@certd/plugin-cert 1.0.0

package/package.json

@@ -0,0 +1,46 @@
+{
+  "name": "@certd/plugin-cert",
+  "private": false,
+  "version": "1.0.0",
+  "main": "./dist/plugin-cert.umd.js",
+  "module": "./dist/plugin-cert.mjs",
+  "types": "./dist/es/plugin-cert.d.ts",
+  "dependencies": {
+    "@certd/acme-client": "^1.0.0",
+    "@certd/pipeline": "^1.0.0",
+    "node-forge": "^0.10.0"
+  },
+  "devDependencies": {
+    "@alicloud/cs20151215": "^3.0.3",
+    "@alicloud/openapi-client": "^0.4.0",
+    "@alicloud/pop-core": "^1.7.10",
+    "@midwayjs/core": "^3.0.0",
+    "@midwayjs/decorator": "^3.0.0",
+    "@types/chai": "^4.3.3",
+    "@types/lodash": "^4.14.186",
+    "@types/mocha": "^10.0.0",
+    "@types/node-forge": "^1.3.0",
+    "@typescript-eslint/eslint-plugin": "^5.38.1",
+    "@typescript-eslint/parser": "^5.38.1",
+    "chai": "^4.3.6",
+    "dayjs": "^1.11.6",
+    "eslint": "^8.24.0",
+    "eslint-config-prettier": "^8.5.0",
+    "eslint-plugin-import": "^2.26.0",
+    "eslint-plugin-node": "^11.1.0",
+    "eslint-plugin-prettier": "^4.2.1",
+    "lodash": "^4.17.21",
+    "log4js": "^6.7.1",
+    "mocha": "^10.1.0",
+    "ts-node": "^10.9.1",
+    "typescript": "^4.8.4",
+    "vite": "^3.1.0",
+    "vue-tsc": "^0.38.9"
+  },
+  "gitHead": "5950e1cae7cf30ebfc5128c15c7d1b0d101cbbb8",
+  "scripts": {
+    "dev": "vite",
+    "build": "vue-tsc --noEmit && vite build",
+    "preview": "vite preview"
+  }
+}

package/src/dns-provider/api.ts

@@ -0,0 +1,23 @@
+import { Registrable } from "@certd/pipeline";
+
+export type DnsProviderDefine = Registrable & {
+  accessType: string;
+  autowire?: {
+    [key: string]: any;
+  };
+};
+
+export type CreateRecordOptions = {
+  fullRecord: string;
+  type: string;
+  value: any;
+};
+export type RemoveRecordOptions = CreateRecordOptions & {
+  record: any;
+};
+
+export interface IDnsProvider {
+  onInstance(): Promise<void>;
+  createRecord(options: CreateRecordOptions): Promise<any>;
+  removeRecord(options: RemoveRecordOptions): Promise<any>;
+}

package/src/dns-provider/decorator.ts

@@ -0,0 +1,30 @@
+import { dnsProviderRegistry } from "./registry";
+import { DnsProviderDefine } from "./api";
+import { Decorator, AUTOWIRE_KEY } from "@certd/pipeline";
+import _ from "lodash";
+
+// 提供一个唯一 key
+export const DNS_PROVIDER_CLASS_KEY = "pipeline:dns-provider";
+
+export function IsDnsProvider(define: DnsProviderDefine): ClassDecorator {
+  return (target: any) => {
+    target = Decorator.target(target);
+    const autowires: any = {};
+    const properties = Decorator.getClassProperties(target);
+    for (const property in properties) {
+      const autowire = Reflect.getMetadata(AUTOWIRE_KEY, target, property);
+      if (autowire) {
+        autowires[property] = autowire;
+      }
+    }
+    _.merge(define, { autowire: autowires });
+
+    Reflect.defineMetadata(DNS_PROVIDER_CLASS_KEY, define, target);
+
+    target.define = define;
+    dnsProviderRegistry.register(define.name, {
+      define,
+      target,
+    });
+  };
+}

package/src/dns-provider/index.ts

@@ -0,0 +1,3 @@
+export * from "./api";
+export * from "./registry";
+export * from "./decorator";

package/src/dns-provider/registry.ts

@@ -0,0 +1,3 @@
+import { Registry } from "@certd/pipeline";
+
+export const dnsProviderRegistry = new Registry();

package/src/index.ts

@@ -0,0 +1,2 @@
+export * from "./plugin";
+export * from "./dns-provider";

package/src/plugin/cert-plugin/acme.ts

@@ -0,0 +1,205 @@
+// @ts-ignore
+import * as acme from "@certd/acme-client";
+import _ from "lodash";
+import { Challenge } from "@certd/acme-client/types/rfc8555";
+import { Logger } from "log4js";
+import { IContext } from "@certd/pipeline/src/core/context";
+import { IDnsProvider } from "../../dns-provider";
+export type CertInfo = {
+  crt: string;
+  key: string;
+  csr: string;
+};
+export class AcmeService {
+  userContext: IContext;
+  logger: Logger;
+  constructor(options: { userContext: IContext; logger: Logger }) {
+    this.userContext = options.userContext;
+    this.logger = options.logger;
+    acme.setLogger((text: string) => {
+      this.logger.info(text);
+    });
+  }
+
+  async getAccountConfig(email: string): Promise<any> {
+    return (await this.userContext.getObj(this.buildAccountKey(email))) || {};
+  }
+
+  buildAccountKey(email: string) {
+    return "acme.config." + email;
+  }
+
+  async saveAccountConfig(email: string, conf: any) {
+    await this.userContext.setObj(this.buildAccountKey(email), conf);
+  }
+
+  async getAcmeClient(email: string, isTest = false): Promise<acme.Client> {
+    const conf = await this.getAccountConfig(email);
+    if (conf.key == null) {
+      conf.key = await this.createNewKey();
+      await this.saveAccountConfig(email, conf);
+    }
+    const client = new acme.Client({
+      directoryUrl: isTest ? acme.directory.letsencrypt.staging : acme.directory.letsencrypt.production,
+      accountKey: conf.key,
+      accountUrl: conf.accountUrl,
+      backoffAttempts: 20,
+      backoffMin: 5000,
+      backoffMax: 10000,
+    });
+
+    if (conf.accountUrl == null) {
+      const accountPayload = {
+        termsOfServiceAgreed: true,
+        contact: [`mailto:${email}`],
+      };
+      await client.createAccount(accountPayload);
+      conf.accountUrl = client.getAccountUrl();
+      await this.saveAccountConfig(email, conf);
+    }
+    return client;
+  }
+
+  async createNewKey() {
+    const key = await acme.forge.createPrivateKey();
+    return key.toString();
+  }
+
+  async challengeCreateFn(authz: any, challenge: any, keyAuthorization: string, dnsProvider: IDnsProvider) {
+    this.logger.info("Triggered challengeCreateFn()");
+
+    /* http-01 */
+    if (challenge.type === "http-01") {
+      const filePath = `/var/www/html/.well-known/acme-challenge/${challenge.token}`;
+      const fileContents = keyAuthorization;
+
+      this.logger.info(`Creating challenge response for ${authz.identifier.value} at path: ${filePath}`);
+
+      /* Replace this */
+      this.logger.info(`Would write "${fileContents}" to path "${filePath}"`);
+      // await fs.writeFileAsync(filePath, fileContents);
+    } else if (challenge.type === "dns-01") {
+      /* dns-01 */
+      const dnsRecord = `_acme-challenge.${authz.identifier.value}`;
+      const recordValue = keyAuthorization;
+
+      this.logger.info(`Creating TXT record for ${authz.identifier.value}: ${dnsRecord}`);
+
+      /* Replace this */
+      this.logger.info(`Would create TXT record "${dnsRecord}" with value "${recordValue}"`);
+
+      return await dnsProvider.createRecord({
+        fullRecord: dnsRecord,
+        type: "TXT",
+        value: recordValue,
+      });
+    }
+  }
+
+  /**
+   * Function used to remove an ACME challenge response
+   *
+   * @param {object} authz Authorization object
+   * @param {object} challenge Selected challenge
+   * @param {string} keyAuthorization Authorization key
+   * @param recordItem  challengeCreateFn create record item
+   * @param dnsProvider dnsProvider
+   * @returns {Promise}
+   */
+
+  async challengeRemoveFn(authz: any, challenge: any, keyAuthorization: string, recordItem: any, dnsProvider: IDnsProvider) {
+    this.logger.info("Triggered challengeRemoveFn()");
+
+    /* http-01 */
+    if (challenge.type === "http-01") {
+      const filePath = `/var/www/html/.well-known/acme-challenge/${challenge.token}`;
+
+      this.logger.info(`Removing challenge response for ${authz.identifier.value} at path: ${filePath}`);
+
+      /* Replace this */
+      this.logger.info(`Would remove file on path "${filePath}"`);
+      // await fs.unlinkAsync(filePath);
+    } else if (challenge.type === "dns-01") {
+      const dnsRecord = `_acme-challenge.${authz.identifier.value}`;
+      const recordValue = keyAuthorization;
+
+      this.logger.info(`Removing TXT record for ${authz.identifier.value}: ${dnsRecord}`);
+
+      /* Replace this */
+      this.logger.info(`Would remove TXT record "${dnsRecord}" with value "${recordValue}"`);
+      try {
+        await dnsProvider.removeRecord({
+          fullRecord: dnsRecord,
+          type: "TXT",
+          value: keyAuthorization,
+          record: recordItem,
+        });
+      } catch (e) {
+        this.logger.error("删除解析记录出错：", e);
+        throw e;
+      }
+    }
+  }
+
+  async order(options: { email: string; domains: string | string[]; dnsProvider: any; csrInfo: any; isTest?: boolean }) {
+    const { email, isTest, domains, csrInfo, dnsProvider } = options;
+    const client: acme.Client = await this.getAcmeClient(email, isTest);
+
+    /* Create CSR */
+    const { commonName, altNames } = this.buildCommonNameByDomains(domains);
+
+    const [key, csr] = await acme.forge.createCsr({
+      commonName,
+      ...csrInfo,
+      altNames,
+    });
+    if (dnsProvider == null) {
+      throw new Error("dnsProvider 不能为空");
+    }
+    /* 自动申请证书 */
+    const crt = await client.auto({
+      csr,
+      email: email,
+      termsOfServiceAgreed: true,
+      challengePriority: ["dns-01"],
+      challengeCreateFn: async (authz: acme.Authorization, challenge: Challenge, keyAuthorization: string): Promise<any> => {
+        return await this.challengeCreateFn(authz, challenge, keyAuthorization, dnsProvider);
+      },
+      challengeRemoveFn: async (authz: acme.Authorization, challenge: Challenge, keyAuthorization: string, recordItem: any): Promise<any> => {
+        return await this.challengeRemoveFn(authz, challenge, keyAuthorization, recordItem, dnsProvider);
+      },
+    });
+
+    const cert: CertInfo = {
+      crt: crt.toString(),
+      key: key.toString(),
+      csr: csr.toString(),
+    };
+    /* Done */
+    this.logger.debug(`CSR:\n${cert.csr}`);
+    this.logger.debug(`Certificate:\n${cert.crt}`);
+    this.logger.info("证书申请成功");
+    return cert;
+  }
+
+  buildCommonNameByDomains(domains: string | string[]): {
+    commonName: string;
+    altNames: string[] | undefined;
+  } {
+    if (typeof domains === "string") {
+      domains = domains.split(",");
+    }
+    if (domains.length === 0) {
+      throw new Error("domain can not be empty");
+    }
+    const commonName = domains[0];
+    let altNames: undefined | string[] = undefined;
+    if (domains.length > 1) {
+      altNames = _.slice(domains, 1);
+    }
+    return {
+      commonName,
+      altNames,
+    };
+  }
+}

package/src/plugin/cert-plugin/cert-reader.ts

@@ -0,0 +1,52 @@
+import { CertInfo } from "./acme";
+import fs from "fs";
+import os from "os";
+import forge from "node-forge";
+import path from "path";
+export class CertReader implements CertInfo {
+  crt: string;
+  key: string;
+  csr: string;
+
+  detail: any;
+  expires: number;
+  constructor(certInfo: CertInfo) {
+    this.crt = certInfo.crt;
+    this.key = certInfo.key;
+    this.csr = certInfo.csr;
+
+    const { detail, expires } = this.getCrtDetail(this.crt);
+    this.detail = detail;
+    this.expires = expires.getTime();
+  }
+
+  toCertInfo(): CertInfo {
+    return {
+      crt: this.crt,
+      key: this.key,
+      csr: this.csr,
+    };
+  }
+
+  getCrtDetail(crt: string) {
+    const pki = forge.pki;
+    const detail = pki.certificateFromPem(crt.toString());
+    const expires = detail.validity.notAfter;
+    return { detail, expires };
+  }
+
+  saveToFile(type: "crt" | "key", filepath?: string) {
+    if (filepath == null) {
+      //写入临时目录
+      filepath = path.join(os.tmpdir(), "/certd/tmp/", Math.floor(Math.random() * 1000000) + "", `cert.${type}`);
+    }
+
+    const dir = path.dirname(filepath);
+    if (!fs.existsSync(dir)) {
+      fs.mkdirSync(dir, { recursive: true });
+    }
+
+    fs.writeFileSync(filepath, this[type]);
+    return filepath;
+  }
+}

package/src/plugin/cert-plugin/index.ts

@@ -0,0 +1,276 @@
+import { AbstractTaskPlugin, Autowire, HttpClient, IAccessService, IContext, IsTaskPlugin, RunStrategy, Step, TaskInput, TaskOutput } from "@certd/pipeline";
+import dayjs from "dayjs";
+import { AcmeService, CertInfo } from "./acme";
+import _ from "lodash";
+import { Logger } from "log4js";
+import { Decorator } from "@certd/pipeline/src/decorator";
+import { DnsProviderDefine, dnsProviderRegistry } from "../../dns-provider";
+import { CertReader } from "./cert-reader";
+
+export { CertReader };
+export type { CertInfo };
+
+@IsTaskPlugin({
+  name: "CertApply",
+  title: "证书申请",
+  desc: "免费通配符域名证书申请，支持多个域名打到同一个证书上",
+  default: {
+    input: {
+      renewDays: 20,
+      forceUpdate: false,
+    },
+    strategy: {
+      runStrategy: RunStrategy.AlwaysRun,
+    },
+  },
+})
+export class CertApplyPlugin extends AbstractTaskPlugin {
+  @TaskInput({
+    title: "域名",
+    component: {
+      name: "a-select",
+      vModel: "value",
+      mode: "tags",
+      open: false,
+    },
+    required: true,
+    col: {
+      span: 24,
+    },
+    helper:
+      "支持通配符域名，例如： *.foo.com 、 *.test.handsfree.work\n" +
+      "支持多个域名、多个子域名、多个通配符域名打到一个证书上（域名必须是在同一个DNS提供商解析）\n" +
+      "多级子域名要分成多个域名输入（*.foo.com的证书不能用于xxx.yyy.foo.com）\n" +
+      "输入一个回车之后，再输入下一个",
+  })
+  domains!: string;
+
+  @TaskInput({
+    title: "邮箱",
+    component: {
+      name: "a-input",
+      vModel: "value",
+    },
+    required: true,
+    helper: "请输入邮箱",
+  })
+  email!: string;
+
+  @TaskInput({
+    title: "DNS提供商",
+    component: {
+      name: "pi-dns-provider-selector",
+    },
+    required: true,
+    helper: "请选择dns解析提供商",
+  })
+  dnsProviderType!: string;
+
+  @TaskInput({
+    title: "DNS解析授权",
+    component: {
+      name: "pi-access-selector",
+    },
+    required: true,
+    helper: "请选择dns解析提供商授权",
+  })
+  dnsProviderAccess!: string;
+
+  @TaskInput({
+    title: "更新天数",
+    component: {
+      name: "a-input-number",
+      vModel: "value",
+    },
+    required: true,
+    helper: "到期前多少天后更新证书",
+  })
+  renewDays!: number;
+
+  @TaskInput({
+    title: "强制更新",
+    component: {
+      name: "a-switch",
+      vModel: "checked",
+    },
+    helper: "是否强制重新申请证书",
+  })
+  forceUpdate!: string;
+
+  @TaskInput({
+    title: "CsrInfo",
+  })
+  csrInfo: any;
+
+  // @ts-ignore
+  acme: AcmeService;
+
+  @Autowire()
+  logger!: Logger;
+
+  @Autowire()
+  userContext!: IContext;
+
+  @Autowire()
+  accessService!: IAccessService;
+
+  @Autowire()
+  http!: HttpClient;
+
+  @Autowire()
+  lastStatus!: Step;
+
+  @TaskOutput({
+    title: "域名证书",
+  })
+  cert?: CertInfo;
+
+  async onInstance() {
+    this.acme = new AcmeService({ userContext: this.userContext, logger: this.logger });
+  }
+
+  async execute(): Promise<void> {
+    const oldCert = await this.condition();
+    if (oldCert != null) {
+      return this.output(oldCert);
+    }
+    const cert = await this.doCertApply();
+    if (cert != null) {
+      this.output(cert.toCertInfo());
+      //清空后续任务的状态，让后续任务能够重新执行
+      this.clearLastStatus();
+    } else {
+      throw new Error("申请证书失败");
+    }
+  }
+
+  output(cert: CertInfo) {
+    this.cert = cert;
+  }
+
+  /**
+   * 是否更新证书
+   * @param input
+   */
+  async condition() {
+    if (this.forceUpdate) {
+      return null;
+    }
+
+    let inputChanged = false;
+    const oldInput = JSON.stringify(this.lastStatus?.input?.domains);
+    const thisInput = JSON.stringify(this.domains);
+    if (oldInput !== thisInput) {
+      inputChanged = true;
+    }
+
+    let oldCert: CertReader | undefined = undefined;
+    try {
+      oldCert = await this.readLastCert();
+    } catch (e) {
+      this.logger.warn("读取cert失败：", e);
+    }
+    if (oldCert == null) {
+      this.logger.info("还未申请过，准备申请新证书");
+      return null;
+    }
+
+    if (inputChanged) {
+      this.logger.info("输入参数变更，申请新证书");
+      return null;
+    }
+
+    const ret = this.isWillExpire(oldCert.expires, this.renewDays);
+    if (!ret.isWillExpire) {
+      this.logger.info(`证书还未过期：过期时间${dayjs(oldCert.expires).format("YYYY-MM-DD HH:mm:ss")},剩余${ret.leftDays}天`);
+      return oldCert;
+    }
+    this.logger.info("即将过期，开始更新证书");
+    return null;
+  }
+
+  async doCertApply() {
+    const email = this["email"];
+    const domains = this["domains"];
+    const dnsProviderType = this["dnsProviderType"];
+    const dnsProviderAccessId = this["dnsProviderAccess"];
+    const csrInfo = _.merge(
+      {
+        country: "CN",
+        state: "GuangDong",
+        locality: "ShengZhen",
+        organization: "CertD Org.",
+        organizationUnit: "IT Department",
+        emailAddress: email,
+      },
+      this.csrInfo
+    );
+    this.logger.info("开始申请证书,", email, domains);
+
+    const dnsProviderPlugin = dnsProviderRegistry.get(dnsProviderType);
+    const DnsProviderClass = dnsProviderPlugin.target;
+    const dnsProviderDefine = dnsProviderPlugin.define as DnsProviderDefine;
+    const access = await this.accessService.getById(dnsProviderAccessId);
+
+    // @ts-ignore
+    const dnsProvider: IDnsProvider = new DnsProviderClass();
+    const context = { access, logger: this.logger, http: this.http };
+    Decorator.inject(dnsProviderDefine.autowire, dnsProvider, context);
+    await dnsProvider.onInstance();
+
+    const cert = await this.acme.order({
+      email,
+      domains,
+      dnsProvider,
+      csrInfo,
+      isTest: false,
+    });
+
+    const certInfo = this.formatCerts(cert);
+    return new CertReader(certInfo);
+  }
+
+  formatCert(pem: string) {
+    pem = pem.replace(/\r/g, "");
+    pem = pem.replace(/\n\n/g, "\n");
+    pem = pem.replace(/\n$/g, "");
+    return pem;
+  }
+
+  formatCerts(cert: { crt: string; key: string; csr: string }) {
+    const newCert: CertInfo = {
+      crt: this.formatCert(cert.crt),
+      key: this.formatCert(cert.key),
+      csr: this.formatCert(cert.csr),
+    };
+    return newCert;
+  }
+
+  async readLastCert(): Promise<CertReader | undefined> {
+    const cert = this.lastStatus?.status?.output?.cert;
+    if (cert == null) {
+      return undefined;
+    }
+    return new CertReader(cert);
+  }
+
+  /**
+   * 检查是否过期，默认提前20天
+   * @param expires
+   * @param maxDays
+   * @returns {boolean}
+   */
+  isWillExpire(expires: number, maxDays = 20) {
+    if (expires == null) {
+      throw new Error("过期时间不能为空");
+    }
+    // 检查有效期
+    const leftDays = dayjs(expires).diff(dayjs(), "day");
+    return {
+      isWillExpire: leftDays < maxDays,
+      leftDays,
+    };
+  }
+}
+
+new CertApplyPlugin();

package/src/plugin/index.ts

@@ -0,0 +1,2 @@
+export * from "./cert-plugin";
+

package/tsconfig.json

@@ -0,0 +1,19 @@
+{
+  "compilerOptions": {
+    "noImplicitAny": true,
+    "target": "ESNext",
+    "useDefineForClassFields": true,
+    "module": "commonjs",
+    "moduleResolution": "Node",
+    "strict": true,
+    "jsx": "preserve",
+    "sourceMap": true,
+    "resolveJsonModule": true,
+    "isolatedModules": true,
+    "esModuleInterop": true,
+    "lib": ["ESNext", "DOM"],
+    "skipLibCheck": true,
+    "experimentalDecorators": true
+  },
+  "include": ["src/**/*.ts", "src/**/*.d.ts", "src/**/*.tsx", "src/**/*.vue","test/**/*.ts"],
+}

package/vite.config.ts

@@ -0,0 +1,24 @@
+import { defineConfig } from "vite";
+// https://vitejs.dev/config/
+export default defineConfig({
+  plugins: [],
+  build: {
+    lib: {
+      entry: "src/index.ts",
+      name: "pipeline",
+    },
+    rollupOptions: {
+      external: ["vue", "lodash", "dayjs", "@fast-crud/fast-crud"],
+      output: {
+        // Provide global variables to use in the UMD build
+        // for externalized deps
+        globals: {
+          vue: "Vue",
+          "lodash": "_",
+          dayjs: "dayjs",
+          "@fast-crud/fast-crud": "FastCrud",
+        },
+      },
+    },
+  },
+});