From b62a4e4fd318697db8f91ed0c59d1b1a63132358 Mon Sep 17 00:00:00 2001 From: zpp <865287328@qq.com> Date: Fri, 3 Jan 2025 18:06:38 +0800 Subject: [PATCH] feat: support cli provider and uri provider --- aliyun-net-sdk-core.Tests/.aliyun/config.json | 76 ++++ .../Units/.aliyun/config.json | 76 ++++ .../Auth/CLIProfileCredentialsProviderTest.cs | 149 ++++++++ .../Provider/DefaultCredentialProviderTest.cs | 26 +- .../Units/Auth/URLCredentialProviderTest.cs | 38 ++ aliyun-net-sdk-core.Tests/Units/TestHelper.cs | 19 + aliyun-net-sdk-core.Tests/empty_file.json | 0 .../full_cli_config.json | 46 +++ .../invalid_cli_config.json | 1 + .../mock_empty_cli_config.json | 1 + .../Provider/CLIProfileCredentialsProvider.cs | 345 ++++++++++++++++++ .../Provider/DefaultCredentialProvider.cs | 138 ++++++- .../ECSMetadataServiceCredentialsFetcher.cs | 2 +- .../EnvironmentVariableCredentialsProvider.cs | 27 ++ .../InstanceProfileCredentialsProvider.cs | 9 +- .../Auth/Provider/OIDCCredentialsProvider.cs | 198 ++++++++-- .../Provider/ProfileCredentialsProvider.cs | 241 ++++++++++++ ...STSAssumeRoleSessionCredentialsProvider.cs | 202 +++++++++- .../Auth/Provider/URLCredentialProvider.cs | 152 ++++++++ .../Auth/Sts/AssumeRoleRequest.cs | 11 + aliyun-net-sdk-core/DefaultAcsClient.cs | 2 +- .../Exceptions/ClientException.cs | 2 +- .../Properties/AssemblyInfo.cs | 2 +- aliyun-net-sdk-core/Utils/AuthUtils.cs | 118 ++++++ 24 files changed, 1812 insertions(+), 69 deletions(-) create mode 100644 aliyun-net-sdk-core.Tests/.aliyun/config.json create mode 100644 aliyun-net-sdk-core.Tests/Units/.aliyun/config.json create mode 100644 aliyun-net-sdk-core.Tests/Units/Auth/CLIProfileCredentialsProviderTest.cs create mode 100644 aliyun-net-sdk-core.Tests/Units/Auth/URLCredentialProviderTest.cs create mode 100644 aliyun-net-sdk-core.Tests/empty_file.json create mode 100644 aliyun-net-sdk-core.Tests/full_cli_config.json create mode 100644 aliyun-net-sdk-core.Tests/invalid_cli_config.json create mode 100644 aliyun-net-sdk-core.Tests/mock_empty_cli_config.json create mode 100644 aliyun-net-sdk-core/Auth/Provider/CLIProfileCredentialsProvider.cs create mode 100644 aliyun-net-sdk-core/Auth/Provider/EnvironmentVariableCredentialsProvider.cs create mode 100644 aliyun-net-sdk-core/Auth/Provider/ProfileCredentialsProvider.cs create mode 100644 aliyun-net-sdk-core/Auth/Provider/URLCredentialProvider.cs diff --git a/aliyun-net-sdk-core.Tests/.aliyun/config.json b/aliyun-net-sdk-core.Tests/.aliyun/config.json new file mode 100644 index 0000000000..f0f7ffd80d --- /dev/null +++ b/aliyun-net-sdk-core.Tests/.aliyun/config.json @@ -0,0 +1,76 @@ +{ + "current": "AK", + "profiles": [ + { + "name": "AK", + "mode": "AK", + "access_key_id": "akid", + "access_key_secret": "secret" + }, + { + "name": "RamRoleArn", + "mode": "RamRoleArn", + "access_key_id": "akid", + "access_key_secret": "secret", + "ram_role_arn": "arn" + }, + { + "name": "RamRoleArnEnableVpc", + "mode": "RamRoleArn", + "access_key_id": "akid", + "access_key_secret": "secret", + "ram_role_arn": "arn", + "sts_region": "cn-hangzhou", + "enable_vpc": true, + "policy": "policy", + "external_id": "id" + }, + { + "name": "Invalid_RamRoleArn", + "mode": "RamRoleArn" + }, + { + "name": "EcsRamRole", + "mode": "EcsRamRole", + "ram_role_name": "rolename" + }, + { + "name": "OIDC", + "mode": "OIDC", + "ram_role_arn": "role_arn", + "oidc_token_file": "path/to/oidc/file", + "oidc_provider_arn": "provider_arn" + }, + { + "name": "OIDCEnableVpc", + "mode": "OIDC", + "ram_role_arn": "role_arn", + "oidc_token_file": "path/to/oidc/file", + "oidc_provider_arn": "provider_arn", + "sts_region": "cn-hangzhou", + "enable_vpc": true, + "policy": "policy" + }, + { + "name": "ChainableRamRoleArn", + "mode": "ChainableRamRoleArn", + "ram_role_arn": "arn", + "source_profile": "AK" + }, + { + "name": "ChainableRamRoleArn1", + "mode": "ChainableRamRoleArn", + "ram_role_arn": "arn", + "source_profile": "ChainableRamRoleArn1" + }, + { + "name": "ChainableRamRoleArn2", + "mode": "ChainableRamRoleArn", + "source_profile": "InvalidSource" + }, + { + "name": "Unsupported", + "mode": "Unsupported" + } + ] +} \ No newline at end of file diff --git a/aliyun-net-sdk-core.Tests/Units/.aliyun/config.json b/aliyun-net-sdk-core.Tests/Units/.aliyun/config.json new file mode 100644 index 0000000000..f0f7ffd80d --- /dev/null +++ b/aliyun-net-sdk-core.Tests/Units/.aliyun/config.json @@ -0,0 +1,76 @@ +{ + "current": "AK", + "profiles": [ + { + "name": "AK", + "mode": "AK", + "access_key_id": "akid", + "access_key_secret": "secret" + }, + { + "name": "RamRoleArn", + "mode": "RamRoleArn", + "access_key_id": "akid", + "access_key_secret": "secret", + "ram_role_arn": "arn" + }, + { + "name": "RamRoleArnEnableVpc", + "mode": "RamRoleArn", + "access_key_id": "akid", + "access_key_secret": "secret", + "ram_role_arn": "arn", + "sts_region": "cn-hangzhou", + "enable_vpc": true, + "policy": "policy", + "external_id": "id" + }, + { + "name": "Invalid_RamRoleArn", + "mode": "RamRoleArn" + }, + { + "name": "EcsRamRole", + "mode": "EcsRamRole", + "ram_role_name": "rolename" + }, + { + "name": "OIDC", + "mode": "OIDC", + "ram_role_arn": "role_arn", + "oidc_token_file": "path/to/oidc/file", + "oidc_provider_arn": "provider_arn" + }, + { + "name": "OIDCEnableVpc", + "mode": "OIDC", + "ram_role_arn": "role_arn", + "oidc_token_file": "path/to/oidc/file", + "oidc_provider_arn": "provider_arn", + "sts_region": "cn-hangzhou", + "enable_vpc": true, + "policy": "policy" + }, + { + "name": "ChainableRamRoleArn", + "mode": "ChainableRamRoleArn", + "ram_role_arn": "arn", + "source_profile": "AK" + }, + { + "name": "ChainableRamRoleArn1", + "mode": "ChainableRamRoleArn", + "ram_role_arn": "arn", + "source_profile": "ChainableRamRoleArn1" + }, + { + "name": "ChainableRamRoleArn2", + "mode": "ChainableRamRoleArn", + "source_profile": "InvalidSource" + }, + { + "name": "Unsupported", + "mode": "Unsupported" + } + ] +} \ No newline at end of file diff --git a/aliyun-net-sdk-core.Tests/Units/Auth/CLIProfileCredentialsProviderTest.cs b/aliyun-net-sdk-core.Tests/Units/Auth/CLIProfileCredentialsProviderTest.cs new file mode 100644 index 0000000000..34b2234b5d --- /dev/null +++ b/aliyun-net-sdk-core.Tests/Units/Auth/CLIProfileCredentialsProviderTest.cs @@ -0,0 +1,149 @@ +using System; +using Aliyun.Acs.Core.Auth; +using Aliyun.Acs.Core.Auth.Provider; +using Aliyun.Acs.Core.Exceptions; +using Aliyun.Acs.Core.Utils; +using Newtonsoft.Json; +using Xunit; + + +namespace Aliyun.Acs.Core.Tests.Units.Auth +{ + public class CLIProfileCredentialsProviderTest + { + [Fact] + public void GetProfileNameTest() + { + CLIProfileCredentialsProvider provider = new CLIProfileCredentialsProvider(); + Assert.Null(provider.GetProfileName()); + provider = new CLIProfileCredentialsProvider("AK"); + Assert.Equal("AK", provider.GetProfileName()); + + var cacheProfile = Environment.GetEnvironmentVariable("ALIBABA_CLOUD_PROFILE"); + Environment.SetEnvironmentVariable("ALIBABA_CLOUD_PROFILE", "TEST"); + provider = new CLIProfileCredentialsProvider(); + Assert.Equal("TEST", provider.GetProfileName()); + Environment.SetEnvironmentVariable("ALIBABA_CLOUD_PROFILE", cacheProfile); + + var path = TestHelper.GetCLIConfigFilePath("aliyun"); + provider = new CLIProfileCredentialsProvider(); + var credential = provider.GetCredentials(path); + + Environment.SetEnvironmentVariable("ALIBABA_CLOUD_PROFILE", "AK"); + credential = provider.GetCredentials(path); + Environment.SetEnvironmentVariable("ALIBABA_CLOUD_PROFILE", cacheProfile); + + path = TestHelper.GetCLIConfigFilePath("empty"); + var ex = Assert.Throws(() => provider.GetCredentials(path)); + Assert.Equal("Unable to get profile form empty CLI credentials file.", ex.Message); + } + + [Fact] + public void ShouldReloadCredentialsProviderTest() + { + CLIProfileCredentialsProvider provider = new CLIProfileCredentialsProvider(); + Assert.True(provider.ShouldReloadCredentialsProvider("")); + } + + [Fact] + public void DisableCLIProfileTest() + { + bool isDisableCLIProfile = AuthUtils.EnvironmentDisableCLIProfile; + AuthUtils.EnvironmentDisableCLIProfile = true; + CLIProfileCredentialsProvider provider = new CLIProfileCredentialsProvider(); + var ex = Assert.Throws(() => { provider.GetCredentials(); }); + Assert.Contains("CLI credentials file is disabled.", ex.Message); + AuthUtils.EnvironmentDisableCLIProfile = isDisableCLIProfile; + } + + [Fact] + public void ParseProfileTest() + { + CLIProfileCredentialsProvider provider = new CLIProfileCredentialsProvider(); + var ex = Assert.Throws(() => { provider.ParseProfile("./not_exist_config.json"); }); + Assert.Contains("Unable to open credentials file", ex.Message); + + string configPath = TestHelper.GetCLIConfigFilePath("invalid"); + ex = Assert.Throws(() => { provider.ParseProfile(configPath); }); + Assert.Contains("Failed to parse credential from CLI credentials file", ex.Message); + + configPath = TestHelper.GetCLIConfigFilePath("empty"); + CLIProfileCredentialsProvider.Config config = provider.ParseProfile(configPath); + Assert.Null(config); + + configPath = TestHelper.GetCLIConfigFilePath("mock_empty"); + config = provider.ParseProfile(configPath); + Assert.NotNull(config); + Assert.Null(config.GetCurrent()); + Assert.Null(config.GetProfiles()); + + configPath = TestHelper.GetCLIConfigFilePath("full"); + config = provider.ParseProfile(configPath); + Assert.Equal("AK", config.GetCurrent()); + Assert.Equal(5, config.GetProfiles().Count); + var settings = new JsonSerializerSettings { NullValueHandling = NullValueHandling.Ignore }; + Assert.Equal( + "[{\"name\":\"AK\",\"mode\":\"AK\",\"access_key_id\":\"access_key_id\",\"access_key_secret\":\"access_key_secret\"},{\"name\":\"RamRoleArn\",\"mode\":\"RamRoleArn\",\"access_key_id\":\"access_key_id\",\"access_key_secret\":\"access_key_secret\",\"ram_role_arn\":\"ram_role_arn\",\"ram_session_name\":\"ram_session_name\",\"expired_seconds\":3600,\"sts_region\":\"cn-hangzhou\",\"enable_vpc\":true},{\"name\":\"EcsRamRole\",\"mode\":\"EcsRamRole\",\"ram_role_name\":\"ram_role_name\"},{\"name\":\"OIDC\",\"mode\":\"OIDC\",\"ram_role_arn\":\"ram_role_arn\",\"ram_session_name\":\"ram_session_name\",\"expired_seconds\":3600,\"sts_region\":\"cn-hangzhou\",\"oidc_token_file\":\"path/to/oidc/file\",\"oidc_provider_arn\":\"oidc_provider_arn\"},{\"name\":\"ChainableRamRoleArn\",\"mode\":\"ChainableRamRoleArn\",\"ram_role_arn\":\"ram_role_arn\",\"ram_session_name\":\"ram_session_name\",\"expired_seconds\":3600,\"sts_region\":\"cn-hangzhou\",\"source_profile\":\"AK\"}]", + JsonConvert.SerializeObject(config.GetProfiles(), settings)); + } + + [Fact] + public void ReloadCredentialsProviderTest() + { + CLIProfileCredentialsProvider provider = new CLIProfileCredentialsProvider(); + var configPath = TestHelper.GetCLIConfigFilePath("aliyun"); + CLIProfileCredentialsProvider.Config config = provider.ParseProfile(configPath); + var ex = Assert.Throws(() => { provider.ReloadCredentialsProvider(config, "notExist"); }); + Assert.Contains("Unable to get profile with 'notExist' form CLI credentials file.", ex.Message); + + AlibabaCloudCredentialsProvider credentialsProvider = provider.ReloadCredentialsProvider(config, "AK"); + Assert.True(credentialsProvider is StaticCredentialsProvider); + AlibabaCloudCredentials credential = credentialsProvider.GetCredentials(); + Assert.Equal("akid", credential.GetAccessKeyId()); + Assert.Equal("secret", credential.GetAccessKeySecret()); + + credentialsProvider = provider.ReloadCredentialsProvider(config, "RamRoleArn"); + Assert.True(credentialsProvider is STSAssumeRoleSessionCredentialsProvider); + ex = Assert.Throws(() => { credentialsProvider.GetCredentials(); }); + Assert.Contains("InvalidAccessKeyId.NotFound", ex.Message); + + credentialsProvider = provider.ReloadCredentialsProvider(config, "RamRoleArnEnableVpc"); + Assert.True(credentialsProvider is STSAssumeRoleSessionCredentialsProvider); + ex = Assert.Throws(() => { credentialsProvider.GetCredentials(); }); + Assert.Contains("the request url is sts-vpc.cn-hangzhou.aliyuncs.com", ex.Message); + + var ex1 = Assert.Throws(() => + { + provider.ReloadCredentialsProvider(config, "Invalid_RamRoleArn"); + }); + Assert.Contains("Access key ID cannot be null.", ex1.Message); + + credentialsProvider = provider.ReloadCredentialsProvider(config, "EcsRamRole"); + Assert.True(credentialsProvider is InstanceProfileCredentialsProvider); + + credentialsProvider = provider.ReloadCredentialsProvider(config, "OIDC"); + Assert.True(credentialsProvider is OIDCCredentialsProvider); + + credentialsProvider = provider.ReloadCredentialsProvider(config, "OIDCEnableVpc"); + Assert.True(credentialsProvider is OIDCCredentialsProvider); + + credentialsProvider = provider.ReloadCredentialsProvider(config, "ChainableRamRoleArn"); + Assert.True(credentialsProvider is STSAssumeRoleSessionCredentialsProvider); + + ex = Assert.Throws(() => + { + provider.ReloadCredentialsProvider(config, "ChainableRamRoleArn1"); + }); + Assert.Equal("Source profile name can not be the same as profile name.", ex.Message); + + ex = Assert.Throws(() => + { + provider.ReloadCredentialsProvider(config, "ChainableRamRoleArn2"); + }); + Assert.Contains("Unable to get profile with 'InvalidSource' form CLI credentials file.", ex.Message); + + ex = Assert.Throws(() => { provider.ReloadCredentialsProvider(config, "Unsupported"); }); + Assert.Contains("Unsupported profile mode 'Unsupported' form CLI credentials file.", ex.Message); + } + } +} diff --git a/aliyun-net-sdk-core.Tests/Units/Auth/Provider/DefaultCredentialProviderTest.cs b/aliyun-net-sdk-core.Tests/Units/Auth/Provider/DefaultCredentialProviderTest.cs index 58ec21b7af..083e2e2727 100644 --- a/aliyun-net-sdk-core.Tests/Units/Auth/Provider/DefaultCredentialProviderTest.cs +++ b/aliyun-net-sdk-core.Tests/Units/Auth/Provider/DefaultCredentialProviderTest.cs @@ -34,6 +34,22 @@ namespace Aliyun.Acs.Core.Tests.Units.Auth.Provider { public class DefaultCredentialProviderTest { + [Fact] + public void GetCredentials() + { + var provider = new DefaultCredentialProvider(false); + Assert.NotNull(provider); + Assert.Throws(() => { provider.GetCredentials(); }); + + var testProvider = new STSAssumeRoleSessionCredentialsProvider.Builder() + .AccessKeyId("accessKeyId2") + .AccessKeySecret("accessKeySecret") + .RoleArn("roleArn") + .Build(); + + new DefaultCredentialProvider(null, testProvider); + + } /* Case: Should throw ClientException("There is no credential chain can use") */ @@ -62,7 +78,11 @@ public void GetCredentialWithException() var credential = defaultProvider.GetCredentials(); }); - Assert.Equal("There is no credential chain can use.", exception.Message); + var mes = exception.Message; + Assert.Contains("There is no credential chain can use: [EnvironmentVariableCredentialsProvider: Environment variable accessKeyId cannot be empty,", exception.Message); + Assert.Contains("CLIProfileCredentialsProvider: Unable to open credentials file: ", exception.Message); + Assert.Contains("ProfileCredentialsProvider: Unable to open credentials file: ", exception.Message); + Assert.Contains("InstanceProfileCredentialsProvider: Failed to get RAM session credentials from ECS metadata service. Reason: Aliyun.Acs.Core.Exceptions.ClientException: SDK.WebException : HttpWebRequest WebException occured, ", exception.Message); } /* @@ -126,7 +146,7 @@ public void GetCredentialFileAlibabaCloudCredentialWithAKTypeButAKIsEmpty() TestHelper.DeleteIniFile(); - Assert.Equal("Access key ID cannot be null.", exception.Message); + Assert.Contains("Access key ID cannot be null.", exception.Message); Environment.SetEnvironmentVariable("ALIBABA_CLOUD_ROLE_ARN", cacheRoleArn); Environment.SetEnvironmentVariable("ALIBABA_CLOUD_OIDC_PROVIDER_ARN", cacheProviderArn); Environment.SetEnvironmentVariable("ALIBABA_CLOUD_OIDC_TOKEN_FILE", cacheFile); @@ -217,7 +237,7 @@ public void GetCredentialFileAlibabaCloudCredentialWithEcsRamRole() mockDefaultCredentialProvider.Setup(x => x.GetInstanceRamRoleAlibabaCloudCredential()) .Returns(ecsRamRoleCredential); mockDefaultCredentialProvider.Setup(x => x.GetHomePath()).Returns(mockHomePath); - + var defaultCredentialProvider = mockDefaultCredentialProvider.Object; var credential = (InstanceProfileCredentials)defaultCredentialProvider.GetAlibabaCloudClientCredential(); diff --git a/aliyun-net-sdk-core.Tests/Units/Auth/URLCredentialProviderTest.cs b/aliyun-net-sdk-core.Tests/Units/Auth/URLCredentialProviderTest.cs new file mode 100644 index 0000000000..912ea84439 --- /dev/null +++ b/aliyun-net-sdk-core.Tests/Units/Auth/URLCredentialProviderTest.cs @@ -0,0 +1,38 @@ +using System; +using Aliyun.Acs.Core.Auth.Provider; +using Aliyun.Acs.Core.Exceptions; +using Xunit; + +namespace Aliyun.Acs.Core.Tests.Units.Auth +{ + public class URLCredentialProviderTest + { + [Fact] + public void TestConstructor() + { + URLCredentialProvider provider; + var ex = Assert.Throws(() => + provider = new URLCredentialProvider.Builder().CredentialsURI("").Build()); + Assert.Contains("Credential URI or environment variable ALIBABA_CLOUD_CREDENTIALS_URI cannot be empty.", + ex.Message); + var ex1 = Assert.Throws(() => + provider = new URLCredentialProvider.Builder().CredentialsURI("url").Build()); + Assert.Contains("Credential URI is not valid.", ex1.Message); + provider = new URLCredentialProvider.Builder().CredentialsURI("http://test").Build(); + provider = new URLCredentialProvider.Builder().CredentialsURI(new Uri("http://test")).Build(); + } + + [Fact] + public void TestGetCredentials() + { + var provider = new URLCredentialProvider.Builder() + .CredentialsURI("http://10.10.10.10") + .ConnectTimeout(2000) + .ReadTimeout(2000) + .Build(); + + var ex = Assert.Throws(() => { provider.GetCredentials(); }); + Assert.StartsWith("Failed to connect Server: http://10.10.10.10", ex.Message); + } + } +} diff --git a/aliyun-net-sdk-core.Tests/Units/TestHelper.cs b/aliyun-net-sdk-core.Tests/Units/TestHelper.cs index 79b81e14ac..11e22cf218 100644 --- a/aliyun-net-sdk-core.Tests/Units/TestHelper.cs +++ b/aliyun-net-sdk-core.Tests/Units/TestHelper.cs @@ -33,6 +33,25 @@ public class TestHelper private static readonly string Slash = Environment.OSVersion.Platform == PlatformID.Unix ? "/" : "\\"; private static readonly string HomePath = Environment.CurrentDirectory; + public static string GetCLIConfigFilePath(string type) + { + switch (type) + { + case "invalid": + return HomePath + Slash + "invalid_cli_config.json"; + case "empty": + return HomePath + Slash + "empty_file.json"; + case "mock_empty": + return HomePath + Slash + "mock_empty_cli_config.json"; + case "full": + return HomePath + Slash + "full_cli_config.json"; + case "aliyun": + return HomePath + Slash + ".aliyun/config.json"; + default: + return ""; + } + } + public static string GetOIDCTokenFilePath() { return HomePath + Slash + "OIDCToken.txt"; diff --git a/aliyun-net-sdk-core.Tests/empty_file.json b/aliyun-net-sdk-core.Tests/empty_file.json new file mode 100644 index 0000000000..e69de29bb2 diff --git a/aliyun-net-sdk-core.Tests/full_cli_config.json b/aliyun-net-sdk-core.Tests/full_cli_config.json new file mode 100644 index 0000000000..125fb8b1fa --- /dev/null +++ b/aliyun-net-sdk-core.Tests/full_cli_config.json @@ -0,0 +1,46 @@ +{ + "current": "AK", + "profiles": [ + { + "name": "AK", + "mode": "AK", + "access_key_id": "access_key_id", + "access_key_secret": "access_key_secret" + }, + { + "name": "RamRoleArn", + "mode": "RamRoleArn", + "access_key_id": "access_key_id", + "access_key_secret": "access_key_secret", + "ram_role_arn": "ram_role_arn", + "ram_session_name": "ram_session_name", + "enable_vpc": true, + "expired_seconds": 3600, + "sts_region": "cn-hangzhou" + }, + { + "name": "EcsRamRole", + "mode": "EcsRamRole", + "ram_role_name": "ram_role_name" + }, + { + "name": "OIDC", + "mode": "OIDC", + "ram_role_arn": "ram_role_arn", + "oidc_token_file": "path/to/oidc/file", + "oidc_provider_arn": "oidc_provider_arn", + "ram_session_name": "ram_session_name", + "expired_seconds": 3600, + "sts_region": "cn-hangzhou" + }, + { + "name": "ChainableRamRoleArn", + "mode": "ChainableRamRoleArn", + "source_profile": "AK", + "ram_role_arn": "ram_role_arn", + "ram_session_name": "ram_session_name", + "expired_seconds": 3600, + "sts_region": "cn-hangzhou" + } + ] +} \ No newline at end of file diff --git a/aliyun-net-sdk-core.Tests/invalid_cli_config.json b/aliyun-net-sdk-core.Tests/invalid_cli_config.json new file mode 100644 index 0000000000..e4fd6fad78 --- /dev/null +++ b/aliyun-net-sdk-core.Tests/invalid_cli_config.json @@ -0,0 +1 @@ +invalid config \ No newline at end of file diff --git a/aliyun-net-sdk-core.Tests/mock_empty_cli_config.json b/aliyun-net-sdk-core.Tests/mock_empty_cli_config.json new file mode 100644 index 0000000000..9e26dfeeb6 --- /dev/null +++ b/aliyun-net-sdk-core.Tests/mock_empty_cli_config.json @@ -0,0 +1 @@ +{} \ No newline at end of file diff --git a/aliyun-net-sdk-core/Auth/Provider/CLIProfileCredentialsProvider.cs b/aliyun-net-sdk-core/Auth/Provider/CLIProfileCredentialsProvider.cs new file mode 100644 index 0000000000..a211f13334 --- /dev/null +++ b/aliyun-net-sdk-core/Auth/Provider/CLIProfileCredentialsProvider.cs @@ -0,0 +1,345 @@ +using System; +using System.Collections.Generic; +using System.IO; +using System.Text; +using System.Threading.Tasks; +using Aliyun.Acs.Core.Exceptions; +using Aliyun.Acs.Core.Utils; +using Newtonsoft.Json; + +namespace Aliyun.Acs.Core.Auth.Provider +{ + /// + /// Obtain the credential information from a configuration file. The path of the configuration file varies based on the operating system: + /// + /// Linux: ~/.aliyun/config.json + /// Windows: C:\Users\USER_NAME\.aliyun\config.json + /// + /// + public class CLIProfileCredentialsProvider : AlibabaCloudCredentialsProvider + { + private readonly string CLI_CREDENTIALS_CONFIG_PATH = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.UserProfile), ".aliyun", "config.json"); + private volatile AlibabaCloudCredentialsProvider credentialsProvider; + private volatile string currentProfileName; + private readonly object credentialsProviderLock = new object(); + + public CLIProfileCredentialsProvider(string profileName = null) + { + currentProfileName = profileName ?? Environment.GetEnvironmentVariable("ALIBABA_CLOUD_PROFILE"); + } + + public AlibabaCloudCredentials GetCredentials() + { + if (AuthUtils.EnvironmentDisableCLIProfile) + { + throw new ClientException("CLI credentials file is disabled."); + } + var config = ParseProfile(CLI_CREDENTIALS_CONFIG_PATH); + if (config == null) + { + throw new ClientException("Unable to get profile form empty CLI credentials file."); + } + var refreshedProfileName = Environment.GetEnvironmentVariable("ALIBABA_CLOUD_PROFILE"); + + if (ShouldReloadCredentialsProvider(refreshedProfileName)) + { + lock (credentialsProviderLock) + { + if (ShouldReloadCredentialsProvider(refreshedProfileName)) + { + if (!string.IsNullOrEmpty(refreshedProfileName)) + { + this.currentProfileName = refreshedProfileName; + } + this.credentialsProvider = ReloadCredentialsProvider(config, this.currentProfileName); + } + } + } + return this.credentialsProvider.GetCredentials(); + } + + internal AlibabaCloudCredentials GetCredentials(string path) + { + if (AuthUtils.EnvironmentDisableCLIProfile) + { + throw new ClientException("CLI credentials file is disabled."); + } + var config = ParseProfile(path); + if (config == null) + { + throw new ClientException("Unable to get profile form empty CLI credentials file."); + } + var refreshedProfileName = Environment.GetEnvironmentVariable("ALIBABA_CLOUD_PROFILE"); + + if (ShouldReloadCredentialsProvider(refreshedProfileName)) + { + lock (credentialsProviderLock) + { + if (ShouldReloadCredentialsProvider(refreshedProfileName)) + { + if (!string.IsNullOrEmpty(refreshedProfileName)) + { + this.currentProfileName = refreshedProfileName; + } + this.credentialsProvider = ReloadCredentialsProvider(config, this.currentProfileName); + } + } + } + return this.credentialsProvider.GetCredentials(); + } + + internal string GetProfileName() + { + return this.currentProfileName; + } + + internal AlibabaCloudCredentialsProvider ReloadCredentialsProvider(Config config, string profileName) + { + var currentProfileName = !string.IsNullOrEmpty(profileName) ? profileName : config.GetCurrent(); + var profiles = config.GetProfiles(); + if (profiles != null && profiles.Count > 0) + { + foreach (var profile in profiles) + { + if (!string.IsNullOrEmpty(profile.GetName()) && profile.GetName().Equals(currentProfileName)) + { + switch (profile.GetMode()) + { + case "AK": + return new StaticCredentialsProvider(new BasicCredentials(profile.GetAccessKeyId(), profile.GetAccessKeySecret())); + case "RamRoleArn": + AlibabaCloudCredentialsProvider innerProvider = + new StaticCredentialsProvider(new BasicCredentials(profile.GetAccessKeyId(), + profile.GetAccessKeySecret())); + return new STSAssumeRoleSessionCredentialsProvider.Builder() + .CredentialsProvider(innerProvider) + .RoleArn(profile.GetRoleArn()) + .DurationSeconds(profile.GetDurationSeconds()) + .RoleSessionName(profile.GetRoleSessionName()) + .StsRegionId(profile.GetStsRegionId()) + .EnableVpc(profile.GetEnableVpc()) + .Policy(profile.GetPolicy()) + .ExternalId(profile.GetExternalId()) + .Build(); + case "EcsRamRole": + return new InstanceProfileCredentialsProvider.Builder().RoleName(profile.GetRamRoleName()).Build(); + case "OIDC": + return new OIDCCredentialsProvider.Builder() + .DurationSeconds(profile.GetDurationSeconds()) + .RoleArn(profile.GetRoleArn()) + .RoleSessionName(profile.GetRoleSessionName()) + .OIDCProviderArn(profile.GetOidcProviderArn()) + .OIDCTokenFilePath(profile.GetOidcTokenFile()) + .StsRegionId(profile.GetStsRegionId()) + .Policy(profile.GetPolicy()) + .EnableVpc(profile.GetEnableVpc()) + .Build(); + case "ChainableRamRoleArn": + if (profile.GetSourceProfile() == profile.GetName()) + { + throw new ClientException("Source profile name can not be the same as profile name."); + } + var previousProvider = ReloadCredentialsProvider(config, profile.GetSourceProfile()); + return new STSAssumeRoleSessionCredentialsProvider.Builder() + .CredentialsProvider(previousProvider) + .RoleArn(profile.GetRoleArn()) + .DurationSeconds(profile.GetDurationSeconds()) + .RoleSessionName(profile.GetRoleSessionName()) + .StsRegionId(profile.GetStsRegionId()) + .EnableVpc(profile.GetEnableVpc()) + .Policy(profile.GetPolicy()) + .ExternalId(profile.GetExternalId()) + .Build(); + default: + throw new ClientException(string.Format("Unsupported profile mode '{0}' form CLI credentials file.", profile.GetMode())); + } + } + } + } + throw new ClientException(string.Format("Unable to get profile with '{0}' form CLI credentials file.", currentProfileName)); + } + + internal Config ParseProfile(string configFilePath) + { + FileInfo configFile = new FileInfo(configFilePath); + if (!configFile.Exists || !configFile.Attributes.HasFlag(FileAttributes.Normal) || !IsFileReadable(configFile)) + { + throw new ClientException(string.Format("Unable to open credentials file: {0}.", configFile.FullName)); + } + + try + { + using (StreamReader sr = new StreamReader(configFile.FullName)) + { + StringBuilder sb = new StringBuilder(); + string line; + + while ((line = sr.ReadLine()) != null) + { + sb.Append(line); + } + + var jsonContent = sb.ToString(); + return JsonConvert.DeserializeObject(jsonContent); + } + } + catch (Exception) + { + throw new ClientException(string.Format("Failed to parse credential from CLI credentials file: {0}.", configFile.FullName)); + } + } + + private static bool IsFileReadable(FileInfo fileInfo) + { + try + { + using (FileStream stream = fileInfo.OpenRead()) + { + return true; + } + } + catch + { + return false; + } + } + + internal bool ShouldReloadCredentialsProvider(string profileName) + { + return credentialsProvider == null || (!string.IsNullOrEmpty(currentProfileName) && !string.IsNullOrEmpty(profileName) && !currentProfileName.Equals(profileName)); + } + + internal class Config + { + [JsonProperty("current")] + private readonly string current; + [JsonProperty("profiles")] + private readonly List profiles; + + public string GetCurrent() + { + return current; + } + + public List GetProfiles() + { + return profiles; + } + } + + internal class Profile + { + [JsonProperty("name")] + private readonly string name; + [JsonProperty("mode")] + private readonly string mode; + [JsonProperty("access_key_id")] + private readonly string accessKeyId; + [JsonProperty("access_key_secret")] + private readonly string accessKeySecret; + [JsonProperty("ram_role_arn")] + private readonly string roleArn; + [JsonProperty("ram_session_name")] + private readonly string roleSessionName; + [JsonProperty("expired_seconds")] + private readonly int? durationSeconds; + [JsonProperty("sts_region")] + private readonly string stsRegionId; + [JsonProperty("ram_role_name")] + private readonly string ramRoleName; + [JsonProperty("oidc_token_file")] + private readonly string oidcTokenFile; + [JsonProperty("oidc_provider_arn")] + private readonly string oidcProviderArn; + [JsonProperty("source_profile")] + private readonly string sourceProfile; + [JsonProperty("policy")] + private readonly string policy; + [JsonProperty("region_id")] + private readonly string regionId; + [JsonProperty("enable_vpc")] + private readonly bool? enableVpc; + [JsonProperty("external_id")] + private readonly string externalId; + + public string GetName() + { + return name; + } + public string GetMode() + { + return mode; + } + + public string GetAccessKeyId() + { + return accessKeyId; + } + + public string GetAccessKeySecret() + { + return accessKeySecret; + } + + public string GetRoleArn() + { + return roleArn; + } + + public string GetRoleSessionName() + { + return roleSessionName; + } + + public int? GetDurationSeconds() + { + return durationSeconds; + } + + public string GetStsRegionId() + { + return stsRegionId; + } + + public string GetRamRoleName() + { + return ramRoleName; + } + + public string GetOidcTokenFile() + { + return oidcTokenFile; + } + + public string GetOidcProviderArn() + { + return oidcProviderArn; + } + + public string GetSourceProfile() + { + return sourceProfile; + } + + public string GetPolicy() + { + return policy; + } + + public string GetRegionId() + { + return regionId; + } + + public bool? GetEnableVpc() + { + return enableVpc; + } + + public string GetExternalId() + { + return externalId; + } + } + } +} diff --git a/aliyun-net-sdk-core/Auth/Provider/DefaultCredentialProvider.cs b/aliyun-net-sdk-core/Auth/Provider/DefaultCredentialProvider.cs index 447ee0cb48..4bfc921609 100644 --- a/aliyun-net-sdk-core/Auth/Provider/DefaultCredentialProvider.cs +++ b/aliyun-net-sdk-core/Auth/Provider/DefaultCredentialProvider.cs @@ -18,6 +18,7 @@ */ using System; +using System.Collections.Generic; using System.IO; using System.Text; using Aliyun.Acs.Core.Exceptions; @@ -43,6 +44,14 @@ public class DefaultCredentialProvider : AlibabaCloudCredentialsProvider private string oidcProviderArn; private string oidcTokenFile; + private readonly List UserConfigurationProviders = + new List(); + + + private volatile AlibabaCloudCredentialsProvider lastUsedCredentialsProvider; + + private readonly bool reuseLastProviderEnabled; + public DefaultCredentialProvider() { accessKeyId = EnvironmentUtil.GetEnvironmentAccessKeyId(); @@ -53,16 +62,42 @@ public DefaultCredentialProvider() roleArn = EnvironmentUtil.GetEnvironmentRoleArn(); oidcProviderArn = EnvironmentUtil.GetEnvironmentOIDCProviderArn(); oidcTokenFile = EnvironmentUtil.GetEnvironmentOIDCTokenFile(); + this.reuseLastProviderEnabled = true; + CreateDefaultChain(); + } + + public DefaultCredentialProvider(bool reuseLastProviderEnabled) + { + accessKeyId = EnvironmentUtil.GetEnvironmentAccessKeyId(); + accessKeySecret = EnvironmentUtil.GetEnvironmentAccessKeySecret(); + regionId = EnvironmentUtil.GetEnvironmentRegionId(); + credentialFileLocation = EnvironmentUtil.GetEnvironmentCredentialFile(); + roleName = EnvironmentUtil.GetEnvironmentRoleName(); + roleArn = EnvironmentUtil.GetEnvironmentRoleArn(); + oidcProviderArn = EnvironmentUtil.GetEnvironmentOIDCProviderArn(); + oidcTokenFile = EnvironmentUtil.GetEnvironmentOIDCTokenFile(); + this.reuseLastProviderEnabled = reuseLastProviderEnabled; + CreateDefaultChain(); } [Obsolete] public DefaultCredentialProvider( IClientProfile profile, AlibabaCloudCredentialsProvider alibabaCloudCredentialProvider - ) : this() + ) { + accessKeyId = EnvironmentUtil.GetEnvironmentAccessKeyId(); + accessKeySecret = EnvironmentUtil.GetEnvironmentAccessKeySecret(); + regionId = EnvironmentUtil.GetEnvironmentRegionId(); + credentialFileLocation = EnvironmentUtil.GetEnvironmentCredentialFile(); + roleName = EnvironmentUtil.GetEnvironmentRoleName(); + roleArn = EnvironmentUtil.GetEnvironmentRoleArn(); + oidcProviderArn = EnvironmentUtil.GetEnvironmentOIDCProviderArn(); + oidcTokenFile = EnvironmentUtil.GetEnvironmentOIDCTokenFile(); + this.reuseLastProviderEnabled = true; defaultProfile = profile; this.alibabaCloudCredentialProvider = alibabaCloudCredentialProvider; + CreateDefaultChain(); } [Obsolete] @@ -71,10 +106,86 @@ public DefaultCredentialProvider( string publicKeyId, string privateKeyFile, AlibabaCloudCredentialsProvider alibabaCloudCredentialsProvider - ) : this(profile, alibabaCloudCredentialsProvider) + ) { + accessKeyId = EnvironmentUtil.GetEnvironmentAccessKeyId(); + accessKeySecret = EnvironmentUtil.GetEnvironmentAccessKeySecret(); + regionId = EnvironmentUtil.GetEnvironmentRegionId(); + credentialFileLocation = EnvironmentUtil.GetEnvironmentCredentialFile(); + roleName = EnvironmentUtil.GetEnvironmentRoleName(); + roleArn = EnvironmentUtil.GetEnvironmentRoleArn(); + oidcProviderArn = EnvironmentUtil.GetEnvironmentOIDCProviderArn(); + oidcTokenFile = EnvironmentUtil.GetEnvironmentOIDCTokenFile(); + this.reuseLastProviderEnabled = true; + defaultProfile = profile; + this.alibabaCloudCredentialProvider = alibabaCloudCredentialsProvider; this.privateKeyFile = privateKeyFile; this.publicKeyId = publicKeyId; + CreateDefaultChain(); + } + + private void CreateDefaultChain() + { + if (alibabaCloudCredentialProvider != null) + { + UserConfigurationProviders.Add(alibabaCloudCredentialProvider); + } + UserConfigurationProviders.Add(new EnvironmentVariableCredentialsProvider()); + if (!string.IsNullOrEmpty(this.oidcProviderArn) + && !string.IsNullOrEmpty(this.roleArn) + && !string.IsNullOrEmpty(this.oidcTokenFile)) + { + UserConfigurationProviders.Add(new OIDCCredentialsProvider.Builder() + .RoleArn(this.roleArn) + .OIDCProviderArn(this.oidcProviderArn) + .OIDCTokenFilePath(this.oidcTokenFile) + .Build()); + } + + UserConfigurationProviders.Add(new CLIProfileCredentialsProvider()); + UserConfigurationProviders.Add(new ProfileCredentialsProvider(defaultProfile, + alibabaCloudCredentialProvider)); + var metadataDisabled = AuthUtils.EnvironmentEcsMetaDataDisabled ?? ""; + if (metadataDisabled.ToLower() != "true") + { + UserConfigurationProviders.Add(new InstanceProfileCredentialsProvider.Builder().RoleName(roleName) + .Build()); + } + + var uri = AuthUtils.EnvironmentCredentialsURI; + if (!string.IsNullOrEmpty(uri)) + { + UserConfigurationProviders.Add(new URLCredentialProvider.Builder().CredentialsURI(uri).Build()); + } + } + + public AlibabaCloudCredentials GetCredentials() + { + if (this.reuseLastProviderEnabled && this.lastUsedCredentialsProvider != null) + { + return this.lastUsedCredentialsProvider.GetCredentials(); + } + + AlibabaCloudCredentials credentials; + var errorMessages = new List(); + foreach (AlibabaCloudCredentialsProvider provider in UserConfigurationProviders) + { + try + { + credentials = provider.GetCredentials(); + if (credentials != null) + { + this.lastUsedCredentialsProvider = provider; + return credentials; + } + } + catch (Exception e) + { + errorMessages.Add( provider.GetType().Name + ": " + e.Message); + } + } + + throw new ClientException("There is no credential chain can use: [" + string.Join(", ", errorMessages) + "]"); } public AlibabaCloudCredentials GetAlibabaCloudClientCredential() @@ -98,7 +209,13 @@ internal virtual AlibabaCloudCredentials GetOIDCAlibabaCloudCredential() { return null; } - return new OIDCCredentialsProvider(roleArn, oidcProviderArn, oidcTokenFile, null, regionId).GetCredentials(); + + var provider = new OIDCCredentialsProvider.Builder() + .RoleArn(roleArn) + .OIDCProviderArn(oidcProviderArn) + .OIDCTokenFilePath(oidcTokenFile) + .Build(); + return provider.GetCredentials(); } public AlibabaCloudCredentials GetEnvironmentAlibabaCloudCredential() @@ -317,20 +434,5 @@ public virtual string GetHomePath() { return EnvironmentUtil.GetHomePath(); } - - public AlibabaCloudCredentials GetCredentials() - { - var credential = GetEnvironmentAlibabaCloudCredential() ?? - GetOIDCAlibabaCloudCredential() ?? - GetCredentialFileAlibabaCloudCredential() ?? - GetInstanceRamRoleAlibabaCloudCredential(); - - if (credential == null) - { - throw new ClientException("There is no credential chain can use."); - } - - return credential; - } } } diff --git a/aliyun-net-sdk-core/Auth/Provider/ECSMetadataServiceCredentialsFetcher.cs b/aliyun-net-sdk-core/Auth/Provider/ECSMetadataServiceCredentialsFetcher.cs index 10922122a6..5dc51517ac 100644 --- a/aliyun-net-sdk-core/Auth/Provider/ECSMetadataServiceCredentialsFetcher.cs +++ b/aliyun-net-sdk-core/Auth/Provider/ECSMetadataServiceCredentialsFetcher.cs @@ -63,7 +63,7 @@ public ECSMetadataServiceCredentialsFetcher(string roleName, bool? disableIMDSv1 this.readTimeout = readTimeout == null ? 1000 : readTimeout.Value; } - public AlibabaCloudCredentials GetCredentials() + public virtual AlibabaCloudCredentials GetCredentials() { return Fetch(); } diff --git a/aliyun-net-sdk-core/Auth/Provider/EnvironmentVariableCredentialsProvider.cs b/aliyun-net-sdk-core/Auth/Provider/EnvironmentVariableCredentialsProvider.cs new file mode 100644 index 0000000000..60a6363918 --- /dev/null +++ b/aliyun-net-sdk-core/Auth/Provider/EnvironmentVariableCredentialsProvider.cs @@ -0,0 +1,27 @@ +using Aliyun.Acs.Core.Exceptions; +using Aliyun.Acs.Core.Utils; + +namespace Aliyun.Acs.Core.Auth.Provider +{ + internal class EnvironmentVariableCredentialsProvider : AlibabaCloudCredentialsProvider + { + public AlibabaCloudCredentials GetCredentials() + { + var accessKeyId = EnvironmentUtil.GetEnvironmentAccessKeyId(); + var accessKeySecret = EnvironmentUtil.GetEnvironmentAccessKeySecret(); + if (string.IsNullOrWhiteSpace(accessKeyId)) + { + throw new ClientException("Environment variable accessKeyId cannot be empty"); + } + + if (string.IsNullOrWhiteSpace(accessKeySecret)) + { + throw new ClientException("Environment variable accessKeySecret cannot be empty"); + } + + var accessKeyCredentialProvider = + new AccessKeyCredentialProvider(accessKeyId, accessKeySecret); + return accessKeyCredentialProvider.GetCredentials(); + } + } +} diff --git a/aliyun-net-sdk-core/Auth/Provider/InstanceProfileCredentialsProvider.cs b/aliyun-net-sdk-core/Auth/Provider/InstanceProfileCredentialsProvider.cs index 99bcb61db7..2eb7c04230 100644 --- a/aliyun-net-sdk-core/Auth/Provider/InstanceProfileCredentialsProvider.cs +++ b/aliyun-net-sdk-core/Auth/Provider/InstanceProfileCredentialsProvider.cs @@ -85,17 +85,16 @@ public virtual AlibabaCloudCredentials GetCredentials() ex.ErrorMessage != null && ex.ErrorMessage.Equals("Current session token has expired.")) { CommonLog.LogException(ex, ex.ErrorCode, ex.ErrorMessage); - throw new ClientException(ex.ErrorCode, ex.ErrorMessage); } - + // Use the current expiring session token and wait for next round if (credentials != null) { credentials.SetLastFailedRefreshTime(); + return credentials; } + throw; } - - return credentials; } public void withFetcher(ECSMetadataServiceCredentialsFetcher fetcher) @@ -134,7 +133,7 @@ public Builder ReadTimeout(int? readTimeout) this.readTimeout = readTimeout; return this; } - + public InstanceProfileCredentialsProvider Build() { return new InstanceProfileCredentialsProvider(this); diff --git a/aliyun-net-sdk-core/Auth/Provider/OIDCCredentialsProvider.cs b/aliyun-net-sdk-core/Auth/Provider/OIDCCredentialsProvider.cs index 9b42b4d581..e2e9ae6e09 100644 --- a/aliyun-net-sdk-core/Auth/Provider/OIDCCredentialsProvider.cs +++ b/aliyun-net-sdk-core/Auth/Provider/OIDCCredentialsProvider.cs @@ -1,12 +1,9 @@ using System; using System.Text; using System.Collections.Generic; - using Aliyun.Acs.Core.Utils; using Aliyun.Acs.Core.Exceptions; - using Aliyun.Acs.Core.Http; - using Newtonsoft.Json; namespace Aliyun.Acs.Core.Auth @@ -24,22 +21,24 @@ public class OIDCCredentialsProvider : AlibabaCloudCredentialsProvider private readonly long durationSeconds; private BasicSessionCredentials credentials; + /// + /// Unit of millisecond + /// + private int connectTimeout = 5000; - public OIDCCredentialsProvider(string roleArn, string oidcProviderArn, string oidcTokenFilePath, string roleSessionName, string regionId) - { - RoleArn = ParameterHelper.ValidateEnvNotNull(roleArn, "ALIBABA_CLOUD_ROLE_ARN", "roleArn", "roleArn does not exist and env ALIBABA_CLOUD_ROLE_ARN is null."); - OIDCProviderArn = ParameterHelper.ValidateEnvNotNull(oidcProviderArn, "ALIBABA_CLOUD_OIDC_PROVIDER_ARN", "oidcProviderArn", "OIDCProviderArn does not exist and env ALIBABA_CLOUD_OIDC_PROVIDER_ARN is null."); - OIDCTokenFilePath = ParameterHelper.ValidateEnvNotNull(oidcTokenFilePath, "ALIBABA_CLOUD_OIDC_TOKEN_FILE", "oidcTokenFilePath", "OIDCTokenFilePath does not exist and env ALIBABA_CLOUD_OIDC_TOKEN_FILE is null."); + private int readTimeout = 10000; - if (!string.IsNullOrEmpty(roleSessionName)) - { - RoleSessionName = roleSessionName; - } - else - { - RoleSessionName = Environment.GetEnvironmentVariable("ALIBABA_CLOUD_ROLE_SESSION_NAME"); - } + public OIDCCredentialsProvider(string roleArn, string oidcProviderArn, string oidcTokenFilePath, + string roleSessionName, string regionId) + { + RoleArn = ParameterHelper.ValidateEnvNotNull(roleArn, "ALIBABA_CLOUD_ROLE_ARN", "roleArn", + "roleArn does not exist and env ALIBABA_CLOUD_ROLE_ARN is null."); + OIDCProviderArn = ParameterHelper.ValidateEnvNotNull(oidcProviderArn, "ALIBABA_CLOUD_OIDC_PROVIDER_ARN", + "oidcProviderArn", "OIDCProviderArn does not exist and env ALIBABA_CLOUD_OIDC_PROVIDER_ARN is null."); + OIDCTokenFilePath = ParameterHelper.ValidateEnvNotNull(oidcTokenFilePath, "ALIBABA_CLOUD_OIDC_TOKEN_FILE", + "oidcTokenFilePath", "OIDCTokenFilePath does not exist and env ALIBABA_CLOUD_OIDC_TOKEN_FILE is null."); + RoleSessionName = !string.IsNullOrEmpty(roleSessionName) ? roleSessionName : AuthUtils.EnvironmentRoleSessionName; if (string.IsNullOrEmpty(RoleSessionName)) { RoleSessionName = "aliyun-net-sdk-" + DateTime.UtcNow.currentTimeMillis(); @@ -55,38 +54,29 @@ public OIDCCredentialsProvider(string roleArn, string oidcProviderArn, string oi } durationSeconds = 3600; + connectTimeout = 5000; + readTimeout = 10000; } public string InvokeAssumeRoleWithOIDC() { - var queries = new Dictionary - { - { "Action", "AssumeRoleWithOIDC" }, - { "Format", "JSON" }, - { "Version", "2015-04-01" }, - { "Timestamp", ParameterHelper.FormatIso8601Date(DateTime.UtcNow) } - }; - string url; try { - url = stsEndpoint + "?" + "Action=AssumeRoleWithOIDC&Format=JSON&Version=2015-04-01&Timestamp=" + ParameterHelper.FormatIso8601Date(DateTime.UtcNow); + url = stsEndpoint + "?" + "Action=AssumeRoleWithOIDC&Format=JSON&Version=2015-04-01&Timestamp=" + + ParameterHelper.FormatIso8601Date(DateTime.UtcNow); } catch (Exception ex) { throw new ClientException("AssumeRoleWithOIDC failed: " + ex.Message); } - var httpRequest = new HttpRequest(url) - { - Method = MethodType.POST, - ContentType = FormatType.FORM, - }; + var httpRequest = new HttpRequest(url) { Method = MethodType.POST, ContentType = FormatType.FORM, }; - httpRequest.SetConnectTimeoutInMilliSeconds(1000); - httpRequest.SetReadTimeoutInMilliSeconds(3000); + httpRequest.SetConnectTimeoutInMilliSeconds(this.connectTimeout); + httpRequest.SetReadTimeoutInMilliSeconds(this.readTimeout); - var oidcToken = AuthUtils.GetOIDCToken(OIDCTokenFilePath); + var oidcToken = AuthUtils.GetOIDCToken(this.OIDCTokenFilePath); if (oidcToken == null) { throw new ClientException("Read OIDC token failed"); @@ -157,7 +147,147 @@ public AlibabaCloudCredentials GetCredentials() var body = InvokeAssumeRoleWithOIDC(); credentials = ParseCredentials(body, durationSeconds); } + return credentials; } + + private OIDCCredentialsProvider(Builder builder) + { + this.durationSeconds = (builder.durationSeconds == null || builder.durationSeconds == 0) + ? 3600 + : builder.durationSeconds.Value; + if (this.durationSeconds < 900) + { + throw new ClientException("Session duration should be in the range of 900s - max session duration"); + } + + this.RoleSessionName = string.IsNullOrEmpty(builder.roleSessionName) + ? AuthUtils.EnvironmentRoleSessionName + ?? "aliyun-net-sdk-" + DateTime.UtcNow.currentTimeMillis() + : builder.roleSessionName; + this.RoleArn = string.IsNullOrEmpty(builder.roleArn) + ? AuthUtils.EnvironmentRoleArn + : builder.roleArn; + if (string.IsNullOrEmpty(this.RoleArn)) + { + throw new ArgumentException("RoleArn or environment variable ALIBABA_CLOUD_ROLE_ARN cannot be empty."); + } + + this.OIDCProviderArn = string.IsNullOrEmpty(builder.oidcProviderArn) + ? AuthUtils.EnvironmentOIDCProviderArn + : builder.oidcProviderArn; + if (string.IsNullOrEmpty(this.OIDCProviderArn)) + { + throw new ArgumentException("OIDCProviderArn or environment variable ALIBABA_CLOUD_OIDC_PROVIDER_ARN cannot be empty."); + } + + this.OIDCTokenFilePath = string.IsNullOrEmpty(builder.oidcProviderArn) + ? AuthUtils.EnvironmentOIDCTokenFilePath + : builder.oidcTokenFilePath; + if (string.IsNullOrEmpty(this.OIDCTokenFilePath)) + { + throw new ArgumentException("OIDCTokenFilePath or environment variable ALIBABA_CLOUD_OIDC_TOKEN_FILE cannot be empty."); + } + + this.Policy = builder.policy; + this.connectTimeout = (builder.connectTimeout == null || builder.connectTimeout <= 0) + ? 5000 + : builder.connectTimeout.Value; + this.readTimeout = (builder.readTimeout == null || builder.readTimeout <= 0) + ? 10000 + : builder.readTimeout.Value; + + var prefix = builder.enableVpc == null + ? (AuthUtils.EnableVpcEndpoint ? "sts-vpc" : "sts") + : (builder.enableVpc == true ? "sts-vpc" : "sts"); + if (!string.IsNullOrEmpty(builder.stsRegionId)) + { + this.stsEndpoint = string.Format("https://{0}.{1}.aliyuncs.com", prefix, builder.stsRegionId); + } + if (!string.IsNullOrEmpty(AuthUtils.EnvironmentSTSRegion)) + { + this.stsEndpoint = string.Format("https://{0}.{1}.aliyuncs.com", prefix, AuthUtils.EnvironmentSTSRegion); + } + this.stsEndpoint = "https://sts.aliyuncs.com"; + } + + public class Builder + { + internal int? durationSeconds; + internal string roleSessionName; + internal string roleArn; + internal string oidcProviderArn; + internal string oidcTokenFilePath; + internal string policy; + internal int? connectTimeout; + internal int? readTimeout; + internal string stsRegionId; + internal bool? enableVpc; + + public Builder DurationSeconds(int? durationSeconds) + { + this.durationSeconds = durationSeconds; + return this; + } + + public Builder RoleSessionName(string roleSessionName) + { + this.roleSessionName = roleSessionName; + return this; + } + + public Builder RoleArn(string roleArn) + { + this.roleArn = roleArn; + return this; + } + + public Builder OIDCProviderArn(string oidcProviderArn) + { + this.oidcProviderArn = oidcProviderArn; + return this; + } + + public Builder OIDCTokenFilePath(string oidcTokenFilePath) + { + this.oidcTokenFilePath = oidcTokenFilePath; + return this; + } + + public Builder Policy(string policy) + { + this.policy = policy; + return this; + } + + public Builder ConnectTimeout(int? connectTimeout) + { + this.connectTimeout = connectTimeout; + return this; + } + + public Builder ReadTimeout(int? readTimeout) + { + this.readTimeout = readTimeout; + return this; + } + + public Builder StsRegionId(string stsRegionId) + { + this.stsRegionId = stsRegionId; + return this; + } + + public Builder EnableVpc(bool? enableVpc) + { + this.enableVpc = enableVpc; + return this; + } + + public OIDCCredentialsProvider Build() + { + return new OIDCCredentialsProvider(this); + } + } } -} \ No newline at end of file +} diff --git a/aliyun-net-sdk-core/Auth/Provider/ProfileCredentialsProvider.cs b/aliyun-net-sdk-core/Auth/Provider/ProfileCredentialsProvider.cs new file mode 100644 index 0000000000..97c281b076 --- /dev/null +++ b/aliyun-net-sdk-core/Auth/Provider/ProfileCredentialsProvider.cs @@ -0,0 +1,241 @@ +using System; +using System.IO; +using System.Text; +using Aliyun.Acs.Core.Exceptions; +using Aliyun.Acs.Core.Profile; +using Aliyun.Acs.Core.Utils; + +namespace Aliyun.Acs.Core.Auth.Provider +{ + internal class ProfileCredentialsProvider : AlibabaCloudCredentialsProvider + { + private readonly IClientProfile defaultProfile; + private readonly AlibabaCloudCredentialsProvider alibabaCloudCredentialProvider; + + public ProfileCredentialsProvider(IClientProfile defaultProfile, + AlibabaCloudCredentialsProvider alibabaCloudCredentialProvider) + { + this.defaultProfile = defaultProfile; + this.alibabaCloudCredentialProvider = alibabaCloudCredentialProvider; + } + + public AlibabaCloudCredentials GetCredentials() + { + var filePath = EnvironmentUtil.GetEnvironmentCredentialFile(); + if (null == filePath) + { + filePath = EnvironmentUtil.GetHomePath(); + var slash = EnvironmentUtil.GetOSSlash(); + var fileLocation = EnvironmentUtil.GetComposedPath(filePath, slash); + + if (File.Exists(fileLocation)) + { + filePath = fileLocation; + } + else + { + throw new ClientException(string.Format("Unable to open credentials file: {0}.", filePath)); + } + } + + if (filePath.Equals("")) + { + throw new ClientException( + "Credentials file environment variable 'ALIBABA_CLOUD_CREDENTIALS_FILE' cannot be empty"); + } + + IniReader iniReader; + try + { + iniReader = new IniReader(filePath); + } + catch (IOException) + { + throw new ClientException(string.Format("Unable to open credentials file: {0}.", filePath)); + } + + string userDefineSectionNode; + if (this.defaultProfile != null && this.defaultProfile.DefaultClientName != null) + { + userDefineSectionNode = defaultProfile.DefaultClientName; + } + else + { + userDefineSectionNode = AuthUtils.GetClientType(); + } + + var iniKeyTypeValue = iniReader.GetValue("type", userDefineSectionNode); + + if (string.IsNullOrWhiteSpace(iniKeyTypeValue)) + { + throw new ClientException("The configured client type is empty"); + } + + switch (iniKeyTypeValue) + { + case "ecs_ram_role": + return GetInstanceProfileCredentials(iniReader, userDefineSectionNode); + case "ram_role_arn": + return GetSTSAssumeRoleSessionCredentials(iniReader, userDefineSectionNode); + case "rsa_key_pair": + return GetRsaKeyPairAlibabaCloudCredential(iniReader, userDefineSectionNode); + case "oidc_role_arn": + return GetSTSOIDCRoleSessionCredentials(iniReader, userDefineSectionNode); + default: + return GetAccessKeyCredential(iniReader, userDefineSectionNode); + } + } + + private AlibabaCloudCredentials GetInstanceProfileCredentials(IniReader iniReader, + string userDefineSectionNode) + { + var roleName = iniReader.GetValue("role_name", userDefineSectionNode); + if (string.IsNullOrEmpty(roleName)) + { + throw new ClientException("The configured role_name is empty"); + } + + var provider = new InstanceProfileCredentialsProvider.Builder().RoleName(roleName).Build(); + return provider.GetCredentials(); + } + + private AlibabaCloudCredentials GetSTSAssumeRoleSessionCredentials(IniReader iniReader, + string userDefineSectionNode) + { + var accessKeyId = iniReader.GetValue("access_key_id", userDefineSectionNode); + var accessKeySecret = iniReader.GetValue("access_key_secret", userDefineSectionNode); + if (string.IsNullOrWhiteSpace(accessKeyId) || string.IsNullOrWhiteSpace(accessKeySecret)) + { + throw new ClientException("The configured access_key_id or access_key_secret is empty"); + } + + var roleArn = iniReader.GetValue("role_arn", userDefineSectionNode); + var roleSessionName = iniReader.GetValue("role_session_name", userDefineSectionNode); + if (string.IsNullOrWhiteSpace(roleArn) || string.IsNullOrWhiteSpace(roleSessionName)) + { + throw new ClientException("The configured role_session_name or role_arn is empty"); + } + + var policy = iniReader.GetValue("policy", userDefineSectionNode); + var stsRegionId = iniReader.GetValue("sts_region", userDefineSectionNode); + var enable = iniReader.GetValue("enable", userDefineSectionNode); + var enableVpc = enable == null ? (bool?)null + : enable.ToLower() == "true" ? true + : enable.ToLower() == "false" ? false + : (bool?)null; + var externalId = iniReader.GetValue("external_id", userDefineSectionNode); + + var provider = new STSAssumeRoleSessionCredentialsProvider.Builder() + .AccessKeyId(accessKeyId) + .AccessKeySecret(accessKeySecret) + .RoleSessionName(roleSessionName) + .RoleArn(roleArn) + .Policy(policy) + .StsRegionId(stsRegionId) + .EnableVpc(enableVpc) + .ExternalId(externalId) + .Build(); + return provider.GetCredentials(); + } + + private AlibabaCloudCredentials GetSTSOIDCRoleSessionCredentials(IniReader iniReader, + string userDefineSectionNode) + { + var oidcProviderArn = iniReader.GetValue("oidc_provider_arn", userDefineSectionNode); + var oidcTokenFilePath = iniReader.GetValue("oidc_token_file_path", userDefineSectionNode); + var roleArn = iniReader.GetValue("role_arn", userDefineSectionNode); + + if (string.IsNullOrWhiteSpace(roleArn)) + { + throw new ClientException("The configured role_arn is empty"); + } + + if (string.IsNullOrWhiteSpace(oidcProviderArn)) + { + throw new ClientException("The configured oidc_provider_arn is empty"); + } + + var roleSessionName = iniReader.GetValue("role_session_name", userDefineSectionNode); + var policy = iniReader.GetValue("policy", userDefineSectionNode); + var stsRegionId = iniReader.GetValue("sts_region", userDefineSectionNode); + var enable = iniReader.GetValue("enable", userDefineSectionNode); + var enableVpc = enable == null ? (bool?)null + : enable.ToLower() == "true" ? true + : enable.ToLower() == "false" ? false + : (bool?)null; + + var provider = new OIDCCredentialsProvider.Builder() + .RoleArn(roleArn) + .OIDCProviderArn(oidcProviderArn) + .OIDCTokenFilePath(oidcTokenFilePath) + .RoleSessionName(roleSessionName) + .Policy(policy) + .StsRegionId(stsRegionId) + .EnableVpc(enableVpc) + .Build(); + return provider.GetCredentials(); + } + + private AlibabaCloudCredentials GetAccessKeyCredential(IniReader iniReader, string userDefineSectionNode) + { + var accessKeyId = iniReader.GetValue("access_key_id", userDefineSectionNode); + var accessKeySecret = iniReader.GetValue("access_key_secret", userDefineSectionNode); + if (string.IsNullOrWhiteSpace(accessKeyId)) + { + throw new ClientException("Environment variable accessKeyId cannot be empty"); + } + + if (string.IsNullOrWhiteSpace(accessKeySecret)) + { + throw new ClientException("Environment variable accessKeySecret cannot be empty"); + } + + var accessKeyCredentialProvider = + new AccessKeyCredentialProvider(accessKeyId, accessKeySecret); + return accessKeyCredentialProvider.GetCredentials(); + } + + private AlibabaCloudCredentials GetRsaKeyPairAlibabaCloudCredential(IniReader iniReader, + string userDefineSectionNode) + { + var publicKeyId = iniReader.GetValue("public_key_id", userDefineSectionNode); + var privateKeyFile = iniReader.GetValue("private_key_file", userDefineSectionNode); + if (string.IsNullOrWhiteSpace(privateKeyFile)) + { + throw new ClientException("The configured private_key_file is empty"); + } + + string privateKey; + try + { + privateKey = File.ReadAllText(privateKeyFile, Encoding.UTF8); + } + catch (IOException) + { + privateKey = null; + } + + if (string.IsNullOrWhiteSpace(publicKeyId) || string.IsNullOrWhiteSpace(privateKey)) + { + throw new ClientException("The configured public_key_id or private_key_file is empty"); + } + + var rsaKeyPairCredential = new KeyPairCredentials(publicKeyId, privateKeyFile); + var regionId = EnvironmentUtil.GetEnvironmentRegionId(); + var profile = DefaultProfile.GetProfile(regionId, publicKeyId, privateKeyFile); + + RsaKeyPairCredentialProvider rsaKeyPairCredentialProvider; + + if (null != alibabaCloudCredentialProvider) + { + rsaKeyPairCredentialProvider = (RsaKeyPairCredentialProvider)alibabaCloudCredentialProvider; + } + else + { + rsaKeyPairCredentialProvider = new RsaKeyPairCredentialProvider(rsaKeyPairCredential, profile); + } + + return rsaKeyPairCredentialProvider.GetCredentials(); + } + } +} diff --git a/aliyun-net-sdk-core/Auth/Provider/STSAssumeRoleSessionCredentialsProvider.cs b/aliyun-net-sdk-core/Auth/Provider/STSAssumeRoleSessionCredentialsProvider.cs index ed4705100a..df35133a1c 100644 --- a/aliyun-net-sdk-core/Auth/Provider/STSAssumeRoleSessionCredentialsProvider.cs +++ b/aliyun-net-sdk-core/Auth/Provider/STSAssumeRoleSessionCredentialsProvider.cs @@ -18,8 +18,8 @@ */ using System; - using Aliyun.Acs.Core.Auth.Sts; +using Aliyun.Acs.Core.Exceptions; using Aliyun.Acs.Core.Profile; using Aliyun.Acs.Core.Utils; @@ -32,11 +32,32 @@ public class STSAssumeRoleSessionCredentialsProvider : AlibabaCloudCredentialsPr { private readonly string policy; + /// + /// The arn of the role to be assumed. + /// private readonly string roleArn; private BasicSessionCredentials credentials; + + /// + /// Default duration for started sessions. Unit of Second + /// private long roleSessionDurationSeconds = 3600; + private string roleSessionName; + private string externalId; + + /// + /// Unit of millisecond + /// + private int connectTimeout = 5000; + + private int readTimeout = 10000; + + /// + /// Endpoint of RAM OpenAPI + /// + private readonly string stsEndpoint; private IAcsClient stsClient; @@ -132,6 +153,9 @@ public void WithSTSClient(IAcsClient client) stsClient = client; } + /// + /// An identifier for the assumed role session. + /// public static string GetNewRoleSessionName() { return "aliyun-net-sdk-" + DateTime.UtcNow.currentTimeMillis(); @@ -141,22 +165,190 @@ private BasicSessionCredentials GetNewSessionCredentials() { var assumeRoleRequest = new AssumeRoleRequest { - RoleArn = roleArn, - RoleSessionName = roleSessionName, - DurationSeconds = roleSessionDurationSeconds + RoleArn = roleArn, RoleSessionName = roleSessionName, DurationSeconds = roleSessionDurationSeconds }; + if (!string.IsNullOrEmpty(this.stsEndpoint)) + { + assumeRoleRequest.SetEndpoint(this.stsEndpoint); + } if (!string.IsNullOrEmpty(policy)) { assumeRoleRequest.Policy = policy; } + if (null != this.externalId) + { + assumeRoleRequest.ExternalId = this.externalId; + } + var response = stsClient.GetAcsResponse(assumeRoleRequest); return new BasicSessionCredentials( response.Credentials.AccessKeyId, response.Credentials.AccessKeySecret, - response.Credentials.SecurityToken, roleSessionDurationSeconds + response.Credentials.SecurityToken, + roleSessionDurationSeconds ); } + + private STSAssumeRoleSessionCredentialsProvider(Builder builder) + { + this.roleSessionName = builder.roleSessionName ?? + (!string.IsNullOrEmpty(AuthUtils.EnvironmentRoleSessionName) + ? AuthUtils.EnvironmentRoleSessionName + : GetNewRoleSessionName()); + this.roleSessionDurationSeconds = (builder.durationSeconds == null || builder.durationSeconds == 0) + ? 3600 + : builder.durationSeconds.Value; + if (this.roleSessionDurationSeconds < 900) + { + throw new ClientException("Session duration should be in the range of 900s - max session duration"); + } + + this.roleArn = string.IsNullOrEmpty(builder.roleArn) ? AuthUtils.EnvironmentRoleArn : builder.roleArn; + if (string.IsNullOrEmpty(this.roleArn)) + { + throw new ArgumentException("RoleArn or environment variable ALIBABA_CLOUD_ROLE_ARN cannot be empty."); + } + + this.policy = builder.policy; + this.externalId = builder.externalId; + this.connectTimeout = (builder.connectTimeout == null || builder.connectTimeout <= 0) + ? 5000 + : builder.connectTimeout.Value; + this.readTimeout = (builder.readTimeout == null || builder.readTimeout <= 0) + ? 10000 + : builder.readTimeout.Value; + + var prefix = builder.enableVpc == null + ? (AuthUtils.EnableVpcEndpoint ? "sts-vpc" : "sts") + : (builder.enableVpc == true ? "sts-vpc" : "sts"); + if (!string.IsNullOrEmpty(builder.stsRegionId)) + { + this.stsEndpoint = string.Format("{0}.{1}.aliyuncs.com", prefix, builder.stsRegionId); + } + if (!string.IsNullOrEmpty(AuthUtils.EnvironmentSTSRegion)) + { + this.stsEndpoint = string.Format("{0}.{1}.aliyuncs.com", prefix, AuthUtils.EnvironmentSTSRegion); + } + this.stsEndpoint = "sts.aliyuncs.com"; + + var profile = DefaultProfile.GetProfile(builder.stsRegionId); + if (null != builder.credentialsProvider) + { + this.stsClient = new DefaultAcsClient(profile, builder.credentialsProvider); + } else if (!string.IsNullOrEmpty(builder.securityToken)) + { + var credentialsProvider = new StaticCredentialsProvider( + new BasicSessionCredentials(builder.accessKeyId, builder.accessKeySecret, builder.securityToken)); + this.stsClient = new DefaultAcsClient(profile, credentialsProvider); + } + else + { + var credentialsProvider = new StaticCredentialsProvider( + new BasicCredentials(builder.accessKeyId, builder.accessKeySecret)); + this.stsClient = new DefaultAcsClient(profile, credentialsProvider); + } + } + + public class Builder + { + internal int? durationSeconds; + internal string roleSessionName; + internal string roleArn; + internal string policy; + internal int? connectTimeout; + internal int? readTimeout; + internal AlibabaCloudCredentialsProvider credentialsProvider; + internal string externalId; + internal string stsRegionId; + internal bool? enableVpc; + internal string accessKeyId; + internal string accessKeySecret; + internal string securityToken; + + public Builder DurationSeconds(int? durationSeconds) + { + this.durationSeconds = durationSeconds; + return this; + } + + public Builder RoleSessionName(string roleSessionName) + { + this.roleSessionName = roleSessionName; + return this; + } + + public Builder RoleArn(string roleArn) + { + this.roleArn = roleArn; + return this; + } + + public Builder Policy(string policy) + { + this.policy = policy; + return this; + } + + public Builder ConnectTimeout(int? connectTimeout) + { + this.connectTimeout = connectTimeout; + return this; + } + + public Builder ReadTimeout(int? readTimeout) + { + this.readTimeout = readTimeout; + return this; + } + + public Builder CredentialsProvider(AlibabaCloudCredentialsProvider credentialsProvider) + { + this.credentialsProvider = credentialsProvider; + return this; + } + + public Builder ExternalId(string externalId) + { + this.externalId = externalId; + return this; + } + + public Builder StsRegionId(string stsRegionId) + { + this.stsRegionId = stsRegionId; + return this; + } + + public Builder EnableVpc(bool? enableVpc) + { + this.enableVpc = enableVpc; + return this; + } + + public Builder AccessKeyId(string accessKeyId) + { + this.accessKeyId = accessKeyId; + return this; + } + + public Builder AccessKeySecret(string accessKeySecret) + { + this.accessKeySecret = accessKeySecret; + return this; + } + + public Builder SecurityToken(string securityToken) + { + this.securityToken = securityToken; + return this; + } + + public STSAssumeRoleSessionCredentialsProvider Build() + { + return new STSAssumeRoleSessionCredentialsProvider(this); + } + } } } diff --git a/aliyun-net-sdk-core/Auth/Provider/URLCredentialProvider.cs b/aliyun-net-sdk-core/Auth/Provider/URLCredentialProvider.cs new file mode 100644 index 0000000000..40b81b9f6d --- /dev/null +++ b/aliyun-net-sdk-core/Auth/Provider/URLCredentialProvider.cs @@ -0,0 +1,152 @@ +using System; +using System.Collections.Generic; +using Aliyun.Acs.Core.Exceptions; +using Aliyun.Acs.Core.Http; +using Aliyun.Acs.Core.Utils; +using Newtonsoft.Json; + +namespace Aliyun.Acs.Core.Auth.Provider +{ + /// + /// By specifying the url, the credential will be able to automatically request maintenance of STS Token. + /// + public class URLCredentialProvider : AlibabaCloudCredentialsProvider + { + private readonly Uri credentialsURI; + + /// + /// Unit of millsecond. + /// + private int connectTimeout = 5000; + + private int readTimeout = 10000; + + public URLCredentialProvider() {} + + private URLCredentialProvider(Builder builder) + { + this.connectTimeout = (builder.connectTimeout == null || builder.connectTimeout <= 0) + ? 5000 + : builder.connectTimeout.Value; + this.readTimeout = (builder.readTimeout == null || builder.readTimeout <= 0) + ? 10000 + : builder.readTimeout.Value; + + var uriStr = string.IsNullOrEmpty(builder.credentialsURI) + ? AuthUtils.EnvironmentCredentialsURI + : builder.credentialsURI; + if (string.IsNullOrEmpty(uriStr)) + { + throw new ArgumentNullException("Credential URI or environment variable ALIBABA_CLOUD_CREDENTIALS_URI cannot be empty."); + } + + try + { + this.credentialsURI = new Uri(uriStr); + + } + catch (UriFormatException) + { + throw new ClientException("Credential URI is not valid."); + } + } + + public class Builder + { + internal string credentialsURI; + internal int? connectTimeout; + internal int? readTimeout; + + public Builder CredentialsURI(string credentialsURI) + { + this.credentialsURI = credentialsURI; + return this; + } + + public Builder CredentialsURI(Uri credentialsURI) + { + this.credentialsURI = credentialsURI.ToString(); + return this; + } + + public Builder ConnectTimeout(int? connectTimeout) + { + this.connectTimeout = connectTimeout; + return this; + } + + public Builder ReadTimeout(int? readTimeout) + { + this.readTimeout = readTimeout; + return this; + } + + public URLCredentialProvider Build() + { + return new URLCredentialProvider(this); + } + } + + public AlibabaCloudCredentials GetCredentials() + { + var httpRequest = new HttpRequest(credentialsURI.ToString()); + httpRequest.Method = MethodType.GET; + httpRequest.SetConnectTimeoutInMilliSeconds(this.connectTimeout); + httpRequest.SetReadTimeoutInMilliSeconds(this.readTimeout); + HttpResponse httpResponse; + + try + { + httpResponse = GetResponse(httpRequest); + } + catch (Exception e) + { + throw new ClientException("Failed to connect Server: " + credentialsURI.ToString() + e.ToString()); + } + + if (httpResponse.Status >= 300 || httpResponse.Status < 200) + { + throw new ClientException("Failed to get credentials from server: " + credentialsURI.ToString() + + "\nHttpCode=" + httpResponse.Status + + "\nHttpRAWContent=" + httpResponse.GetHttpContentString()); + } + + Dictionary map; + try + { + map = JsonConvert.DeserializeObject>(httpResponse.GetHttpContentString()); + } + catch (Exception e) + { + throw new ClientException("Failed to parse credentials from server: " + credentialsURI.ToString() + + "\nHttpCode=" + httpResponse.Status + + "\nHttpRAWContent=" + httpResponse.GetHttpContentString()); + } + + if (null == map || !map.ContainsKey("Code") || DictionaryUtil.Get(map, "Code") == "Success") + { + throw new ClientException(string.Format("Error retrieving credentials from url: {0}, result: {1}.", this.credentialsURI, httpResponse.GetHttpContentString())); + } + + if (!map.ContainsKey("AccessKeyId") || !map.ContainsKey("AccessKeySecret") || + !map.ContainsKey("SecurityToken") || !map.ContainsKey("Expiration")) + { + throw new ClientException(string.Format("Error retrieving credentials from url: {0}, result: {1}.", this.credentialsURI, httpResponse.GetHttpContentString())); + } + + var accessKeyId = DictionaryUtil.Get(map, "AccessKeyId"); + var accessKeySecret = DictionaryUtil.Get(map, "AccessKeySecret"); + var securityToken = DictionaryUtil.Get(map, "SecurityToken"); + var expirationStr = DictionaryUtil.Get(map, "Expiration").Replace('T', ' ').Replace('Z', ' '); + var dt = Convert.ToDateTime(expirationStr); + var expiration = dt.currentTimeMillis(); + return new BasicSessionCredentials(accessKeyId, accessKeySecret, securityToken, + expiration - DateTime.UtcNow.currentTimeMillis()); + } + + public virtual HttpResponse GetResponse(HttpRequest request) + { + return HttpResponse.GetResponse(request); + } + } +} diff --git a/aliyun-net-sdk-core/Auth/Sts/AssumeRoleRequest.cs b/aliyun-net-sdk-core/Auth/Sts/AssumeRoleRequest.cs index b84f59a1ee..ca949980d6 100644 --- a/aliyun-net-sdk-core/Auth/Sts/AssumeRoleRequest.cs +++ b/aliyun-net-sdk-core/Auth/Sts/AssumeRoleRequest.cs @@ -29,6 +29,7 @@ public class AssumeRoleRequest : RpcAcsRequest private string policy; private string roleArn; private string roleSessionName; + private string externalId; public AssumeRoleRequest() : base("Sts", "2015-04-01", "AssumeRole") { @@ -74,6 +75,16 @@ public string RoleSessionName DictionaryUtil.Add(QueryParameters, "RoleSessionName", value); } } + + public string ExternalId + { + get { return externalId; } + set + { + externalId = value; + DictionaryUtil.Add(QueryParameters, "ExternalId", value); + } + } public override AssumeRoleResponse GetResponse(UnmarshallerContext unmarshallerContext) { diff --git a/aliyun-net-sdk-core/DefaultAcsClient.cs b/aliyun-net-sdk-core/DefaultAcsClient.cs index 6ccbd0d7d7..98b363833e 100644 --- a/aliyun-net-sdk-core/DefaultAcsClient.cs +++ b/aliyun-net-sdk-core/DefaultAcsClient.cs @@ -228,7 +228,7 @@ public HttpResponse DoAction(AcsRequest request, bool autoRetry, int maxRe var credentials = credentialsProvider.GetCredentials(); if (credentials == null) { - credentials = new DefaultCredentialProvider().GetAlibabaCloudClientCredential(); + credentials = new DefaultCredentialProvider().GetCredentials(); } var signer = Signer.GetSigner(credentials); diff --git a/aliyun-net-sdk-core/Exceptions/ClientException.cs b/aliyun-net-sdk-core/Exceptions/ClientException.cs index d310ce42dc..45cbb2f6e3 100644 --- a/aliyun-net-sdk-core/Exceptions/ClientException.cs +++ b/aliyun-net-sdk-core/Exceptions/ClientException.cs @@ -32,7 +32,7 @@ public ClientException(string errCode, string errMsg, string requestId) : base( ErrorCode = errCode; } - public ClientException(string errCode, string errMsg) : base(errCode + " : " + errMsg) + public ClientException(string errCode, string errMsg) : base(string.IsNullOrEmpty(errCode) ? errMsg : errCode + " : " + errMsg) { ErrorCode = errCode; ErrorMessage = errMsg; diff --git a/aliyun-net-sdk-core/Properties/AssemblyInfo.cs b/aliyun-net-sdk-core/Properties/AssemblyInfo.cs index 42b627d1bd..3785dfd37b 100644 --- a/aliyun-net-sdk-core/Properties/AssemblyInfo.cs +++ b/aliyun-net-sdk-core/Properties/AssemblyInfo.cs @@ -31,4 +31,4 @@ // [assembly: AssemblyVersion("1.6.2.0")] [assembly: AssemblyFileVersion("1.6.2.0")] -[assembly: InternalsVisibleTo("Aliyun.Net.Credentials.UnitTests")] +[assembly: InternalsVisibleTo("aliyun-net-sdk-core.Tests")] diff --git a/aliyun-net-sdk-core/Utils/AuthUtils.cs b/aliyun-net-sdk-core/Utils/AuthUtils.cs index 1724065dfc..9b3ea07b7c 100644 --- a/aliyun-net-sdk-core/Utils/AuthUtils.cs +++ b/aliyun-net-sdk-core/Utils/AuthUtils.cs @@ -32,11 +32,113 @@ public class AuthUtils private static volatile string disableECSIMDSv1; private static volatile string disableECSMetaData; private static volatile string environmentEcsMetaDataDisabled; + private static volatile string environmentCLIProfileDisabled; + private static volatile string environmentRoleSessionName; + private static volatile string environmentRoleArn; + private static volatile string enableVpcEndpoint; + private static volatile string environmentSTSRegion; + private static volatile string environmentOIDCProviderArn; + private static volatile string environmentOIDCTokenFilePath; + private static volatile string environmentCredentialsURI; AuthUtils() { } + public static string EnvironmentCredentialsURI + { + get + { + return AuthUtils.environmentCredentialsURI ?? Environment.GetEnvironmentVariable("ALIBABA_CLOUD_CREDENTIALS_URI"); + } + + set { AuthUtils.environmentCredentialsURI = value; } + } + + + public static string EnvironmentOIDCTokenFilePath + { + get + { + return AuthUtils.environmentOIDCTokenFilePath ?? Environment.GetEnvironmentVariable("ALIBABA_CLOUD_OIDC_TOKEN_FILE"); + } + + set { AuthUtils.environmentOIDCTokenFilePath = value; } + } + + + public static string EnvironmentOIDCProviderArn + { + get + { + return AuthUtils.environmentOIDCProviderArn ?? Environment.GetEnvironmentVariable("ALIBABA_CLOUD_OIDC_PROVIDER_ARN"); + } + + set { AuthUtils.environmentOIDCProviderArn = value; } + } + + public static string EnvironmentSTSRegion + { + get + { + return AuthUtils.environmentSTSRegion ?? Environment.GetEnvironmentVariable("ALIBABA_CLOUD_STS_REGION"); + } + + set { AuthUtils.environmentSTSRegion = value; } + } + + public static bool EnableVpcEndpoint + { + get + { + if (!string.IsNullOrEmpty(AuthUtils.enableVpcEndpoint)) + { + return bool.Parse(AuthUtils.enableVpcEndpoint); + } + + var env = Environment.GetEnvironmentVariable("ALIBABA_CLOUD_VPC_ENDPOINT_ENABLED"); + return !string.IsNullOrEmpty(env) && bool.Parse(env); + } + + set { AuthUtils.environmentCLIProfileDisabled = value.ToString(); } + } + + public static string EnvironmentRoleArn + { + get + { + return AuthUtils.environmentRoleArn ?? Environment.GetEnvironmentVariable("ALIBABA_CLOUD_ROLE_ARN"); + } + + set { AuthUtils.environmentRoleArn = value; } + } + + public static string EnvironmentRoleSessionName + { + get + { + return AuthUtils.environmentRoleSessionName ?? Environment.GetEnvironmentVariable("ALIBABA_CLOUD_ROLE_SESSION_NAME"); + } + + set { AuthUtils.environmentRoleSessionName = value; } + } + + public static bool EnvironmentDisableCLIProfile + { + get + { + if (!string.IsNullOrEmpty(AuthUtils.environmentCLIProfileDisabled)) + { + return bool.Parse(AuthUtils.environmentCLIProfileDisabled); + } + + var env = Environment.GetEnvironmentVariable("ALIBABA_CLOUD_IMDSV1_DISABLED"); + return !string.IsNullOrEmpty(env) && bool.Parse(env); + } + + set { AuthUtils.environmentCLIProfileDisabled = value.ToString(); } + } + public static string EnvironmentEcsMetaDataDisabled { get @@ -123,5 +225,21 @@ public static string GetOIDCToken(string OIDCTokenFilePath) return oidcToken; } + + public static string GetStsRegionWithVpc(string stsRegionId, bool? enableVpc) + { + var prefix = enableVpc == null + ? (AuthUtils.EnableVpcEndpoint ? "sts-vpc" : "sts") + : (enableVpc == true ? "sts-vpc" : "sts"); + if (!string.IsNullOrEmpty(stsRegionId)) + { + return string.Format("https://{0}.{1}.aliyuncs.com", prefix, stsRegionId); + } + if (!string.IsNullOrEmpty(AuthUtils.EnvironmentSTSRegion)) + { + return string.Format("https://{0}.{1}.aliyuncs.com", prefix, AuthUtils.EnvironmentSTSRegion); + } + return "https://sts.aliyuncs.com"; + } } }