aliyun · JacksonTian · Jul 29, 2024 · Jul 29, 2024
diff --git a/credentials/credential.go b/credentials/credential.go
@@ -217,7 +217,7 @@ func NewCredential(config *Config) (credential Credential, err error) {
 			ConnectTimeout: tea.IntValue(config.ConnectTimeout),
 			STSEndpoint:    tea.StringValue(config.STSEndpoint),
 		}
-		credential = newOIDCRoleArnCredential(
+		credential, err = newOIDCRoleArnCredential(
 			tea.StringValue(config.AccessKeyId),
 			tea.StringValue(config.AccessKeySecret),
 			tea.StringValue(config.RoleArn),
@@ -227,6 +227,9 @@ func NewCredential(config *Config) (credential Credential, err error) {
 			tea.StringValue(config.Policy),
 			tea.IntValue(config.RoleSessionExpiration),
 			runtime)
+		if err != nil {
+			return
+		}
 	case "access_key":
 		err = checkAccessKey(config)
 		if err != nil {

diff --git a/credentials/credential_test.go b/credentials/credential_test.go
@@ -219,6 +219,13 @@ func TestNewCredentialWithOIDC(t *testing.T) {
 	assert.Equal(t, "OIDCProviderArn cannot be empty", err.Error())
 	assert.Nil(t, cred)
 
+	config.SetOIDCProviderArn("oidc_provider_arn_test").
+		SetRoleArn("role_arn_test")
+	cred, err = NewCredential(config)
+	assert.NotNil(t, err)
+	assert.Equal(t, "the OIDC token file path is empty", err.Error())
+	assert.Nil(t, cred)
+
 	config.SetOIDCProviderArn("oidc_provider_arn_test").
 		SetOIDCTokenFilePath("oidc_token_file_path_test").
 		SetRoleArn("role_arn_test")

diff --git a/credentials/oidc_credentials_provider.go b/credentials/oidc_credentials_provider.go
@@ -2,6 +2,7 @@ package credentials
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io/ioutil"
 	"os"
@@ -39,8 +40,17 @@ type OIDCcredentialsInResponse struct {
 	Expiration      string `json:"Expiration" xml:"Expiration"`
 }
 
-func newOIDCRoleArnCredential(accessKeyId, accessKeySecret, roleArn, OIDCProviderArn, OIDCTokenFilePath, RoleSessionName, policy string, RoleSessionExpiration int, runtime *utils.Runtime) *OIDCCredentialsProvider {
-	return &OIDCCredentialsProvider{
+func newOIDCRoleArnCredential(accessKeyId, accessKeySecret, roleArn, OIDCProviderArn, OIDCTokenFilePath, RoleSessionName, policy string, RoleSessionExpiration int, runtime *utils.Runtime) (provider *OIDCCredentialsProvider, err error) {
+	if OIDCTokenFilePath == "" {
+		OIDCTokenFilePath = os.Getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE")
+	}
+
+	if OIDCTokenFilePath == "" {
+		err = errors.New("the OIDC token file path is empty")
+		return
+	}
+
+	provider = &OIDCCredentialsProvider{
 		AccessKeyId:           accessKeyId,
 		AccessKeySecret:       accessKeySecret,
 		RoleArn:               roleArn,
@@ -52,6 +62,7 @@ func newOIDCRoleArnCredential(accessKeyId, accessKeySecret, roleArn, OIDCProvide
 		credentialUpdater:     new(credentialUpdater),
 		runtime:               runtime,
 	}
+	return
 }
 
 func (e *OIDCCredentialsProvider) GetCredential() (*CredentialModel, error) {
@@ -116,19 +127,18 @@ func (r *OIDCCredentialsProvider) GetType() *string {
 	return tea.String("oidc_role_arn")
 }
 
-func getOIDCToken(tokenFilePath string) *string {
-	_, err := os.Stat(tokenFilePath)
-	if os.IsNotExist(err) {
-		tokenFilePath = os.Getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE")
-		if tokenFilePath == "" {
-			return nil
-		}
-	}
-	byt, err := ioutil.ReadFile(tokenFilePath)
+var getFileContent = func(filePath string) (content string, err error) {
+	bytes, err := ioutil.ReadFile(filePath)
 	if err != nil {
-		return nil
+		return
+	}
+
+	if len(bytes) == 0 {
+		err = fmt.Errorf("the content of %s is empty", filePath)
 	}
-	return tea.String(string(byt))
+
+	content = string(bytes)
+	return
 }
 
 func (r *OIDCCredentialsProvider) updateCredential() (err error) {
@@ -147,8 +157,12 @@ func (r *OIDCCredentialsProvider) updateCredential() (err error) {
 	request.QueryParams["Format"] = "JSON"
 	request.BodyParams["RoleArn"] = r.RoleArn
 	request.BodyParams["OIDCProviderArn"] = r.OIDCProviderArn
-	token := getOIDCToken(r.OIDCTokenFilePath)
-	request.BodyParams["OIDCToken"] = tea.StringValue(token)
+	token, err := getFileContent(r.OIDCTokenFilePath)
+	if err != nil {
+		return fmt.Errorf("read oidc token file failed: %s", err.Error())
+	}
+
+	request.BodyParams["OIDCToken"] = token
 	if r.Policy != "" {
 		request.QueryParams["Policy"] = r.Policy
 	}
@@ -164,19 +178,19 @@ func (r *OIDCCredentialsProvider) updateCredential() (err error) {
 	request.URL = request.BuildURL()
 	content, err := doAction(request, r.runtime)
 	if err != nil {
-		return fmt.Errorf("refresh RoleArn sts token err: %s", err.Error())
+		return fmt.Errorf("get sts token failed with: %s", err.Error())
 	}
 	var resp *OIDCResponse
 	err = json.Unmarshal(content, &resp)
 	if err != nil {
-		return fmt.Errorf("refresh RoleArn sts token err: Json.Unmarshal fail: %s", err.Error())
+		return fmt.Errorf("get sts token failed with: Json.Unmarshal fail: %s", err.Error())
 	}
 	if resp == nil || resp.Credentials == nil {
-		return fmt.Errorf("refresh RoleArn sts token err: Credentials is empty")
+		return fmt.Errorf("get sts token failed with: credentials is empty")
 	}
 	respCredentials := resp.Credentials
 	if respCredentials.AccessKeyId == "" || respCredentials.AccessKeySecret == "" || respCredentials.SecurityToken == "" || respCredentials.Expiration == "" {
-		return fmt.Errorf("refresh RoleArn sts token err: AccessKeyId: %s, AccessKeySecret: %s, SecurityToken: %s, Expiration: %s", respCredentials.AccessKeyId, respCredentials.AccessKeySecret, respCredentials.SecurityToken, respCredentials.Expiration)
+		return fmt.Errorf("get sts token failed with: AccessKeyId: %s, AccessKeySecret: %s, SecurityToken: %s, Expiration: %s", respCredentials.AccessKeyId, respCredentials.AccessKeySecret, respCredentials.SecurityToken, respCredentials.Expiration)
 	}
 
 	expirationTime, err := time.Parse("2006-01-02T15:04:05Z", respCredentials.Expiration)

diff --git a/credentials/oidc_credentials_provider_test.go b/credentials/oidc_credentials_provider_test.go
@@ -4,74 +4,195 @@ import (
 	"errors"
 	"net/http"
 	"os"
+	"path"
 	"testing"
 
-	"github.com/aliyun/credentials-go/credentials/utils"
 	"github.com/stretchr/testify/assert"
+
+	"github.com/aliyun/credentials-go/credentials/utils"
 )
 
+func TestNewOidcCredentialsProvider(t *testing.T) {
+	_, err := newOIDCRoleArnCredential("accessKeyId", "accessKeySecret", "RoleArn", "OIDCProviderArn", "", "roleSessionName", "Policy", 3600, nil)
+	assert.NotNil(t, err)
+	assert.Equal(t, "the OIDC token file path is empty", err.Error())
+
+	// get oidc token path from env
+	os.Setenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE", "/path/to/oidc_token")
+	provider, err := newOIDCRoleArnCredential("accessKeyId", "accessKeySecret", "RoleArn", "OIDCProviderArn", "", "roleSessionName", "Policy", 3600, nil)
+	assert.Nil(t, err)
+	assert.Equal(t, "/path/to/oidc_token", provider.OIDCTokenFilePath)
+
+	os.Unsetenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE")
+	provider, err = newOIDCRoleArnCredential("accessKeyId", "accessKeySecret", "RoleArn", "OIDCProviderArn", "/path/to/oidc_token_args", "roleSessionName", "Policy", 3600, nil)
+	assert.Nil(t, err)
+	assert.Equal(t, "/path/to/oidc_token_args", provider.OIDCTokenFilePath)
+}
+
 func Test_oidcCredential_updateCredential(t *testing.T) {
-	oidcCredential := newOIDCRoleArnCredential("accessKeyId", "accessKeySecret", "RoleArn", "OIDCProviderArn", "tokenFilePath", "roleSessionName", "Policy", 3600, nil)
+	oidcCredential, err := newOIDCRoleArnCredential("accessKeyId", "accessKeySecret", "RoleArn", "OIDCProviderArn", "/path/to/tokenFilePath", "roleSessionName", "Policy", 3600, nil)
+	assert.Nil(t, err)
+
+	c, err := oidcCredential.GetCredential()
+	assert.NotNil(t, err)
+	assert.Equal(t, "read oidc token file failed: open /path/to/tokenFilePath: no such file or directory", err.Error())
+	assert.Nil(t, c)
+
+	accessKeyId, err := oidcCredential.GetAccessKeyId()
+	assert.NotNil(t, err)
+	assert.Equal(t, "read oidc token file failed: open /path/to/tokenFilePath: no such file or directory", err.Error())
+	assert.Nil(t, accessKeyId)
+
+	accessKeySecret, err := oidcCredential.GetAccessKeySecret()
+	assert.NotNil(t, err)
+	assert.Equal(t, "read oidc token file failed: open /path/to/tokenFilePath: no such file or directory", err.Error())
+	assert.Nil(t, accessKeySecret)
+
+	securityToken, err := oidcCredential.GetSecurityToken()
+	assert.NotNil(t, err)
+	assert.Equal(t, "read oidc token file failed: open /path/to/tokenFilePath: no such file or directory", err.Error())
+	assert.Nil(t, securityToken)
+
+	originGetFileContent := getFileContent
+	defer func() {
+		getFileContent = originGetFileContent
+	}()
+	getFileContent = func(filePath string) (content string, err error) {
+		return "token", nil
+	}
+	// mock server error
 	hookDo = func(fn func(req *http.Request) (*http.Response, error)) func(req *http.Request) (*http.Response, error) {
 		return func(req *http.Request) (*http.Response, error) {
-			return mockResponse(300, ``, errors.New("sdk test"))
+			return mockResponse(500, ``, errors.New("mock server error"))
 		}
 	}
-	accesskeyId, err := oidcCredential.GetAccessKeyId()
+	c, err = oidcCredential.GetCredential()
 	assert.NotNil(t, err)
-	assert.Equal(t, "refresh RoleArn sts token err: sdk test", err.Error())
-	assert.Nil(t, accesskeyId)
+	assert.Equal(t, "get sts token failed with: mock server error", err.Error())
+	assert.Nil(t, c)
+	// mock unmarshal error
+	hookDo = func(fn func(req *http.Request) (*http.Response, error)) func(req *http.Request) (*http.Response, error) {
+		return func(req *http.Request) (*http.Response, error) {
+			return mockResponse(200, `invalid json`, nil)
+		}
+	}
+	c, err = oidcCredential.GetCredential()
+	assert.NotNil(t, err)
+	assert.Equal(t, "get sts token failed with: Json.Unmarshal fail: invalid character 'i' looking for beginning of value", err.Error())
+	assert.Nil(t, c)
 
-	assert.Equal(t, "oidc_role_arn", *oidcCredential.GetType())
+	// mock null response
+	hookDo = func(fn func(req *http.Request) (*http.Response, error)) func(req *http.Request) (*http.Response, error) {
+		return func(req *http.Request) (*http.Response, error) {
+			return mockResponse(200, `null`, nil)
+		}
+	}
+	c, err = oidcCredential.GetCredential()
+	assert.NotNil(t, err)
+	assert.Equal(t, "get sts token failed with: credentials is empty", err.Error())
+	assert.Nil(t, c)
 
 	hookDo = func(fn func(req *http.Request) (*http.Response, error)) func(req *http.Request) (*http.Response, error) {
 		return func(req *http.Request) (*http.Response, error) {
-			return mockResponse(200, `{"Credentials":{"AccessKeyId":"accessKeyId","AccessKeySecret":"accessKeySecret","SecurityToken":"securitytoken","Expiration":"2020-01-02T15:04:05Z"}}`, nil)
+			return mockResponse(200, `{}`, nil)
 		}
 	}
+	c, err = oidcCredential.GetCredential()
+	assert.NotNil(t, err)
+	assert.Equal(t, "get sts token failed with: credentials is empty", err.Error())
+	assert.Nil(t, c)
+
+	// mock empty ak
+	hookDo = func(fn func(req *http.Request) (*http.Response, error)) func(req *http.Request) (*http.Response, error) {
+		return func(req *http.Request) (*http.Response, error) {
+			return mockResponse(200, `{"Credentials": {}}`, nil)
+		}
+	}
+	c, err = oidcCredential.GetCredential()
+	assert.NotNil(t, err)
+	assert.Equal(t, "get sts token failed with: AccessKeyId: , AccessKeySecret: , SecurityToken: , Expiration: ", err.Error())
+	assert.Nil(t, c)
 
-	accesskeyId, err = oidcCredential.GetAccessKeyId()
+	// mock normal credentials
+	hookDo = func(fn func(req *http.Request) (*http.Response, error)) func(req *http.Request) (*http.Response, error) {
+		return func(req *http.Request) (*http.Response, error) {
+			return mockResponse(200, `{"Credentials": {"AccessKeyId":"akid","AccessKeySecret":"aksecret","SecurityToken":"ststoken","Expiration":"2006-01-02T15:04:05Z"}}`, nil)
+		}
+	}
+	c, err = oidcCredential.GetCredential()
 	assert.Nil(t, err)
-	assert.Equal(t, "accessKeyId", *accesskeyId)
+	assert.NotNil(t, c)
+	assert.Equal(t, "akid", *c.AccessKeyId)
+	assert.Equal(t, "aksecret", *c.AccessKeySecret)
+	assert.Equal(t, "ststoken", *c.SecurityToken)
 
-	accesskeySecret, err := oidcCredential.GetAccessKeySecret()
+	akid, err := oidcCredential.GetAccessKeyId()
 	assert.Nil(t, err)
-	assert.Equal(t, "accessKeySecret", *accesskeySecret)
+	assert.Equal(t, "akid", *akid)
+
+	secret, err := oidcCredential.GetAccessKeySecret()
+	assert.Nil(t, err)
+	assert.Equal(t, "aksecret", *secret)
 
 	ststoken, err := oidcCredential.GetSecurityToken()
 	assert.Nil(t, err)
-	assert.Equal(t, "securitytoken", *ststoken)
+	assert.Equal(t, "ststoken", *ststoken)
+}
+
+func TestOIDCCredentialsProviderGetBearerToken(t *testing.T) {
+	provider, err := newOIDCRoleArnCredential("accessKeyId", "accessKeySecret", "RoleArn", "OIDCProviderArn", "tokenFilePath", "roleSessionName", "Policy", 3600, nil)
+	assert.Nil(t, err)
+	assert.Equal(t, "", *provider.GetBearerToken())
+}
+
+func TestOIDCCredentialsProviderGetType(t *testing.T) {
+	provider, err := newOIDCRoleArnCredential("accessKeyId", "accessKeySecret", "RoleArn", "OIDCProviderArn", "tokenFilePath", "roleSessionName", "Policy", 3600, nil)
+	assert.Nil(t, err)
+	assert.Equal(t, "oidc_role_arn", *provider.GetType())
+}
 
-	cred, err := oidcCredential.GetCredential()
+func Test_getFileContent(t *testing.T) {
+	wd, _ := os.Getwd()
+	// read a normal token
+	token, err := getFileContent(path.Join(wd, "../test_fixtures/oidc_token"))
 	assert.Nil(t, err)
-	assert.Equal(t, "accessKeyId", *cred.AccessKeyId)
-	assert.Equal(t, "accessKeySecret", *cred.AccessKeySecret)
-	assert.Equal(t, "securitytoken", *cred.SecurityToken)
-	assert.Nil(t, cred.BearerToken)
-	assert.Equal(t, "oidc_role_arn", *cred.Type)
-
-	os.Setenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE", "")
-	token := getOIDCToken("/test")
-	assert.Nil(t, token)
-	path, _ := os.Getwd()
-	os.Setenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE", path+"/oidc_token")
-	token = getOIDCToken("/test")
-	assert.Equal(t, "test_long_oidc_token_eyJhbGciOiJSUzI1NiIsImtpZCI6ImFQaXlpNEVGSU8wWnlGcFh1V0psQUNWbklZVlJsUkNmM2tlSzNMUlhWT1UifQ.eyJhdWQiOlsic3RzLmFsaXl1bmNzLmNvbSJdLCJleHAiOjE2NDUxMTk3ODAsImlhdCI6MTY0NTA4Mzc4MCwiaXNzIjoiaHR0cHM6Ly9vaWRjLWFjay1jbi1oYW5nemhvdS5vc3MtY24taGFuZ3pob3UtaW50ZXJuYWwuYWxpeXVuY3MuY29tL2NmMWQ4ZGIwMjM0ZDk0YzEyOGFiZDM3MTc4NWJjOWQxNSIsImt1YmVybmV0ZXMuaW8iOnsibmFtZXNwYWNlIjoidGVzdC1ycnNhIiwicG9kIjp7Im5hbWUiOiJydW4tYXMtcm9vdCIsInVpZCI6ImIzMGI0MGY2LWNiZTAtNGY0Yy1hZGYyLWM1OGQ4ZmExZTAxMCJ9LCJzZXJ2aWNlYWNjb3VudCI6eyJuYW1lIjoidXNlcjEiLCJ1aWQiOiJiZTEyMzdjYS01MTY4LTQyMzYtYWUyMC00NDM1YjhmMGI4YzAifX0sIm5iZiI6MTY0NTA4Mzc4MCwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OnRlc3QtcnJzYTp1c2VyMSJ9.XGP-wgLj-iMiAHjLe0lZLh7y48Qsj9HzsEbNh706WwerBoxnssdsyGFb9lzd2FyM8CssbAOCstr7OuAMWNdJmDZgpiOGGSbQ-KXXmbfnIS4ix-V3pQF6LVBFr7xJlj20J6YY89um3rv_04t0iCGxKWs2ZMUyU1FbZpIPRep24LVKbUz1saiiVGgDBTIZdHA13Z-jUvYAnsxK_Kj5tc1K-IuQQU0IwSKJh5OShMcdPugMV5LwTL3ogCikfB7yljq5vclBhCeF2lXLIibvwF711TOhuJ5lMlh-a2KkIgwBHhANg_U9k4Mt_VadctfUGc4hxlSbBD0w9o9mDGKwgGmW5Q", *token)
-	os.Setenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE", "")
-	token = getOIDCToken(path + "/oidc_token")
-	assert.Equal(t, 1027, len(*token))
-	assert.Equal(t, "test_long_oidc_token_eyJhbGciOiJSUzI1NiIsImtpZCI6ImFQaXlpNEVGSU8wWnlGcFh1V0psQUNWbklZVlJsUkNmM2tlSzNMUlhWT1UifQ.eyJhdWQiOlsic3RzLmFsaXl1bmNzLmNvbSJdLCJleHAiOjE2NDUxMTk3ODAsImlhdCI6MTY0NTA4Mzc4MCwiaXNzIjoiaHR0cHM6Ly9vaWRjLWFjay1jbi1oYW5nemhvdS5vc3MtY24taGFuZ3pob3UtaW50ZXJuYWwuYWxpeXVuY3MuY29tL2NmMWQ4ZGIwMjM0ZDk0YzEyOGFiZDM3MTc4NWJjOWQxNSIsImt1YmVybmV0ZXMuaW8iOnsibmFtZXNwYWNlIjoidGVzdC1ycnNhIiwicG9kIjp7Im5hbWUiOiJydW4tYXMtcm9vdCIsInVpZCI6ImIzMGI0MGY2LWNiZTAtNGY0Yy1hZGYyLWM1OGQ4ZmExZTAxMCJ9LCJzZXJ2aWNlYWNjb3VudCI6eyJuYW1lIjoidXNlcjEiLCJ1aWQiOiJiZTEyMzdjYS01MTY4LTQyMzYtYWUyMC00NDM1YjhmMGI4YzAifX0sIm5iZiI6MTY0NTA4Mzc4MCwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OnRlc3QtcnJzYTp1c2VyMSJ9.XGP-wgLj-iMiAHjLe0lZLh7y48Qsj9HzsEbNh706WwerBoxnssdsyGFb9lzd2FyM8CssbAOCstr7OuAMWNdJmDZgpiOGGSbQ-KXXmbfnIS4ix-V3pQF6LVBFr7xJlj20J6YY89um3rv_04t0iCGxKWs2ZMUyU1FbZpIPRep24LVKbUz1saiiVGgDBTIZdHA13Z-jUvYAnsxK_Kj5tc1K-IuQQU0IwSKJh5OShMcdPugMV5LwTL3ogCikfB7yljq5vclBhCeF2lXLIibvwF711TOhuJ5lMlh-a2KkIgwBHhANg_U9k4Mt_VadctfUGc4hxlSbBD0w9o9mDGKwgGmW5Q", *token)
-
-	oidcCredential = newOIDCRoleArnCredential("accessKeyId", "accessKeySecret", "RoleArn", "OIDCProviderArn", "tokenFilePath", "roleSessionName", "Policy", 7200, &utils.Runtime{STSEndpoint: "www.aliyun.com"})
+	assert.Equal(t, "test_long_oidc_token_eyJhbGciOiJSUzI1NiIsImtpZCI6ImFQaXlpNEVGSU8wWnlGcFh1V0psQUNWbklZVlJsUkNmM2tlSzNMUlhWT1UifQ.eyJhdWQiOlsic3RzLmFsaXl1bmNzLmNvbSJdLCJleHAiOjE2NDUxMTk3ODAsImlhdCI6MTY0NTA4Mzc4MCwiaXNzIjoiaHR0cHM6Ly9vaWRjLWFjay1jbi1oYW5nemhvdS5vc3MtY24taGFuZ3pob3UtaW50ZXJuYWwuYWxpeXVuY3MuY29tL2NmMWQ4ZGIwMjM0ZDk0YzEyOGFiZDM3MTc4NWJjOWQxNSIsImt1YmVybmV0ZXMuaW8iOnsibmFtZXNwYWNlIjoidGVzdC1ycnNhIiwicG9kIjp7Im5hbWUiOiJydW4tYXMtcm9vdCIsInVpZCI6ImIzMGI0MGY2LWNiZTAtNGY0Yy1hZGYyLWM1OGQ4ZmExZTAxMCJ9LCJzZXJ2aWNlYWNjb3VudCI6eyJuYW1lIjoidXNlcjEiLCJ1aWQiOiJiZTEyMzdjYS01MTY4LTQyMzYtYWUyMC00NDM1YjhmMGI4YzAifX0sIm5iZiI6MTY0NTA4Mzc4MCwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OnRlc3QtcnJzYTp1c2VyMSJ9.XGP-wgLj-iMiAHjLe0lZLh7y48Qsj9HzsEbNh706WwerBoxnssdsyGFb9lzd2FyM8CssbAOCstr7OuAMWNdJmDZgpiOGGSbQ-KXXmbfnIS4ix-V3pQF6LVBFr7xJlj20J6YY89um3rv_04t0iCGxKWs2ZMUyU1FbZpIPRep24LVKbUz1saiiVGgDBTIZdHA13Z-jUvYAnsxK_Kj5tc1K-IuQQU0IwSKJh5OShMcdPugMV5LwTL3ogCikfB7yljq5vclBhCeF2lXLIibvwF711TOhuJ5lMlh-a2KkIgwBHhANg_U9k4Mt_VadctfUGc4hxlSbBD0w9o9mDGKwgGmW5Q", token)
+
+	// read a empty token
+	_, err = getFileContent(path.Join(wd, "../test_fixtures/empty_oidc_token"))
+	assert.NotNil(t, err)
+	assert.Contains(t, err.Error(), "the content of ")
+	assert.Contains(t, err.Error(), "/test_fixtures/empty_oidc_token is empty")
+
+	// read a inexist token
+	_, err = getFileContent(path.Join(wd, "../test_fixtures/inexist_oidc_token"))
+	assert.NotNil(t, err)
+	assert.Contains(t, err.Error(), "no such file or directory")
+}
+
+func TestSTSEndpoint(t *testing.T) {
+	originGetFileContent := getFileContent
+	defer func() {
+		getFileContent = originGetFileContent
+	}()
+	getFileContent = func(filePath string) (content string, err error) {
+		return "token", nil
+	}
+	// mock server error
 	hookDo = func(fn func(req *http.Request) (*http.Response, error)) func(req *http.Request) (*http.Response, error) {
 		return func(req *http.Request) (*http.Response, error) {
-			assert.Equal(t, "www.aliyun.com", req.Host)
-			assert.Contains(t, req.URL.RawQuery, "DurationSeconds=7200")
-			return mockResponse(400, ``, errors.New("sdk test"))
+			assert.Equal(t, "sts.cn-beijing.aliyuncs.com", req.Host)
+			return mockResponse(500, ``, errors.New("mock server error"))
 		}
 	}
-	accesskeyId, err = oidcCredential.GetAccessKeyId()
+
+	runtime := &utils.Runtime{
+		STSEndpoint: "sts.cn-beijing.aliyuncs.com",
+	}
+	provider, err := newOIDCRoleArnCredential("accessKeyId", "accessKeySecret", "RoleArn", "OIDCProviderArn", "tokenFilePath", "roleSessionName", "Policy", 3600, runtime)
+	assert.Nil(t, err)
+	c, err := provider.GetCredential()
 	assert.NotNil(t, err)
-	assert.Equal(t, "refresh RoleArn sts token err: sdk test", err.Error())
-	assert.Nil(t, accesskeyId)
+	assert.Equal(t, "get sts token failed with: mock server error", err.Error())
+	assert.Nil(t, c)
 }
diff --git a/test_fixtures/empty_oidc_token b/test_fixtures/empty_oidc_token
diff --git a/credentials/oidc_token → test_fixtures/oidc_token b/credentials/oidc_token → test_fixtures/oidc_token
diff --git a/test_fixtures/pk.pem b/test_fixtures/pk.pem
@@ -0,0 +1,2 @@
+----
+this is privatekey