chore: move '/internal/pkg' to '/pkg'

pkg/core/ssl-deployer/providers/aws-acm/aws_acm.go

@@ -0,0 +1,122 @@
+package awsacm
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log/slog"
+
+	aws "github.com/aws/aws-sdk-go-v2/aws"
+	awscfg "github.com/aws/aws-sdk-go-v2/config"
+	awscred "github.com/aws/aws-sdk-go-v2/credentials"
+	awsacm "github.com/aws/aws-sdk-go-v2/service/acm"
+
+	"github.com/usual2970/certimate/pkg/core"
+	sslmgrsp "github.com/usual2970/certimate/pkg/core/ssl-manager/providers/aws-acm"
+	xcert "github.com/usual2970/certimate/pkg/utils/cert"
+)
+
+type SSLDeployerProviderConfig struct {
+	// AWS AccessKeyId。
+	AccessKeyId string `json:"accessKeyId"`
+	// AWS SecretAccessKey。
+	SecretAccessKey string `json:"secretAccessKey"`
+	// AWS 区域。
+	Region string `json:"region"`
+	// ACM 证书 ARN。
+	// 选填。零值时表示新建证书；否则表示更新证书。
+	CertificateArn string `json:"certificateArn,omitempty"`
+}
+
+type SSLDeployerProvider struct {
+	config     *SSLDeployerProviderConfig
+	logger     *slog.Logger
+	sdkClient  *awsacm.Client
+	sslManager core.SSLManager
+}
+
+var _ core.SSLDeployer = (*SSLDeployerProvider)(nil)
+
+func NewSSLDeployerProvider(config *SSLDeployerProviderConfig) (*SSLDeployerProvider, error) {
+	if config == nil {
+		return nil, errors.New("the configuration of the ssl deployer provider is nil")
+	}
+
+	client, err := createSDKClient(config.AccessKeyId, config.SecretAccessKey, config.Region)
+	if err != nil {
+		return nil, fmt.Errorf("could not create sdk client: %w", err)
+	}
+
+	sslmgr, err := sslmgrsp.NewSSLManagerProvider(&sslmgrsp.SSLManagerProviderConfig{
+		AccessKeyId:     config.AccessKeyId,
+		SecretAccessKey: config.SecretAccessKey,
+		Region:          config.Region,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("could not create ssl manager: %w", err)
+	}
+
+	return &SSLDeployerProvider{
+		config:     config,
+		logger:     slog.Default(),
+		sdkClient:  client,
+		sslManager: sslmgr,
+	}, nil
+}
+
+func (d *SSLDeployerProvider) SetLogger(logger *slog.Logger) {
+	if logger == nil {
+		d.logger = slog.New(slog.DiscardHandler)
+	} else {
+		d.logger = logger
+	}
+
+	d.sslManager.SetLogger(logger)
+}
+
+func (d *SSLDeployerProvider) Deploy(ctx context.Context, certPEM string, privkeyPEM string) (*core.SSLDeployResult, error) {
+	if d.config.CertificateArn == "" {
+		// 上传证书
+		upres, err := d.sslManager.Upload(ctx, certPEM, privkeyPEM)
+		if err != nil {
+			return nil, fmt.Errorf("failed to upload certificate file: %w", err)
+		} else {
+			d.logger.Info("ssl certificate uploaded", slog.Any("result", upres))
+		}
+	} else {
+		// 提取服务器证书
+		serverCertPEM, intermediaCertPEM, err := xcert.ExtractCertificatesFromPEM(certPEM)
+		if err != nil {
+			return nil, fmt.Errorf("failed to extract certs: %w", err)
+		}
+
+		// 导入证书
+		// REF: https://docs.aws.amazon.com/en_us/acm/latest/APIReference/API_ImportCertificate.html
+		importCertificateReq := &awsacm.ImportCertificateInput{
+			CertificateArn:   aws.String(d.config.CertificateArn),
+			Certificate:      ([]byte)(serverCertPEM),
+			CertificateChain: ([]byte)(intermediaCertPEM),
+			PrivateKey:       ([]byte)(privkeyPEM),
+		}
+		importCertificateResp, err := d.sdkClient.ImportCertificate(context.TODO(), importCertificateReq)
+		d.logger.Debug("sdk request 'acm.ImportCertificate'", slog.Any("request", importCertificateReq), slog.Any("response", importCertificateResp))
+		if err != nil {
+			return nil, fmt.Errorf("failed to execute sdk request 'acm.ImportCertificate': %w", err)
+		}
+	}
+
+	return &core.SSLDeployResult{}, nil
+}
+
+func createSDKClient(accessKeyId, secretAccessKey, region string) (*awsacm.Client, error) {
+	cfg, err := awscfg.LoadDefaultConfig(context.TODO())
+	if err != nil {
+		return nil, err
+	}
+
+	client := awsacm.NewFromConfig(cfg, func(o *awsacm.Options) {
+		o.Region = region
+		o.Credentials = aws.NewCredentialsCache(awscred.NewStaticCredentialsProvider(accessKeyId, secretAccessKey, ""))
+	})
+	return client, nil
+}