use internal static_ak/static_sts credentials provider

aliyun · Aug 19, 2024 · cd6b32d · cd6b32d
1 parent 3589f7b
commit cd6b32d
Show file tree

Hide file tree

Showing 11 changed files with 386 additions and 214 deletions.
diff --git a/credentials/credential.go b/credentials/credential.go
@@ -12,6 +12,7 @@ import (
 
 	"github.com/alibabacloud-go/debug/debug"
 	"github.com/alibabacloud-go/tea/tea"
+	"github.com/aliyun/credentials-go/credentials/internal/providers"
 	"github.com/aliyun/credentials-go/credentials/internal/utils"
 	"github.com/aliyun/credentials-go/credentials/request"
 	"github.com/aliyun/credentials-go/credentials/response"
@@ -231,22 +232,26 @@ func NewCredential(config *Config) (credential Credential, err error) {
 			return
 		}
 	case "access_key":
-		err = checkAccessKey(config)
+		provider, err := providers.NewStaticAKCredentialsProviderBuilder().
+			WithAccessKeyId(tea.StringValue(config.AccessKeyId)).
+			WithAccessKeySecret(tea.StringValue(config.AccessKeySecret)).
+			Build()
 		if err != nil {
-			return
+			return nil, err
 		}
-		credential = newAccessKeyCredential(
-			tea.StringValue(config.AccessKeyId),
-			tea.StringValue(config.AccessKeySecret))
+
+		credential = fromCredentialsProvider("access_key", provider)
 	case "sts":
-		err = checkSTS(config)
+		provider, err := providers.NewStaticSTSCredentialsProviderBuilder().
+			WithAccessKeyId(tea.StringValue(config.AccessKeyId)).
+			WithAccessKeySecret(tea.StringValue(config.AccessKeySecret)).
+			WithSecurityToken(tea.StringValue(config.SecurityToken)).
+			Build()
 		if err != nil {
-			return
+			return nil, err
 		}
-		credential = NewStaticSTSCredentialsProvider(
-			tea.StringValue(config.AccessKeyId),
-			tea.StringValue(config.AccessKeySecret),
-			tea.StringValue(config.SecurityToken))
+
+		credential = fromCredentialsProvider("sts", provider)
 	case "ecs_ram_role":
 		runtime := &utils.Runtime{
 			Host:           tea.StringValue(config.Host),
@@ -373,34 +378,6 @@ func checkRAMRoleArn(config *Config) (err error) {
 	return
 }
 
-func checkSTS(config *Config) (err error) {
-	if tea.StringValue(config.AccessKeyId) == "" {
-		err = errors.New("AccessKeyId cannot be empty")
-		return
-	}
-	if tea.StringValue(config.AccessKeySecret) == "" {
-		err = errors.New("AccessKeySecret cannot be empty")
-		return
-	}
-	if tea.StringValue(config.SecurityToken) == "" {
-		err = errors.New("SecurityToken cannot be empty")
-		return
-	}
-	return
-}
-
-func checkAccessKey(config *Config) (err error) {
-	if tea.StringValue(config.AccessKeyId) == "" {
-		err = errors.New("AccessKeyId cannot be empty")
-		return
-	}
-	if tea.StringValue(config.AccessKeySecret) == "" {
-		err = errors.New("AccessKeySecret cannot be empty")
-		return
-	}
-	return
-}
-
 func doAction(request *request.CommonRequest, runtime *utils.Runtime) (content []byte, err error) {
 	var urlEncoded string
 	if request.BodyParams != nil {
@@ -458,3 +435,65 @@ func doAction(request *request.CommonRequest, runtime *utils.Runtime) (content [
 	}
 	return resp.GetHTTPContentBytes(), nil
 }
+
+type credentialsProviderWrap struct {
+	typeName string
+	provider providers.CredentialsProvider
+}
+
+func (cp *credentialsProviderWrap) GetAccessKeyId() (accessKeyId *string, err error) {
+	cc, err := cp.provider.GetCredentials()
+	if err != nil {
+		return
+	}
+	accessKeyId = &cc.AccessKeyId
+	return
+}
+
+func (cp *credentialsProviderWrap) GetAccessKeySecret() (accessKeySecret *string, err error) {
+	cc, err := cp.provider.GetCredentials()
+	if err != nil {
+		return
+	}
+	accessKeySecret = &cc.AccessKeySecret
+	return
+}
+
+func (cp *credentialsProviderWrap) GetSecurityToken() (securityToken *string, err error) {
+	cc, err := cp.provider.GetCredentials()
+	if err != nil {
+		return
+	}
+	securityToken = &cc.SecurityToken
+	return
+}
+
+func (cp *credentialsProviderWrap) GetBearerToken() (bearerToken *string) {
+	return tea.String("")
+}
+
+func (cp *credentialsProviderWrap) GetCredential() (cm *CredentialModel, err error) {
+	c, err := cp.provider.GetCredentials()
+	if err != nil {
+		return
+	}
+
+	cm = &CredentialModel{
+		AccessKeyId:     &c.AccessKeyId,
+		AccessKeySecret: &c.AccessKeySecret,
+		SecurityToken:   &c.SecurityToken,
+		Type:            &c.ProviderName,
+	}
+	return
+}
+
+func (cp *credentialsProviderWrap) GetType() *string {
+	return &cp.typeName
+}
+
+func fromCredentialsProvider(typeName string, cp providers.CredentialsProvider) Credential {
+	return &credentialsProviderWrap{
+		typeName: typeName,
+		provider: cp,
+	}
+}
diff --git a/credentials/credential_test.go b/credentials/credential_test.go
@@ -47,14 +47,23 @@ func TestNewCredentialWithAK(t *testing.T) {
 	config.SetType("access_key")
 	cred, err := NewCredential(config)
 	assert.NotNil(t, err)
-	assert.Equal(t, "AccessKeyId cannot be empty", err.Error())
+	assert.Equal(t, "the access key id is empty", err.Error())
 	assert.Nil(t, cred)
 
 	config.SetAccessKeyId("AccessKeyId")
 	cred, err = NewCredential(config)
 	assert.NotNil(t, err)
-	assert.Equal(t, "AccessKeySecret cannot be empty", err.Error())
+	assert.Equal(t, "the access key secret is empty", err.Error())
 	assert.Nil(t, cred)
+
+	config.SetAccessKeySecret("AccessKeySecret")
+	cred, err = NewCredential(config)
+	assert.Nil(t, err)
+	cm, err := cred.GetCredential()
+	assert.Nil(t, err)
+	assert.Equal(t, "AccessKeyId", *cm.AccessKeyId)
+	assert.Equal(t, "AccessKeySecret", *cm.AccessKeySecret)
+	assert.Equal(t, "", *cm.SecurityToken)
 }
 
 func TestNewCredentialWithSts(t *testing.T) {
@@ -64,19 +73,19 @@ func TestNewCredentialWithSts(t *testing.T) {
 	config.SetAccessKeyId("")
 	cred, err := NewCredential(config)
 	assert.NotNil(t, err)
-	assert.Equal(t, "AccessKeyId cannot be empty", err.Error())
+	assert.Equal(t, "the access key id is empty", err.Error())
 	assert.Nil(t, cred)
 
 	config.SetAccessKeyId("akid")
 	cred, err = NewCredential(config)
 	assert.NotNil(t, err)
-	assert.Equal(t, "AccessKeySecret cannot be empty", err.Error())
+	assert.Equal(t, "the access key secret is empty", err.Error())
 	assert.Nil(t, cred)
 
 	config.SetAccessKeySecret("aksecret")
 	cred, err = NewCredential(config)
 	assert.NotNil(t, err)
-	assert.Equal(t, "SecurityToken cannot be empty", err.Error())
+	assert.Equal(t, "the security token is empty", err.Error())
 	assert.Nil(t, cred)
 
 	config.SetSecurityToken("SecurityToken")

diff --git a/credentials/internal/providers/credentials.go b/credentials/internal/providers/credentials.go
@@ -0,0 +1,22 @@
+package providers
+
+// 下一版本 Credentials 包
+// - 分离 bearer token
+// - 从 config 传递迁移到真正的 credentials provider 模式
+// - 删除 GetAccessKeyId()/GetAccessKeySecret()/GetSecurityToken() 方法，只保留 GetCredentials()
+
+// The credentials struct
+type Credentials struct {
+	AccessKeyId     string
+	AccessKeySecret string
+	SecurityToken   string
+	ProviderName    string
+}
+
+// The credentials provider interface, return credentials and provider name
+type CredentialsProvider interface {
+	// Get credentials
+	GetCredentials() (*Credentials, error)
+	// Get credentials provider name
+	GetProviderName() string
+}
diff --git a/credentials/internal/providers/static_ak.go b/credentials/internal/providers/static_ak.go
@@ -0,0 +1,67 @@
+package providers
+
+import (
+	"errors"
+	"os"
+)
+
+type StaticAKCredentialsProvider struct {
+	accessKeyId     string
+	accessKeySecret string
+}
+
+type StaticAKCredentialsProviderBuilder struct {
+	provider *StaticAKCredentialsProvider
+}
+
+func NewStaticAKCredentialsProviderBuilder() *StaticAKCredentialsProviderBuilder {
+	return &StaticAKCredentialsProviderBuilder{
+		provider: &StaticAKCredentialsProvider{},
+	}
+}
+
+func (builder *StaticAKCredentialsProviderBuilder) WithAccessKeyId(accessKeyId string) *StaticAKCredentialsProviderBuilder {
+	builder.provider.accessKeyId = accessKeyId
+	return builder
+}
+
+func (builder *StaticAKCredentialsProviderBuilder) WithAccessKeySecret(accessKeySecret string) *StaticAKCredentialsProviderBuilder {
+	builder.provider.accessKeySecret = accessKeySecret
+	return builder
+}
+
+func (builder *StaticAKCredentialsProviderBuilder) Build() (provider *StaticAKCredentialsProvider, err error) {
+	if builder.provider.accessKeyId == "" {
+		builder.provider.accessKeyId = os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_ID")
+	}
+
+	if builder.provider.accessKeyId == "" {
+		err = errors.New("the access key id is empty")
+		return
+	}
+
+	if builder.provider.accessKeySecret == "" {
+		builder.provider.accessKeySecret = os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET")
+	}
+
+	if builder.provider.accessKeySecret == "" {
+		err = errors.New("the access key secret is empty")
+		return
+	}
+
+	provider = builder.provider
+	return
+}
+
+func (provider *StaticAKCredentialsProvider) GetCredentials() (cc *Credentials, err error) {
+	cc = &Credentials{
+		AccessKeyId:     provider.accessKeyId,
+		AccessKeySecret: provider.accessKeySecret,
+		ProviderName:    provider.GetProviderName(),
+	}
+	return
+}
+
+func (provider *StaticAKCredentialsProvider) GetProviderName() string {
+	return "static_ak"
+}
diff --git a/credentials/internal/providers/static_ak_test.go b/credentials/internal/providers/static_ak_test.go
@@ -0,0 +1,56 @@
+package providers
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestStaticAKCredentialsProvider(t *testing.T) {
+	_, err := NewStaticAKCredentialsProviderBuilder().
+		Build()
+	assert.EqualError(t, err, "the access key id is empty")
+
+	_, err = NewStaticAKCredentialsProviderBuilder().
+		WithAccessKeyId("akid").
+		Build()
+	assert.EqualError(t, err, "the access key secret is empty")
+
+	provider, err := NewStaticAKCredentialsProviderBuilder().
+		WithAccessKeyId("accessKeyId").
+		WithAccessKeySecret("accessKeySecret").
+		Build()
+	assert.Nil(t, err)
+	assert.Equal(t, "static_ak", provider.GetProviderName())
+
+	cred, err := provider.GetCredentials()
+	assert.Nil(t, err)
+	assert.Equal(t, "accessKeyId", cred.AccessKeyId)
+	assert.Equal(t, "accessKeySecret", cred.AccessKeySecret)
+	assert.Equal(t, "", cred.SecurityToken)
+	assert.Equal(t, "static_ak", cred.ProviderName)
+}
+
+func TestStaticAKCredentialsProviderWithEnv(t *testing.T) {
+	originAKID := os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_ID")
+	originAKSecret := os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET")
+	defer func() {
+		os.Setenv("ALIBABA_CLOUD_ACCESS_KEY_ID", originAKID)
+		os.Setenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET", originAKSecret)
+	}()
+
+	os.Setenv("ALIBABA_CLOUD_ACCESS_KEY_ID", "akid_from_env")
+	os.Setenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET", "aksecret_from_env")
+	provider, err := NewStaticAKCredentialsProviderBuilder().
+		Build()
+	assert.Nil(t, err)
+	assert.Equal(t, "static_ak", provider.GetProviderName())
+
+	cred, err := provider.GetCredentials()
+	assert.Nil(t, err)
+	assert.Equal(t, "akid_from_env", cred.AccessKeyId)
+	assert.Equal(t, "aksecret_from_env", cred.AccessKeySecret)
+	assert.Equal(t, "", cred.SecurityToken)
+	assert.Equal(t, "static_ak", cred.ProviderName)
+}