feat: add signatureUrl refreshSTSToken and init stsTokenFreshTime

.github/workflows/codeCov.yml

@@ -14,7 +14,7 @@ jobs:
     environment: ali_oss_AK
     runs-on: ubuntu-latest
     env:
-      ONCI: true
+      ONCI: true 
       ALI_SDK_OSS_ID: ${{secrets.ALI_SDK_OSS_ID}}
       ALI_SDK_OSS_SECRET: ${{secrets.ALI_SDK_OSS_SECRET}}
       ALI_SDK_OSS_REGION: ${{secrets.ALI_SDK_OSS_REGION}}

lib/browser/client.js

@@ -54,6 +54,7 @@ function Client(options, ctx) {
   }
   this.ctx = ctx;
   this.userAgent = this._getUserAgent();
+  this.stsTokenFreshTime = new Date();
 
   // record the time difference between client and server
   this.options.amendTimeSkewed = 0;
@@ -95,6 +96,7 @@ merge(proto, require('./object'));
 /**
  * Bucket operations
  */
+merge(proto, require('./bucket'));
 merge(proto, require('../common/bucket/getBucketWebsite'));
 merge(proto, require('../common/bucket/putBucketWebsite'));
 merge(proto, require('../common/bucket/deleteBucketWebsite'));

lib/client.js

@@ -43,6 +43,7 @@ function Client(options, ctx) {
   }
   this.ctx = ctx;
   this.userAgent = this._getUserAgent();
+  this.stsTokenFreshTime = new Date();
 }
 
 /**

lib/common/object/signatureUrl.js

@@ -3,10 +3,12 @@ const utility = require('utility');
 const copy = require('copy-to');
 const signHelper = require('../../common/signUtils');
 const { isIP } = require('../utils/isIP');
+const { setSTSToken } = require('../../common/utils/setSTSToken');
+const { isFunction } = require('../../common/utils/isFunction');
 
 const proto = exports;
 
-proto.signatureUrl = function signatureUrl(name, options) {
+proto.signatureUrl = async function signatureUrl(name, options) {
   if (isIP(this.options.endpoint.hostname)) {
     throw new Error('can not get the object URL when endpoint is IP');
   }
@@ -21,6 +23,9 @@ proto.signatureUrl = function signatureUrl(name, options) {
 
   const resource = this._getResource(params);
 
+  if (this.options.stsToken && isFunction(this.options.refreshSTSToken)) {
+    await setSTSToken.call(this);
+  }
   if (this.options.stsToken) {
     options['security-token'] = this.options.stsToken;
   }

lib/object.js

@@ -240,7 +240,7 @@ proto.list = async function list(query, options) {
   };
 };
 
-proto.listV2 = async function listV2(query, options = {}) {
+proto.listV2 = async function listV2(query = {}, options = {}) {
   const continuation_token = query['continuation-token'] || query.continuationToken;
   delete query['continuation-token'];
   delete query.continuationToken;

test/browser/browser.test.js

@@ -58,6 +58,17 @@ describe('browser', () => {
     await cleanBucket(store);
   });
 
+  describe('stsTokenFreshTime', () => {
+    it('init stsTokenFreshTime', () => {
+      const store = oss(ossConfig);
+      const now = new Date();
+      if (!store.stsTokenFreshTime) {
+        throw new Error('not init stsTokenFreshTime');
+      }
+      assert(true, +now <= +store.stsTokenFreshTime);
+    });
+  });
+
   describe('endpoint', () => {
     it('should init with region', () => {
       console.log('xxx');
@@ -775,10 +786,10 @@ describe('browser', () => {
       const newName = 'newName';
       const url = store.signatureUrl(newName, {
         method: 'PUT',
-        'Content-Type': 'application/json; charset=UTF-8',
+        'Content-Type': 'application/json; charset=UTF-8'
       });
       const headers = {
-        'Content-Type': 'application/json; charset=UTF-8',
+        'Content-Type': 'application/json; charset=UTF-8'
       };
       const res = await oss.urllib.request(url, { method: 'PUT', data: putString, headers });
       assert.equal(res.status, 200);

test/node/client.test.js

@@ -6,6 +6,15 @@ const mm = require('mm');
 const pkg = require('../../package.json');
 
 describe('test/client.test.js', () => {
+  it('init stsTokenFreshTime', () => {
+    const store = oss(config);
+    const now = new Date();
+    if (!store.stsTokenFreshTime) {
+      throw new Error('not init stsTokenFreshTime');
+    }
+    assert(true, +now <= +store.stsTokenFreshTime);
+  });
+
   it('should init with region', () => {
     let store = oss({
       accessKeyId: 'foo',

test/node/object.test.js

@@ -6,10 +6,11 @@ const ms = require('humanize-ms');
 const { metaSyncTime } = require('../config');
 const AgentKeepalive = require('agentkeepalive');
 const HttpsAgentKeepalive = require('agentkeepalive').HttpsAgent;
-const sleep = require('mz-modules/sleep');
 const utils = require('./utils');
 const oss = require('../..');
+const sts = require('../..').STS;
 const config = require('../config').oss;
+const stsConfig = require('../config').sts;
 const urllib = require('urllib');
 const copy = require('copy-to');
 const mm = require('mm');
@@ -128,7 +129,7 @@ describe('test/object.test.js', () => {
         const nameCpy = `${prefix}ali-sdk/oss/nodejs-1024x768`;
         const imagepath = path.join(__dirname, 'nodejs-1024x768.png');
         await store.putStream(name, fs.createReadStream(imagepath), { mime: 'image/png' });
-        const signUrl = store.signatureUrl(name, { expires: 3600 });
+        const signUrl = await store.signatureUrl(name, { expires: 3600 });
         const httpStream = request(signUrl);
         let result = await store.putStream(nameCpy, httpStream);
         assert.equal(result.res.status, 200);
@@ -1047,10 +1048,53 @@ describe('test/object.test.js', () => {
       assert.equal(typeof object.res.headers['x-oss-request-id'], 'string');
     });
 
+    it('should signature use setSTSToken', async () => {
+      const stsClient = sts(stsConfig);
+      const policy = {
+        Statement: [
+          {
+            Action: ['oss:*'],
+            Effect: 'Allow',
+            Resource: ['acs:oss:*:*:*']
+          }
+        ],
+        Version: '1'
+      };
+      const response = await stsClient.assumeRole(stsConfig.roleArn, policy);
+
+      const tempStore = oss({
+        bucket: stsConfig.bucket,
+        accessKeyId: response.credentials.AccessKeyId,
+        accessKeySecret: response.credentials.AccessKeySecret,
+        region: config.region,
+        stsToken: response.credentials.SecurityToken,
+        refreshSTSToken: async () => {
+          const r = await stsClient.assumeRole(stsConfig.roleArn, policy);
+          return {
+            accessKeyId: r.credentials.AccessKeyId,
+            accessKeySecret: r.credentials.AccessKeySecret,
+            stsToken: r.credentials.SecurityToken
+          };
+        },
+        refreshSTSTokenInterval: 2000
+      });
+      const content = 'setSTSToken test';
+      await tempStore.put(name, Buffer.from(content));
+      const beforeUrl = await tempStore.signatureUrl(name);
+      const urlRes = await urllib.request(beforeUrl);
+      assert.equal(urlRes.data.toString(), content);
+      const beforeTime = tempStore.stsTokenFreshTime;
+      await utils.sleep(ms(5000));
+      const afterUrl = await tempStore.signatureUrl(name);
+      const afeterRes = await urllib.request(afterUrl);
+      assert.equal(afeterRes.data.toString(), content);
+      assert.notEqual(beforeTime, tempStore.stsTokenFreshTime);
+    });
+
     it('should signature url get object ok', async () => {
       try {
         const result = await store.get(name);
-        const url = store.signatureUrl(name);
+        const url = await store.signatureUrl(name);
         const urlRes = await urllib.request(url);
         assert.equal(urlRes.data.toString(), result.content.toString());
       } catch (error) {
@@ -1064,7 +1108,7 @@ describe('test/object.test.js', () => {
           'content-type': 'xml',
           'content-language': 'zh-cn'
         };
-        const url = store.signatureUrl(name, { response });
+        const url = await store.signatureUrl(name, { response });
         assert(url.indexOf('response-content-type=xml') !== -1);
         assert(url.indexOf('response-content-language=zh-cn') !== -1);
       } catch (error) {
@@ -1090,7 +1134,7 @@ describe('test/object.test.js', () => {
           mime: 'image/png'
         });
 
-        const signUrl = store.signatureUrl(imageName, options);
+        const signUrl = await store.signatureUrl(imageName, options);
         const processedKeyword = 'x-oss-process=image%2Fresize%2Cw_200';
         assert.equal(signUrl.match(processedKeyword), processedKeyword);
         const urlRes = await urllib.request(signUrl);
@@ -1109,7 +1153,7 @@ describe('test/object.test.js', () => {
           mime: 'image/png'
         });
 
-        const signUrl = store.signatureUrl(imageName, { expires: 3600, process: 'image/resize,w_200' });
+        const signUrl = await store.signatureUrl(imageName, { expires: 3600, process: 'image/resize,w_200' });
         const processedKeyword = 'x-oss-process=image%2Fresize%2Cw_200';
         assert.equal(signUrl.match(processedKeyword), processedKeyword);
         const urlRes = await urllib.request(signUrl);
@@ -1123,7 +1167,7 @@ describe('test/object.test.js', () => {
       try {
         const putString = 'Hello World';
         const contentMd5 = crypto.createHash('md5').update(Buffer.from(putString, 'utf8')).digest('base64');
-        const url = store.signatureUrl(name, {
+        const url = await store.signatureUrl(name, {
           method: 'PUT',
           'Content-Type': 'text/plain; charset=UTF-8',
           'Content-Md5': contentMd5
@@ -1168,22 +1212,22 @@ describe('test/object.test.js', () => {
     it('should signature url get need escape object ok', async () => {
       try {
         const result = await store.get(needEscapeName);
-        const url = store.signatureUrl(needEscapeName);
+        const url = await store.signatureUrl(needEscapeName);
         const urlRes = await urllib.request(url);
         assert.equal(urlRes.data.toString(), result.content.toString());
       } catch (error) {
         assert(error.message === 'can not get the object URL when endpoint is IP');
       }
     });
 
-    it('should signature url with custom host ok', () => {
+    it('should signature url with custom host ok', async () => {
       const conf = {};
       copy(config).to(conf);
       conf.endpoint = 'www.aliyun.com';
       conf.cname = true;
       const tempStore = oss(conf);
 
-      const url = tempStore.signatureUrl(name);
+      const url = await tempStore.signatureUrl(name);
       // http://www.aliyun.com/darwin-v4.4.2/ali-sdk/oss/get-meta.js?OSSAccessKeyId=
       assert.equal(url.indexOf('http://www.aliyun.com/'), 0);
     });
@@ -1197,7 +1241,7 @@ describe('test/object.test.js', () => {
       fs.writeFileSync(file_1mb, Buffer.alloc(1 * 1024 * 1024).fill('a\n'));
 
       try {
-        url = store.signatureUrl(limit_name, {
+        url = await store.signatureUrl(limit_name, {
           trafficLimit: 8 * 1024 * 100 * 4,
           method: 'PUT'
         });
@@ -1213,7 +1257,7 @@ describe('test/object.test.js', () => {
       }
 
       try {
-        url = store.signatureUrl(name, {
+        url = await store.signatureUrl(name, {
           trafficLimit: 8 * 1024 * 100 * 4
         });
         result = await store.urllib.request(url, {
@@ -1305,7 +1349,7 @@ describe('test/object.test.js', () => {
       }
     });
 
-    if(!process.env.ONCI) {
+    if (!process.env.ONCI) {
       it('should throw error and consume the response stream', async () => {
         store.agent = new AgentKeepalive({
           keepAlive: true
@@ -1315,7 +1359,7 @@ describe('test/object.test.js', () => {
           await store.getStream(`${name}not-exists`);
           throw new Error('should not run this');
         } catch (err) {
-          console.log('error is', err)
+          console.log('error is', err);
           assert.equal(err.name, 'NoSuchKeyError');
           assert(Object.keys(store.agent.freeSockets).length === 0);
           await utils.sleep(ms(metaSyncTime));