-
Notifications
You must be signed in to change notification settings - Fork 15
Expand file tree
/
Copy pathcli_profile.go
More file actions
506 lines (435 loc) · 15.5 KB
/
cli_profile.go
File metadata and controls
506 lines (435 loc) · 15.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
package providers
import (
"encoding/json"
"errors"
"fmt"
"io/ioutil"
"os"
"path"
"strconv"
"strings"
"sync"
"time"
"github.com/aliyun/credentials-go/credentials/internal/utils"
)
type CLIProfileCredentialsProvider struct {
profileFile string
profileName string
innerProvider CredentialsProvider
// 文件锁,用于并发安全
fileMutex sync.RWMutex
}
type CLIProfileCredentialsProviderBuilder struct {
provider *CLIProfileCredentialsProvider
}
func (b *CLIProfileCredentialsProviderBuilder) WithProfileFile(profileFile string) *CLIProfileCredentialsProviderBuilder {
b.provider.profileFile = profileFile
return b
}
func (b *CLIProfileCredentialsProviderBuilder) WithProfileName(profileName string) *CLIProfileCredentialsProviderBuilder {
b.provider.profileName = profileName
return b
}
func (b *CLIProfileCredentialsProviderBuilder) Build() (provider *CLIProfileCredentialsProvider, err error) {
// 优先级:
// 1. 使用显示指定的 profileFile
// 2. 使用环境变量(ALIBABA_CLOUD_CONFIG_FILE)指定的 profileFile
// 3. 兜底使用 path.Join(homeDir, ".aliyun/config") 作为 profileFile
if b.provider.profileFile == "" {
b.provider.profileFile = os.Getenv("ALIBABA_CLOUD_CONFIG_FILE")
}
// 优先级:
// 1. 使用显示指定的 profileName
// 2. 使用环境变量(ALIBABA_CLOUD_PROFILE)制定的 profileName
// 3. 使用 CLI 配置中的当前 profileName
if b.provider.profileName == "" {
b.provider.profileName = os.Getenv("ALIBABA_CLOUD_PROFILE")
}
if strings.ToLower(os.Getenv("ALIBABA_CLOUD_CLI_PROFILE_DISABLED")) == "true" {
err = errors.New("the CLI profile is disabled")
return
}
provider = b.provider
return
}
func NewCLIProfileCredentialsProviderBuilder() *CLIProfileCredentialsProviderBuilder {
return &CLIProfileCredentialsProviderBuilder{
provider: &CLIProfileCredentialsProvider{},
}
}
type profile struct {
Name string `json:"name"`
Mode string `json:"mode"`
AccessKeyID string `json:"access_key_id"`
AccessKeySecret string `json:"access_key_secret"`
SecurityToken string `json:"sts_token"`
RegionID string `json:"region_id"`
RoleArn string `json:"ram_role_arn"`
RoleSessionName string `json:"ram_session_name"`
DurationSeconds int `json:"expired_seconds"`
StsRegion string `json:"sts_region"`
EnableVpc bool `json:"enable_vpc"`
SourceProfile string `json:"source_profile"`
RoleName string `json:"ram_role_name"`
OIDCTokenFile string `json:"oidc_token_file"`
OIDCProviderARN string `json:"oidc_provider_arn"`
Policy string `json:"policy"`
ExternalId string `json:"external_id"`
SignInUrl string `json:"cloud_sso_sign_in_url"`
AccountId string `json:"cloud_sso_account_id"`
AccessConfig string `json:"cloud_sso_access_config"`
AccessToken string `json:"access_token"`
AccessTokenExpire int64 `json:"cloud_sso_access_token_expire"`
OauthSiteType string `json:"oauth_site_type"`
OauthRefreshToken string `json:"oauth_refresh_token"`
OauthAccessToken string `json:"oauth_access_token"`
OauthAccessTokenExpire int64 `json:"oauth_access_token_expire"`
StsExpire int64 `json:"sts_expiration"`
ProcessCommand string `json:"process_command"`
}
type configuration struct {
Current string `json:"current"`
Profiles []*profile `json:"profiles"`
}
func newConfigurationFromPath(cfgPath string) (conf *configuration, err error) {
bytes, err := ioutil.ReadFile(cfgPath)
if err != nil {
err = fmt.Errorf("reading aliyun cli config from '%s' failed %v", cfgPath, err)
return
}
conf = &configuration{}
err = json.Unmarshal(bytes, conf)
if err != nil {
err = fmt.Errorf("unmarshal aliyun cli config from '%s' failed: %s", cfgPath, string(bytes))
return
}
if conf.Profiles == nil || len(conf.Profiles) == 0 {
err = fmt.Errorf("no any configured profiles in '%s'", cfgPath)
return
}
return
}
func (conf *configuration) getProfile(name string) (profile *profile, err error) {
for _, p := range conf.Profiles {
if p.Name == name {
profile = p
return
}
}
err = fmt.Errorf("unable to get profile with '%s'", name)
return
}
var oauthBaseUrlMap = map[string]string{
"CN": "https://oauth.aliyun.com",
"INTL": "https://oauth.alibabacloud.com",
}
var oauthClientMap = map[string]string{
"CN": "4038181954557748008",
"INTL": "4103531455503354461",
}
func (provider *CLIProfileCredentialsProvider) getCredentialsProvider(conf *configuration, profileName string) (credentialsProvider CredentialsProvider, err error) {
p, err := conf.getProfile(profileName)
if err != nil {
return
}
switch p.Mode {
case "AK":
credentialsProvider, err = NewStaticAKCredentialsProviderBuilder().
WithAccessKeyId(p.AccessKeyID).
WithAccessKeySecret(p.AccessKeySecret).
Build()
case "StsToken":
credentialsProvider, err = NewStaticSTSCredentialsProviderBuilder().
WithAccessKeyId(p.AccessKeyID).
WithAccessKeySecret(p.AccessKeySecret).
WithSecurityToken(p.SecurityToken).
Build()
case "RamRoleArn":
previousProvider, err1 := NewStaticAKCredentialsProviderBuilder().
WithAccessKeyId(p.AccessKeyID).
WithAccessKeySecret(p.AccessKeySecret).
Build()
if err1 != nil {
return nil, err1
}
credentialsProvider, err = NewRAMRoleARNCredentialsProviderBuilder().
WithCredentialsProvider(previousProvider).
WithRoleArn(p.RoleArn).
WithRoleSessionName(p.RoleSessionName).
WithDurationSeconds(p.DurationSeconds).
WithStsRegionId(p.StsRegion).
WithEnableVpc(p.EnableVpc).
WithPolicy(p.Policy).
WithExternalId(p.ExternalId).
Build()
case "EcsRamRole":
credentialsProvider, err = NewECSRAMRoleCredentialsProviderBuilder().WithRoleName(p.RoleName).Build()
case "OIDC":
credentialsProvider, err = NewOIDCCredentialsProviderBuilder().
WithOIDCTokenFilePath(p.OIDCTokenFile).
WithOIDCProviderARN(p.OIDCProviderARN).
WithRoleArn(p.RoleArn).
WithStsRegionId(p.StsRegion).
WithEnableVpc(p.EnableVpc).
WithDurationSeconds(p.DurationSeconds).
WithRoleSessionName(p.RoleSessionName).
WithPolicy(p.Policy).
Build()
case "ChainableRamRoleArn":
previousProvider, err1 := provider.getCredentialsProvider(conf, p.SourceProfile)
if err1 != nil {
err = fmt.Errorf("get source profile failed: %s", err1.Error())
return
}
credentialsProvider, err = NewRAMRoleARNCredentialsProviderBuilder().
WithCredentialsProvider(previousProvider).
WithRoleArn(p.RoleArn).
WithRoleSessionName(p.RoleSessionName).
WithDurationSeconds(p.DurationSeconds).
WithStsRegionId(p.StsRegion).
WithEnableVpc(p.EnableVpc).
WithPolicy(p.Policy).
WithExternalId(p.ExternalId).
Build()
case "CloudSSO":
credentialsProvider, err = NewCloudSSOCredentialsProviderBuilder().
WithSignInUrl(p.SignInUrl).
WithAccountId(p.AccountId).
WithAccessConfig(p.AccessConfig).
WithAccessToken(p.AccessToken).
WithAccessTokenExpire(p.AccessTokenExpire).
Build()
case "OAuth":
siteType := strings.ToUpper(p.OauthSiteType)
signInUrl := oauthBaseUrlMap[siteType]
if signInUrl == "" {
err = fmt.Errorf("invalid site type, support CN or INTL")
return
}
clientId := oauthClientMap[siteType]
credentialsProvider, err = NewOAuthCredentialsProviderBuilder().
WithSignInUrl(signInUrl).
WithClientId(clientId).
WithRefreshToken(p.OauthRefreshToken).
WithAccessToken(p.OauthAccessToken).
WithAccessTokenExpire(p.OauthAccessTokenExpire).
WithTokenUpdateCallback(provider.getOAuthTokenUpdateCallback()).
Build()
case "External":
credentialsProvider, err = NewExternalCredentialsProviderBuilder().
WithProcessCommand(p.ProcessCommand).
WithCredentialUpdateCallback(provider.getExternalCredentialUpdateCallback()).
Build()
default:
err = fmt.Errorf("unsupported profile mode '%s'", p.Mode)
}
return
}
// 默认设置为 GetHomePath,测试时便于 mock
var getHomePath = utils.GetHomePath
func (provider *CLIProfileCredentialsProvider) GetCredentials() (cc *Credentials, err error) {
if provider.innerProvider == nil {
cfgPath := provider.profileFile
if cfgPath == "" {
homeDir := getHomePath()
if homeDir == "" {
err = fmt.Errorf("cannot found home dir")
return
}
cfgPath = path.Join(homeDir, ".aliyun/config.json")
provider.profileFile = cfgPath
}
conf, err1 := newConfigurationFromPath(cfgPath)
if err1 != nil {
err = err1
return
}
if provider.profileName == "" {
provider.profileName = conf.Current
}
provider.innerProvider, err = provider.getCredentialsProvider(conf, provider.profileName)
if err != nil {
return
}
}
innerCC, err := provider.innerProvider.GetCredentials()
if err != nil {
return
}
providerName := innerCC.ProviderName
if providerName == "" {
providerName = provider.innerProvider.GetProviderName()
}
cc = &Credentials{
AccessKeyId: innerCC.AccessKeyId,
AccessKeySecret: innerCC.AccessKeySecret,
SecurityToken: innerCC.SecurityToken,
ProviderName: fmt.Sprintf("%s/%s", provider.GetProviderName(), providerName),
}
return
}
func (provider *CLIProfileCredentialsProvider) GetProviderName() string {
return "cli_profile"
}
// findSourceOAuthProfile 递归查找 OAuth source profile
func (conf *configuration) findSourceOAuthProfile(profileName string) (*profile, error) {
profile, err := conf.getProfile(profileName)
if err != nil {
return nil, fmt.Errorf("unable to get profile with name '%s' from cli credentials file: %v", profileName, err)
}
if profile.Mode == "OAuth" {
return profile, nil
}
if profile.SourceProfile != "" {
return conf.findSourceOAuthProfile(profile.SourceProfile)
}
return nil, fmt.Errorf("unable to get OAuth profile with name '%s' from cli credentials file", profileName)
}
// updateOAuthTokens 更新OAuth令牌并写回配置文件
func (provider *CLIProfileCredentialsProvider) updateOAuthTokens(refreshToken, accessToken, accessKey, secret, securityToken string, accessTokenExpire, stsExpire int64) error {
provider.fileMutex.Lock()
defer provider.fileMutex.Unlock()
cfgPath := provider.profileFile
conf, err := newConfigurationFromPath(cfgPath)
if err != nil {
return fmt.Errorf("failed to read config file: %v", err)
}
profileName := provider.profileName
if profileName == "" {
profileName = conf.Current
}
if profileName == "" {
return fmt.Errorf("unable to get profile to update")
}
// 递归查找真正的 OAuth source profile
sourceProfile, err := conf.findSourceOAuthProfile(profileName)
if err != nil {
return fmt.Errorf("failed to find OAuth source profile: %v", err)
}
// update OAuth tokens
sourceProfile.OauthRefreshToken = refreshToken
sourceProfile.OauthAccessToken = accessToken
sourceProfile.OauthAccessTokenExpire = accessTokenExpire
// update STS credentials
sourceProfile.AccessKeyID = accessKey
sourceProfile.AccessKeySecret = secret
sourceProfile.SecurityToken = securityToken
sourceProfile.StsExpire = stsExpire
// write back with file lock
return provider.writeConfigurationToFileWithLock(cfgPath, conf)
}
// writeConfigurationToFile 将配置写入文件,使用原子写入确保数据完整性
func (provider *CLIProfileCredentialsProvider) writeConfigurationToFile(cfgPath string, conf *configuration) error {
// 获取原文件权限(如果存在)
fileMode := os.FileMode(0644)
if stat, err := os.Stat(cfgPath); err == nil {
fileMode = stat.Mode()
}
// 创建唯一临时文件
tempFile := cfgPath + ".tmp-" + strconv.FormatInt(time.Now().UnixNano(), 10)
// 写入临时文件
err := provider.writeConfigFile(tempFile, fileMode, conf)
if err != nil {
return fmt.Errorf("failed to write temp file: %v", err)
}
// 原子性重命名,确保文件完整性
err = os.Rename(tempFile, cfgPath)
if err != nil {
// 清理临时文件
os.Remove(tempFile)
return fmt.Errorf("failed to rename temp file: %v", err)
}
return nil
}
// writeConfigFile 写入配置文件
func (provider *CLIProfileCredentialsProvider) writeConfigFile(filename string, fileMode os.FileMode, conf *configuration) error {
f, err := os.OpenFile(filename, os.O_CREATE|os.O_TRUNC|os.O_RDWR, fileMode)
if err != nil {
return fmt.Errorf("failed to create config file: %w", err)
}
defer func() {
closeErr := f.Close()
if err == nil && closeErr != nil {
err = fmt.Errorf("failed to close config file: %w", closeErr)
}
}()
encoder := json.NewEncoder(f)
encoder.SetIndent("", " ")
if err = encoder.Encode(conf); err != nil {
return fmt.Errorf("failed to serialize config: %w", err)
}
return nil
}
// writeConfigurationToFileWithLock 使用操作系统级别的文件锁写入配置文件
func (provider *CLIProfileCredentialsProvider) writeConfigurationToFileWithLock(cfgPath string, conf *configuration) error {
// 获取原文件权限(如果存在)
fileMode := os.FileMode(0644)
if stat, err := os.Stat(cfgPath); err == nil {
fileMode = stat.Mode()
}
// 打开文件用于锁定
file, err := os.OpenFile(cfgPath, os.O_RDWR|os.O_CREATE, fileMode)
if err != nil {
return fmt.Errorf("failed to open config file: %v", err)
}
// 获取独占锁(阻塞其他进程)
err = lockFile(int(file.Fd()))
if err != nil {
file.Close()
return fmt.Errorf("failed to acquire file lock: %v", err)
}
// 创建唯一临时文件
tempFile := cfgPath + ".tmp-" + strconv.FormatInt(time.Now().UnixNano(), 10)
err = provider.writeConfigFile(tempFile, fileMode, conf)
if err != nil {
unlockFile(int(file.Fd()))
file.Close()
return fmt.Errorf("failed to write temp file: %v", err)
}
// 关闭并解锁原文件,以便在Windows上可以重命名
unlockFile(int(file.Fd()))
file.Close()
// 原子性重命名
err = os.Rename(tempFile, cfgPath)
if err != nil {
os.Remove(tempFile)
return fmt.Errorf("failed to rename temp file: %v", err)
}
return nil
}
// getOAuthTokenUpdateCallback 获取OAuth令牌更新回调函数
func (provider *CLIProfileCredentialsProvider) getOAuthTokenUpdateCallback() OAuthTokenUpdateCallback {
return func(refreshToken, accessToken, accessKey, secret, securityToken string, accessTokenExpire, stsExpire int64) error {
return provider.updateOAuthTokens(refreshToken, accessToken, accessKey, secret, securityToken, accessTokenExpire, stsExpire)
}
}
// getExternalCredentialUpdateCallback 获取External凭证更新回调函数
func (provider *CLIProfileCredentialsProvider) getExternalCredentialUpdateCallback() ExternalCredentialUpdateCallback {
return func(accessKeyId, accessKeySecret, securityToken string, expiration int64) error {
return provider.updateExternalCredentials(accessKeyId, accessKeySecret, securityToken, expiration)
}
}
// updateExternalCredentials 更新External凭证并写回配置文件
func (provider *CLIProfileCredentialsProvider) updateExternalCredentials(accessKeyId, accessKeySecret, securityToken string, expiration int64) error {
provider.fileMutex.Lock()
defer provider.fileMutex.Unlock()
cfgPath := provider.profileFile
conf, err := newConfigurationFromPath(cfgPath)
if err != nil {
return fmt.Errorf("failed to read config file: %v", err)
}
profileName := provider.profileName
profile, err := conf.getProfile(profileName)
if err != nil {
return fmt.Errorf("failed to get profile %s: %v", profileName, err)
}
// update
profile.AccessKeyID = accessKeyId
profile.AccessKeySecret = accessKeySecret
profile.SecurityToken = securityToken
if expiration > 0 {
profile.StsExpire = expiration
}
// write back with file lock
return provider.writeConfigurationToFileWithLock(cfgPath, conf)
}