support OIDC

aliyun · Apr 23, 2024 · b3eb7f0 · b3eb7f0
1 parent 5a11958
commit b3eb7f0
Show file tree

Hide file tree

Showing 6 changed files with 88 additions and 2 deletions.
diff --git a/config/configure.go b/config/configure.go
@@ -122,6 +122,9 @@ func doConfigure(ctx *cli.Context, profileName string, mode string) error {
 		case CredentialsURI:
 			cp.Mode = CredentialsURI
 			configureCredentialsURI(w, &cp)
+		case OIDC:
+			cp.Mode = OIDC
+			configureOIDC(w, &cp)
 		default:
 			return fmt.Errorf("unexcepted authenticate mode: %s", mode)
 		}
@@ -268,6 +271,19 @@ func configureCredentialsURI(w io.Writer, cp *Profile) error {
 	return nil
 }
 
+func configureOIDC(w io.Writer, cp *Profile) error {
+	cli.Printf(w, "OIDC Provider ARN [%s]: ", cp.OIDCProviderARN)
+	cp.OIDCProviderARN = ReadInput(cp.OIDCProviderARN)
+	cli.Printf(w, "OIDC Token File [%s]: ", cp.OIDCTokenFile)
+	cp.OIDCTokenFile = ReadInput(cp.OIDCTokenFile)
+	cli.Printf(w, "RAM Role ARN [%s]: ", cp.RamRoleArn)
+	cp.RamRoleArn = ReadInput(cp.RamRoleArn)
+	cli.Printf(w, "Role Session Name [%s]: ", cp.RoleSessionName)
+	cp.RoleSessionName = ReadInput(cp.RoleSessionName)
+	cp.ExpiredSeconds = 3600
+	return nil
+}
+
 func ReadInput(defaultValue string) string {
 	var s string
 	scanner := bufio.NewScanner(os.Stdin)

diff --git a/config/configure_get_test.go b/config/configure_get_test.go
@@ -4,7 +4,7 @@
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
-//     http://www.apache.org/licenses/LICENSE-2.0
+//	http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
@@ -88,7 +88,7 @@ func TestDoConfigureGet(t *testing.T) {
 	ctx.Flags().Get("profile").SetAssigned(true)
 	ctx.Flags().Get("profile").SetValue("default")
 	doConfigureGet(ctx, []string{})
-	assert.Equal(t, "{\n\t\"name\": \"default\",\n\t\"mode\": \"AK\",\n\t\"access_key_id\": \"default_aliyun_access_key_id\",\n\t\"access_key_secret\": \"default_aliyun_access_key_secret\",\n\t\"sts_token\": \"\",\n\t\"sts_region\": \"\",\n\t\"ram_role_name\": \"\",\n\t\"ram_role_arn\": \"\",\n\t\"ram_session_name\": \"\",\n\t\"source_profile\": \"\",\n\t\"private_key\": \"\",\n\t\"key_pair_name\": \"\",\n\t\"expired_seconds\": 0,\n\t\"verified\": \"\",\n\t\"region_id\": \"\",\n\t\"output_format\": \"json\",\n\t\"language\": \"\",\n\t\"site\": \"\",\n\t\"retry_timeout\": 0,\n\t\"connect_timeout\": 0,\n\t\"retry_count\": 0,\n\t\"process_command\": \"\",\n\t\"credentials_uri\": \"\"\n}\n\n", w.String())
+	assert.Equal(t, "{\n\t\"name\": \"default\",\n\t\"mode\": \"AK\",\n\t\"access_key_id\": \"default_aliyun_access_key_id\",\n\t\"access_key_secret\": \"default_aliyun_access_key_secret\",\n\t\"sts_token\": \"\",\n\t\"sts_region\": \"\",\n\t\"ram_role_name\": \"\",\n\t\"ram_role_arn\": \"\",\n\t\"ram_session_name\": \"\",\n\t\"source_profile\": \"\",\n\t\"private_key\": \"\",\n\t\"key_pair_name\": \"\",\n\t\"expired_seconds\": 0,\n\t\"verified\": \"\",\n\t\"region_id\": \"\",\n\t\"output_format\": \"json\",\n\t\"language\": \"\",\n\t\"site\": \"\",\n\t\"retry_timeout\": 0,\n\t\"connect_timeout\": 0,\n\t\"retry_count\": 0,\n\t\"process_command\": \"\",\n\t\"credentials_uri\": \"\",\n\t\"oidc_provider_arn\": \"\",\n\t\"oidc_token_file\": \"\"\n}\n\n", w.String())
 
 	//testcase 5
 	hookLoadConfiguration = func(fn func(path string) (*Configuration, error)) func(path string) (*Configuration, error) {

diff --git a/config/configure_list.go b/config/configure_list.go
@@ -73,6 +73,8 @@ func doConfigureList(w io.Writer) {
 			cred = "ProcessCommand:" + pf.ProcessCommand
 		case CredentialsURI:
 			cred = "CredentialsURI:" + pf.CredentialsURI
+		case OIDC:
+			cred = "OIDC:" + "***" + GetLastChars(pf.OIDCProviderARN, 5) + "@***" + GetLastChars(pf.OIDCTokenFile, 5) + "@" + pf.RamRoleArn
 		}
 		fmt.Fprintf(tw, "%s\t| %s\t| %s\t| %s\t| %s\n", name, cred, valid, pf.RegionId, pf.Language)
 	}

diff --git a/config/configure_set.go b/config/configure_set.go
@@ -104,7 +104,14 @@ func doConfigureSet(w io.Writer, flags *cli.FlagSet) {
 		profile.KeyPairName = KeyPairNameFlag(flags).GetStringOrDefault(profile.KeyPairName)
 	case External:
 		profile.ProcessCommand = ProcessCommandFlag(flags).GetStringOrDefault(profile.ProcessCommand)
+	case OIDC:
+		profile.OIDCProviderARN = OIDCProviderARNFlag(flags).GetStringOrDefault(profile.OIDCProviderARN)
+		profile.OIDCTokenFile = OIDCTokenFileFlag(flags).GetStringOrDefault(profile.OIDCTokenFile)
+		profile.RamRoleArn = RamRoleArnFlag(flags).GetStringOrDefault(profile.RamRoleArn)
+		profile.RoleSessionName = RoleSessionNameFlag(flags).GetStringOrDefault(profile.RoleSessionName)
+		profile.ExpiredSeconds = ExpiredSecondsFlag(flags).GetIntegerOrDefault(profile.ExpiredSeconds)
 	}
+
 	profile.RegionId = RegionFlag(flags).GetStringOrDefault(profile.RegionId)
 	profile.Language = LanguageFlag(flags).GetStringOrDefault(profile.Language)
 	profile.OutputFormat = "json" // "output", profile.OutputFormat)

diff --git a/config/flags.go b/config/flags.go
@@ -41,6 +41,8 @@ const (
 	ConfigurePathFlagName   = "config-path"
 	ExpiredSecondsFlagName  = "expired-seconds"
 	ProcessCommandFlagName  = "process-command"
+	OIDCProviderARNFlagName = "oidc-provider-arn"
+	OIDCTokenFileFlagName   = "oidc-token-file"
 )
 
 func AddFlags(fs *cli.FlagSet) {
@@ -65,6 +67,8 @@ func AddFlags(fs *cli.FlagSet) {
 	fs.Add(NewSkipSecureVerify())
 	fs.Add(NewExpiredSecondsFlag())
 	fs.Add(NewProcessCommandFlag())
+	fs.Add(NewOIDCProviderARNFlag())
+	fs.Add(NewOIDCTokenFileFlag())
 }
 
 func ConnectTimeoutFlag(fs *cli.FlagSet) *cli.Flag {
@@ -155,6 +159,14 @@ func ProcessCommandFlag(fs *cli.FlagSet) *cli.Flag {
 	return fs.Get(ProcessCommandFlagName)
 }
 
+func OIDCProviderARNFlag(fs *cli.FlagSet) *cli.Flag {
+	return fs.Get(OIDCProviderARNFlagName)
+}
+
+func OIDCTokenFileFlag(fs *cli.FlagSet) *cli.Flag {
+	return fs.Get(OIDCTokenFileFlagName)
+}
+
 func NewProfileFlag() *cli.Flag {
 	return &cli.Flag{
 		Category:     "config",
@@ -300,6 +312,28 @@ func NewProcessCommandFlag() *cli.Flag {
 	}
 }
 
+func NewOIDCProviderARNFlag() *cli.Flag {
+	return &cli.Flag{
+		Category:     "config",
+		Name:         OIDCProviderARNFlagName,
+		AssignedMode: cli.AssignedOnce,
+		Short: i18n.T(
+			"use `--oidc-provider-arn <OIDCProviderARN>` to assign OIDC provider ARN",
+			"使用 `--oidc-provider-arn <OIDCProviderARN>` 来指定 OIDC 提供者 ARN"),
+	}
+}
+
+func NewOIDCTokenFileFlag() *cli.Flag {
+	return &cli.Flag{
+		Category:     "config",
+		Name:         OIDCTokenFileFlagName,
+		AssignedMode: cli.AssignedOnce,
+		Short: i18n.T(
+			"use `--oidc-token-file <OIDCTokenFile>` to assign OIDC token file path",
+			"使用 `--oidc-token-file <OIDCTokenFile>` 来指定 OIDC Token 文件路径"),
+	}
+}
+
 func NewRegionFlag() *cli.Flag {
 	return &cli.Flag{
 		Category:     "config",

diff --git a/config/profile.go b/config/profile.go
@@ -41,6 +41,7 @@ const (
 	ChainableRamRoleArn = AuthenticateMode("ChainableRamRoleArn")
 	External            = AuthenticateMode("External")
 	CredentialsURI      = AuthenticateMode("CredentialsURI")
+	OIDC                = AuthenticateMode("OIDC")
 )
 
 type Profile struct {
@@ -67,6 +68,8 @@ type Profile struct {
 	RetryCount      int              `json:"retry_count"`
 	ProcessCommand  string           `json:"process_command"`
 	CredentialsURI  string           `json:"credentials_uri"`
+	OIDCProviderARN string           `json:"oidc_provider_arn"`
+	OIDCTokenFile   string           `json:"oidc_token_file"`
 	parent          *Configuration   //`json:"-"`
 }
 
@@ -130,6 +133,19 @@ func (cp *Profile) Validate() error {
 		if cp.CredentialsURI == "" {
 			return fmt.Errorf("invalid credentials_uri")
 		}
+	case OIDC:
+		if cp.OIDCProviderARN == "" {
+			return fmt.Errorf("invalid oidc_provider_arn")
+		}
+		if cp.OIDCTokenFile == "" {
+			return fmt.Errorf("invalid oidc_token_file")
+		}
+		if cp.RamRoleArn == "" {
+			return fmt.Errorf("invalid ram_role_arn")
+		}
+		if cp.RoleSessionName == "" {
+			return fmt.Errorf("invalid role_session_name")
+		}
 	case ChainableRamRoleArn:
 		if cp.SourceProfile == "" {
 			return fmt.Errorf("invalid source_profile")
@@ -400,6 +416,17 @@ func (cp *Profile) GetCredential(ctx *cli.Context, proxyHost *string) (cred cred
 			SetAccessKeyId(response.AccessKeyId).
 			SetAccessKeySecret(response.AccessKeySecret).
 			SetSecurityToken(response.SecurityToken)
+
+	case OIDC:
+		config.SetType("oidc_role_arn").
+			SetOIDCProviderArn(cp.OIDCProviderARN).
+			SetOIDCTokenFilePath(cp.OIDCTokenFile).
+			SetRoleArn(cp.RamRoleArn).
+			SetRoleSessionName(cp.RoleSessionName).
+			SetSTSEndpoint(getSTSEndpoint(cp.StsRegion)).
+			SetSessionExpiration(3600).
+			SetProxy(*proxyHost)
+
 	default:
 		return nil, fmt.Errorf("unexcepted certificate mode: %s", cp.Mode)
 	}