From 09e2c68ba91779016e7c05c2a48af64889ac4ea8 Mon Sep 17 00:00:00 2001 From: Jackson Tian Date: Mon, 19 Aug 2024 17:40:12 +0800 Subject: [PATCH] refine RAM role arn credentials provider --- credentials/internal/providers/hook.go | 22 ++ credentials/internal/providers/http.go | 90 +++++ .../internal/providers/ram_role_arn.go | 274 ++++++++++++++ .../internal/providers/ram_role_arn_test.go | 355 ++++++++++++++++++ credentials/internal/utils/utils.go | 33 +- 5 files changed, 772 insertions(+), 2 deletions(-) create mode 100644 credentials/internal/providers/hook.go create mode 100644 credentials/internal/providers/http.go create mode 100644 credentials/internal/providers/ram_role_arn.go create mode 100644 credentials/internal/providers/ram_role_arn_test.go diff --git a/credentials/internal/providers/hook.go b/credentials/internal/providers/hook.go new file mode 100644 index 0000000..8248138 --- /dev/null +++ b/credentials/internal/providers/hook.go @@ -0,0 +1,22 @@ +package providers + +import ( + "io" + "net/http" +) + +type newReuqest func(method, url string, body io.Reader) (*http.Request, error) + +var hookNewRequest = func(fn newReuqest) newReuqest { + return fn +} + +type do func(req *http.Request) (*http.Response, error) + +var hookDo = func(fn do) do { + return fn +} + +var hookParse = func(err error) error { + return err +} diff --git a/credentials/internal/providers/http.go b/credentials/internal/providers/http.go new file mode 100644 index 0000000..643cee6 --- /dev/null +++ b/credentials/internal/providers/http.go @@ -0,0 +1,90 @@ +package providers + +import ( + "bytes" + "fmt" + "io/ioutil" + "net/http" + "net/url" + "strconv" + "strings" + "time" + + "github.com/alibabacloud-go/debug/debug" + "github.com/aliyun/credentials-go/credentials/internal/utils" + "github.com/aliyun/credentials-go/credentials/request" + "github.com/aliyun/credentials-go/credentials/response" +) + +var debuglog = debug.Init("credential") + +func mockResponse(statusCode int, content string) (res *http.Response) { + status := strconv.Itoa(statusCode) + res = &http.Response{ + Proto: "HTTP/1.1", + ProtoMajor: 1, + Header: map[string][]string{"sdk": {"test"}}, + StatusCode: statusCode, + Status: status + " " + http.StatusText(statusCode), + } + res.Body = ioutil.NopCloser(bytes.NewReader([]byte(content))) + return +} + +func doAction(request *request.CommonRequest, runtime *utils.Runtime) (content []byte, err error) { + var urlEncoded string + if request.BodyParams != nil { + urlEncoded = utils.GetURLFormedMap(request.BodyParams) + } + httpRequest, err := http.NewRequest(request.Method, request.URL, strings.NewReader(urlEncoded)) + if err != nil { + return + } + httpRequest.Proto = "HTTP/1.1" + httpRequest.Host = request.Domain + debuglog("> %s %s %s", httpRequest.Method, httpRequest.URL.RequestURI(), httpRequest.Proto) + debuglog("> Host: %s", httpRequest.Host) + for key, value := range request.Headers { + if value != "" { + debuglog("> %s: %s", key, value) + httpRequest.Header[key] = []string{value} + } + } + debuglog(">") + httpClient := &http.Client{} + httpClient.Timeout = time.Duration(runtime.ReadTimeout) * time.Second + proxy := &url.URL{} + if runtime.Proxy != "" { + proxy, err = url.Parse(runtime.Proxy) + if err != nil { + return + } + } + trans := &http.Transport{} + if proxy != nil && runtime.Proxy != "" { + trans.Proxy = http.ProxyURL(proxy) + } + trans.DialContext = utils.Timeout(time.Duration(runtime.ConnectTimeout) * time.Second) + httpClient.Transport = trans + httpResponse, err := hookDo(httpClient.Do)(httpRequest) + if err != nil { + return + } + debuglog("< %s %s", httpResponse.Proto, httpResponse.Status) + for key, value := range httpResponse.Header { + debuglog("< %s: %v", key, strings.Join(value, "")) + } + debuglog("<") + + resp := &response.CommonResponse{} + err = hookParse(resp.ParseFromHTTPResponse(httpResponse)) + if err != nil { + return + } + debuglog("%s", resp.GetHTTPContentString()) + if resp.GetHTTPStatus() != http.StatusOK { + err = fmt.Errorf("httpStatus: %d, message = %s", resp.GetHTTPStatus(), resp.GetHTTPContentString()) + return + } + return resp.GetHTTPContentBytes(), nil +} diff --git a/credentials/internal/providers/ram_role_arn.go b/credentials/internal/providers/ram_role_arn.go new file mode 100644 index 0000000..810abe7 --- /dev/null +++ b/credentials/internal/providers/ram_role_arn.go @@ -0,0 +1,274 @@ +package providers + +import ( + "encoding/json" + "errors" + "fmt" + "io/ioutil" + "net/http" + "net/url" + "strconv" + "strings" + "time" + + "github.com/aliyun/credentials-go/credentials/internal/utils" +) + +type assumedRoleUser struct { +} + +type credentials struct { + SecurityToken *string `json:"SecurityToken"` + Expiration *string `json:"Expiration"` + AccessKeySecret *string `json:"AccessKeySecret"` + AccessKeyId *string `json:"AccessKeyId"` +} + +type assumeRoleResponse struct { + RequestID *string `json:"RequestId"` + AssumedRoleUser *assumedRoleUser `json:"AssumedRoleUser"` + Credentials *credentials `json:"Credentials"` +} + +type sessionCredentials struct { + AccessKeyId string + AccessKeySecret string + SecurityToken string + Expiration string +} + +type RAMRoleARNCredentialsProvider struct { + credentialsProvider CredentialsProvider + roleArn string + roleSessionName string + durationSeconds int + policy string + stsRegion string + externalId string + // inner + expirationTimestamp int64 + lastUpdateTimestamp int64 + sessionCredentials *sessionCredentials +} + +type RAMRoleARNCredentialsProviderBuilder struct { + provider *RAMRoleARNCredentialsProvider +} + +func NewRAMRoleARNCredentialsProviderBuilder() *RAMRoleARNCredentialsProviderBuilder { + return &RAMRoleARNCredentialsProviderBuilder{ + provider: &RAMRoleARNCredentialsProvider{}, + } +} + +func (builder *RAMRoleARNCredentialsProviderBuilder) WithCredentialsProvider(credentialsProvider CredentialsProvider) *RAMRoleARNCredentialsProviderBuilder { + builder.provider.credentialsProvider = credentialsProvider + return builder +} + +func (builder *RAMRoleARNCredentialsProviderBuilder) WithRoleArn(roleArn string) *RAMRoleARNCredentialsProviderBuilder { + builder.provider.roleArn = roleArn + return builder +} + +func (builder *RAMRoleARNCredentialsProviderBuilder) WithStsRegion(regionId string) *RAMRoleARNCredentialsProviderBuilder { + builder.provider.stsRegion = regionId + return builder +} + +func (builder *RAMRoleARNCredentialsProviderBuilder) WithRoleSessionName(roleSessionName string) *RAMRoleARNCredentialsProviderBuilder { + builder.provider.roleSessionName = roleSessionName + return builder +} + +func (builder *RAMRoleARNCredentialsProviderBuilder) WithPolicy(policy string) *RAMRoleARNCredentialsProviderBuilder { + builder.provider.policy = policy + return builder +} + +func (builder *RAMRoleARNCredentialsProviderBuilder) WithExternalId(externalId string) *RAMRoleARNCredentialsProviderBuilder { + builder.provider.externalId = externalId + return builder +} + +func (builder *RAMRoleARNCredentialsProviderBuilder) WithDurationSeconds(durationSeconds int) *RAMRoleARNCredentialsProviderBuilder { + builder.provider.durationSeconds = durationSeconds + return builder +} + +func (builder *RAMRoleARNCredentialsProviderBuilder) Build() (provider *RAMRoleARNCredentialsProvider, err error) { + if builder.provider.credentialsProvider == nil { + err = errors.New("must specify a previous credentials provider to asssume role") + return + } + + if builder.provider.roleArn == "" { + err = errors.New("the RoleArn is empty") + return + } + + if builder.provider.roleSessionName == "" { + builder.provider.roleSessionName = "credentials-go-" + strconv.FormatInt(time.Now().UnixNano()/1000, 10) + } + + // duration seconds + if builder.provider.durationSeconds == 0 { + // default to 3600 + builder.provider.durationSeconds = 3600 + } + + if builder.provider.durationSeconds < 900 { + err = errors.New("session duration should be in the range of 900s - max session duration") + return + } + + provider = builder.provider + return +} + +func (provider *RAMRoleARNCredentialsProvider) getCredentials(cc *Credentials) (session *sessionCredentials, err error) { + method := "POST" + var host string + if provider.stsRegion != "" { + host = fmt.Sprintf("sts.%s.aliyuncs.com", provider.stsRegion) + } else { + host = "sts.aliyuncs.com" + } + + queries := make(map[string]string) + queries["Version"] = "2015-04-01" + queries["Action"] = "AssumeRole" + queries["Format"] = "JSON" + queries["Timestamp"] = utils.GetTimeInFormatISO8601() + queries["SignatureMethod"] = "HMAC-SHA1" + queries["SignatureVersion"] = "1.0" + queries["SignatureNonce"] = utils.GetNonce() + queries["AccessKeyId"] = cc.AccessKeyId + if cc.SecurityToken != "" { + queries["SecurityToken"] = cc.SecurityToken + } + + bodyForm := make(map[string]string) + bodyForm["RoleArn"] = provider.roleArn + if provider.policy != "" { + bodyForm["Policy"] = provider.policy + } + if provider.externalId != "" { + bodyForm["ExternalId"] = provider.externalId + } + bodyForm["RoleSessionName"] = provider.roleSessionName + bodyForm["DurationSeconds"] = strconv.Itoa(provider.durationSeconds) + + // caculate signature + signParams := make(map[string]string) + for key, value := range queries { + signParams[key] = value + } + for key, value := range bodyForm { + signParams[key] = value + } + + stringToSign := utils.GetURLFormedMap(signParams) + stringToSign = strings.Replace(stringToSign, "+", "%20", -1) + stringToSign = strings.Replace(stringToSign, "*", "%2A", -1) + stringToSign = strings.Replace(stringToSign, "%7E", "~", -1) + stringToSign = url.QueryEscape(stringToSign) + stringToSign = method + "&%2F&" + stringToSign + secret := cc.AccessKeySecret + "&" + queries["Signature"] = utils.ShaHmac1(stringToSign, secret) + + querystring := utils.GetURLFormedMap(queries) + // do request + httpUrl := fmt.Sprintf("https://%s/?%s", host, querystring) + + body := utils.GetURLFormedMap(bodyForm) + + httpRequest, err := hookNewRequest(http.NewRequest)(method, httpUrl, strings.NewReader(body)) + if err != nil { + return + } + + // set headers + httpRequest.Header["Accept-Encoding"] = []string{"identity"} + httpRequest.Header["Content-Type"] = []string{"application/x-www-form-urlencoded"} + httpRequest.Header["x-credentials-provider"] = []string{cc.ProviderName} + httpClient := &http.Client{} + + httpResponse, err := hookDo(httpClient.Do)(httpRequest) + if err != nil { + return + } + + defer httpResponse.Body.Close() + + responseBody, err := ioutil.ReadAll(httpResponse.Body) + if err != nil { + return + } + + if httpResponse.StatusCode != http.StatusOK { + err = errors.New("refresh session token failed: " + string(responseBody)) + return + } + var data assumeRoleResponse + err = json.Unmarshal(responseBody, &data) + if err != nil { + err = fmt.Errorf("refresh RoleArn sts token err, json.Unmarshal fail: %s", err.Error()) + return + } + if data.Credentials == nil { + err = fmt.Errorf("refresh RoleArn sts token err, fail to get credentials") + return + } + + if data.Credentials.AccessKeyId == nil || data.Credentials.AccessKeySecret == nil || data.Credentials.SecurityToken == nil { + err = fmt.Errorf("refresh RoleArn sts token err, fail to get credentials") + return + } + + session = &sessionCredentials{ + AccessKeyId: *data.Credentials.AccessKeyId, + AccessKeySecret: *data.Credentials.AccessKeySecret, + SecurityToken: *data.Credentials.SecurityToken, + Expiration: *data.Credentials.Expiration, + } + return +} + +func (provider *RAMRoleARNCredentialsProvider) needUpdateCredential() (result bool) { + if provider.expirationTimestamp == 0 { + return true + } + + return provider.expirationTimestamp-time.Now().Unix() <= 180 +} + +func (provider *RAMRoleARNCredentialsProvider) GetCredentials() (cc *Credentials, err error) { + if provider.sessionCredentials == nil || provider.needUpdateCredential() { + // 获取前置凭证 + previousCredentials, err1 := provider.credentialsProvider.GetCredentials() + if err1 != nil { + return nil, err1 + } + sessionCredentials, err2 := provider.getCredentials(previousCredentials) + if err2 != nil { + return nil, err2 + } + + expirationTime, err := time.Parse("2006-01-02T15:04:05Z", sessionCredentials.Expiration) + if err != nil { + return nil, err + } + + provider.expirationTimestamp = expirationTime.Unix() + provider.lastUpdateTimestamp = time.Now().Unix() + provider.sessionCredentials = sessionCredentials + } + + cc = &Credentials{ + AccessKeyId: provider.sessionCredentials.AccessKeyId, + AccessKeySecret: provider.sessionCredentials.AccessKeySecret, + SecurityToken: provider.sessionCredentials.SecurityToken, + } + return +} diff --git a/credentials/internal/providers/ram_role_arn_test.go b/credentials/internal/providers/ram_role_arn_test.go new file mode 100644 index 0000000..0e0bf4d --- /dev/null +++ b/credentials/internal/providers/ram_role_arn_test.go @@ -0,0 +1,355 @@ +package providers + +import ( + "errors" + "io" + "io/ioutil" + "net/http" + "strconv" + "strings" + "testing" + "time" + + "github.com/stretchr/testify/assert" +) + +type errorReader struct { +} + +func (r *errorReader) Read(p []byte) (n int, err error) { + err = errors.New("read failed") + return +} + +func TestNewRAMRoleARNCredentialsProvider(t *testing.T) { + // case 1: no credentials provider + _, err := NewRAMRoleARNCredentialsProviderBuilder(). + Build() + assert.EqualError(t, err, "must specify a previous credentials provider to asssume role") + + // case 2: no role arn + akProvider, err := NewStaticAKCredentialsProviderBuilder(). + WithAccessKeyId("akid"). + WithAccessKeySecret("aksecret"). + Build() + assert.Nil(t, err) + _, err = NewRAMRoleARNCredentialsProviderBuilder(). + WithCredentialsProvider(akProvider). + Build() + assert.EqualError(t, err, "the RoleArn is empty") + + // case 3: check default role session name + p, err := NewRAMRoleARNCredentialsProviderBuilder(). + WithCredentialsProvider(akProvider). + WithRoleArn("roleArn"). + Build() + assert.Nil(t, err) + assert.True(t, strings.HasPrefix(p.roleSessionName, "credentials-go-")) + + // case 4: check default duration seconds + p, err = NewRAMRoleARNCredentialsProviderBuilder(). + WithCredentialsProvider(akProvider). + WithRoleArn("roleArn").Build() + assert.Nil(t, err) + assert.Equal(t, 3600, p.durationSeconds) + + // case 5: check invalid duration seconds + _, err = NewRAMRoleARNCredentialsProviderBuilder(). + WithCredentialsProvider(akProvider). + WithRoleArn("roleArn"). + WithDurationSeconds(100). + Build() + assert.EqualError(t, err, "session duration should be in the range of 900s - max session duration") + + // case 6: check all duration seconds + p, err = NewRAMRoleARNCredentialsProviderBuilder(). + WithCredentialsProvider(akProvider). + WithRoleArn("roleArn"). + WithStsRegion("cn-hangzhou"). + WithPolicy("policy"). + WithExternalId("externalId"). + WithRoleSessionName("rsn"). + WithDurationSeconds(1000). + Build() + assert.Nil(t, err) + assert.Equal(t, "rsn", p.roleSessionName) + assert.Equal(t, "roleArn", p.roleArn) + assert.Equal(t, "policy", p.policy) + assert.Equal(t, "externalId", p.externalId) + assert.Equal(t, "cn-hangzhou", p.stsRegion) + assert.Equal(t, 1000, p.durationSeconds) +} + +func TestRAMRoleARNCredentialsProvider_getCredentials(t *testing.T) { + akProvider, err := NewStaticAKCredentialsProviderBuilder(). + WithAccessKeyId("akid"). + WithAccessKeySecret("aksecret"). + Build() + assert.Nil(t, err) + p, err := NewRAMRoleARNCredentialsProviderBuilder(). + WithCredentialsProvider(akProvider). + WithRoleArn("roleArn"). + WithRoleSessionName("rsn"). + WithDurationSeconds(1000). + Build() + assert.Nil(t, err) + + cc, err := akProvider.GetCredentials() + assert.Nil(t, err) + + originNewRequest := hookNewRequest + defer func() { hookNewRequest = originNewRequest }() + + // case 1: mock new http request failed + hookNewRequest = func(fn newReuqest) newReuqest { + return func(method, url string, body io.Reader) (*http.Request, error) { + return nil, errors.New("new http request failed") + } + } + _, err = p.getCredentials(cc) + assert.NotNil(t, err) + assert.Equal(t, "new http request failed", err.Error()) + // reset new request + hookNewRequest = originNewRequest + + originDo := hookDo + defer func() { hookDo = originDo }() + + // case 2: server error + hookDo = func(fn do) do { + return func(req *http.Request) (res *http.Response, err error) { + err = errors.New("mock server error") + return + } + } + _, err = p.getCredentials(cc) + assert.NotNil(t, err) + assert.Equal(t, "mock server error", err.Error()) + + // case 3: mock read response error + hookDo = func(fn do) do { + return func(req *http.Request) (res *http.Response, err error) { + status := strconv.Itoa(200) + res = &http.Response{ + Proto: "HTTP/1.1", + ProtoMajor: 1, + Header: map[string][]string{}, + StatusCode: 200, + Status: status + " " + http.StatusText(200), + } + res.Body = ioutil.NopCloser(&errorReader{}) + return + } + } + _, err = p.getCredentials(cc) + assert.NotNil(t, err) + assert.Equal(t, "read failed", err.Error()) + + // case 4: 4xx error + hookDo = func(fn do) do { + return func(req *http.Request) (res *http.Response, err error) { + res = mockResponse(400, "4xx error") + return + } + } + _, err = p.getCredentials(cc) + assert.NotNil(t, err) + assert.Equal(t, "refresh session token failed: 4xx error", err.Error()) + + // case 5: invalid json + hookDo = func(fn do) do { + return func(req *http.Request) (res *http.Response, err error) { + res = mockResponse(200, "invalid json") + return + } + } + _, err = p.getCredentials(cc) + assert.NotNil(t, err) + assert.Equal(t, "refresh RoleArn sts token err, json.Unmarshal fail: invalid character 'i' looking for beginning of value", err.Error()) + + // case 6: empty response json + hookDo = func(fn do) do { + return func(req *http.Request) (res *http.Response, err error) { + res = mockResponse(200, "null") + return + } + } + _, err = p.getCredentials(cc) + assert.NotNil(t, err) + assert.Equal(t, "refresh RoleArn sts token err, fail to get credentials", err.Error()) + + // case 7: empty session ak response json + hookDo = func(fn do) do { + return func(req *http.Request) (res *http.Response, err error) { + res = mockResponse(200, `{"Credentials": {}}`) + return + } + } + _, err = p.getCredentials(cc) + assert.NotNil(t, err) + assert.Equal(t, "refresh RoleArn sts token err, fail to get credentials", err.Error()) + + // case 8: mock ok value + hookDo = func(fn do) do { + return func(req *http.Request) (res *http.Response, err error) { + res = mockResponse(200, `{"Credentials": {"AccessKeyId":"saki","AccessKeySecret":"saks","Expiration":"2021-10-20T04:27:09Z","SecurityToken":"token"}}`) + return + } + } + creds, err := p.getCredentials(cc) + assert.Nil(t, err) + assert.Equal(t, "saki", creds.AccessKeyId) + assert.Equal(t, "saks", creds.AccessKeySecret) + assert.Equal(t, "token", creds.SecurityToken) + assert.Equal(t, "2021-10-20T04:27:09Z", creds.Expiration) + + // needUpdateCredential + assert.True(t, p.needUpdateCredential()) + p.expirationTimestamp = time.Now().Unix() + assert.True(t, p.needUpdateCredential()) + + p.expirationTimestamp = time.Now().Unix() + 300 + assert.False(t, p.needUpdateCredential()) +} + +func TestRAMRoleARNCredentialsProvider_getCredentialsWithRequestCheck(t *testing.T) { + originDo := hookDo + defer func() { hookDo = originDo }() + + stsProvider, err := NewStaticSTSCredentialsProviderBuilder(). + WithAccessKeyId("akid"). + WithAccessKeySecret("aksecret"). + WithSecurityToken("ststoken"). + Build() + assert.Nil(t, err) + p, err := NewRAMRoleARNCredentialsProviderBuilder(). + WithCredentialsProvider(stsProvider). + WithRoleArn("roleArn"). + WithRoleSessionName("rsn"). + WithDurationSeconds(1000). + WithPolicy("policy"). + WithStsRegion("cn-beijing"). + WithExternalId("externalId"). + Build() + assert.Nil(t, err) + + // case 1: server error + hookDo = func(fn do) do { + return func(req *http.Request) (res *http.Response, err error) { + assert.Equal(t, "sts.cn-beijing.aliyuncs.com", req.Host) + assert.Contains(t, req.URL.String(), "SecurityToken=ststoken") + body, err := ioutil.ReadAll(req.Body) + assert.Nil(t, err) + bodyString := string(body) + assert.Contains(t, bodyString, "Policy=policy") + assert.Contains(t, bodyString, "RoleArn=roleArn") + assert.Contains(t, bodyString, "RoleSessionName=rsn") + assert.Contains(t, bodyString, "DurationSeconds=1000") + + err = errors.New("mock server error") + return + } + } + + cc, err := stsProvider.GetCredentials() + assert.Nil(t, err) + _, err = p.getCredentials(cc) + assert.NotNil(t, err) + assert.Equal(t, "mock server error", err.Error()) +} + +type errorCredentialsProvider struct { +} + +func (p *errorCredentialsProvider) GetCredentials() (cc *Credentials, err error) { + err = errors.New("get credentials failed") + return +} + +func (p *errorCredentialsProvider) GetProviderName() string { + return "error_credentials_provider" +} + +func TestRAMRoleARNCredentialsProviderGetCredentials(t *testing.T) { + originDo := hookDo + defer func() { hookDo = originDo }() + + // case 0: get previous credentials failed + p, err := NewRAMRoleARNCredentialsProviderBuilder(). + WithCredentialsProvider(&errorCredentialsProvider{}). + WithRoleArn("roleArn"). + WithRoleSessionName("rsn"). + WithDurationSeconds(1000). + Build() + assert.Nil(t, err) + _, err = p.GetCredentials() + assert.Equal(t, "get credentials failed", err.Error()) + + akProvider, err := NewStaticAKCredentialsProviderBuilder(). + WithAccessKeyId("akid"). + WithAccessKeySecret("aksecret"). + Build() + assert.Nil(t, err) + + p, err = NewRAMRoleARNCredentialsProviderBuilder(). + WithCredentialsProvider(akProvider). + WithRoleArn("roleArn"). + WithRoleSessionName("rsn"). + WithDurationSeconds(1000). + Build() + assert.Nil(t, err) + + // case 1: get credentials failed + hookDo = func(fn do) do { + return func(req *http.Request) (res *http.Response, err error) { + err = errors.New("mock server error") + return + } + } + _, err = p.GetCredentials() + assert.NotNil(t, err) + assert.Equal(t, "mock server error", err.Error()) + + // case 2: get invalid expiration + hookDo = func(fn do) do { + return func(req *http.Request) (res *http.Response, err error) { + res = mockResponse(200, `{"Credentials": {"AccessKeyId":"akid","AccessKeySecret":"aksecret","Expiration":"invalidexpiration","SecurityToken":"ststoken"}}`) + return + } + } + _, err = p.GetCredentials() + assert.NotNil(t, err) + assert.Equal(t, "parsing time \"invalidexpiration\" as \"2006-01-02T15:04:05Z\": cannot parse \"invalidexpiration\" as \"2006\"", err.Error()) + + // case 3: happy result + hookDo = func(fn do) do { + return func(req *http.Request) (res *http.Response, err error) { + res = mockResponse(200, `{"Credentials": {"AccessKeyId":"akid","AccessKeySecret":"aksecret","Expiration":"2021-10-20T04:27:09Z","SecurityToken":"ststoken"}}`) + return + } + } + cc, err := p.GetCredentials() + assert.Nil(t, err) + assert.Equal(t, "akid", cc.AccessKeyId) + assert.Equal(t, "aksecret", cc.AccessKeySecret) + assert.Equal(t, "ststoken", cc.SecurityToken) + assert.True(t, p.needUpdateCredential()) +} + +func TestRAMRoleARNCredentialsProviderGetCredentialsWithError(t *testing.T) { + akProvider, err := NewStaticAKCredentialsProviderBuilder(). + WithAccessKeyId("akid"). + WithAccessKeySecret("aksecret"). + Build() + assert.Nil(t, err) + p, err := NewRAMRoleARNCredentialsProviderBuilder(). + WithCredentialsProvider(akProvider). + WithRoleArn("roleArn"). + WithRoleSessionName("rsn"). + WithDurationSeconds(1000). + Build() + assert.Nil(t, err) + _, err = p.GetCredentials() + assert.NotNil(t, err) + assert.Contains(t, err.Error(), "InvalidAccessKeyId.NotFound") +} diff --git a/credentials/internal/utils/utils.go b/credentials/internal/utils/utils.go index 7468407..3337750 100644 --- a/credentials/internal/utils/utils.go +++ b/credentials/internal/utils/utils.go @@ -1,6 +1,7 @@ package utils import ( + "bytes" "crypto" "crypto/hmac" "crypto/md5" @@ -10,10 +11,14 @@ import ( "crypto/x509" "encoding/base64" "encoding/hex" + "fmt" "hash" "io" - rand2 "math/rand" + mathrand "math/rand" "net/url" + "runtime" + "strconv" + "sync/atomic" "time" ) @@ -40,7 +45,7 @@ func GetUUID() (uuidHex string) { func RandStringBytes(n int) string { b := make([]byte, n) for i := range b { - b[i] = letterBytes[rand2.Intn(len(letterBytes))] + b[i] = letterBytes[mathrand.Intn(len(letterBytes))] } return string(b) } @@ -144,3 +149,27 @@ func (u uuid) String() string { return string(buf) } + +var processStartTime int64 = time.Now().UnixNano() / 1e6 +var seqId int64 = 0 + +func getGID() uint64 { + // https://blog.sgmansfield.com/2015/12/goroutine-ids/ + b := make([]byte, 64) + b = b[:runtime.Stack(b, false)] + b = bytes.TrimPrefix(b, []byte("goroutine ")) + b = b[:bytes.IndexByte(b, ' ')] + n, _ := strconv.ParseUint(string(b), 10, 64) + return n +} + +func GetNonce() (uuidHex string) { + routineId := getGID() + currentTime := time.Now().UnixNano() / 1e6 + seq := atomic.AddInt64(&seqId, 1) + randNum := mathrand.Int63() + msg := fmt.Sprintf("%d-%d-%d-%d-%d", processStartTime, routineId, currentTime, seq, randNum) + h := md5.New() + h.Write([]byte(msg)) + return hex.EncodeToString(h.Sum(nil)) +}