credentials/oidc_credential.go - Code Metrics - Inspection of "feat: support GetCredential() to solve the inconsi..." - aliyun/credentials-go - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — master ( b62427...a0b73a )

unknown

created 2023-07-07 03:20 UTC

credentials/oidc_credential.go A

↳ Parent: Project

Size/Duplication

Total Lines	190
Duplicated Lines	0 %

Importance

Changes

Metric	Value
cc	35
eloc	131
dl	0
loc	190
rs	9.6
c	0
b	0
f	0

9 Methods

Rating	Name	Size	Complexity
A	credentials.newOIDCRoleArnCredential	12	1
A	credentials.*OIDCCredential.GetBearerToken	2	1
A	credentials.*OIDCCredential.GetSecurityToken	8	4
A	credentials.*OIDCCredential.GetAccessKeySecret	8	4
A	credentials.*OIDCCredential.GetAccessKeyId	8	4
D	credentials.*OIDCCredential.updateCredential	55	12
A	credentials.*OIDCCredential.GetCredential	14	4
A	credentials.*OIDCCredential.GetType	2	1
A	credentials.*OIDCCredential.GetOIDCToken	14	4

package credentials

import (
	"encoding/json"
	"fmt"
	"io/ioutil"
	"os"
	"time"

	"github.com/alibabacloud-go/tea/tea"
	"github.com/aliyun/credentials-go/credentials/request"
	"github.com/aliyun/credentials-go/credentials/utils"
)

const defaultOIDCDurationSeconds = 3600

// OIDCCredential is a kind of credentials
type OIDCCredential struct {
	*credentialUpdater
	AccessKeyId           string
	AccessKeySecret       string
	RoleArn               string
	OIDCProviderArn       string
	OIDCTokenFilePath     string
	Policy                string
	RoleSessionName       string
	RoleSessionExpiration int
	sessionCredential     *sessionCredential
	runtime               *utils.Runtime
}

type OIDCResponse struct {
	Credentials *credentialsInResponse `json:"Credentials" xml:"Credentials"`
}

type OIDCcredentialsInResponse struct {
	AccessKeyId     string `json:"AccessKeyId" xml:"AccessKeyId"`
	AccessKeySecret string `json:"AccessKeySecret" xml:"AccessKeySecret"`
	SecurityToken   string `json:"SecurityToken" xml:"SecurityToken"`
	Expiration      string `json:"Expiration" xml:"Expiration"`
}

func newOIDCRoleArnCredential(accessKeyId, accessKeySecret, roleArn, OIDCProviderArn, OIDCTokenFilePath, RoleSessionName, policy string, RoleSessionExpiration int, runtime *utils.Runtime) *OIDCCredential {
	return &OIDCCredential{
		AccessKeyId:           accessKeyId,
		AccessKeySecret:       accessKeySecret,
		RoleArn:               roleArn,
		OIDCProviderArn:       OIDCProviderArn,
		OIDCTokenFilePath:     OIDCTokenFilePath,
		RoleSessionName:       RoleSessionName,
		Policy:                policy,
		RoleSessionExpiration: RoleSessionExpiration,
		credentialUpdater:     new(credentialUpdater),
		runtime:               runtime,
	}
}

func (e *OIDCCredential) GetCredential() (*CredentialModel, error) {
	if e.sessionCredential == nil || e.needUpdateCredential() {
		err := e.updateCredential()
		if err != nil {
			return nil, err
		}
	}
	credential := &CredentialModel{
		AccessKeyId:     tea.String(e.sessionCredential.AccessKeyId),
		AccessKeySecret: tea.String(e.sessionCredential.AccessKeySecret),
		SecurityToken:   tea.String(e.sessionCredential.SecurityToken),
		Type:            tea.String("oidc_role_arn"),
	}
	return credential, nil
}

// GetAccessKeyId reutrns OIDCCredential's AccessKeyId
// if AccessKeyId is not exist or out of date, the function will update it.
func (r *OIDCCredential) GetAccessKeyId() (*string, error) {
	if r.sessionCredential == nil || r.needUpdateCredential() {
		err := r.updateCredential()
		if err != nil {
			return tea.String(""), err
		}
	}
	return tea.String(r.sessionCredential.AccessKeyId), nil
}

// GetAccessSecret reutrns OIDCCredential's AccessKeySecret
// if AccessKeySecret is not exist or out of date, the function will update it.
func (r *OIDCCredential) GetAccessKeySecret() (*string, error) {
	if r.sessionCredential == nil || r.needUpdateCredential() {
		err := r.updateCredential()
		if err != nil {
			return tea.String(""), err
		}
	}
	return tea.String(r.sessionCredential.AccessKeySecret), nil
}

// GetSecurityToken reutrns OIDCCredential's SecurityToken
// if SecurityToken is not exist or out of date, the function will update it.
func (r *OIDCCredential) GetSecurityToken() (*string, error) {
	if r.sessionCredential == nil || r.needUpdateCredential() {
		err := r.updateCredential()
		if err != nil {
			return tea.String(""), err
		}
	}
	return tea.String(r.sessionCredential.SecurityToken), nil
}

// GetBearerToken is useless OIDCCredential
func (r *OIDCCredential) GetBearerToken() *string {
	return tea.String("")
}

// GetType reutrns OIDCCredential's type
func (r *OIDCCredential) GetType() *string {
	return tea.String("oidc_role_arn")
}

func (r *OIDCCredential) GetOIDCToken(OIDCTokenFilePath string) *string {
	tokenPath := OIDCTokenFilePath
	_, err := os.Stat(tokenPath)
	if os.IsNotExist(err) {
		tokenPath = os.Getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE")
		if tokenPath == "" {
			return nil
		}
	}
	byt, err := ioutil.ReadFile(tokenPath)
	if err != nil {
		return nil
	}
	return tea.String(string(byt))
}

func (r *OIDCCredential) updateCredential() (err error) {
	if r.runtime == nil {
		r.runtime = new(utils.Runtime)
	}
	request := request.NewCommonRequest()
	request.Domain = "sts.aliyuncs.com"
	if r.runtime.STSEndpoint != "" {
		request.Domain = r.runtime.STSEndpoint
	}
	request.Scheme = "HTTPS"
	request.Method = "POST"
	request.QueryParams["Timestamp"] = utils.GetTimeInFormatISO8601()
	request.QueryParams["Action"] = "AssumeRoleWithOIDC"
	request.QueryParams["Format"] = "JSON"
	request.BodyParams["RoleArn"] = r.RoleArn
	request.BodyParams["OIDCProviderArn"] = r.OIDCProviderArn
	token := r.GetOIDCToken(r.OIDCTokenFilePath)
	request.BodyParams["OIDCToken"] = tea.StringValue(token)
	if r.Policy != "" {
		request.QueryParams["Policy"] = r.Policy
	}
	request.QueryParams["RoleSessionName"] = r.RoleSessionName
	request.QueryParams["Version"] = "2015-04-01"
	request.QueryParams["SignatureNonce"] = utils.GetUUID()
	request.Headers["Host"] = request.Domain
	request.Headers["Accept-Encoding"] = "identity"
	request.Headers["content-type"] = "application/x-www-form-urlencoded"
	request.URL = request.BuildURL()
	content, err := doAction(request, r.runtime)
	if err != nil {
		return fmt.Errorf("refresh RoleArn sts token err: %s", err.Error())
	}
	var resp *OIDCResponse
	err = json.Unmarshal(content, &resp)
	if err != nil {
		return fmt.Errorf("refresh RoleArn sts token err: Json.Unmarshal fail: %s", err.Error())
	}
	if resp == nil || resp.Credentials == nil {
		return fmt.Errorf("refresh RoleArn sts token err: Credentials is empty")
	}
	respCredentials := resp.Credentials
	if respCredentials.AccessKeyId == "" || respCredentials.AccessKeySecret == "" || respCredentials.SecurityToken == "" || respCredentials.Expiration == "" {
		return fmt.Errorf("refresh RoleArn sts token err: AccessKeyId: %s, AccessKeySecret: %s, SecurityToken: %s, Expiration: %s", respCredentials.AccessKeyId, respCredentials.AccessKeySecret, respCredentials.SecurityToken, respCredentials.Expiration)
	}

	expirationTime, err := time.Parse("2006-01-02T15:04:05Z", respCredentials.Expiration)
	r.lastUpdateTimestamp = time.Now().Unix()
	r.credentialExpiration = int(expirationTime.Unix() - time.Now().Unix())
	r.sessionCredential = &sessionCredential{
		AccessKeyId:     respCredentials.AccessKeyId,
		AccessKeySecret: respCredentials.AccessKeySecret,
		SecurityToken:   respCredentials.SecurityToken,
	}

	return
}


1			package credentials
2
3			import (
4			"encoding/json"
5			"fmt"
6			"io/ioutil"
7			"os"
8			"time"
9
10			"github.com/alibabacloud-go/tea/tea"
11			"github.com/aliyun/credentials-go/credentials/request"
12			"github.com/aliyun/credentials-go/credentials/utils"
13			)
14
15			const defaultOIDCDurationSeconds = 3600
16
17			// OIDCCredential is a kind of credentials
18			type OIDCCredential struct {
19			*credentialUpdater
20			AccessKeyId string
21			AccessKeySecret string
22			RoleArn string
23			OIDCProviderArn string
24			OIDCTokenFilePath string
25			Policy string
26			RoleSessionName string
27			RoleSessionExpiration int
28			sessionCredential *sessionCredential
29			runtime *utils.Runtime
30			}
31
32			type OIDCResponse struct {
33			Credentials *credentialsInResponse `json:"Credentials" xml:"Credentials"`
34			}
35
36			type OIDCcredentialsInResponse struct {
37			AccessKeyId string `json:"AccessKeyId" xml:"AccessKeyId"`
38			AccessKeySecret string `json:"AccessKeySecret" xml:"AccessKeySecret"`
39			SecurityToken string `json:"SecurityToken" xml:"SecurityToken"`
40			Expiration string `json:"Expiration" xml:"Expiration"`
41			}
42
43			func newOIDCRoleArnCredential(accessKeyId, accessKeySecret, roleArn, OIDCProviderArn, OIDCTokenFilePath, RoleSessionName, policy string, RoleSessionExpiration int, runtime utils.Runtime) OIDCCredential {
44			return &OIDCCredential{
45			AccessKeyId: accessKeyId,
46			AccessKeySecret: accessKeySecret,
47			RoleArn: roleArn,
48			OIDCProviderArn: OIDCProviderArn,
49			OIDCTokenFilePath: OIDCTokenFilePath,
50			RoleSessionName: RoleSessionName,
51			Policy: policy,
52			RoleSessionExpiration: RoleSessionExpiration,
53			credentialUpdater: new(credentialUpdater),
54			runtime: runtime,
55			}
56			}
57
58			func (e OIDCCredential) GetCredential() (CredentialModel, error) {
59			if e.sessionCredential == nil \|\| e.needUpdateCredential() {
60			err := e.updateCredential()
61			if err != nil {
62			return nil, err
63			}
64			}
65			credential := &CredentialModel{
66			AccessKeyId: tea.String(e.sessionCredential.AccessKeyId),
67			AccessKeySecret: tea.String(e.sessionCredential.AccessKeySecret),
68			SecurityToken: tea.String(e.sessionCredential.SecurityToken),
69			Type: tea.String("oidc_role_arn"),
70			}
71			return credential, nil
72			}
73
74			// GetAccessKeyId reutrns OIDCCredential's AccessKeyId
75			// if AccessKeyId is not exist or out of date, the function will update it.
76			func (r OIDCCredential) GetAccessKeyId() (string, error) {
77			if r.sessionCredential == nil \|\| r.needUpdateCredential() {
78			err := r.updateCredential()
79			if err != nil {
80			return tea.String(""), err
81			}
82			}
83			return tea.String(r.sessionCredential.AccessKeyId), nil
84			}
85
86			// GetAccessSecret reutrns OIDCCredential's AccessKeySecret
87			// if AccessKeySecret is not exist or out of date, the function will update it.
88			func (r OIDCCredential) GetAccessKeySecret() (string, error) {
89			if r.sessionCredential == nil \|\| r.needUpdateCredential() {
90			err := r.updateCredential()
91			if err != nil {
92			return tea.String(""), err
93			}
94			}
95			return tea.String(r.sessionCredential.AccessKeySecret), nil
96			}
97
98			// GetSecurityToken reutrns OIDCCredential's SecurityToken
99			// if SecurityToken is not exist or out of date, the function will update it.
100			func (r OIDCCredential) GetSecurityToken() (string, error) {
101			if r.sessionCredential == nil \|\| r.needUpdateCredential() {
102			err := r.updateCredential()
103			if err != nil {
104			return tea.String(""), err
105			}
106			}
107			return tea.String(r.sessionCredential.SecurityToken), nil
108			}
109
110			// GetBearerToken is useless OIDCCredential
111			func (r OIDCCredential) GetBearerToken() string {
112			return tea.String("")
113			}
114
115			// GetType reutrns OIDCCredential's type
116			func (r OIDCCredential) GetType() string {
117			return tea.String("oidc_role_arn")
118			}
119
120			func (r OIDCCredential) GetOIDCToken(OIDCTokenFilePath string) string {
121			tokenPath := OIDCTokenFilePath
122			_, err := os.Stat(tokenPath)
123			if os.IsNotExist(err) {
124			tokenPath = os.Getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE")
125			if tokenPath == "" {
126			return nil
127			}
128			}
129			byt, err := ioutil.ReadFile(tokenPath)
130			if err != nil {
131			return nil
132			}
133			return tea.String(string(byt))
134			}
135
136			func (r *OIDCCredential) updateCredential() (err error) {
137			if r.runtime == nil {
138			r.runtime = new(utils.Runtime)
139			}
140			request := request.NewCommonRequest()
141			request.Domain = "sts.aliyuncs.com"
142			if r.runtime.STSEndpoint != "" {
143			request.Domain = r.runtime.STSEndpoint
144			}
145			request.Scheme = "HTTPS"
146			request.Method = "POST"
147			request.QueryParams["Timestamp"] = utils.GetTimeInFormatISO8601()
148			request.QueryParams["Action"] = "AssumeRoleWithOIDC"
149			request.QueryParams["Format"] = "JSON"
150			request.BodyParams["RoleArn"] = r.RoleArn
151			request.BodyParams["OIDCProviderArn"] = r.OIDCProviderArn
152			token := r.GetOIDCToken(r.OIDCTokenFilePath)
153			request.BodyParams["OIDCToken"] = tea.StringValue(token)
154			if r.Policy != "" {
155			request.QueryParams["Policy"] = r.Policy
156			}
157			request.QueryParams["RoleSessionName"] = r.RoleSessionName
158			request.QueryParams["Version"] = "2015-04-01"
159			request.QueryParams["SignatureNonce"] = utils.GetUUID()
160			request.Headers["Host"] = request.Domain
161			request.Headers["Accept-Encoding"] = "identity"
162			request.Headers["content-type"] = "application/x-www-form-urlencoded"
163			request.URL = request.BuildURL()
164			content, err := doAction(request, r.runtime)
165			if err != nil {
166			return fmt.Errorf("refresh RoleArn sts token err: %s", err.Error())
167			}
168			var resp *OIDCResponse
169			err = json.Unmarshal(content, &resp)
170			if err != nil {
171			return fmt.Errorf("refresh RoleArn sts token err: Json.Unmarshal fail: %s", err.Error())
172			}
173			if resp == nil \|\| resp.Credentials == nil {
174			return fmt.Errorf("refresh RoleArn sts token err: Credentials is empty")
175			}
176			respCredentials := resp.Credentials
177			if respCredentials.AccessKeyId == "" \|\| respCredentials.AccessKeySecret == "" \|\| respCredentials.SecurityToken == "" \|\| respCredentials.Expiration == "" {
178			return fmt.Errorf("refresh RoleArn sts token err: AccessKeyId: %s, AccessKeySecret: %s, SecurityToken: %s, Expiration: %s", respCredentials.AccessKeyId, respCredentials.AccessKeySecret, respCredentials.SecurityToken, respCredentials.Expiration)
179			}
180
181			expirationTime, err := time.Parse("2006-01-02T15:04:05Z", respCredentials.Expiration)
182			r.lastUpdateTimestamp = time.Now().Unix()
183			r.credentialExpiration = int(expirationTime.Unix() - time.Now().Unix())
184			r.sessionCredential = &sessionCredential{
185			AccessKeyId: respCredentials.AccessKeyId,
186			AccessKeySecret: respCredentials.AccessKeySecret,
187			SecurityToken: respCredentials.SecurityToken,
188			}
189
190			return
191			}
192

aliyun / credentials-go

GitHub Access Token became invalid

Push — master ( b62427...a0b73a )

credentials/oidc_credential.go A

Size/Duplication

Importance

9 Methods

Duplication Side-by-Side

Filter issues like