providers.*OIDCCredentialsProviderBuilder.WithPolicy - Code Metrics - Inspection of "refine the OIDC credentials provider" - aliyun/credentials-go - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — master ( 412f4e...f5d62c )

by Jackson

created 2024-08-20 07:58 UTC

der.WithPolicy A

↳ Parent: credentials/internal/providers/oidc.go

Complexity

Conditions

Size

Total Lines	3
Code Lines	3

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
cc	1
eloc	3
nop	1
dl	0
loc	3
rs	10
c	0
b	0
f	0

package providers

import (
	"encoding/json"
	"errors"
	"fmt"
	"io/ioutil"
	"net/http"
	"os"
	"strconv"
	"strings"
	"time"

	"github.com/aliyun/credentials-go/credentials/internal/utils"
)

type OIDCCredentialsProvider struct {
	oidcProviderARN     string
	oidcTokenFilePath   string
	roleArn             string
	roleSessionName     string
	durationSeconds     int
	policy              string
	stsRegionId         string
	stsEndpoint         string
	lastUpdateTimestamp int64
	expirationTimestamp int64
	sessionCredentials  *sessionCredentials
	runtime             *utils.Runtime
}

type OIDCCredentialsProviderBuilder struct {
	provider *OIDCCredentialsProvider
}

func NewOIDCCredentialsProviderBuilder() *OIDCCredentialsProviderBuilder {
	return &OIDCCredentialsProviderBuilder{
		provider: &OIDCCredentialsProvider{},
	}
}

func (b *OIDCCredentialsProviderBuilder) WithOIDCProviderARN(oidcProviderArn string) *OIDCCredentialsProviderBuilder {
	b.provider.oidcProviderARN = oidcProviderArn
	return b
}

func (b *OIDCCredentialsProviderBuilder) WithOIDCTokenFilePath(oidcTokenFilePath string) *OIDCCredentialsProviderBuilder {
	b.provider.oidcTokenFilePath = oidcTokenFilePath
	return b
}

func (b *OIDCCredentialsProviderBuilder) WithRoleArn(roleArn string) *OIDCCredentialsProviderBuilder {
	b.provider.roleArn = roleArn
	return b
}

func (b *OIDCCredentialsProviderBuilder) WithRoleSessionName(roleSessionName string) *OIDCCredentialsProviderBuilder {
	b.provider.roleSessionName = roleSessionName
	return b
}

func (b *OIDCCredentialsProviderBuilder) WithDurationSeconds(durationSeconds int) *OIDCCredentialsProviderBuilder {
	b.provider.durationSeconds = durationSeconds
	return b
}

func (b *OIDCCredentialsProviderBuilder) WithStsRegionId(regionId string) *OIDCCredentialsProviderBuilder {
	b.provider.stsRegionId = regionId
	return b
}

func (b *OIDCCredentialsProviderBuilder) WithPolicy(policy string) *OIDCCredentialsProviderBuilder {
	b.provider.policy = policy
	return b
}

func (b *OIDCCredentialsProviderBuilder) WithSTSEndpoint(stsEndpoint string) *OIDCCredentialsProviderBuilder {
	b.provider.stsEndpoint = stsEndpoint
	return b
}

func (b *OIDCCredentialsProviderBuilder) WithRuntime(runtime *utils.Runtime) *OIDCCredentialsProviderBuilder {
	b.provider.runtime = runtime
	return b
}

func (b *OIDCCredentialsProviderBuilder) Build() (provider *OIDCCredentialsProvider, err error) {
	if b.provider.roleSessionName == "" {
		b.provider.roleSessionName = "credentials-go-" + strconv.FormatInt(time.Now().UnixNano()/1000, 10)
	}

	if b.provider.oidcTokenFilePath == "" {
		b.provider.oidcTokenFilePath = os.Getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE")
	}

	if b.provider.oidcTokenFilePath == "" {
		err = errors.New("the OIDCTokenFilePath is empty")
		return
	}

	if b.provider.oidcProviderARN == "" {
		b.provider.oidcProviderARN = os.Getenv("ALIBABA_CLOUD_OIDC_PROVIDER_ARN")
	}

	if b.provider.oidcProviderARN == "" {
		err = errors.New("the OIDCProviderARN is empty")
		return
	}

	if b.provider.roleArn == "" {
		b.provider.roleArn = os.Getenv("ALIBABA_CLOUD_ROLE_ARN")
	}

	if b.provider.roleArn == "" {
		err = errors.New("the RoleArn is empty")
		return
	}

	if b.provider.durationSeconds == 0 {
		b.provider.durationSeconds = 3600
	}

	if b.provider.durationSeconds < 900 {
		err = errors.New("the Assume Role session duration should be in the range of 15min - max duration seconds")
	}

	if b.provider.stsEndpoint == "" {
		if b.provider.stsRegionId != "" {
			b.provider.stsEndpoint = fmt.Sprintf("sts.%s.aliyuncs.com", b.provider.stsRegionId)
		} else {
			b.provider.stsEndpoint = "sts.aliyuncs.com"
		}
	}

	provider = b.provider
	return
}

func (provider *OIDCCredentialsProvider) getCredentials() (session *sessionCredentials, err error) {
	method := "POST"
	host := provider.stsEndpoint
	queries := make(map[string]string)
	queries["Version"] = "2015-04-01"
	queries["Action"] = "AssumeRoleWithOIDC"
	queries["Format"] = "JSON"
	queries["Timestamp"] = utils.GetTimeInFormatISO8601()

	bodyForm := make(map[string]string)
	bodyForm["RoleArn"] = provider.roleArn
	bodyForm["OIDCProviderArn"] = provider.oidcProviderARN
	token, err := ioutil.ReadFile(provider.oidcTokenFilePath)
	if err != nil {
		return
	}

	bodyForm["OIDCToken"] = string(token)
	if provider.policy != "" {
		bodyForm["Policy"] = provider.policy
	}

	bodyForm["RoleSessionName"] = provider.roleSessionName
	bodyForm["DurationSeconds"] = strconv.Itoa(provider.durationSeconds)

	// caculate signature
	signParams := make(map[string]string)
	for key, value := range queries {
		signParams[key] = value
	}
	for key, value := range bodyForm {
		signParams[key] = value
	}

	querystring := utils.GetURLFormedMap(queries)
	// do request
	httpUrl := fmt.Sprintf("https://%s/?%s", host, querystring)

	body := utils.GetURLFormedMap(bodyForm)

	httpRequest, err := hookNewRequest(http.NewRequest)(method, httpUrl, strings.NewReader(body))
	if err != nil {
		return
	}

	// set headers
	httpRequest.Header["Accept-Encoding"] = []string{"identity"}
	httpRequest.Header["Content-Type"] = []string{"application/x-www-form-urlencoded"}
	httpClient := &http.Client{}

	httpResponse, err := hookDo(httpClient.Do)(httpRequest)
	if err != nil {
		return
	}

	defer httpResponse.Body.Close()

	responseBody, err := ioutil.ReadAll(httpResponse.Body)
	if err != nil {
		return
	}

	if httpResponse.StatusCode != http.StatusOK {
		message := "get session token failed: "
		err = errors.New(message + string(responseBody))
		return
	}
	var data assumeRoleResponse
	err = json.Unmarshal(responseBody, &data)
	if err != nil {
		err = fmt.Errorf("get oidc sts token err, json.Unmarshal fail: %s", err.Error())
		return
	}
	if data.Credentials == nil {
		err = fmt.Errorf("get oidc sts token err, fail to get credentials")
		return
	}

	if data.Credentials.AccessKeyId == nil || data.Credentials.AccessKeySecret == nil || data.Credentials.SecurityToken == nil {
		err = fmt.Errorf("refresh RoleArn sts token err, fail to get credentials")
		return
	}

	session = &sessionCredentials{
		AccessKeyId:     *data.Credentials.AccessKeyId,
		AccessKeySecret: *data.Credentials.AccessKeySecret,
		SecurityToken:   *data.Credentials.SecurityToken,
		Expiration:      *data.Credentials.Expiration,
	}
	return
}

func (provider *OIDCCredentialsProvider) needUpdateCredential() (result bool) {
	if provider.expirationTimestamp == 0 {
		return true
	}

	return provider.expirationTimestamp-time.Now().Unix() <= 180
}

func (provider *OIDCCredentialsProvider) GetCredentials() (cc *Credentials, err error) {
	if provider.sessionCredentials == nil || provider.needUpdateCredential() {
		sessionCredentials, err1 := provider.getCredentials()
		if err1 != nil {
			return nil, err1
		}

		provider.sessionCredentials = sessionCredentials
		expirationTime, err2 := time.Parse("2006-01-02T15:04:05Z", sessionCredentials.Expiration)
		if err2 != nil {
			return nil, err2
		}

		provider.lastUpdateTimestamp = time.Now().Unix()
		provider.expirationTimestamp = expirationTime.Unix()
	}

	cc = &Credentials{
		AccessKeyId:     provider.sessionCredentials.AccessKeyId,
		AccessKeySecret: provider.sessionCredentials.AccessKeySecret,
		SecurityToken:   provider.sessionCredentials.SecurityToken,
		ProviderName:    provider.GetProviderName(),
	}
	return
}

func (provider *OIDCCredentialsProvider) GetProviderName() string {
	return "oidc"
}


1			package providers
2
3			import (
4			"encoding/json"
5			"errors"
6			"fmt"
7			"io/ioutil"
8			"net/http"
9			"os"
10			"strconv"
11			"strings"
12			"time"
13
14			"github.com/aliyun/credentials-go/credentials/internal/utils"
15			)
16
17			type OIDCCredentialsProvider struct {
18			oidcProviderARN string
19			oidcTokenFilePath string
20			roleArn string
21			roleSessionName string
22			durationSeconds int
23			policy string
24			stsRegionId string
25			stsEndpoint string
26			lastUpdateTimestamp int64
27			expirationTimestamp int64
28			sessionCredentials *sessionCredentials
29			runtime *utils.Runtime
30			}
31
32			type OIDCCredentialsProviderBuilder struct {
33			provider *OIDCCredentialsProvider
34			}
35
36			func NewOIDCCredentialsProviderBuilder() *OIDCCredentialsProviderBuilder {
37			return &OIDCCredentialsProviderBuilder{
38			provider: &OIDCCredentialsProvider{},
39			}
40			}
41
42			func (b OIDCCredentialsProviderBuilder) WithOIDCProviderARN(oidcProviderArn string) OIDCCredentialsProviderBuilder {
43			b.provider.oidcProviderARN = oidcProviderArn
44			return b
45			}
46
47			func (b OIDCCredentialsProviderBuilder) WithOIDCTokenFilePath(oidcTokenFilePath string) OIDCCredentialsProviderBuilder {
48			b.provider.oidcTokenFilePath = oidcTokenFilePath
49			return b
50			}
51
52			func (b OIDCCredentialsProviderBuilder) WithRoleArn(roleArn string) OIDCCredentialsProviderBuilder {
53			b.provider.roleArn = roleArn
54			return b
55			}
56
57			func (b OIDCCredentialsProviderBuilder) WithRoleSessionName(roleSessionName string) OIDCCredentialsProviderBuilder {
58			b.provider.roleSessionName = roleSessionName
59			return b
60			}
61
62			func (b OIDCCredentialsProviderBuilder) WithDurationSeconds(durationSeconds int) OIDCCredentialsProviderBuilder {
63			b.provider.durationSeconds = durationSeconds
64			return b
65			}
66
67			func (b OIDCCredentialsProviderBuilder) WithStsRegionId(regionId string) OIDCCredentialsProviderBuilder {
68			b.provider.stsRegionId = regionId
69			return b
70			}
71
72			func (b OIDCCredentialsProviderBuilder) WithPolicy(policy string) OIDCCredentialsProviderBuilder {
73			b.provider.policy = policy
74			return b
75			}
76
77			func (b OIDCCredentialsProviderBuilder) WithSTSEndpoint(stsEndpoint string) OIDCCredentialsProviderBuilder {
78			b.provider.stsEndpoint = stsEndpoint
79			return b
80			}
81
82			func (b OIDCCredentialsProviderBuilder) WithRuntime(runtime utils.Runtime) *OIDCCredentialsProviderBuilder {
83			b.provider.runtime = runtime
84			return b
85			}
86
87			func (b OIDCCredentialsProviderBuilder) Build() (provider OIDCCredentialsProvider, err error) {
88			if b.provider.roleSessionName == "" {
89			b.provider.roleSessionName = "credentials-go-" + strconv.FormatInt(time.Now().UnixNano()/1000, 10)
90			}
91
92			if b.provider.oidcTokenFilePath == "" {
93			b.provider.oidcTokenFilePath = os.Getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE")
94			}
95
96			if b.provider.oidcTokenFilePath == "" {
97			err = errors.New("the OIDCTokenFilePath is empty")
98			return
99			}
100
101			if b.provider.oidcProviderARN == "" {
102			b.provider.oidcProviderARN = os.Getenv("ALIBABA_CLOUD_OIDC_PROVIDER_ARN")
103			}
104
105			if b.provider.oidcProviderARN == "" {
106			err = errors.New("the OIDCProviderARN is empty")
107			return
108			}
109
110			if b.provider.roleArn == "" {
111			b.provider.roleArn = os.Getenv("ALIBABA_CLOUD_ROLE_ARN")
112			}
113
114			if b.provider.roleArn == "" {
115			err = errors.New("the RoleArn is empty")
116			return
117			}
118
119			if b.provider.durationSeconds == 0 {
120			b.provider.durationSeconds = 3600
121			}
122
123			if b.provider.durationSeconds < 900 {
124			err = errors.New("the Assume Role session duration should be in the range of 15min - max duration seconds")
125			}
126
127			if b.provider.stsEndpoint == "" {
128			if b.provider.stsRegionId != "" {
129			b.provider.stsEndpoint = fmt.Sprintf("sts.%s.aliyuncs.com", b.provider.stsRegionId)
130			} else {
131			b.provider.stsEndpoint = "sts.aliyuncs.com"
132			}
133			}
134
135			provider = b.provider
136			return
137			}
138
139			func (provider OIDCCredentialsProvider) getCredentials() (session sessionCredentials, err error) {
140			method := "POST"
141			host := provider.stsEndpoint
142			queries := make(map[string]string)
143			queries["Version"] = "2015-04-01"
144			queries["Action"] = "AssumeRoleWithOIDC"
145			queries["Format"] = "JSON"
146			queries["Timestamp"] = utils.GetTimeInFormatISO8601()
147
148			bodyForm := make(map[string]string)
149			bodyForm["RoleArn"] = provider.roleArn
150			bodyForm["OIDCProviderArn"] = provider.oidcProviderARN
151			token, err := ioutil.ReadFile(provider.oidcTokenFilePath)
152			if err != nil {
153			return
154			}
155
156			bodyForm["OIDCToken"] = string(token)
157			if provider.policy != "" {
158			bodyForm["Policy"] = provider.policy
159			}
160
161			bodyForm["RoleSessionName"] = provider.roleSessionName
162			bodyForm["DurationSeconds"] = strconv.Itoa(provider.durationSeconds)
163
164			// caculate signature
165			signParams := make(map[string]string)
166			for key, value := range queries {
167			signParams[key] = value
168			}
169			for key, value := range bodyForm {
170			signParams[key] = value
171			}
172
173			querystring := utils.GetURLFormedMap(queries)
174			// do request
175			httpUrl := fmt.Sprintf("https://%s/?%s", host, querystring)
176
177			body := utils.GetURLFormedMap(bodyForm)
178
179			httpRequest, err := hookNewRequest(http.NewRequest)(method, httpUrl, strings.NewReader(body))
180			if err != nil {
181			return
182			}
183
184			// set headers
185			httpRequest.Header["Accept-Encoding"] = []string{"identity"}
186			httpRequest.Header["Content-Type"] = []string{"application/x-www-form-urlencoded"}
187			httpClient := &http.Client{}
188
189			httpResponse, err := hookDo(httpClient.Do)(httpRequest)
190			if err != nil {
191			return
192			}
193
194			defer httpResponse.Body.Close()
195
196			responseBody, err := ioutil.ReadAll(httpResponse.Body)
197			if err != nil {
198			return
199			}
200
201			if httpResponse.StatusCode != http.StatusOK {
202			message := "get session token failed: "
203			err = errors.New(message + string(responseBody))
204			return
205			}
206			var data assumeRoleResponse
207			err = json.Unmarshal(responseBody, &data)
208			if err != nil {
209			err = fmt.Errorf("get oidc sts token err, json.Unmarshal fail: %s", err.Error())
210			return
211			}
212			if data.Credentials == nil {
213			err = fmt.Errorf("get oidc sts token err, fail to get credentials")
214			return
215			}
216
217			if data.Credentials.AccessKeyId == nil \|\| data.Credentials.AccessKeySecret == nil \|\| data.Credentials.SecurityToken == nil {
218			err = fmt.Errorf("refresh RoleArn sts token err, fail to get credentials")
219			return
220			}
221
222			session = &sessionCredentials{
223			AccessKeyId: *data.Credentials.AccessKeyId,
224			AccessKeySecret: *data.Credentials.AccessKeySecret,
225			SecurityToken: *data.Credentials.SecurityToken,
226			Expiration: *data.Credentials.Expiration,
227			}
228			return
229			}
230
231			func (provider *OIDCCredentialsProvider) needUpdateCredential() (result bool) {
232			if provider.expirationTimestamp == 0 {
233			return true
234			}
235
236			return provider.expirationTimestamp-time.Now().Unix() <= 180
237			}
238
239			func (provider OIDCCredentialsProvider) GetCredentials() (cc Credentials, err error) {
240			if provider.sessionCredentials == nil \|\| provider.needUpdateCredential() {
241			sessionCredentials, err1 := provider.getCredentials()
242			if err1 != nil {
243			return nil, err1
244			}
245
246			provider.sessionCredentials = sessionCredentials
247			expirationTime, err2 := time.Parse("2006-01-02T15:04:05Z", sessionCredentials.Expiration)
248			if err2 != nil {
249			return nil, err2
250			}
251
252			provider.lastUpdateTimestamp = time.Now().Unix()
253			provider.expirationTimestamp = expirationTime.Unix()
254			}
255
256			cc = &Credentials{
257			AccessKeyId: provider.sessionCredentials.AccessKeyId,
258			AccessKeySecret: provider.sessionCredentials.AccessKeySecret,
259			SecurityToken: provider.sessionCredentials.SecurityToken,
260			ProviderName: provider.GetProviderName(),
261			}
262			return
263			}
264
265			func (provider *OIDCCredentialsProvider) GetProviderName() string {
266			return "oidc"
267			}
268

aliyun / credentials-go

GitHub Access Token became invalid

Push — master ( 412f4e...f5d62c )

der.WithPolicy A

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like