credentials.*OIDCCredentialsProvider.GetAccessKeyId - Code Metrics - Inspection of "rename to OIDCCredentialsProvider" - aliyun/credentials-go - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — master ( 20bc66...10e109 )

by Jackson

created 2024-07-29 02:26 UTC

AccessKeyId A

↳ Parent: credentials/oidc_credentials_provider.go

Complexity

Conditions

Size

Total Lines	8
Code Lines	6

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
cc	2
eloc	6
nop	0
dl	0
loc	8
rs	10
c	0
b	0
f	0

package credentials

import (
	"encoding/json"
	"fmt"
	"io/ioutil"
	"os"
	"strconv"
	"time"

	"github.com/alibabacloud-go/tea/tea"
	"github.com/aliyun/credentials-go/credentials/request"
	"github.com/aliyun/credentials-go/credentials/utils"
)

// OIDCCredential is a kind of credentials
type OIDCCredentialsProvider struct {
	*credentialUpdater
	AccessKeyId           string
	AccessKeySecret       string
	RoleArn               string
	OIDCProviderArn       string
	OIDCTokenFilePath     string
	Policy                string
	RoleSessionName       string
	RoleSessionExpiration int
	sessionCredential     *sessionCredential
	runtime               *utils.Runtime
}

type OIDCResponse struct {
	Credentials *credentialsInResponse `json:"Credentials" xml:"Credentials"`
}

type OIDCcredentialsInResponse struct {
	AccessKeyId     string `json:"AccessKeyId" xml:"AccessKeyId"`
	AccessKeySecret string `json:"AccessKeySecret" xml:"AccessKeySecret"`
	SecurityToken   string `json:"SecurityToken" xml:"SecurityToken"`
	Expiration      string `json:"Expiration" xml:"Expiration"`
}

func newOIDCRoleArnCredential(accessKeyId, accessKeySecret, roleArn, OIDCProviderArn, OIDCTokenFilePath, RoleSessionName, policy string, RoleSessionExpiration int, runtime *utils.Runtime) *OIDCCredentialsProvider {
	return &OIDCCredentialsProvider{
		AccessKeyId:           accessKeyId,
		AccessKeySecret:       accessKeySecret,
		RoleArn:               roleArn,
		OIDCProviderArn:       OIDCProviderArn,
		OIDCTokenFilePath:     OIDCTokenFilePath,
		RoleSessionName:       RoleSessionName,
		Policy:                policy,
		RoleSessionExpiration: RoleSessionExpiration,
		credentialUpdater:     new(credentialUpdater),
		runtime:               runtime,
	}
}

func (e *OIDCCredentialsProvider) GetCredential() (*CredentialModel, error) {
	if e.sessionCredential == nil || e.needUpdateCredential() {
		err := e.updateCredential()
		if err != nil {
			return nil, err
		}
	}
	credential := &CredentialModel{
		AccessKeyId:     tea.String(e.sessionCredential.AccessKeyId),
		AccessKeySecret: tea.String(e.sessionCredential.AccessKeySecret),
		SecurityToken:   tea.String(e.sessionCredential.SecurityToken),
		Type:            tea.String("oidc_role_arn"),
	}
	return credential, nil
}

// GetAccessKeyId reutrns OIDCCredential's AccessKeyId
// if AccessKeyId is not exist or out of date, the function will update it.
func (r *OIDCCredentialsProvider) GetAccessKeyId() (accessKeyId *string, err error) {
	c, err := r.GetCredential()
	if err != nil {
		return
	}

	accessKeyId = c.AccessKeyId
	return
}

// GetAccessSecret reutrns OIDCCredential's AccessKeySecret
// if AccessKeySecret is not exist or out of date, the function will update it.
func (r *OIDCCredentialsProvider) GetAccessKeySecret() (accessKeySecret *string, err error) {
	c, err := r.GetCredential()
	if err != nil {
		return
	}

	accessKeySecret = c.AccessKeySecret
	return
}

// GetSecurityToken reutrns OIDCCredential's SecurityToken
// if SecurityToken is not exist or out of date, the function will update it.
func (r *OIDCCredentialsProvider) GetSecurityToken() (securityToken *string, err error) {
	c, err := r.GetCredential()
	if err != nil {
		return
	}

	securityToken = c.SecurityToken
	return
}

// GetBearerToken is useless OIDCCredential
func (r *OIDCCredentialsProvider) GetBearerToken() *string {
	return tea.String("")
}

// GetType reutrns OIDCCredential's type
func (r *OIDCCredentialsProvider) GetType() *string {
	return tea.String("oidc_role_arn")
}

func getOIDCToken(tokenFilePath string) *string {
	_, err := os.Stat(tokenFilePath)
	if os.IsNotExist(err) {
		tokenFilePath = os.Getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE")
		if tokenFilePath == "" {
			return nil
		}
	}
	byt, err := ioutil.ReadFile(tokenFilePath)
	if err != nil {
		return nil
	}
	return tea.String(string(byt))
}

func (r *OIDCCredentialsProvider) updateCredential() (err error) {
	if r.runtime == nil {
		r.runtime = new(utils.Runtime)
	}
	request := request.NewCommonRequest()
	request.Domain = "sts.aliyuncs.com"
	if r.runtime.STSEndpoint != "" {
		request.Domain = r.runtime.STSEndpoint
	}
	request.Scheme = "HTTPS"
	request.Method = "POST"
	request.QueryParams["Timestamp"] = utils.GetTimeInFormatISO8601()
	request.QueryParams["Action"] = "AssumeRoleWithOIDC"
	request.QueryParams["Format"] = "JSON"
	request.BodyParams["RoleArn"] = r.RoleArn
	request.BodyParams["OIDCProviderArn"] = r.OIDCProviderArn
	token := getOIDCToken(r.OIDCTokenFilePath)
	request.BodyParams["OIDCToken"] = tea.StringValue(token)
	if r.Policy != "" {
		request.QueryParams["Policy"] = r.Policy
	}
	if r.RoleSessionExpiration > 0 {
		request.QueryParams["DurationSeconds"] = strconv.Itoa(r.RoleSessionExpiration)
	}
	request.QueryParams["RoleSessionName"] = r.RoleSessionName
	request.QueryParams["Version"] = "2015-04-01"
	request.QueryParams["SignatureNonce"] = utils.GetUUID()
	request.Headers["Host"] = request.Domain
	request.Headers["Accept-Encoding"] = "identity"
	request.Headers["content-type"] = "application/x-www-form-urlencoded"
	request.URL = request.BuildURL()
	content, err := doAction(request, r.runtime)
	if err != nil {
		return fmt.Errorf("refresh RoleArn sts token err: %s", err.Error())
	}
	var resp *OIDCResponse
	err = json.Unmarshal(content, &resp)
	if err != nil {
		return fmt.Errorf("refresh RoleArn sts token err: Json.Unmarshal fail: %s", err.Error())
	}
	if resp == nil || resp.Credentials == nil {
		return fmt.Errorf("refresh RoleArn sts token err: Credentials is empty")
	}
	respCredentials := resp.Credentials
	if respCredentials.AccessKeyId == "" || respCredentials.AccessKeySecret == "" || respCredentials.SecurityToken == "" || respCredentials.Expiration == "" {
		return fmt.Errorf("refresh RoleArn sts token err: AccessKeyId: %s, AccessKeySecret: %s, SecurityToken: %s, Expiration: %s", respCredentials.AccessKeyId, respCredentials.AccessKeySecret, respCredentials.SecurityToken, respCredentials.Expiration)
	}

	expirationTime, err := time.Parse("2006-01-02T15:04:05Z", respCredentials.Expiration)
	r.lastUpdateTimestamp = time.Now().Unix()
	r.credentialExpiration = int(expirationTime.Unix() - time.Now().Unix())
	r.sessionCredential = &sessionCredential{
		AccessKeyId:     respCredentials.AccessKeyId,
		AccessKeySecret: respCredentials.AccessKeySecret,
		SecurityToken:   respCredentials.SecurityToken,
	}

	return
}


1			package credentials
2
3			import (
4			"encoding/json"
5			"fmt"
6			"io/ioutil"
7			"os"
8			"strconv"
9			"time"
10
11			"github.com/alibabacloud-go/tea/tea"
12			"github.com/aliyun/credentials-go/credentials/request"
13			"github.com/aliyun/credentials-go/credentials/utils"
14			)
15
16			// OIDCCredential is a kind of credentials
17			type OIDCCredentialsProvider struct {
18			*credentialUpdater
19			AccessKeyId string
20			AccessKeySecret string
21			RoleArn string
22			OIDCProviderArn string
23			OIDCTokenFilePath string
24			Policy string
25			RoleSessionName string
26			RoleSessionExpiration int
27			sessionCredential *sessionCredential
28			runtime *utils.Runtime
29			}
30
31			type OIDCResponse struct {
32			Credentials *credentialsInResponse `json:"Credentials" xml:"Credentials"`
33			}
34
35			type OIDCcredentialsInResponse struct {
36			AccessKeyId string `json:"AccessKeyId" xml:"AccessKeyId"`
37			AccessKeySecret string `json:"AccessKeySecret" xml:"AccessKeySecret"`
38			SecurityToken string `json:"SecurityToken" xml:"SecurityToken"`
39			Expiration string `json:"Expiration" xml:"Expiration"`
40			}
41
42			func newOIDCRoleArnCredential(accessKeyId, accessKeySecret, roleArn, OIDCProviderArn, OIDCTokenFilePath, RoleSessionName, policy string, RoleSessionExpiration int, runtime utils.Runtime) OIDCCredentialsProvider {
43			return &OIDCCredentialsProvider{
44			AccessKeyId: accessKeyId,
45			AccessKeySecret: accessKeySecret,
46			RoleArn: roleArn,
47			OIDCProviderArn: OIDCProviderArn,
48			OIDCTokenFilePath: OIDCTokenFilePath,
49			RoleSessionName: RoleSessionName,
50			Policy: policy,
51			RoleSessionExpiration: RoleSessionExpiration,
52			credentialUpdater: new(credentialUpdater),
53			runtime: runtime,
54			}
55			}
56
57			func (e OIDCCredentialsProvider) GetCredential() (CredentialModel, error) {
58			if e.sessionCredential == nil \|\| e.needUpdateCredential() {
59			err := e.updateCredential()
60			if err != nil {
61			return nil, err
62			}
63			}
64			credential := &CredentialModel{
65			AccessKeyId: tea.String(e.sessionCredential.AccessKeyId),
66			AccessKeySecret: tea.String(e.sessionCredential.AccessKeySecret),
67			SecurityToken: tea.String(e.sessionCredential.SecurityToken),
68			Type: tea.String("oidc_role_arn"),
69			}
70			return credential, nil
71			}
72
73			// GetAccessKeyId reutrns OIDCCredential's AccessKeyId
74			// if AccessKeyId is not exist or out of date, the function will update it.
75			func (r OIDCCredentialsProvider) GetAccessKeyId() (accessKeyId string, err error) {
76			c, err := r.GetCredential()
77			if err != nil {
78			return
79			}
80
81			accessKeyId = c.AccessKeyId
82			return
83			}
84
85			// GetAccessSecret reutrns OIDCCredential's AccessKeySecret
86			// if AccessKeySecret is not exist or out of date, the function will update it.
87			func (r OIDCCredentialsProvider) GetAccessKeySecret() (accessKeySecret string, err error) {
88			c, err := r.GetCredential()
89			if err != nil {
90			return
91			}
92
93			accessKeySecret = c.AccessKeySecret
94			return
95			}
96
97			// GetSecurityToken reutrns OIDCCredential's SecurityToken
98			// if SecurityToken is not exist or out of date, the function will update it.
99			func (r OIDCCredentialsProvider) GetSecurityToken() (securityToken string, err error) {
100			c, err := r.GetCredential()
101			if err != nil {
102			return
103			}
104
105			securityToken = c.SecurityToken
106			return
107			}
108
109			// GetBearerToken is useless OIDCCredential
110			func (r OIDCCredentialsProvider) GetBearerToken() string {
111			return tea.String("")
112			}
113
114			// GetType reutrns OIDCCredential's type
115			func (r OIDCCredentialsProvider) GetType() string {
116			return tea.String("oidc_role_arn")
117			}
118
119			func getOIDCToken(tokenFilePath string) *string {
120			_, err := os.Stat(tokenFilePath)
121			if os.IsNotExist(err) {
122			tokenFilePath = os.Getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE")
123			if tokenFilePath == "" {
124			return nil
125			}
126			}
127			byt, err := ioutil.ReadFile(tokenFilePath)
128			if err != nil {
129			return nil
130			}
131			return tea.String(string(byt))
132			}
133
134			func (r *OIDCCredentialsProvider) updateCredential() (err error) {
135			if r.runtime == nil {
136			r.runtime = new(utils.Runtime)
137			}
138			request := request.NewCommonRequest()
139			request.Domain = "sts.aliyuncs.com"
140			if r.runtime.STSEndpoint != "" {
141			request.Domain = r.runtime.STSEndpoint
142			}
143			request.Scheme = "HTTPS"
144			request.Method = "POST"
145			request.QueryParams["Timestamp"] = utils.GetTimeInFormatISO8601()
146			request.QueryParams["Action"] = "AssumeRoleWithOIDC"
147			request.QueryParams["Format"] = "JSON"
148			request.BodyParams["RoleArn"] = r.RoleArn
149			request.BodyParams["OIDCProviderArn"] = r.OIDCProviderArn
150			token := getOIDCToken(r.OIDCTokenFilePath)
151			request.BodyParams["OIDCToken"] = tea.StringValue(token)
152			if r.Policy != "" {
153			request.QueryParams["Policy"] = r.Policy
154			}
155			if r.RoleSessionExpiration > 0 {
156			request.QueryParams["DurationSeconds"] = strconv.Itoa(r.RoleSessionExpiration)
157			}
158			request.QueryParams["RoleSessionName"] = r.RoleSessionName
159			request.QueryParams["Version"] = "2015-04-01"
160			request.QueryParams["SignatureNonce"] = utils.GetUUID()
161			request.Headers["Host"] = request.Domain
162			request.Headers["Accept-Encoding"] = "identity"
163			request.Headers["content-type"] = "application/x-www-form-urlencoded"
164			request.URL = request.BuildURL()
165			content, err := doAction(request, r.runtime)
166			if err != nil {
167			return fmt.Errorf("refresh RoleArn sts token err: %s", err.Error())
168			}
169			var resp *OIDCResponse
170			err = json.Unmarshal(content, &resp)
171			if err != nil {
172			return fmt.Errorf("refresh RoleArn sts token err: Json.Unmarshal fail: %s", err.Error())
173			}
174			if resp == nil \|\| resp.Credentials == nil {
175			return fmt.Errorf("refresh RoleArn sts token err: Credentials is empty")
176			}
177			respCredentials := resp.Credentials
178			if respCredentials.AccessKeyId == "" \|\| respCredentials.AccessKeySecret == "" \|\| respCredentials.SecurityToken == "" \|\| respCredentials.Expiration == "" {
179			return fmt.Errorf("refresh RoleArn sts token err: AccessKeyId: %s, AccessKeySecret: %s, SecurityToken: %s, Expiration: %s", respCredentials.AccessKeyId, respCredentials.AccessKeySecret, respCredentials.SecurityToken, respCredentials.Expiration)
180			}
181
182			expirationTime, err := time.Parse("2006-01-02T15:04:05Z", respCredentials.Expiration)
183			r.lastUpdateTimestamp = time.Now().Unix()
184			r.credentialExpiration = int(expirationTime.Unix() - time.Now().Unix())
185			r.sessionCredential = &sessionCredential{
186			AccessKeyId: respCredentials.AccessKeyId,
187			AccessKeySecret: respCredentials.AccessKeySecret,
188			SecurityToken: respCredentials.SecurityToken,
189			}
190
191			return
192			}
193

aliyun / credentials-go

GitHub Access Token became invalid

Push — master ( 20bc66...10e109 )

AccessKeyId A

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like