diff --git a/go.mod b/go.mod index 661add30f..99c609240 100644 --- a/go.mod +++ b/go.mod @@ -9,8 +9,8 @@ require ( cloud.google.com/go/storage v1.30.1 github.com/DATA-DOG/go-sqlmock v1.5.2 github.com/MakeNowJust/heredoc v1.0.0 - github.com/alibabacloud-go/darabonba-openapi v0.2.1 - github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.10 + github.com/alibabacloud-go/darabonba-openapi v0.1.16 + github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.8 github.com/alibabacloud-go/maxcompute-20220104 v1.4.1 github.com/alibabacloud-go/sts-20150401 v1.1.2 github.com/aliyun/aliyun-odps-go-sdk v0.3.15 @@ -73,13 +73,13 @@ require ( github.com/Microsoft/go-winio v0.5.2 // indirect github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect github.com/alecthomas/chroma v0.8.2 // indirect - github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 // indirect + github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect github.com/alibabacloud-go/debug v1.0.1 // indirect github.com/alibabacloud-go/endpoint-util v1.1.0 // indirect github.com/alibabacloud-go/openapi-util v0.1.0 // indirect github.com/alibabacloud-go/tea v1.2.2 // indirect github.com/alibabacloud-go/tea-utils v1.4.3 // indirect - github.com/alibabacloud-go/tea-utils/v2 v2.0.6 // indirect + github.com/alibabacloud-go/tea-utils/v2 v2.0.5 // indirect github.com/alibabacloud-go/tea-xml v1.1.3 // indirect github.com/aliyun/credentials-go v1.3.10 // indirect github.com/andybalholm/brotli v1.0.4 // indirect @@ -179,7 +179,7 @@ require ( github.com/tidwall/match v1.1.1 // indirect github.com/tidwall/pretty v1.2.1 // indirect github.com/tidwall/sjson v1.2.5 // indirect - github.com/tjfoc/gmsm v1.4.1 // indirect + github.com/tjfoc/gmsm v1.3.2 // indirect github.com/tklauser/go-sysconf v0.3.14 // indirect github.com/tklauser/numcpus v0.8.0 // indirect github.com/uptrace/opentelemetry-go-extra/otelsql v0.2.4 // indirect diff --git a/go.sum b/go.sum index 72d34b67a..f1d62fa15 100644 --- a/go.sum 
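Review bot: The `require` changes in go.mod move four Alibaba Cloud SDK modules and `github.com/tjfoc/gmsm` to older versions (for example `darabonba-openapi/v2` v2.0.10 → v2.0.8 and `gmsm` v1.4.1 → v1.3.2), which nothing in the visible STS refactor requires. A downgrade can silently drop upstream fixes, and gmsm is a cryptography library, so this looks like a side effect of resolving the module graph on an older base rather than a deliberate pin. Either restore the previous versions or state the reason for the downgrade in the commit message, and run `govulncheck ./...` against the resulting module graph before merging.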
+++ b/go.sum 
@@ -165,28 +165,13 @@ github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRF github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0= github.com/alexflint/go-filemutex v1.1.0/go.mod h1:7P4iRhttt/nUvUOrYIhcpMzv2G6CY9UnI16Z+UJqRyk= -github.com/alibabacloud-go/alibabacloud-gateway-pop v0.0.6 h1:eIf+iGJxdU4U9ypaUfbtOWCsZSbTb8AUHvyPrxu6mAA= -github.com/alibabacloud-go/alibabacloud-gateway-pop v0.0.6/go.mod h1:4EUIoxs/do24zMOGGqYVWgw0s9NtiylnJglOeEB5UJo= +github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 h1:iC9YFYKDGEy3n/FtqJnOkZsene9olVspKmkX5A2YBEo= github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4/go.mod h1:sCavSAvdzOjul4cEqeVtvlSaSScfNsTQ+46HwlTL1hc= -github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 h1:zE8vH9C7JiZLNJJQ5OwjU9mSi4T9ef9u3BURT6LCLC8= -github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5/go.mod h1:tWnyE9AjF8J8qqLk645oUmVUnFybApTQWklQmi5tY6g= -github.com/alibabacloud-go/darabonba-array v0.1.0 h1:vR8s7b1fWAQIjEjWnuF0JiKsCvclSRTfDzZHTYqfufY= -github.com/alibabacloud-go/darabonba-array v0.1.0/go.mod h1:BLKxr0brnggqOJPqT09DFJ8g3fsDshapUD3C3aOEFaI= -github.com/alibabacloud-go/darabonba-encode-util v0.0.2 h1:1uJGrbsGEVqWcWxrS9MyC2NG0Ax+GpOM5gtupki31XE= -github.com/alibabacloud-go/darabonba-encode-util v0.0.2/go.mod h1:JiW9higWHYXm7F4PKuMgEUETNZasrDM6vqVr/Can7H8= -github.com/alibabacloud-go/darabonba-map v0.0.2 h1:qvPnGB4+dJbJIxOOfawxzF3hzMnIpjmafa0qOTp6udc= -github.com/alibabacloud-go/darabonba-map v0.0.2/go.mod h1:28AJaX8FOE/ym8OUFWga+MtEzBunJwQGceGQlvaPGPc= +github.com/alibabacloud-go/darabonba-openapi v0.1.16 h1:f6ZspWKTBurQzyLpZKMVxO51HAePY8aedicwuX3+E20= github.com/alibabacloud-go/darabonba-openapi v0.1.16/go.mod h1:ZjyqRbbZOaUBSh7keeH8VQN/BzCPvxCQwMuJGDdbmXQ= -github.com/alibabacloud-go/darabonba-openapi v0.2.1 
h1:WyzxxKvhdVDlwpAMOHgAiCJ+NXa6g5ZWPFEzaK/ewwY= -github.com/alibabacloud-go/darabonba-openapi v0.2.1/go.mod h1:zXOqLbpIqq543oioL9IuuZYOQgHQ5B8/n5OPrnko8aY= +github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.8 h1:benoD0QHDrylMzEQVpX/6uKtrN8LohT66ZlKXVJh7pM= github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.8/go.mod h1:CzQnh+94WDnJOnKZH5YRyouL+OOcdBnXY5VWAf0McgI= -github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.10 h1:GEYkMApgpKEVDn6z12DcH1EGYpDYRB8JxsazM4Rywak= -github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.10/go.mod h1:26a14FGhZVELuz2cc2AolvW4RHmIO3/HRwsdHhaIPDE= -github.com/alibabacloud-go/darabonba-signature-util v0.0.7 h1:UzCnKvsjPFzApvODDNEYqBHMFt1w98wC7FOo0InLyxg= -github.com/alibabacloud-go/darabonba-signature-util v0.0.7/go.mod h1:oUzCYV2fcCH797xKdL6BDH8ADIHlzrtKVjeRtunBNTQ= github.com/alibabacloud-go/darabonba-string v1.0.0/go.mod h1:93cTfV3vuPhhEwGGpKKqhVW4jLe7tDpo3LUM0i0g6mA= -github.com/alibabacloud-go/darabonba-string v1.0.2 h1:E714wms5ibdzCqGeYJ9JCFywE5nDyvIXIIQbZVFkkqo= -github.com/alibabacloud-go/darabonba-string v1.0.2/go.mod h1:93cTfV3vuPhhEwGGpKKqhVW4jLe7tDpo3LUM0i0g6mA= github.com/alibabacloud-go/debug v0.0.0-20190504072949-9472017b5c68/go.mod h1:6pb/Qy8c+lqua8cFpEy7g39NRRqOWc3rOwAy8m5Y2BY= github.com/alibabacloud-go/debug v1.0.0/go.mod h1:8gfgZCCAC3+SCzjWtY053FrOcd4/qlH6IHTI4QyICOc= github.com/alibabacloud-go/debug v1.0.1 h1:MsW9SmUtbb1Fnt3ieC6NNZi6aEwrXfDksD4QA6GSbPg= 
@@ -206,18 +191,14 @@ github.com/alibabacloud-go/tea v1.1.7/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeG github.com/alibabacloud-go/tea v1.1.8/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4= github.com/alibabacloud-go/tea v1.1.11/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4= github.com/alibabacloud-go/tea v1.1.17/go.mod h1:nXxjm6CIFkBhwW4FQkNrolwbfon8Svy6cujmKFUq98A= -github.com/alibabacloud-go/tea v1.1.19/go.mod h1:nXxjm6CIFkBhwW4FQkNrolwbfon8Svy6cujmKFUq98A= -github.com/alibabacloud-go/tea v1.1.20/go.mod h1:nXxjm6CIFkBhwW4FQkNrolwbfon8Svy6cujmKFUq98A= github.com/alibabacloud-go/tea v1.2.1/go.mod h1:qbzof29bM/IFhLMtJPrgTGK3eauV5J2wSyEUo4OEmnA= github.com/alibabacloud-go/tea v1.2.2 h1:aTsR6Rl3ANWPfqeQugPglfurloyBJY85eFy7Gc1+8oU= github.com/alibabacloud-go/tea v1.2.2/go.mod h1:CF3vOzEMAG+bR4WOql8gc2G9H3EkH3ZLAQdpmpXMgwk= github.com/alibabacloud-go/tea-utils v1.3.1/go.mod h1:EI/o33aBfj3hETm4RLiAxF/ThQdSngxrpF8rKUDJjPE= github.com/alibabacloud-go/tea-utils v1.4.3 h1:8SzwmmRrOnQ09Hf5a9GyfJc0d7Sjv6fmsZoF4UDbFjo= github.com/alibabacloud-go/tea-utils v1.4.3/go.mod h1:KNcT0oXlZZxOXINnZBs6YvgOd5aYp9U67G+E3R8fcQw= +github.com/alibabacloud-go/tea-utils/v2 v2.0.5 h1:EUakYEUAwr6L3wLT0vejIw2rc0IA1RSXDwLnIb3f2vU= github.com/alibabacloud-go/tea-utils/v2 v2.0.5/go.mod h1:dL6vbUT35E4F4bFTHL845eUloqaerYBYPsdWR2/jhe4= -github.com/alibabacloud-go/tea-utils/v2 v2.0.6 h1:ZkmUlhlQbaDC+Eba/GARMPy6hKdCLiSke5RsN5LcyQ0= -github.com/alibabacloud-go/tea-utils/v2 v2.0.6/go.mod h1:qxn986l+q33J5VkialKMqT/TTs3E+U9MJpd001iWQ9I= -github.com/alibabacloud-go/tea-xml v1.1.2/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCEtyBy9+DPF6GgEu8= github.com/alibabacloud-go/tea-xml v1.1.3 h1:7LYnm+JbOq2B+T/B0fHC4Ies4/FofC4zHzYtqw7dgt0= github.com/alibabacloud-go/tea-xml v1.1.3/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCEtyBy9+DPF6GgEu8= github.com/aliyun/aliyun-odps-go-sdk v0.3.15 h1:HkWki3g7G0xEAyxSAChqSDxLw8NCl7PFc8KxcECXReQ= 
@@ -226,7 +207,6 @@ github.com/aliyun/aliyun-oss-go-sdk v3.0.2+incompatible h1:8psS8a+wKfiLt1iVDX79F github.com/aliyun/aliyun-oss-go-sdk v3.0.2+incompatible/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8= github.com/aliyun/credentials-go v1.1.2/go.mod h1:ozcZaMR5kLM7pwtCMEpVmQ242suV6qTJya2bDq4X1Tw= github.com/aliyun/credentials-go v1.3.1/go.mod h1:8jKYhQuDawt8x2+fusqa1Y6mPxemTsBEN04dgcAcYz0= -github.com/aliyun/credentials-go v1.3.6/go.mod h1:1LxUuX7L5YrZUWzBrRyk0SwSdH4OmPrib8NVePL3fxM= github.com/aliyun/credentials-go v1.3.10 h1:45Xxrae/evfzQL9V10zL3xX31eqgLWEaIdCoPipOEQA= github.com/aliyun/credentials-go v1.3.10/go.mod h1:Jm6d+xIgwJVLVWT561vy67ZRP4lPTQxMbEYRuT2Ti1U= github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY= @@ -1430,9 +1410,8 @@ github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4= github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY= github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28= +github.com/tjfoc/gmsm v1.3.2 h1:7JVkAn5bvUJ7HtU08iW6UiD+UTmJTIToHCfeFzkcCxM= github.com/tjfoc/gmsm v1.3.2/go.mod h1:HaUcFuY0auTiaHB9MHFGCPx5IaLhTUd2atbCFBQXn9w= -github.com/tjfoc/gmsm v1.4.1 h1:aMe1GlZb+0bLjn+cKTPEvvn9oUEBlJitaZiiBwsbgho= -github.com/tjfoc/gmsm v1.4.1/go.mod h1:j4INPkHWMrhJb38G+J6W4Tw0AbuN8Thu3PbdVYhVcTE= github.com/tklauser/go-sysconf v0.3.14 h1:g5vzr9iPFFz24v2KZXs/pvpvh8/V9Fw6vQK5ZZb78yU= github.com/tklauser/go-sysconf v0.3.14/go.mod h1:1ym4lWMLUOhuBOPGtRcJm7tEGX4SCYNEEEtghGG/8uY= github.com/tklauser/numcpus v0.8.0 h1:Mx4Wwe/FjZLeQsK/6kt2EOepwwSl7SmJrK5bV/dXYgY= 
@@ -1623,7 +1602,6 @@ golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= @@ -1638,8 +1616,6 @@ golang.org/x/crypto v0.4.0/go.mod h1:3quD/ATkf6oY+rnes5c3ExXTbLc8mueNue5/DoinL80 golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I= golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= -golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= -golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 
@@ -1747,7 +1723,6 @@ golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81R golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201006153459-a7d1128ccaa0/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= @@ -1790,7 +1765,6 @@ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= -golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/oauth2 v0.0.0-20180227000427-d7d64896b5ff/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 
@@ -1986,8 +1960,6 @@ golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= @@ -2004,8 +1976,6 @@ golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo= golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= -golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= -golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q= golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= diff --git a/pkg/stsClient/stsClient.go b/pkg/stsClient/stsClient.go new file mode 100644 index 000000000..fa3247fcd --- /dev/null +++ b/pkg/stsClient/stsClient.go 
@@ -0,0 +1,90 @@
+package sts
+
+import (
+ "fmt"
+ "time"
+
+ openapi "github.com/alibabacloud-go/darabonba-openapi/client"
+ openapiV2 "github.com/alibabacloud-go/darabonba-openapi/v2/client"
+
+ "github.com/alibabacloud-go/sts-20150401/client"
+)
+
+var assumeRoleDurationHours int64 = 1
+
+type StsClient struct {
+ client *client.Client
+ expiryTimeStamp time.Time
+}
+
+type Sts struct {
+ clients map[string]*StsClient
+}
+
+func NewSTS() *Sts {
+ return &Sts{
+ clients: make(map[string]*StsClient),
+ }
+}
+
+func (s *Sts) IsSTSTokenValid(ramRole string) bool {
+ client := s.clients[ramRole]
+ if client == nil {
+ return false
+ }
+
+ return time.Now().Before(client.expiryTimeStamp)
+}
+
+func NewSTSClient(userAccessKeyID, userSecretAccessKey, regionID string) (*client.Client, error) {
+ stsEndpoint := fmt.Sprintf("sts.%s.aliyuncs.com", regionID)
+
+ config := &openapi.Config{
+ AccessKeyId: &userAccessKeyID,
+ AccessKeySecret: &userSecretAccessKey,
+ Endpoint: &stsEndpoint,
+ }
+
+ stsClient, err := client.NewClient(config)
+ if err != nil {
+ return nil, fmt.Errorf("failed to initialize STS client: %w", err)
+ }
+
+ return stsClient, nil
+}
+
+func (s *Sts) GetSTSClient(ramRole, userAccessKeyID, userSecret, regionID string) (*client.Client, error) {
+ stsClient, err := NewSTSClient(userAccessKeyID, userSecret, regionID)
+ if err != nil {
+ return nil, err
+ }
+
+ s.clients[ramRole] = &StsClient{
+ client: stsClient,
+ expiryTimeStamp: time.Now().Add(time.Duration(assumeRoleDurationHours) * time.Hour),
+ }
+
+ return stsClient, nil
+}
+
+func AssumeRole(stsClient *client.Client, userAccessKeyID, roleArn, roleSessionName string) (*openapiV2.Config, error) {
+ durationSeconds := assumeRoleDurationHours * int64(time.Hour.Seconds())
+ request := client.AssumeRoleRequest{
+ RoleArn: &roleArn,
+ RoleSessionName: &roleSessionName,
+ DurationSeconds: &durationSeconds,
+ }
+
+ res, err := stsClient.AssumeRole(&request)
+ if err != nil {
+ return nil, fmt.Errorf("failed 
to assume role: %w", err) + } + + config := &openapiV2.Config{ + AccessKeyId: res.Body.Credentials.AccessKeyId, + AccessKeySecret: res.Body.Credentials.AccessKeySecret, + SecurityToken: res.Body.Credentials.SecurityToken, + } + + return config, nil +} diff --git a/plugins/providers/maxcompute/provider.go b/plugins/providers/maxcompute/provider.go index 55ea0f590..ac83b114a 100644 --- a/plugins/providers/maxcompute/provider.go +++ b/plugins/providers/maxcompute/provider.go @@ -7,12 +7,8 @@ import ( "slices" "strings" "sync" - "time" - openapi "github.com/alibabacloud-go/darabonba-openapi/client" - openapiv2 "github.com/alibabacloud-go/darabonba-openapi/v2/client" maxcompute "github.com/alibabacloud-go/maxcompute-20220104/client" - sts "github.com/alibabacloud-go/sts-20150401/client" "github.com/aliyun/aliyun-odps-go-sdk/odps" "github.com/aliyun/aliyun-odps-go-sdk/odps/account" "github.com/aliyun/aliyun-odps-go-sdk/odps/restclient" @@ -20,12 +16,11 @@ import ( pv "github.com/goto/guardian/core/provider" "github.com/goto/guardian/domain" "github.com/goto/guardian/pkg/log" + sts "github.com/goto/guardian/pkg/stsClient" "github.com/goto/guardian/utils" "golang.org/x/net/context" ) -var assumeRoleDuration int64 = 1 - //go:generate mockery --name=encryptor --exported --with-expecter type encryptor interface { domain.Crypto @@ -34,14 +29,13 @@ type encryptor interface { type provider struct { pv.UnimplementedClient pv.PermissionManager - typeName string - encryptor encryptor - restClients map[string]*maxcompute.Client - odpsClients map[string]*odps.Odps - lastOdpsClientCreatedTime map[string]time.Time - lastRestClientCreatedTime map[string]time.Time - logger log.Logger - mu sync.Mutex + typeName string + encryptor encryptor + restClients map[string]*maxcompute.Client + odpsClients map[string]*odps.Odps + sts *sts.Sts + logger log.Logger + mu sync.Mutex } func New( 
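Review bot: In pkg/stsClient/stsClient.go, `Sts.clients` is a plain map that `GetSTSClient` writes and `IsSTSTokenValid` reads with no lock, and the provider hunks later in this commit call both outside `p.mu`; if provider methods run concurrently, as the existing mutex suggests, this is a data race and the Go runtime can abort the process with a fatal concurrent map access error. Guard the map inside Sts with its own `sync.RWMutex`, as in the excerpt below (the file's import block would also need `sync`). Two smaller points in AssumeRole: `res.Body` and `res.Body.Credentials` are dereferenced without a nil check (assuming the SDK's usual pointer-typed response fields), and the `userAccessKeyID` parameter is unused. The expiry is also stamped when the STS client is constructed in GetSTSClient rather than taken from the AssumeRole response, so IsSTSTokenValid only approximates the token's real lifetime.

```go
type Sts struct {
	mu      sync.RWMutex // guards clients
	clients map[string]*StsClient
}

// … unchanged: NewSTS …

func (s *Sts) IsSTSTokenValid(ramRole string) bool {
	s.mu.RLock()
	entry := s.clients[ramRole]
	s.mu.RUnlock()
	if entry == nil {
		return false
	}
	return time.Now().Before(entry.expiryTimeStamp)
}

// … unchanged: NewSTSClient …

func (s *Sts) GetSTSClient(ramRole, userAccessKeyID, userSecret, regionID string) (*client.Client, error) {
	// … unchanged: NewSTSClient call and error check …
	entry := &StsClient{
		client:          stsClient,
		expiryTimeStamp: time.Now().Add(time.Duration(assumeRoleDurationHours) * time.Hour),
	}
	s.mu.Lock()
	s.clients[ramRole] = entry
	s.mu.Unlock()
	return stsClient, nil
}
```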
@@ -50,12 +44,11 @@ func New( logger log.Logger, ) *provider { return &provider{ - typeName: typeName, - encryptor: encryptor, - restClients: make(map[string]*maxcompute.Client), - odpsClients: make(map[string]*odps.Odps), - lastOdpsClientCreatedTime: make(map[string]time.Time), - lastRestClientCreatedTime: make(map[string]time.Time), + typeName: typeName, + encryptor: encryptor, + restClients: make(map[string]*maxcompute.Client), + odpsClients: make(map[string]*odps.Odps), + sts: sts.NewSTS(), logger: logger, } @@ -267,11 +260,11 @@ func (p *provider) RevokeAccess(ctx context.Context, pc *domain.ProviderConfig, query := fmt.Sprintf("REMOVE USER %s", g.AccountID) job, err := securityManager.Run(query, true, "") if err != nil { - return fmt.Errorf("failed to add %q as member in %q: %v", g.AccountID, project, err) + return fmt.Errorf("failed to remove %q as member in %q: %v", g.AccountID, project, err) } if _, err := job.WaitForSuccess(); err != nil { - return fmt.Errorf("failed to add %q as member in %q: %v", g.AccountID, project, err) + return fmt.Errorf("failed to remove %q as member in %q: %v", g.AccountID, project, err) } } 
@@ -359,105 +352,55 @@ func (p *provider) getCreds(pc *domain.ProviderConfig) (*credentials, error) { return creds, nil } -func getClientConfig(providerURN, accountID, accountSecret, regionID, assumeAsRAMRole string) (*openapiv2.Config, error) { - configV2 := &openapiv2.Config{ - AccessKeyId: &accountID, - AccessKeySecret: &accountSecret, - Endpoint: &[]string{fmt.Sprintf("maxcompute.%s.aliyuncs.com", regionID)}[0], - } - if assumeAsRAMRole != "" { - stsEndpoint := fmt.Sprintf("sts.%s.aliyuncs.com", regionID) - configV1 := &openapi.Config{ - AccessKeyId: configV2.AccessKeyId, - AccessKeySecret: configV2.AccessKeySecret, - Endpoint: &stsEndpoint, - } - stsClient, err := sts.NewClient(configV1) - if err != nil { - return nil, fmt.Errorf("failed to initialize STS client: %w", err) - } - - durationSeconds := assumeRoleDuration * int64(time.Hour.Seconds()) - res, err := stsClient.AssumeRole(&sts.AssumeRoleRequest{ - DurationSeconds: &durationSeconds, - RoleArn: &assumeAsRAMRole, - RoleSessionName: &providerURN, - }) - if err != nil { - return nil, fmt.Errorf("failed to assume role %q: %w", assumeAsRAMRole, err) - } - // TODO: handle refreshing token when the used one is expired - - configV2.AccessKeyId = res.Body.Credentials.AccessKeyId - configV2.AccessKeySecret = res.Body.Credentials.AccessKeySecret - configV2.SecurityToken = res.Body.Credentials.SecurityToken - } - - return configV2, nil -} - func (p *provider) getRestClient(pc *domain.ProviderConfig) (*maxcompute.Client, error) { - p.mu.Lock() - defer p.mu.Unlock() - if client, ok := p.restClients[pc.URN]; ok { - clientCreatedTime := p.lastRestClientCreatedTime[pc.URN] - clientAge := time.Since(clientCreatedTime) - - if clientAge < time.Duration(assumeRoleDuration)*time.Hour { - return client, nil - } + return client, nil } creds, err := p.getCreds(pc) if err != nil { return nil, err } - clientConfig, err := getClientConfig(pc.URN, creds.AccessKeyID, creds.AccessKeySecret, creds.RegionID, creds.RAMRole) + + 
stsClient, err := p.sts.GetSTSClient(pc.URN, creds.AccessKeyID, creds.AccessKeySecret, creds.RegionID) + if err != nil { + return nil, err + } + + clientConfig, err := sts.AssumeRole(stsClient, creds.AccessKeyID, creds.RAMRole, pc.URN) if err != nil { return nil, err } + restClient, err := maxcompute.NewClient(clientConfig) if err != nil { return nil, err } + p.mu.Lock() p.restClients[pc.URN] = restClient + p.mu.Unlock() return restClient, nil } -func (p *provider) getOdpsClient(pc *domain.ProviderConfig, overrideRAMRole string) (*odps.Odps, error) { - usingRAMRole := overrideRAMRole != "" - - p.mu.Lock() - defer p.mu.Unlock() - - var existingClient *odps.Odps - var ok bool - var clientCreatedTime time.Time - if usingRAMRole { - existingClient, ok = p.odpsClients[overrideRAMRole] - clientCreatedTime = p.lastOdpsClientCreatedTime[overrideRAMRole] - } else { - existingClient, ok = p.odpsClients[pc.URN] - clientCreatedTime = p.lastOdpsClientCreatedTime[pc.URN] - } - - clientAge := time.Since(clientCreatedTime) - if ok && clientAge < time.Duration(assumeRoleDuration)*time.Hour { - return existingClient, nil +func (p *provider) getOdpsClient(pc *domain.ProviderConfig, ramRole string) (*odps.Odps, error) { + if existingClient, ok := p.odpsClients[ramRole]; ok { + if p.sts.IsSTSTokenValid(ramRole) { + return existingClient, nil + } } creds, err := p.getCreds(pc) if err != nil { return nil, err } - ramRole := creds.RAMRole - if usingRAMRole { - ramRole = overrideRAMRole + + stsClient, err := p.sts.GetSTSClient(ramRole, creds.AccessKeyID, creds.AccessKeySecret, creds.RegionID) + if err != nil { + return nil, err } - clientConfig, err := getClientConfig(pc.URN, creds.AccessKeyID, creds.AccessKeySecret, creds.RegionID, ramRole) + clientConfig, err := sts.AssumeRole(stsClient, creds.AccessKeyID, ramRole, pc.URN) if err != nil { return nil, err } 
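Review bot: getRestClient now returns any cached `p.restClients[pc.URN]` entry without an expiry check, so once the one-hour STS session lapses the provider keeps handing out a client built on expired credentials; the removed code rebuilt it after `assumeRoleDuration`, and getOdpsClient in the same hunk still gates on `p.sts.IsSTSTokenValid(ramRole)`. Suggest `if client, ok := p.restClients[pc.URN]; ok && p.sts.IsSTSTokenValid(pc.URN) {`. Both cache lookups also moved outside `p.mu` while the writes stay under it, which is a data race on the maps if provider methods run concurrently; take the lock around the reads as well. `sts.AssumeRole` is also now called unconditionally, where the removed getClientConfig skipped STS when the RAM role was empty, and the returned config no longer carries the `maxcompute.<region>.aliyuncs.com` endpoint that getClientConfig set, so confirm both are intended. getOdpsClient's body continues in the next hunk.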
@@ -471,13 +414,9 @@ func (p *provider) getOdpsClient(pc *domain.ProviderConfig, overrideRAMRole stri endpoint := fmt.Sprintf("http://service.%s.maxcompute.aliyun.com/api", creds.RegionID) client := odps.NewOdps(acc, endpoint) - if usingRAMRole { - p.odpsClients[overrideRAMRole] = client - p.lastOdpsClientCreatedTime[overrideRAMRole] = time.Now() - } else { - p.odpsClients[pc.URN] = client - p.lastOdpsClientCreatedTime[overrideRAMRole] = time.Now() - } + p.mu.Lock() + p.odpsClients[ramRole] = client + p.mu.Unlock() return client, nil }
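Review bot: `p.odpsClients[ramRole] = client` keys the cache by the role argument alone, where the removed branch fell back to `pc.URN` for the key (and to `creds.RAMRole` for the role) when no override was passed. If any caller still passes an empty role, as the old `overrideRAMRole` contract allowed, every provider config shares the `""` entry in both `p.odpsClients` and the Sts map, so a client built from one provider's credentials can be returned for another, and AssumeRole is invoked with an empty RoleArn. Consider resolving the role before the lookup (`if ramRole == "" { ramRole = creds.RAMRole }`) and keying the cache on the provider as well, e.g. `pc.URN + "/" + ramRole`. The start of getOdpsClient is in the previous hunk.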