【新增】【部署】阿里云WAF

2026-03-08 07:41:10 +08:00 · 2025-05-22 11:30:19 +08:00
parent 74c9d1e5c2
commit 3da1042187
8 changed files with 468 additions and 5 deletions
--- a/backend/internal/cert/deploy/client/aliyun/aliyunCas.go
+++ b/backend/internal/cert/deploy/client/aliyun/aliyunCas.go
@@ -0,0 +1,42 @@
+package aliyun
+
+import (
+	aliyuncas "github.com/alibabacloud-go/cas-20200407/v4/client"
+	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
+	"github.com/alibabacloud-go/tea/tea"
+)
+
+type ClientAliCas struct {
+	aliyuncas.Client
+}
+
+func NewClientAliCas(accessKey, accessSecret string) (_result *ClientAliCas, err error) {
+	config := &openapi.Config{
+		AccessKeyId:     tea.String(accessKey),
+		AccessKeySecret: tea.String(accessSecret),
+		Endpoint:        tea.String("cas.aliyuncs.com"),
+	}
+	casClient, err := aliyuncas.NewClient(config)
+	if err != nil {
+		return nil, err
+	}
+	
+	client := &ClientAliCas{
+		Client: *casClient,
+	}
+	return client, nil
+}
+
+func (c *ClientAliCas) UploadCert(certName, certContent, certKey string) (*int64, error) {
+	certificateRequest := &aliyuncas.UploadUserCertificateRequest{
+		Cert: tea.String(certContent),
+		Key:  tea.String(certKey),
+		Name: tea.String(certName),
+	}
+	uploadUserCertificateResp, err := c.UploadUserCertificate(certificateRequest)
+	if err != nil {
+		return nil, err
+	}
+	
+	return uploadUserCertificateResp.Body.CertId, nil
+}
--- a/backend/internal/cert/deploy/client/aliyun/aliyunWaf.go
+++ b/backend/internal/cert/deploy/client/aliyun/aliyunWaf.go
@@ -0,0 +1,282 @@
+package aliyun
+
+import (
+	"fmt"
+	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
+	openapiutil "github.com/alibabacloud-go/openapi-util/service"
+	util "github.com/alibabacloud-go/tea-utils/v2/service"
+	"github.com/alibabacloud-go/tea/tea"
+	aliyunwaf "github.com/alibabacloud-go/waf-openapi-20211001/v5/client"
+)
+
+type AliyunWafClient struct {
+	aliyunwaf.Client
+	accessKey    string
+	accessSecret string
+	region       string
+}
+
+func ClientAliWaf(accessKey, accessSecret, region string) (_result *AliyunWafClient, err error) {
+	//region:[cn-hangzhou,ap-southeast-1]
+	
+	config := &openapi.Config{
+		AccessKeyId:     tea.String(accessKey),
+		AccessKeySecret: tea.String(accessSecret),
+		Endpoint:        tea.String(fmt.Sprintf("wafopenapi.%s.aliyuncs.com", region)),
+	}
+	client, err := aliyunwaf.NewClient(config)
+	if err != nil {
+		return nil, err
+	}
+	
+	aliyunwafClient := &AliyunWafClient{
+		Client:       *client,
+		accessKey:    accessKey,
+		accessSecret: accessSecret,
+		region:       region,
+	}
+	return aliyunwafClient, nil
+}
+
+type CreateCertsResponseBody struct {
+	CertIdentifier *string `json:"CertIdentifier,omitempty" xml:"DomainInfo,omitempty"`
+	RequestId      *string `json:"RequestId,omitempty" xml:"RequestId,omitempty"`
+}
+
+type CreateCertsResponse struct {
+	Headers    map[string]*string       `json:"headers,omitempty" xml:"headers,omitempty"`
+	StatusCode *int32                   `json:"statusCode,omitempty" xml:"statusCode,omitempty"`
+	Body       *CreateCertsResponseBody `json:"body,omitempty" xml:"body,omitempty"`
+}
+
+func (client *AliyunWafClient) ICreateCerts(certName, certContent, certKey, instanceId string) (certId *string, _err error) {
+	query := map[string]interface{}{
+		"CertName":    certName,
+		"CertContent": certContent,
+		"CertKey":     certKey,
+		"InstanceId":  instanceId,
+	}
+	
+	req := &openapi.OpenApiRequest{
+		Query: openapiutil.Query(query),
+	}
+	params := &openapi.Params{
+		Action:      tea.String("CreateCerts"),
+		Version:     tea.String("2021-10-01"),
+		Protocol:    tea.String("HTTPS"),
+		Pathname:    tea.String("/"),
+		Method:      tea.String("POST"),
+		AuthType:    tea.String("AK"),
+		Style:       tea.String("RPC"),
+		ReqBodyType: tea.String("formData"),
+		BodyType:    tea.String("json"),
+	}
+	
+	createCertsResponse := &CreateCertsResponse{}
+	runtime := &util.RuntimeOptions{}
+	_body, _err := client.CallApi(params, req, runtime)
+	if _err != nil {
+		return nil, _err
+	}
+	_err = tea.Convert(_body, &createCertsResponse)
+	certId = createCertsResponse.Body.CertIdentifier
+	return certId, _err
+}
+
+func (client *AliyunWafClient) IGetInstanceId() (instanceId *string, _err error) {
+	req := &aliyunwaf.DescribeInstanceRequest{
+		RegionId: tea.String(client.region),
+	}
+	response, _err := client.DescribeInstance(req)
+	instanceId = response.Body.InstanceId
+	
+	return instanceId, _err
+}
+
+func (client *AliyunWafClient) IDescribeDomainDetail(instanceId, domain string) (describeDomainDetailResponseBody *aliyunwaf.DescribeDomainDetailResponseBody, _err error) {
+	req := &aliyunwaf.DescribeDomainDetailRequest{
+		InstanceId: tea.String(instanceId),
+		RegionId:   tea.String(client.region),
+		Domain:     tea.String(domain),
+	}
+	response, _err := client.DescribeDomainDetail(req)
+	describeDomainDetailResponseBody = response.Body
+	
+	return describeDomainDetailResponseBody, _err
+}
+
+func (client *AliyunWafClient) IUpdateDomain(domainDesc *aliyunwaf.DescribeDomainDetailResponseBody, instanceId, certId string) error {
+	modifyDomainReq := &aliyunwaf.ModifyDomainRequest{
+		InstanceId: tea.String(instanceId),
+		RegionId:   tea.String(client.region),
+		Domain:     domainDesc.Domain,
+		Listen:     &aliyunwaf.ModifyDomainRequestListen{CertId: tea.String(certId)},
+	}
+	assignDomain(domainDesc, modifyDomainReq)
+	_, err := client.ModifyDomain(modifyDomainReq)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func assignDomain(from *aliyunwaf.DescribeDomainDetailResponseBody, to *aliyunwaf.ModifyDomainRequest) *aliyunwaf.ModifyDomainRequest {
+	if from == nil {
+		return to
+	}
+	
+	if from.Listen != nil {
+		if to.Listen == nil {
+			to.Listen = &aliyunwaf.ModifyDomainRequestListen{}
+		}
+		
+		if from.Listen.CipherSuite != nil {
+			to.Listen.CipherSuite = tea.Int32(int32(*from.Listen.CipherSuite))
+		}
+		
+		if from.Listen.CustomCiphers != nil {
+			to.Listen.CustomCiphers = from.Listen.CustomCiphers
+		}
+		
+		if from.Listen.EnableTLSv3 != nil {
+			to.Listen.EnableTLSv3 = from.Listen.EnableTLSv3
+		}
+		
+		if from.Listen.ExclusiveIp != nil {
+			to.Listen.ExclusiveIp = from.Listen.ExclusiveIp
+		}
+		
+		if from.Listen.FocusHttps != nil {
+			to.Listen.FocusHttps = from.Listen.FocusHttps
+		}
+		
+		if from.Listen.Http2Enabled != nil {
+			to.Listen.Http2Enabled = from.Listen.Http2Enabled
+		}
+		
+		if from.Listen.IPv6Enabled != nil {
+			to.Listen.IPv6Enabled = from.Listen.IPv6Enabled
+		}
+		
+		if from.Listen.ProtectionResource != nil {
+			to.Listen.ProtectionResource = from.Listen.ProtectionResource
+		}
+		
+		if from.Listen.TLSVersion != nil {
+			to.Listen.TLSVersion = from.Listen.TLSVersion
+		}
+		
+		if from.Listen.XffHeaderMode != nil {
+			to.Listen.XffHeaderMode = tea.Int32(int32(*from.Listen.XffHeaderMode))
+		}
+		
+		if from.Listen.XffHeaders != nil {
+			to.Listen.XffHeaders = from.Listen.XffHeaders
+		}
+		
+		if from.Listen.HttpPorts != nil {
+			to.Listen.HttpPorts = make([]*int32, len(from.Listen.HttpPorts))
+			for i, port := range from.Listen.HttpPorts {
+				if port != nil {
+					to.Listen.HttpPorts[i] = tea.Int32(int32(*port))
+				}
+			}
+		}
+		
+		if from.Listen.HttpsPorts != nil {
+			to.Listen.HttpsPorts = make([]*int32, len(from.Listen.HttpsPorts))
+			for i, port := range from.Listen.HttpsPorts {
+				if port != nil {
+					to.Listen.HttpsPorts[i] = tea.Int32(int32(*port))
+				}
+			}
+		}
+		
+	}
+	
+	if from.Redirect != nil {
+		if to.Redirect == nil {
+			to.Redirect = &aliyunwaf.ModifyDomainRequestRedirect{}
+		}
+		
+		if from.Redirect.ConnectTimeout != nil {
+			to.Redirect.ConnectTimeout = from.Redirect.ConnectTimeout
+		}
+		
+		if from.Redirect.FocusHttpBackend != nil {
+			to.Redirect.FocusHttpBackend = from.Redirect.FocusHttpBackend
+		}
+		
+		if from.Redirect.Keepalive != nil {
+			to.Redirect.Keepalive = from.Redirect.Keepalive
+		}
+		
+		if from.Redirect.KeepaliveRequests != nil {
+			to.Redirect.KeepaliveRequests = from.Redirect.KeepaliveRequests
+		}
+		
+		if from.Redirect.KeepaliveTimeout != nil {
+			to.Redirect.KeepaliveTimeout = from.Redirect.KeepaliveTimeout
+		}
+		
+		if from.Redirect.Loadbalance != nil {
+			to.Redirect.Loadbalance = from.Redirect.Loadbalance
+		}
+		
+		if from.Redirect.ReadTimeout != nil {
+			to.Redirect.ReadTimeout = from.Redirect.ReadTimeout
+		}
+		
+		if from.Redirect.Retry != nil {
+			to.Redirect.Retry = from.Redirect.Retry
+		}
+		
+		if from.Redirect.SniEnabled != nil {
+			to.Redirect.SniEnabled = from.Redirect.SniEnabled
+		}
+		
+		if from.Redirect.SniHost != nil {
+			to.Redirect.SniHost = from.Redirect.SniHost
+		}
+		
+		if from.Redirect.WriteTimeout != nil {
+			to.Redirect.WriteTimeout = from.Redirect.WriteTimeout
+		}
+		
+		if from.Redirect.XffProto != nil {
+			to.Redirect.XffProto = from.Redirect.XffProto
+		}
+		
+		if from.Redirect.Backends != nil {
+			to.Redirect.Backends = make([]*string, len(from.Redirect.Backends))
+			for i, backend := range from.Redirect.Backends {
+				if backend != nil {
+					to.Redirect.Backends[i] = backend.Backend
+				}
+			}
+		}
+		
+		if from.Redirect.BackupBackends != nil {
+			to.Redirect.BackupBackends = make([]*string, len(from.Redirect.BackupBackends))
+			for i, backend := range from.Redirect.BackupBackends {
+				if backend != nil {
+					to.Redirect.BackupBackends[i] = backend.Backend
+				}
+			}
+		}
+		
+		if from.Redirect.RequestHeaders != nil {
+			to.Redirect.RequestHeaders = make([]*aliyunwaf.ModifyDomainRequestRedirectRequestHeaders, len(from.Redirect.RequestHeaders))
+			for i, header := range from.Redirect.RequestHeaders {
+				if header != nil {
+					to.Redirect.RequestHeaders[i] = &aliyunwaf.ModifyDomainRequestRedirectRequestHeaders{
+						Key:   header.Key,
+						Value: header.Value,
+					}
+				}
+			}
+		}
+	}
+	
+	return to
+}
--- a/backend/internal/cert/deploy/client/aliyun/aliyunWaf_test.go
+++ b/backend/internal/cert/deploy/client/aliyun/aliyunWaf_test.go