Add Synology DSM certificate deployer integration

Author: Masterain98

go.mod

@@ -58,6 +58,7 @@ require (
 	github.com/pocketbase/dbx v1.11.0
 	github.com/pocketbase/pocketbase v0.35.0
 	github.com/povsister/scp v0.0.0-20250701154629-777cf82de5df
+	github.com/pquerna/otp v1.5.0
 	github.com/qiniu/go-sdk/v7 v7.25.5
 	github.com/samber/lo v1.52.0
 	github.com/spf13/cobra v1.10.2
@@ -194,6 +195,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.12 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.41.5 // indirect
 	github.com/aws/smithy-go v1.24.0 // indirect
+	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/clbanning/mxj/v2 v2.7.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect

go.sum

@@ -247,6 +247,8 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI=
+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/buger/goterm v1.0.4 h1:Z9YvGmOih81P0FbVtEYTFF6YsSgxSUKEhf/f9bTMXbY=
 github.com/buger/goterm v1.0.4/go.mod h1:HiFWV3xnkolgrBV3mY8m0X0Pumt4zg4QhbdOzQtB8tE=
 github.com/byteplus-sdk/byteplus-sdk-golang v1.0.61 h1:IJHXAInb/ALRosopHPzXH/x2mt7LyfaawILEHYZHRRo=
@@ -764,6 +766,8 @@ github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndr
 github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s=
 github.com/povsister/scp v0.0.0-20250701154629-777cf82de5df h1:zEgSHrxo8f6hGG1xCaqunfBq8hlfDmFd1JM0QXiQi7o=
 github.com/povsister/scp v0.0.0-20250701154629-777cf82de5df/go.mod h1:CiJNEeV6v0tUCNul/+gTjl+FgjfImoiuptJB9AEzqjE=
+github.com/pquerna/otp v1.5.0 h1:NMMR+WrmaqXU4EzdGJEE1aUUI0AMRzsp96fFFWNPwxs=
+github.com/pquerna/otp v1.5.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU=

internal/certmgmt/deployers/sp_synologydsm.go

@@ -0,0 +1,30 @@
+package deployers
+
+import (
+	"fmt"
+
+	"github.com/certimate-go/certimate/internal/domain"
+	"github.com/certimate-go/certimate/pkg/core/deployer"
+	"github.com/certimate-go/certimate/pkg/core/deployer/providers/synologydsm"
+	xmaps "github.com/certimate-go/certimate/pkg/utils/maps"
+)
+
+func init() {
+	Registries.MustRegister(domain.DeploymentProviderTypeSynologyDSM, func(options *ProviderFactoryOptions) (deployer.Provider, error) {
+		credentials := domain.AccessConfigForSynologyDSM{}
+		if err := xmaps.Populate(options.ProviderAccessConfig, &credentials); err != nil {
+			return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+		}
+
+		provider, err := synologydsm.NewDeployer(&synologydsm.DeployerConfig{
+			ServerUrl:                  credentials.ServerUrl,
+			Username:                   credentials.Username,
+			Password:                   credentials.Password,
+			TotpSecret:                 credentials.TotpSecret,
+			AllowInsecureConnections:   credentials.AllowInsecureConnections,
+			CertificateIdOrDescription: xmaps.GetString(options.ProviderExtendedConfig, "certificateIdOrDesc"),
+			IsDefault:                  xmaps.GetBool(options.ProviderExtendedConfig, "isDefault"),
+		})
+		return provider, err
+	})
+}

internal/domain/access.go

@@ -516,6 +516,14 @@ type AccessConfigForSSLCom struct {
 	AccessConfigForACMEExternalAccountBinding
 }
 
+type AccessConfigForSynologyDSM struct {
+	ServerUrl                string `json:"serverUrl"`
+	Username                 string `json:"username"`
+	Password                 string `json:"password"`
+	TotpSecret               string `json:"totpSecret,omitempty"`
+	AllowInsecureConnections bool   `json:"allowInsecureConnections,omitempty"`
+}
+
 type AccessConfigForTechnitiumDNS struct {
 	ServerUrl                string `json:"serverUrl"`
 	ApiToken                 string `json:"apiToken"`

internal/domain/provider.go

@@ -103,6 +103,7 @@ const (
 	AccessProviderTypeSpaceship           = AccessProviderType("spaceship")
 	AccessProviderTypeSSH                 = AccessProviderType("ssh")
 	AccessProviderTypeSSLCOM              = AccessProviderType("sslcom")
+	AccessProviderTypeSynologyDSM         = AccessProviderType("synologydsm")
 	AccessProviderTypeTechnitiumDNS       = AccessProviderType("technitiumdns")
 	AccessProviderTypeTelegramBot         = AccessProviderType("telegrambot")
 	AccessProviderTypeTencentCloud        = AccessProviderType("tencentcloud")
@@ -330,6 +331,7 @@ const (
 	DeploymentProviderTypeRatPanelConsole       = DeploymentProviderType(AccessProviderTypeRatPanel + "-console")
 	DeploymentProviderTypeSafeLine              = DeploymentProviderType(AccessProviderTypeSafeLine)
 	DeploymentProviderTypeSSH                   = DeploymentProviderType(AccessProviderTypeSSH)
+	DeploymentProviderTypeSynologyDSM           = DeploymentProviderType(AccessProviderTypeSynologyDSM)
 	DeploymentProviderTypeTencentCloudCDN       = DeploymentProviderType(AccessProviderTypeTencentCloud + "-cdn")
 	DeploymentProviderTypeTencentCloudCLB       = DeploymentProviderType(AccessProviderTypeTencentCloud + "-clb")
 	DeploymentProviderTypeTencentCloudCOS       = DeploymentProviderType(AccessProviderTypeTencentCloud + "-cos")

pkg/core/deployer/providers/synologydsm/synologydsm.go

@@ -0,0 +1,232 @@
+package synologydsm
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"log/slog"
+	"time"
+
+	"github.com/pquerna/otp/totp"
+	"github.com/samber/lo"
+
+	"github.com/certimate-go/certimate/pkg/core/deployer"
+	dsmsdk "github.com/certimate-go/certimate/pkg/sdk3rd/synologydsm"
+	xcert "github.com/certimate-go/certimate/pkg/utils/cert"
+	xwait "github.com/certimate-go/certimate/pkg/utils/wait"
+)
+
+type DeployerConfig struct {
+	// 群晖 DSM 服务地址。
+	ServerUrl string `json:"serverUrl"`
+	// 群晖 DSM 用户名。
+	Username string `json:"username"`
+	// 群晖 DSM 用户密码。
+	Password string `json:"password"`
+	// 群晖 DSM 2FA TOTP 密钥。
+	TotpSecret string `json:"totpSecret,omitempty"`
+	// 是否允许不安全的连接。
+	AllowInsecureConnections bool `json:"allowInsecureConnections,omitempty"`
+	// 证书 ID 或描述。
+	// 选填。零值时表示新建证书；否则表示更新证书。
+	CertificateIdOrDescription string `json:"certificateIdOrDesc,omitempty"`
+	// 是否设为默认证书。
+	IsDefault bool `json:"isDefault,omitempty"`
+}
+
+type Deployer struct {
+	config    *DeployerConfig
+	logger    *slog.Logger
+	sdkClient *dsmsdk.Client
+}
+
+var _ deployer.Provider = (*Deployer)(nil)
+
+func NewDeployer(config *DeployerConfig) (*Deployer, error) {
+	if config == nil {
+		return nil, errors.New("the configuration of the deployer provider is nil")
+	}
+
+	client, err := createSDKClient(config.ServerUrl, config.AllowInsecureConnections)
+	if err != nil {
+		return nil, fmt.Errorf("could not create client: %w", err)
+	}
+
+	return &Deployer{
+		config:    config,
+		logger:    slog.Default(),
+		sdkClient: client,
+	}, nil
+}
+
+func (d *Deployer) SetLogger(logger *slog.Logger) {
+	if logger == nil {
+		d.logger = slog.Default()
+	} else {
+		d.logger = logger
+	}
+}
+
+func (d *Deployer) Deploy(ctx context.Context, certPEM string, privkeyPEM string) (*deployer.DeployResult, error) {
+	// 提取服务器证书和中间证书
+	serverCertPEM, intermediateCertPEM, err := xcert.ExtractCertificatesFromPEM(certPEM)
+	if err != nil {
+		return nil, fmt.Errorf("failed to extract certs: %w", err)
+	}
+
+	// 如果启用了 TOTP，则等到下一个时间窗口后生成 OTP 动态密码
+	var otpCode string
+	if d.config.TotpSecret != "" {
+		now := time.Now()
+		wait := time.Duration(30-now.Unix()%30) * time.Second
+		if wait > 0 {
+			wait = wait + 1*time.Second
+			d.logger.Info("waiting for the next TOTP time step ...", slog.Int("wait", int(wait.Seconds())))
+			xwait.DelayWithContext(ctx, wait)
+		}
+
+		now = time.Now()
+		otpCodeStr, err := totp.GenerateCode(d.config.TotpSecret, now)
+		if err != nil {
+			return nil, fmt.Errorf("failed to generate TOTP code: %w", err)
+		}
+
+		otpCode = otpCodeStr
+	}
+
+	// 登录到群晖 DSM
+	loginReq := &dsmsdk.LoginRequest{
+		Account:  d.config.Username,
+		Password: d.config.Password,
+		OtpCode:  otpCode,
+	}
+	loginResp, err := d.sdkClient.Login(loginReq)
+	d.logger.Debug("sdk request 'SYNO.API.Auth:login'", slog.Any("request", loginReq), slog.Any("response", loginResp))
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute sdk request 'SYNO.API.Auth:login': %w", err)
+	}
+	defer func() {
+		logoutResp, _ := d.sdkClient.Logout()
+		d.logger.Debug("sdk request 'SYNO.API.Auth:logout'", slog.Any("response", logoutResp))
+	}()
+
+	// 如果原证书 ID 或描述为空，则创建证书；否则更新证书。
+	if d.config.CertificateIdOrDescription == "" {
+		// 导入证书
+		importCertificateReq := &dsmsdk.ImportCertificateRequest{
+			ID:          "",
+			Description: fmt.Sprintf("certimate-%d", time.Now().UnixMilli()),
+			Key:         privkeyPEM,
+			Cert:        serverCertPEM,
+			InterCert:   intermediateCertPEM,
+			AsDefault:   d.config.IsDefault,
+		}
+		importCertificateResp, err := d.sdkClient.ImportCertificate(importCertificateReq)
+		d.logger.Debug("sdk request 'SYNO.Core.Certificate:import'", slog.Any("request", importCertificateReq), slog.Any("response", importCertificateResp))
+		if err != nil {
+			return nil, fmt.Errorf("failed to execute sdk request 'SYNO.Core.Certificate:import': %w", err)
+		}
+	} else {
+		// 查找证书列表，找到已有证书
+		var certInfo *dsmsdk.CertificateInfo
+		listCertificatesResp, err := d.sdkClient.ListCertificates()
+		d.logger.Debug("sdk request 'SYNO.Core.Certificate.CRT:list'", slog.Any("response", listCertificatesResp))
+		if err != nil {
+			return nil, fmt.Errorf("failed to execute sdk request 'SYNO.Core.Certificate.CRT:list': %w", err)
+		} else {
+			matchedCerts := lo.Filter(listCertificatesResp.Data.Certificates, func(certItem *dsmsdk.CertificateInfo, _ int) bool {
+				return certItem.ID == d.config.CertificateIdOrDescription
+			})
+			if len(matchedCerts) == 0 {
+				matchedCerts = lo.Filter(listCertificatesResp.Data.Certificates, func(certItem *dsmsdk.CertificateInfo, _ int) bool {
+					return certItem.Description == d.config.CertificateIdOrDescription
+				})
+			}
+			if len(matchedCerts) == 0 {
+				return nil, fmt.Errorf("could not find certificate '%s'", d.config.CertificateIdOrDescription)
+			} else {
+				if len(matchedCerts) > 1 {
+					d.logger.Warn("found several certificates matched '%s', using the first one")
+				}
+				certInfo = matchedCerts[0]
+			}
+		}
+
+		// 导入证书
+		importCertificateReq := &dsmsdk.ImportCertificateRequest{
+			ID:          certInfo.ID,
+			Description: certInfo.Description,
+			Key:         privkeyPEM,
+			Cert:        serverCertPEM,
+			InterCert:   intermediateCertPEM,
+			AsDefault:   d.config.IsDefault || certInfo.IsDefault,
+		}
+		importCertificateResp, err := d.sdkClient.ImportCertificate(importCertificateReq)
+		d.logger.Debug("sdk request 'SYNO.Core.Certificate:import'", slog.Any("request", importCertificateReq), slog.Any("response", importCertificateResp))
+		if err != nil {
+			return nil, fmt.Errorf("failed to execute sdk request 'SYNO.Core.Certificate:import': %w", err)
+		}
+	}
+
+	if d.config.IsDefault {
+		// 查找证书列表，找到默认证书
+		listCertificatesResp, err := d.sdkClient.ListCertificates()
+		d.logger.Debug("sdk request 'SYNO.Core.Certificate.CRT:list'", slog.Any("response", listCertificatesResp))
+		if err != nil {
+			return nil, fmt.Errorf("failed to execute sdk request 'SYNO.Core.Certificate.CRT:list': %w", err)
+		} else {
+			var defaultCertId string
+			for _, certItem := range listCertificatesResp.Data.Certificates {
+				if certItem.IsDefault {
+					defaultCertId = certItem.ID
+					break
+				}
+			}
+
+			if defaultCertId != "" {
+				settings := make([]*dsmsdk.ServiceCertificateSetting, 0)
+				for _, certItem := range listCertificatesResp.Data.Certificates {
+					if certItem.ID == defaultCertId {
+						continue
+					}
+
+					for _, service := range certItem.Services {
+						settings = append(settings, &dsmsdk.ServiceCertificateSetting{
+							Service:   service,
+							CertID:    defaultCertId,
+							OldCertID: certItem.ID,
+						})
+					}
+				}
+
+				// 应用到所有服务并重启
+				if len(settings) > 0 {
+					setServiceCertificateReq := &dsmsdk.SetServiceCertificateRequest{
+						Settings: settings,
+					}
+					setServiceCertificateResp, err := d.sdkClient.SetServiceCertificate(setServiceCertificateReq)
+					d.logger.Debug("sdk request 'SYNO.Core.Certificate.Service:set'", slog.Any("request", setServiceCertificateReq), slog.Any("response", setServiceCertificateResp))
+					if err != nil {
+						return nil, fmt.Errorf("failed to execute sdk request 'SYNO.Core.Certificate.Service:set': %w", err)
+					}
+				}
+			}
+		}
+	}
+
+	return &deployer.DeployResult{}, nil
+}
+
+func createSDKClient(serverUrl string, skipTlsVerify bool) (*dsmsdk.Client, error) {
+	client, err := dsmsdk.NewClient(serverUrl)
+	if err != nil {
+		return nil, err
+	}
+
+	if skipTlsVerify {
+		client.SetTLSConfig(&tls.Config{InsecureSkipVerify: true})
+	}
+
+	return client, nil
+}