Add real credentials provider
JacksonTian committed Jul 30, 2024
1 parent 521f688 commit 5c982e0
Showing 10 changed files with 314 additions and 79 deletions.
60 changes: 60 additions & 0 deletions sdk/auth/credential.go
Expand Up @@ -14,5 +14,65 @@

package auth

import (
"fmt"
"reflect"

"github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials"
"github.com/aliyun/alibaba-cloud-sdk-go/sdk/errors"
)

type Credential interface {
}

func ToCredentialsProvider(credential Credential) (provider credentials.CredentialsProvider, err error) {
switch instance := credential.(type) {
case *credentials.AccessKeyCredential:
{
provider = credentials.NewStaticAKCredentialsProvider(instance.AccessKeyId, instance.AccessKeySecret)
return
}
case *credentials.StsTokenCredential:
{
provider = credentials.NewStaticSTSCredentialsProvider(instance.AccessKeyId, instance.AccessKeySecret, instance.AccessKeyStsToken)
return
}
case *credentials.BearerTokenCredential:
{
provider = credentials.NewBearerTokenCredentialsProvider(instance.BearerToken)
return
}
case *credentials.RamRoleArnCredential:
{
preProvider := credentials.NewStaticAKCredentialsProvider(instance.AccessKeyId, instance.AccessKeySecret)
provider = credentials.NewRAMRoleARNCredentialsProvider(
preProvider,
instance.RoleArn,
instance.RoleSessionName,
instance.RoleSessionExpiration,
instance.Policy,
instance.StsRegion,
instance.ExternalId)
return
}
case *credentials.RsaKeyPairCredential:
{
provider = credentials.NewRSAKeyPairCredentialsProvider(instance.PublicKeyId, instance.PrivateKey, instance.SessionExpiration)
return
}
case *credentials.EcsRamRoleCredential:
{
provider = credentials.NewECSRAMRoleCredentialsProvider(instance.RoleName)
return
}
case credentials.CredentialsProvider:
{
provider = instance
return
}
default:
message := fmt.Sprintf(errors.UnsupportedCredentialErrorMessage, reflect.TypeOf(credential))
err = errors.NewClientError(errors.UnsupportedCredentialErrorCode, message, nil)
}
return
}
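Review bot: ToCredentialsProvider and the empty Credential interface are exported with no doc comment, and the RsaKeyPairCredential case hands instance.PrivateKey — key material, not an identifier — to the provider's second argument without saying so. A header such as `// ToCredentialsProvider adapts a legacy Credential value to credentials.CredentialsProvider; values that already implement the interface are returned unchanged, and any other type yields an UnsupportedCredentialErrorCode client error.` states the contract, and a one-line comment on the RSA case (`// instance.PrivateKey is the PEM private key, not a key ID`) keeps the next reader from treating that argument as printable. Because Credential has no methods, a nil credential also lands in the default branch; that is acceptable but worth mentioning in the doc comment so callers know nil is rejected rather than treated as "no credentials".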
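--- /dev/null
+++ b/sdk/auth/credentials/credentials.go
@@ -0,0 +1,139 @@
+package credentials
+
+type Credentials struct {
+AccessKeyId string
+AccessKeySecret string
+SecurityToken string
+BearerToken string
+}
+
+type CredentialsProvider interface {
+GetCredentials() (cc *Credentials, err error)
+}
+
+type StaticAKCredentialsProvider struct {
+AccessKeyId string
+AccessKeySecret string
+}
+
+func NewStaticAKCredentialsProvider(accessKeyId, accessKeySecret string) *StaticAKCredentialsProvider {
+return &StaticAKCredentialsProvider{
+AccessKeyId: accessKeyId,
+AccessKeySecret: accessKeySecret,
+}
+}
+
+func (provider *StaticAKCredentialsProvider) GetCredentials() (cc *Credentials, err error) {
+cc = &Credentials{
+AccessKeyId: provider.AccessKeyId,
+AccessKeySecret: provider.AccessKeySecret,
+}
+return
+}
+
+type StaticSTSCredentialsProvider struct {
+AccessKeyId string
+AccessKeySecret string
+SecurityToken string
+}
+
+func NewStaticSTSCredentialsProvider(accessKeyId, accessKeySecret, securityToken string) *StaticSTSCredentialsProvider {
+return &StaticSTSCredentialsProvider{
+AccessKeyId: accessKeyId,
+AccessKeySecret: accessKeySecret,
+SecurityToken: securityToken,
+}
+}
+
+func (provider *StaticSTSCredentialsProvider) GetCredentials() (cc *Credentials, err error) {
+cc = &Credentials{
+AccessKeyId: provider.AccessKeyId,
+AccessKeySecret: provider.AccessKeySecret,
+SecurityToken: provider.SecurityToken,
+}
+return
+}
+
+type BearerTokenCredentialsProvider struct {
+BearerToken string
+}
+
+func NewBearerTokenCredentialsProvider(bearerToken string) *BearerTokenCredentialsProvider {
+return &BearerTokenCredentialsProvider{
+BearerToken: bearerToken,
+}
+}
+
+func (provider *BearerTokenCredentialsProvider) GetCredentials() (cc *Credentials, err error) {
+cc = &Credentials{
+BearerToken: provider.BearerToken,
+}
+return
+}
+
+type RSAKeyPairCredentialsProvider struct {
+PublicKeyId string
+PrivateKeyId string
+sessionExpiration int
+}
+
+func NewRSAKeyPairCredentialsProvider(publicKeyId, privateKeyId string, sessionExpiration int) *RSAKeyPairCredentialsProvider {
+return &RSAKeyPairCredentialsProvider{
+PublicKeyId: publicKeyId,
+PrivateKeyId: privateKeyId,
+sessionExpiration: sessionExpiration,
+}
+}
+
+func (provider *RSAKeyPairCredentialsProvider) GetCredentials() (cc *Credentials, err error) {
+cc = &Credentials{
+// TODO:
+}
+return
+}
+
+type RAMRoleARNCredentialsProvider struct {
+credentialsProvider CredentialsProvider
+RoleArn string
+RoleSessionName string
+RoleSessionExpiration int
+Policy string
+StsRegion string
+ExternalId string
+}
+
+func NewRAMRoleARNCredentialsProvider(credentialsProvider CredentialsProvider, roleArn, roleSessionName string, roleSessionExpiration int, policy, stsRegion, externalId string) *RAMRoleARNCredentialsProvider {
+return &RAMRoleARNCredentialsProvider{
+credentialsProvider: credentialsProvider,
+RoleArn: roleArn,
+RoleSessionName: roleSessionName,
+RoleSessionExpiration: roleSessionExpiration,
+Policy: policy,
+StsRegion: stsRegion,
+ExternalId: externalId,
+}
+}
+
+func (provider *RAMRoleARNCredentialsProvider) GetCredentials() (cc *Credentials, err error) {
+cc = &Credentials{
+// TODO:
+}
+return
+}
+
+type ECSRAMRoleCredentialsProvider struct {
+RoleName string
+}
+
+func NewECSRAMRoleCredentialsProvider(roleName string) *ECSRAMRoleCredentialsProvider {
+return &ECSRAMRoleCredentialsProvider{
+RoleName: roleName,
+}
+}
+
+func (provider *ECSRAMRoleCredentialsProvider) GetCredentials() (cc *Credentials, err error) {
+cc = &Credentials{
+// TODO:
+}
+return
+}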
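Review bot: The three `// TODO:` GetCredentials stubs (RSAKeyPairCredentialsProvider, RAMRoleARNCredentialsProvider, ECSRAMRoleCredentialsProvider) return an empty Credentials with a nil error, so a caller like signRoaRequest in this same commit carries on and emits an Authorization header with an empty AccessKeyId instead of failing. Until the real implementations land each stub should fail closed, e.g. `return nil, errors.New("credentials: RSAKeyPairCredentialsProvider.GetCredentials is not implemented")` (adding `"errors"` to this file's imports), with the matching message in the other two. Separately, RSAKeyPairCredentialsProvider stores what ToCredentialsProvider passes as instance.PrivateKey in a field named PrivateKeyId; the value is key material, so renaming the field to PrivateKey, or at least documenting that it is not an identifier, avoids it being logged as if it were a public ID. None of the exported types or constructors carry doc comments; Credentials and CredentialsProvider at minimum should state that AccessKeySecret, SecurityToken and BearerToken are secrets and must not be logged.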
35 changes: 14 additions & 21 deletions sdk/auth/roa_signature_composer.go
Expand Up @@ -19,6 +19,7 @@ import (
"sort"
"strings"

"github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials"
"github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests"
"github.com/aliyun/alibaba-cloud-sdk-go/sdk/utils"
)
Expand All @@ -33,43 +34,35 @@ func init() {
debug = utils.Init("sdk")
}

func signRoaRequest(request requests.AcsRequest, signer Signer) (err error) {
func signRoaRequest(request requests.AcsRequest, signer Signer, credentialsProvider credentials.CredentialsProvider) (err error) {
// 先获取 accesskey,确保刷新 credential
accessKeyId, err := signer.GetAccessKeyId()
cc, err := credentialsProvider.GetCredentials()
if err != nil {
return err
}

completeROASignParams(request, signer)
completeROASignParams(request, signer, cc)
stringToSign := buildRoaStringToSign(request)
request.SetStringToSign(stringToSign)

signature := signer.Sign(stringToSign, "")
request.GetHeaders()["Authorization"] = "acs " + accessKeyId + ":" + signature
request.GetHeaders()["Authorization"] = "acs " + cc.AccessKeyId + ":" + signature

return
}

func completeROASignParams(request requests.AcsRequest, signer Signer) {
func completeROASignParams(request requests.AcsRequest, signer Signer, cc *credentials.Credentials) {
headerParams := request.GetHeaders()

// complete query params
queryParams := request.GetQueryParams()
//if _, ok := queryParams["RegionId"]; !ok {
// queryParams["RegionId"] = regionId
//}
if extraParam := signer.GetExtraParam(); extraParam != nil {
for key, value := range extraParam {
if key == "SecurityToken" {
headerParams["x-acs-security-token"] = value
continue
}
if key == "BearerToken" {
headerParams["x-acs-bearer-token"] = value
continue
}
queryParams[key] = value
}
request.GetQueryParams()

if cc.SecurityToken != "" {
headerParams["x-acs-security-token"] = cc.SecurityToken
}

if cc.BearerToken != "" {
headerParams["x-acs-bearer-token"] = cc.BearerToken
}

// complete header params
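Review bot: signRoaRequest now takes AccessKeyId (and, through completeROASignParams, the security or bearer token) from credentialsProvider, while the signature still comes from signer.Sign using the signer's own secret, and nothing checks that the two describe the same credential; a caller that pairs a mismatched signer and provider, or a future provider that refreshes what the signer does not see, produces an Authorization header whose AccessKeyId does not match the signing key. Until the signer is derived from the same Credentials value, a comment at the call site should record that coupling, and a guard such as `if cc == nil { return errors.New("credentials provider returned no credentials") }` before cc.AccessKeyId is read would turn a nil-returning provider into an error rather than a panic (the import block above this hunk would need errors if it is not already there). The removed loop also copied every other signer extra parameter into the query string; if any Signer in the tree sets keys beyond SecurityToken and BearerToken they are now silently dropped, which is worth confirming. `request.GetQueryParams()` at the top of completeROASignParams is now a bare call whose result is discarded and can go, and the Chinese comment before GetCredentials would read better as `// Fetch credentials first so a refreshing provider is updated before signing.`. completeROASignParams continues past the end of this hunk.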
34 changes: 27 additions & 7 deletions sdk/auth/roa_signature_composer_test.go
Expand Up @@ -46,7 +46,10 @@ func TestRoaSignatureComposer(t *testing.T) {
origTestHookGetDate := hookGetDate
defer func() { hookGetDate = origTestHookGetDate }()
hookGetDate = mockDate
signRoaRequest(request, signer)

provider, err := ToCredentialsProvider(c)
assert.Nil(t, err)
signRoaRequest(request, signer, provider)
assert.Equal(t, "mock date", request.GetHeaders()["Date"])
assert.Equal(t, "acs accessKeyId:degLHXLEN6rMojj+bOlK74U9iic=", request.GetHeaders()["Authorization"])
}
Expand All @@ -63,7 +66,10 @@ func TestRoaSignatureComposer2(t *testing.T) {
origTestHookLookupIP := hookGetDate
defer func() { hookGetDate = origTestHookLookupIP }()
hookGetDate = mockDate
signRoaRequest(request, signer)

provider, err := ToCredentialsProvider(c)
assert.Nil(t, err)
signRoaRequest(request, signer, provider)
assert.Equal(t, "application/x-www-form-urlencoded", request.GetHeaders()["Content-Type"])
assert.Equal(t, "mock date", request.GetHeaders()["Date"])
assert.Equal(t, "application/xml", request.GetHeaders()["Accept"])
Expand All @@ -81,20 +87,34 @@ func TestRoaSignatureComposer3(t *testing.T) {
origTestHookGetDate := hookGetDate
defer func() { hookGetDate = origTestHookGetDate }()
hookGetDate = mockDate
signRoaRequest(request, signer)

provider, err := ToCredentialsProvider(c)
assert.Nil(t, err)
signRoaRequest(request, signer, provider)
assert.Equal(t, "mock date", request.GetHeaders()["Date"])
}

func TestCompleteROASignParams(t *testing.T) {
req := requests.NewCommonRequest()
req.TransToAcsRequest()
sign := signers.NewBearerTokenSigner(credentials.NewBearerTokenCredential("Bearer.Token"))
completeROASignParams(req, sign)
c := credentials.NewBearerTokenCredential("Bearer.Token")
sign := signers.NewBearerTokenSigner(c)
provider, err := ToCredentialsProvider(c)
assert.Nil(t, err)
cc, err := provider.GetCredentials()
assert.Nil(t, err)

completeROASignParams(req, sign, cc)
head := req.GetHeaders()
assert.Equal(t, "Bearer.Token", head["x-acs-bearer-token"])

sign1 := signers.NewStsTokenSigner(credentials.NewStsTokenCredential("accessKeyId", "accessKeySecret", "accessKeyStsToken"))
completeROASignParams(req, sign1)
stc := credentials.NewStsTokenCredential("accessKeyId", "accessKeySecret", "accessKeyStsToken")
sign1 := signers.NewStsTokenSigner(stc)
provider, err = ToCredentialsProvider(stc)
assert.Nil(t, err)
cc, err = provider.GetCredentials()
assert.Nil(t, err)
completeROASignParams(req, sign1, cc)
head = req.GetHeaders()
assert.Equal(t, "accessKeyStsToken", head["x-acs-security-token"])
}
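Review bot: The error returned by signRoaRequest is discarded at all three new call sites (`signRoaRequest(request, signer, provider)`), so a provider failure would surface as a confusing mismatch on the Date or Authorization assertion rather than at its cause; `assert.Nil(t, signRoaRequest(request, signer, provider))` keeps the check explicit, as the tests already do for ToCredentialsProvider. In TestCompleteROASignParams the same req is reused for the bearer and STS cases, and because completeROASignParams only writes x-acs-bearer-token and x-acs-security-token when the value is non-empty, the first case's "Bearer.Token" header is still on the request after the second case runs. Either build a fresh request for the STS case or assert on the stale bearer header explicitly, so that carrying both tokens on one request is a deliberate, tested choice rather than an accident.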