Passed
Push — master ( 10e109...9e570d )
by Jackson
10:01
created

credentials/oidc_credentials_provider.go   A

Size/Duplication

Total Lines 205
Duplicated Lines 0 %

Importance

Changes 0
Metric Value
cc 32
eloc 139
dl 0
loc 205
rs 9.84
c 0
b 0
f 0

8 Methods

Rating   Name   Duplication   Size   Complexity  
A credentials.*OIDCCredentialsProvider.GetCredential 0 14 4
A credentials.*OIDCCredentialsProvider.GetAccessKeyId 0 8 2
A credentials.*OIDCCredentialsProvider.GetSecurityToken 0 8 2
A credentials.*OIDCCredentialsProvider.GetAccessKeySecret 0 8 2
A credentials.*OIDCCredentialsProvider.GetBearerToken 0 2 1
A credentials.*OIDCCredentialsProvider.GetType 0 2 1
F credentials.*OIDCCredentialsProvider.updateCredential 0 62 14
A credentials.newOIDCRoleArnCredential 0 23 3
package credentials
import (
	"encoding/json"
	"errors"
	"fmt"
	"io/ioutil"
	"os"
	"strconv"
	"time"
	"github.com/alibabacloud-go/tea/tea"
	"github.com/aliyun/credentials-go/credentials/request"
	"github.com/aliyun/credentials-go/credentials/utils"
)
// OIDCCredentialsProvider obtains temporary STS credentials by exchanging an
// OIDC token, read from OIDCTokenFilePath, through the AssumeRoleWithOIDC
// action, and caches the result in sessionCredential until GetCredential
// decides a refresh is needed.
type OIDCCredentialsProvider struct {
	// Embedded updater: updateCredential writes its lastUpdateTimestamp and
	// credentialExpiration, and GetCredential calls its needUpdateCredential.
	*credentialUpdater
	// AccessKeyId and AccessKeySecret are stored by newOIDCRoleArnCredential;
	// no method in this file reads them. They are exported plain strings, so
	// avoid printing the whole struct (for example with %+v) into logs.
	AccessKeyId           string
	AccessKeySecret       string
	// RoleArn and OIDCProviderArn are sent as body parameters of the request.
	RoleArn               string
	OIDCProviderArn       string
	// OIDCTokenFilePath is read again on every updateCredential call; the file
	// content is sent as the OIDCToken body parameter.
	OIDCTokenFilePath     string
	// Policy is sent as a query parameter only when it is non-empty.
	Policy                string
	// RoleSessionName is always sent as a query parameter.
	RoleSessionName       string
	// RoleSessionExpiration is sent as DurationSeconds only when it is > 0.
	RoleSessionExpiration int
	// sessionCredential holds the most recently fetched credentials; nil until
	// the first successful update.
	sessionCredential     *sessionCredential
	// runtime is passed to doAction; a non-empty STSEndpoint replaces the
	// default STS host. A nil runtime is replaced by an empty one on update.
	runtime               *utils.Runtime
}
// OIDCResponse is the JSON document that updateCredential decodes from the
// AssumeRoleWithOIDC response.
type OIDCResponse struct {
	// Credentials stays nil when the response has no "Credentials" object;
	// updateCredential rejects that case. Its type, credentialsInResponse, is
	// not declared in this file (it is not OIDCcredentialsInResponse).
	Credentials *credentialsInResponse `json:"Credentials" xml:"Credentials"`
}
// OIDCcredentialsInResponse declares the four credential fields by their
// JSON/XML names.
// NOTE(review): nothing in this file references this type; OIDCResponse uses
// credentialsInResponse instead. Confirm whether it is still needed.
type OIDCcredentialsInResponse struct {
	AccessKeyId     string `json:"AccessKeyId" xml:"AccessKeyId"`
	// AccessKeySecret and SecurityToken are secret material; keep them out of
	// logs and error strings.
	AccessKeySecret string `json:"AccessKeySecret" xml:"AccessKeySecret"`
	SecurityToken   string `json:"SecurityToken" xml:"SecurityToken"`
	// Expiration is kept as the raw string from the response.
	Expiration      string `json:"Expiration" xml:"Expiration"`
}
// newOIDCRoleArnCredential builds an OIDCCredentialsProvider from the given
// settings. It performs no network or file access: the token file is neither
// opened nor validated here, only its path is resolved.
//
// When OIDCTokenFilePath is empty, the path is taken from the
// ALIBABA_CLOUD_OIDC_TOKEN_FILE environment variable. If it is still empty, a
// nil provider and an error are returned.
func newOIDCRoleArnCredential(accessKeyId, accessKeySecret, roleArn, OIDCProviderArn, OIDCTokenFilePath, RoleSessionName, policy string, RoleSessionExpiration int, runtime *utils.Runtime) (provider *OIDCCredentialsProvider, err error) {
	tokenPath := OIDCTokenFilePath
	if tokenPath == "" {
		// Fall back to the path configured through the environment.
		tokenPath = os.Getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE")
	}
	if tokenPath == "" {
		return nil, errors.New("the OIDC token file path is empty")
	}

	p := new(OIDCCredentialsProvider)
	p.credentialUpdater = new(credentialUpdater)
	p.AccessKeyId = accessKeyId
	p.AccessKeySecret = accessKeySecret
	p.RoleArn = roleArn
	p.OIDCProviderArn = OIDCProviderArn
	p.OIDCTokenFilePath = tokenPath
	p.RoleSessionName = RoleSessionName
	p.Policy = policy
	p.RoleSessionExpiration = RoleSessionExpiration
	p.runtime = runtime
	return p, nil
}
// GetCredential returns the cached session credential as a CredentialModel of
// type "oidc_role_arn". It calls updateCredential first when nothing is cached
// yet or when needUpdateCredential reports that a refresh is due; an error from
// that call is returned with a nil model.
func (r *OIDCCredentialsProvider) GetCredential() (*CredentialModel, error) {
	if stale := r.sessionCredential == nil || r.needUpdateCredential(); stale {
		if err := r.updateCredential(); err != nil {
			return nil, err
		}
	}

	cached := r.sessionCredential
	model := new(CredentialModel)
	model.AccessKeyId = tea.String(cached.AccessKeyId)
	model.AccessKeySecret = tea.String(cached.AccessKeySecret)
	model.SecurityToken = tea.String(cached.SecurityToken)
	model.Type = tea.String("oidc_role_arn")
	return model, nil
}
// GetAccessKeyId returns the AccessKeyId of the current session credential.
// It goes through GetCredential, so the credential is fetched or refreshed
// first when that is needed; on failure the result is nil and the error is
// passed on unchanged.
func (r *OIDCCredentialsProvider) GetAccessKeyId() (accessKeyId *string, err error) {
	model, err := r.GetCredential()
	if err != nil {
		return nil, err
	}
	return model.AccessKeyId, nil
}
// GetAccessKeySecret returns the AccessKeySecret of the current session
// credential. It goes through GetCredential, so the credential is fetched or
// refreshed first when that is needed; on failure the result is nil and the
// error is passed on unchanged.
func (r *OIDCCredentialsProvider) GetAccessKeySecret() (accessKeySecret *string, err error) {
	model, err := r.GetCredential()
	if err != nil {
		return nil, err
	}
	return model.AccessKeySecret, nil
}
// GetSecurityToken returns the SecurityToken of the current session
// credential. It goes through GetCredential, so the credential is fetched or
// refreshed first when that is needed; on failure the result is nil and the
// error is passed on unchanged.
func (r *OIDCCredentialsProvider) GetSecurityToken() (securityToken *string, err error) {
	model, err := r.GetCredential()
	if err != nil {
		return nil, err
	}
	return model.SecurityToken, nil
}
// GetBearerToken always returns a pointer to an empty string; this provider
// does not produce a bearer token.
func (r *OIDCCredentialsProvider) GetBearerToken() *string {
	const noToken = ""
	return tea.String(noToken)
}
// GetType returns the credential type name of this provider, "oidc_role_arn".
func (r *OIDCCredentialsProvider) GetType() *string {
	const providerType = "oidc_role_arn"
	return tea.String(providerType)
}
// getFileContent reads the whole file at filePath and returns it as a string.
// A read failure is returned unchanged with empty content; an empty file yields
// empty content together with an error naming the path. The bytes are returned
// verbatim, so any trailing newline in the file is part of the result.
//
// It is a package-level variable rather than a function, presumably so that it
// can be substituted in tests.
var getFileContent = func(filePath string) (content string, err error) {
	data, readErr := ioutil.ReadFile(filePath)
	if readErr != nil {
		return "", readErr
	}
	if len(data) == 0 {
		return "", fmt.Errorf("the content of %s is empty", filePath)
	}
	return string(data), nil
}
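// updateCredential exchanges the OIDC token stored at r.OIDCTokenFilePath for
// temporary STS credentials (action AssumeRoleWithOIDC) and caches them in
// r.sessionCredential together with their lifetime.
//
// The cached state is replaced only after the response has been fully
// validated, including its Expiration timestamp, so a malformed response never
// leaves half-updated credentials behind. Error messages do not contain the
// returned AccessKeySecret or SecurityToken: errors routinely end up in logs,
// so only the presence of those fields is reported.
func (r *OIDCCredentialsProvider) updateCredential() (err error) {
	if r.runtime == nil {
		r.runtime = new(utils.Runtime)
	}

	req := request.NewCommonRequest()
	req.Domain = "sts.aliyuncs.com"
	if r.runtime.STSEndpoint != "" {
		// The OIDC token is posted to this host, so the override must come
		// from trusted configuration.
		req.Domain = r.runtime.STSEndpoint
	}
	req.Scheme = "HTTPS"
	req.Method = "POST"
	req.QueryParams["Timestamp"] = utils.GetTimeInFormatISO8601()
	req.QueryParams["Action"] = "AssumeRoleWithOIDC"
	req.QueryParams["Format"] = "JSON"
	req.BodyParams["RoleArn"] = r.RoleArn
	req.BodyParams["OIDCProviderArn"] = r.OIDCProviderArn

	// The token file is re-read on every refresh, so a rotated token is used.
	token, err := getFileContent(r.OIDCTokenFilePath)
	if err != nil {
		return fmt.Errorf("read oidc token file failed: %s", err.Error())
	}
	// The token travels in the request body, not in the URL.
	req.BodyParams["OIDCToken"] = token

	if r.Policy != "" {
		req.QueryParams["Policy"] = r.Policy
	}
	if r.RoleSessionExpiration > 0 {
		req.QueryParams["DurationSeconds"] = strconv.Itoa(r.RoleSessionExpiration)
	}
	req.QueryParams["RoleSessionName"] = r.RoleSessionName
	req.QueryParams["Version"] = "2015-04-01"
	req.QueryParams["SignatureNonce"] = utils.GetUUID()
	req.Headers["Host"] = req.Domain
	req.Headers["Accept-Encoding"] = "identity"
	req.Headers["content-type"] = "application/x-www-form-urlencoded"
	req.URL = req.BuildURL()

	content, err := doAction(req, r.runtime)
	if err != nil {
		return fmt.Errorf("get sts token failed with: %s", err.Error())
	}

	var resp *OIDCResponse
	if err = json.Unmarshal(content, &resp); err != nil {
		return fmt.Errorf("get sts token failed with: Json.Unmarshal fail: %s", err.Error())
	}
	if resp == nil || resp.Credentials == nil {
		return fmt.Errorf("get sts token failed with: credentials is empty")
	}

	creds := resp.Credentials
	if creds.AccessKeyId == "" || creds.AccessKeySecret == "" || creds.SecurityToken == "" || creds.Expiration == "" {
		// Report presence only; secret values must not be echoed into an
		// error string that callers may log.
		presence := func(secret string) string {
			if secret == "" {
				return "<empty>"
			}
			return "<redacted>"
		}
		return fmt.Errorf("get sts token failed with: AccessKeyId: %s, AccessKeySecret: %s, SecurityToken: %s, Expiration: %s", creds.AccessKeyId, presence(creds.AccessKeySecret), presence(creds.SecurityToken), creds.Expiration)
	}

	// Validate the timestamp before touching cached state: a zero time would
	// otherwise be stored as a large negative lifetime.
	expirationTime, err := time.Parse("2006-01-02T15:04:05Z", creds.Expiration)
	if err != nil {
		return fmt.Errorf("get sts token failed with: invalid Expiration %q: %s", creds.Expiration, err.Error())
	}

	// Use one clock reading so the timestamp and the lifetime agree.
	now := time.Now().Unix()
	r.lastUpdateTimestamp = now
	r.credentialExpiration = int(expirationTime.Unix() - now)
	r.sessionCredential = &sessionCredential{
		AccessKeyId:     creds.AccessKeyId,
		AccessKeySecret: creds.AccessKeySecret,
		SecurityToken:   creds.SecurityToken,
	}

	return nil
}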