From e085793a393bbb27156e104644cea082a756e774 Mon Sep 17 00:00:00 2001 From: Jackson Tian Date: Thu, 22 Aug 2024 11:52:14 +0800 Subject: [PATCH] Add ProviderName --- .../cli_profile_credentials_provider.go | 26 +++++++++---- .../cli_profile_credentials_provider_test.go | 17 +++++++- sdk/auth/credentials/credentials.go | 39 ++++++++++++++++++- sdk/auth/credentials/credentials_test.go | 3 ++ .../default_credentials_provider.go | 13 ++++++- .../default_credentials_provider_test.go | 16 +++++++- .../credentials/env_credentials_provider.go | 21 +++++----- .../env_credentials_provider_test.go | 2 + .../profile_credentials_provider.go | 34 ++++++++++++---- .../profile_credentials_provider_test.go | 30 ++++++++++++-- 10 files changed, 165 insertions(+), 36 deletions(-) diff --git a/sdk/auth/credentials/cli_profile_credentials_provider.go b/sdk/auth/credentials/cli_profile_credentials_provider.go index bf1a16c1a0..4e439cf6c3 100644 --- a/sdk/auth/credentials/cli_profile_credentials_provider.go +++ b/sdk/auth/credentials/cli_profile_credentials_provider.go @@ -122,9 +122,10 @@ func (provider *CLIProfileCredentialsProvider) getCredentialsProvider(conf *conf WithRoleSessionName(p.RoleSessionName). Build() case "ChainableRamRoleArn": - previousProvider, err1 := provider.getCredentialsProvider(conf, p.SourceProfile) - if err1 != nil { - err = fmt.Errorf("get source profile failed: %s", err1.Error()) + var previousProvider CredentialsProvider + previousProvider, err = provider.getCredentialsProvider(conf, p.SourceProfile) + if err != nil { + err = fmt.Errorf("get source profile failed: %s", err.Error()) return } credentialsProvider, err = NewRAMRoleARNCredentialsProvider(previousProvider, p.RoleArn, p.RoleSessionName, p.DurationSeconds, "", p.StsRegion, "") 
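Review bot: The recursive `provider.getCredentialsProvider(conf, p.SourceProfile)` call in the `ChainableRamRoleArn` case has no visible cycle or depth guard, so a config in which a profile names itself as its source profile, or in which profiles form a loop, would presumably recurse until the stack overflows. The function starts and ends outside this hunk, so a guard may exist elsewhere; if it does not, track the profile names already visited and return an error on a repeat. While this line is being touched, wrapping with `%w` keeps the underlying cause inspectable via `errors.Is`/`errors.As`: `err = fmt.Errorf("get source profile failed: %w", err)`.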
@@ -147,10 +148,9 @@ func (provider *CLIProfileCredentialsProvider) GetCredentials() (cc *Credentials } cfgPath := path.Join(homedir, ".aliyun/config.json") - - conf, err1 := newConfigurationFromPath(cfgPath) - if err1 != nil { - err = err1 + var conf *configuration + conf, err = newConfigurationFromPath(cfgPath) + if err != nil { return } @@ -164,5 +164,15 @@ func (provider *CLIProfileCredentialsProvider) GetCredentials() (cc *Credentials } } - return provider.innerProvider.GetCredentials() + cc, err = provider.innerProvider.GetCredentials() + if err != nil { + return + } + + cc.ProviderName = fmt.Sprintf("%s/%s", provider.GetProviderName(), provider.innerProvider.GetProviderName()) + return +} + +func (provider *CLIProfileCredentialsProvider) GetProviderName() string { + return "cli_provider" } diff --git a/sdk/auth/credentials/cli_profile_credentials_provider_test.go b/sdk/auth/credentials/cli_profile_credentials_provider_test.go index 3932692fe8..5f3fd1bd7c 100644 --- a/sdk/auth/credentials/cli_profile_credentials_provider_test.go +++ b/sdk/auth/credentials/cli_profile_credentials_provider_test.go @@ -124,7 +124,7 @@ func TestCLIProfileCredentialsProvider_getCredentialsProvider(t *testing.T) { assert.True(t, ok) cc, err := akcp.GetCredentials() assert.Nil(t, err) - assert.Equal(t, cc, &Credentials{AccessKeyId: "akid", AccessKeySecret: "secret", SecurityToken: ""}) + assert.Equal(t, cc, &Credentials{AccessKeyId: "akid", AccessKeySecret: "secret", SecurityToken: "", ProviderName: "static_ak"}) // RamRoleArn cp, err = provider.getCredentialsProvider(conf, "RamRoleArn") assert.Nil(t, err) 
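Review bot: `cc.ProviderName = fmt.Sprintf("%s/%s", provider.GetProviderName(), provider.innerProvider.GetProviderName())` at the end of `CLIProfileCredentialsProvider.GetCredentials` overwrites the name the inner provider already stored on `cc`, so deeper provenance is lost. A CLI profile that resolves to a RAM role would report `cli_provider/ram_role_arn` and drop the `ram_role_arn/<source>` value that `RAMRoleARNCredentialsProvider.GetCredentials` sets. If the field is meant to tell an operator or an audit log where a credential really came from, prefix the existing value instead: `cc.ProviderName = provider.GetProviderName() + "/" + cc.ProviderName`. The same overwrite appears in `DefaultCredentialsProvider.GetCredentials` and `ProfileCredentialsProvider.GetCredentials`. The test expectations in this patch (`cli_provider/static_ak`, `default/env`, `profile/static_ak`) stay the same with the prefix form.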
@@ -184,9 +184,22 @@ func TestCLIProfileCredentialsProvider_GetCredentials(t *testing.T) { provider = NewCLIProfileCredentialsProviderBuilder().Build() cc, err := provider.GetCredentials() assert.Nil(t, err) - assert.Equal(t, &Credentials{AccessKeyId: "akid", AccessKeySecret: "secret", SecurityToken: "", BearerToken: ""}, cc) + assert.Equal(t, &Credentials{ + AccessKeyId: "akid", + AccessKeySecret: "secret", + SecurityToken: "", + BearerToken: "", + ProviderName: "cli_provider/static_ak", + }, cc) provider = NewCLIProfileCredentialsProviderBuilder().WithProfileName("inexist").Build() _, err = provider.GetCredentials() assert.EqualError(t, err, "unable to get profile with 'inexist'") + + // get credentials with RamRoleArn profile + // the previous credentials is invalid + provider = NewCLIProfileCredentialsProviderBuilder().WithProfileName("RamRoleArn").Build() + _, err = provider.GetCredentials() + assert.NotNil(t, err) + assert.Contains(t, err.Error(), "InvalidAccessKeyId.NotFound") } diff --git a/sdk/auth/credentials/credentials.go b/sdk/auth/credentials/credentials.go index 818d543fce..a1ad8f763e 100644 --- a/sdk/auth/credentials/credentials.go +++ b/sdk/auth/credentials/credentials.go @@ -64,6 +64,7 @@ type Credentials struct { AccessKeySecret string SecurityToken string BearerToken string + ProviderName string } type do func(req *http.Request) (*http.Response, error) @@ -80,6 +81,7 @@ var hookNewRequest = func(fn newReuqest) newReuqest { type CredentialsProvider interface { GetCredentials() (cc *Credentials, err error) + GetProviderName() string } type StaticAKCredentialsProvider struct { 
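Review bot: The new `RamRoleArn` case in `TestCLIProfileCredentialsProvider_GetCredentials` asserts on `InvalidAccessKeyId.NotFound`, which looks like a server-side error code, so the test appears to depend on a live call to the STS endpoint. It would fail with a different error offline or behind a proxy. No transport stub is visible in this hunk, though the test body starts outside it; swapping `hookDo` the way `TestRAMRoleARNCredentialsProviderGetCredentials` does would keep the test hermetic. The `ram` profile case added to `TestProfileCredentialsProviderGetCredentials` has the same dependency.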
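Review bot: Adding `GetProviderName() string` to the exported `CredentialsProvider` interface breaks every implementation outside this package, because those types stop compiling until they add the method. If that break is not intended, leave the interface unchanged and detect the method through a type assertion on a small optional interface, falling back to a fixed name when it is absent. Either way the method needs a doc comment that fixes the contract, for example `// GetProviderName returns a short, stable identifier for the provider; wrapping providers join names with "/".`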
@@ -98,10 +100,15 @@ func (provider *StaticAKCredentialsProvider) GetCredentials() (cc *Credentials, cc = &Credentials{ AccessKeyId: provider.accessKeyId, AccessKeySecret: provider.accessKeySecret, + ProviderName: provider.GetProviderName(), } return } +func (provider *StaticAKCredentialsProvider) GetProviderName() string { + return "static_ak" +} + type StaticSTSCredentialsProvider struct { accessKeyId string accessKeySecret string @@ -121,10 +128,15 @@ func (provider *StaticSTSCredentialsProvider) GetCredentials() (cc *Credentials, AccessKeyId: provider.accessKeyId, AccessKeySecret: provider.accessKeySecret, SecurityToken: provider.securityToken, + ProviderName: provider.GetProviderName(), } return } +func (provider *StaticSTSCredentialsProvider) GetProviderName() string { + return "static_sts" +} + type BearerTokenCredentialsProvider struct { bearerToken string } @@ -137,11 +149,16 @@ func NewBearerTokenCredentialsProvider(bearerToken string) *BearerTokenCredentia func (provider *BearerTokenCredentialsProvider) GetCredentials() (cc *Credentials, err error) { cc = &Credentials{ - BearerToken: provider.bearerToken, + BearerToken: provider.bearerToken, + ProviderName: provider.GetProviderName(), } return } +func (provider *BearerTokenCredentialsProvider) GetProviderName() string { + return "bearer_token" +} + // Deprecated: the RSA key pair credentials is deprecated type RSAKeyPairCredentialsProvider struct { PublicKeyId string @@ -193,6 +210,7 @@ func (provider *RSAKeyPairCredentialsProvider) GetCredentials() (cc *Credentials cc = &Credentials{ AccessKeyId: *provider.sessionAccessKey.SessionAccessKeyId, AccessKeySecret: *provider.sessionAccessKey.SessionAccessKeySecret, + ProviderName: provider.GetProviderName(), } return } 
@@ -296,6 +314,10 @@ func (provider *RSAKeyPairCredentialsProvider) getCredentials() (sessionAK *sess return } +func (provider *RSAKeyPairCredentialsProvider) GetProviderName() string { + return "rsa_key_pair" +} + type RAMRoleARNCredentialsProvider struct { credentialsProvider CredentialsProvider roleArn string @@ -482,10 +504,15 @@ func (provider *RAMRoleARNCredentialsProvider) GetCredentials() (cc *Credentials AccessKeyId: provider.sessionCredentials.AccessKeyId, AccessKeySecret: provider.sessionCredentials.AccessKeySecret, SecurityToken: provider.sessionCredentials.SecurityToken, + ProviderName: fmt.Sprintf("%s/%s", provider.GetProviderName(), provider.credentialsProvider.GetProviderName()), } return } +func (provider *RAMRoleARNCredentialsProvider) GetProviderName() string { + return "ram_role_arn" +} + type ECSRAMRoleCredentialsProvider struct { roleName string sessionCredentials *SessionCredentials @@ -619,10 +646,15 @@ func (provider *ECSRAMRoleCredentialsProvider) GetCredentials() (cc *Credentials AccessKeyId: provider.sessionCredentials.AccessKeyId, AccessKeySecret: provider.sessionCredentials.AccessKeySecret, SecurityToken: provider.sessionCredentials.SecurityToken, + ProviderName: provider.GetProviderName(), } return } +func (provider *ECSRAMRoleCredentialsProvider) GetProviderName() string { + return "ecs_ram_role" +} + type OIDCCredentialsProvider struct { oidcProviderARN string oidcTokenFilePath string @@ -853,6 +885,11 @@ func (provider *OIDCCredentialsProvider) GetCredentials() (cc *Credentials, err AccessKeyId: provider.sessionCredentials.AccessKeyId, AccessKeySecret: provider.sessionCredentials.AccessKeySecret, SecurityToken: provider.sessionCredentials.SecurityToken, + ProviderName: provider.GetProviderName(), } return } + +func (provider *OIDCCredentialsProvider) GetProviderName() string { + return "oidc_role_arn" +} 
diff --git a/sdk/auth/credentials/credentials_test.go b/sdk/auth/credentials/credentials_test.go index bc79a5438c..80ffa84a24 100644 --- a/sdk/auth/credentials/credentials_test.go +++ b/sdk/auth/credentials/credentials_test.go @@ -476,6 +476,9 @@ func (p *errorCredentialsProvider) GetCredentials() (cc *Credentials, err error) return } +func (p *errorCredentialsProvider) GetProviderName() string { + return "error_mock" +} func TestRAMRoleARNCredentialsProviderGetCredentials(t *testing.T) { originDo := hookDo defer func() { hookDo = originDo }() diff --git a/sdk/auth/credentials/default_credentials_provider.go b/sdk/auth/credentials/default_credentials_provider.go index cf5ab18f85..8a404d8a42 100644 --- a/sdk/auth/credentials/default_credentials_provider.go +++ b/sdk/auth/credentials/default_credentials_provider.go @@ -45,13 +45,19 @@ func NewDefaultCredentialsProvider() (provider *DefaultCredentialsProvider) { func (provider *DefaultCredentialsProvider) GetCredentials() (cc *Credentials, err error) { if provider.lastUsedProvider != nil { - return provider.lastUsedProvider.GetCredentials() + cc, err = provider.lastUsedProvider.GetCredentials() + if err != nil { + return + } + cc.ProviderName = fmt.Sprintf("%s/%s", provider.GetProviderName(), provider.lastUsedProvider.GetProviderName()) + return } errors := []string{} for _, p := range provider.providerChain { provider.lastUsedProvider = p cc, err = p.GetCredentials() + if err != nil { errors = append(errors, err.Error()) // 如果有错误,进入下一个获取过程 @@ -59,6 +65,7 @@ func (provider *DefaultCredentialsProvider) GetCredentials() (cc *Credentials, e } if cc != nil { + cc.ProviderName = fmt.Sprintf("%s/%s", provider.GetProviderName(), p.GetProviderName()) return } } 
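Review bot: The cached branch of `DefaultCredentialsProvider.GetCredentials` writes `cc.ProviderName` right after the error check without the `if cc != nil` guard that the chain loop below still applies. If any provider can return `nil, nil`, which the loop's guard suggests is considered possible, a later call through `lastUsedProvider` would panic where the old code returned the nil value. Guard the write the same way: `if cc != nil { cc.ProviderName = fmt.Sprintf("%s/%s", provider.GetProviderName(), provider.lastUsedProvider.GetProviderName()) }`. `CLIProfileCredentialsProvider.GetCredentials` and `ProfileCredentialsProvider.GetCredentials` make the same unguarded write.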
@@ -66,3 +73,7 @@ func (provider *DefaultCredentialsProvider) GetCredentials() (cc *Credentials, e err = fmt.Errorf("unable to get credentials from any of the providers in the chain: %s", strings.Join(errors, ", ")) return } + +func (provider *DefaultCredentialsProvider) GetProviderName() string { + return "default" +} diff --git a/sdk/auth/credentials/default_credentials_provider_test.go b/sdk/auth/credentials/default_credentials_provider_test.go index 6a030bb31f..37589e72a8 100644 --- a/sdk/auth/credentials/default_credentials_provider_test.go +++ b/sdk/auth/credentials/default_credentials_provider_test.go @@ -94,9 +94,21 @@ func TestDefaultCredentialsProvider_GetCredentials(t *testing.T) { assert.Len(t, provider.providerChain, 3) cc, err := provider.GetCredentials() assert.Nil(t, err) - assert.Equal(t, &Credentials{AccessKeyId: "akid", AccessKeySecret: "aksecret", SecurityToken: "", BearerToken: ""}, cc) + assert.Equal(t, &Credentials{ + AccessKeyId: "akid", + AccessKeySecret: "aksecret", + SecurityToken: "", + BearerToken: "", + ProviderName: "default/env", + }, cc) // get again cc, err = provider.GetCredentials() assert.Nil(t, err) - assert.Equal(t, &Credentials{AccessKeyId: "akid", AccessKeySecret: "aksecret", SecurityToken: "", BearerToken: ""}, cc) + assert.Equal(t, &Credentials{ + AccessKeyId: "akid", + AccessKeySecret: "aksecret", + SecurityToken: "", + BearerToken: "", + ProviderName: "default/env", + }, cc) } diff --git a/sdk/auth/credentials/env_credentials_provider.go b/sdk/auth/credentials/env_credentials_provider.go index 7403c34f68..bda1ae823a 100644 --- a/sdk/auth/credentials/env_credentials_provider.go +++ b/sdk/auth/credentials/env_credentials_provider.go 
@@ -29,17 +29,16 @@ func (provider *EnvironmentVariableCredentialsProvider) GetCredentials() (cc *Cr securityToken := os.Getenv("ALIBABA_CLOUD_SECURITY_TOKEN") - if securityToken == "" { - cc = &Credentials{ - AccessKeyId: accessKeyId, - AccessKeySecret: accessKeySecret, - } - } else { - cc = &Credentials{ - AccessKeyId: accessKeyId, - AccessKeySecret: accessKeySecret, - SecurityToken: securityToken, - } + cc = &Credentials{ + AccessKeyId: accessKeyId, + AccessKeySecret: accessKeySecret, + SecurityToken: securityToken, + ProviderName: provider.GetProviderName(), } + return } + +func (provider *EnvironmentVariableCredentialsProvider) GetProviderName() string { + return "env" +} diff --git a/sdk/auth/credentials/env_credentials_provider_test.go b/sdk/auth/credentials/env_credentials_provider_test.go index b89311dcd4..9e34b84c9f 100644 --- a/sdk/auth/credentials/env_credentials_provider_test.go +++ b/sdk/auth/credentials/env_credentials_provider_test.go @@ -35,4 +35,6 @@ func TestEnvironmentVariableCredentialsProvider(t *testing.T) { assert.Equal(t, "aksecret", cc.AccessKeySecret) assert.Equal(t, "token", cc.SecurityToken) assert.Equal(t, "", cc.BearerToken) + + assert.Equal(t, "env", cc.ProviderName) } diff --git a/sdk/auth/credentials/profile_credentials_provider.go b/sdk/auth/credentials/profile_credentials_provider.go index cbfe465e36..c66eb9ef75 100644 --- a/sdk/auth/credentials/profile_credentials_provider.go +++ b/sdk/auth/credentials/profile_credentials_provider.go @@ -97,11 +97,7 @@ func (provider *ProfileCredentialsProvider) getCredentialsProvider(ini *ini.File return } -func (provider *ProfileCredentialsProvider) GetCredentials() (cc *Credentials, err error) { - if provider.innerProvider != nil { - return provider.innerProvider.GetCredentials() - } - +func (provider *ProfileCredentialsProvider) getIni() (iniInfo *ini.File, err error) { sharedCfgPath := os.Getenv("ALIBABA_CLOUD_CREDENTIALS_FILE") if sharedCfgPath == "" { homeDir := getHomePath() 
@@ -113,16 +109,38 @@ func (provider *ProfileCredentialsProvider) GetCredentials() (cc *Credentials, e sharedCfgPath = path.Join(homeDir, ".alibabacloud/credentials") } - ini, err := ini.Load(sharedCfgPath) + iniInfo, err = ini.Load(sharedCfgPath) if err != nil { err = errors.New("ERROR: Can not open file" + err.Error()) return } - provider.innerProvider, err = provider.getCredentialsProvider(ini) + return +} + +func (provider *ProfileCredentialsProvider) GetCredentials() (cc *Credentials, err error) { + if provider.innerProvider == nil { + var iniInfo *ini.File + iniInfo, err = provider.getIni() + if err != nil { + return + } + + provider.innerProvider, err = provider.getCredentialsProvider(iniInfo) + if err != nil { + return + } + } + + cc, err = provider.innerProvider.GetCredentials() if err != nil { return } - return provider.innerProvider.GetCredentials() + cc.ProviderName = fmt.Sprintf("%s/%s", provider.GetProviderName(), provider.innerProvider.GetProviderName()) + return +} + +func (provider ProfileCredentialsProvider) GetProviderName() string { + return "profile" } diff --git a/sdk/auth/credentials/profile_credentials_provider_test.go b/sdk/auth/credentials/profile_credentials_provider_test.go index 20d3d845ca..1f1149c845 100644 --- a/sdk/auth/credentials/profile_credentials_provider_test.go +++ b/sdk/auth/credentials/profile_credentials_provider_test.go @@ -142,7 +142,13 @@ func TestProfileCredentialsProvider_getCredentialsProvider(t *testing.T) { assert.True(t, ok) cc, err := akcp.GetCredentials() assert.Nil(t, err) - assert.Equal(t, &Credentials{AccessKeyId: "foo", AccessKeySecret: "bar", SecurityToken: "", BearerToken: ""}, cc) + assert.Equal(t, &Credentials{ + AccessKeyId: "foo", + AccessKeySecret: "bar", + SecurityToken: "", + BearerToken: "", + ProviderName: "static_ak"}, + cc) // ecs_ram_role without rolename provider = NewProfileCredentialsProviderBuilder().WithProfileName("noecs").Build() 
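Review bot: `GetProviderName` is declared on a value receiver (`func (provider ProfileCredentialsProvider)`), while the other methods of this type in the patch and every other provider's `GetProviderName` use a pointer receiver. Each call copies the whole struct, and mixing receiver kinds on one type makes the method set differ between `T` and `*T`. Use `func (provider *ProfileCredentialsProvider) GetProviderName() string`.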
@@ -223,10 +229,28 @@ func TestProfileCredentialsProviderGetCredentials(t *testing.T) { provider = NewProfileCredentialsProviderBuilder().Build() cc, err := provider.GetCredentials() assert.Nil(t, err) - assert.Equal(t, &Credentials{AccessKeyId: "foo", AccessKeySecret: "bar", SecurityToken: "", BearerToken: ""}, cc) + assert.Equal(t, &Credentials{ + AccessKeyId: "foo", + AccessKeySecret: "bar", + SecurityToken: "", + BearerToken: "", + ProviderName: "profile/static_ak", + }, cc) // get credentials again cc, err = provider.GetCredentials() assert.Nil(t, err) - assert.Equal(t, &Credentials{AccessKeyId: "foo", AccessKeySecret: "bar", SecurityToken: "", BearerToken: ""}, cc) + assert.Equal(t, &Credentials{ + AccessKeyId: "foo", + AccessKeySecret: "bar", + SecurityToken: "", + BearerToken: "", + ProviderName: "profile/static_ak", + }, cc) + + // the profile ram with invalid ak + provider = NewProfileCredentialsProviderBuilder().WithProfileName("ram").Build() + _, err = provider.GetCredentials() + assert.NotNil(t, err) + assert.Contains(t, err.Error(), "InvalidAccessKeyId.NotFound") }