feat: extract some configs from access to apply logic
This commit is contained in:
Fu Diwei
@@ -18,16 +18,6 @@ import (
|
||||
"github.com/usual2970/certimate/internal/repository"
|
||||
)
|
||||
|
||||
type applyConfig struct {
|
||||
Domains string
|
||||
ContactEmail string
|
||||
AccessConfig string
|
||||
KeyAlgorithm string
|
||||
Nameservers string
|
||||
PropagationTimeout int32
|
||||
DisableFollowCNAME bool
|
||||
}
|
||||
|
||||
type ApplyCertResult struct {
|
||||
Certificate string
|
||||
PrivateKey string
|
||||
@@ -41,6 +31,18 @@ type Applicant interface {
|
||||
Apply() (*ApplyCertResult, error)
|
||||
}
|
||||
|
||||
type applicantOptions struct {
|
||||
Domains []string
|
||||
ContactEmail string
|
||||
Provider domain.ApplyDNSProviderType
|
||||
ProviderAccessConfig map[string]any
|
||||
ProviderApplyConfig map[string]any
|
||||
KeyAlgorithm string
|
||||
Nameservers []string
|
||||
PropagationTimeout int32
|
||||
DisableFollowCNAME bool
|
||||
}
|
||||
|
||||
func NewWithApplyNode(node *domain.WorkflowNode) (Applicant, error) {
|
||||
if node.Type != domain.WorkflowNodeTypeApply {
|
||||
return nil, fmt.Errorf("node type is not apply")
|
||||
@@ -53,29 +55,35 @@ func NewWithApplyNode(node *domain.WorkflowNode) (Applicant, error) {
|
||||
return nil, fmt.Errorf("failed to get access #%s record: %w", accessId, err)
|
||||
}
|
||||
|
||||
applyProvider := node.GetConfigString("provider")
|
||||
applyConfig := &applyConfig{
|
||||
Domains: node.GetConfigString("domains"),
|
||||
ContactEmail: node.GetConfigString("contactEmail"),
|
||||
AccessConfig: access.Config,
|
||||
KeyAlgorithm: node.GetConfigString("keyAlgorithm"),
|
||||
Nameservers: node.GetConfigString("nameservers"),
|
||||
PropagationTimeout: node.GetConfigInt32("propagationTimeout"),
|
||||
DisableFollowCNAME: node.GetConfigBool("disableFollowCNAME"),
|
||||
accessConfig, err := access.UnmarshalConfigToMap()
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to unmarshal access config: %w", err)
|
||||
}
|
||||
|
||||
challengeProvider, err := createChallengeProvider(domain.ApplyDNSProviderType(applyProvider), access.Config, applyConfig)
|
||||
options := &applicantOptions{
|
||||
Domains: strings.Split(node.GetConfigString("domains"), ";"),
|
||||
ContactEmail: node.GetConfigString("contactEmail"),
|
||||
Provider: domain.ApplyDNSProviderType(node.GetConfigString("provider")),
|
||||
ProviderAccessConfig: accessConfig,
|
||||
ProviderApplyConfig: node.GetConfigMap("providerConfig"),
|
||||
KeyAlgorithm: node.GetConfigString("keyAlgorithm"),
|
||||
Nameservers: strings.Split(node.GetConfigString("nameservers"), ";"),
|
||||
PropagationTimeout: node.GetConfigInt32("propagationTimeout"),
|
||||
DisableFollowCNAME: node.GetConfigBool("disableFollowCNAME"),
|
||||
}
|
||||
|
||||
applicant, err := createApplicant(options)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return &proxyApplicant{
|
||||
applicant: challengeProvider,
|
||||
applyConfig: applyConfig,
|
||||
applicant: applicant,
|
||||
options: options,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func apply(challengeProvider challenge.Provider, applyConfig *applyConfig) (*ApplyCertResult, error) {
|
||||
func apply(challengeProvider challenge.Provider, options *applicantOptions) (*ApplyCertResult, error) {
|
||||
settingsRepo := repository.NewSettingsRepository()
|
||||
settings, _ := settingsRepo.GetByName(context.Background(), "sslProvider")
|
||||
|
||||
@@ -93,20 +101,20 @@ func apply(challengeProvider challenge.Provider, applyConfig *applyConfig) (*App
|
||||
sslProviderConfig.Provider = defaultSSLProvider
|
||||
}
|
||||
|
||||
myUser, err := newAcmeUser(sslProviderConfig.Provider, applyConfig.ContactEmail)
|
||||
myUser, err := newAcmeUser(sslProviderConfig.Provider, options.ContactEmail)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Some unified lego environment variables are configured here.
|
||||
// link: https://github.com/go-acme/lego/issues/1867
|
||||
os.Setenv("LEGO_DISABLE_CNAME_SUPPORT", strconv.FormatBool(applyConfig.DisableFollowCNAME))
|
||||
os.Setenv("LEGO_DISABLE_CNAME_SUPPORT", strconv.FormatBool(options.DisableFollowCNAME))
|
||||
|
||||
config := lego.NewConfig(myUser)
|
||||
|
||||
// This CA URL is configured for a local dev instance of Boulder running in Docker in a VM.
|
||||
config.CADirURL = sslProviderUrls[sslProviderConfig.Provider]
|
||||
config.Certificate.KeyType = parseKeyAlgorithm(applyConfig.KeyAlgorithm)
|
||||
config.Certificate.KeyType = parseKeyAlgorithm(options.KeyAlgorithm)
|
||||
|
||||
// A client facilitates communication with the CA server.
|
||||
client, err := lego.NewClient(config)
|
||||
@@ -115,8 +123,8 @@ func apply(challengeProvider challenge.Provider, applyConfig *applyConfig) (*App
|
||||
}
|
||||
|
||||
challengeOptions := make([]dns01.ChallengeOption, 0)
|
||||
if len(applyConfig.Nameservers) > 0 {
|
||||
challengeOptions = append(challengeOptions, dns01.AddRecursiveNameservers(dns01.ParseNameservers(strings.Split(applyConfig.Nameservers, ";"))))
|
||||
if len(options.Nameservers) > 0 {
|
||||
challengeOptions = append(challengeOptions, dns01.AddRecursiveNameservers(dns01.ParseNameservers(options.Nameservers)))
|
||||
challengeOptions = append(challengeOptions, dns01.DisableAuthoritativeNssPropagationRequirement())
|
||||
}
|
||||
|
||||
@@ -132,7 +140,7 @@ func apply(challengeProvider challenge.Provider, applyConfig *applyConfig) (*App
|
||||
}
|
||||
|
||||
certRequest := certificate.ObtainRequest{
|
||||
Domains: strings.Split(applyConfig.Domains, ";"),
|
||||
Domains: options.Domains,
|
||||
Bundle: true,
|
||||
}
|
||||
certResource, err := client.Certificate.Obtain(certRequest)
|
||||
@@ -144,9 +152,9 @@ func apply(challengeProvider challenge.Provider, applyConfig *applyConfig) (*App
|
||||
PrivateKey: string(certResource.PrivateKey),
|
||||
Certificate: string(certResource.Certificate),
|
||||
IssuerCertificate: string(certResource.IssuerCertificate),
|
||||
CSR: string(certResource.CSR),
|
||||
ACMECertUrl: certResource.CertURL,
|
||||
ACMECertStableUrl: certResource.CertStableURL,
|
||||
CSR: string(certResource.CSR),
|
||||
}, nil
|
||||
}
|
||||
|
||||
@@ -171,10 +179,10 @@ func parseKeyAlgorithm(algo string) certcrypto.KeyType {
|
||||
|
||||
// TODO: 暂时使用代理模式以兼容之前版本代码,后续重新实现此处逻辑
|
||||
type proxyApplicant struct {
|
||||
applicant challenge.Provider
|
||||
applyConfig *applyConfig
|
||||
applicant challenge.Provider
|
||||
options *applicantOptions
|
||||
}
|
||||
|
||||
func (d *proxyApplicant) Apply() (*ApplyCertResult, error) {
|
||||
return apply(d.applicant, d.applyConfig)
|
||||
return apply(d.applicant, d.options)
|
||||
}
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
package applicant
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
|
||||
"github.com/go-acme/lego/v4/challenge"
|
||||
@@ -18,19 +17,20 @@ import (
|
||||
providerPowerDNS "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/powerdns"
|
||||
providerTencentCloud "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/tencentcloud"
|
||||
providerVolcEngine "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/volcengine"
|
||||
"github.com/usual2970/certimate/internal/pkg/utils/maps"
|
||||
)
|
||||
|
||||
func createChallengeProvider(provider domain.ApplyDNSProviderType, accessConfig string, applyConfig *applyConfig) (challenge.Provider, error) {
|
||||
func createApplicant(options *applicantOptions) (challenge.Provider, error) {
|
||||
/*
|
||||
注意:如果追加新的常量值,请保持以 ASCII 排序。
|
||||
NOTICE: If you add new constant, please keep ASCII order.
|
||||
*/
|
||||
switch provider {
|
||||
switch options.Provider {
|
||||
case domain.ApplyDNSProviderTypeACMEHttpReq:
|
||||
{
|
||||
access := &domain.AccessConfigForACMEHttpReq{}
|
||||
if err := json.Unmarshal([]byte(accessConfig), access); err != nil {
|
||||
return nil, fmt.Errorf("failed to unmarshal access config: %w", err)
|
||||
access := domain.AccessConfigForACMEHttpReq{}
|
||||
if err := maps.Decode(options.ProviderAccessConfig, &access); err != nil {
|
||||
return nil, fmt.Errorf("failed to decode provider access config: %w", err)
|
||||
}
|
||||
|
||||
applicant, err := providerACMEHttpReq.NewChallengeProvider(&providerACMEHttpReq.ACMEHttpReqApplicantConfig{
|
||||
@@ -38,162 +38,162 @@ func createChallengeProvider(provider domain.ApplyDNSProviderType, accessConfig
|
||||
Mode: access.Mode,
|
||||
Username: access.Username,
|
||||
Password: access.Password,
|
||||
PropagationTimeout: applyConfig.PropagationTimeout,
|
||||
PropagationTimeout: options.PropagationTimeout,
|
||||
})
|
||||
return applicant, err
|
||||
}
|
||||
|
||||
case domain.ApplyDNSProviderTypeAliyun, domain.ApplyDNSProviderTypeAliyunDNS:
|
||||
{
|
||||
access := &domain.AccessConfigForAliyun{}
|
||||
if err := json.Unmarshal([]byte(accessConfig), access); err != nil {
|
||||
return nil, fmt.Errorf("failed to unmarshal access config: %w", err)
|
||||
access := domain.AccessConfigForAliyun{}
|
||||
if err := maps.Decode(options.ProviderAccessConfig, &access); err != nil {
|
||||
return nil, fmt.Errorf("failed to decode provider access config: %w", err)
|
||||
}
|
||||
|
||||
applicant, err := providerAliyun.NewChallengeProvider(&providerAliyun.AliyunApplicantConfig{
|
||||
AccessKeyId: access.AccessKeyId,
|
||||
AccessKeySecret: access.AccessKeySecret,
|
||||
PropagationTimeout: applyConfig.PropagationTimeout,
|
||||
PropagationTimeout: options.PropagationTimeout,
|
||||
})
|
||||
return applicant, err
|
||||
}
|
||||
|
||||
case domain.ApplyDNSProviderTypeAWS, domain.ApplyDNSProviderTypeAWSRoute53:
|
||||
{
|
||||
access := &domain.AccessConfigForAWS{}
|
||||
if err := json.Unmarshal([]byte(accessConfig), access); err != nil {
|
||||
return nil, fmt.Errorf("failed to unmarshal access config: %w", err)
|
||||
access := domain.AccessConfigForAWS{}
|
||||
if err := maps.Decode(options.ProviderAccessConfig, &access); err != nil {
|
||||
return nil, fmt.Errorf("failed to decode provider access config: %w", err)
|
||||
}
|
||||
|
||||
applicant, err := providerAWS.NewChallengeProvider(&providerAWS.AWSApplicantConfig{
|
||||
AccessKeyId: access.AccessKeyId,
|
||||
SecretAccessKey: access.SecretAccessKey,
|
||||
Region: access.Region,
|
||||
HostedZoneId: access.HostedZoneId,
|
||||
PropagationTimeout: applyConfig.PropagationTimeout,
|
||||
Region: maps.GetValueAsString(options.ProviderApplyConfig, "region"),
|
||||
HostedZoneId: maps.GetValueAsString(options.ProviderApplyConfig, "hostedZoneId"),
|
||||
PropagationTimeout: options.PropagationTimeout,
|
||||
})
|
||||
return applicant, err
|
||||
}
|
||||
|
||||
case domain.ApplyDNSProviderTypeCloudflare:
|
||||
{
|
||||
access := &domain.AccessConfigForCloudflare{}
|
||||
if err := json.Unmarshal([]byte(accessConfig), access); err != nil {
|
||||
return nil, fmt.Errorf("failed to unmarshal access config: %w", err)
|
||||
access := domain.AccessConfigForCloudflare{}
|
||||
if err := maps.Decode(options.ProviderAccessConfig, &access); err != nil {
|
||||
return nil, fmt.Errorf("failed to decode provider access config: %w", err)
|
||||
}
|
||||
|
||||
applicant, err := providerCloudflare.NewChallengeProvider(&providerCloudflare.CloudflareApplicantConfig{
|
||||
DnsApiToken: access.DnsApiToken,
|
||||
PropagationTimeout: applyConfig.PropagationTimeout,
|
||||
PropagationTimeout: options.PropagationTimeout,
|
||||
})
|
||||
return applicant, err
|
||||
}
|
||||
|
||||
case domain.ApplyDNSProviderTypeGoDaddy:
|
||||
{
|
||||
access := &domain.AccessConfigForGoDaddy{}
|
||||
if err := json.Unmarshal([]byte(accessConfig), access); err != nil {
|
||||
return nil, fmt.Errorf("failed to unmarshal access config: %w", err)
|
||||
access := domain.AccessConfigForGoDaddy{}
|
||||
if err := maps.Decode(options.ProviderAccessConfig, &access); err != nil {
|
||||
return nil, fmt.Errorf("failed to decode provider access config: %w", err)
|
||||
}
|
||||
|
||||
applicant, err := providerGoDaddy.NewChallengeProvider(&providerGoDaddy.GoDaddyApplicantConfig{
|
||||
ApiKey: access.ApiKey,
|
||||
ApiSecret: access.ApiSecret,
|
||||
PropagationTimeout: applyConfig.PropagationTimeout,
|
||||
PropagationTimeout: options.PropagationTimeout,
|
||||
})
|
||||
return applicant, err
|
||||
}
|
||||
|
||||
case domain.ApplyDNSProviderTypeHuaweiCloud, domain.ApplyDNSProviderTypeHuaweiCloudDNS:
|
||||
{
|
||||
access := &domain.AccessConfigForHuaweiCloud{}
|
||||
if err := json.Unmarshal([]byte(accessConfig), access); err != nil {
|
||||
return nil, fmt.Errorf("failed to unmarshal access config: %w", err)
|
||||
access := domain.AccessConfigForHuaweiCloud{}
|
||||
if err := maps.Decode(options.ProviderAccessConfig, &access); err != nil {
|
||||
return nil, fmt.Errorf("failed to decode provider access config: %w", err)
|
||||
}
|
||||
|
||||
applicant, err := providerHuaweiCloud.NewChallengeProvider(&providerHuaweiCloud.HuaweiCloudApplicantConfig{
|
||||
AccessKeyId: access.AccessKeyId,
|
||||
SecretAccessKey: access.SecretAccessKey,
|
||||
Region: access.Region,
|
||||
PropagationTimeout: applyConfig.PropagationTimeout,
|
||||
Region: maps.GetValueAsString(options.ProviderApplyConfig, "region"),
|
||||
PropagationTimeout: options.PropagationTimeout,
|
||||
})
|
||||
return applicant, err
|
||||
}
|
||||
|
||||
case domain.ApplyDNSProviderTypeNameDotCom:
|
||||
{
|
||||
access := &domain.AccessConfigForNameDotCom{}
|
||||
if err := json.Unmarshal([]byte(accessConfig), access); err != nil {
|
||||
return nil, fmt.Errorf("failed to unmarshal access config: %w", err)
|
||||
access := domain.AccessConfigForNameDotCom{}
|
||||
if err := maps.Decode(options.ProviderAccessConfig, &access); err != nil {
|
||||
return nil, fmt.Errorf("failed to decode provider access config: %w", err)
|
||||
}
|
||||
|
||||
applicant, err := providerNameDotCom.NewChallengeProvider(&providerNameDotCom.NameDotComApplicantConfig{
|
||||
Username: access.Username,
|
||||
ApiToken: access.ApiToken,
|
||||
PropagationTimeout: applyConfig.PropagationTimeout,
|
||||
PropagationTimeout: options.PropagationTimeout,
|
||||
})
|
||||
return applicant, err
|
||||
}
|
||||
|
||||
case domain.ApplyDNSProviderTypeNameSilo:
|
||||
{
|
||||
access := &domain.AccessConfigForNameSilo{}
|
||||
if err := json.Unmarshal([]byte(accessConfig), access); err != nil {
|
||||
return nil, fmt.Errorf("failed to unmarshal access config: %w", err)
|
||||
access := domain.AccessConfigForNameSilo{}
|
||||
if err := maps.Decode(options.ProviderAccessConfig, &access); err != nil {
|
||||
return nil, fmt.Errorf("failed to decode provider access config: %w", err)
|
||||
}
|
||||
|
||||
applicant, err := providerNameSilo.NewChallengeProvider(&providerNameSilo.NameSiloApplicantConfig{
|
||||
ApiKey: access.ApiKey,
|
||||
PropagationTimeout: applyConfig.PropagationTimeout,
|
||||
PropagationTimeout: options.PropagationTimeout,
|
||||
})
|
||||
return applicant, err
|
||||
}
|
||||
|
||||
case domain.ApplyDNSProviderTypePowerDNS:
|
||||
{
|
||||
access := &domain.AccessConfigForPowerDNS{}
|
||||
if err := json.Unmarshal([]byte(accessConfig), access); err != nil {
|
||||
return nil, fmt.Errorf("failed to unmarshal access config: %w", err)
|
||||
access := domain.AccessConfigForPowerDNS{}
|
||||
if err := maps.Decode(options.ProviderAccessConfig, &access); err != nil {
|
||||
return nil, fmt.Errorf("failed to decode provider access config: %w", err)
|
||||
}
|
||||
|
||||
applicant, err := providerPowerDNS.NewChallengeProvider(&providerPowerDNS.PowerDNSApplicantConfig{
|
||||
ApiUrl: access.ApiUrl,
|
||||
ApiKey: access.ApiKey,
|
||||
PropagationTimeout: applyConfig.PropagationTimeout,
|
||||
PropagationTimeout: options.PropagationTimeout,
|
||||
})
|
||||
return applicant, err
|
||||
}
|
||||
|
||||
case domain.ApplyDNSProviderTypeTencentCloud, domain.ApplyDNSProviderTypeTencentCloudDNS:
|
||||
{
|
||||
access := &domain.AccessConfigForTencentCloud{}
|
||||
if err := json.Unmarshal([]byte(accessConfig), access); err != nil {
|
||||
return nil, fmt.Errorf("failed to unmarshal access config: %w", err)
|
||||
access := domain.AccessConfigForTencentCloud{}
|
||||
if err := maps.Decode(options.ProviderAccessConfig, &access); err != nil {
|
||||
return nil, fmt.Errorf("failed to decode provider access config: %w", err)
|
||||
}
|
||||
|
||||
applicant, err := providerTencentCloud.NewChallengeProvider(&providerTencentCloud.TencentCloudApplicantConfig{
|
||||
SecretId: access.SecretId,
|
||||
SecretKey: access.SecretKey,
|
||||
PropagationTimeout: applyConfig.PropagationTimeout,
|
||||
PropagationTimeout: options.PropagationTimeout,
|
||||
})
|
||||
return applicant, err
|
||||
}
|
||||
|
||||
case domain.ApplyDNSProviderTypeVolcEngine, domain.ApplyDNSProviderTypeVolcEngineDNS:
|
||||
{
|
||||
access := &domain.AccessConfigForVolcEngine{}
|
||||
if err := json.Unmarshal([]byte(accessConfig), access); err != nil {
|
||||
return nil, fmt.Errorf("failed to unmarshal access config: %w", err)
|
||||
access := domain.AccessConfigForVolcEngine{}
|
||||
if err := maps.Decode(options.ProviderAccessConfig, &access); err != nil {
|
||||
return nil, fmt.Errorf("failed to decode provider access config: %w", err)
|
||||
}
|
||||
|
||||
applicant, err := providerVolcEngine.NewChallengeProvider(&providerVolcEngine.VolcEngineApplicantConfig{
|
||||
AccessKeyId: access.AccessKeyId,
|
||||
SecretAccessKey: access.SecretAccessKey,
|
||||
PropagationTimeout: applyConfig.PropagationTimeout,
|
||||
PropagationTimeout: options.PropagationTimeout,
|
||||
})
|
||||
return applicant, err
|
||||
}
|
||||
}
|
||||
|
||||
return nil, fmt.Errorf("unsupported applicant provider: %s", provider)
|
||||
return nil, fmt.Errorf("unsupported applicant provider: %s", string(options.Provider))
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user