refactor(aliyun): 增强阿里云提供商支持 CAS 和 ESA 服务

Author: orange-juzipi

README.md

@@ -56,6 +56,8 @@ provider:
     auth:
       accessKeyId: "your-aliyun-access-key-id"
       accessKeySecret: "your-aliyun-access-key-secret"
+      # ESA 业务专用字段（仅在执行 ESA 业务时使用）
+      esaSiteId: "your-esa-site-id"
 
   - name: "qiniu"
     remark: "七牛云"
@@ -74,10 +76,15 @@ provider:
 >
 > | 服务商 |    name 值     |           认证字段           |
 > | :----: | :------------: | :--------------------------: |
-> | 阿里云 |    `aliyun`    | accessKeyId, accessKeySecret |
+> | 阿里云 |    `aliyun`    | accessKeyId, accessKeySecret（ESA可选：esaSiteId） |
 > | 七牛云 |    `qiniu`     |   accessKey, accessSecret    |
 > | 腾讯云 | `cloudTencent` |     secretId, secretKey      |
 
+> #### 阿里云 CAS/ESA 业务分离（无自动识别）
+>
+> - 选择“阿里云-CAS 上传证书”业务：调用 CAS `UploadUserCertificate`
+> - 选择“阿里云-ESA 上传证书”业务：调用 ESA `SetCertificate`（需要 `esaSiteId`）
+
 ### 3. 配置 Nginx
 
 添加 HTTP-01 验证反向代理（用于证书申请）：

go.mod

@@ -3,9 +3,7 @@ module github.com/https-cert/deploy
 go 1.26
 
 require (
-	github.com/alibabacloud-go/cas-20200407/v4 v4.1.0
 	github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.15
-	github.com/alibabacloud-go/tea v1.4.0
 	github.com/alibabacloud-go/tea-utils/v2 v2.0.9
 	github.com/coder/websocket v1.8.14
 	github.com/qiniu/go-sdk/v7 v7.25.6
@@ -18,6 +16,7 @@ require (
 	github.com/BurntSushi/toml v1.6.0 // indirect
 	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 // indirect
 	github.com/alibabacloud-go/debug v1.0.1 // indirect
+	github.com/alibabacloud-go/tea v1.4.0 // indirect
 	github.com/aliyun/credentials-go v1.4.11 // indirect
 	github.com/clbanning/mxj/v2 v2.7.0 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect

go.sum

@@ -9,15 +9,12 @@ github.com/alibabacloud-go/alibabacloud-gateway-pop v0.0.6/go.mod h1:4EUIoxs/do2
 github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4/go.mod h1:sCavSAvdzOjul4cEqeVtvlSaSScfNsTQ+46HwlTL1hc=
 github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 h1:zE8vH9C7JiZLNJJQ5OwjU9mSi4T9ef9u3BURT6LCLC8=
 github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5/go.mod h1:tWnyE9AjF8J8qqLk645oUmVUnFybApTQWklQmi5tY6g=
-github.com/alibabacloud-go/cas-20200407/v4 v4.1.0 h1:JldJ1EtKHzqZMQJkZaGKz4pI6TtbKCKTXNO/v2bVJ30=
-github.com/alibabacloud-go/cas-20200407/v4 v4.1.0/go.mod h1:q7X8C3NE71dRxR3YLwz/NESvE5X56RI2tGTJqODe7Zs=
 github.com/alibabacloud-go/darabonba-array v0.1.0 h1:vR8s7b1fWAQIjEjWnuF0JiKsCvclSRTfDzZHTYqfufY=
 github.com/alibabacloud-go/darabonba-array v0.1.0/go.mod h1:BLKxr0brnggqOJPqT09DFJ8g3fsDshapUD3C3aOEFaI=
 github.com/alibabacloud-go/darabonba-encode-util v0.0.2 h1:1uJGrbsGEVqWcWxrS9MyC2NG0Ax+GpOM5gtupki31XE=
 github.com/alibabacloud-go/darabonba-encode-util v0.0.2/go.mod h1:JiW9higWHYXm7F4PKuMgEUETNZasrDM6vqVr/Can7H8=
 github.com/alibabacloud-go/darabonba-map v0.0.2 h1:qvPnGB4+dJbJIxOOfawxzF3hzMnIpjmafa0qOTp6udc=
 github.com/alibabacloud-go/darabonba-map v0.0.2/go.mod h1:28AJaX8FOE/ym8OUFWga+MtEzBunJwQGceGQlvaPGPc=
-github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.14/go.mod h1:lxFGfobinVsQ49ntjpgWghXmIF0/Sm4+wvBJ1h5RtaE=
 github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.15 h1:Mubp9hXZMTPWZK+WxrR+kKOVFp4Q/PDZrIIM7ByXI9Y=
 github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.15/go.mod h1:lxFGfobinVsQ49ntjpgWghXmIF0/Sm4+wvBJ1h5RtaE=
 github.com/alibabacloud-go/darabonba-signature-util v0.0.7 h1:UzCnKvsjPFzApvODDNEYqBHMFt1w98wC7FOo0InLyxg=

internal/client/business_executor.go

@@ -50,12 +50,23 @@ func (be *BusinessExecutor) ExecuteBusiness(providerName string, executeBusinesT
 			return fmt.Errorf("不支持的业务类型: %d", executeBusinesType)
 		}
 
-	case "aliyun", "qiniu":
+	case "aliyun":
+		// 阿里云 CAS 与 ESA 业务显式分离，不做自动识别
+		switch executeBusinesType {
+		case deployPB.ExecuteBusinesType_EXECUTE_BUSINES_UPLOAD_CERT:
+			return be.handleAliyunCertificateProvider(domain, remark, cert, key, aliyun.ServiceCAS)
+		case deployPB.ExecuteBusinesType_EXECUTE_BUSINES_OSS:
+			return be.handleAliyunCertificateProvider(domain, remark, cert, key, aliyun.ServiceESA)
+		default:
+			return fmt.Errorf("不支持的业务类型: %d", executeBusinesType)
+		}
+
+	case "qiniu":
 		// 上传证书到云服务商
 		if executeBusinesType != deployPB.ExecuteBusinesType_EXECUTE_BUSINES_UPLOAD_CERT {
 			return fmt.Errorf("不支持的业务类型: %d", executeBusinesType)
 		}
-		return be.handleCertificateProvider(providerName, remark, cert, key)
+		return be.handleCertificateProvider(providerName, domain, remark, cert, key)
 
 	default:
 		logger.Warn("不支持的提供商", "provider", providerName)
@@ -144,7 +155,7 @@ func (be *BusinessExecutor) handle1PanelCertificateDeploy(domain, downloadURL st
 }
 
 // handleCertificateProvider 处理证书提供商的上传操作
-func (be *BusinessExecutor) handleCertificateProvider(providerName, remark, cert, key string) error {
+func (be *BusinessExecutor) handleCertificateProvider(providerName, domain, remark, cert, key string) error {
 	// 获取 provider 实例
 	providerHandler, err := be.getProviderHandler(providerName)
 	if err != nil {
@@ -153,15 +164,51 @@ func (be *BusinessExecutor) handleCertificateProvider(providerName, remark, cert
 	}
 
 	// 上传证书
-	if err := providerHandler.UploadCertificate(remark, cert, key); err != nil {
+	if err := providerHandler.UploadCertificate(remark, domain, cert, key); err != nil {
 		logger.Error("上传证书失败", "provider", providerName, "error", err)
 		return err
 	}
 
-	logger.Info("证书上传成功", "provider", providerName, "remark", remark)
+	logger.Info("证书上传成功", "provider", providerName, "remark", remark, "domain", domain)
+	return nil
+}
+
+// handleAliyunCertificateProvider 处理阿里云证书上传（CAS/ESA 显式分离）
+func (be *BusinessExecutor) handleAliyunCertificateProvider(domain, remark, cert, key, service string) error {
+	providerHandler, err := be.getAliyunProvider(service)
+	if err != nil {
+		logger.Error("创建阿里云提供商实例失败", "service", service, "error", err)
+		return err
+	}
+
+	if err := providerHandler.UploadCertificate(remark, domain, cert, key); err != nil {
+		logger.Error("上传阿里云证书失败", "service", service, "error", err)
+		return err
+	}
+
+	logger.Info("阿里云证书上传成功", "service", service, "remark", remark, "domain", domain)
 	return nil
 }
 
+func (be *BusinessExecutor) getAliyunProvider(service string) (providers.ProviderHandler, error) {
+	providerConfig := config.GetProvider("aliyun")
+	if providerConfig == nil {
+		return nil, fmt.Errorf("未配置【阿里云】提供商配置")
+	}
+
+	accessKeyId := providerConfig.GetAccessKeyId()
+	accessKeySecret := providerConfig.GetAccessKeySecret()
+	if accessKeyId == "" || accessKeySecret == "" {
+		return nil, fmt.Errorf("阿里云配置不完整: accessKeyId 或 accessKeySecret 为空")
+	}
+
+	options := &aliyun.Options{
+		Service:   service,
+		ESASiteID: providerConfig.GetESASiteID(),
+	}
+	return aliyun.New(accessKeyId, accessKeySecret, options)
+}
+
 // getProviderHandler 根据提供商名称获取对应的 handler
 func (be *BusinessExecutor) getProviderHandler(providerName string) (providers.ProviderHandler, error) {
 	providerConfig := config.GetProvider(providerName)
@@ -170,14 +217,6 @@ func (be *BusinessExecutor) getProviderHandler(providerName string) (providers.P
 	}
 
 	switch providerName {
-	case "aliyun":
-		accessKeyId := providerConfig.GetAccessKeyId()
-		accessKeySecret := providerConfig.GetAccessKeySecret()
-		if accessKeyId == "" || accessKeySecret == "" {
-			return nil, fmt.Errorf("阿里云配置不完整: accessKeyId 或 accessKeySecret 为空")
-		}
-		return aliyun.New(accessKeyId, accessKeySecret)
-
 	case "qiniu":
 		accessKey := providerConfig.GetAccessKey()
 		accessSecret := providerConfig.GetAccessSecret()

internal/client/provider.go

@@ -40,7 +40,47 @@ func TestProviderConnection(providerName string) (bool, error) {
 			return false, fmt.Errorf("未配置【阿里云】提供商配置")
 		}
 
-		provider, err := aliyun.New(providerConfig.GetAccessKeyId(), providerConfig.GetAccessKeySecret())
+		casProvider, err := aliyun.New(providerConfig.GetAccessKeyId(), providerConfig.GetAccessKeySecret(), &aliyun.Options{
+			Service: aliyun.ServiceCAS,
+		})
+		if err != nil {
+			return false, fmt.Errorf("创建阿里云提供商实例失败: %w", err)
+		}
+		success, err := casProvider.TestConnection()
+		if err == nil {
+			return success, nil
+		}
+
+		// CAS 测试失败时，如果配置了 ESA SiteId，补测 ESA 连接
+		if providerConfig.GetESASiteID() != "" {
+			esaProvider, esaErr := aliyun.New(providerConfig.GetAccessKeyId(), providerConfig.GetAccessKeySecret(), &aliyun.Options{
+				Service:   aliyun.ServiceESA,
+				ESASiteID: providerConfig.GetESASiteID(),
+			})
+			if esaErr == nil {
+				success, esaErr = esaProvider.TestConnection()
+				if esaErr == nil {
+					return success, nil
+				}
+			}
+			return false, fmt.Errorf("阿里云连接测试失败(CAS: %v, ESA: %v)", err, esaErr)
+		}
+
+		return false, fmt.Errorf("阿里云连接测试失败: %w", err)
+
+	case "aliyunEsa":
+		providerConfig := config.GetProvider("aliyunEsa")
+		if providerConfig == nil {
+			providerConfig = config.GetProvider("aliyun")
+		}
+		if providerConfig == nil {
+			return false, fmt.Errorf("未配置【阿里云 ESA】提供商配置")
+		}
+
+		provider, err := aliyun.New(providerConfig.GetAccessKeyId(), providerConfig.GetAccessKeySecret(), &aliyun.Options{
+			Service:   aliyun.ServiceESA,
+			ESASiteID: providerConfig.GetESASiteID(),
+		})
 		if err != nil {
 			return false, fmt.Errorf("创建阿里云提供商实例失败: %w", err)
 		}