feat: enhance certificate model
@@ -3,7 +3,6 @@ package nodeprocessor
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"golang.org/x/exp/maps"
|
||||
@@ -30,89 +29,79 @@ func NewApplyNode(node *domain.WorkflowNode) *applyNode {
|
||||
}
|
||||
}
|
||||
|
||||
// 申请节点根据申请类型执行不同的操作
|
||||
func (a *applyNode) Run(ctx context.Context) error {
|
||||
a.AddOutput(ctx, a.node.Name, "开始执行")
|
||||
func (n *applyNode) Run(ctx context.Context) error {
|
||||
n.AddOutput(ctx, n.node.Name, "开始执行")
|
||||
|
||||
// 查询上次执行结果
|
||||
lastOutput, err := a.outputRepo.GetByNodeId(ctx, a.node.Id)
|
||||
lastOutput, err := n.outputRepo.GetByNodeId(ctx, n.node.Id)
|
||||
if err != nil && !domain.IsRecordNotFoundError(err) {
|
||||
a.AddOutput(ctx, a.node.Name, "查询申请记录失败", err.Error())
|
||||
n.AddOutput(ctx, n.node.Name, "查询申请记录失败", err.Error())
|
||||
return err
|
||||
}
|
||||
|
||||
// 检测是否可以跳过本次执行
|
||||
if skippable, skipReason := a.checkCanSkip(ctx, lastOutput); skippable {
|
||||
a.AddOutput(ctx, a.node.Name, skipReason)
|
||||
if skippable, skipReason := n.checkCanSkip(ctx, lastOutput); skippable {
|
||||
n.AddOutput(ctx, n.node.Name, skipReason)
|
||||
return nil
|
||||
}
|
||||
|
||||
// 初始化申请器
|
||||
applicant, err := applicant.NewWithApplyNode(a.node)
|
||||
applicant, err := applicant.NewWithApplyNode(n.node)
|
||||
if err != nil {
|
||||
a.AddOutput(ctx, a.node.Name, "获取申请对象失败", err.Error())
|
||||
n.AddOutput(ctx, n.node.Name, "获取申请对象失败", err.Error())
|
||||
return err
|
||||
}
|
||||
|
||||
// 申请证书
|
||||
applyResult, err := applicant.Apply()
|
||||
if err != nil {
|
||||
a.AddOutput(ctx, a.node.Name, "申请失败", err.Error())
|
||||
n.AddOutput(ctx, n.node.Name, "申请失败", err.Error())
|
||||
return err
|
||||
}
|
||||
a.AddOutput(ctx, a.node.Name, "申请成功")
|
||||
n.AddOutput(ctx, n.node.Name, "申请成功")
|
||||
|
||||
// 解析证书并生成实体
|
||||
certX509, err := certs.ParseCertificateFromPEM(applyResult.CertificateFullChain)
|
||||
if err != nil {
|
||||
a.AddOutput(ctx, a.node.Name, "解析证书失败", err.Error())
|
||||
n.AddOutput(ctx, n.node.Name, "解析证书失败", err.Error())
|
||||
return err
|
||||
}
|
||||
certificate := &domain.Certificate{
|
||||
Source: domain.CertificateSourceTypeWorkflow,
|
||||
SubjectAltNames: strings.Join(certX509.DNSNames, ";"),
|
||||
Certificate: applyResult.CertificateFullChain,
|
||||
PrivateKey: applyResult.PrivateKey,
|
||||
IssuerCertificate: applyResult.IssuerCertificate,
|
||||
ACMEAccountUrl: applyResult.ACMEAccountUrl,
|
||||
ACMECertUrl: applyResult.ACMECertUrl,
|
||||
ACMECertStableUrl: applyResult.ACMECertStableUrl,
|
||||
EffectAt: certX509.NotBefore,
|
||||
ExpireAt: certX509.NotAfter,
|
||||
WorkflowId: getContextWorkflowId(ctx),
|
||||
WorkflowNodeId: a.node.Id,
|
||||
}
|
||||
certificate.PopulateFromX509(certX509)
|
||||
|
||||
// 保存执行结果
|
||||
// TODO: 先保持一个节点始终只有一个输出,后续增加版本控制
|
||||
currentOutput := &domain.WorkflowOutput{
|
||||
WorkflowId: getContextWorkflowId(ctx),
|
||||
NodeId: a.node.Id,
|
||||
Node: a.node,
|
||||
NodeId: n.node.Id,
|
||||
Node: n.node,
|
||||
Succeeded: true,
|
||||
Outputs: a.node.Outputs,
|
||||
Outputs: n.node.Outputs,
|
||||
}
|
||||
if lastOutput != nil {
|
||||
currentOutput.Id = lastOutput.Id
|
||||
}
|
||||
if err := a.outputRepo.Save(ctx, currentOutput, certificate, func(id string) error {
|
||||
if certificate != nil {
|
||||
certificate.WorkflowOutputId = id
|
||||
}
|
||||
|
||||
return nil
|
||||
}); err != nil {
|
||||
a.AddOutput(ctx, a.node.Name, "保存申请记录失败", err.Error())
|
||||
if _, err := n.outputRepo.SaveWithCertificate(ctx, currentOutput, certificate); err != nil {
|
||||
n.AddOutput(ctx, n.node.Name, "保存申请记录失败", err.Error())
|
||||
return err
|
||||
}
|
||||
a.AddOutput(ctx, a.node.Name, "保存申请记录成功")
|
||||
n.AddOutput(ctx, n.node.Name, "保存申请记录成功")
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (a *applyNode) checkCanSkip(ctx context.Context, lastOutput *domain.WorkflowOutput) (skip bool, reason string) {
|
||||
func (n *applyNode) checkCanSkip(ctx context.Context, lastOutput *domain.WorkflowOutput) (skip bool, reason string) {
|
||||
if lastOutput != nil && lastOutput.Succeeded {
|
||||
// 比较和上次申请时的关键配置(即影响证书签发的)参数是否一致
|
||||
currentNodeConfig := a.node.GetConfigForApply()
|
||||
currentNodeConfig := n.node.GetConfigForApply()
|
||||
lastNodeConfig := lastOutput.Node.GetConfigForApply()
|
||||
if currentNodeConfig.Domains != lastNodeConfig.Domains {
|
||||
return false, "配置项变化:域名"
|
||||
@@ -130,7 +119,7 @@ func (a *applyNode) checkCanSkip(ctx context.Context, lastOutput *domain.Workflo
|
||||
return false, "配置项变化:数字签名算法"
|
||||
}
|
||||
|
||||
lastCertificate, _ := a.certRepo.GetByWorkflowNodeId(ctx, a.node.Id)
|
||||
lastCertificate, _ := n.certRepo.GetByWorkflowNodeId(ctx, n.node.Id)
|
||||
renewalInterval := time.Duration(currentNodeConfig.SkipBeforeExpiryDays) * time.Hour * 24
|
||||
expirationTime := time.Until(lastCertificate.ExpireAt)
|
||||
if lastCertificate != nil && expirationTime > renewalInterval {
|
||||
|
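Review bot: `expirationTime := time.Until(lastCertificate.ExpireAt)` dereferences lastCertificate one line before the `lastCertificate != nil` guard, so a run with no stored certificate for this node (or a failed lookup) panics instead of falling through; fold the call into the guard, `if lastCertificate != nil && time.Until(lastCertificate.ExpireAt) > renewalInterval {`, and drop the separate expirationTime line. The error from `n.certRepo.GetByWorkflowNodeId` is discarded with `_`, which makes a repository failure indistinguishable from "no certificate yet" and presumably pushes the node into a fresh application; at minimum separate `domain.IsRecordNotFoundError(err)` from other errors the way Run does a few lines up. This lookup also depends on the certificate's WorkflowNodeId being persisted, and in the preceding hunk the only assignment of that field still visible is the removed `WorkflowNodeId: a.node.Id`; if the new side leaves it to SaveWithCertificate, that is worth confirming. checkCanSkip's body continues past the end of the hunk.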
@@ -18,11 +18,9 @@ func NewConditionNode(node *domain.WorkflowNode) *conditionNode {
|
||||
}
|
||||
}
|
||||
|
||||
// 条件节点没有任何操作
|
||||
func (c *conditionNode) Run(ctx context.Context) error {
|
||||
c.AddOutput(ctx,
|
||||
c.node.Name,
|
||||
"完成",
|
||||
)
|
||||
func (n *conditionNode) Run(ctx context.Context) error {
|
||||
// 此类型节点不需要执行任何操作,直接返回
|
||||
n.AddOutput(ctx, n.node.Name, "完成")
|
||||
|
||||
return nil
|
||||
}
|
||||
|
@@ -27,81 +27,81 @@ func NewDeployNode(node *domain.WorkflowNode) *deployNode {
|
||||
}
|
||||
}
|
||||
|
||||
func (d *deployNode) Run(ctx context.Context) error {
|
||||
d.AddOutput(ctx, d.node.Name, "开始执行")
|
||||
func (n *deployNode) Run(ctx context.Context) error {
|
||||
n.AddOutput(ctx, n.node.Name, "开始执行")
|
||||
|
||||
// 查询上次执行结果
|
||||
lastOutput, err := d.outputRepo.GetByNodeId(ctx, d.node.Id)
|
||||
lastOutput, err := n.outputRepo.GetByNodeId(ctx, n.node.Id)
|
||||
if err != nil && !domain.IsRecordNotFoundError(err) {
|
||||
d.AddOutput(ctx, d.node.Name, "查询部署记录失败", err.Error())
|
||||
n.AddOutput(ctx, n.node.Name, "查询部署记录失败", err.Error())
|
||||
return err
|
||||
}
|
||||
|
||||
// 获取前序节点输出证书
|
||||
previousNodeOutputCertificateSource := d.node.GetConfigForDeploy().Certificate
|
||||
previousNodeOutputCertificateSource := n.node.GetConfigForDeploy().Certificate
|
||||
previousNodeOutputCertificateSourceSlice := strings.Split(previousNodeOutputCertificateSource, "#")
|
||||
if len(previousNodeOutputCertificateSourceSlice) != 2 {
|
||||
d.AddOutput(ctx, d.node.Name, "证书来源配置错误", previousNodeOutputCertificateSource)
|
||||
n.AddOutput(ctx, n.node.Name, "证书来源配置错误", previousNodeOutputCertificateSource)
|
||||
return fmt.Errorf("证书来源配置错误: %s", previousNodeOutputCertificateSource)
|
||||
}
|
||||
certificate, err := d.certRepo.GetByWorkflowNodeId(ctx, previousNodeOutputCertificateSourceSlice[0])
|
||||
certificate, err := n.certRepo.GetByWorkflowNodeId(ctx, previousNodeOutputCertificateSourceSlice[0])
|
||||
if err != nil {
|
||||
d.AddOutput(ctx, d.node.Name, "获取证书失败", err.Error())
|
||||
n.AddOutput(ctx, n.node.Name, "获取证书失败", err.Error())
|
||||
return err
|
||||
}
|
||||
|
||||
// 检测是否可以跳过本次执行
|
||||
if skippable, skipReason := d.checkCanSkip(ctx, lastOutput); skippable {
|
||||
if skippable, skipReason := n.checkCanSkip(ctx, lastOutput); skippable {
|
||||
if certificate.CreatedAt.Before(lastOutput.UpdatedAt) {
|
||||
d.AddOutput(ctx, d.node.Name, "已部署过且证书未更新")
|
||||
n.AddOutput(ctx, n.node.Name, "已部署过且证书未更新")
|
||||
} else {
|
||||
d.AddOutput(ctx, d.node.Name, skipReason)
|
||||
n.AddOutput(ctx, n.node.Name, skipReason)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// 初始化部署器
|
||||
deploy, err := deployer.NewWithDeployNode(d.node, struct {
|
||||
deploy, err := deployer.NewWithDeployNode(n.node, struct {
|
||||
Certificate string
|
||||
PrivateKey string
|
||||
}{Certificate: certificate.Certificate, PrivateKey: certificate.PrivateKey})
|
||||
if err != nil {
|
||||
d.AddOutput(ctx, d.node.Name, "获取部署对象失败", err.Error())
|
||||
n.AddOutput(ctx, n.node.Name, "获取部署对象失败", err.Error())
|
||||
return err
|
||||
}
|
||||
|
||||
// 部署证书
|
||||
if err := deploy.Deploy(ctx); err != nil {
|
||||
d.AddOutput(ctx, d.node.Name, "部署失败", err.Error())
|
||||
n.AddOutput(ctx, n.node.Name, "部署失败", err.Error())
|
||||
return err
|
||||
}
|
||||
d.AddOutput(ctx, d.node.Name, "部署成功")
|
||||
n.AddOutput(ctx, n.node.Name, "部署成功")
|
||||
|
||||
// 保存执行结果
|
||||
// TODO: 先保持一个节点始终只有一个输出,后续增加版本控制
|
||||
currentOutput := &domain.WorkflowOutput{
|
||||
Meta: domain.Meta{},
|
||||
WorkflowId: getContextWorkflowId(ctx),
|
||||
NodeId: d.node.Id,
|
||||
Node: d.node,
|
||||
NodeId: n.node.Id,
|
||||
Node: n.node,
|
||||
Succeeded: true,
|
||||
}
|
||||
if lastOutput != nil {
|
||||
currentOutput.Id = lastOutput.Id
|
||||
}
|
||||
if err := d.outputRepo.Save(ctx, currentOutput, nil, nil); err != nil {
|
||||
d.AddOutput(ctx, d.node.Name, "保存部署记录失败", err.Error())
|
||||
if _, err := n.outputRepo.Save(ctx, currentOutput); err != nil {
|
||||
n.AddOutput(ctx, n.node.Name, "保存部署记录失败", err.Error())
|
||||
return err
|
||||
}
|
||||
d.AddOutput(ctx, d.node.Name, "保存部署记录成功")
|
||||
n.AddOutput(ctx, n.node.Name, "保存部署记录成功")
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (d *deployNode) checkCanSkip(ctx context.Context, lastOutput *domain.WorkflowOutput) (skip bool, reason string) {
|
||||
func (n *deployNode) checkCanSkip(ctx context.Context, lastOutput *domain.WorkflowOutput) (skip bool, reason string) {
|
||||
if lastOutput != nil && lastOutput.Succeeded {
|
||||
// 比较和上次部署时的关键配置(即影响证书部署的)参数是否一致
|
||||
currentNodeConfig := d.node.GetConfigForDeploy()
|
||||
currentNodeConfig := n.node.GetConfigForDeploy()
|
||||
lastNodeConfig := lastOutput.Node.GetConfigForDeploy()
|
||||
if currentNodeConfig.ProviderAccessId != lastNodeConfig.ProviderAccessId {
|
||||
return false, "配置项变化:主机提供商授权"
|
||||
|
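Review bot: In the skip branch both arms end in `return nil`, so when the node configuration is unchanged a certificate issued after `lastOutput.UpdatedAt` is still never redeployed; unless checkCanSkip, whose body runs past the end of the hunk, already compares the certificate's age, the `else` arm should fall through to the deployment below rather than return. `Meta: domain.Meta{}` in the currentOutput literal is an explicit zero value that the equivalent literal in the apply node omits; dropping it keeps the two nodes consistent. The new `if _, err := n.outputRepo.Save(ctx, currentOutput); err != nil` discards the stored output that the changed repository signature now returns, which is fine only as long as nothing after it needs the persisted Id.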
@@ -18,10 +18,9 @@ func NewExecuteFailureNode(node *domain.WorkflowNode) *executeFailureNode {
|
||||
}
|
||||
}
|
||||
|
||||
func (e *executeFailureNode) Run(ctx context.Context) error {
|
||||
e.AddOutput(ctx,
|
||||
e.node.Name,
|
||||
"进入执行失败分支",
|
||||
)
|
||||
func (n *executeFailureNode) Run(ctx context.Context) error {
|
||||
// 此类型节点不需要执行任何操作,直接返回
|
||||
n.AddOutput(ctx, n.node.Name, "进入执行失败分支")
|
||||
|
||||
return nil
|
||||
}
|
||||
|
@@ -18,10 +18,9 @@ func NewExecuteSuccessNode(node *domain.WorkflowNode) *executeSuccessNode {
|
||||
}
|
||||
}
|
||||
|
||||
func (e *executeSuccessNode) Run(ctx context.Context) error {
|
||||
e.AddOutput(ctx,
|
||||
e.node.Name,
|
||||
"进入执行成功分支",
|
||||
)
|
||||
func (n *executeSuccessNode) Run(ctx context.Context) error {
|
||||
// 此类型节点不需要执行任何操作,直接返回
|
||||
n.AddOutput(ctx, n.node.Name, "进入执行成功分支")
|
||||
|
||||
return nil
|
||||
}
|
||||
|
@@ -23,8 +23,9 @@ type certificateRepository interface {
|
||||
}
|
||||
|
||||
type workflowOutputRepository interface {
|
||||
GetByNodeId(ctx context.Context, nodeId string) (*domain.WorkflowOutput, error)
|
||||
Save(ctx context.Context, output *domain.WorkflowOutput, certificate *domain.Certificate, cb func(id string) error) error
|
||||
GetByNodeId(ctx context.Context, workflowNodeId string) (*domain.WorkflowOutput, error)
|
||||
Save(ctx context.Context, workflowOutput *domain.WorkflowOutput) (*domain.WorkflowOutput, error)
|
||||
SaveWithCertificate(ctx context.Context, workflowOutput *domain.WorkflowOutput, certificate *domain.Certificate) (*domain.WorkflowOutput, error)
|
||||
}
|
||||
|
||||
type settingsRepository interface {
|
||||
|
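Review bot: None of the three methods of workflowOutputRepository has a doc comment, and the contract of the new `SaveWithCertificate` is the one callers now rely on without seeing it: the apply and upload nodes dropped the callback that set `certificate.WorkflowOutputId` from the saved output's id, so whether the repository fills that field itself is no longer visible at any call site. A comment on SaveWithCertificate should state whether it assigns certificate.WorkflowOutputId, and whether a non-empty workflowOutput.Id means update rather than insert, since callers copy `lastOutput.Id` into it for exactly that purpose. `Save` likewise deserves one line saying whether the returned `*domain.WorkflowOutput` is the argument with Id populated or a fresh record.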
@@ -18,9 +18,9 @@ func NewStartNode(node *domain.WorkflowNode) *startNode {
|
||||
}
|
||||
}
|
||||
|
||||
func (s *startNode) Run(ctx context.Context) error {
|
||||
// 开始节点没有任何操作
|
||||
s.AddOutput(ctx, s.node.Name, "完成")
|
||||
func (n *startNode) Run(ctx context.Context) error {
|
||||
// 此类型节点不需要执行任何操作,直接返回
|
||||
n.AddOutput(ctx, n.node.Name, "完成")
|
||||
|
||||
return nil
|
||||
}
|
||||
|
@@ -3,7 +3,6 @@ package nodeprocessor
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/usual2970/certimate/internal/domain"
|
||||
@@ -28,43 +27,34 @@ func NewUploadNode(node *domain.WorkflowNode) *uploadNode {
|
||||
// Run 上传证书节点执行
|
||||
// 包含上传证书的工作流,理论上应该手动执行,如果每天定时执行,也只是重新保存一下
|
||||
func (n *uploadNode) Run(ctx context.Context) error {
|
||||
n.AddOutput(ctx,
|
||||
n.node.Name,
|
||||
"进入上传证书节点",
|
||||
)
|
||||
n.AddOutput(ctx, n.node.Name, "进入上传证书节点")
|
||||
|
||||
config := n.node.GetConfigForUpload()
|
||||
nodeConfig := n.node.GetConfigForUpload()
|
||||
|
||||
// 检查证书是否过期
|
||||
// 如果证书过期,则直接返回错误
|
||||
certX509, err := certs.ParseCertificateFromPEM(config.Certificate)
|
||||
if err != nil {
|
||||
n.AddOutput(ctx,
|
||||
n.node.Name,
|
||||
"解析证书失败",
|
||||
)
|
||||
// 查询上次执行结果
|
||||
lastOutput, err := n.outputRepo.GetByNodeId(ctx, n.node.Id)
|
||||
if err != nil && !domain.IsRecordNotFoundError(err) {
|
||||
n.AddOutput(ctx, n.node.Name, "查询申请记录失败", err.Error())
|
||||
return err
|
||||
}
|
||||
|
||||
// 检查证书是否过期
|
||||
// 如果证书过期,则直接返回错误
|
||||
certX509, err := certs.ParseCertificateFromPEM(nodeConfig.Certificate)
|
||||
if err != nil {
|
||||
n.AddOutput(ctx, n.node.Name, "解析证书失败")
|
||||
return err
|
||||
}
|
||||
if time.Now().After(certX509.NotAfter) {
|
||||
n.AddOutput(ctx,
|
||||
n.node.Name,
|
||||
"证书已过期",
|
||||
)
|
||||
n.AddOutput(ctx, n.node.Name, "证书已过期")
|
||||
return errors.New("certificate is expired")
|
||||
}
|
||||
|
||||
// 生成实体
|
||||
certificate := &domain.Certificate{
|
||||
Source: domain.CertificateSourceTypeUpload,
|
||||
SubjectAltNames: strings.Join(certX509.DNSNames, ";"),
|
||||
Certificate: config.Certificate,
|
||||
PrivateKey: config.PrivateKey,
|
||||
|
||||
EffectAt: certX509.NotBefore,
|
||||
ExpireAt: certX509.NotAfter,
|
||||
WorkflowId: getContextWorkflowId(ctx),
|
||||
WorkflowNodeId: n.node.Id,
|
||||
Source: domain.CertificateSourceTypeUpload,
|
||||
}
|
||||
certificate.PopulateFromPEM(nodeConfig.Certificate, nodeConfig.PrivateKey)
|
||||
|
||||
// 保存执行结果
|
||||
// TODO: 先保持一个节点始终只有一个输出,后续增加版本控制
|
||||
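Review bot: The new lookup of the previous run reports `"查询申请记录失败"` on failure, which is the apply node's wording; the upload node's own message, used on the old side and matching `"保存上传记录失败"` later in the same function, is `"查询上传记录失败"`, so the line should read `n.AddOutput(ctx, n.node.Name, "查询上传记录失败", err.Error())`. The parse failure path `n.AddOutput(ctx, n.node.Name, "解析证书失败")` is the only AddOutput in these node processors that omits `err.Error()`, leaving the user with no reason why the uploaded PEM was rejected; pass the error as the other branches do. `certificate.PopulateFromPEM(nodeConfig.Certificate, nodeConfig.PrivateKey)` is called as a bare statement; if it returns an error, as a re-parse of user-supplied PEM plausibly does, it is silently dropped here and should be checked. Run continues into the next hunk.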
@@ -75,23 +65,10 @@ func (n *uploadNode) Run(ctx context.Context) error {
|
||||
Succeeded: true,
|
||||
Outputs: n.node.Outputs,
|
||||
}
|
||||
|
||||
// 查询上次执行结果
|
||||
lastOutput, err := n.outputRepo.GetByNodeId(ctx, n.node.Id)
|
||||
if err != nil && !domain.IsRecordNotFoundError(err) {
|
||||
n.AddOutput(ctx, n.node.Name, "查询上传记录失败", err.Error())
|
||||
return err
|
||||
}
|
||||
if lastOutput != nil {
|
||||
currentOutput.Id = lastOutput.Id
|
||||
}
|
||||
if err := n.outputRepo.Save(ctx, currentOutput, certificate, func(id string) error {
|
||||
if certificate != nil {
|
||||
certificate.WorkflowOutputId = id
|
||||
}
|
||||
|
||||
return nil
|
||||
}); err != nil {
|
||||
if _, err := n.outputRepo.SaveWithCertificate(ctx, currentOutput, certificate); err != nil {
|
||||
n.AddOutput(ctx, n.node.Name, "保存上传记录失败", err.Error())
|
||||
return err
|
||||
}
|
||||
|