kubernetes-sigs · mowangdk · Feb 27, 2024 · Feb 26, 2024
diff --git a/pkg/utils/auth.go b/pkg/utils/auth.go
@@ -18,14 +18,11 @@ package utils
 
 import (
 	"bytes"
-	"crypto/aes"
-	"crypto/cipher"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
-	"encoding/base64"
 	"encoding/json"
 	"encoding/pem"
 	"errors"
@@ -36,6 +33,7 @@ import (
 	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials/provider"
 	"github.com/emirpasic/gods/sets/hashset"
 	oidc "github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/auth"
+	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/utils/crypto"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc/credentials"
 	"io/ioutil"
@@ -380,7 +378,7 @@ func getStsToken() AccessControl {
 
 // GetManagedToken get ak from csi secret
 func getManagedToken() (tokens ManageTokens) {
-	var akInfo AKInfo
+	var akInfo crypto.RamToken
 	if _, err := os.Stat(ConfigPath); err == nil {
 		encodeTokenCfg, err := ioutil.ReadFile(ConfigPath)
 		if err != nil {
@@ -389,89 +387,21 @@ func getManagedToken() (tokens ManageTokens) {
 		}
 		err = json.Unmarshal(encodeTokenCfg, &akInfo)
 		if err != nil {
-			log.Errorf("error unmarshal token config: %v", err)
+			log.Errorf("failed to unmarshal token config: %v", err)
 			return ManageTokens{}
 		}
-		keyring := akInfo.Keyring
-		ak, err := Decrypt(akInfo.AccessKeyID, []byte(keyring))
+		newToken, err := crypto.RamTokenDecrypt(&akInfo)
 		if err != nil {
-			log.Errorf("failed to decode ak, err: %v", err)
+			log.Errorf("failed to decrypt new token: %v", err)
 			return ManageTokens{}
 		}
-
-		sk, err := Decrypt(akInfo.AccessKeySecret, []byte(keyring))
-		if err != nil {
-			log.Errorf("failed to decode sk, err: %v", err)
-			return ManageTokens{}
-		}
-
-		token, err := Decrypt(akInfo.SecurityToken, []byte(keyring))
-		if err != nil {
-			log.Errorf("failed to decode token, err: %v", err)
-			return ManageTokens{}
-		}
-		layout := "2006-01-02T15:04:05Z"
-		t, err := time.Parse(layout, akInfo.Expiration)
-		if err != nil {
-			log.Errorf("Parse expiration error: %s", err.Error())
-		}
-		if t.Before(time.Now()) {
-			log.Errorf("invalid token which is expired, expiration as: %s", akInfo.Expiration)
-		}
-		tokens.AccessKeyID = string(ak)
-		tokens.AccessKeySecret = string(sk)
-		tokens.SecurityToken = string(token)
-
-		if akInfo.RoleAccessKeyID != "" && akInfo.RoleAccessKeySecret != "" {
-			roleAK, err := Decrypt(akInfo.RoleAccessKeyID, []byte(keyring))
-			if err != nil {
-				log.Errorf("failed to decode role ak, err: %v", err)
-				return ManageTokens{}
-			}
-			roleSK, err := Decrypt(akInfo.RoleAccessKeySecret, []byte(keyring))
-			if err != nil {
-				log.Errorf("failed to decode role sk, err : %v", err)
-				return ManageTokens{}
-			}
-			tokens.RoleAccessKeyID = string(roleAK)
-			tokens.RoleAccessKeySecret = string(roleSK)
-		}
-		tokens.RoleArn = akInfo.RoleArn
+		tokens.AccessKeyID = newToken.AccessKeyId
+		tokens.AccessKeySecret = newToken.AccessKeySecret
+		tokens.SecurityToken = newToken.SecurityToken
 	}
 	return tokens
 }
 
-// PKCS5UnPadding get pkc
-func PKCS5UnPadding(origData []byte) []byte {
-	length := len(origData)
-	unpadding := int(origData[length-1])
-	return origData[:(length - unpadding)]
-}
-
-// Decrypt secret Decrypt
-func Decrypt(s string, keyring []byte) ([]byte, error) {
-	cdata, err := base64.StdEncoding.DecodeString(s)
-	if err != nil {
-		log.Errorf("failed to decode base64 string, err: %v", err)
-		return nil, err
-	}
-	block, err := aes.NewCipher(keyring)
-	if err != nil {
-		log.Errorf("failed to new cipher, err: %v", err)
-		return nil, err
-	}
-	blockSize := block.BlockSize()
-
-	iv := cdata[:blockSize]
-	blockMode := cipher.NewCBCDecrypter(block, iv)
-	origData := make([]byte, len(cdata)-blockSize)
-
-	blockMode.CryptBlocks(origData, cdata[blockSize:])
-
-	origData = PKCS5UnPadding(origData)
-	return origData, nil
-}
-
 // GetDefaultRoleAK  返回角色扮演账号AK, SK, role arn
 func GetDefaultRoleAK() AccessControl {
 	roleAccessKeyID, roleAccessKeySecret, roleArn := os.Getenv("ROLE_ACCESS_KEY_ID"), os.Getenv("ROLE_ACCESS_KEY_SECRET"), os.Getenv("ROLE_ARN")

diff --git a/pkg/utils/crypto/aes.go b/pkg/utils/crypto/aes.go
@@ -0,0 +1,31 @@
+package crypto
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+)
+
+func Decrypt(cdata []byte, keyring []byte) ([]byte, error) {
+
+	block, err := aes.NewCipher(keyring)
+
+	if err != nil {
+		return nil, err
+	}
+	blockSize := block.BlockSize()
+
+	iv := cdata[:blockSize]
+	blockMode := cipher.NewCBCDecrypter(block, iv)
+	origData := make([]byte, len(cdata)-blockSize)
+
+	blockMode.CryptBlocks(origData, cdata[blockSize:])
+
+	origData = PKCS5UnPadding(origData)
+	return origData, nil
+}
+
+func PKCS5UnPadding(origData []byte) []byte {
+	length := len(origData)
+	unpadding := int(origData[length-1])
+	return origData[:(length - unpadding)]
+}
diff --git a/pkg/utils/crypto/ramtoken.go b/pkg/utils/crypto/ramtoken.go
@@ -0,0 +1,63 @@
+package crypto
+
+import (
+	"encoding/base64"
+	"errors"
+)
+
+type RamToken struct {
+	AccessKeyId     string `json:"access.key.id"`
+	AccessKeySecret string `json:"access.key.secret"`
+	SecurityToken   string `json:"security.token"`
+	Expiration      string `json:"expiration"`
+	Keyring         string `json:"keyring"`
+	ClusterType     string `json:"cluster.type"`
+}
+
+func RamTokenDecrypt(token *RamToken) (*RamToken, error) {
+	if token == nil || token.AccessKeyId == "" || token.AccessKeySecret == "" || token.Keyring == "" {
+		return nil, errors.New("invalid token")
+	}
+	rk := token.Keyring
+	var err error
+	newToken := &RamToken{
+		Keyring:     token.Keyring,
+		ClusterType: token.ClusterType,
+		Expiration:  token.Expiration,
+	}
+
+	// accessKeyId
+	encryptedAccessKeyId, err := base64.StdEncoding.DecodeString(token.AccessKeyId)
+	if err != nil {
+		return nil, err
+	}
+	accessKeyIdData, err := Decrypt(encryptedAccessKeyId, []byte(rk))
+	if err != nil {
+		return nil, err
+	}
+	newToken.AccessKeyId = string(accessKeyIdData)
+
+	// accessKeySecret
+	encryptedAccessKeySecret, err := base64.StdEncoding.DecodeString(token.AccessKeySecret)
+	if err != nil {
+		return nil, err
+	}
+	accessKeySecretData, err := Decrypt(encryptedAccessKeySecret, []byte(rk))
+	if err != nil {
+		return nil, err
+	}
+	newToken.AccessKeySecret = string(accessKeySecretData)
+
+	// securityToken
+	encryptedSecurityToken, err := base64.StdEncoding.DecodeString(token.SecurityToken)
+	if err != nil {
+		return nil, err
+	}
+	securityTokenData, err := Decrypt(encryptedSecurityToken, []byte(rk))
+	if err != nil {
+		return nil, err
+	}
+	newToken.SecurityToken = string(securityTokenData)
+
+	return newToken, nil
+}