From 8cdd248c5978aec692bc09aa604ea0c993df26ee Mon Sep 17 00:00:00 2001 From: Jackson Tian Date: Thu, 18 Apr 2024 16:58:59 +0800 Subject: [PATCH] create client by new credential --- config/profile.go | 202 +++++++---------------------------------- config/profile_test.go | 56 ------------ 2 files changed, 35 insertions(+), 223 deletions(-) diff --git a/config/profile.go b/config/profile.go index 7dced9239..013298e03 100644 --- a/config/profile.go +++ b/config/profile.go @@ -27,6 +27,7 @@ import ( "time" "github.com/aliyun/alibaba-cloud-sdk-go/sdk" + "github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth" "github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials" "github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests" "github.com/aliyun/alibaba-cloud-sdk-go/sdk/responses" @@ -401,8 +402,34 @@ func (cp *Profile) GetCredential(ctx *cli.Context) (cred credentialsv2.Credentia return credentialsv2.NewCredential(config) } -func (cp *Profile) GetClient(ctx *cli.Context) (*sdk.Client, error) { +func (cp *Profile) GetClient(ctx *cli.Context) (client *sdk.Client, err error) { + credential, err := cp.GetCredential(ctx) + if err != nil { + return + } + model, err := credential.GetCredential() + if err != nil { + return + } + + var cred auth.Credential + if model.SecurityToken != nil { + cred = credentials.NewStsTokenCredential(*model.AccessKeyId, *model.AccessKeySecret, *model.SecurityToken) + } else { + cred = credentials.NewAccessKeyCredential(*model.AccessKeyId, *model.AccessKeySecret) + } + + if cp.RegionId == "" { + err = fmt.Errorf("default RegionId is empty! run `aliyun configure` first") + return + } + config := sdk.NewConfig() + client, err = sdk.NewClientWithOptions(cp.RegionId, config, cred) + if err != nil { + return + } + // get UserAgent from env config.UserAgent = os.Getenv("ALIYUN_USER_AGENT") @@ -411,81 +438,18 @@ func (cp *Profile) GetClient(ctx *cli.Context) (*sdk.Client, error) { config.WithAutoRetry(true) config.WithMaxRetryTime(cp.RetryCount) } - var client *sdk.Client - var err error - switch cp.Mode { - case AK: - client, err = cp.GetClientByAK(config) - case StsToken: - client, err = cp.GetClientBySts(config) - case RamRoleArn: - client, err = cp.GetClientByRoleArn(config) - case EcsRamRole: - client, err = cp.GetClientByEcsRamRole(config) - case RsaKeyPair: - client, err = cp.GetClientByPrivateKey(config) - case RamRoleArnWithEcs: - client, err = cp.GetClientByRamRoleArnWithEcs(config) - case ChainableRamRoleArn: - return cp.GetClientByChainableRamRoleArn(config, ctx) - case External: - return cp.GetClientByExternal(config, ctx) - case CredentialsURI: - return cp.GetClientByCredentialsURI(config, ctx) - default: - client, err = nil, fmt.Errorf("unexcepted certificate mode: %s", cp.Mode) - } - if client != nil { - if cp.ReadTimeout > 0 { - client.SetReadTimeout(time.Duration(cp.ReadTimeout) * time.Second) - } - if cp.ConnectTimeout > 0 { - client.SetConnectTimeout(time.Duration(cp.ConnectTimeout) * time.Second) - } - if SkipSecureVerify(ctx.Flags()).IsAssigned() { - client.SetHTTPSInsecure(true) - } + if cp.ReadTimeout > 0 { + client.SetReadTimeout(time.Duration(cp.ReadTimeout) * time.Second) } - return client, err -} - -func (cp *Profile) GetClientByAK(config *sdk.Config) (*sdk.Client, error) { - if cp.AccessKeyId == "" || cp.AccessKeySecret == "" { - return nil, fmt.Errorf("AccessKeyId/AccessKeySecret is empty! run `aliyun configure` first") + if cp.ConnectTimeout > 0 { + client.SetConnectTimeout(time.Duration(cp.ConnectTimeout) * time.Second) } - if cp.RegionId == "" { - return nil, fmt.Errorf("default RegionId is empty! run `aliyun configure` first") + if SkipSecureVerify(ctx.Flags()).IsAssigned() { + client.SetHTTPSInsecure(true) } - cred := credentials.NewAccessKeyCredential(cp.AccessKeyId, cp.AccessKeySecret) - client, err := sdk.NewClientWithOptions(cp.RegionId, config, cred) - return client, err -} - -func (cp *Profile) GetClientBySts(config *sdk.Config) (*sdk.Client, error) { - cred := credentials.NewStsTokenCredential(cp.AccessKeyId, cp.AccessKeySecret, cp.StsToken) - client, err := sdk.NewClientWithOptions(cp.RegionId, config, cred) - return client, err -} -func (cp *Profile) GetClientByRoleArn(config *sdk.Config) (*sdk.Client, error) { - cred := credentials.NewRamRoleArnCredential(cp.AccessKeyId, cp.AccessKeySecret, cp.RamRoleArn, cp.RoleSessionName, cp.ExpiredSeconds) - cred.StsRegion = cp.StsRegion - client, err := sdk.NewClientWithOptions(cp.RegionId, config, cred) - return client, err -} - -func (cp *Profile) GetClientByRamRoleArnWithEcs(config *sdk.Config) (*sdk.Client, error) { - client, err := cp.GetClientByEcsRamRole(config) - if err != nil { - return nil, err - } - accessKeyID, accessKeySecret, StsToken, err := cp.GetSessionCredential(client) - if err != nil { - return nil, err - } - cred := credentials.NewStsTokenCredential(accessKeyID, accessKeySecret, StsToken) - return sdk.NewClientWithOptions(cp.RegionId, config, cred) + return } func (cp *Profile) GetSessionCredential(client *sdk.Client) (string, string, string, error) { @@ -523,102 +487,6 @@ func (cp *Profile) GetSessionCredential(client *sdk.Client) (string, string, str return accessKeyID.(string), accessKeySecret.(string), StsToken.(string), nil } -func (cp *Profile) GetClientByEcsRamRole(config *sdk.Config) (*sdk.Client, error) { - cred := credentials.NewEcsRamRoleCredential(cp.RamRoleName) - client, err := sdk.NewClientWithOptions(cp.RegionId, config, cred) - return client, err -} - -func (cp *Profile) GetClientByPrivateKey(config *sdk.Config) (*sdk.Client, error) { - cred := credentials.NewRsaKeyPairCredential(cp.PrivateKey, cp.KeyPairName, cp.ExpiredSeconds) - client, err := sdk.NewClientWithOptions(cp.RegionId, config, cred) - return client, err -} - -func (cp *Profile) GetClientByExternal(config *sdk.Config, ctx *cli.Context) (*sdk.Client, error) { - args := strings.Fields(cp.ProcessCommand) - cmd := exec.Command(args[0], args[1:]...) - buf, err := cmd.CombinedOutput() - if err != nil { - return nil, err - } - err = json.Unmarshal(buf, cp) - if err != nil { - fmt.Println(cp.ProcessCommand) - fmt.Println(string(buf)) - return nil, err - } - return cp.GetClient(ctx) -} - -func (cp *Profile) GetClientByCredentialsURI(config *sdk.Config, ctx *cli.Context) (*sdk.Client, error) { - uri := cp.CredentialsURI - - if uri == "" { - uri = os.Getenv("ALIBABA_CLOUD_CREDENTIALS_URI") - } - - if uri == "" { - return nil, fmt.Errorf("invalid credentials uri") - } - - res, err := http.Get(uri) - if err != nil { - return nil, err - } - - if res.StatusCode != 200 { - return nil, fmt.Errorf("get credentials from %s failed, status code %d", uri, res.StatusCode) - } - - body, err := io.ReadAll(res.Body) - res.Body.Close() - if err != nil { - return nil, err - } - - type Response struct { - Code string - AccessKeyId string - AccessKeySecret string - SecurityToken string - Expiration string - } - var response Response - err = json.Unmarshal(body, &response) - if err != nil { - return nil, fmt.Errorf("unmarshal credentials failed, the body %s", string(body)) - } - - if response.Code != "Success" { - return nil, fmt.Errorf("get sts token err, Code is not Success") - } - - cred := credentials.NewStsTokenCredential(response.AccessKeyId, response.AccessKeySecret, response.SecurityToken) - return sdk.NewClientWithOptions(cp.RegionId, config, cred) -} - -func (cp *Profile) GetClientByChainableRamRoleArn(config *sdk.Config, ctx *cli.Context) (*sdk.Client, error) { - profileName := cp.SourceProfile - - // 从 configuration 中重新获取 source profile - source, loaded := cp.parent.GetProfile(profileName) - if !loaded { - return nil, fmt.Errorf("can not load the source profile: " + profileName) - } - - client, err := source.GetClient(ctx) - if err != nil { - return nil, err - } - accessKeyID, accessKeySecret, StsToken, err := cp.GetSessionCredential(client) - if err != nil { - return nil, err - } - cred := credentials.NewStsTokenCredential(accessKeyID, accessKeySecret, StsToken) - return sdk.NewClientWithOptions(cp.RegionId, config, cred) -} - func IsRegion(region string) bool { if match, _ := regexp.MatchString("^[a-zA-Z0-9-]*$", region); !match { return false diff --git a/config/profile_test.go b/config/profile_test.go index c2a44daaa..d959c7325 100644 --- a/config/profile_test.go +++ b/config/profile_test.go @@ -18,8 +18,6 @@ import ( "os" "testing" - "github.com/aliyun/alibaba-cloud-sdk-go/sdk" - "github.com/aliyun/aliyun-cli/cli" "github.com/stretchr/testify/assert" @@ -389,59 +387,6 @@ func TestGetClient(t *testing.T) { assert.True(t, client.GetHTTPSInsecure()) } -func TestGetClientByAK(t *testing.T) { - actual := newProfile() - config := sdk.NewConfig() - - actual.AccessKeyId = "accessKeyId" - client, err := actual.GetClientByAK(config) - assert.Nil(t, client) - assert.EqualError(t, err, "AccessKeyId/AccessKeySecret is empty! run `aliyun configure` first") - - actual.AccessKeySecret = "accessKeySecret" - client, err = actual.GetClientByAK(config) - assert.Nil(t, client) - assert.EqualError(t, err, "default RegionId is empty! run `aliyun configure` first") - - actual.RegionId = "cn-hangzhou" - client, err = actual.GetClientByAK(config) - assert.Nil(t, err) - assert.NotNil(t, client) -} - -func TestGetClientWithNoError(t *testing.T) { - actual := newProfile() - config := sdk.NewConfig() - - // GetClientBySts - client, err := actual.GetClientBySts(config) - assert.Nil(t, err) - assert.NotNil(t, client) - - // GetClientByRoleArn - client, err = actual.GetClientByRoleArn(config) - assert.Nil(t, err) - assert.NotNil(t, client) - - // GetClientByEcsRamRole - client, err = actual.GetClientByEcsRamRole(config) - assert.Nil(t, err) - assert.NotNil(t, client) - - // GetClientByPrivateKey - client, err = actual.GetClientByPrivateKey(config) - assert.Nil(t, err) - assert.NotNil(t, client) -} - -func TestGetClientByRamRoleArnWithEcs(t *testing.T) { - actual := newProfile() - config := sdk.NewConfig() - client, err := actual.GetClientByRamRoleArnWithEcs(config) - assert.Nil(t, client) - assert.NotNil(t, err) -} - func TestValidateAk(t *testing.T) { actual := newProfile() err := actual.ValidateAK() @@ -484,5 +429,4 @@ func TestAutoModeRecognition(t *testing.T) { p = &Profile{AccessKeyId: "accessKeyID", AccessKeySecret: "accessKeySecret", StsToken: "stsToken", Mode: AK} AutoModeRecognition(p) assert.Equal(t, AK, p.Mode) - }