credentials.newEcsRAMRoleCredentialWithEnableIMDSv2 - Code Metrics - Inspection of "docs: update IMDSv2 doc for ecs ram role" - aliyun/credentials-go - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — master ( 461384...5f7217 )

unknown

created 2024-05-24 03:59 UTC

edentialWithEnableIMDSv2 A

↳ Parent: credentials/ecs_ram_role.go

Complexity

Conditions

Size

Total Lines	11
Code Lines	10

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
cc	3
eloc	10
nop	5
dl	0
loc	11
rs	9.9
c	0
b	0
f	0

package credentials

import (
	"encoding/json"
	"fmt"
	"strconv"
	"time"

	"github.com/alibabacloud-go/tea/tea"
	"github.com/aliyun/credentials-go/credentials/request"
	"github.com/aliyun/credentials-go/credentials/utils"
)

var securityCredURL = "http://100.100.100.200/latest/meta-data/ram/security-credentials/"
var securityCredTokenURL = "http://100.100.100.200/latest/api/token"

const defaultMetadataTokenDuration = int(21600)

// EcsRAMRoleCredential is a kind of credential
type EcsRAMRoleCredential struct {
	*credentialUpdater
	RoleName              string
	EnableIMDSv2          bool
	MetadataTokenDuration int
	sessionCredential     *sessionCredential
	runtime               *utils.Runtime
	metadataToken         string
	staleTime             int64
}

type ecsRAMRoleResponse struct {
	Code            string `json:"Code" xml:"Code"`
	AccessKeyId     string `json:"AccessKeyId" xml:"AccessKeyId"`
	AccessKeySecret string `json:"AccessKeySecret" xml:"AccessKeySecret"`
	SecurityToken   string `json:"SecurityToken" xml:"SecurityToken"`
	Expiration      string `json:"Expiration" xml:"Expiration"`
}

func newEcsRAMRoleCredential(roleName string, inAdvanceScale float64, runtime *utils.Runtime) *EcsRAMRoleCredential {
	credentialUpdater := new(credentialUpdater)
	if inAdvanceScale < 1 && inAdvanceScale > 0 {
		credentialUpdater.inAdvanceScale = inAdvanceScale
	}
	return &EcsRAMRoleCredential{
		RoleName:          roleName,
		credentialUpdater: credentialUpdater,
		runtime:           runtime,
	}
}

func newEcsRAMRoleCredentialWithEnableIMDSv2(roleName string, enableIMDSv2 bool, metadataTokenDuration int, inAdvanceScale float64, runtime *utils.Runtime) *EcsRAMRoleCredential {
	credentialUpdater := new(credentialUpdater)
	if inAdvanceScale < 1 && inAdvanceScale > 0 {
		credentialUpdater.inAdvanceScale = inAdvanceScale
	}
	return &EcsRAMRoleCredential{
		RoleName:              roleName,
		EnableIMDSv2:          enableIMDSv2,
		MetadataTokenDuration: metadataTokenDuration,
		credentialUpdater:     credentialUpdater,
		runtime:               runtime,
	}
}

func (e *EcsRAMRoleCredential) GetCredential() (*CredentialModel, error) {
	if e.sessionCredential == nil || e.needUpdateCredential() {
		err := e.updateCredential()
		if err != nil {
			return nil, err
		}
	}
	credential := &CredentialModel{
		AccessKeyId:     tea.String(e.sessionCredential.AccessKeyId),
		AccessKeySecret: tea.String(e.sessionCredential.AccessKeySecret),
		SecurityToken:   tea.String(e.sessionCredential.SecurityToken),
		Type:            tea.String("ecs_ram_role"),
	}
	return credential, nil
}

// GetAccessKeyId reutrns  EcsRAMRoleCredential's AccessKeyId
// if AccessKeyId is not exist or out of date, the function will update it.
func (e *EcsRAMRoleCredential) GetAccessKeyId() (*string, error) {
	if e.sessionCredential == nil || e.needUpdateCredential() {
		err := e.updateCredential()
		if err != nil {
			if e.credentialExpiration > (int(time.Now().Unix()) - int(e.lastUpdateTimestamp)) {
				return &e.sessionCredential.AccessKeyId, nil
			}
			return tea.String(""), err
		}
	}
	return tea.String(e.sessionCredential.AccessKeyId), nil
}

// GetAccessSecret reutrns  EcsRAMRoleCredential's AccessKeySecret
// if AccessKeySecret is not exist or out of date, the function will update it.
func (e *EcsRAMRoleCredential) GetAccessKeySecret() (*string, error) {
	if e.sessionCredential == nil || e.needUpdateCredential() {
		err := e.updateCredential()
		if err != nil {
			if e.credentialExpiration > (int(time.Now().Unix()) - int(e.lastUpdateTimestamp)) {
				return &e.sessionCredential.AccessKeySecret, nil
			}
			return tea.String(""), err
		}
	}
	return tea.String(e.sessionCredential.AccessKeySecret), nil
}

// GetSecurityToken reutrns  EcsRAMRoleCredential's SecurityToken
// if SecurityToken is not exist or out of date, the function will update it.
func (e *EcsRAMRoleCredential) GetSecurityToken() (*string, error) {
	if e.sessionCredential == nil || e.needUpdateCredential() {
		err := e.updateCredential()
		if err != nil {
			if e.credentialExpiration > (int(time.Now().Unix()) - int(e.lastUpdateTimestamp)) {
				return &e.sessionCredential.SecurityToken, nil
			}
			return tea.String(""), err
		}
	}
	return tea.String(e.sessionCredential.SecurityToken), nil
}

// GetBearerToken is useless for EcsRAMRoleCredential
func (e *EcsRAMRoleCredential) GetBearerToken() *string {
	return tea.String("")
}

// GetType reutrns  EcsRAMRoleCredential's type
func (e *EcsRAMRoleCredential) GetType() *string {
	return tea.String("ecs_ram_role")
}

func getRoleName() (string, error) {
	runtime := utils.NewRuntime(1, 1, "", "")
	request := request.NewCommonRequest()
	request.URL = securityCredURL
	request.Method = "GET"
	content, err := doAction(request, runtime)
	if err != nil {
		return "", err
	}
	return string(content), nil
}

func (e *EcsRAMRoleCredential) getMetadataToken() (err error) {
	if e.needToRefresh() {
		if e.MetadataTokenDuration <= 0 {
			e.MetadataTokenDuration = defaultMetadataTokenDuration
		}
		tmpTime := time.Now().Unix() + int64(e.MetadataTokenDuration*1000)
		request := request.NewCommonRequest()
		request.URL = securityCredTokenURL
		request.Method = "PUT"
		request.Headers["X-aliyun-ecs-metadata-token-ttl-seconds"] = strconv.Itoa(e.MetadataTokenDuration)
		content, err := doAction(request, e.runtime)
		if err != nil {
			return err
		}
		e.staleTime = tmpTime
		e.metadataToken = string(content)
	}
	return
}

func (e *EcsRAMRoleCredential) updateCredential() (err error) {
	if e.runtime == nil {
		e.runtime = new(utils.Runtime)
	}
	request := request.NewCommonRequest()
	if e.RoleName == "" {
		e.RoleName, err = getRoleName()
		if err != nil {
			return fmt.Errorf("refresh Ecs sts token err: %s", err.Error())
		}
	}
	if e.EnableIMDSv2 {
		err = e.getMetadataToken()
		if err != nil {
			return fmt.Errorf("Failed to get token from ECS Metadata Service: %s", err.Error())
		}
		request.Headers["X-aliyun-ecs-metadata-token"] = e.metadataToken
	}
	request.URL = securityCredURL + e.RoleName
	request.Method = "GET"
	content, err := doAction(request, e.runtime)
	if err != nil {
		return fmt.Errorf("refresh Ecs sts token err: %s", err.Error())
	}
	var resp *ecsRAMRoleResponse
	err = json.Unmarshal(content, &resp)
	if err != nil {
		return fmt.Errorf("refresh Ecs sts token err: Json Unmarshal fail: %s", err.Error())
	}
	if resp.Code != "Success" {
		return fmt.Errorf("refresh Ecs sts token err: Code is not Success")
	}
	if resp.AccessKeyId == "" || resp.AccessKeySecret == "" || resp.SecurityToken == "" || resp.Expiration == "" {
		return fmt.Errorf("refresh Ecs sts token err: AccessKeyId: %s, AccessKeySecret: %s, SecurityToken: %s, Expiration: %s", resp.AccessKeyId, resp.AccessKeySecret, resp.SecurityToken, resp.Expiration)
	}

	expirationTime, err := time.Parse("2006-01-02T15:04:05Z", resp.Expiration)
	e.lastUpdateTimestamp = time.Now().Unix()
	e.credentialExpiration = int(expirationTime.Unix() - time.Now().Unix())
	e.sessionCredential = &sessionCredential{
		AccessKeyId:     resp.AccessKeyId,
		AccessKeySecret: resp.AccessKeySecret,
		SecurityToken:   resp.SecurityToken,
	}

	return
}

func (e *EcsRAMRoleCredential) needToRefresh() (needToRefresh bool) {
	needToRefresh = time.Now().Unix() >= e.staleTime
	return
}


1			package credentials
2
3			import (
4			"encoding/json"
5			"fmt"
6			"strconv"
7			"time"
8
9			"github.com/alibabacloud-go/tea/tea"
10			"github.com/aliyun/credentials-go/credentials/request"
11			"github.com/aliyun/credentials-go/credentials/utils"
12			)
13
14			var securityCredURL = "http://100.100.100.200/latest/meta-data/ram/security-credentials/"
15			var securityCredTokenURL = "http://100.100.100.200/latest/api/token"
16
17			const defaultMetadataTokenDuration = int(21600)
18
19			// EcsRAMRoleCredential is a kind of credential
20			type EcsRAMRoleCredential struct {
21			*credentialUpdater
22			RoleName string
23			EnableIMDSv2 bool
24			MetadataTokenDuration int
25			sessionCredential *sessionCredential
26			runtime *utils.Runtime
27			metadataToken string
28			staleTime int64
29			}
30
31			type ecsRAMRoleResponse struct {
32			Code string `json:"Code" xml:"Code"`
33			AccessKeyId string `json:"AccessKeyId" xml:"AccessKeyId"`
34			AccessKeySecret string `json:"AccessKeySecret" xml:"AccessKeySecret"`
35			SecurityToken string `json:"SecurityToken" xml:"SecurityToken"`
36			Expiration string `json:"Expiration" xml:"Expiration"`
37			}
38
39			func newEcsRAMRoleCredential(roleName string, inAdvanceScale float64, runtime utils.Runtime) EcsRAMRoleCredential {
40			credentialUpdater := new(credentialUpdater)
41			if inAdvanceScale < 1 && inAdvanceScale > 0 {
42			credentialUpdater.inAdvanceScale = inAdvanceScale
43			}
44			return &EcsRAMRoleCredential{
45			RoleName: roleName,
46			credentialUpdater: credentialUpdater,
47			runtime: runtime,
48			}
49			}
50
51			func newEcsRAMRoleCredentialWithEnableIMDSv2(roleName string, enableIMDSv2 bool, metadataTokenDuration int, inAdvanceScale float64, runtime utils.Runtime) EcsRAMRoleCredential {
52			credentialUpdater := new(credentialUpdater)
53			if inAdvanceScale < 1 && inAdvanceScale > 0 {
54			credentialUpdater.inAdvanceScale = inAdvanceScale
55			}
56			return &EcsRAMRoleCredential{
57			RoleName: roleName,
58			EnableIMDSv2: enableIMDSv2,
59			MetadataTokenDuration: metadataTokenDuration,
60			credentialUpdater: credentialUpdater,
61			runtime: runtime,
62			}
63			}
64
65			func (e EcsRAMRoleCredential) GetCredential() (CredentialModel, error) {
66			if e.sessionCredential == nil \|\| e.needUpdateCredential() {
67			err := e.updateCredential()
68			if err != nil {
69			return nil, err
70			}
71			}
72			credential := &CredentialModel{
73			AccessKeyId: tea.String(e.sessionCredential.AccessKeyId),
74			AccessKeySecret: tea.String(e.sessionCredential.AccessKeySecret),
75			SecurityToken: tea.String(e.sessionCredential.SecurityToken),
76			Type: tea.String("ecs_ram_role"),
77			}
78			return credential, nil
79			}
80
81			// GetAccessKeyId reutrns EcsRAMRoleCredential's AccessKeyId
82			// if AccessKeyId is not exist or out of date, the function will update it.
83			func (e EcsRAMRoleCredential) GetAccessKeyId() (string, error) {
84			if e.sessionCredential == nil \|\| e.needUpdateCredential() {
85			err := e.updateCredential()
86			if err != nil {
87			if e.credentialExpiration > (int(time.Now().Unix()) - int(e.lastUpdateTimestamp)) {
88			return &e.sessionCredential.AccessKeyId, nil
89			}
90			return tea.String(""), err
91			}
92			}
93			return tea.String(e.sessionCredential.AccessKeyId), nil
94			}
95
96			// GetAccessSecret reutrns EcsRAMRoleCredential's AccessKeySecret
97			// if AccessKeySecret is not exist or out of date, the function will update it.
98			func (e EcsRAMRoleCredential) GetAccessKeySecret() (string, error) {
99			if e.sessionCredential == nil \|\| e.needUpdateCredential() {
100			err := e.updateCredential()
101			if err != nil {
102			if e.credentialExpiration > (int(time.Now().Unix()) - int(e.lastUpdateTimestamp)) {
103			return &e.sessionCredential.AccessKeySecret, nil
104			}
105			return tea.String(""), err
106			}
107			}
108			return tea.String(e.sessionCredential.AccessKeySecret), nil
109			}
110
111			// GetSecurityToken reutrns EcsRAMRoleCredential's SecurityToken
112			// if SecurityToken is not exist or out of date, the function will update it.
113			func (e EcsRAMRoleCredential) GetSecurityToken() (string, error) {
114			if e.sessionCredential == nil \|\| e.needUpdateCredential() {
115			err := e.updateCredential()
116			if err != nil {
117			if e.credentialExpiration > (int(time.Now().Unix()) - int(e.lastUpdateTimestamp)) {
118			return &e.sessionCredential.SecurityToken, nil
119			}
120			return tea.String(""), err
121			}
122			}
123			return tea.String(e.sessionCredential.SecurityToken), nil
124			}
125
126			// GetBearerToken is useless for EcsRAMRoleCredential
127			func (e EcsRAMRoleCredential) GetBearerToken() string {
128			return tea.String("")
129			}
130
131			// GetType reutrns EcsRAMRoleCredential's type
132			func (e EcsRAMRoleCredential) GetType() string {
133			return tea.String("ecs_ram_role")
134			}
135
136			func getRoleName() (string, error) {
137			runtime := utils.NewRuntime(1, 1, "", "")
138			request := request.NewCommonRequest()
139			request.URL = securityCredURL
140			request.Method = "GET"
141			content, err := doAction(request, runtime)
142			if err != nil {
143			return "", err
144			}
145			return string(content), nil
146			}
147
148			func (e *EcsRAMRoleCredential) getMetadataToken() (err error) {
149			if e.needToRefresh() {
150			if e.MetadataTokenDuration <= 0 {
151			e.MetadataTokenDuration = defaultMetadataTokenDuration
152			}
153			tmpTime := time.Now().Unix() + int64(e.MetadataTokenDuration*1000)
154			request := request.NewCommonRequest()
155			request.URL = securityCredTokenURL
156			request.Method = "PUT"
157			request.Headers["X-aliyun-ecs-metadata-token-ttl-seconds"] = strconv.Itoa(e.MetadataTokenDuration)
158			content, err := doAction(request, e.runtime)
159			if err != nil {
160			return err
161			}
162			e.staleTime = tmpTime
163			e.metadataToken = string(content)
164			}
165			return
166			}
167
168			func (e *EcsRAMRoleCredential) updateCredential() (err error) {
169			if e.runtime == nil {
170			e.runtime = new(utils.Runtime)
171			}
172			request := request.NewCommonRequest()
173			if e.RoleName == "" {
174			e.RoleName, err = getRoleName()
175			if err != nil {
176			return fmt.Errorf("refresh Ecs sts token err: %s", err.Error())
177			}
178			}
179			if e.EnableIMDSv2 {
180			err = e.getMetadataToken()
181			if err != nil {
182			return fmt.Errorf("Failed to get token from ECS Metadata Service: %s", err.Error())
183			}
184			request.Headers["X-aliyun-ecs-metadata-token"] = e.metadataToken
185			}
186			request.URL = securityCredURL + e.RoleName
187			request.Method = "GET"
188			content, err := doAction(request, e.runtime)
189			if err != nil {
190			return fmt.Errorf("refresh Ecs sts token err: %s", err.Error())
191			}
192			var resp *ecsRAMRoleResponse
193			err = json.Unmarshal(content, &resp)
194			if err != nil {
195			return fmt.Errorf("refresh Ecs sts token err: Json Unmarshal fail: %s", err.Error())
196			}
197			if resp.Code != "Success" {
198			return fmt.Errorf("refresh Ecs sts token err: Code is not Success")
199			}
200			if resp.AccessKeyId == "" \|\| resp.AccessKeySecret == "" \|\| resp.SecurityToken == "" \|\| resp.Expiration == "" {
201			return fmt.Errorf("refresh Ecs sts token err: AccessKeyId: %s, AccessKeySecret: %s, SecurityToken: %s, Expiration: %s", resp.AccessKeyId, resp.AccessKeySecret, resp.SecurityToken, resp.Expiration)
202			}
203
204			expirationTime, err := time.Parse("2006-01-02T15:04:05Z", resp.Expiration)
205			e.lastUpdateTimestamp = time.Now().Unix()
206			e.credentialExpiration = int(expirationTime.Unix() - time.Now().Unix())
207			e.sessionCredential = &sessionCredential{
208			AccessKeyId: resp.AccessKeyId,
209			AccessKeySecret: resp.AccessKeySecret,
210			SecurityToken: resp.SecurityToken,
211			}
212
213			return
214			}
215
216			func (e *EcsRAMRoleCredential) needToRefresh() (needToRefresh bool) {
217			needToRefresh = time.Now().Unix() >= e.staleTime
218			return
219			}
220

aliyun / credentials-go

GitHub Access Token became invalid

Push — master ( 461384...5f7217 )

edentialWithEnableIMDSv2 A

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like