feat: support larkbot with secret

2026-06-22 21:05:48 +08:00 · 2025-10-30 20:18:15 +08:00 · 2025-10-30 20:18:15 +08:00 · ae18f64d35
commit ae18f64d35
parent 091c3db520
8 changed files with 59 additions and 14 deletions
--- a/internal/domain/access.go
+++ b/internal/domain/access.go
@ -159,7 +159,7 @@ type AccessConfigForDigitalOcean struct {

 type AccessConfigForDingTalkBot struct {
 	WebhookUrl string `json:"webhookUrl"`
-	Secret     string `json:"secret"`
+	Secret     string `json:"secret,omitempty"`
 }

 type AccessConfigForDiscordBot struct {
@ -279,6 +279,7 @@ type AccessConfigForKubernetes struct {

 type AccessConfigForLarkBot struct {
 	WebhookUrl string `json:"webhookUrl"`
+	Secret     string `json:"secret,omitempty"`
 }

 type AccessConfigForLeCDN struct {
--- a/internal/notify/notifiers/sp_larkbot.go
+++ b/internal/notify/notifiers/sp_larkbot.go
@ -18,6 +18,7 @@ func init() {

 		provider, err := larkbot.NewNotifierProvider(&larkbot.NotifierProviderConfig{
 			WebhookUrl: credentials.WebhookUrl,
+			Secret:     credentials.Secret,
 		})
 		return provider, err
 	}); err != nil {
--- a/pkg/core/notifier/providers/larkbot/larkbot.go
+++ b/pkg/core/notifier/providers/larkbot/larkbot.go
@ -2,11 +2,15 @@ package larkbot

 import (
 	"context"
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"log/slog"
 	"net/url"
+	"time"

 	"github.com/go-resty/resty/v2"

@ -16,6 +20,8 @@ import (
 type NotifierProviderConfig struct {
 	// 飞书机器人 Webhook 地址。
 	WebhookUrl string `json:"webhookUrl"`
+	// 飞书机器人的 Secret。
+	Secret string `json:"secret"`
 }

 type NotifierProvider struct {
@ -62,6 +68,23 @@ func (n *NotifierProvider) Notify(ctx context.Context, subject string, message s
 		}
 	}

+	payload := map[string]any{
+		"msg_type": "text",
+		"content": map[string]string{
+			"text": subject + "\n\n" + message,
+		},
+	}
+	if n.config.Secret != "" {
+		timestamp := fmt.Sprintf("%d", time.Now().UnixMilli())
+
+		h := hmac.New(sha256.New, []byte(n.config.Secret))
+		h.Write([]byte(fmt.Sprintf("%s\n%s", timestamp, n.config.Secret)))
+		sign := base64.StdEncoding.EncodeToString(h.Sum(nil))
+
+		payload["timestamp"] = timestamp
+		payload["sign"] = sign
+	}
+
 	// REF: https://open.feishu.cn/document/client-docs/bot-v3/add-custom-bot
 	// REF: https://open.larksuite.com/document/client-docs/bot-v3/add-custom-bot
 	var result struct {
@ -70,12 +93,7 @@ func (n *NotifierProvider) Notify(ctx context.Context, subject string, message s
 	}
 	req := n.httpClient.R().
 		SetContext(ctx).
-		SetBody(map[string]any{
-			"msg_type": "text",
-			"content": map[string]string{
-				"text": subject + "\n\n" + message,
-			},
-		})
+		SetBody(payload)
 	resp, err := req.Post(webhookUrl.String())
 	if err != nil {
 		return nil, fmt.Errorf("lark api error: failed to send request: %w", err)
--- a/pkg/core/notifier/providers/larkbot/larkbot_test.go
+++ b/pkg/core/notifier/providers/larkbot/larkbot_test.go
@ -15,19 +15,24 @@ const (
 	mockMessage = "test_message"
 )

-var fWebhookUrl string
+var (
+	fWebhookUrl string
+	fSecret     string
+)

 func init() {
 	argsPrefix := "CERTIMATE_NOTIFIER_LARKBOT_"

 	flag.StringVar(&fWebhookUrl, argsPrefix+"WEBHOOKURL", "", "")
+	flag.StringVar(&fSecret, argsPrefix+"SECRET", "", "")
 }

 /*
 Shell command to run this test:

 	go test -v ./larkbot_test.go -args \
-	--CERTIMATE_NOTIFIER_LARKBOT_WEBHOOKURL="https://example.com/your-webhook-url"
+	--CERTIMATE_NOTIFIER_LARKBOT_WEBHOOKURL="https://example.com/your-webhook-url" \
+	--CERTIMATE_NOTIFIER_LARKBOT_SECRET="your-secret"
 */
 func TestNotify(t *testing.T) {
 	flag.Parse()
@ -36,10 +41,12 @@ func TestNotify(t *testing.T) {
 		t.Log(strings.Join([]string{
 			"args:",
 			fmt.Sprintf("WEBHOOKURL: %v", fWebhookUrl),
+			fmt.Sprintf("SECRET: %v", fSecret),
 		}, "\n"))

 		notifier, err := provider.NewNotifierProvider(&provider.NotifierProviderConfig{
 			WebhookUrl: fWebhookUrl,
+			Secret:     fSecret,
 		})
 		if err != nil {
 			t.Errorf("err: %+v", err)
--- a/ui/src/components/access/forms/AccessConfigFieldsProviderDingTalkBot.tsx
+++ b/ui/src/components/access/forms/AccessConfigFieldsProviderDingTalkBot.tsx
@ -52,7 +52,7 @@ const getSchema = ({ i18n = getI18n() }: { i18n: ReturnType<typeof getI18n> }) =

  return z.object({
    webhookUrl: z.url(t("common.errmsg.url_invalid")),
-    secret: z.string().nonempty(t("access.form.dingtalkbot_secret.placeholder")),
+    secret: z.string().nullish(),
  });
 };

--- a/ui/src/components/access/forms/AccessConfigFieldsProviderLarkBot.tsx
+++ b/ui/src/components/access/forms/AccessConfigFieldsProviderLarkBot.tsx
@ -26,6 +26,16 @@ const AccessConfigFormFieldsProviderLarkBot = () => {
      >
        <Input placeholder={t("access.form.larkbot_webhook_url.placeholder")} />
      </Form.Item>
+
+      <Form.Item
+        name={[parentNamePath, "secret"]}
+        initialValue={initialValues.secret}
+        label={t("access.form.larkbot_secret.label")}
+        rules={[formRule]}
+        tooltip={<span dangerouslySetInnerHTML={{ __html: t("access.form.larkbot_secret.tooltip") }}></span>}
+      >
+        <Input.Password autoComplete="new-password" placeholder={t("access.form.larkbot_secret.placeholder")} />
+      </Form.Item>
    </>
  );
 };
@ -33,6 +43,7 @@ const AccessConfigFormFieldsProviderLarkBot = () => {
 const getInitialValues = (): Nullish<z.infer<ReturnType<typeof getSchema>>> => {
  return {
    webhookUrl: "",
+    secret: "",
  };
 };

@ -41,6 +52,7 @@ const getSchema = ({ i18n = getI18n() }: { i18n: ReturnType<typeof getI18n> }) =

  return z.object({
    webhookUrl: z.url(t("common.errmsg.url_invalid")),
+    secret: z.string().nullish(),
  });
 };

--- a/ui/src/i18n/locales/en/nls.access.json
+++ b/ui/src/i18n/locales/en/nls.access.json
@ -331,7 +331,10 @@
  "access.form.kong_api_token.tooltip": "For more information, see <a href=\"https://developer.konghq.com/admin-api/\" target=\"_blank\">https://developer.konghq.com/admin-api/</a>",
  "access.form.larkbot_webhook_url.label": "Lark bot Webhook URL",
  "access.form.larkbot_webhook_url.placeholder": "Please enter Lark bot Webhook URL",
-  "access.form.larkbot_webhook_url.tooltip": "For more information, see <a href=\"https://www.feishu.cn/hc/en-US/articles/807992406756\" target=\"_blank\">https://www.feishu.cn/hc/en-US/articles/807992406756</a>",
+  "access.form.larkbot_webhook_url.tooltip": "For more information, see <a href=\"https://open.larksuite.com/document/client-docs/bot-v3/add-custom-bot\" target=\"_blank\">https://open.larksuite.com/document/client-docs/bot-v3/add-custom-bot</a>",
+  "access.form.larkbot_secret.label": "Lark bot secret",
+  "access.form.larkbot_secret.placeholder": "Please enter Lark bot secret",
+  "access.form.larkbot_secret.tooltip": "For more information, see <a href=\"hhttps://open.larksuite.com/document/client-docs/bot-v3/add-custom-bot\" target=\"_blank\">https://open.larksuite.com/document/client-docs/bot-v3/add-custom-bot</a>",
  "access.form.lecdn_server_url.label": "LeCDN server URL",
  "access.form.lecdn_server_url.placeholder": "Please enter LeCDN server URL",
  "access.form.lecdn_api_version.label": "LeCDN version",
--- a/ui/src/i18n/locales/zh/nls.access.json
+++ b/ui/src/i18n/locales/zh/nls.access.json
@ -204,8 +204,8 @@
  "access.form.dingtalkbot_webhook_url.label": "钉钉群机器人 Webhook 地址",
  "access.form.dingtalkbot_webhook_url.placeholder": "请输入钉钉群机器人 Webhook 地址",
  "access.form.dingtalkbot_webhook_url.tooltip": "这是什么？请参阅 <a href=\"https://open.dingtalk.com/document/orgapp/obtain-the-webhook-address-of-a-custom-robot\" target=\"_blank\">https://open.dingtalk.com/document/orgapp/obtain-the-webhook-address-of-a-custom-robot</a>",
-  "access.form.dingtalkbot_secret.label": "钉钉群机器人加签密钥",
-  "access.form.dingtalkbot_secret.placeholder": "请输入钉钉群机器人加签密钥",
+  "access.form.dingtalkbot_secret.label": "钉钉群机器人签名密钥（可选）",
+  "access.form.dingtalkbot_secret.placeholder": "请输入钉钉群机器人签名密钥",
  "access.form.dingtalkbot_secret.tooltip": "这是什么？请参阅 <a href=\"https://open.dingtalk.com/document/orgapp/customize-robot-security-settings\" target=\"_blank\">https://open.dingtalk.com/document/orgapp/customize-robot-security-settings</a>",
  "access.form.discordbot_token.label": "Discord 机器人 API Token",
  "access.form.discordbot_token.placeholder": "请输入 Discord 机器人 API Token",
@ -330,7 +330,10 @@
  "access.form.kong_api_token.tooltip": "这是什么？请参阅 <a href=\"https://developer.konghq.com/admin-api/\" target=\"_blank\">https://developer.konghq.com/admin-api/</a>",
  "access.form.larkbot_webhook_url.label": "飞书群机器人 Webhook 地址",
  "access.form.larkbot_webhook_url.placeholder": "请输入飞书群机器人 Webhook 地址",
-  "access.form.larkbot_webhook_url.tooltip": "这是什么？请参阅 <a href=\"https://www.feishu.cn/hc/zh-CN/articles/807992406756\" target=\"_blank\">https://www.feishu.cn/hc/zh-CN/articles/807992406756</a>",
+  "access.form.larkbot_webhook_url.tooltip": "这是什么？请参阅 <a href=\"https://open.feishu.cn/document/client-docs/bot-v3/add-custom-bot\" target=\"_blank\">https://open.feishu.cn/document/client-docs/bot-v3/add-custom-bot</a>",
+  "access.form.larkbot_secret.label": "飞书群机器人签名密钥（可选）",
+  "access.form.larkbot_secret.placeholder": "请输入飞书群机器人签名密钥",
+  "access.form.larkbot_secret.tooltip": "这是什么？请参阅 <a href=\"https://open.feishu.cn/document/client-docs/bot-v3/add-custom-bot\" target=\"_blank\">https://open.feishu.cn/document/client-docs/bot-v3/add-custom-bot</a>",
  "access.form.lecdn_server_url.label": "LeCDN 服务地址",
  "access.form.lecdn_server_url.placeholder": "请输入 LeCDN 服务地址",
  "access.form.lecdn_api_version.label": "LeCDN 版本",