diff --git a/go.mod b/go.mod index 6755d653..6be57fdd 100644 --- a/go.mod +++ b/go.mod @@ -12,7 +12,7 @@ require ( github.com/alibabacloud-go/sts-20150401 v1.1.0 github.com/alibabacloud-go/tea v1.2.2 github.com/aliyun/alibaba-cloud-sdk-go v1.62.708 - github.com/aliyun/credentials-go v1.3.2 + github.com/aliyun/credentials-go v1.4.3 github.com/briandowns/spinner v1.23.0 github.com/fatih/color v1.18.0 github.com/json-iterator/go v1.1.12 // indirect @@ -38,7 +38,7 @@ require ( require ( github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect - github.com/alibabacloud-go/debug v1.0.0 // indirect + github.com/alibabacloud-go/debug v1.0.1 // indirect github.com/alibabacloud-go/endpoint-util v1.1.0 // indirect github.com/alibabacloud-go/tea-xml v1.1.3 // indirect github.com/clbanning/mxj/v2 v2.5.6 // indirect diff --git a/go.sum b/go.sum index 3ecdbcc8..24243504 100644 --- a/go.sum +++ b/go.sum @@ -19,8 +19,9 @@ github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.6 h1:y1K+zKhpWcxso8zqI03CcY github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.6/go.mod h1:CzQnh+94WDnJOnKZH5YRyouL+OOcdBnXY5VWAf0McgI= github.com/alibabacloud-go/darabonba-string v1.0.0/go.mod h1:93cTfV3vuPhhEwGGpKKqhVW4jLe7tDpo3LUM0i0g6mA= github.com/alibabacloud-go/debug v0.0.0-20190504072949-9472017b5c68/go.mod h1:6pb/Qy8c+lqua8cFpEy7g39NRRqOWc3rOwAy8m5Y2BY= -github.com/alibabacloud-go/debug v1.0.0 h1:3eIEQWfay1fB24PQIEzXAswlVJtdQok8f3EVN5VrBnA= github.com/alibabacloud-go/debug v1.0.0/go.mod h1:8gfgZCCAC3+SCzjWtY053FrOcd4/qlH6IHTI4QyICOc= +github.com/alibabacloud-go/debug v1.0.1 h1:MsW9SmUtbb1Fnt3ieC6NNZi6aEwrXfDksD4QA6GSbPg= +github.com/alibabacloud-go/debug v1.0.1/go.mod h1:8gfgZCCAC3+SCzjWtY053FrOcd4/qlH6IHTI4QyICOc= github.com/alibabacloud-go/endpoint-util v1.1.0 h1:r/4D3VSw888XGaeNpP994zDUaxdgTSHBbVfZlzf6b5Q= github.com/alibabacloud-go/endpoint-util v1.1.0/go.mod h1:O5FuCALmCKs2Ff7JFJMudHs0I5EBgecXXxZRyswlEjE= github.com/alibabacloud-go/openapi-util v0.0.8/go.mod h1:sQuElr4ywwFRlCCberQwKRFhRzIyG4QTP/P4y1CJ6Ws= @@ -57,8 +58,8 @@ github.com/aliyun/alibaba-cloud-sdk-go v1.62.708 h1:5VYgj4ixzuxrGEKzm6t8TpyjlWeO github.com/aliyun/alibaba-cloud-sdk-go v1.62.708/go.mod h1:SOSDHfe1kX91v3W5QiBsWSLqeLxImobbMX1mxrFHsVQ= github.com/aliyun/credentials-go v1.1.2/go.mod h1:ozcZaMR5kLM7pwtCMEpVmQ242suV6qTJya2bDq4X1Tw= github.com/aliyun/credentials-go v1.3.1/go.mod h1:8jKYhQuDawt8x2+fusqa1Y6mPxemTsBEN04dgcAcYz0= -github.com/aliyun/credentials-go v1.3.2 h1:L4WppI9rctC8PdlMgyTkF8bBsy9pyKQEzBD1bHMRl+g= -github.com/aliyun/credentials-go v1.3.2/go.mod h1:tlpz4uys4Rn7Ik4/piGRrTbXy2uLKvePgQJJduE+Y5c= +github.com/aliyun/credentials-go v1.4.3 h1:N3iHyvHRMyOwY1+0qBLSf3hb5JFiOujVSVuEpgeGttY= +github.com/aliyun/credentials-go v1.4.3/go.mod h1:Jm6d+xIgwJVLVWT561vy67ZRP4lPTQxMbEYRuT2Ti1U= github.com/briandowns/spinner v1.23.0 h1:alDF2guRWqa/FOZZYWjlMIx2L6H0wyewPxo/CH4Pt2A= github.com/briandowns/spinner v1.23.0/go.mod h1:rPG4gmXeN3wQV/TsAY4w8lPdIM6RX3yqeBQJSrbXjuE= github.com/clbanning/mxj/v2 v2.5.5/go.mod h1:hNiWqW14h+kc+MdF9C6/YoRfjEJoR3ou6tn/Qo+ve2s= diff --git a/vendor/github.com/alibabacloud-go/debug/debug/assert.go b/vendor/github.com/alibabacloud-go/debug/debug/assert.go deleted file mode 100644 index 6fca15a6..00000000 --- a/vendor/github.com/alibabacloud-go/debug/debug/assert.go +++ /dev/null @@ -1,12 +0,0 @@ -package debug - -import ( - "reflect" - "testing" -) - -func assertEqual(t *testing.T, a, b interface{}) { - if !reflect.DeepEqual(a, b) { - t.Errorf("%v != %v", a, b) - } -} diff --git a/vendor/github.com/alibabacloud-go/debug/debug/debug.go b/vendor/github.com/alibabacloud-go/debug/debug/debug.go index c977cb8c..c9c8b542 100644 --- a/vendor/github.com/alibabacloud-go/debug/debug/debug.go +++ b/vendor/github.com/alibabacloud-go/debug/debug/debug.go @@ -1,3 +1,22 @@ +// Package debug is a library to display debug info that control by enviroment variable DEBUG +// +// # Example +// +// package main +// // import the package +// import "github.com/alibabacloud-go/debug/debug" +// +// // init a debug method +// var d = debug.Init("sdk") +// +// func main() { +// // try `go run demo.go` +// // and `DEBUG=sdk go run demo.go` +// d("this debug information just print when DEBUG environment variable was set") +// } +// +// When you run application with `DEBUG=sdk go run main.go`, it will display logs. Otherwise +// it do nothing package debug import ( @@ -6,6 +25,8 @@ import ( "strings" ) +// Debug is a method that display logs, it is useful for developer to trace program running +// details when troubleshooting type Debug func(format string, v ...interface{}) var hookGetEnv = func() string { @@ -16,6 +37,7 @@ var hookPrint = func(input string) { fmt.Println(input) } +// Init returns a debug method that based the enviroment variable DEBUG value func Init(flag string) Debug { enable := false diff --git a/vendor/github.com/aliyun/credentials-go/credentials/access_key_credential.go b/vendor/github.com/aliyun/credentials-go/credentials/access_key_credential.go deleted file mode 100644 index 78530e68..00000000 --- a/vendor/github.com/aliyun/credentials-go/credentials/access_key_credential.go +++ /dev/null @@ -1,50 +0,0 @@ -package credentials - -import "github.com/alibabacloud-go/tea/tea" - -// AccessKeyCredential is a kind of credential -type AccessKeyCredential struct { - AccessKeyId string - AccessKeySecret string -} - -func newAccessKeyCredential(accessKeyId, accessKeySecret string) *AccessKeyCredential { - return &AccessKeyCredential{ - AccessKeyId: accessKeyId, - AccessKeySecret: accessKeySecret, - } -} - -func (s *AccessKeyCredential) GetCredential() (*CredentialModel, error) { - credential := &CredentialModel{ - AccessKeyId: tea.String(s.AccessKeyId), - AccessKeySecret: tea.String(s.AccessKeySecret), - Type: tea.String("access_key"), - } - return credential, nil -} - -// GetAccessKeyId reutrns AccessKeyCreential's AccessKeyId -func (a *AccessKeyCredential) GetAccessKeyId() (*string, error) { - return tea.String(a.AccessKeyId), nil -} - -// GetAccessSecret reutrns AccessKeyCreential's AccessKeySecret -func (a *AccessKeyCredential) GetAccessKeySecret() (*string, error) { - return tea.String(a.AccessKeySecret), nil -} - -// GetSecurityToken is useless for AccessKeyCreential -func (a *AccessKeyCredential) GetSecurityToken() (*string, error) { - return tea.String(""), nil -} - -// GetBearerToken is useless for AccessKeyCreential -func (a *AccessKeyCredential) GetBearerToken() *string { - return tea.String("") -} - -// GetType reutrns AccessKeyCreential's type -func (a *AccessKeyCredential) GetType() *string { - return tea.String("access_key") -} diff --git a/vendor/github.com/aliyun/credentials-go/credentials/credential.go b/vendor/github.com/aliyun/credentials-go/credentials/credential.go index 2603dc0c..ad80fc54 100644 --- a/vendor/github.com/aliyun/credentials-go/credentials/credential.go +++ b/vendor/github.com/aliyun/credentials-go/credentials/credential.go @@ -12,9 +12,10 @@ import ( "github.com/alibabacloud-go/debug/debug" "github.com/alibabacloud-go/tea/tea" + "github.com/aliyun/credentials-go/credentials/internal/utils" + "github.com/aliyun/credentials-go/credentials/providers" "github.com/aliyun/credentials-go/credentials/request" "github.com/aliyun/credentials-go/credentials/response" - "github.com/aliyun/credentials-go/credentials/utils" ) var debuglog = debug.Init("credential") @@ -25,8 +26,11 @@ var hookParse = func(err error) error { // Credential is an interface for getting actual credential type Credential interface { + // Deprecated: GetAccessKeyId is deprecated, use GetCredential instead of. GetAccessKeyId() (*string, error) + // Deprecated: GetAccessKeySecret is deprecated, use GetCredential instead of. GetAccessKeySecret() (*string, error) + // Deprecated: GetSecurityToken is deprecated, use GetCredential instead of. GetSecurityToken() (*string, error) GetBearerToken() *string GetType() *string @@ -35,29 +39,50 @@ type Credential interface { // Config is important when call NewCredential type Config struct { - Type *string `json:"type"` - AccessKeyId *string `json:"access_key_id"` - AccessKeySecret *string `json:"access_key_secret"` - OIDCProviderArn *string `json:"oidc_provider_arn"` - OIDCTokenFilePath *string `json:"oidc_token"` - RoleArn *string `json:"role_arn"` - RoleSessionName *string `json:"role_session_name"` - PublicKeyId *string `json:"public_key_id"` - RoleName *string `json:"role_name"` - SessionExpiration *int `json:"session_expiration"` - PrivateKeyFile *string `json:"private_key_file"` - BearerToken *string `json:"bearer_token"` - SecurityToken *string `json:"security_token"` - RoleSessionExpiration *int `json:"role_session_expiratioon"` - Policy *string `json:"policy"` - Host *string `json:"host"` - Timeout *int `json:"timeout"` - ConnectTimeout *int `json:"connect_timeout"` - Proxy *string `json:"proxy"` - InAdvanceScale *float64 `json:"inAdvanceScale"` - Url *string `json:"url"` - STSEndpoint *string `json:"sts_endpoint"` - ExternalId *string `json:"external_id"` + // Credential type, including access_key, sts, bearer, ecs_ram_role, ram_role_arn, rsa_key_pair, oidc_role_arn, credentials_uri + Type *string `json:"type"` + AccessKeyId *string `json:"access_key_id"` + AccessKeySecret *string `json:"access_key_secret"` + SecurityToken *string `json:"security_token"` + BearerToken *string `json:"bearer_token"` + + // Used when the type is ram_role_arn or oidc_role_arn + OIDCProviderArn *string `json:"oidc_provider_arn"` + OIDCTokenFilePath *string `json:"oidc_token"` + RoleArn *string `json:"role_arn"` + RoleSessionName *string `json:"role_session_name"` + RoleSessionExpiration *int `json:"role_session_expiration"` + Policy *string `json:"policy"` + ExternalId *string `json:"external_id"` + STSEndpoint *string `json:"sts_endpoint"` + + // Used when the type is ecs_ram_role + RoleName *string `json:"role_name"` + // Deprecated + EnableIMDSv2 *bool `json:"enable_imds_v2"` + DisableIMDSv1 *bool `json:"disable_imds_v1"` + // Deprecated + MetadataTokenDuration *int `json:"metadata_token_duration"` + + // Used when the type is credentials_uri + Url *string `json:"url"` + + // Deprecated + // Used when the type is rsa_key_pair + SessionExpiration *int `json:"session_expiration"` + PublicKeyId *string `json:"public_key_id"` + PrivateKeyFile *string `json:"private_key_file"` + Host *string `json:"host"` + + // Read timeout, in milliseconds. + // The default value for ecs_ram_role is 1000ms, the default value for ram_role_arn is 5000ms, and the default value for oidc_role_arn is 5000ms. + Timeout *int `json:"timeout"` + // Connection timeout, in milliseconds. + // The default value for ecs_ram_role is 1000ms, the default value for ram_role_arn is 10000ms, and the default value for oidc_role_arn is 10000ms. + ConnectTimeout *int `json:"connect_timeout"` + + Proxy *string `json:"proxy"` + InAdvanceScale *float64 `json:"inAdvanceScale"` } func (s Config) String() string { @@ -103,6 +128,21 @@ func (s *Config) SetRoleName(v string) *Config { return s } +func (s *Config) SetEnableIMDSv2(v bool) *Config { + s.EnableIMDSv2 = &v + return s +} + +func (s *Config) SetDisableIMDSv1(v bool) *Config { + s.DisableIMDSv1 = &v + return s +} + +func (s *Config) SetMetadataTokenDuration(v int) *Config { + s.MetadataTokenDuration = &v + return s +} + func (s *Config) SetSessionExpiration(v int) *Config { s.SessionExpiration = &v return s @@ -176,75 +216,113 @@ func (s *Config) SetSTSEndpoint(v string) *Config { return s } +func (s *Config) SetExternalId(v string) *Config { + s.ExternalId = &v + return s +} + // NewCredential return a credential according to the type in config. -// if config is nil, the function will use default provider chain to get credential. +// if config is nil, the function will use default provider chain to get credentials. // please see README.md for detail. func NewCredential(config *Config) (credential Credential, err error) { if config == nil { - config, err = defaultChain.resolve() - if err != nil { - return - } - return NewCredential(config) + provider := providers.NewDefaultCredentialsProvider() + credential = FromCredentialsProvider("default", provider) + return } switch tea.StringValue(config.Type) { case "credentials_uri": credential = newURLCredential(tea.StringValue(config.Url)) case "oidc_role_arn": - err = checkoutAssumeRamoidc(config) + provider, err := providers.NewOIDCCredentialsProviderBuilder(). + WithRoleArn(tea.StringValue(config.RoleArn)). + WithOIDCTokenFilePath(tea.StringValue(config.OIDCTokenFilePath)). + WithOIDCProviderARN(tea.StringValue(config.OIDCProviderArn)). + WithDurationSeconds(tea.IntValue(config.RoleSessionExpiration)). + WithPolicy(tea.StringValue(config.Policy)). + WithRoleSessionName(tea.StringValue(config.RoleSessionName)). + WithSTSEndpoint(tea.StringValue(config.STSEndpoint)). + WithHttpOptions(&providers.HttpOptions{ + Proxy: tea.StringValue(config.Proxy), + ReadTimeout: tea.IntValue(config.Timeout), + ConnectTimeout: tea.IntValue(config.ConnectTimeout), + }). + Build() + if err != nil { - return + return nil, err } - runtime := &utils.Runtime{ - Host: tea.StringValue(config.Host), - Proxy: tea.StringValue(config.Proxy), - ReadTimeout: tea.IntValue(config.Timeout), - ConnectTimeout: tea.IntValue(config.ConnectTimeout), - STSEndpoint: tea.StringValue(config.STSEndpoint), - } - credential = newOIDCRoleArnCredential(tea.StringValue(config.AccessKeyId), tea.StringValue(config.AccessKeySecret), tea.StringValue(config.RoleArn), tea.StringValue(config.OIDCProviderArn), tea.StringValue(config.OIDCTokenFilePath), tea.StringValue(config.RoleSessionName), tea.StringValue(config.Policy), tea.IntValue(config.RoleSessionExpiration), runtime) + credential = FromCredentialsProvider("oidc_role_arn", provider) case "access_key": - err = checkAccessKey(config) + provider, err := providers.NewStaticAKCredentialsProviderBuilder(). + WithAccessKeyId(tea.StringValue(config.AccessKeyId)). + WithAccessKeySecret(tea.StringValue(config.AccessKeySecret)). + Build() if err != nil { - return + return nil, err } - credential = newAccessKeyCredential(tea.StringValue(config.AccessKeyId), tea.StringValue(config.AccessKeySecret)) + + credential = FromCredentialsProvider("access_key", provider) case "sts": - err = checkSTS(config) + provider, err := providers.NewStaticSTSCredentialsProviderBuilder(). + WithAccessKeyId(tea.StringValue(config.AccessKeyId)). + WithAccessKeySecret(tea.StringValue(config.AccessKeySecret)). + WithSecurityToken(tea.StringValue(config.SecurityToken)). + Build() if err != nil { - return + return nil, err } - credential = newStsTokenCredential(tea.StringValue(config.AccessKeyId), tea.StringValue(config.AccessKeySecret), tea.StringValue(config.SecurityToken)) + + credential = FromCredentialsProvider("sts", provider) case "ecs_ram_role": - checkEcsRAMRole(config) - runtime := &utils.Runtime{ - Host: tea.StringValue(config.Host), - Proxy: tea.StringValue(config.Proxy), - ReadTimeout: tea.IntValue(config.Timeout), - ConnectTimeout: tea.IntValue(config.ConnectTimeout), + provider, err := providers.NewECSRAMRoleCredentialsProviderBuilder(). + WithRoleName(tea.StringValue(config.RoleName)). + WithDisableIMDSv1(tea.BoolValue(config.DisableIMDSv1)). + Build() + + if err != nil { + return nil, err } - credential = newEcsRAMRoleCredential(tea.StringValue(config.RoleName), tea.Float64Value(config.InAdvanceScale), runtime) + + credential = FromCredentialsProvider("ecs_ram_role", provider) case "ram_role_arn": - err = checkRAMRoleArn(config) + var credentialsProvider providers.CredentialsProvider + if config.SecurityToken != nil && *config.SecurityToken != "" { + credentialsProvider, err = providers.NewStaticSTSCredentialsProviderBuilder(). + WithAccessKeyId(tea.StringValue(config.AccessKeyId)). + WithAccessKeySecret(tea.StringValue(config.AccessKeySecret)). + WithSecurityToken(tea.StringValue(config.SecurityToken)). + Build() + } else { + credentialsProvider, err = providers.NewStaticAKCredentialsProviderBuilder(). + WithAccessKeyId(tea.StringValue(config.AccessKeyId)). + WithAccessKeySecret(tea.StringValue(config.AccessKeySecret)). + Build() + } + if err != nil { - return + return nil, err } - runtime := &utils.Runtime{ - Host: tea.StringValue(config.Host), - Proxy: tea.StringValue(config.Proxy), - ReadTimeout: tea.IntValue(config.Timeout), - ConnectTimeout: tea.IntValue(config.ConnectTimeout), - STSEndpoint: tea.StringValue(config.STSEndpoint), + + provider, err := providers.NewRAMRoleARNCredentialsProviderBuilder(). + WithCredentialsProvider(credentialsProvider). + WithRoleArn(tea.StringValue(config.RoleArn)). + WithRoleSessionName(tea.StringValue(config.RoleSessionName)). + WithPolicy(tea.StringValue(config.Policy)). + WithDurationSeconds(tea.IntValue(config.RoleSessionExpiration)). + WithExternalId(tea.StringValue(config.ExternalId)). + WithStsEndpoint(tea.StringValue(config.STSEndpoint)). + WithHttpOptions(&providers.HttpOptions{ + Proxy: tea.StringValue(config.Proxy), + ReadTimeout: tea.IntValue(config.Timeout), + ConnectTimeout: tea.IntValue(config.ConnectTimeout), + }). + Build() + if err != nil { + return nil, err } - credential = newRAMRoleArnWithExternalIdCredential( - tea.StringValue(config.AccessKeyId), - tea.StringValue(config.AccessKeySecret), - tea.StringValue(config.RoleArn), - tea.StringValue(config.RoleSessionName), - tea.StringValue(config.Policy), - tea.IntValue(config.RoleSessionExpiration), - tea.StringValue(config.ExternalId), - runtime) + + credential = FromCredentialsProvider("ram_role_arn", provider) case "rsa_key_pair": err = checkRSAKeyPair(config) if err != nil { @@ -271,7 +349,11 @@ func NewCredential(config *Config) (credential Credential, err error) { ConnectTimeout: tea.IntValue(config.ConnectTimeout), STSEndpoint: tea.StringValue(config.STSEndpoint), } - credential = newRsaKeyPairCredential(privateKey, tea.StringValue(config.PublicKeyId), tea.IntValue(config.SessionExpiration), runtime) + credential = newRsaKeyPairCredential( + privateKey, + tea.StringValue(config.PublicKeyId), + tea.IntValue(config.SessionExpiration), + runtime) case "bearer": if tea.StringValue(config.BearerToken) == "" { err = errors.New("BearerToken cannot be empty") @@ -279,7 +361,7 @@ func NewCredential(config *Config) (credential Credential, err error) { } credential = newBearerTokenCredential(tea.StringValue(config.BearerToken)) default: - err = errors.New("Invalid type option, support: access_key, sts, ecs_ram_role, ram_role_arn, rsa_key_pair") + err = errors.New("invalid type option, support: access_key, sts, bearer, ecs_ram_role, ram_role_arn, rsa_key_pair, oidc_role_arn, credentials_uri") return } return credential, nil @@ -297,70 +379,6 @@ func checkRSAKeyPair(config *Config) (err error) { return } -func checkoutAssumeRamoidc(config *Config) (err error) { - if tea.StringValue(config.RoleArn) == "" { - err = errors.New("RoleArn cannot be empty") - return - } - if tea.StringValue(config.OIDCProviderArn) == "" { - err = errors.New("OIDCProviderArn cannot be empty") - return - } - return -} - -func checkRAMRoleArn(config *Config) (err error) { - if tea.StringValue(config.AccessKeySecret) == "" { - err = errors.New("AccessKeySecret cannot be empty") - return - } - if tea.StringValue(config.RoleArn) == "" { - err = errors.New("RoleArn cannot be empty") - return - } - if tea.StringValue(config.RoleSessionName) == "" { - err = errors.New("RoleSessionName cannot be empty") - return - } - if tea.StringValue(config.AccessKeyId) == "" { - err = errors.New("AccessKeyId cannot be empty") - return - } - return -} - -func checkEcsRAMRole(config *Config) (err error) { - return -} - -func checkSTS(config *Config) (err error) { - if tea.StringValue(config.AccessKeyId) == "" { - err = errors.New("AccessKeyId cannot be empty") - return - } - if tea.StringValue(config.AccessKeySecret) == "" { - err = errors.New("AccessKeySecret cannot be empty") - return - } - if tea.StringValue(config.SecurityToken) == "" { - err = errors.New("SecurityToken cannot be empty") - return - } - return -} - -func checkAccessKey(config *Config) (err error) { - if tea.StringValue(config.AccessKeyId) == "" { - err = errors.New("AccessKeyId cannot be empty") - return - } - if tea.StringValue(config.AccessKeySecret) == "" { - err = errors.New("AccessKeySecret cannot be empty") - return - } - return -} - func doAction(request *request.CommonRequest, runtime *utils.Runtime) (content []byte, err error) { var urlEncoded string if request.BodyParams != nil { @@ -390,12 +408,12 @@ func doAction(request *request.CommonRequest, runtime *utils.Runtime) (content [ return } } - trans := &http.Transport{} + transport := &http.Transport{} if proxy != nil && runtime.Proxy != "" { - trans.Proxy = http.ProxyURL(proxy) + transport.Proxy = http.ProxyURL(proxy) } - trans.DialContext = utils.Timeout(time.Duration(runtime.ConnectTimeout) * time.Second) - httpClient.Transport = trans + transport.DialContext = utils.Timeout(time.Duration(runtime.ConnectTimeout) * time.Second) + httpClient.Transport = transport httpResponse, err := hookDo(httpClient.Do)(httpRequest) if err != nil { return @@ -418,3 +436,70 @@ func doAction(request *request.CommonRequest, runtime *utils.Runtime) (content [ } return resp.GetHTTPContentBytes(), nil } + +type credentialsProviderWrap struct { + typeName string + provider providers.CredentialsProvider +} + +// Deprecated: use GetCredential() instead of +func (cp *credentialsProviderWrap) GetAccessKeyId() (accessKeyId *string, err error) { + cc, err := cp.provider.GetCredentials() + if err != nil { + return + } + accessKeyId = &cc.AccessKeyId + return +} + +// Deprecated: use GetCredential() instead of +func (cp *credentialsProviderWrap) GetAccessKeySecret() (accessKeySecret *string, err error) { + cc, err := cp.provider.GetCredentials() + if err != nil { + return + } + accessKeySecret = &cc.AccessKeySecret + return +} + +// Deprecated: use GetCredential() instead of +func (cp *credentialsProviderWrap) GetSecurityToken() (securityToken *string, err error) { + cc, err := cp.provider.GetCredentials() + if err != nil { + return + } + securityToken = &cc.SecurityToken + return +} + +// Deprecated: don't use it +func (cp *credentialsProviderWrap) GetBearerToken() (bearerToken *string) { + return tea.String("") +} + +// Get credentials +func (cp *credentialsProviderWrap) GetCredential() (cm *CredentialModel, err error) { + c, err := cp.provider.GetCredentials() + if err != nil { + return + } + + cm = &CredentialModel{ + AccessKeyId: &c.AccessKeyId, + AccessKeySecret: &c.AccessKeySecret, + SecurityToken: &c.SecurityToken, + Type: &c.ProviderName, + } + return +} + +func (cp *credentialsProviderWrap) GetType() *string { + return &cp.typeName +} + +func FromCredentialsProvider(typeName string, cp providers.CredentialsProvider) Credential { + return &credentialsProviderWrap{ + typeName: typeName, + provider: cp, + } +} diff --git a/vendor/github.com/aliyun/credentials-go/credentials/doc.go b/vendor/github.com/aliyun/credentials-go/credentials/doc.go new file mode 100644 index 00000000..bfd59e30 --- /dev/null +++ b/vendor/github.com/aliyun/credentials-go/credentials/doc.go @@ -0,0 +1,2 @@ +// Package credentials is an alibaba cloud official credentials provider implementation +package credentials diff --git a/vendor/github.com/aliyun/credentials-go/credentials/ecs_ram_role.go b/vendor/github.com/aliyun/credentials-go/credentials/ecs_ram_role_credentials_provider.go similarity index 54% rename from vendor/github.com/aliyun/credentials-go/credentials/ecs_ram_role.go rename to vendor/github.com/aliyun/credentials-go/credentials/ecs_ram_role_credentials_provider.go index d86360fc..5a54d7b5 100644 --- a/vendor/github.com/aliyun/credentials-go/credentials/ecs_ram_role.go +++ b/vendor/github.com/aliyun/credentials-go/credentials/ecs_ram_role_credentials_provider.go @@ -3,21 +3,29 @@ package credentials import ( "encoding/json" "fmt" + "strconv" "time" "github.com/alibabacloud-go/tea/tea" + "github.com/aliyun/credentials-go/credentials/internal/utils" "github.com/aliyun/credentials-go/credentials/request" - "github.com/aliyun/credentials-go/credentials/utils" ) var securityCredURL = "http://100.100.100.200/latest/meta-data/ram/security-credentials/" +var securityCredTokenURL = "http://100.100.100.200/latest/api/token" -// EcsRAMRoleCredential is a kind of credential -type EcsRAMRoleCredential struct { +const defaultMetadataTokenDuration = int(21600) + +// ECSRAMRoleCredentialsProvider is a kind of credentials provider +type ECSRAMRoleCredentialsProvider struct { *credentialUpdater - RoleName string - sessionCredential *sessionCredential - runtime *utils.Runtime + RoleName string + EnableIMDSv2 bool + MetadataTokenDuration int + sessionCredential *sessionCredential + runtime *utils.Runtime + metadataToken string + staleTime int64 } type ecsRAMRoleResponse struct { @@ -28,86 +36,85 @@ type ecsRAMRoleResponse struct { Expiration string `json:"Expiration" xml:"Expiration"` } -func newEcsRAMRoleCredential(roleName string, inAdvanceScale float64, runtime *utils.Runtime) *EcsRAMRoleCredential { +func newEcsRAMRoleCredentialWithEnableIMDSv2(roleName string, enableIMDSv2 bool, metadataTokenDuration int, inAdvanceScale float64, runtime *utils.Runtime) *ECSRAMRoleCredentialsProvider { credentialUpdater := new(credentialUpdater) if inAdvanceScale < 1 && inAdvanceScale > 0 { credentialUpdater.inAdvanceScale = inAdvanceScale } - return &EcsRAMRoleCredential{ - RoleName: roleName, - credentialUpdater: credentialUpdater, - runtime: runtime, + return &ECSRAMRoleCredentialsProvider{ + RoleName: roleName, + EnableIMDSv2: enableIMDSv2, + MetadataTokenDuration: metadataTokenDuration, + credentialUpdater: credentialUpdater, + runtime: runtime, } } -func (e *EcsRAMRoleCredential) GetCredential() (*CredentialModel, error) { +func (e *ECSRAMRoleCredentialsProvider) GetCredential() (credentials *CredentialModel, err error) { if e.sessionCredential == nil || e.needUpdateCredential() { - err := e.updateCredential() + err = e.updateCredential() if err != nil { - return nil, err + if e.credentialExpiration > (int(time.Now().Unix()) - int(e.lastUpdateTimestamp)) { + // 虽然有错误,但是已有的 credentials 还有效 + } else { + return + } } } - credential := &CredentialModel{ + + credentials = &CredentialModel{ AccessKeyId: tea.String(e.sessionCredential.AccessKeyId), AccessKeySecret: tea.String(e.sessionCredential.AccessKeySecret), SecurityToken: tea.String(e.sessionCredential.SecurityToken), Type: tea.String("ecs_ram_role"), } - return credential, nil + + return } // GetAccessKeyId reutrns EcsRAMRoleCredential's AccessKeyId // if AccessKeyId is not exist or out of date, the function will update it. -func (e *EcsRAMRoleCredential) GetAccessKeyId() (*string, error) { - if e.sessionCredential == nil || e.needUpdateCredential() { - err := e.updateCredential() - if err != nil { - if e.credentialExpiration > (int(time.Now().Unix()) - int(e.lastUpdateTimestamp)) { - return &e.sessionCredential.AccessKeyId, nil - } - return tea.String(""), err - } +func (e *ECSRAMRoleCredentialsProvider) GetAccessKeyId() (accessKeyId *string, err error) { + c, err := e.GetCredential() + if err != nil { + return } - return tea.String(e.sessionCredential.AccessKeyId), nil + + accessKeyId = c.AccessKeyId + return } // GetAccessSecret reutrns EcsRAMRoleCredential's AccessKeySecret // if AccessKeySecret is not exist or out of date, the function will update it. -func (e *EcsRAMRoleCredential) GetAccessKeySecret() (*string, error) { - if e.sessionCredential == nil || e.needUpdateCredential() { - err := e.updateCredential() - if err != nil { - if e.credentialExpiration > (int(time.Now().Unix()) - int(e.lastUpdateTimestamp)) { - return &e.sessionCredential.AccessKeySecret, nil - } - return tea.String(""), err - } +func (e *ECSRAMRoleCredentialsProvider) GetAccessKeySecret() (accessKeySecret *string, err error) { + c, err := e.GetCredential() + if err != nil { + return } - return tea.String(e.sessionCredential.AccessKeySecret), nil + + accessKeySecret = c.AccessKeySecret + return } // GetSecurityToken reutrns EcsRAMRoleCredential's SecurityToken // if SecurityToken is not exist or out of date, the function will update it. -func (e *EcsRAMRoleCredential) GetSecurityToken() (*string, error) { - if e.sessionCredential == nil || e.needUpdateCredential() { - err := e.updateCredential() - if err != nil { - if e.credentialExpiration > (int(time.Now().Unix()) - int(e.lastUpdateTimestamp)) { - return &e.sessionCredential.SecurityToken, nil - } - return tea.String(""), err - } +func (e *ECSRAMRoleCredentialsProvider) GetSecurityToken() (securityToken *string, err error) { + c, err := e.GetCredential() + if err != nil { + return } - return tea.String(e.sessionCredential.SecurityToken), nil + + securityToken = c.SecurityToken + return } // GetBearerToken is useless for EcsRAMRoleCredential -func (e *EcsRAMRoleCredential) GetBearerToken() *string { +func (e *ECSRAMRoleCredentialsProvider) GetBearerToken() *string { return tea.String("") } // GetType reutrns EcsRAMRoleCredential's type -func (e *EcsRAMRoleCredential) GetType() *string { +func (e *ECSRAMRoleCredentialsProvider) GetType() *string { return tea.String("ecs_ram_role") } @@ -123,7 +130,27 @@ func getRoleName() (string, error) { return string(content), nil } -func (e *EcsRAMRoleCredential) updateCredential() (err error) { +func (e *ECSRAMRoleCredentialsProvider) getMetadataToken() (err error) { + if e.needToRefresh() { + if e.MetadataTokenDuration <= 0 { + e.MetadataTokenDuration = defaultMetadataTokenDuration + } + tmpTime := time.Now().Unix() + int64(e.MetadataTokenDuration*1000) + request := request.NewCommonRequest() + request.URL = securityCredTokenURL + request.Method = "PUT" + request.Headers["X-aliyun-ecs-metadata-token-ttl-seconds"] = strconv.Itoa(e.MetadataTokenDuration) + content, err := doAction(request, e.runtime) + if err != nil { + return err + } + e.staleTime = tmpTime + e.metadataToken = string(content) + } + return +} + +func (e *ECSRAMRoleCredentialsProvider) updateCredential() (err error) { if e.runtime == nil { e.runtime = new(utils.Runtime) } @@ -134,6 +161,13 @@ func (e *EcsRAMRoleCredential) updateCredential() (err error) { return fmt.Errorf("refresh Ecs sts token err: %s", err.Error()) } } + if e.EnableIMDSv2 { + err = e.getMetadataToken() + if err != nil { + return fmt.Errorf("failed to get token from ECS Metadata Service: %s", err.Error()) + } + request.Headers["X-aliyun-ecs-metadata-token"] = e.metadataToken + } request.URL = securityCredURL + e.RoleName request.Method = "GET" content, err := doAction(request, e.runtime) @@ -163,3 +197,8 @@ func (e *EcsRAMRoleCredential) updateCredential() (err error) { return } + +func (e *ECSRAMRoleCredentialsProvider) needToRefresh() (needToRefresh bool) { + needToRefresh = time.Now().Unix() >= e.staleTime + return +} diff --git a/vendor/github.com/aliyun/credentials-go/credentials/env_provider.go b/vendor/github.com/aliyun/credentials-go/credentials/env_provider.go index 89df42f8..c0957728 100644 --- a/vendor/github.com/aliyun/credentials-go/credentials/env_provider.go +++ b/vendor/github.com/aliyun/credentials-go/credentials/env_provider.go @@ -23,7 +23,7 @@ func newEnvProvider() Provider { return &envProvider{} } -func (p *envProvider) resolve() (*Config, error) { +func (p *envProvider) resolve() (config *Config, err error) { accessKeyId, ok1 := os.LookupEnv(EnvVarAccessKeyIdNew) if !ok1 || accessKeyId == "" { accessKeyId, ok1 = os.LookupEnv(EnvVarAccessKeyId) @@ -38,10 +38,24 @@ func (p *envProvider) resolve() (*Config, error) { if accessKeySecret == "" { return nil, errors.New(EnvVarAccessKeySecret + " cannot be empty") } - config := &Config{ + + securityToken := os.Getenv("ALIBABA_CLOUD_SECURITY_TOKEN") + + if securityToken != "" { + config = &Config{ + Type: tea.String("sts"), + AccessKeyId: tea.String(accessKeyId), + AccessKeySecret: tea.String(accessKeySecret), + SecurityToken: tea.String(securityToken), + } + return + } + + config = &Config{ Type: tea.String("access_key"), AccessKeyId: tea.String(accessKeyId), AccessKeySecret: tea.String(accessKeySecret), } - return config, nil + + return } diff --git a/vendor/github.com/aliyun/credentials-go/credentials/instance_provider.go b/vendor/github.com/aliyun/credentials-go/credentials/instance_provider.go index 7e2ea07b..c82091df 100644 --- a/vendor/github.com/aliyun/credentials-go/credentials/instance_provider.go +++ b/vendor/github.com/aliyun/credentials-go/credentials/instance_provider.go @@ -2,6 +2,7 @@ package credentials import ( "os" + "strings" "github.com/alibabacloud-go/tea/tea" ) @@ -19,10 +20,12 @@ func (p *instanceCredentialsProvider) resolve() (*Config, error) { if !ok { return nil, nil } + enableIMDSv2, _ := os.LookupEnv(ENVEcsMetadataIMDSv2Enable) config := &Config{ - Type: tea.String("ecs_ram_role"), - RoleName: tea.String(roleName), + Type: tea.String("ecs_ram_role"), + RoleName: tea.String(roleName), + EnableIMDSv2: tea.Bool(strings.ToLower(enableIMDSv2) == "true"), } return config, nil } diff --git a/vendor/github.com/aliyun/credentials-go/credentials/internal/http/http.go b/vendor/github.com/aliyun/credentials-go/credentials/internal/http/http.go new file mode 100644 index 00000000..6d185980 --- /dev/null +++ b/vendor/github.com/aliyun/credentials-go/credentials/internal/http/http.go @@ -0,0 +1,142 @@ +package http + +import ( + "context" + "fmt" + "io" + "io/ioutil" + "net" + "net/http" + "net/url" + "strings" + "time" + + "github.com/alibabacloud-go/debug/debug" + "github.com/aliyun/credentials-go/credentials/internal/utils" +) + +type Request struct { + Method string // http request method + URL string // http url + Protocol string // http or https + Host string // http host + ReadTimeout time.Duration + ConnectTimeout time.Duration + Proxy string // http proxy + Form map[string]string // http form + Body []byte // request body for JSON or stream + Path string + Queries map[string]string + Headers map[string]string +} + +func (req *Request) BuildRequestURL() string { + httpUrl := fmt.Sprintf("%s://%s%s", req.Protocol, req.Host, req.Path) + if req.URL != "" { + httpUrl = req.URL + } + + querystring := utils.GetURLFormedMap(req.Queries) + if querystring != "" { + httpUrl = httpUrl + "?" + querystring + } + + return fmt.Sprintf("%s %s", req.Method, httpUrl) +} + +type Response struct { + StatusCode int + Headers map[string]string + Body []byte +} + +var newRequest = http.NewRequest + +type do func(req *http.Request) (*http.Response, error) + +var hookDo = func(fn do) do { + return fn +} + +var debuglog = debug.Init("credential") + +func Do(req *Request) (res *Response, err error) { + querystring := utils.GetURLFormedMap(req.Queries) + // do request + httpUrl := fmt.Sprintf("%s://%s%s?%s", req.Protocol, req.Host, req.Path, querystring) + if req.URL != "" { + httpUrl = req.URL + } + + var body io.Reader + if req.Method == "GET" { + body = strings.NewReader("") + } else { + body = strings.NewReader(utils.GetURLFormedMap(req.Form)) + } + + httpRequest, err := newRequest(req.Method, httpUrl, body) + if err != nil { + return + } + + if req.Form != nil { + httpRequest.Header["Content-Type"] = []string{"application/x-www-form-urlencoded"} + } + + for key, value := range req.Headers { + if value != "" { + debuglog("> %s: %s", key, value) + httpRequest.Header.Set(key, value) + } + } + + httpClient := &http.Client{} + + if req.ReadTimeout != 0 { + httpClient.Timeout = req.ReadTimeout + req.ConnectTimeout + } + + transport := http.DefaultTransport.(*http.Transport).Clone() + if req.Proxy != "" { + var proxy *url.URL + proxy, err = url.Parse(req.Proxy) + if err != nil { + return + } + transport.Proxy = http.ProxyURL(proxy) + } + + if req.ConnectTimeout != 0 { + transport.DialContext = func(ctx context.Context, network, address string) (net.Conn, error) { + return (&net.Dialer{ + Timeout: req.ConnectTimeout, + DualStack: true, + }).DialContext(ctx, network, address) + } + } + + httpClient.Transport = transport + + httpResponse, err := hookDo(httpClient.Do)(httpRequest) + if err != nil { + return + } + + defer httpResponse.Body.Close() + + responseBody, err := ioutil.ReadAll(httpResponse.Body) + if err != nil { + return + } + res = &Response{ + StatusCode: httpResponse.StatusCode, + Headers: make(map[string]string), + Body: responseBody, + } + for key, v := range httpResponse.Header { + res.Headers[key] = v[0] + } + + return +} diff --git a/vendor/github.com/aliyun/credentials-go/credentials/internal/utils/path.go b/vendor/github.com/aliyun/credentials-go/credentials/internal/utils/path.go new file mode 100644 index 00000000..a94088c6 --- /dev/null +++ b/vendor/github.com/aliyun/credentials-go/credentials/internal/utils/path.go @@ -0,0 +1,18 @@ +package utils + +import ( + "os" + "runtime" +) + +var getOS = func() string { + return runtime.GOOS +} + +func GetHomePath() string { + if getOS() == "windows" { + return os.Getenv("USERPROFILE") + } + + return os.Getenv("HOME") +} diff --git a/vendor/github.com/aliyun/credentials-go/credentials/internal/utils/runtime.go b/vendor/github.com/aliyun/credentials-go/credentials/internal/utils/runtime.go new file mode 100644 index 00000000..432395cf --- /dev/null +++ b/vendor/github.com/aliyun/credentials-go/credentials/internal/utils/runtime.go @@ -0,0 +1,36 @@ +package utils + +import ( + "context" + "net" + "time" +) + +// Runtime is for setting timeout, proxy and host +type Runtime struct { + ReadTimeout int + ConnectTimeout int + Proxy string + Host string + STSEndpoint string +} + +// NewRuntime returns a Runtime +func NewRuntime(readTimeout, connectTimeout int, proxy string, host string) *Runtime { + return &Runtime{ + ReadTimeout: readTimeout, + ConnectTimeout: connectTimeout, + Proxy: proxy, + Host: host, + } +} + +// Timeout is for connect Timeout +func Timeout(connectTimeout time.Duration) func(cxt context.Context, net, addr string) (c net.Conn, err error) { + return func(ctx context.Context, network, address string) (net.Conn, error) { + return (&net.Dialer{ + Timeout: connectTimeout, + DualStack: true, + }).DialContext(ctx, network, address) + } +} diff --git a/vendor/github.com/aliyun/credentials-go/credentials/internal/utils/utils.go b/vendor/github.com/aliyun/credentials-go/credentials/internal/utils/utils.go new file mode 100644 index 00000000..fffee1ed --- /dev/null +++ b/vendor/github.com/aliyun/credentials-go/credentials/internal/utils/utils.go @@ -0,0 +1,204 @@ +package utils + +import ( + "bytes" + "crypto" + "crypto/hmac" + "crypto/md5" + "crypto/rand" + "crypto/rsa" + "crypto/sha1" + "crypto/x509" + "encoding/base64" + "encoding/hex" + "fmt" + "hash" + "io" + mathrand "math/rand" + "net/url" + "os" + "runtime" + "strconv" + "sync/atomic" + "time" +) + +type uuid [16]byte + +const letterBytes = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" + +var hookRead = func(fn func(p []byte) (n int, err error)) func(p []byte) (n int, err error) { + return fn +} + +var hookRSA = func(fn func(rand io.Reader, priv *rsa.PrivateKey, hash crypto.Hash, hashed []byte) ([]byte, error)) func(rand io.Reader, priv *rsa.PrivateKey, hash crypto.Hash, hashed []byte) ([]byte, error) { + return fn +} + +// GetUUID returns a uuid +func GetUUID() (uuidHex string) { + uuid := newUUID() + uuidHex = hex.EncodeToString(uuid[:]) + return +} + +// RandStringBytes returns a rand string +func RandStringBytes(n int) string { + b := make([]byte, n) + for i := range b { + b[i] = letterBytes[mathrand.Intn(len(letterBytes))] + } + return string(b) +} + +// ShaHmac1 return a string which has been hashed +func ShaHmac1(source, secret string) string { + key := []byte(secret) + hmac := hmac.New(sha1.New, key) + hmac.Write([]byte(source)) + signedBytes := hmac.Sum(nil) + signedString := base64.StdEncoding.EncodeToString(signedBytes) + return signedString +} + +// Sha256WithRsa return a string which has been hashed with Rsa +func Sha256WithRsa(source, secret string) string { + decodeString, err := base64.StdEncoding.DecodeString(secret) + if err != nil { + panic(err) + } + private, err := x509.ParsePKCS8PrivateKey(decodeString) + if err != nil { + panic(err) + } + + h := crypto.Hash.New(crypto.SHA256) + h.Write([]byte(source)) + hashed := h.Sum(nil) + signature, err := hookRSA(rsa.SignPKCS1v15)(rand.Reader, private.(*rsa.PrivateKey), + crypto.SHA256, hashed) + if err != nil { + panic(err) + } + + return base64.StdEncoding.EncodeToString(signature) +} + +// GetMD5Base64 returns a string which has been base64 +func GetMD5Base64(bytes []byte) (base64Value string) { + md5Ctx := md5.New() + md5Ctx.Write(bytes) + md5Value := md5Ctx.Sum(nil) + base64Value = base64.StdEncoding.EncodeToString(md5Value) + return +} + +// GetTimeInFormatISO8601 returns a time string +func GetTimeInFormatISO8601() (timeStr string) { + gmt := time.FixedZone("GMT", 0) + + return time.Now().In(gmt).Format("2006-01-02T15:04:05Z") +} + +// GetURLFormedMap returns a url encoded string +func GetURLFormedMap(source map[string]string) (urlEncoded string) { + urlEncoder := url.Values{} + for key, value := range source { + urlEncoder.Add(key, value) + } + urlEncoded = urlEncoder.Encode() + return +} + +func newUUID() uuid { + ns := uuid{} + safeRandom(ns[:]) + u := newFromHash(md5.New(), ns, RandStringBytes(16)) + u[6] = (u[6] & 0x0f) | (byte(2) << 4) + u[8] = (u[8]&(0xff>>2) | (0x02 << 6)) + + return u +} + +func newFromHash(h hash.Hash, ns uuid, name string) uuid { + u := uuid{} + h.Write(ns[:]) + h.Write([]byte(name)) + copy(u[:], h.Sum(nil)) + + return u +} + +func safeRandom(dest []byte) { + if _, err := hookRead(rand.Read)(dest); err != nil { + panic(err) + } +} + +func (u uuid) String() string { + buf := make([]byte, 36) + + hex.Encode(buf[0:8], u[0:4]) + buf[8] = '-' + hex.Encode(buf[9:13], u[4:6]) + buf[13] = '-' + hex.Encode(buf[14:18], u[6:8]) + buf[18] = '-' + hex.Encode(buf[19:23], u[8:10]) + buf[23] = '-' + hex.Encode(buf[24:], u[10:]) + + return string(buf) +} + +var processStartTime int64 = time.Now().UnixNano() / 1e6 +var seqId int64 = 0 + +func getGID() uint64 { + // https://blog.sgmansfield.com/2015/12/goroutine-ids/ + b := make([]byte, 64) + b = b[:runtime.Stack(b, false)] + b = bytes.TrimPrefix(b, []byte("goroutine ")) + b = b[:bytes.IndexByte(b, ' ')] + n, _ := strconv.ParseUint(string(b), 10, 64) + return n +} + +func GetNonce() (uuidHex string) { + routineId := getGID() + currentTime := time.Now().UnixNano() / 1e6 + seq := atomic.AddInt64(&seqId, 1) + randNum := mathrand.Int63() + msg := fmt.Sprintf("%d-%d-%d-%d-%d", processStartTime, routineId, currentTime, seq, randNum) + h := md5.New() + h.Write([]byte(msg)) + return hex.EncodeToString(h.Sum(nil)) +} + +// Get first non-empty value +func GetDefaultString(values ...string) string { + for _, v := range values { + if v != "" { + return v + } + } + + return "" +} + +// set back the memoried enviroment variables +type Rollback func() + +func Memory(keys ...string) Rollback { + // remenber enviroment variables + m := make(map[string]string) + for _, key := range keys { + m[key] = os.Getenv(key) + } + + return func() { + for _, key := range keys { + os.Setenv(key, m[key]) + } + } +} diff --git a/vendor/github.com/aliyun/credentials-go/credentials/oidc_credential.go b/vendor/github.com/aliyun/credentials-go/credentials/oidc_credential.go deleted file mode 100644 index de0acc7f..00000000 --- a/vendor/github.com/aliyun/credentials-go/credentials/oidc_credential.go +++ /dev/null @@ -1,195 +0,0 @@ -package credentials - -import ( - "encoding/json" - "fmt" - "io/ioutil" - "os" - "strconv" - "time" - - "github.com/alibabacloud-go/tea/tea" - "github.com/aliyun/credentials-go/credentials/request" - "github.com/aliyun/credentials-go/credentials/utils" -) - -const defaultOIDCDurationSeconds = 3600 - -// OIDCCredential is a kind of credentials -type OIDCCredential struct { - *credentialUpdater - AccessKeyId string - AccessKeySecret string - RoleArn string - OIDCProviderArn string - OIDCTokenFilePath string - Policy string - RoleSessionName string - RoleSessionExpiration int - sessionCredential *sessionCredential - runtime *utils.Runtime -} - -type OIDCResponse struct { - Credentials *credentialsInResponse `json:"Credentials" xml:"Credentials"` -} - -type OIDCcredentialsInResponse struct { - AccessKeyId string `json:"AccessKeyId" xml:"AccessKeyId"` - AccessKeySecret string `json:"AccessKeySecret" xml:"AccessKeySecret"` - SecurityToken string `json:"SecurityToken" xml:"SecurityToken"` - Expiration string `json:"Expiration" xml:"Expiration"` -} - -func newOIDCRoleArnCredential(accessKeyId, accessKeySecret, roleArn, OIDCProviderArn, OIDCTokenFilePath, RoleSessionName, policy string, RoleSessionExpiration int, runtime *utils.Runtime) *OIDCCredential { - return &OIDCCredential{ - AccessKeyId: accessKeyId, - AccessKeySecret: accessKeySecret, - RoleArn: roleArn, - OIDCProviderArn: OIDCProviderArn, - OIDCTokenFilePath: OIDCTokenFilePath, - RoleSessionName: RoleSessionName, - Policy: policy, - RoleSessionExpiration: RoleSessionExpiration, - credentialUpdater: new(credentialUpdater), - runtime: runtime, - } -} - -func (e *OIDCCredential) GetCredential() (*CredentialModel, error) { - if e.sessionCredential == nil || e.needUpdateCredential() { - err := e.updateCredential() - if err != nil { - return nil, err - } - } - credential := &CredentialModel{ - AccessKeyId: tea.String(e.sessionCredential.AccessKeyId), - AccessKeySecret: tea.String(e.sessionCredential.AccessKeySecret), - SecurityToken: tea.String(e.sessionCredential.SecurityToken), - Type: tea.String("oidc_role_arn"), - } - return credential, nil -} - -// GetAccessKeyId reutrns OIDCCredential's AccessKeyId -// if AccessKeyId is not exist or out of date, the function will update it. -func (r *OIDCCredential) GetAccessKeyId() (*string, error) { - if r.sessionCredential == nil || r.needUpdateCredential() { - err := r.updateCredential() - if err != nil { - return tea.String(""), err - } - } - return tea.String(r.sessionCredential.AccessKeyId), nil -} - -// GetAccessSecret reutrns OIDCCredential's AccessKeySecret -// if AccessKeySecret is not exist or out of date, the function will update it. -func (r *OIDCCredential) GetAccessKeySecret() (*string, error) { - if r.sessionCredential == nil || r.needUpdateCredential() { - err := r.updateCredential() - if err != nil { - return tea.String(""), err - } - } - return tea.String(r.sessionCredential.AccessKeySecret), nil -} - -// GetSecurityToken reutrns OIDCCredential's SecurityToken -// if SecurityToken is not exist or out of date, the function will update it. -func (r *OIDCCredential) GetSecurityToken() (*string, error) { - if r.sessionCredential == nil || r.needUpdateCredential() { - err := r.updateCredential() - if err != nil { - return tea.String(""), err - } - } - return tea.String(r.sessionCredential.SecurityToken), nil -} - -// GetBearerToken is useless OIDCCredential -func (r *OIDCCredential) GetBearerToken() *string { - return tea.String("") -} - -// GetType reutrns OIDCCredential's type -func (r *OIDCCredential) GetType() *string { - return tea.String("oidc_role_arn") -} - -func (r *OIDCCredential) GetOIDCToken(OIDCTokenFilePath string) *string { - tokenPath := OIDCTokenFilePath - _, err := os.Stat(tokenPath) - if os.IsNotExist(err) { - tokenPath = os.Getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE") - if tokenPath == "" { - return nil - } - } - byt, err := ioutil.ReadFile(tokenPath) - if err != nil { - return nil - } - return tea.String(string(byt)) -} - -func (r *OIDCCredential) updateCredential() (err error) { - if r.runtime == nil { - r.runtime = new(utils.Runtime) - } - request := request.NewCommonRequest() - request.Domain = "sts.aliyuncs.com" - if r.runtime.STSEndpoint != "" { - request.Domain = r.runtime.STSEndpoint - } - request.Scheme = "HTTPS" - request.Method = "POST" - request.QueryParams["Timestamp"] = utils.GetTimeInFormatISO8601() - request.QueryParams["Action"] = "AssumeRoleWithOIDC" - request.QueryParams["Format"] = "JSON" - request.BodyParams["RoleArn"] = r.RoleArn - request.BodyParams["OIDCProviderArn"] = r.OIDCProviderArn - token := r.GetOIDCToken(r.OIDCTokenFilePath) - request.BodyParams["OIDCToken"] = tea.StringValue(token) - if r.Policy != "" { - request.QueryParams["Policy"] = r.Policy - } - if r.RoleSessionExpiration > 0 { - request.QueryParams["DurationSeconds"] = strconv.Itoa(r.RoleSessionExpiration) - } - request.QueryParams["RoleSessionName"] = r.RoleSessionName - request.QueryParams["Version"] = "2015-04-01" - request.QueryParams["SignatureNonce"] = utils.GetUUID() - request.Headers["Host"] = request.Domain - request.Headers["Accept-Encoding"] = "identity" - request.Headers["content-type"] = "application/x-www-form-urlencoded" - request.URL = request.BuildURL() - content, err := doAction(request, r.runtime) - if err != nil { - return fmt.Errorf("refresh RoleArn sts token err: %s", err.Error()) - } - var resp *OIDCResponse - err = json.Unmarshal(content, &resp) - if err != nil { - return fmt.Errorf("refresh RoleArn sts token err: Json.Unmarshal fail: %s", err.Error()) - } - if resp == nil || resp.Credentials == nil { - return fmt.Errorf("refresh RoleArn sts token err: Credentials is empty") - } - respCredentials := resp.Credentials - if respCredentials.AccessKeyId == "" || respCredentials.AccessKeySecret == "" || respCredentials.SecurityToken == "" || respCredentials.Expiration == "" { - return fmt.Errorf("refresh RoleArn sts token err: AccessKeyId: %s, AccessKeySecret: %s, SecurityToken: %s, Expiration: %s", respCredentials.AccessKeyId, respCredentials.AccessKeySecret, respCredentials.SecurityToken, respCredentials.Expiration) - } - - expirationTime, err := time.Parse("2006-01-02T15:04:05Z", respCredentials.Expiration) - r.lastUpdateTimestamp = time.Now().Unix() - r.credentialExpiration = int(expirationTime.Unix() - time.Now().Unix()) - r.sessionCredential = &sessionCredential{ - AccessKeyId: respCredentials.AccessKeyId, - AccessKeySecret: respCredentials.AccessKeySecret, - SecurityToken: respCredentials.SecurityToken, - } - - return -} diff --git a/vendor/github.com/aliyun/credentials-go/credentials/oidc_token b/vendor/github.com/aliyun/credentials-go/credentials/oidc_token deleted file mode 100644 index 653e068d..00000000 --- a/vendor/github.com/aliyun/credentials-go/credentials/oidc_token +++ /dev/null @@ -1 +0,0 @@ -test_long_oidc_token_eyJhbGciOiJSUzI1NiIsImtpZCI6ImFQaXlpNEVGSU8wWnlGcFh1V0psQUNWbklZVlJsUkNmM2tlSzNMUlhWT1UifQ.eyJhdWQiOlsic3RzLmFsaXl1bmNzLmNvbSJdLCJleHAiOjE2NDUxMTk3ODAsImlhdCI6MTY0NTA4Mzc4MCwiaXNzIjoiaHR0cHM6Ly9vaWRjLWFjay1jbi1oYW5nemhvdS5vc3MtY24taGFuZ3pob3UtaW50ZXJuYWwuYWxpeXVuY3MuY29tL2NmMWQ4ZGIwMjM0ZDk0YzEyOGFiZDM3MTc4NWJjOWQxNSIsImt1YmVybmV0ZXMuaW8iOnsibmFtZXNwYWNlIjoidGVzdC1ycnNhIiwicG9kIjp7Im5hbWUiOiJydW4tYXMtcm9vdCIsInVpZCI6ImIzMGI0MGY2LWNiZTAtNGY0Yy1hZGYyLWM1OGQ4ZmExZTAxMCJ9LCJzZXJ2aWNlYWNjb3VudCI6eyJuYW1lIjoidXNlcjEiLCJ1aWQiOiJiZTEyMzdjYS01MTY4LTQyMzYtYWUyMC00NDM1YjhmMGI4YzAifX0sIm5iZiI6MTY0NTA4Mzc4MCwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OnRlc3QtcnJzYTp1c2VyMSJ9.XGP-wgLj-iMiAHjLe0lZLh7y48Qsj9HzsEbNh706WwerBoxnssdsyGFb9lzd2FyM8CssbAOCstr7OuAMWNdJmDZgpiOGGSbQ-KXXmbfnIS4ix-V3pQF6LVBFr7xJlj20J6YY89um3rv_04t0iCGxKWs2ZMUyU1FbZpIPRep24LVKbUz1saiiVGgDBTIZdHA13Z-jUvYAnsxK_Kj5tc1K-IuQQU0IwSKJh5OShMcdPugMV5LwTL3ogCikfB7yljq5vclBhCeF2lXLIibvwF711TOhuJ5lMlh-a2KkIgwBHhANg_U9k4Mt_VadctfUGc4hxlSbBD0w9o9mDGKwgGmW5Q \ No newline at end of file diff --git a/vendor/github.com/aliyun/credentials-go/credentials/profile_provider.go b/vendor/github.com/aliyun/credentials-go/credentials/profile_provider.go index de02c3dc..ff896460 100644 --- a/vendor/github.com/aliyun/credentials-go/credentials/profile_provider.go +++ b/vendor/github.com/aliyun/credentials-go/credentials/profile_provider.go @@ -4,10 +4,10 @@ import ( "errors" "fmt" "os" - "runtime" "strings" "github.com/alibabacloud-go/tea/tea" + "github.com/aliyun/credentials-go/credentials/internal/utils" ini "gopkg.in/ini.v1" ) @@ -17,10 +17,6 @@ type profileProvider struct { var providerProfile = newProfileProvider() -var hookOS = func(goos string) string { - return goos -} - var hookState = func(info os.FileInfo, err error) (os.FileInfo, error) { return info, err } @@ -100,21 +96,21 @@ func (p *profileProvider) resolve() (*Config, error) { } return config, nil default: - return nil, errors.New("Invalid type option, support: access_key, sts, ecs_ram_role, ram_role_arn, rsa_key_pair") + return nil, errors.New("invalid type option, support: access_key, sts, ecs_ram_role, ram_role_arn, rsa_key_pair") } } func getRSAKeyPair(section *ini.Section) (*Config, error) { publicKeyId, err := section.GetKey("public_key_id") if err != nil { - return nil, errors.New("Missing required public_key_id option in profile for rsa_key_pair") + return nil, errors.New("missing required public_key_id option in profile for rsa_key_pair") } if publicKeyId.String() == "" { return nil, errors.New("public_key_id cannot be empty") } privateKeyFile, err := section.GetKey("private_key_file") if err != nil { - return nil, errors.New("Missing required private_key_file option in profile for rsa_key_pair") + return nil, errors.New("missing required private_key_file option in profile for rsa_key_pair") } if privateKeyFile.String() == "" { return nil, errors.New("private_key_file cannot be empty") @@ -143,28 +139,28 @@ func getRSAKeyPair(section *ini.Section) (*Config, error) { func getRAMRoleArn(section *ini.Section) (*Config, error) { accessKeyId, err := section.GetKey("access_key_id") if err != nil { - return nil, errors.New("Missing required access_key_id option in profile for ram_role_arn") + return nil, errors.New("missing required access_key_id option in profile for ram_role_arn") } if accessKeyId.String() == "" { return nil, errors.New("access_key_id cannot be empty") } accessKeySecret, err := section.GetKey("access_key_secret") if err != nil { - return nil, errors.New("Missing required access_key_secret option in profile for ram_role_arn") + return nil, errors.New("missing required access_key_secret option in profile for ram_role_arn") } if accessKeySecret.String() == "" { return nil, errors.New("access_key_secret cannot be empty") } roleArn, err := section.GetKey("role_arn") if err != nil { - return nil, errors.New("Missing required role_arn option in profile for ram_role_arn") + return nil, errors.New("missing required role_arn option in profile for ram_role_arn") } if roleArn.String() == "" { return nil, errors.New("role_arn cannot be empty") } roleSessionName, err := section.GetKey("role_session_name") if err != nil { - return nil, errors.New("Missing required role_session_name option in profile for ram_role_arn") + return nil, errors.New("missing required role_session_name option in profile for ram_role_arn") } if roleSessionName.String() == "" { return nil, errors.New("role_session_name cannot be empty") @@ -210,7 +206,7 @@ func getEcsRAMRole(section *ini.Section) (*Config, error) { func getBearerToken(section *ini.Section) (*Config, error) { bearerToken, err := section.GetKey("bearer_token") if err != nil { - return nil, errors.New("Missing required bearer_token option in profile for bearer") + return nil, errors.New("missing required bearer_token option in profile for bearer") } if bearerToken.String() == "" { return nil, errors.New("bearer_token cannot be empty") @@ -225,21 +221,21 @@ func getBearerToken(section *ini.Section) (*Config, error) { func getSTS(section *ini.Section) (*Config, error) { accesskeyid, err := section.GetKey("access_key_id") if err != nil { - return nil, errors.New("Missing required access_key_id option in profile for sts") + return nil, errors.New("missing required access_key_id option in profile for sts") } if accesskeyid.String() == "" { return nil, errors.New("access_key_id cannot be empty") } accessKeySecret, err := section.GetKey("access_key_secret") if err != nil { - return nil, errors.New("Missing required access_key_secret option in profile for sts") + return nil, errors.New("missing required access_key_secret option in profile for sts") } if accessKeySecret.String() == "" { return nil, errors.New("access_key_secret cannot be empty") } securityToken, err := section.GetKey("security_token") if err != nil { - return nil, errors.New("Missing required security_token option in profile for sts") + return nil, errors.New("missing required security_token option in profile for sts") } if securityToken.String() == "" { return nil, errors.New("security_token cannot be empty") @@ -256,14 +252,14 @@ func getSTS(section *ini.Section) (*Config, error) { func getAccessKey(section *ini.Section) (*Config, error) { accesskeyid, err := section.GetKey("access_key_id") if err != nil { - return nil, errors.New("Missing required access_key_id option in profile for access_key") + return nil, errors.New("missing required access_key_id option in profile for access_key") } if accesskeyid.String() == "" { return nil, errors.New("access_key_id cannot be empty") } accessKeySecret, err := section.GetKey("access_key_secret") if err != nil { - return nil, errors.New("Missing required access_key_secret option in profile for access_key") + return nil, errors.New("missing required access_key_secret option in profile for access_key") } if accessKeySecret.String() == "" { return nil, errors.New("access_key_secret cannot be empty") @@ -289,30 +285,15 @@ func getType(path, profile string) (*ini.Key, *ini.Section, error) { value, err := section.GetKey("type") if err != nil { - return nil, nil, errors.New("Missing required type option " + err.Error()) + return nil, nil, errors.New("missing required type option " + err.Error()) } return value, section, nil } -func getHomePath() string { - if hookOS(runtime.GOOS) == "windows" { - path, ok := os.LookupEnv("USERPROFILE") - if !ok { - return "" - } - return path - } - path, ok := os.LookupEnv("HOME") - if !ok { - return "" - } - return path -} - func checkDefaultPath() (path string, err error) { - path = getHomePath() + path = utils.GetHomePath() if path == "" { - return "", errors.New("The default credential file path is invalid") + return "", errors.New("the default credential file path is invalid") } path = strings.Replace("~/.alibabacloud/credentials", "~", path, 1) _, err = hookState(os.Stat(path)) @@ -333,14 +314,14 @@ func setRuntimeToConfig(config *Config, section *ini.Section) error { if rawConnectTimeout != nil { connectTimeout, err := rawConnectTimeout.Int() if err != nil { - return fmt.Errorf("Please set connect_timeout with an int value") + return fmt.Errorf("please set connect_timeout with an int value") } config.ConnectTimeout = tea.Int(connectTimeout) } if rawTimeout != nil { timeout, err := rawTimeout.Int() if err != nil { - return fmt.Errorf("Please set timeout with an int value") + return fmt.Errorf("please set timeout with an int value") } config.Timeout = tea.Int(timeout) } diff --git a/vendor/github.com/aliyun/credentials-go/credentials/provider.go b/vendor/github.com/aliyun/credentials-go/credentials/provider.go index fe813db3..506e110b 100644 --- a/vendor/github.com/aliyun/credentials-go/credentials/provider.go +++ b/vendor/github.com/aliyun/credentials-go/credentials/provider.go @@ -1,14 +1,15 @@ package credentials -//Environmental virables that may be used by the provider +// Environmental virables that may be used by the provider const ( - ENVCredentialFile = "ALIBABA_CLOUD_CREDENTIALS_FILE" - ENVEcsMetadata = "ALIBABA_CLOUD_ECS_METADATA" - PATHCredentialFile = "~/.alibabacloud/credentials" - ENVRoleArn = "ALIBABA_CLOUD_ROLE_ARN" - ENVOIDCProviderArn = "ALIBABA_CLOUD_OIDC_PROVIDER_ARN" - ENVOIDCTokenFile = "ALIBABA_CLOUD_OIDC_TOKEN_FILE" - ENVRoleSessionName = "ALIBABA_CLOUD_ROLE_SESSION_NAME" + ENVCredentialFile = "ALIBABA_CLOUD_CREDENTIALS_FILE" + ENVEcsMetadata = "ALIBABA_CLOUD_ECS_METADATA" + ENVEcsMetadataIMDSv2Enable = "ALIBABA_CLOUD_ECS_IMDSV2_ENABLE" + PATHCredentialFile = "~/.alibabacloud/credentials" + ENVRoleArn = "ALIBABA_CLOUD_ROLE_ARN" + ENVOIDCProviderArn = "ALIBABA_CLOUD_OIDC_PROVIDER_ARN" + ENVOIDCTokenFile = "ALIBABA_CLOUD_OIDC_TOKEN_FILE" + ENVRoleSessionName = "ALIBABA_CLOUD_ROLE_SESSION_NAME" ) // Provider will be implemented When you want to customize the provider. diff --git a/vendor/github.com/aliyun/credentials-go/credentials/provider_chain.go b/vendor/github.com/aliyun/credentials-go/credentials/provider_chain.go index a694d5cb..e4338861 100644 --- a/vendor/github.com/aliyun/credentials-go/credentials/provider_chain.go +++ b/vendor/github.com/aliyun/credentials-go/credentials/provider_chain.go @@ -27,6 +27,6 @@ func (p *providerChain) resolve() (*Config, error) { } return config, err } - return nil, errors.New("No credential found") + return nil, errors.New("no credential found") } diff --git a/vendor/github.com/aliyun/credentials-go/credentials/providers/cli_profile.go b/vendor/github.com/aliyun/credentials-go/credentials/providers/cli_profile.go new file mode 100644 index 00000000..91897036 --- /dev/null +++ b/vendor/github.com/aliyun/credentials-go/credentials/providers/cli_profile.go @@ -0,0 +1,230 @@ +package providers + +import ( + "encoding/json" + "errors" + "fmt" + "io/ioutil" + "os" + "path" + "strings" + + "github.com/aliyun/credentials-go/credentials/internal/utils" +) + +type CLIProfileCredentialsProvider struct { + profileName string + innerProvider CredentialsProvider +} + +type CLIProfileCredentialsProviderBuilder struct { + provider *CLIProfileCredentialsProvider +} + +func (b *CLIProfileCredentialsProviderBuilder) WithProfileName(profileName string) *CLIProfileCredentialsProviderBuilder { + b.provider.profileName = profileName + return b +} + +func (b *CLIProfileCredentialsProviderBuilder) Build() (provider *CLIProfileCredentialsProvider, err error) { + // 优先级: + // 1. 使用显示指定的 profileName + // 2. 使用环境变量(ALIBABA_CLOUD_PROFILE)制定的 profileName + // 3. 使用 CLI 配置中的当前 profileName + if b.provider.profileName == "" { + b.provider.profileName = os.Getenv("ALIBABA_CLOUD_PROFILE") + } + + if strings.ToLower(os.Getenv("ALIBABA_CLOUD_CLI_PROFILE_DISABLED")) == "true" { + err = errors.New("the CLI profile is disabled") + return + } + + provider = b.provider + return +} + +func NewCLIProfileCredentialsProviderBuilder() *CLIProfileCredentialsProviderBuilder { + return &CLIProfileCredentialsProviderBuilder{ + provider: &CLIProfileCredentialsProvider{}, + } +} + +type profile struct { + Name string `json:"name"` + Mode string `json:"mode"` + AccessKeyID string `json:"access_key_id"` + AccessKeySecret string `json:"access_key_secret"` + RegionID string `json:"region_id"` + RoleArn string `json:"ram_role_arn"` + RoleSessionName string `json:"ram_session_name"` + DurationSeconds int `json:"expired_seconds"` + StsRegion string `json:"sts_region"` + EnableVpc bool `json:"enable_vpc"` + SourceProfile string `json:"source_profile"` + RoleName string `json:"ram_role_name"` + OIDCTokenFile string `json:"oidc_token_file"` + OIDCProviderARN string `json:"oidc_provider_arn"` + Policy string `json:"policy"` + ExternalId string `json:"external_id"` +} + +type configuration struct { + Current string `json:"current"` + Profiles []*profile `json:"profiles"` +} + +func newConfigurationFromPath(cfgPath string) (conf *configuration, err error) { + bytes, err := ioutil.ReadFile(cfgPath) + if err != nil { + err = fmt.Errorf("reading aliyun cli config from '%s' failed %v", cfgPath, err) + return + } + + conf = &configuration{} + + err = json.Unmarshal(bytes, conf) + if err != nil { + err = fmt.Errorf("unmarshal aliyun cli config from '%s' failed: %s", cfgPath, string(bytes)) + return + } + + if conf.Profiles == nil || len(conf.Profiles) == 0 { + err = fmt.Errorf("no any configured profiles in '%s'", cfgPath) + return + } + + return +} + +func (conf *configuration) getProfile(name string) (profile *profile, err error) { + for _, p := range conf.Profiles { + if p.Name == name { + profile = p + return + } + } + + err = fmt.Errorf("unable to get profile with '%s'", name) + return +} + +func (provider *CLIProfileCredentialsProvider) getCredentialsProvider(conf *configuration, profileName string) (credentialsProvider CredentialsProvider, err error) { + p, err := conf.getProfile(profileName) + if err != nil { + return + } + + switch p.Mode { + case "AK": + credentialsProvider, err = NewStaticAKCredentialsProviderBuilder(). + WithAccessKeyId(p.AccessKeyID). + WithAccessKeySecret(p.AccessKeySecret). + Build() + case "RamRoleArn": + previousProvider, err1 := NewStaticAKCredentialsProviderBuilder(). + WithAccessKeyId(p.AccessKeyID). + WithAccessKeySecret(p.AccessKeySecret). + Build() + if err1 != nil { + return nil, err1 + } + + credentialsProvider, err = NewRAMRoleARNCredentialsProviderBuilder(). + WithCredentialsProvider(previousProvider). + WithRoleArn(p.RoleArn). + WithRoleSessionName(p.RoleSessionName). + WithDurationSeconds(p.DurationSeconds). + WithStsRegionId(p.StsRegion). + WithEnableVpc(p.EnableVpc). + WithPolicy(p.Policy). + WithExternalId(p.ExternalId). + Build() + case "EcsRamRole": + credentialsProvider, err = NewECSRAMRoleCredentialsProviderBuilder().WithRoleName(p.RoleName).Build() + case "OIDC": + credentialsProvider, err = NewOIDCCredentialsProviderBuilder(). + WithOIDCTokenFilePath(p.OIDCTokenFile). + WithOIDCProviderARN(p.OIDCProviderARN). + WithRoleArn(p.RoleArn). + WithStsRegionId(p.StsRegion). + WithEnableVpc(p.EnableVpc). + WithDurationSeconds(p.DurationSeconds). + WithRoleSessionName(p.RoleSessionName). + WithPolicy(p.Policy). + Build() + case "ChainableRamRoleArn": + previousProvider, err1 := provider.getCredentialsProvider(conf, p.SourceProfile) + if err1 != nil { + err = fmt.Errorf("get source profile failed: %s", err1.Error()) + return + } + credentialsProvider, err = NewRAMRoleARNCredentialsProviderBuilder(). + WithCredentialsProvider(previousProvider). + WithRoleArn(p.RoleArn). + WithRoleSessionName(p.RoleSessionName). + WithDurationSeconds(p.DurationSeconds). + WithStsRegionId(p.StsRegion). + WithEnableVpc(p.EnableVpc). + WithPolicy(p.Policy). + WithExternalId(p.ExternalId). + Build() + default: + err = fmt.Errorf("unsupported profile mode '%s'", p.Mode) + } + + return +} + +// 默认设置为 GetHomePath,测试时便于 mock +var getHomePath = utils.GetHomePath + +func (provider *CLIProfileCredentialsProvider) GetCredentials() (cc *Credentials, err error) { + if provider.innerProvider == nil { + homedir := getHomePath() + if homedir == "" { + err = fmt.Errorf("cannot found home dir") + return + } + + cfgPath := path.Join(homedir, ".aliyun/config.json") + + conf, err1 := newConfigurationFromPath(cfgPath) + if err1 != nil { + err = err1 + return + } + + if provider.profileName == "" { + provider.profileName = conf.Current + } + + provider.innerProvider, err = provider.getCredentialsProvider(conf, provider.profileName) + if err != nil { + return + } + } + + innerCC, err := provider.innerProvider.GetCredentials() + if err != nil { + return + } + + providerName := innerCC.ProviderName + if providerName == "" { + providerName = provider.innerProvider.GetProviderName() + } + + cc = &Credentials{ + AccessKeyId: innerCC.AccessKeyId, + AccessKeySecret: innerCC.AccessKeySecret, + SecurityToken: innerCC.SecurityToken, + ProviderName: fmt.Sprintf("%s/%s", provider.GetProviderName(), providerName), + } + + return +} + +func (provider *CLIProfileCredentialsProvider) GetProviderName() string { + return "cli_profile" +} diff --git a/vendor/github.com/aliyun/credentials-go/credentials/providers/credentials.go b/vendor/github.com/aliyun/credentials-go/credentials/providers/credentials.go new file mode 100644 index 00000000..26592fd2 --- /dev/null +++ b/vendor/github.com/aliyun/credentials-go/credentials/providers/credentials.go @@ -0,0 +1,22 @@ +package providers + +// 下一版本 Credentials 包 +// - 分离 bearer token +// - 从 config 传递迁移到真正的 credentials provider 模式 +// - 删除 GetAccessKeyId()/GetAccessKeySecret()/GetSecurityToken() 方法,只保留 GetCredentials() + +// The credentials struct +type Credentials struct { + AccessKeyId string + AccessKeySecret string + SecurityToken string + ProviderName string +} + +// The credentials provider interface, return credentials and provider name +type CredentialsProvider interface { + // Get credentials + GetCredentials() (*Credentials, error) + // Get credentials provider name + GetProviderName() string +} diff --git a/vendor/github.com/aliyun/credentials-go/credentials/providers/default.go b/vendor/github.com/aliyun/credentials-go/credentials/providers/default.go new file mode 100644 index 00000000..4f130ffe --- /dev/null +++ b/vendor/github.com/aliyun/credentials-go/credentials/providers/default.go @@ -0,0 +1,113 @@ +package providers + +import ( + "fmt" + "os" + "strings" +) + +type DefaultCredentialsProvider struct { + providerChain []CredentialsProvider + lastUsedProvider CredentialsProvider +} + +func NewDefaultCredentialsProvider() (provider *DefaultCredentialsProvider) { + providers := []CredentialsProvider{} + + // Add static ak or sts credentials provider + envProvider, err := NewEnvironmentVariableCredentialsProviderBuilder().Build() + if err == nil { + providers = append(providers, envProvider) + } + + // oidc check + oidcProvider, err := NewOIDCCredentialsProviderBuilder().Build() + if err == nil { + providers = append(providers, oidcProvider) + } + + // cli credentials provider + cliProfileProvider, err := NewCLIProfileCredentialsProviderBuilder().Build() + if err == nil { + providers = append(providers, cliProfileProvider) + } + + // profile credentials provider + profileProvider, err := NewProfileCredentialsProviderBuilder().Build() + if err == nil { + providers = append(providers, profileProvider) + } + + // Add IMDS + ecsRamRoleProvider, err := NewECSRAMRoleCredentialsProviderBuilder().Build() + if err == nil { + providers = append(providers, ecsRamRoleProvider) + } + + // credentials uri + if os.Getenv("ALIBABA_CLOUD_CREDENTIALS_URI") != "" { + credentialsUriProvider, err := NewURLCredentialsProviderBuilderBuilder().Build() + if err == nil { + providers = append(providers, credentialsUriProvider) + } + } + + return &DefaultCredentialsProvider{ + providerChain: providers, + } +} + +func (provider *DefaultCredentialsProvider) GetCredentials() (cc *Credentials, err error) { + if provider.lastUsedProvider != nil { + inner, err1 := provider.lastUsedProvider.GetCredentials() + if err1 != nil { + err = err1 + return + } + + providerName := inner.ProviderName + if providerName == "" { + providerName = provider.lastUsedProvider.GetProviderName() + } + + cc = &Credentials{ + AccessKeyId: inner.AccessKeyId, + AccessKeySecret: inner.AccessKeySecret, + SecurityToken: inner.SecurityToken, + ProviderName: fmt.Sprintf("%s/%s", provider.GetProviderName(), providerName), + } + return + } + + errors := []string{} + for _, p := range provider.providerChain { + provider.lastUsedProvider = p + inner, errInLoop := p.GetCredentials() + if errInLoop != nil { + errors = append(errors, errInLoop.Error()) + // 如果有错误,进入下一个获取过程 + continue + } + + if inner != nil { + providerName := inner.ProviderName + if providerName == "" { + providerName = p.GetProviderName() + } + cc = &Credentials{ + AccessKeyId: inner.AccessKeyId, + AccessKeySecret: inner.AccessKeySecret, + SecurityToken: inner.SecurityToken, + ProviderName: fmt.Sprintf("%s/%s", provider.GetProviderName(), providerName), + } + return + } + } + + err = fmt.Errorf("unable to get credentials from any of the providers in the chain: %s", strings.Join(errors, ", ")) + return +} + +func (provider *DefaultCredentialsProvider) GetProviderName() string { + return "default" +} diff --git a/vendor/github.com/aliyun/credentials-go/credentials/providers/ecs_ram_role.go b/vendor/github.com/aliyun/credentials-go/credentials/providers/ecs_ram_role.go new file mode 100644 index 00000000..9a917b2b --- /dev/null +++ b/vendor/github.com/aliyun/credentials-go/credentials/providers/ecs_ram_role.go @@ -0,0 +1,283 @@ +package providers + +import ( + "encoding/json" + "errors" + "fmt" + "os" + "strconv" + "strings" + "time" + + httputil "github.com/aliyun/credentials-go/credentials/internal/http" +) + +type ECSRAMRoleCredentialsProvider struct { + roleName string + disableIMDSv1 bool + // for sts + session *sessionCredentials + expirationTimestamp int64 + // for http options + httpOptions *HttpOptions +} + +type ECSRAMRoleCredentialsProviderBuilder struct { + provider *ECSRAMRoleCredentialsProvider +} + +func NewECSRAMRoleCredentialsProviderBuilder() *ECSRAMRoleCredentialsProviderBuilder { + return &ECSRAMRoleCredentialsProviderBuilder{ + provider: &ECSRAMRoleCredentialsProvider{}, + } +} + +func (builder *ECSRAMRoleCredentialsProviderBuilder) WithRoleName(roleName string) *ECSRAMRoleCredentialsProviderBuilder { + builder.provider.roleName = roleName + return builder +} + +func (builder *ECSRAMRoleCredentialsProviderBuilder) WithDisableIMDSv1(disableIMDSv1 bool) *ECSRAMRoleCredentialsProviderBuilder { + builder.provider.disableIMDSv1 = disableIMDSv1 + return builder +} + +func (builder *ECSRAMRoleCredentialsProviderBuilder) WithHttpOptions(httpOptions *HttpOptions) *ECSRAMRoleCredentialsProviderBuilder { + builder.provider.httpOptions = httpOptions + return builder +} + +const defaultMetadataTokenDuration = 21600 // 6 hours + +func (builder *ECSRAMRoleCredentialsProviderBuilder) Build() (provider *ECSRAMRoleCredentialsProvider, err error) { + + if strings.ToLower(os.Getenv("ALIBABA_CLOUD_ECS_METADATA_DISABLED")) == "true" { + err = errors.New("IMDS credentials is disabled") + return + } + + // 设置 roleName 默认值 + if builder.provider.roleName == "" { + builder.provider.roleName = os.Getenv("ALIBABA_CLOUD_ECS_METADATA") + } + + if !builder.provider.disableIMDSv1 { + builder.provider.disableIMDSv1 = strings.ToLower(os.Getenv("ALIBABA_CLOUD_IMDSV1_DISABLED")) == "true" + } + + provider = builder.provider + return +} + +type ecsRAMRoleResponse struct { + Code *string `json:"Code"` + AccessKeyId *string `json:"AccessKeyId"` + AccessKeySecret *string `json:"AccessKeySecret"` + SecurityToken *string `json:"SecurityToken"` + LastUpdated *string `json:"LastUpdated"` + Expiration *string `json:"Expiration"` +} + +func (provider *ECSRAMRoleCredentialsProvider) needUpdateCredential() bool { + if provider.expirationTimestamp == 0 { + return true + } + + return provider.expirationTimestamp-time.Now().Unix() <= 180 +} + +func (provider *ECSRAMRoleCredentialsProvider) getRoleName() (roleName string, err error) { + req := &httputil.Request{ + Method: "GET", + Protocol: "http", + Host: "100.100.100.200", + Path: "/latest/meta-data/ram/security-credentials/", + Headers: map[string]string{}, + } + + connectTimeout := 1 * time.Second + readTimeout := 1 * time.Second + + if provider.httpOptions != nil && provider.httpOptions.ConnectTimeout > 0 { + connectTimeout = time.Duration(provider.httpOptions.ConnectTimeout) * time.Millisecond + } + if provider.httpOptions != nil && provider.httpOptions.ReadTimeout > 0 { + readTimeout = time.Duration(provider.httpOptions.ReadTimeout) * time.Millisecond + } + if provider.httpOptions != nil && provider.httpOptions.Proxy != "" { + req.Proxy = provider.httpOptions.Proxy + } + req.ConnectTimeout = connectTimeout + req.ReadTimeout = readTimeout + + metadataToken, err := provider.getMetadataToken() + if err != nil { + return "", err + } + if metadataToken != "" { + req.Headers["x-aliyun-ecs-metadata-token"] = metadataToken + } + + res, err := httpDo(req) + if err != nil { + err = fmt.Errorf("get role name failed: %s", err.Error()) + return + } + + if res.StatusCode != 200 { + err = fmt.Errorf("get role name failed: %s %d", req.BuildRequestURL(), res.StatusCode) + return + } + + roleName = strings.TrimSpace(string(res.Body)) + return +} + +func (provider *ECSRAMRoleCredentialsProvider) getCredentials() (session *sessionCredentials, err error) { + roleName := provider.roleName + if roleName == "" { + roleName, err = provider.getRoleName() + if err != nil { + return + } + } + + req := &httputil.Request{ + Method: "GET", + Protocol: "http", + Host: "100.100.100.200", + Path: "/latest/meta-data/ram/security-credentials/" + roleName, + Headers: map[string]string{}, + } + + connectTimeout := 1 * time.Second + readTimeout := 1 * time.Second + + if provider.httpOptions != nil && provider.httpOptions.ConnectTimeout > 0 { + connectTimeout = time.Duration(provider.httpOptions.ConnectTimeout) * time.Millisecond + } + if provider.httpOptions != nil && provider.httpOptions.ReadTimeout > 0 { + readTimeout = time.Duration(provider.httpOptions.ReadTimeout) * time.Millisecond + } + if provider.httpOptions != nil && provider.httpOptions.Proxy != "" { + req.Proxy = provider.httpOptions.Proxy + } + req.ConnectTimeout = connectTimeout + req.ReadTimeout = readTimeout + + metadataToken, err := provider.getMetadataToken() + if err != nil { + return nil, err + } + if metadataToken != "" { + req.Headers["x-aliyun-ecs-metadata-token"] = metadataToken + } + + res, err := httpDo(req) + if err != nil { + err = fmt.Errorf("refresh Ecs sts token err: %s", err.Error()) + return + } + + if res.StatusCode != 200 { + err = fmt.Errorf("refresh Ecs sts token err, httpStatus: %d, message = %s", res.StatusCode, string(res.Body)) + return + } + + var data ecsRAMRoleResponse + err = json.Unmarshal(res.Body, &data) + if err != nil { + err = fmt.Errorf("refresh Ecs sts token err, json.Unmarshal fail: %s", err.Error()) + return + } + + if data.AccessKeyId == nil || data.AccessKeySecret == nil || data.SecurityToken == nil { + err = fmt.Errorf("refresh Ecs sts token err, fail to get credentials") + return + } + + if *data.Code != "Success" { + err = fmt.Errorf("refresh Ecs sts token err, Code is not Success") + return + } + + session = &sessionCredentials{ + AccessKeyId: *data.AccessKeyId, + AccessKeySecret: *data.AccessKeySecret, + SecurityToken: *data.SecurityToken, + Expiration: *data.Expiration, + } + return +} + +func (provider *ECSRAMRoleCredentialsProvider) GetCredentials() (cc *Credentials, err error) { + if provider.session == nil || provider.needUpdateCredential() { + session, err1 := provider.getCredentials() + if err1 != nil { + return nil, err1 + } + + provider.session = session + expirationTime, err2 := time.Parse("2006-01-02T15:04:05Z", session.Expiration) + if err2 != nil { + return nil, err2 + } + provider.expirationTimestamp = expirationTime.Unix() + } + + cc = &Credentials{ + AccessKeyId: provider.session.AccessKeyId, + AccessKeySecret: provider.session.AccessKeySecret, + SecurityToken: provider.session.SecurityToken, + ProviderName: provider.GetProviderName(), + } + return +} + +func (provider *ECSRAMRoleCredentialsProvider) GetProviderName() string { + return "ecs_ram_role" +} + +func (provider *ECSRAMRoleCredentialsProvider) getMetadataToken() (metadataToken string, err error) { + // PUT http://100.100.100.200/latest/api/token + req := &httputil.Request{ + Method: "PUT", + Protocol: "http", + Host: "100.100.100.200", + Path: "/latest/api/token", + Headers: map[string]string{ + "X-aliyun-ecs-metadata-token-ttl-seconds": strconv.Itoa(defaultMetadataTokenDuration), + }, + } + + connectTimeout := 1 * time.Second + readTimeout := 1 * time.Second + + if provider.httpOptions != nil && provider.httpOptions.ConnectTimeout > 0 { + connectTimeout = time.Duration(provider.httpOptions.ConnectTimeout) * time.Millisecond + } + if provider.httpOptions != nil && provider.httpOptions.ReadTimeout > 0 { + readTimeout = time.Duration(provider.httpOptions.ReadTimeout) * time.Millisecond + } + if provider.httpOptions != nil && provider.httpOptions.Proxy != "" { + req.Proxy = provider.httpOptions.Proxy + } + req.ConnectTimeout = connectTimeout + req.ReadTimeout = readTimeout + + res, _err := httpDo(req) + if _err != nil { + if provider.disableIMDSv1 { + err = fmt.Errorf("get metadata token failed: %s", _err.Error()) + } + return + } + if res.StatusCode != 200 { + if provider.disableIMDSv1 { + err = fmt.Errorf("refresh Ecs sts token err, httpStatus: %d, message = %s", res.StatusCode, string(res.Body)) + } + return + } + metadataToken = string(res.Body) + return +} diff --git a/vendor/github.com/aliyun/credentials-go/credentials/providers/env.go b/vendor/github.com/aliyun/credentials-go/credentials/providers/env.go new file mode 100644 index 00000000..27fe33b9 --- /dev/null +++ b/vendor/github.com/aliyun/credentials-go/credentials/providers/env.go @@ -0,0 +1,55 @@ +package providers + +import ( + "fmt" + "os" +) + +type EnvironmentVariableCredentialsProvider struct { +} + +type EnvironmentVariableCredentialsProviderBuilder struct { + provider *EnvironmentVariableCredentialsProvider +} + +func NewEnvironmentVariableCredentialsProviderBuilder() *EnvironmentVariableCredentialsProviderBuilder { + return &EnvironmentVariableCredentialsProviderBuilder{ + provider: &EnvironmentVariableCredentialsProvider{}, + } +} + +func (builder *EnvironmentVariableCredentialsProviderBuilder) Build() (provider *EnvironmentVariableCredentialsProvider, err error) { + provider = builder.provider + return +} + +func (provider *EnvironmentVariableCredentialsProvider) GetCredentials() (cc *Credentials, err error) { + accessKeyId := os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_ID") + + if accessKeyId == "" { + err = fmt.Errorf("unable to get credentials from enviroment variables, Access key ID must be specified via environment variable (ALIBABA_CLOUD_ACCESS_KEY_ID)") + return + } + + accessKeySecret := os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET") + + if accessKeySecret == "" { + err = fmt.Errorf("unable to get credentials from enviroment variables, Access key secret must be specified via environment variable (ALIBABA_CLOUD_ACCESS_KEY_SECRET)") + return + } + + securityToken := os.Getenv("ALIBABA_CLOUD_SECURITY_TOKEN") + + cc = &Credentials{ + AccessKeyId: accessKeyId, + AccessKeySecret: accessKeySecret, + SecurityToken: securityToken, + ProviderName: provider.GetProviderName(), + } + + return +} + +func (provider *EnvironmentVariableCredentialsProvider) GetProviderName() string { + return "env" +} diff --git a/vendor/github.com/aliyun/credentials-go/credentials/providers/hook.go b/vendor/github.com/aliyun/credentials-go/credentials/providers/hook.go new file mode 100644 index 00000000..6839abd3 --- /dev/null +++ b/vendor/github.com/aliyun/credentials-go/credentials/providers/hook.go @@ -0,0 +1,7 @@ +package providers + +import ( + httputil "github.com/aliyun/credentials-go/credentials/internal/http" +) + +var httpDo = httputil.Do diff --git a/vendor/github.com/aliyun/credentials-go/credentials/providers/oidc.go b/vendor/github.com/aliyun/credentials-go/credentials/providers/oidc.go new file mode 100644 index 00000000..ae7194c2 --- /dev/null +++ b/vendor/github.com/aliyun/credentials-go/credentials/providers/oidc.go @@ -0,0 +1,278 @@ +package providers + +import ( + "encoding/json" + "errors" + "fmt" + "io/ioutil" + "net/http" + "os" + "strconv" + "strings" + "time" + + httputil "github.com/aliyun/credentials-go/credentials/internal/http" + "github.com/aliyun/credentials-go/credentials/internal/utils" +) + +type OIDCCredentialsProvider struct { + oidcProviderARN string + oidcTokenFilePath string + roleArn string + roleSessionName string + durationSeconds int + policy string + // for sts endpoint + stsRegionId string + enableVpc bool + stsEndpoint string + + lastUpdateTimestamp int64 + expirationTimestamp int64 + sessionCredentials *sessionCredentials + // for http options + httpOptions *HttpOptions +} + +type OIDCCredentialsProviderBuilder struct { + provider *OIDCCredentialsProvider +} + +func NewOIDCCredentialsProviderBuilder() *OIDCCredentialsProviderBuilder { + return &OIDCCredentialsProviderBuilder{ + provider: &OIDCCredentialsProvider{}, + } +} + +func (b *OIDCCredentialsProviderBuilder) WithOIDCProviderARN(oidcProviderArn string) *OIDCCredentialsProviderBuilder { + b.provider.oidcProviderARN = oidcProviderArn + return b +} + +func (b *OIDCCredentialsProviderBuilder) WithOIDCTokenFilePath(oidcTokenFilePath string) *OIDCCredentialsProviderBuilder { + b.provider.oidcTokenFilePath = oidcTokenFilePath + return b +} + +func (b *OIDCCredentialsProviderBuilder) WithRoleArn(roleArn string) *OIDCCredentialsProviderBuilder { + b.provider.roleArn = roleArn + return b +} + +func (b *OIDCCredentialsProviderBuilder) WithRoleSessionName(roleSessionName string) *OIDCCredentialsProviderBuilder { + b.provider.roleSessionName = roleSessionName + return b +} + +func (b *OIDCCredentialsProviderBuilder) WithDurationSeconds(durationSeconds int) *OIDCCredentialsProviderBuilder { + b.provider.durationSeconds = durationSeconds + return b +} + +func (b *OIDCCredentialsProviderBuilder) WithStsRegionId(regionId string) *OIDCCredentialsProviderBuilder { + b.provider.stsRegionId = regionId + return b +} + +func (b *OIDCCredentialsProviderBuilder) WithEnableVpc(enableVpc bool) *OIDCCredentialsProviderBuilder { + b.provider.enableVpc = enableVpc + return b +} + +func (b *OIDCCredentialsProviderBuilder) WithPolicy(policy string) *OIDCCredentialsProviderBuilder { + b.provider.policy = policy + return b +} + +func (b *OIDCCredentialsProviderBuilder) WithSTSEndpoint(stsEndpoint string) *OIDCCredentialsProviderBuilder { + b.provider.stsEndpoint = stsEndpoint + return b +} + +func (b *OIDCCredentialsProviderBuilder) WithHttpOptions(httpOptions *HttpOptions) *OIDCCredentialsProviderBuilder { + b.provider.httpOptions = httpOptions + return b +} + +func (b *OIDCCredentialsProviderBuilder) Build() (provider *OIDCCredentialsProvider, err error) { + if b.provider.roleSessionName == "" { + b.provider.roleSessionName = "credentials-go-" + strconv.FormatInt(time.Now().UnixNano()/1000, 10) + } + + if b.provider.oidcTokenFilePath == "" { + b.provider.oidcTokenFilePath = os.Getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE") + } + + if b.provider.oidcTokenFilePath == "" { + err = errors.New("the OIDCTokenFilePath is empty") + return + } + + if b.provider.oidcProviderARN == "" { + b.provider.oidcProviderARN = os.Getenv("ALIBABA_CLOUD_OIDC_PROVIDER_ARN") + } + + if b.provider.oidcProviderARN == "" { + err = errors.New("the OIDCProviderARN is empty") + return + } + + if b.provider.roleArn == "" { + b.provider.roleArn = os.Getenv("ALIBABA_CLOUD_ROLE_ARN") + } + + if b.provider.roleArn == "" { + err = errors.New("the RoleArn is empty") + return + } + + if b.provider.durationSeconds == 0 { + b.provider.durationSeconds = 3600 + } + + if b.provider.durationSeconds < 900 { + err = errors.New("the Assume Role session duration should be in the range of 15min - max duration seconds") + } + + if b.provider.stsEndpoint == "" { + if !b.provider.enableVpc { + b.provider.enableVpc = strings.ToLower(os.Getenv("ALIBABA_CLOUD_VPC_ENDPOINT_ENABLED")) == "true" + } + prefix := "sts" + if b.provider.enableVpc { + prefix = "sts-vpc" + } + if b.provider.stsRegionId != "" { + b.provider.stsEndpoint = fmt.Sprintf("%s.%s.aliyuncs.com", prefix, b.provider.stsRegionId) + } else if region := os.Getenv("ALIBABA_CLOUD_STS_REGION"); region != "" { + b.provider.stsEndpoint = fmt.Sprintf("%s.%s.aliyuncs.com", prefix, region) + } else { + b.provider.stsEndpoint = "sts.aliyuncs.com" + } + } + + provider = b.provider + return +} + +func (provider *OIDCCredentialsProvider) getCredentials() (session *sessionCredentials, err error) { + req := &httputil.Request{ + Method: "POST", + Protocol: "https", + Host: provider.stsEndpoint, + Headers: map[string]string{}, + } + + connectTimeout := 5 * time.Second + readTimeout := 10 * time.Second + + if provider.httpOptions != nil && provider.httpOptions.ConnectTimeout > 0 { + connectTimeout = time.Duration(provider.httpOptions.ConnectTimeout) * time.Millisecond + } + if provider.httpOptions != nil && provider.httpOptions.ReadTimeout > 0 { + readTimeout = time.Duration(provider.httpOptions.ReadTimeout) * time.Millisecond + } + if provider.httpOptions != nil && provider.httpOptions.Proxy != "" { + req.Proxy = provider.httpOptions.Proxy + } + req.ConnectTimeout = connectTimeout + req.ReadTimeout = readTimeout + + queries := make(map[string]string) + queries["Version"] = "2015-04-01" + queries["Action"] = "AssumeRoleWithOIDC" + queries["Format"] = "JSON" + queries["Timestamp"] = utils.GetTimeInFormatISO8601() + req.Queries = queries + + bodyForm := make(map[string]string) + bodyForm["RoleArn"] = provider.roleArn + bodyForm["OIDCProviderArn"] = provider.oidcProviderARN + token, err := ioutil.ReadFile(provider.oidcTokenFilePath) + if err != nil { + return + } + + bodyForm["OIDCToken"] = string(token) + if provider.policy != "" { + bodyForm["Policy"] = provider.policy + } + + bodyForm["RoleSessionName"] = provider.roleSessionName + bodyForm["DurationSeconds"] = strconv.Itoa(provider.durationSeconds) + req.Form = bodyForm + + // set headers + req.Headers["Accept-Encoding"] = "identity" + res, err := httpDo(req) + if err != nil { + return + } + + if res.StatusCode != http.StatusOK { + message := "get session token failed: " + err = errors.New(message + string(res.Body)) + return + } + var data assumeRoleResponse + err = json.Unmarshal(res.Body, &data) + if err != nil { + err = fmt.Errorf("get oidc sts token err, json.Unmarshal fail: %s", err.Error()) + return + } + if data.Credentials == nil { + err = fmt.Errorf("get oidc sts token err, fail to get credentials") + return + } + + if data.Credentials.AccessKeyId == nil || data.Credentials.AccessKeySecret == nil || data.Credentials.SecurityToken == nil { + err = fmt.Errorf("refresh RoleArn sts token err, fail to get credentials") + return + } + + session = &sessionCredentials{ + AccessKeyId: *data.Credentials.AccessKeyId, + AccessKeySecret: *data.Credentials.AccessKeySecret, + SecurityToken: *data.Credentials.SecurityToken, + Expiration: *data.Credentials.Expiration, + } + return +} + +func (provider *OIDCCredentialsProvider) needUpdateCredential() (result bool) { + if provider.expirationTimestamp == 0 { + return true + } + + return provider.expirationTimestamp-time.Now().Unix() <= 180 +} + +func (provider *OIDCCredentialsProvider) GetCredentials() (cc *Credentials, err error) { + if provider.sessionCredentials == nil || provider.needUpdateCredential() { + sessionCredentials, err1 := provider.getCredentials() + if err1 != nil { + return nil, err1 + } + + provider.sessionCredentials = sessionCredentials + expirationTime, err2 := time.Parse("2006-01-02T15:04:05Z", sessionCredentials.Expiration) + if err2 != nil { + return nil, err2 + } + + provider.lastUpdateTimestamp = time.Now().Unix() + provider.expirationTimestamp = expirationTime.Unix() + } + + cc = &Credentials{ + AccessKeyId: provider.sessionCredentials.AccessKeyId, + AccessKeySecret: provider.sessionCredentials.AccessKeySecret, + SecurityToken: provider.sessionCredentials.SecurityToken, + ProviderName: provider.GetProviderName(), + } + return +} + +func (provider *OIDCCredentialsProvider) GetProviderName() string { + return "oidc_role_arn" +} diff --git a/vendor/github.com/aliyun/credentials-go/credentials/providers/profile.go b/vendor/github.com/aliyun/credentials-go/credentials/providers/profile.go new file mode 100644 index 00000000..c26548e3 --- /dev/null +++ b/vendor/github.com/aliyun/credentials-go/credentials/providers/profile.go @@ -0,0 +1,169 @@ +package providers + +import ( + "errors" + "fmt" + "os" + "path" + + "github.com/aliyun/credentials-go/credentials/internal/utils" + "gopkg.in/ini.v1" +) + +type ProfileCredentialsProvider struct { + profileName string + innerProvider CredentialsProvider +} + +type ProfileCredentialsProviderBuilder struct { + provider *ProfileCredentialsProvider +} + +func NewProfileCredentialsProviderBuilder() (builder *ProfileCredentialsProviderBuilder) { + return &ProfileCredentialsProviderBuilder{ + provider: &ProfileCredentialsProvider{}, + } +} + +func (b *ProfileCredentialsProviderBuilder) WithProfileName(profileName string) *ProfileCredentialsProviderBuilder { + b.provider.profileName = profileName + return b +} + +func (b *ProfileCredentialsProviderBuilder) Build() (provider *ProfileCredentialsProvider, err error) { + // 优先级: + // 1. 使用显示指定的 profileName + // 2. 使用环境变量(ALIBABA_CLOUD_PROFILE)指定的 profileName + // 3. 兜底使用 default 作为 profileName + b.provider.profileName = utils.GetDefaultString(b.provider.profileName, os.Getenv("ALIBABA_CLOUD_PROFILE"), "default") + + provider = b.provider + return +} + +func (provider *ProfileCredentialsProvider) getCredentialsProvider(ini *ini.File) (credentialsProvider CredentialsProvider, err error) { + section, err := ini.GetSection(provider.profileName) + if err != nil { + err = errors.New("ERROR: Can not load section" + err.Error()) + return + } + + value, err := section.GetKey("type") + if err != nil { + err = errors.New("ERROR: Can not find credential type" + err.Error()) + return + } + + switch value.String() { + case "access_key": + value1, err1 := section.GetKey("access_key_id") + value2, err2 := section.GetKey("access_key_secret") + if err1 != nil || err2 != nil { + err = errors.New("ERROR: Failed to get value") + return + } + + if value1.String() == "" || value2.String() == "" { + err = errors.New("ERROR: Value can't be empty") + return + } + + credentialsProvider, err = NewStaticAKCredentialsProviderBuilder(). + WithAccessKeyId(value1.String()). + WithAccessKeySecret(value2.String()). + Build() + case "ecs_ram_role": + value1, err1 := section.GetKey("role_name") + if err1 != nil { + err = errors.New("ERROR: Failed to get value") + return + } + credentialsProvider, err = NewECSRAMRoleCredentialsProviderBuilder().WithRoleName(value1.String()).Build() + case "ram_role_arn": + value1, err1 := section.GetKey("access_key_id") + value2, err2 := section.GetKey("access_key_secret") + value3, err3 := section.GetKey("role_arn") + value4, err4 := section.GetKey("role_session_name") + if err1 != nil || err2 != nil || err3 != nil || err4 != nil { + err = errors.New("ERROR: Failed to get value") + return + } + if value1.String() == "" || value2.String() == "" || value3.String() == "" || value4.String() == "" { + err = errors.New("ERROR: Value can't be empty") + return + } + previous, err5 := NewStaticAKCredentialsProviderBuilder(). + WithAccessKeyId(value1.String()). + WithAccessKeySecret(value2.String()). + Build() + if err5 != nil { + err = errors.New("get previous credentials provider failed") + return + } + rawPolicy, _ := section.GetKey("policy") + policy := "" + if rawPolicy != nil { + policy = rawPolicy.String() + } + + credentialsProvider, err = NewRAMRoleARNCredentialsProviderBuilder(). + WithCredentialsProvider(previous). + WithRoleArn(value3.String()). + WithRoleSessionName(value4.String()). + WithPolicy(policy). + WithDurationSeconds(3600). + Build() + default: + err = errors.New("ERROR: Failed to get credential") + } + return +} + +func (provider *ProfileCredentialsProvider) GetCredentials() (cc *Credentials, err error) { + if provider.innerProvider == nil { + sharedCfgPath := os.Getenv("ALIBABA_CLOUD_CREDENTIALS_FILE") + if sharedCfgPath == "" { + homeDir := getHomePath() + if homeDir == "" { + err = fmt.Errorf("cannot found home dir") + return + } + + sharedCfgPath = path.Join(homeDir, ".alibabacloud/credentials") + } + + ini, err1 := ini.Load(sharedCfgPath) + if err1 != nil { + err = errors.New("ERROR: Can not open file" + err1.Error()) + return + } + + provider.innerProvider, err = provider.getCredentialsProvider(ini) + if err != nil { + return + } + } + + innerCC, err := provider.innerProvider.GetCredentials() + if err != nil { + return + } + + providerName := innerCC.ProviderName + if providerName == "" { + providerName = provider.innerProvider.GetProviderName() + } + + cc = &Credentials{ + AccessKeyId: innerCC.AccessKeyId, + AccessKeySecret: innerCC.AccessKeySecret, + SecurityToken: innerCC.SecurityToken, + ProviderName: fmt.Sprintf("%s/%s", provider.GetProviderName(), providerName), + } + + return +} + +func (provider *ProfileCredentialsProvider) GetProviderName() string { + return "profile" +} diff --git a/vendor/github.com/aliyun/credentials-go/credentials/providers/ram_role_arn.go b/vendor/github.com/aliyun/credentials-go/credentials/providers/ram_role_arn.go new file mode 100644 index 00000000..969e271e --- /dev/null +++ b/vendor/github.com/aliyun/credentials-go/credentials/providers/ram_role_arn.go @@ -0,0 +1,375 @@ +package providers + +import ( + "encoding/json" + "errors" + "fmt" + "net/http" + "net/url" + "os" + "strconv" + "strings" + "time" + + httputil "github.com/aliyun/credentials-go/credentials/internal/http" + "github.com/aliyun/credentials-go/credentials/internal/utils" +) + +type assumedRoleUser struct { +} + +type credentials struct { + SecurityToken *string `json:"SecurityToken"` + Expiration *string `json:"Expiration"` + AccessKeySecret *string `json:"AccessKeySecret"` + AccessKeyId *string `json:"AccessKeyId"` +} + +type assumeRoleResponse struct { + RequestID *string `json:"RequestId"` + AssumedRoleUser *assumedRoleUser `json:"AssumedRoleUser"` + Credentials *credentials `json:"Credentials"` +} + +type sessionCredentials struct { + AccessKeyId string + AccessKeySecret string + SecurityToken string + Expiration string +} + +type HttpOptions struct { + Proxy string + // Connection timeout, in milliseconds. + ConnectTimeout int + // Read timeout, in milliseconds. + ReadTimeout int +} + +type RAMRoleARNCredentialsProvider struct { + // for previous credentials + accessKeyId string + accessKeySecret string + securityToken string + credentialsProvider CredentialsProvider + + roleArn string + roleSessionName string + durationSeconds int + policy string + externalId string + // for sts endpoint + stsRegionId string + enableVpc bool + stsEndpoint string + // for http options + httpOptions *HttpOptions + // inner + expirationTimestamp int64 + lastUpdateTimestamp int64 + previousProviderName string + sessionCredentials *sessionCredentials +} + +type RAMRoleARNCredentialsProviderBuilder struct { + provider *RAMRoleARNCredentialsProvider +} + +func NewRAMRoleARNCredentialsProviderBuilder() *RAMRoleARNCredentialsProviderBuilder { + return &RAMRoleARNCredentialsProviderBuilder{ + provider: &RAMRoleARNCredentialsProvider{}, + } +} + +func (builder *RAMRoleARNCredentialsProviderBuilder) WithAccessKeyId(accessKeyId string) *RAMRoleARNCredentialsProviderBuilder { + builder.provider.accessKeyId = accessKeyId + return builder +} + +func (builder *RAMRoleARNCredentialsProviderBuilder) WithAccessKeySecret(accessKeySecret string) *RAMRoleARNCredentialsProviderBuilder { + builder.provider.accessKeySecret = accessKeySecret + return builder +} + +func (builder *RAMRoleARNCredentialsProviderBuilder) WithSecurityToken(securityToken string) *RAMRoleARNCredentialsProviderBuilder { + builder.provider.securityToken = securityToken + return builder +} + +func (builder *RAMRoleARNCredentialsProviderBuilder) WithCredentialsProvider(credentialsProvider CredentialsProvider) *RAMRoleARNCredentialsProviderBuilder { + builder.provider.credentialsProvider = credentialsProvider + return builder +} + +func (builder *RAMRoleARNCredentialsProviderBuilder) WithRoleArn(roleArn string) *RAMRoleARNCredentialsProviderBuilder { + builder.provider.roleArn = roleArn + return builder +} + +func (builder *RAMRoleARNCredentialsProviderBuilder) WithStsRegionId(regionId string) *RAMRoleARNCredentialsProviderBuilder { + builder.provider.stsRegionId = regionId + return builder +} + +func (builder *RAMRoleARNCredentialsProviderBuilder) WithEnableVpc(enableVpc bool) *RAMRoleARNCredentialsProviderBuilder { + builder.provider.enableVpc = enableVpc + return builder +} + +func (builder *RAMRoleARNCredentialsProviderBuilder) WithStsEndpoint(endpoint string) *RAMRoleARNCredentialsProviderBuilder { + builder.provider.stsEndpoint = endpoint + return builder +} + +func (builder *RAMRoleARNCredentialsProviderBuilder) WithRoleSessionName(roleSessionName string) *RAMRoleARNCredentialsProviderBuilder { + builder.provider.roleSessionName = roleSessionName + return builder +} + +func (builder *RAMRoleARNCredentialsProviderBuilder) WithPolicy(policy string) *RAMRoleARNCredentialsProviderBuilder { + builder.provider.policy = policy + return builder +} + +func (builder *RAMRoleARNCredentialsProviderBuilder) WithExternalId(externalId string) *RAMRoleARNCredentialsProviderBuilder { + builder.provider.externalId = externalId + return builder +} + +func (builder *RAMRoleARNCredentialsProviderBuilder) WithDurationSeconds(durationSeconds int) *RAMRoleARNCredentialsProviderBuilder { + builder.provider.durationSeconds = durationSeconds + return builder +} + +func (builder *RAMRoleARNCredentialsProviderBuilder) WithHttpOptions(httpOptions *HttpOptions) *RAMRoleARNCredentialsProviderBuilder { + builder.provider.httpOptions = httpOptions + return builder +} + +func (builder *RAMRoleARNCredentialsProviderBuilder) Build() (provider *RAMRoleARNCredentialsProvider, err error) { + if builder.provider.credentialsProvider == nil { + if builder.provider.accessKeyId != "" && builder.provider.accessKeySecret != "" && builder.provider.securityToken != "" { + builder.provider.credentialsProvider, err = NewStaticSTSCredentialsProviderBuilder(). + WithAccessKeyId(builder.provider.accessKeyId). + WithAccessKeySecret(builder.provider.accessKeySecret). + WithSecurityToken(builder.provider.securityToken). + Build() + if err != nil { + return + } + } else if builder.provider.accessKeyId != "" && builder.provider.accessKeySecret != "" { + builder.provider.credentialsProvider, err = NewStaticAKCredentialsProviderBuilder(). + WithAccessKeyId(builder.provider.accessKeyId). + WithAccessKeySecret(builder.provider.accessKeySecret). + Build() + if err != nil { + return + } + } else { + err = errors.New("must specify a previous credentials provider to assume role") + return + } + } + + if builder.provider.roleArn == "" { + if roleArn := os.Getenv("ALIBABA_CLOUD_ROLE_ARN"); roleArn != "" { + builder.provider.roleArn = roleArn + } else { + err = errors.New("the RoleArn is empty") + return + } + } + + if builder.provider.roleSessionName == "" { + if roleSessionName := os.Getenv("ALIBABA_CLOUD_ROLE_SESSION_NAME"); roleSessionName != "" { + builder.provider.roleSessionName = roleSessionName + } else { + builder.provider.roleSessionName = "credentials-go-" + strconv.FormatInt(time.Now().UnixNano()/1000, 10) + } + } + + // duration seconds + if builder.provider.durationSeconds == 0 { + // default to 3600 + builder.provider.durationSeconds = 3600 + } + + if builder.provider.durationSeconds < 900 { + err = errors.New("session duration should be in the range of 900s - max session duration") + return + } + + // sts endpoint + if builder.provider.stsEndpoint == "" { + if !builder.provider.enableVpc { + builder.provider.enableVpc = strings.ToLower(os.Getenv("ALIBABA_CLOUD_VPC_ENDPOINT_ENABLED")) == "true" + } + prefix := "sts" + if builder.provider.enableVpc { + prefix = "sts-vpc" + } + if builder.provider.stsRegionId != "" { + builder.provider.stsEndpoint = fmt.Sprintf("%s.%s.aliyuncs.com", prefix, builder.provider.stsRegionId) + } else if region := os.Getenv("ALIBABA_CLOUD_STS_REGION"); region != "" { + builder.provider.stsEndpoint = fmt.Sprintf("%s.%s.aliyuncs.com", prefix, region) + } else { + builder.provider.stsEndpoint = "sts.aliyuncs.com" + } + } + + provider = builder.provider + return +} + +func (provider *RAMRoleARNCredentialsProvider) getCredentials(cc *Credentials) (session *sessionCredentials, err error) { + method := "POST" + req := &httputil.Request{ + Method: method, + Protocol: "https", + Host: provider.stsEndpoint, + Headers: map[string]string{}, + } + + queries := make(map[string]string) + queries["Version"] = "2015-04-01" + queries["Action"] = "AssumeRole" + queries["Format"] = "JSON" + queries["Timestamp"] = utils.GetTimeInFormatISO8601() + queries["SignatureMethod"] = "HMAC-SHA1" + queries["SignatureVersion"] = "1.0" + queries["SignatureNonce"] = utils.GetNonce() + queries["AccessKeyId"] = cc.AccessKeyId + + if cc.SecurityToken != "" { + queries["SecurityToken"] = cc.SecurityToken + } + + bodyForm := make(map[string]string) + bodyForm["RoleArn"] = provider.roleArn + if provider.policy != "" { + bodyForm["Policy"] = provider.policy + } + if provider.externalId != "" { + bodyForm["ExternalId"] = provider.externalId + } + bodyForm["RoleSessionName"] = provider.roleSessionName + bodyForm["DurationSeconds"] = strconv.Itoa(provider.durationSeconds) + req.Form = bodyForm + + // caculate signature + signParams := make(map[string]string) + for key, value := range queries { + signParams[key] = value + } + for key, value := range bodyForm { + signParams[key] = value + } + + stringToSign := utils.GetURLFormedMap(signParams) + stringToSign = strings.Replace(stringToSign, "+", "%20", -1) + stringToSign = strings.Replace(stringToSign, "*", "%2A", -1) + stringToSign = strings.Replace(stringToSign, "%7E", "~", -1) + stringToSign = url.QueryEscape(stringToSign) + stringToSign = method + "&%2F&" + stringToSign + secret := cc.AccessKeySecret + "&" + queries["Signature"] = utils.ShaHmac1(stringToSign, secret) + + req.Queries = queries + + // set headers + req.Headers["Accept-Encoding"] = "identity" + req.Headers["Content-Type"] = "application/x-www-form-urlencoded" + req.Headers["x-acs-credentials-provider"] = cc.ProviderName + + connectTimeout := 5 * time.Second + readTimeout := 10 * time.Second + + if provider.httpOptions != nil && provider.httpOptions.ConnectTimeout > 0 { + connectTimeout = time.Duration(provider.httpOptions.ConnectTimeout) * time.Millisecond + } + if provider.httpOptions != nil && provider.httpOptions.ReadTimeout > 0 { + readTimeout = time.Duration(provider.httpOptions.ReadTimeout) * time.Millisecond + } + if provider.httpOptions != nil && provider.httpOptions.Proxy != "" { + req.Proxy = provider.httpOptions.Proxy + } + req.ConnectTimeout = connectTimeout + req.ReadTimeout = readTimeout + + res, err := httpDo(req) + if err != nil { + return + } + + if res.StatusCode != http.StatusOK { + err = errors.New("refresh session token failed: " + string(res.Body)) + return + } + var data assumeRoleResponse + err = json.Unmarshal(res.Body, &data) + if err != nil { + err = fmt.Errorf("refresh RoleArn sts token err, json.Unmarshal fail: %s", err.Error()) + return + } + if data.Credentials == nil { + err = fmt.Errorf("refresh RoleArn sts token err, fail to get credentials") + return + } + + if data.Credentials.AccessKeyId == nil || data.Credentials.AccessKeySecret == nil || data.Credentials.SecurityToken == nil { + err = fmt.Errorf("refresh RoleArn sts token err, fail to get credentials") + return + } + + session = &sessionCredentials{ + AccessKeyId: *data.Credentials.AccessKeyId, + AccessKeySecret: *data.Credentials.AccessKeySecret, + SecurityToken: *data.Credentials.SecurityToken, + Expiration: *data.Credentials.Expiration, + } + return +} + +func (provider *RAMRoleARNCredentialsProvider) needUpdateCredential() (result bool) { + if provider.expirationTimestamp == 0 { + return true + } + + return provider.expirationTimestamp-time.Now().Unix() <= 180 +} + +func (provider *RAMRoleARNCredentialsProvider) GetCredentials() (cc *Credentials, err error) { + if provider.sessionCredentials == nil || provider.needUpdateCredential() { + // 获取前置凭证 + previousCredentials, err1 := provider.credentialsProvider.GetCredentials() + if err1 != nil { + return nil, err1 + } + sessionCredentials, err2 := provider.getCredentials(previousCredentials) + if err2 != nil { + return nil, err2 + } + + expirationTime, err := time.Parse("2006-01-02T15:04:05Z", sessionCredentials.Expiration) + if err != nil { + return nil, err + } + + provider.expirationTimestamp = expirationTime.Unix() + provider.lastUpdateTimestamp = time.Now().Unix() + provider.previousProviderName = previousCredentials.ProviderName + provider.sessionCredentials = sessionCredentials + } + + cc = &Credentials{ + AccessKeyId: provider.sessionCredentials.AccessKeyId, + AccessKeySecret: provider.sessionCredentials.AccessKeySecret, + SecurityToken: provider.sessionCredentials.SecurityToken, + ProviderName: fmt.Sprintf("%s/%s", provider.GetProviderName(), provider.previousProviderName), + } + return +} + +func (provider *RAMRoleARNCredentialsProvider) GetProviderName() string { + return "ram_role_arn" +} diff --git a/vendor/github.com/aliyun/credentials-go/credentials/providers/static_ak.go b/vendor/github.com/aliyun/credentials-go/credentials/providers/static_ak.go new file mode 100644 index 00000000..bd3660cc --- /dev/null +++ b/vendor/github.com/aliyun/credentials-go/credentials/providers/static_ak.go @@ -0,0 +1,67 @@ +package providers + +import ( + "errors" + "os" +) + +type StaticAKCredentialsProvider struct { + accessKeyId string + accessKeySecret string +} + +type StaticAKCredentialsProviderBuilder struct { + provider *StaticAKCredentialsProvider +} + +func NewStaticAKCredentialsProviderBuilder() *StaticAKCredentialsProviderBuilder { + return &StaticAKCredentialsProviderBuilder{ + provider: &StaticAKCredentialsProvider{}, + } +} + +func (builder *StaticAKCredentialsProviderBuilder) WithAccessKeyId(accessKeyId string) *StaticAKCredentialsProviderBuilder { + builder.provider.accessKeyId = accessKeyId + return builder +} + +func (builder *StaticAKCredentialsProviderBuilder) WithAccessKeySecret(accessKeySecret string) *StaticAKCredentialsProviderBuilder { + builder.provider.accessKeySecret = accessKeySecret + return builder +} + +func (builder *StaticAKCredentialsProviderBuilder) Build() (provider *StaticAKCredentialsProvider, err error) { + if builder.provider.accessKeyId == "" { + builder.provider.accessKeyId = os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_ID") + } + + if builder.provider.accessKeyId == "" { + err = errors.New("the access key id is empty") + return + } + + if builder.provider.accessKeySecret == "" { + builder.provider.accessKeySecret = os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET") + } + + if builder.provider.accessKeySecret == "" { + err = errors.New("the access key secret is empty") + return + } + + provider = builder.provider + return +} + +func (provider *StaticAKCredentialsProvider) GetCredentials() (cc *Credentials, err error) { + cc = &Credentials{ + AccessKeyId: provider.accessKeyId, + AccessKeySecret: provider.accessKeySecret, + ProviderName: provider.GetProviderName(), + } + return +} + +func (provider *StaticAKCredentialsProvider) GetProviderName() string { + return "static_ak" +} diff --git a/vendor/github.com/aliyun/credentials-go/credentials/providers/static_sts.go b/vendor/github.com/aliyun/credentials-go/credentials/providers/static_sts.go new file mode 100644 index 00000000..ad571518 --- /dev/null +++ b/vendor/github.com/aliyun/credentials-go/credentials/providers/static_sts.go @@ -0,0 +1,83 @@ +package providers + +import ( + "errors" + "os" +) + +type StaticSTSCredentialsProvider struct { + accessKeyId string + accessKeySecret string + securityToken string +} + +type StaticSTSCredentialsProviderBuilder struct { + provider *StaticSTSCredentialsProvider +} + +func NewStaticSTSCredentialsProviderBuilder() *StaticSTSCredentialsProviderBuilder { + return &StaticSTSCredentialsProviderBuilder{ + provider: &StaticSTSCredentialsProvider{}, + } +} + +func (builder *StaticSTSCredentialsProviderBuilder) WithAccessKeyId(accessKeyId string) *StaticSTSCredentialsProviderBuilder { + builder.provider.accessKeyId = accessKeyId + return builder +} + +func (builder *StaticSTSCredentialsProviderBuilder) WithAccessKeySecret(accessKeySecret string) *StaticSTSCredentialsProviderBuilder { + builder.provider.accessKeySecret = accessKeySecret + return builder +} + +func (builder *StaticSTSCredentialsProviderBuilder) WithSecurityToken(securityToken string) *StaticSTSCredentialsProviderBuilder { + builder.provider.securityToken = securityToken + return builder +} + +func (builder *StaticSTSCredentialsProviderBuilder) Build() (provider *StaticSTSCredentialsProvider, err error) { + if builder.provider.accessKeyId == "" { + builder.provider.accessKeyId = os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_ID") + } + + if builder.provider.accessKeyId == "" { + err = errors.New("the access key id is empty") + return + } + + if builder.provider.accessKeySecret == "" { + builder.provider.accessKeySecret = os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET") + } + + if builder.provider.accessKeySecret == "" { + err = errors.New("the access key secret is empty") + return + } + + if builder.provider.securityToken == "" { + builder.provider.securityToken = os.Getenv("ALIBABA_CLOUD_SECURITY_TOKEN") + } + + if builder.provider.securityToken == "" { + err = errors.New("the security token is empty") + return + } + + provider = builder.provider + return +} + +func (provider *StaticSTSCredentialsProvider) GetCredentials() (cc *Credentials, err error) { + cc = &Credentials{ + AccessKeyId: provider.accessKeyId, + AccessKeySecret: provider.accessKeySecret, + SecurityToken: provider.securityToken, + ProviderName: provider.GetProviderName(), + } + return +} + +func (provider *StaticSTSCredentialsProvider) GetProviderName() string { + return "static_sts" +} diff --git a/vendor/github.com/aliyun/credentials-go/credentials/providers/uri.go b/vendor/github.com/aliyun/credentials-go/credentials/providers/uri.go new file mode 100644 index 00000000..65728055 --- /dev/null +++ b/vendor/github.com/aliyun/credentials-go/credentials/providers/uri.go @@ -0,0 +1,152 @@ +package providers + +import ( + "encoding/json" + "errors" + "fmt" + "net/http" + "os" + "time" + + httputil "github.com/aliyun/credentials-go/credentials/internal/http" +) + +type URLCredentialsProvider struct { + url string + // for sts + sessionCredentials *sessionCredentials + // for http options + httpOptions *HttpOptions + // inner + expirationTimestamp int64 +} + +type URLCredentialsProviderBuilder struct { + provider *URLCredentialsProvider +} + +func NewURLCredentialsProviderBuilderBuilder() *URLCredentialsProviderBuilder { + return &URLCredentialsProviderBuilder{ + provider: &URLCredentialsProvider{}, + } +} + +func (builder *URLCredentialsProviderBuilder) WithUrl(url string) *URLCredentialsProviderBuilder { + builder.provider.url = url + return builder +} + +func (builder *URLCredentialsProviderBuilder) WithHttpOptions(httpOptions *HttpOptions) *URLCredentialsProviderBuilder { + builder.provider.httpOptions = httpOptions + return builder +} + +func (builder *URLCredentialsProviderBuilder) Build() (provider *URLCredentialsProvider, err error) { + + if builder.provider.url == "" { + builder.provider.url = os.Getenv("ALIBABA_CLOUD_CREDENTIALS_URI") + } + + if builder.provider.url == "" { + err = errors.New("the url is empty") + return + } + + provider = builder.provider + return +} + +type urlResponse struct { + AccessKeyId *string `json:"AccessKeyId"` + AccessKeySecret *string `json:"AccessKeySecret"` + SecurityToken *string `json:"SecurityToken"` + Expiration *string `json:"Expiration"` +} + +func (provider *URLCredentialsProvider) getCredentials() (session *sessionCredentials, err error) { + req := &httputil.Request{ + Method: "GET", + URL: provider.url, + } + + connectTimeout := 5 * time.Second + readTimeout := 10 * time.Second + + if provider.httpOptions != nil && provider.httpOptions.ConnectTimeout > 0 { + connectTimeout = time.Duration(provider.httpOptions.ConnectTimeout) * time.Millisecond + } + if provider.httpOptions != nil && provider.httpOptions.ReadTimeout > 0 { + readTimeout = time.Duration(provider.httpOptions.ReadTimeout) * time.Millisecond + } + if provider.httpOptions != nil && provider.httpOptions.Proxy != "" { + req.Proxy = provider.httpOptions.Proxy + } + req.ConnectTimeout = connectTimeout + req.ReadTimeout = readTimeout + + res, err := httpDo(req) + if err != nil { + return + } + + if res.StatusCode != http.StatusOK { + err = fmt.Errorf("get credentials from %s failed: %s", req.BuildRequestURL(), string(res.Body)) + return + } + + var resp urlResponse + err = json.Unmarshal(res.Body, &resp) + if err != nil { + err = fmt.Errorf("get credentials from %s failed with error, json unmarshal fail: %s", req.BuildRequestURL(), err.Error()) + return + } + + if resp.AccessKeyId == nil || resp.AccessKeySecret == nil || resp.SecurityToken == nil || resp.Expiration == nil { + err = fmt.Errorf("refresh credentials from %s failed: %s", req.BuildRequestURL(), string(res.Body)) + return + } + + session = &sessionCredentials{ + AccessKeyId: *resp.AccessKeyId, + AccessKeySecret: *resp.AccessKeySecret, + SecurityToken: *resp.SecurityToken, + Expiration: *resp.Expiration, + } + return +} + +func (provider *URLCredentialsProvider) needUpdateCredential() (result bool) { + if provider.expirationTimestamp == 0 { + return true + } + + return provider.expirationTimestamp-time.Now().Unix() <= 180 +} + +func (provider *URLCredentialsProvider) GetCredentials() (cc *Credentials, err error) { + if provider.sessionCredentials == nil || provider.needUpdateCredential() { + sessionCredentials, err1 := provider.getCredentials() + if err1 != nil { + return nil, err1 + } + + provider.sessionCredentials = sessionCredentials + expirationTime, err2 := time.Parse("2006-01-02T15:04:05Z", sessionCredentials.Expiration) + if err2 != nil { + return nil, err2 + } + provider.expirationTimestamp = expirationTime.Unix() + } + + cc = &Credentials{ + AccessKeyId: provider.sessionCredentials.AccessKeyId, + AccessKeySecret: provider.sessionCredentials.AccessKeySecret, + SecurityToken: provider.sessionCredentials.SecurityToken, + ProviderName: provider.GetProviderName(), + } + return +} + +func (provider *URLCredentialsProvider) GetProviderName() string { + return "credential_uri" +} diff --git a/vendor/github.com/aliyun/credentials-go/credentials/sts_role_arn_credential.go b/vendor/github.com/aliyun/credentials-go/credentials/ram_role_arn_credentials_provider.go similarity index 70% rename from vendor/github.com/aliyun/credentials-go/credentials/sts_role_arn_credential.go rename to vendor/github.com/aliyun/credentials-go/credentials/ram_role_arn_credentials_provider.go index 3ddf32fa..71ae0040 100644 --- a/vendor/github.com/aliyun/credentials-go/credentials/sts_role_arn_credential.go +++ b/vendor/github.com/aliyun/credentials-go/credentials/ram_role_arn_credentials_provider.go @@ -8,17 +8,18 @@ import ( "time" "github.com/alibabacloud-go/tea/tea" + "github.com/aliyun/credentials-go/credentials/internal/utils" "github.com/aliyun/credentials-go/credentials/request" - "github.com/aliyun/credentials-go/credentials/utils" ) const defaultDurationSeconds = 3600 -// RAMRoleArnCredential is a kind of credentials -type RAMRoleArnCredential struct { +// RAMRoleArnCredentialsProvider is a kind of credentials +type RAMRoleArnCredentialsProvider struct { *credentialUpdater AccessKeyId string AccessKeySecret string + SecurityToken string RoleArn string RoleSessionName string RoleSessionExpiration int @@ -39,8 +40,23 @@ type credentialsInResponse struct { Expiration string `json:"Expiration" xml:"Expiration"` } -func newRAMRoleArnCredential(accessKeyId, accessKeySecret, roleArn, roleSessionName, policy string, roleSessionExpiration int, runtime *utils.Runtime) *RAMRoleArnCredential { - return &RAMRoleArnCredential{ +func newRAMRoleArnl(accessKeyId, accessKeySecret, securityToken, roleArn, roleSessionName, policy string, roleSessionExpiration int, externalId string, runtime *utils.Runtime) *RAMRoleArnCredentialsProvider { + return &RAMRoleArnCredentialsProvider{ + AccessKeyId: accessKeyId, + AccessKeySecret: accessKeySecret, + SecurityToken: securityToken, + RoleArn: roleArn, + RoleSessionName: roleSessionName, + RoleSessionExpiration: roleSessionExpiration, + Policy: policy, + ExternalId: externalId, + credentialUpdater: new(credentialUpdater), + runtime: runtime, + } +} + +func newRAMRoleArnCredential(accessKeyId, accessKeySecret, roleArn, roleSessionName, policy string, roleSessionExpiration int, runtime *utils.Runtime) *RAMRoleArnCredentialsProvider { + return &RAMRoleArnCredentialsProvider{ AccessKeyId: accessKeyId, AccessKeySecret: accessKeySecret, RoleArn: roleArn, @@ -52,8 +68,8 @@ func newRAMRoleArnCredential(accessKeyId, accessKeySecret, roleArn, roleSessionN } } -func newRAMRoleArnWithExternalIdCredential(accessKeyId, accessKeySecret, roleArn, roleSessionName, policy string, roleSessionExpiration int, externalId string, runtime *utils.Runtime) *RAMRoleArnCredential { - return &RAMRoleArnCredential{ +func newRAMRoleArnWithExternalIdCredential(accessKeyId, accessKeySecret, roleArn, roleSessionName, policy string, roleSessionExpiration int, externalId string, runtime *utils.Runtime) *RAMRoleArnCredentialsProvider { + return &RAMRoleArnCredentialsProvider{ AccessKeyId: accessKeyId, AccessKeySecret: accessKeySecret, RoleArn: roleArn, @@ -66,7 +82,7 @@ func newRAMRoleArnWithExternalIdCredential(accessKeyId, accessKeySecret, roleArn } } -func (e *RAMRoleArnCredential) GetCredential() (*CredentialModel, error) { +func (e *RAMRoleArnCredentialsProvider) GetCredential() (*CredentialModel, error) { if e.sessionCredential == nil || e.needUpdateCredential() { err := e.updateCredential() if err != nil { @@ -82,53 +98,53 @@ func (e *RAMRoleArnCredential) GetCredential() (*CredentialModel, error) { return credential, nil } -// GetAccessKeyId reutrns RamRoleArnCredential's AccessKeyId +// GetAccessKeyId reutrns RAMRoleArnCredentialsProvider's AccessKeyId // if AccessKeyId is not exist or out of date, the function will update it. -func (r *RAMRoleArnCredential) GetAccessKeyId() (*string, error) { - if r.sessionCredential == nil || r.needUpdateCredential() { - err := r.updateCredential() - if err != nil { - return tea.String(""), err - } +func (r *RAMRoleArnCredentialsProvider) GetAccessKeyId() (accessKeyId *string, err error) { + c, err := r.GetCredential() + if err != nil { + return } - return tea.String(r.sessionCredential.AccessKeyId), nil + + accessKeyId = c.AccessKeyId + return } -// GetAccessSecret reutrns RamRoleArnCredential's AccessKeySecret +// GetAccessSecret reutrns RAMRoleArnCredentialsProvider's AccessKeySecret // if AccessKeySecret is not exist or out of date, the function will update it. -func (r *RAMRoleArnCredential) GetAccessKeySecret() (*string, error) { - if r.sessionCredential == nil || r.needUpdateCredential() { - err := r.updateCredential() - if err != nil { - return tea.String(""), err - } +func (r *RAMRoleArnCredentialsProvider) GetAccessKeySecret() (accessKeySecret *string, err error) { + c, err := r.GetCredential() + if err != nil { + return } - return tea.String(r.sessionCredential.AccessKeySecret), nil + + accessKeySecret = c.AccessKeySecret + return } -// GetSecurityToken reutrns RamRoleArnCredential's SecurityToken +// GetSecurityToken reutrns RAMRoleArnCredentialsProvider's SecurityToken // if SecurityToken is not exist or out of date, the function will update it. -func (r *RAMRoleArnCredential) GetSecurityToken() (*string, error) { - if r.sessionCredential == nil || r.needUpdateCredential() { - err := r.updateCredential() - if err != nil { - return tea.String(""), err - } +func (r *RAMRoleArnCredentialsProvider) GetSecurityToken() (securityToken *string, err error) { + c, err := r.GetCredential() + if err != nil { + return } - return tea.String(r.sessionCredential.SecurityToken), nil + + securityToken = c.SecurityToken + return } -// GetBearerToken is useless RamRoleArnCredential -func (r *RAMRoleArnCredential) GetBearerToken() *string { +// GetBearerToken is useless RAMRoleArnCredentialsProvider +func (r *RAMRoleArnCredentialsProvider) GetBearerToken() *string { return tea.String("") } -// GetType reutrns RamRoleArnCredential's type -func (r *RAMRoleArnCredential) GetType() *string { +// GetType reutrns RAMRoleArnCredentialsProvider's type +func (r *RAMRoleArnCredentialsProvider) GetType() *string { return tea.String("ram_role_arn") } -func (r *RAMRoleArnCredential) updateCredential() (err error) { +func (r *RAMRoleArnCredentialsProvider) updateCredential() (err error) { if r.runtime == nil { r.runtime = new(utils.Runtime) } @@ -140,6 +156,9 @@ func (r *RAMRoleArnCredential) updateCredential() (err error) { request.Scheme = "HTTPS" request.Method = "GET" request.QueryParams["AccessKeyId"] = r.AccessKeyId + if r.SecurityToken != "" { + request.QueryParams["SecurityToken"] = r.SecurityToken + } request.QueryParams["Action"] = "AssumeRole" request.QueryParams["Format"] = "JSON" if r.RoleSessionExpiration > 0 { diff --git a/vendor/github.com/aliyun/credentials-go/credentials/request/doc.go b/vendor/github.com/aliyun/credentials-go/credentials/request/doc.go new file mode 100644 index 00000000..7ec0952b --- /dev/null +++ b/vendor/github.com/aliyun/credentials-go/credentials/request/doc.go @@ -0,0 +1,3 @@ +// Package request is used for internal. +// You should not depend on it directly, breaking changes can and will be introducted to it. +package request diff --git a/vendor/github.com/aliyun/credentials-go/credentials/response/doc.go b/vendor/github.com/aliyun/credentials-go/credentials/response/doc.go new file mode 100644 index 00000000..2279570e --- /dev/null +++ b/vendor/github.com/aliyun/credentials-go/credentials/response/doc.go @@ -0,0 +1,3 @@ +// Package request is used for internal. +// You should not depend on it directly, breaking changes can and will be introducted to it. +package response diff --git a/vendor/github.com/aliyun/credentials-go/credentials/rsa_key_pair_credential.go b/vendor/github.com/aliyun/credentials-go/credentials/rsa_key_pair_credentials_provider.go similarity index 82% rename from vendor/github.com/aliyun/credentials-go/credentials/rsa_key_pair_credential.go rename to vendor/github.com/aliyun/credentials-go/credentials/rsa_key_pair_credentials_provider.go index 82988eca..1d86f296 100644 --- a/vendor/github.com/aliyun/credentials-go/credentials/rsa_key_pair_credential.go +++ b/vendor/github.com/aliyun/credentials-go/credentials/rsa_key_pair_credentials_provider.go @@ -8,12 +8,13 @@ import ( "time" "github.com/alibabacloud-go/tea/tea" + "github.com/aliyun/credentials-go/credentials/internal/utils" "github.com/aliyun/credentials-go/credentials/request" - "github.com/aliyun/credentials-go/credentials/utils" ) -// RsaKeyPairCredential is a kind of credentials -type RsaKeyPairCredential struct { +// Deprecated: no more recommend to use it +// RsaKeyPairCredentialsProvider is a kind of credentials provider +type RsaKeyPairCredentialsProvider struct { *credentialUpdater PrivateKey string PublicKeyId string @@ -32,8 +33,8 @@ type sessionAccessKey struct { Expiration string `json:"Expiration" xml:"Expiration"` } -func newRsaKeyPairCredential(privateKey, publicKeyId string, sessionExpiration int, runtime *utils.Runtime) *RsaKeyPairCredential { - return &RsaKeyPairCredential{ +func newRsaKeyPairCredential(privateKey, publicKeyId string, sessionExpiration int, runtime *utils.Runtime) *RsaKeyPairCredentialsProvider { + return &RsaKeyPairCredentialsProvider{ PrivateKey: privateKey, PublicKeyId: publicKeyId, SessionExpiration: sessionExpiration, @@ -42,7 +43,7 @@ func newRsaKeyPairCredential(privateKey, publicKeyId string, sessionExpiration i } } -func (e *RsaKeyPairCredential) GetCredential() (*CredentialModel, error) { +func (e *RsaKeyPairCredentialsProvider) GetCredential() (*CredentialModel, error) { if e.sessionCredential == nil || e.needUpdateCredential() { err := e.updateCredential() if err != nil { @@ -60,44 +61,42 @@ func (e *RsaKeyPairCredential) GetCredential() (*CredentialModel, error) { // GetAccessKeyId reutrns RsaKeyPairCredential's AccessKeyId // if AccessKeyId is not exist or out of date, the function will update it. -func (r *RsaKeyPairCredential) GetAccessKeyId() (*string, error) { - if r.sessionCredential == nil || r.needUpdateCredential() { - err := r.updateCredential() - if err != nil { - return tea.String(""), err - } +func (r *RsaKeyPairCredentialsProvider) GetAccessKeyId() (accessKeyId *string, err error) { + c, err := r.GetCredential() + if err != nil { + return } - return tea.String(r.sessionCredential.AccessKeyId), nil + accessKeyId = c.AccessKeyId + return } // GetAccessSecret reutrns RsaKeyPairCredential's AccessKeySecret // if AccessKeySecret is not exist or out of date, the function will update it. -func (r *RsaKeyPairCredential) GetAccessKeySecret() (*string, error) { - if r.sessionCredential == nil || r.needUpdateCredential() { - err := r.updateCredential() - if err != nil { - return tea.String(""), err - } +func (r *RsaKeyPairCredentialsProvider) GetAccessKeySecret() (accessKeySecret *string, err error) { + c, err := r.GetCredential() + if err != nil { + return } - return tea.String(r.sessionCredential.AccessKeySecret), nil + accessKeySecret = c.AccessKeySecret + return } // GetSecurityToken is useless RsaKeyPairCredential -func (r *RsaKeyPairCredential) GetSecurityToken() (*string, error) { +func (r *RsaKeyPairCredentialsProvider) GetSecurityToken() (*string, error) { return tea.String(""), nil } // GetBearerToken is useless for RsaKeyPairCredential -func (r *RsaKeyPairCredential) GetBearerToken() *string { +func (r *RsaKeyPairCredentialsProvider) GetBearerToken() *string { return tea.String("") } // GetType reutrns RsaKeyPairCredential's type -func (r *RsaKeyPairCredential) GetType() *string { +func (r *RsaKeyPairCredentialsProvider) GetType() *string { return tea.String("rsa_key_pair") } -func (r *RsaKeyPairCredential) updateCredential() (err error) { +func (r *RsaKeyPairCredentialsProvider) updateCredential() (err error) { if r.runtime == nil { r.runtime = new(utils.Runtime) } diff --git a/vendor/github.com/aliyun/credentials-go/credentials/sts_credential.go b/vendor/github.com/aliyun/credentials-go/credentials/sts_credential.go deleted file mode 100644 index 5a9973f2..00000000 --- a/vendor/github.com/aliyun/credentials-go/credentials/sts_credential.go +++ /dev/null @@ -1,53 +0,0 @@ -package credentials - -import "github.com/alibabacloud-go/tea/tea" - -// StsTokenCredential is a kind of credentials -type StsTokenCredential struct { - AccessKeyId string - AccessKeySecret string - SecurityToken string -} - -func newStsTokenCredential(accessKeyId, accessKeySecret, securityToken string) *StsTokenCredential { - return &StsTokenCredential{ - AccessKeyId: accessKeyId, - AccessKeySecret: accessKeySecret, - SecurityToken: securityToken, - } -} - -func (s *StsTokenCredential) GetCredential() (*CredentialModel, error) { - credential := &CredentialModel{ - AccessKeyId: tea.String(s.AccessKeyId), - AccessKeySecret: tea.String(s.AccessKeySecret), - SecurityToken: tea.String(s.SecurityToken), - Type: tea.String("sts"), - } - return credential, nil -} - -// GetAccessKeyId reutrns StsTokenCredential's AccessKeyId -func (s *StsTokenCredential) GetAccessKeyId() (*string, error) { - return tea.String(s.AccessKeyId), nil -} - -// GetAccessSecret reutrns StsTokenCredential's AccessKeySecret -func (s *StsTokenCredential) GetAccessKeySecret() (*string, error) { - return tea.String(s.AccessKeySecret), nil -} - -// GetSecurityToken reutrns StsTokenCredential's SecurityToken -func (s *StsTokenCredential) GetSecurityToken() (*string, error) { - return tea.String(s.SecurityToken), nil -} - -// GetBearerToken is useless StsTokenCredential -func (s *StsTokenCredential) GetBearerToken() *string { - return tea.String("") -} - -// GetType reutrns StsTokenCredential's type -func (s *StsTokenCredential) GetType() *string { - return tea.String("sts") -} diff --git a/vendor/github.com/aliyun/credentials-go/credentials/uri_credential.go b/vendor/github.com/aliyun/credentials-go/credentials/uri_credential.go index d03006c9..56da5965 100644 --- a/vendor/github.com/aliyun/credentials-go/credentials/uri_credential.go +++ b/vendor/github.com/aliyun/credentials-go/credentials/uri_credential.go @@ -7,12 +7,12 @@ import ( "time" "github.com/alibabacloud-go/tea/tea" + "github.com/aliyun/credentials-go/credentials/internal/utils" "github.com/aliyun/credentials-go/credentials/request" - "github.com/aliyun/credentials-go/credentials/utils" ) // URLCredential is a kind of credential -type URLCredential struct { +type URLCredentialsProvider struct { URL string *credentialUpdater *sessionCredential @@ -26,18 +26,18 @@ type URLResponse struct { Expiration string `json:"Expiration" xml:"Expiration"` } -func newURLCredential(URL string) *URLCredential { +func newURLCredential(URL string) *URLCredentialsProvider { credentialUpdater := new(credentialUpdater) if URL == "" { URL = os.Getenv("ALIBABA_CLOUD_CREDENTIALS_URI") } - return &URLCredential{ + return &URLCredentialsProvider{ URL: URL, credentialUpdater: credentialUpdater, } } -func (e *URLCredential) GetCredential() (*CredentialModel, error) { +func (e *URLCredentialsProvider) GetCredential() (*CredentialModel, error) { if e.sessionCredential == nil || e.needUpdateCredential() { err := e.updateCredential() if err != nil { @@ -55,60 +55,48 @@ func (e *URLCredential) GetCredential() (*CredentialModel, error) { // GetAccessKeyId reutrns URLCredential's AccessKeyId // if AccessKeyId is not exist or out of date, the function will update it. -func (e *URLCredential) GetAccessKeyId() (*string, error) { - if e.sessionCredential == nil || e.needUpdateCredential() { - err := e.updateCredential() - if err != nil { - if e.credentialExpiration > (int(time.Now().Unix()) - int(e.lastUpdateTimestamp)) { - return &e.sessionCredential.AccessKeyId, nil - } - return tea.String(""), err - } +func (e *URLCredentialsProvider) GetAccessKeyId() (accessKeyId *string, err error) { + c, err := e.GetCredential() + if err != nil { + return } - return tea.String(e.sessionCredential.AccessKeyId), nil + accessKeyId = c.AccessKeyId + return } // GetAccessSecret reutrns URLCredential's AccessKeySecret // if AccessKeySecret is not exist or out of date, the function will update it. -func (e *URLCredential) GetAccessKeySecret() (*string, error) { - if e.sessionCredential == nil || e.needUpdateCredential() { - err := e.updateCredential() - if err != nil { - if e.credentialExpiration > (int(time.Now().Unix()) - int(e.lastUpdateTimestamp)) { - return &e.sessionCredential.AccessKeySecret, nil - } - return tea.String(""), err - } +func (e *URLCredentialsProvider) GetAccessKeySecret() (accessKeySecret *string, err error) { + c, err := e.GetCredential() + if err != nil { + return } - return tea.String(e.sessionCredential.AccessKeySecret), nil + accessKeySecret = c.AccessKeySecret + return } // GetSecurityToken reutrns URLCredential's SecurityToken // if SecurityToken is not exist or out of date, the function will update it. -func (e *URLCredential) GetSecurityToken() (*string, error) { - if e.sessionCredential == nil || e.needUpdateCredential() { - err := e.updateCredential() - if err != nil { - if e.credentialExpiration > (int(time.Now().Unix()) - int(e.lastUpdateTimestamp)) { - return &e.sessionCredential.SecurityToken, nil - } - return tea.String(""), err - } +func (e *URLCredentialsProvider) GetSecurityToken() (securityToken *string, err error) { + c, err := e.GetCredential() + if err != nil { + return } - return tea.String(e.sessionCredential.SecurityToken), nil + securityToken = c.SecurityToken + return } // GetBearerToken is useless for URLCredential -func (e *URLCredential) GetBearerToken() *string { +func (e *URLCredentialsProvider) GetBearerToken() *string { return tea.String("") } // GetType reutrns URLCredential's type -func (e *URLCredential) GetType() *string { +func (e *URLCredentialsProvider) GetType() *string { return tea.String("credential_uri") } -func (e *URLCredential) updateCredential() (err error) { +func (e *URLCredentialsProvider) updateCredential() (err error) { if e.runtime == nil { e.runtime = new(utils.Runtime) } @@ -117,15 +105,15 @@ func (e *URLCredential) updateCredential() (err error) { request.Method = "GET" content, err := doAction(request, e.runtime) if err != nil { - return fmt.Errorf("refresh Ecs sts token err: %s", err.Error()) + return fmt.Errorf("get credentials from %s failed with error: %s", e.URL, err.Error()) } var resp *URLResponse err = json.Unmarshal(content, &resp) if err != nil { - return fmt.Errorf("refresh Ecs sts token err: Json Unmarshal fail: %s", err.Error()) + return fmt.Errorf("get credentials from %s failed with error, json unmarshal fail: %s", e.URL, err.Error()) } if resp.AccessKeyId == "" || resp.AccessKeySecret == "" || resp.SecurityToken == "" || resp.Expiration == "" { - return fmt.Errorf("refresh Ecs sts token err: AccessKeyId: %s, AccessKeySecret: %s, SecurityToken: %s, Expiration: %s", resp.AccessKeyId, resp.AccessKeySecret, resp.SecurityToken, resp.Expiration) + return fmt.Errorf("get credentials failed: AccessKeyId: %s, AccessKeySecret: %s, SecurityToken: %s, Expiration: %s", resp.AccessKeyId, resp.AccessKeySecret, resp.SecurityToken, resp.Expiration) } expirationTime, err := time.Parse("2006-01-02T15:04:05Z", resp.Expiration) diff --git a/vendor/github.com/aliyun/credentials-go/credentials/utils/doc.go b/vendor/github.com/aliyun/credentials-go/credentials/utils/doc.go new file mode 100644 index 00000000..d8566ff7 --- /dev/null +++ b/vendor/github.com/aliyun/credentials-go/credentials/utils/doc.go @@ -0,0 +1,3 @@ +// Package request is used for internal. +// You should not depend on it directly, breaking changes can and will be introducted to it. +package utils diff --git a/vendor/github.com/aliyun/credentials-go/credentials/utils/runtime.go b/vendor/github.com/aliyun/credentials-go/credentials/utils/runtime.go index 432395cf..43830cdb 100644 --- a/vendor/github.com/aliyun/credentials-go/credentials/utils/runtime.go +++ b/vendor/github.com/aliyun/credentials-go/credentials/utils/runtime.go @@ -7,6 +7,7 @@ import ( ) // Runtime is for setting timeout, proxy and host +// Deprecated: it was used for internal type Runtime struct { ReadTimeout int ConnectTimeout int @@ -16,6 +17,7 @@ type Runtime struct { } // NewRuntime returns a Runtime +// Deprecated: it was used for internal func NewRuntime(readTimeout, connectTimeout int, proxy string, host string) *Runtime { return &Runtime{ ReadTimeout: readTimeout, @@ -26,6 +28,7 @@ func NewRuntime(readTimeout, connectTimeout int, proxy string, host string) *Run } // Timeout is for connect Timeout +// Deprecated: it was used for internal func Timeout(connectTimeout time.Duration) func(cxt context.Context, net, addr string) (c net.Conn, err error) { return func(ctx context.Context, network, address string) (net.Conn, error) { return (&net.Dialer{ diff --git a/vendor/github.com/aliyun/credentials-go/credentials/utils/utils.go b/vendor/github.com/aliyun/credentials-go/credentials/utils/utils.go index 7468407f..66457c3f 100644 --- a/vendor/github.com/aliyun/credentials-go/credentials/utils/utils.go +++ b/vendor/github.com/aliyun/credentials-go/credentials/utils/utils.go @@ -30,6 +30,7 @@ var hookRSA = func(fn func(rand io.Reader, priv *rsa.PrivateKey, hash crypto.Has } // GetUUID returns a uuid +// Deprecated: it was used for internal func GetUUID() (uuidHex string) { uuid := newUUID() uuidHex = hex.EncodeToString(uuid[:]) @@ -46,6 +47,7 @@ func RandStringBytes(n int) string { } // ShaHmac1 return a string which has been hashed +// Deprecated: it was used for internal func ShaHmac1(source, secret string) string { key := []byte(secret) hmac := hmac.New(sha1.New, key) @@ -56,6 +58,7 @@ func ShaHmac1(source, secret string) string { } // Sha256WithRsa return a string which has been hashed with Rsa +// Deprecated: it was used for internal func Sha256WithRsa(source, secret string) string { decodeString, err := base64.StdEncoding.DecodeString(secret) if err != nil { @@ -79,6 +82,7 @@ func Sha256WithRsa(source, secret string) string { } // GetMD5Base64 returns a string which has been base64 +// Deprecated: it was used for internal func GetMD5Base64(bytes []byte) (base64Value string) { md5Ctx := md5.New() md5Ctx.Write(bytes) @@ -88,6 +92,7 @@ func GetMD5Base64(bytes []byte) (base64Value string) { } // GetTimeInFormatISO8601 returns a time string +// Deprecated: it was used for internal func GetTimeInFormatISO8601() (timeStr string) { gmt := time.FixedZone("GMT", 0) @@ -95,6 +100,7 @@ func GetTimeInFormatISO8601() (timeStr string) { } // GetURLFormedMap returns a url encoded string +// Deprecated: it was used for internal func GetURLFormedMap(source map[string]string) (urlEncoded string) { urlEncoder := url.Values{} for key, value := range source { diff --git a/vendor/modules.txt b/vendor/modules.txt index 0ee07a71..da4beaf7 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -18,7 +18,7 @@ github.com/alibabacloud-go/darabonba-openapi/client # github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.6 ## explicit; go 1.14 github.com/alibabacloud-go/darabonba-openapi/v2/client -# github.com/alibabacloud-go/debug v1.0.0 +# github.com/alibabacloud-go/debug v1.0.1 ## explicit; go 1.18 github.com/alibabacloud-go/debug/debug # github.com/alibabacloud-go/endpoint-util v1.1.0 @@ -54,9 +54,12 @@ github.com/aliyun/alibaba-cloud-sdk-go/sdk/errors github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests github.com/aliyun/alibaba-cloud-sdk-go/sdk/responses github.com/aliyun/alibaba-cloud-sdk-go/sdk/utils -# github.com/aliyun/credentials-go v1.3.2 +# github.com/aliyun/credentials-go v1.4.3 ## explicit; go 1.14 github.com/aliyun/credentials-go/credentials +github.com/aliyun/credentials-go/credentials/internal/http +github.com/aliyun/credentials-go/credentials/internal/utils +github.com/aliyun/credentials-go/credentials/providers github.com/aliyun/credentials-go/credentials/request github.com/aliyun/credentials-go/credentials/response github.com/aliyun/credentials-go/credentials/utils