Add real credentials provider

aliyun · Jul 30, 2024 · 5c982e0 · 5c982e0
1 parent 521f688
commit 5c982e0
Show file tree

Hide file tree

Showing 10 changed files with 314 additions and 79 deletions.
diff --git a/sdk/auth/credential.go b/sdk/auth/credential.go
@@ -14,5 +14,65 @@
 
 package auth
 
+import (
+	"fmt"
+	"reflect"
+
+	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials"
+	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/errors"
+)
+
 type Credential interface {
 }
+
+func ToCredentialsProvider(credential Credential) (provider credentials.CredentialsProvider, err error) {
+	switch instance := credential.(type) {
+	case *credentials.AccessKeyCredential:
+		{
+			provider = credentials.NewStaticAKCredentialsProvider(instance.AccessKeyId, instance.AccessKeySecret)
+			return
+		}
+	case *credentials.StsTokenCredential:
+		{
+			provider = credentials.NewStaticSTSCredentialsProvider(instance.AccessKeyId, instance.AccessKeySecret, instance.AccessKeyStsToken)
+			return
+		}
+	case *credentials.BearerTokenCredential:
+		{
+			provider = credentials.NewBearerTokenCredentialsProvider(instance.BearerToken)
+			return
+		}
+	case *credentials.RamRoleArnCredential:
+		{
+			preProvider := credentials.NewStaticAKCredentialsProvider(instance.AccessKeyId, instance.AccessKeySecret)
+			provider = credentials.NewRAMRoleARNCredentialsProvider(
+				preProvider,
+				instance.RoleArn,
+				instance.RoleSessionName,
+				instance.RoleSessionExpiration,
+				instance.Policy,
+				instance.StsRegion,
+				instance.ExternalId)
+			return
+		}
+	case *credentials.RsaKeyPairCredential:
+		{
+			provider = credentials.NewRSAKeyPairCredentialsProvider(instance.PublicKeyId, instance.PrivateKey, instance.SessionExpiration)
+			return
+		}
+	case *credentials.EcsRamRoleCredential:
+		{
+			provider = credentials.NewECSRAMRoleCredentialsProvider(instance.RoleName)
+			return
+		}
+	case credentials.CredentialsProvider:
+		{
+			provider = instance
+			return
+		}
+	default:
+		message := fmt.Sprintf(errors.UnsupportedCredentialErrorMessage, reflect.TypeOf(credential))
+		err = errors.NewClientError(errors.UnsupportedCredentialErrorCode, message, nil)
+	}
+	return
+}
diff --git a/sdk/auth/credentials/credentials.go b/sdk/auth/credentials/credentials.go
@@ -0,0 +1,139 @@
+package credentials
+
+type Credentials struct {
+	AccessKeyId     string
+	AccessKeySecret string
+	SecurityToken   string
+	BearerToken     string
+}
+
+type CredentialsProvider interface {
+	GetCredentials() (cc *Credentials, err error)
+}
+
+type StaticAKCredentialsProvider struct {
+	AccessKeyId     string
+	AccessKeySecret string
+}
+
+func NewStaticAKCredentialsProvider(accessKeyId, accessKeySecret string) *StaticAKCredentialsProvider {
+	return &StaticAKCredentialsProvider{
+		AccessKeyId:     accessKeyId,
+		AccessKeySecret: accessKeySecret,
+	}
+}
+
+func (provider *StaticAKCredentialsProvider) GetCredentials() (cc *Credentials, err error) {
+	cc = &Credentials{
+		AccessKeyId:     provider.AccessKeyId,
+		AccessKeySecret: provider.AccessKeySecret,
+	}
+	return
+}
+
+type StaticSTSCredentialsProvider struct {
+	AccessKeyId     string
+	AccessKeySecret string
+	SecurityToken   string
+}
+
+func NewStaticSTSCredentialsProvider(accessKeyId, accessKeySecret, securityToken string) *StaticSTSCredentialsProvider {
+	return &StaticSTSCredentialsProvider{
+		AccessKeyId:     accessKeyId,
+		AccessKeySecret: accessKeySecret,
+		SecurityToken:   securityToken,
+	}
+}
+
+func (provider *StaticSTSCredentialsProvider) GetCredentials() (cc *Credentials, err error) {
+	cc = &Credentials{
+		AccessKeyId:     provider.AccessKeyId,
+		AccessKeySecret: provider.AccessKeySecret,
+		SecurityToken:   provider.SecurityToken,
+	}
+	return
+}
+
+type BearerTokenCredentialsProvider struct {
+	BearerToken string
+}
+
+func NewBearerTokenCredentialsProvider(bearerToken string) *BearerTokenCredentialsProvider {
+	return &BearerTokenCredentialsProvider{
+		BearerToken: bearerToken,
+	}
+}
+
+func (provider *BearerTokenCredentialsProvider) GetCredentials() (cc *Credentials, err error) {
+	cc = &Credentials{
+		BearerToken: provider.BearerToken,
+	}
+	return
+}
+
+type RSAKeyPairCredentialsProvider struct {
+	PublicKeyId       string
+	PrivateKeyId      string
+	sessionExpiration int
+}
+
+func NewRSAKeyPairCredentialsProvider(publicKeyId, privateKeyId string, sessionExpiration int) *RSAKeyPairCredentialsProvider {
+	return &RSAKeyPairCredentialsProvider{
+		PublicKeyId:       publicKeyId,
+		PrivateKeyId:      privateKeyId,
+		sessionExpiration: sessionExpiration,
+	}
+}
+
+func (provider *RSAKeyPairCredentialsProvider) GetCredentials() (cc *Credentials, err error) {
+	cc = &Credentials{
+		// TODO:
+	}
+	return
+}
+
+type RAMRoleARNCredentialsProvider struct {
+	credentialsProvider   CredentialsProvider
+	RoleArn               string
+	RoleSessionName       string
+	RoleSessionExpiration int
+	Policy                string
+	StsRegion             string
+	ExternalId            string
+}
+
+func NewRAMRoleARNCredentialsProvider(credentialsProvider CredentialsProvider, roleArn, roleSessionName string, roleSessionExpiration int, policy, stsRegion, externalId string) *RAMRoleARNCredentialsProvider {
+	return &RAMRoleARNCredentialsProvider{
+		credentialsProvider:   credentialsProvider,
+		RoleArn:               roleArn,
+		RoleSessionName:       roleSessionName,
+		RoleSessionExpiration: roleSessionExpiration,
+		Policy:                policy,
+		StsRegion:             stsRegion,
+		ExternalId:            externalId,
+	}
+}
+
+func (provider *RAMRoleARNCredentialsProvider) GetCredentials() (cc *Credentials, err error) {
+	cc = &Credentials{
+		// TODO:
+	}
+	return
+}
+
+type ECSRAMRoleCredentialsProvider struct {
+	RoleName string
+}
+
+func NewECSRAMRoleCredentialsProvider(roleName string) *ECSRAMRoleCredentialsProvider {
+	return &ECSRAMRoleCredentialsProvider{
+		RoleName: roleName,
+	}
+}
+
+func (provider *ECSRAMRoleCredentialsProvider) GetCredentials() (cc *Credentials, err error) {
+	cc = &Credentials{
+		// TODO:
+	}
+	return
+}
diff --git a/sdk/auth/roa_signature_composer.go b/sdk/auth/roa_signature_composer.go
@@ -19,6 +19,7 @@ import (
 	"sort"
 	"strings"
 
+	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials"
 	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests"
 	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/utils"
 )
@@ -33,43 +34,35 @@ func init() {
 	debug = utils.Init("sdk")
 }
 
-func signRoaRequest(request requests.AcsRequest, signer Signer) (err error) {
+func signRoaRequest(request requests.AcsRequest, signer Signer, credentialsProvider credentials.CredentialsProvider) (err error) {
 	// 先获取 accesskey，确保刷新 credential
-	accessKeyId, err := signer.GetAccessKeyId()
+	cc, err := credentialsProvider.GetCredentials()
 	if err != nil {
 		return err
 	}
 
-	completeROASignParams(request, signer)
+	completeROASignParams(request, signer, cc)
 	stringToSign := buildRoaStringToSign(request)
 	request.SetStringToSign(stringToSign)
 
 	signature := signer.Sign(stringToSign, "")
-	request.GetHeaders()["Authorization"] = "acs " + accessKeyId + ":" + signature
+	request.GetHeaders()["Authorization"] = "acs " + cc.AccessKeyId + ":" + signature
 
 	return
 }
 
-func completeROASignParams(request requests.AcsRequest, signer Signer) {
+func completeROASignParams(request requests.AcsRequest, signer Signer, cc *credentials.Credentials) {
 	headerParams := request.GetHeaders()
 
 	// complete query params
-	queryParams := request.GetQueryParams()
-	//if _, ok := queryParams["RegionId"]; !ok {
-	//	queryParams["RegionId"] = regionId
-	//}
-	if extraParam := signer.GetExtraParam(); extraParam != nil {
-		for key, value := range extraParam {
-			if key == "SecurityToken" {
-				headerParams["x-acs-security-token"] = value
-				continue
-			}
-			if key == "BearerToken" {
-				headerParams["x-acs-bearer-token"] = value
-				continue
-			}
-			queryParams[key] = value
-		}
+	request.GetQueryParams()
+
+	if cc.SecurityToken != "" {
+		headerParams["x-acs-security-token"] = cc.SecurityToken
+	}
+
+	if cc.BearerToken != "" {
+		headerParams["x-acs-bearer-token"] = cc.BearerToken
 	}
 
 	// complete header params

diff --git a/sdk/auth/roa_signature_composer_test.go b/sdk/auth/roa_signature_composer_test.go
@@ -46,7 +46,10 @@ func TestRoaSignatureComposer(t *testing.T) {
 	origTestHookGetDate := hookGetDate
 	defer func() { hookGetDate = origTestHookGetDate }()
 	hookGetDate = mockDate
-	signRoaRequest(request, signer)
+
+	provider, err := ToCredentialsProvider(c)
+	assert.Nil(t, err)
+	signRoaRequest(request, signer, provider)
 	assert.Equal(t, "mock date", request.GetHeaders()["Date"])
 	assert.Equal(t, "acs accessKeyId:degLHXLEN6rMojj+bOlK74U9iic=", request.GetHeaders()["Authorization"])
 }
@@ -63,7 +66,10 @@ func TestRoaSignatureComposer2(t *testing.T) {
 	origTestHookLookupIP := hookGetDate
 	defer func() { hookGetDate = origTestHookLookupIP }()
 	hookGetDate = mockDate
-	signRoaRequest(request, signer)
+
+	provider, err := ToCredentialsProvider(c)
+	assert.Nil(t, err)
+	signRoaRequest(request, signer, provider)
 	assert.Equal(t, "application/x-www-form-urlencoded", request.GetHeaders()["Content-Type"])
 	assert.Equal(t, "mock date", request.GetHeaders()["Date"])
 	assert.Equal(t, "application/xml", request.GetHeaders()["Accept"])
@@ -81,20 +87,34 @@ func TestRoaSignatureComposer3(t *testing.T) {
 	origTestHookGetDate := hookGetDate
 	defer func() { hookGetDate = origTestHookGetDate }()
 	hookGetDate = mockDate
-	signRoaRequest(request, signer)
+
+	provider, err := ToCredentialsProvider(c)
+	assert.Nil(t, err)
+	signRoaRequest(request, signer, provider)
 	assert.Equal(t, "mock date", request.GetHeaders()["Date"])
 }
 
 func TestCompleteROASignParams(t *testing.T) {
 	req := requests.NewCommonRequest()
 	req.TransToAcsRequest()
-	sign := signers.NewBearerTokenSigner(credentials.NewBearerTokenCredential("Bearer.Token"))
-	completeROASignParams(req, sign)
+	c := credentials.NewBearerTokenCredential("Bearer.Token")
+	sign := signers.NewBearerTokenSigner(c)
+	provider, err := ToCredentialsProvider(c)
+	assert.Nil(t, err)
+	cc, err := provider.GetCredentials()
+	assert.Nil(t, err)
+
+	completeROASignParams(req, sign, cc)
 	head := req.GetHeaders()
 	assert.Equal(t, "Bearer.Token", head["x-acs-bearer-token"])
 
-	sign1 := signers.NewStsTokenSigner(credentials.NewStsTokenCredential("accessKeyId", "accessKeySecret", "accessKeyStsToken"))
-	completeROASignParams(req, sign1)
+	stc := credentials.NewStsTokenCredential("accessKeyId", "accessKeySecret", "accessKeyStsToken")
+	sign1 := signers.NewStsTokenSigner(stc)
+	provider, err = ToCredentialsProvider(stc)
+	assert.Nil(t, err)
+	cc, err = provider.GetCredentials()
+	assert.Nil(t, err)
+	completeROASignParams(req, sign1, cc)
 	head = req.GetHeaders()
 	assert.Equal(t, "accessKeyStsToken", head["x-acs-security-token"])
 }