feat: allow insecure connections in cdnfly, goedge, powerdns

2025-10-04 21:44:54 +00:00 · 2025-05-09 16:35:58 +08:00
parent 5abdb577fb
commit 26359b9d16
25 changed files with 147 additions and 86 deletions
--- a/internal/applicant/providers.go
+++ b/internal/applicant/providers.go
@@ -441,10 +441,11 @@ func createApplicantProvider(options *applicantProviderOptions) (challenge.Provi
 			}

 			applicant, err := pPowerDNS.NewChallengeProvider(&pPowerDNS.ChallengeProviderConfig{
-				ApiUrl:                access.ApiUrl,
-				ApiKey:                access.ApiKey,
-				DnsPropagationTimeout: options.DnsPropagationTimeout,
-				DnsTTL:                options.DnsTTL,
+				ApiUrl:                   access.ApiUrl,
+				ApiKey:                   access.ApiKey,
+				AllowInsecureConnections: access.AllowInsecureConnections,
+				DnsPropagationTimeout:    options.DnsPropagationTimeout,
+				DnsTTL:                   options.DnsTTL,
 			})
 			return applicant, err
 		}
--- a/internal/deployer/providers.go
+++ b/internal/deployer/providers.go
@@ -509,12 +509,13 @@ func createDeployerProvider(options *deployerProviderOptions) (deployer.Deployer
 			}

 			deployer, err := pCdnfly.NewDeployer(&pCdnfly.DeployerConfig{
-				ApiUrl:        access.ApiUrl,
-				ApiKey:        access.ApiKey,
-				ApiSecret:     access.ApiSecret,
-				ResourceType:  pCdnfly.ResourceType(maputil.GetOrDefaultString(options.ProviderExtendedConfig, "resourceType", string(pCdnfly.RESOURCE_TYPE_SITE))),
-				SiteId:        maputil.GetString(options.ProviderExtendedConfig, "siteId"),
-				CertificateId: maputil.GetString(options.ProviderExtendedConfig, "certificateId"),
+				ApiUrl:                   access.ApiUrl,
+				ApiKey:                   access.ApiKey,
+				ApiSecret:                access.ApiSecret,
+				AllowInsecureConnections: access.AllowInsecureConnections,
+				ResourceType:             pCdnfly.ResourceType(maputil.GetOrDefaultString(options.ProviderExtendedConfig, "resourceType", string(pCdnfly.RESOURCE_TYPE_SITE))),
+				SiteId:                   maputil.GetString(options.ProviderExtendedConfig, "siteId"),
+				CertificateId:            maputil.GetString(options.ProviderExtendedConfig, "certificateId"),
 			})
 			return deployer, err
 		}
@@ -577,11 +578,12 @@ func createDeployerProvider(options *deployerProviderOptions) (deployer.Deployer
 			}

 			deployer, err := pGoEdge.NewDeployer(&pGoEdge.DeployerConfig{
-				ApiUrl:        access.ApiUrl,
-				AccessKeyId:   access.AccessKeyId,
-				AccessKey:     access.AccessKey,
-				ResourceType:  pGoEdge.ResourceType(maputil.GetString(options.ProviderExtendedConfig, "resourceType")),
-				CertificateId: maputil.GetInt64(options.ProviderExtendedConfig, "certificateId"),
+				ApiUrl:                   access.ApiUrl,
+				AccessKeyId:              access.AccessKeyId,
+				AccessKey:                access.AccessKey,
+				AllowInsecureConnections: access.AllowInsecureConnections,
+				ResourceType:             pGoEdge.ResourceType(maputil.GetString(options.ProviderExtendedConfig, "resourceType")),
+				CertificateId:            maputil.GetInt64(options.ProviderExtendedConfig, "certificateId"),
 			})
 			return deployer, err
 		}
--- a/internal/domain/access.go
+++ b/internal/domain/access.go
@@ -74,9 +74,10 @@ type AccessConfigForCacheFly struct {
 }

 type AccessConfigForCdnfly struct {
-	ApiUrl    string `json:"apiUrl"`
-	ApiKey    string `json:"apiKey"`
-	ApiSecret string `json:"apiSecret"`
+	ApiUrl                   string `json:"apiUrl"`
+	ApiKey                   string `json:"apiKey"`
+	ApiSecret                string `json:"apiSecret"`
+	AllowInsecureConnections bool   `json:"allowInsecureConnections,omitempty"`
 }

 type AccessConfigForCloudflare struct {
@@ -147,9 +148,10 @@ type AccessConfigForGoDaddy struct {
 }

 type AccessConfigForGoEdge struct {
-	ApiUrl      string `json:"apiUrl"`
-	AccessKeyId string `json:"accessKeyId"`
-	AccessKey   string `json:"accessKey"`
+	ApiUrl                   string `json:"apiUrl"`
+	AccessKeyId              string `json:"accessKeyId"`
+	AccessKey                string `json:"accessKey"`
+	AllowInsecureConnections bool   `json:"allowInsecureConnections,omitempty"`
 }

 type AccessConfigForGoogleTrustServices struct {
@@ -206,8 +208,9 @@ type AccessConfigForPorkbun struct {
 }

 type AccessConfigForPowerDNS struct {
-	ApiUrl string `json:"apiUrl"`
-	ApiKey string `json:"apiKey"`
+	ApiUrl                   string `json:"apiUrl"`
+	ApiKey                   string `json:"apiKey"`
+	AllowInsecureConnections bool   `json:"allowInsecureConnections,omitempty"`
 }

 type AccessConfigForQiniu struct {
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/powerdns/powerdns.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/powerdns/powerdns.go
@@ -1,6 +1,8 @@
 package powerdns

 import (
+	"crypto/tls"
+	"net/http"
 	"net/url"
 	"time"

@@ -9,10 +11,11 @@ import (
 )

 type ChallengeProviderConfig struct {
-	ApiUrl                string `json:"apiUrl"`
-	ApiKey                string `json:"apiKey"`
-	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
-	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+	ApiUrl                   string `json:"apiUrl"`
+	ApiKey                   string `json:"apiKey"`
+	AllowInsecureConnections bool   `json:"allowInsecureConnections,omitempty"`
+	DnsPropagationTimeout    int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                   int32  `json:"dnsTTL,omitempty"`
 }

 func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
@@ -24,6 +27,13 @@ func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider,
 	providerConfig := pdns.NewDefaultConfig()
 	providerConfig.Host = host
 	providerConfig.APIKey = config.ApiKey
+	if config.AllowInsecureConnections {
+		providerConfig.HTTPClient.Transport = &http.Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true,
+			},
+		}
+	}
 	if config.DnsPropagationTimeout != 0 {
 		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
 	}
--- a/internal/pkg/core/deployer/providers/1panel-console/1panel_console.go
+++ b/internal/pkg/core/deployer/providers/1panel-console/1panel_console.go
@@ -79,7 +79,7 @@ func (d *DeployerProvider) Deploy(ctx context.Context, certPEM string, privkeyPE
 	return &deployer.DeployResult{}, nil
 }

-func createSdkClient(apiUrl, apiKey string, allowInsecure bool) (*opsdk.Client, error) {
+func createSdkClient(apiUrl, apiKey string, skipTlsVerify bool) (*opsdk.Client, error) {
 	if _, err := url.Parse(apiUrl); err != nil {
 		return nil, errors.New("invalid 1panel api url")
 	}
@@ -89,7 +89,7 @@ func createSdkClient(apiUrl, apiKey string, allowInsecure bool) (*opsdk.Client,
 	}

 	client := opsdk.NewClient(apiUrl, apiKey)
-	if allowInsecure {
+	if skipTlsVerify {
 		client.WithTLSConfig(&tls.Config{InsecureSkipVerify: true})
 	}

--- a/internal/pkg/core/deployer/providers/1panel-site/1panel_site.go
+++ b/internal/pkg/core/deployer/providers/1panel-site/1panel_site.go
@@ -173,7 +173,7 @@ func (d *DeployerProvider) deployToCertificate(ctx context.Context, certPEM stri
 	return nil
 }

-func createSdkClient(apiUrl, apiKey string, allowInsecure bool) (*opsdk.Client, error) {
+func createSdkClient(apiUrl, apiKey string, skipTlsVerify bool) (*opsdk.Client, error) {
 	if _, err := url.Parse(apiUrl); err != nil {
 		return nil, errors.New("invalid 1panel api url")
 	}
@@ -183,7 +183,7 @@ func createSdkClient(apiUrl, apiKey string, allowInsecure bool) (*opsdk.Client,
 	}

 	client := opsdk.NewClient(apiUrl, apiKey)
-	if allowInsecure {
+	if skipTlsVerify {
 		client.WithTLSConfig(&tls.Config{InsecureSkipVerify: true})
 	}

--- a/internal/pkg/core/deployer/providers/baotapanel-console/baotapanel_console.go
+++ b/internal/pkg/core/deployer/providers/baotapanel-console/baotapanel_console.go
@@ -82,7 +82,7 @@ func (d *DeployerProvider) Deploy(ctx context.Context, certPEM string, privkeyPE
 	return &deployer.DeployResult{}, nil
 }

-func createSdkClient(apiUrl, apiKey string, allowInsecure bool) (*btsdk.Client, error) {
+func createSdkClient(apiUrl, apiKey string, skipTlsVerify bool) (*btsdk.Client, error) {
 	if _, err := url.Parse(apiUrl); err != nil {
 		return nil, errors.New("invalid baota api url")
 	}
@@ -92,7 +92,7 @@ func createSdkClient(apiUrl, apiKey string, allowInsecure bool) (*btsdk.Client,
 	}

 	client := btsdk.NewClient(apiUrl, apiKey)
-	if allowInsecure {
+	if skipTlsVerify {
 		client.WithTLSConfig(&tls.Config{InsecureSkipVerify: true})
 	}

--- a/internal/pkg/core/deployer/providers/baotapanel-site/baotapanel_site.go
+++ b/internal/pkg/core/deployer/providers/baotapanel-site/baotapanel_site.go
@@ -124,7 +124,7 @@ func (d *DeployerProvider) Deploy(ctx context.Context, certPEM string, privkeyPE
 	return &deployer.DeployResult{}, nil
 }

-func createSdkClient(apiUrl, apiKey string, allowInsecure bool) (*btsdk.Client, error) {
+func createSdkClient(apiUrl, apiKey string, skipTlsVerify bool) (*btsdk.Client, error) {
 	if _, err := url.Parse(apiUrl); err != nil {
 		return nil, errors.New("invalid baota api url")
 	}
@@ -134,7 +134,7 @@ func createSdkClient(apiUrl, apiKey string, allowInsecure bool) (*btsdk.Client,
 	}

 	client := btsdk.NewClient(apiUrl, apiKey)
-	if allowInsecure {
+	if skipTlsVerify {
 		client.WithTLSConfig(&tls.Config{InsecureSkipVerify: true})
 	}

--- a/internal/pkg/core/deployer/providers/cdnfly/cdnfly.go
+++ b/internal/pkg/core/deployer/providers/cdnfly/cdnfly.go
@@ -2,6 +2,7 @@ package cdnfly

 import (
 	"context"
+	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -20,6 +21,8 @@ type DeployerConfig struct {
 	ApiKey string `json:"apiKey"`
 	// Cdnfly 用户端 API Secret。
 	ApiSecret string `json:"apiSecret"`
+	// 是否允许不安全的连接。
+	AllowInsecureConnections bool `json:"allowInsecureConnections,omitempty"`
 	// 部署资源类型。
 	ResourceType ResourceType `json:"resourceType"`
 	// 网站 ID。
@@ -43,7 +46,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 		panic("config is nil")
 	}

-	client, err := createSdkClient(config.ApiUrl, config.ApiKey, config.ApiSecret)
+	client, err := createSdkClient(config.ApiUrl, config.ApiKey, config.ApiSecret, config.AllowInsecureConnections)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create sdk client: %w", err)
 	}
@@ -157,7 +160,7 @@ func (d *DeployerProvider) deployToCertificate(ctx context.Context, certPEM stri
 	return nil
 }

-func createSdkClient(apiUrl, apiKey, apiSecret string) (*cfsdk.Client, error) {
+func createSdkClient(apiUrl, apiKey, apiSecret string, skipTlsVerify bool) (*cfsdk.Client, error) {
 	if _, err := url.Parse(apiUrl); err != nil {
 		return nil, errors.New("invalid cachefly api url")
 	}
@@ -171,5 +174,9 @@ func createSdkClient(apiUrl, apiKey, apiSecret string) (*cfsdk.Client, error) {
 	}

 	client := cfsdk.NewClient(apiUrl, apiKey, apiSecret)
+	if skipTlsVerify {
+		client.WithTLSConfig(&tls.Config{InsecureSkipVerify: true})
+	}
+
 	return client, nil
 }
--- a/internal/pkg/core/deployer/providers/cdnfly/cdnfly_test.go
+++ b/internal/pkg/core/deployer/providers/cdnfly/cdnfly_test.go
@@ -57,11 +57,12 @@ func TestDeploy(t *testing.T) {
 		}, "\n"))

 		deployer, err := provider.NewDeployer(&provider.DeployerConfig{
-			ApiUrl:        fApiUrl,
-			ApiKey:        fApiKey,
-			ApiSecret:     fApiSecret,
-			ResourceType:  provider.RESOURCE_TYPE_CERTIFICATE,
-			CertificateId: fCertificateId,
+			ApiUrl:                   fApiUrl,
+			ApiKey:                   fApiKey,
+			ApiSecret:                fApiSecret,
+			AllowInsecureConnections: true,
+			ResourceType:             provider.RESOURCE_TYPE_CERTIFICATE,
+			CertificateId:            fCertificateId,
 		})
 		if err != nil {
 			t.Errorf("err: %+v", err)
--- a/internal/pkg/core/deployer/providers/goedge/goedge.go
+++ b/internal/pkg/core/deployer/providers/goedge/goedge.go
@@ -2,6 +2,7 @@ package goedge

 import (
 	"context"
+	"crypto/tls"
 	"encoding/base64"
 	"errors"
 	"fmt"
@@ -21,6 +22,8 @@ type DeployerConfig struct {
 	AccessKeyId string `json:"accessKeyId"`
 	// GoEdge 用户 AccessKey。
 	AccessKey string `json:"accessKey"`
+	// 是否允许不安全的连接。
+	AllowInsecureConnections bool `json:"allowInsecureConnections,omitempty"`
 	// 部署资源类型。
 	ResourceType ResourceType `json:"resourceType"`
 	// 证书 ID。
@@ -41,7 +44,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 		panic("config is nil")
 	}

-	client, err := createSdkClient(config.ApiUrl, config.AccessKeyId, config.AccessKey)
+	client, err := createSdkClient(config.ApiUrl, config.AccessKeyId, config.AccessKey, config.AllowInsecureConnections)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create sdk client: %w", err)
 	}
@@ -113,7 +116,7 @@ func (d *DeployerProvider) deployToCertificate(ctx context.Context, certPEM stri
 	return nil
 }

-func createSdkClient(apiUrl, accessKeyId, accessKey string) (*goedgesdk.Client, error) {
+func createSdkClient(apiUrl, accessKeyId, accessKey string, skipTlsVerify bool) (*goedgesdk.Client, error) {
 	if _, err := url.Parse(apiUrl); err != nil {
 		return nil, errors.New("invalid goedge api url")
 	}
@@ -127,5 +130,9 @@ func createSdkClient(apiUrl, accessKeyId, accessKey string) (*goedgesdk.Client,
 	}

 	client := goedgesdk.NewClient(apiUrl, "user", accessKeyId, accessKey)
+	if skipTlsVerify {
+		client.WithTLSConfig(&tls.Config{InsecureSkipVerify: true})
+	}
+
 	return client, nil
 }
--- a/internal/pkg/core/deployer/providers/goedge/goedge_test.go
+++ b/internal/pkg/core/deployer/providers/goedge/goedge_test.go
@@ -57,11 +57,12 @@ func TestDeploy(t *testing.T) {
 		}, "\n"))

 		deployer, err := provider.NewDeployer(&provider.DeployerConfig{
-			ApiUrl:        fApiUrl,
-			AccessKeyId:   fAccessKeyId,
-			AccessKey:     fAccessKey,
-			ResourceType:  provider.RESOURCE_TYPE_CERTIFICATE,
-			CertificateId: int64(fCertificateId),
+			ApiUrl:                   fApiUrl,
+			AccessKeyId:              fAccessKeyId,
+			AccessKey:                fAccessKey,
+			AllowInsecureConnections: true,
+			ResourceType:             provider.RESOURCE_TYPE_CERTIFICATE,
+			CertificateId:            int64(fCertificateId),
 		})
 		if err != nil {
 			t.Errorf("err: %+v", err)
--- a/internal/pkg/core/deployer/providers/safeline/safeline.go
+++ b/internal/pkg/core/deployer/providers/safeline/safeline.go
@@ -98,7 +98,7 @@ func (d *DeployerProvider) deployToCertificate(ctx context.Context, certPEM stri
 	return nil
 }

-func createSdkClient(apiUrl, apiToken string, allowInsecure bool) (*safelinesdk.Client, error) {
+func createSdkClient(apiUrl, apiToken string, skipTlsVerify bool) (*safelinesdk.Client, error) {
 	if _, err := url.Parse(apiUrl); err != nil {
 		return nil, errors.New("invalid safeline api url")
 	}
@@ -108,7 +108,7 @@ func createSdkClient(apiUrl, apiToken string, allowInsecure bool) (*safelinesdk.
 	}

 	client := safelinesdk.NewClient(apiUrl, apiToken)
-	if allowInsecure {
+	if skipTlsVerify {
 		client.WithTLSConfig(&tls.Config{InsecureSkipVerify: true})
 	}

--- a/internal/pkg/sdk3rd/cdnfly/client.go
+++ b/internal/pkg/sdk3rd/cdnfly/client.go
@@ -1,6 +1,7 @@
 package cdnflysdk

 import (
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -34,6 +35,11 @@ func (c *Client) WithTimeout(timeout time.Duration) *Client {
 	return c
 }

+func (c *Client) WithTLSConfig(config *tls.Config) *Client {
+	c.client.SetTLSClientConfig(config)
+	return c
+}
+
 func (c *Client) sendRequest(method string, path string, params interface{}) (*resty.Response, error) {
 	req := c.client.R()
 	req.Method = method
--- a/internal/pkg/sdk3rd/goedge/client.go
+++ b/internal/pkg/sdk3rd/goedge/client.go
@@ -1,6 +1,7 @@
 package goedge

 import (
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -41,6 +42,11 @@ func (c *Client) WithTimeout(timeout time.Duration) *Client {
 	return c
 }

+func (c *Client) WithTLSConfig(config *tls.Config) *Client {
+	c.client.SetTLSClientConfig(config)
+	return c
+}
+
 func (c *Client) sendRequest(method string, path string, params interface{}) (*resty.Response, error) {
 	req := c.client.R().SetBasicAuth(c.accessKeyId, c.accessKey)
 	req.Method = method