chore(auth): refine sdk auth

go.mod

@@ -3,7 +3,7 @@ module github.com/mozillazg/docker-credential-acr-helper
 go 1.18
 
 require (
-	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0
+	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0
 	github.com/alibabacloud-go/cr-20160607 v1.0.1
 	github.com/alibabacloud-go/cr-20181201 v1.0.10
 	github.com/alibabacloud-go/darabonba-openapi v0.1.18
@@ -26,6 +26,7 @@ require (
 	github.com/modern-go/reflect2 v1.0.1 // indirect
 	github.com/tjfoc/gmsm v1.3.2 // indirect
 	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
 	golang.org/x/sys v0.13.0 // indirect
 	gopkg.in/ini.v1 v1.56.0 // indirect
 )

go.sum

@@ -1,5 +1,5 @@
-github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 h1:8+4G8JaejP8Xa6W46PzJEwisNgBXMvFcz78N6zG/ARw=
-github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0/go.mod h1:GgeIE+1be8Ivm7Sh4RgwI42aTtC9qrcj+Y9Y6CjJhJs=
+github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 h1:kcnfY4vljxXliXDBrA9K9lwF8IoEZ4Up6Eg9kWTIm28=
+github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0/go.mod h1:tlqp9mUGbsP+0z3Q+c0Q5MgSdq/OMwQhm5bffR3Q3ss=
 github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.2/go.mod h1:sCavSAvdzOjul4cEqeVtvlSaSScfNsTQ+46HwlTL1hc=
 github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 h1:iC9YFYKDGEy3n/FtqJnOkZsene9olVspKmkX5A2YBEo=
 github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4/go.mod h1:sCavSAvdzOjul4cEqeVtvlSaSScfNsTQ+46HwlTL1hc=
@@ -106,6 +106,8 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

pkg/acr/client.go

@@ -1,6 +1,7 @@
 package acr
 
 import (
+	"github.com/sirupsen/logrus"
 	"time"
 )
 
@@ -12,14 +13,14 @@ type Credentials struct {
 	ExpireTime time.Time
 }
 
-func (c *Client) GetCredentials(serverURL string) (*Credentials, error) {
+func (c *Client) GetCredentials(serverURL string, logger *logrus.Logger) (*Credentials, error) {
 	registry, err := parseServerURL(serverURL)
 	if err != nil {
 		return nil, err
 	}
 
 	if registry.IsEE {
-		client, err := newEEClient(registry.Region)
+		client, err := newEEClient(registry.Region, logger)
 		if err != nil {
 			return nil, err
 		}
@@ -33,7 +34,7 @@ func (c *Client) GetCredentials(serverURL string) (*Credentials, error) {
 		return client.getCredentials(registry.InstanceId)
 	}
 
-	client, err := newPersonClient(registry.Region)
+	client, err := newPersonClient(registry.Region, logger)
 	if err != nil {
 		return nil, err
 	}

pkg/acr/ee.go

@@ -2,6 +2,7 @@ package acr
 
 import (
 	"fmt"
+	"github.com/sirupsen/logrus"
 	"time"
 
 	cr2018 "github.com/alibabacloud-go/cr-20181201/client"
@@ -14,8 +15,8 @@ type eeClient struct {
 	client *cr2018.Client
 }
 
-func newEEClient(region string) (*eeClient, error) {
-	cred, err := getOpenapiAuth()
+func newEEClient(region string, logger *logrus.Logger) (*eeClient, error) {
+	cred, err := getOpenapiAuth(logger)
 	if err != nil {
 		return nil, err
 	}

pkg/acr/openapiauth.go

@@ -1,17 +1,26 @@
 package acr
 
 import (
+	"github.com/sirupsen/logrus"
 	"os"
 	"path/filepath"
+	"time"
 
-	"github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper"
+	"github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider"
 	"github.com/aliyun/credentials-go/credentials"
-	"github.com/mozillazg/docker-credential-acr-helper/pkg/version"
 )
 
 var defaultProfilePath = filepath.Join("~", ".alibabacloud", "credentials")
 
-func getOpenapiAuth() (credentials.Credential, error) {
+type credentialForV2SDK struct {
+	*provider.CredentialForV2SDK
+}
+
+type logWrapper struct {
+	logger *logrus.Logger
+}
+
+func getOpenapiAuth(logger *logrus.Logger) (credentials.Credential, error) {
 	profilePath := defaultProfilePath
 	if os.Getenv(credentials.ENVCredentialFile) != "" {
 		profilePath = os.Getenv(credentials.ENVCredentialFile)
@@ -20,18 +29,57 @@ func getOpenapiAuth() (credentials.Credential, error) {
 	if err == nil {
 		if _, err := os.Stat(path); err == nil {
 			_ = os.Setenv(credentials.ENVCredentialFile, path)
+			return credentials.NewCredential(nil)
 		}
 	}
-	var conf *credentials.Config
 
-	if helper.HaveOidcCredentialRequiredEnv() {
-		return helper.NewOidcCredential(version.ProjectName)
+	cp := provider.NewDefaultChainProvider(provider.DefaultChainProviderOptions{
+		Logger: &logWrapper{logger: logger},
+	})
+	cred := &credentialForV2SDK{
+		CredentialForV2SDK: provider.NewCredentialForV2SDK(cp, provider.CredentialForV2SDKOptions{
+			CredentialRetrievalTimeout: time.Second * 30,
+			Logger:                     &logWrapper{logger: logger},
+		}),
 	}
 
-	cred, err := credentials.NewCredential(conf)
 	return cred, err
 }
 
+func (c *credentialForV2SDK) GetCredential() (*credentials.CredentialModel, error) {
+	ak, err := c.GetAccessKeyId()
+	if err != nil {
+		return nil, err
+	}
+	sk, err := c.GetAccessKeySecret()
+	if err != nil {
+		return nil, err
+	}
+	token, err := c.GetSecurityToken()
+	if err != nil {
+		return nil, err
+	}
+	return &credentials.CredentialModel{
+		AccessKeyId:     ak,
+		AccessKeySecret: sk,
+		SecurityToken:   token,
+		BearerToken:     nil,
+		Type:            c.GetType(),
+	}, err
+}
+
+func (l *logWrapper) Info(msg string) {
+	l.logger.Debug(msg)
+}
+
+func (l *logWrapper) Debug(msg string) {
+	l.logger.Debug(msg)
+}
+
+func (l *logWrapper) Error(err error, msg string) {
+	l.logger.WithError(err).Error(msg)
+}
+
 func expandPath(path string) (string, error) {
 	if len(path) > 0 && path[0] == '~' {
 		home, err := os.UserHomeDir()

pkg/acr/person.go

@@ -2,6 +2,7 @@ package acr
 
 import (
 	"fmt"
+	"github.com/sirupsen/logrus"
 	"time"
 
 	cr2016 "github.com/alibabacloud-go/cr-20160607/client"
@@ -15,8 +16,8 @@ type personClient struct {
 	client *cr2016.Client
 }
 
-func newPersonClient(region string) (*personClient, error) {
-	cred, err := getOpenapiAuth()
+func newPersonClient(region string, logger *logrus.Logger) (*personClient, error) {
+	cred, err := getOpenapiAuth(logger)
 	if err != nil {
 		return nil, err
 	}

pkg/credhelper/helper.go

@@ -34,7 +34,7 @@ func (a *ACRHelper) WithLoggerOut(w io.Writer) *ACRHelper {
 
 func (a *ACRHelper) Get(serverURL string) (string, string, error) {
 	// TODO: add cache
-	cred, err := a.client.GetCredentials(serverURL)
+	cred, err := a.client.GetCredentials(serverURL, a.logger)
 	if err != nil {
 		a.logger.WithField("name", version.ProjectName).
 			WithField("serverURL", serverURL).