudExpose: any, typeRef: any, api: any) {
}; };
const column = merge({ title: key }, defaultPluginConfig, field); const column = merge({ title: key }, defaultPluginConfig, field);
if (value.encrypt === true) {
column.suffixRender = (scope: { form: any; key: string }) => {
const { form, key } = scope;
const inputKey = scope.key.replace("access.", "");
return <SecretPlainGetter accessId={form.id} inputKey={inputKey} v-model={form[key]} />;
};
}
//eval //eval
useReference(column); useReference(column);

2
packages/ui/certd-client/src/views/certd/pipeline/crud.tsx
View File

@ -124,7 +124,7 @@ export default function ({ crudExpose, context: { certdFormRef } }: CreateCrudOp
{ {
title: "申请证书", title: "申请证书",
input: { input: {
renewDays: 20, renewDays: 35,
...form ...form
}, },
strategy: { strategy: {

6
packages/ui/certd-server/src/controller/pipeline/access-controller.ts
View File

@ -67,6 +67,12 @@ export class AccessController extends CrudController<AccessService> {
return this.ok(access); return this.ok(access);
} }
@Post('/getSecretPlain', { summary: Constants.per.authOnly })
async getSecretPlain(@Body(ALL) body: { id: number; key: string }) {
const value = await this.service.getById(body.id, this.getUserId());
return this.ok(value[body.key]);
}
@Post('/accessTypeDict', { summary: Constants.per.authOnly }) @Post('/accessTypeDict', { summary: Constants.per.authOnly })
async getAccessTypeDict() { async getAccessTypeDict() {
const list = this.service.getDefineList(); const list = this.service.getDefineList();

1
packages/ui/certd-server/src/middleware/reset-passwd/middleware.ts
View File

@ -30,6 +30,7 @@ export class ResetPasswdMiddleware implements IWebMiddleware {
logger.info('开始重置1号管理员用户的密码'); logger.info('开始重置1号管理员用户的密码');
const newPasswd = '123456'; const newPasswd = '123456';
await this.userService.resetPassword(1, newPasswd); await this.userService.resetPassword(1, newPasswd);
await this.userService.updateStatus(1, 1);
logger.info(`重置1号管理员用户的密码完成新密码为${newPasswd}`); logger.info(`重置1号管理员用户的密码完成新密码为${newPasswd}`);
} }
} }

20
packages/ui/certd-server/src/modules/sys/authority/service/user-service.ts
View File

@ -198,6 +198,9 @@ export class UserService extends BaseService<UserEntity> {
} }
async resetPassword(userId: any, newPasswd: string) { async resetPassword(userId: any, newPasswd: string) {
if (!userId) {
throw new CommonException('userId不能为空');
}
const param = { const param = {
id: userId, id: userId,
password: newPasswd, password: newPasswd,
@ -210,15 +213,19 @@ export class UserService extends BaseService<UserEntity> {
ids = ids.split(','); ids = ids.split(',');
ids = ids.map(id => parseInt(id)); ids = ids.map(id => parseInt(id));
} }
if (ids instanceof Array) { if (ids.length === 0) {
return;
}
if (ids.includes(1)) { if (ids.includes(1)) {
throw new CommonException('不能删除管理员'); throw new CommonException('不能删除管理员');
} }
}
await super.delete(ids); await super.delete(ids);
} }
async isAdmin(userId: any) { async isAdmin(userId: any) {
if (!userId) {
throw new CommonException('userId不能为空');
}
const userRoles = await this.userRoleService.find({ const userRoles = await this.userRoleService.find({
where: { where: {
userId, userId,
@ -229,4 +236,13 @@ export class UserService extends BaseService<UserEntity> {
return true; return true;
} }
} }
async updateStatus(id: number, status: number) {
if (!id) {
throw new CommonException('userId不能为空');
}
await this.repository.update(id, {
status,
});
}
} }

17
packages/ui/certd-server/src/plugins/plugin-tencent/lib/index.ts
View File

@ -55,4 +55,21 @@ export class TencentSslClient {
this.checkRet(res); this.checkRet(res);
return res; return res;
} }
async DescribeCertificates(params: any) {
const client = await this.getSslClient();
const res = await client.DescribeCertificates(params);
this.checkRet(res);
return res;
}
async doRequest(action: string, params: any) {
const client = await this.getSslClient();
if (!client[action]) {
throw new Error(`action ${action} not found`);
}
const res = await client[action](params);
this.checkRet(res);
return res;
}
} }

202
packages/ui/certd-server/src/plugins/plugin-tencent/plugin/delete-expiring-cert/index.ts Normal file
View File

@ -0,0 +1,202 @@
import { IsTaskPlugin, pluginGroups, RunStrategy, TaskInput } from '@certd/pipeline';
import { AbstractPlusTaskPlugin, TencentAccess } from '@certd/plugin-plus';
import { TencentSslClient } from '../../lib/index.js';
import dayjs from 'dayjs';
import { remove } from 'lodash-es';
@IsTaskPlugin({
name: 'TencentDeleteExpiringCert',
title: '删除腾讯云即将过期证书',
icon: 'svg:icon-tencentcloud',
group: pluginGroups.tencent.key,
desc: '仅删除未使用的证书',
default: {
strategy: {
runStrategy: RunStrategy.AlwaysRun,
},
},
needPlus: true,
})
export class TencentDeleteExpiringCert extends AbstractPlusTaskPlugin {
@TaskInput({
title: 'Access提供者',
helper: 'access 授权',
component: {
name: 'access-selector',
type: 'tencent',
},
required: true,
})
accessId!: string;
@TaskInput({
title: '关键字筛选',
helper: '仅匹配ID、备注名称、域名包含关键字的证书可以不填',
required: false,
component: {
name: 'a-input',
},
})
searchKey!: string;
@TaskInput({
title: '最大删除数量',
helper: '单次运行最大删除数量',
value: 100,
component: {
name: 'a-input-number',
vModel: 'value',
},
required: true,
})
maxCount!: number;
@TaskInput({
title: '即将过期天数',
helper:
'仅删除有效期小于此天数的证书,\n<span class="color-red">注意:`1.26.14`版本之前Certd创建的证书流水线默认是到期前20天才更新证书需要将之前创建的证书申请任务的更新天数改为35天保证删除之前就已经替换掉即将过期证书</span>',
value: 30,
component: {
name: 'a-input-number',
vModel: 'value',
},
required: true,
})
expiringDays!: number;
@TaskInput({
title: '检查超时时间',
helper: '检查删除任务结果超时时间,单位分钟',
value: 10,
component: {
name: 'a-input-number',
vModel: 'value',
},
required: true,
})
checkTimeout!: number;
async onInstance() {}
async execute(): Promise<void> {
const access = await this.accessService.getById<TencentAccess>(this.accessId);
const sslClient = new TencentSslClient({
access,
logger: this.logger,
});
const params = {
Limit: this.maxCount ?? 100,
SearchKey: this.searchKey,
ExpirationSort: 'ASC',
FilterSource: 'upload',
// FilterExpiring: 1,
};
const res = await sslClient.DescribeCertificates(params);
let certificates = res?.Certificates;
if (!certificates && !certificates.length) {
this.logger.info('没有找到证书');
return;
}
certificates = certificates.filter((item: any) => {
const endTime = item.CertEndTime;
return dayjs(endTime).add(this.expiringDays, 'day').isBefore(dayjs());
});
for (const certificate of certificates) {
this.logger.info(`证书ID:${certificate.CertificateId}, 过期时间:${certificate.CertEndTime}Alias:${certificate.Alias},证书域名:${certificate.Domain}`);
}
this.logger.info(`即将过期的证书数量:${certificates.length}`);
if (certificates.length === 0) {
this.logger.info('没有即将过期的证书, 无需删除');
return;
}
const certIds = certificates.map((cert: any) => cert.CertificateId);
const deleteRes = await sslClient.doRequest('DeleteCertificates', {
CertificateIds: certIds,
IsSync: true,
});
this.logger.info('删除任务已提交: ', JSON.stringify(deleteRes));
const ids = deleteRes?.CertTaskIds;
if (!ids && !ids.length) {
this.logger.error('没有找到任务ID');
return;
}
const taskIds = ids.map((id: any) => id.TaskId);
const startTime = Date.now();
const results = {};
const statusCount = {
success: 0,
failed: 0,
unauthorized: 0,
unbind: 0,
timeout: 0,
};
const total = taskIds.length;
while (Date.now() < startTime + this.checkTimeout * 60 * 1000) {
this.checkSignal();
const taskResultRes = await sslClient.doRequest('DescribeDeleteCertificatesTaskResult', {
TaskIds: taskIds,
});
const result = taskResultRes.DeleteTaskResult;
if (!result || result.length === 0) {
this.logger.info('暂未获取到有效的任务结果');
continue;
}
for (const item of result) {
//遍历结果
const status = item.Status;
if (status !== 0) {
remove(taskIds, id => id === item.TaskId);
}
// Status : 0表示任务进行中、 1表示任务成功、 2表示任务失败、3表示未授权服务角色导致任务失败、4表示有未解绑的云资源导致任务失败、5表示查询关联云资源超时导致任务失败
if (status === 0) {
this.logger.info(`任务${item.TaskId}<${item.CertId}>: 进行中`);
} else if (status === 1) {
this.logger.info(`任务${item.TaskId}<${item.CertId}>: 成功`);
results[item.TaskId] = '成功';
statusCount.success++;
} else if (status === 2) {
this.logger.error(`任务${item.TaskId}<${item.CertId}>: 失败`);
results[item.TaskId] = '失败';
statusCount.failed++;
} else if (status === 3) {
this.logger.error(`任务${item.TaskId}<${item.CertId}>: 未授权服务角色导致任务失败`);
results[item.TaskId] = '未授权服务角色导致任务失败';
statusCount.unauthorized++;
} else if (status === 4) {
this.logger.error(`任务${item.TaskId}<${item.CertId}>: 有未解绑的云资源导致任务失败`);
results[item.TaskId] = '有未解绑的云资源导致任务失败';
statusCount.unbind++;
} else if (status === 5) {
this.logger.error(`任务${item.TaskId}<${item.CertId}>: 查询关联云资源超时导致任务失败`);
results[item.TaskId] = '查询关联云资源超时导致任务失败';
statusCount.timeout++;
} else {
this.logger.info(`任务${item.TaskId}<${item.CertId}>: 未知状态:${status}`);
statusCount.failed++;
}
}
this.logger.info(
// eslint-disable-next-line max-len
`任务总数:${total}, 进行中:${taskIds.length} 成功:${statusCount.success}, 未授权服务角色导致失败:${statusCount.unauthorized}, 未解绑关联资源失败:${statusCount.unbind}, 查询关联资源超时:${statusCount.timeout},未知原因失败:${statusCount.failed}`
);
if (taskIds.length === 0) {
this.logger.info('任务已全部完成');
if (statusCount.unauthorized > 0) {
throw new Error('有未授权服务角色导致任务失败需给Access授权服务角色SSL_QCSLinkedRoleInReplaceLoadCertificate');
}
return;
}
await this.ctx.utils.sleep(10000);
}
this.logger.error('检查任务结果超时', JSON.stringify(results));
}
}
new TencentDeleteExpiringCert();

1
packages/ui/certd-server/src/plugins/plugin-tencent/plugin/index.ts
View File

@ -5,3 +5,4 @@ export * from './deploy-to-cdn-v2/index.js';
export * from './upload-to-tencent/index.js'; export * from './upload-to-tencent/index.js';
export * from './deploy-to-cos/index.js'; export * from './deploy-to-cos/index.js';
export * from './deploy-to-eo/index.js'; export * from './deploy-to-eo/index.js';
export * from './delete-expiring-cert/index.js';