From 7562210083e5eda93c4c04ebc7266bc2aad58033 Mon Sep 17 00:00:00 2001
From: mozillazg
Date: Sun, 1 Sep 2024 03:41:28 +0000
Subject: [PATCH] chore(auth): refine sdk auth

---
 go.mod                   |  3 +-
 go.sum                   |  6 ++--
 pkg/acr/client.go        |  7 +++--
 pkg/acr/ee.go            |  5 ++--
 pkg/acr/openapiauth.go   | 62 +++++++++++++++++++++++++++++++++++-----
 pkg/acr/person.go        |  5 ++--
 pkg/credhelper/helper.go |  2 +-
 7 files changed, 72 insertions(+), 18 deletions(-)

diff --git a/go.mod b/go.mod
index 7727ec5..16a85aa 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/mozillazg/docker-credential-acr-helper
 go 1.18
 
 require (
-	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0
+	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0
 	github.com/alibabacloud-go/cr-20160607 v1.0.1
 	github.com/alibabacloud-go/cr-20181201 v1.0.10
 	github.com/alibabacloud-go/darabonba-openapi v0.1.18
@@ -26,6 +26,7 @@ require (
 	github.com/modern-go/reflect2 v1.0.1 // indirect
 	github.com/tjfoc/gmsm v1.3.2 // indirect
 	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
 	golang.org/x/sys v0.13.0 // indirect
 	gopkg.in/ini.v1 v1.56.0 // indirect
 )
diff --git a/go.sum b/go.sum
index 53bddd6..4c2153e 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,5 @@
-github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 h1:8+4G8JaejP8Xa6W46PzJEwisNgBXMvFcz78N6zG/ARw=
-github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0/go.mod h1:GgeIE+1be8Ivm7Sh4RgwI42aTtC9qrcj+Y9Y6CjJhJs=
+github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 h1:kcnfY4vljxXliXDBrA9K9lwF8IoEZ4Up6Eg9kWTIm28=
+github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0/go.mod h1:tlqp9mUGbsP+0z3Q+c0Q5MgSdq/OMwQhm5bffR3Q3ss=
 github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.2/go.mod h1:sCavSAvdzOjul4cEqeVtvlSaSScfNsTQ+46HwlTL1hc=
 github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 h1:iC9YFYKDGEy3n/FtqJnOkZsene9olVspKmkX5A2YBEo=
 github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4/go.mod h1:sCavSAvdzOjul4cEqeVtvlSaSScfNsTQ+46HwlTL1hc=
@@ -106,6 +106,8 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
diff --git a/pkg/acr/client.go b/pkg/acr/client.go
index 72341b7..12e58e5 100644
--- a/pkg/acr/client.go
+++ b/pkg/acr/client.go
@@ -1,6 +1,7 @@
 package acr
 
 import (
+	"github.com/sirupsen/logrus"
 	"time"
 )
 
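Review bot: The new `"github.com/sirupsen/logrus"` import is placed inside the standard-library group ahead of `"time"`; goimports would move it into a separate third-party group after a blank line. The same placement appears in the import hunks of pkg/acr/ee.go, pkg/acr/openapiauth.go and pkg/acr/person.go. Those files already keep the `cr2018`/`cr2016` SDK imports in their own group, so a `goimports` pass before merging keeps the grouping consistent.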
@@ -12,14 +13,14 @@ type Credentials struct {
 	ExpireTime time.Time
 }
 
-func (c *Client) GetCredentials(serverURL string) (*Credentials, error) {
+func (c *Client) GetCredentials(serverURL string, logger *logrus.Logger) (*Credentials, error) {
 	registry, err := parseServerURL(serverURL)
 	if err != nil {
 		return nil, err
 	}
 
 	if registry.IsEE {
-		client, err := newEEClient(registry.Region)
+		client, err := newEEClient(registry.Region, logger)
 		if err != nil {
 			return nil, err
 		}
@@ -33,7 +34,7 @@ func (c *Client) GetCredentials(serverURL string) (*Credentials, error) {
 		return client.getCredentials(registry.InstanceId)
 	}
 
-	client, err := newPersonClient(registry.Region)
+	client, err := newPersonClient(registry.Region, logger)
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/acr/ee.go b/pkg/acr/ee.go
index be83997..363e2a0 100644
--- a/pkg/acr/ee.go
+++ b/pkg/acr/ee.go
@@ -2,6 +2,7 @@ package acr
 
 import (
 	"fmt"
+	"github.com/sirupsen/logrus"
 	"time"
 
 	cr2018 "github.com/alibabacloud-go/cr-20181201/client"
@@ -14,8 +15,8 @@ type eeClient struct {
 	client *cr2018.Client
 }
 
-func newEEClient(region string) (*eeClient, error) {
-	cred, err := getOpenapiAuth()
+func newEEClient(region string, logger *logrus.Logger) (*eeClient, error) {
+	cred, err := getOpenapiAuth(logger)
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/acr/openapiauth.go b/pkg/acr/openapiauth.go
index 6963223..346b74d 100644
--- a/pkg/acr/openapiauth.go
+++ b/pkg/acr/openapiauth.go
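Review bot: `GetCredentials` is exported and now takes a `logger *logrus.Logger` that is passed down unchecked to `newEEClient` and `newPersonClient`; nothing in the hunk guards against a nil logger, and the `logWrapper` methods added in pkg/acr/openapiauth.go call methods on it directly, so a nil logger would presumably panic on the first provider log call instead of failing cleanly. Either state the requirement in a doc comment (`// GetCredentials resolves registry credentials for serverURL; logger must be non-nil.`) or substitute a default at the top of the method: `if logger == nil { logger = logrus.StandardLogger() }`. The body of GetCredentials continues past the hunk.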
@@ -1,17 +1,26 @@
 package acr
 
 import (
+	"github.com/sirupsen/logrus"
 	"os"
 	"path/filepath"
+	"time"
 
-	"github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper"
+	"github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider"
 	"github.com/aliyun/credentials-go/credentials"
-	"github.com/mozillazg/docker-credential-acr-helper/pkg/version"
 )
 
 var defaultProfilePath = filepath.Join("~", ".alibabacloud", "credentials")
 
-func getOpenapiAuth() (credentials.Credential, error) {
+type credentialForV2SDK struct {
+	*provider.CredentialForV2SDK
+}
+
+type logWrapper struct {
+	logger *logrus.Logger
+}
+
+func getOpenapiAuth(logger *logrus.Logger) (credentials.Credential, error) {
 	profilePath := defaultProfilePath
 	if os.Getenv(credentials.ENVCredentialFile) != "" {
 		profilePath = os.Getenv(credentials.ENVCredentialFile)
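Review bot: The two new types `credentialForV2SDK` and `logWrapper` carry no doc comments, and neither does the reworked `getOpenapiAuth`, so a reader cannot tell from the declarations why the SDK credential is wrapped or where `logWrapper` is meant to be plugged in. Suggested comments: `// credentialForV2SDK adapts provider.CredentialForV2SDK to the credentials.Credential interface returned by getOpenapiAuth.` on the struct, `// logWrapper routes provider log output to a logrus.Logger.` on the wrapper, and on the function a line saying that a credential file named by `credentials.ENVCredentialFile` (or found at the default profile path) takes precedence over the default chain provider. A satisfaction check such as `var _ credentials.Credential = (*credentialForV2SDK)(nil)` next to the type would make the adapter's contract explicit and catch interface drift in the upstream package at compile time.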
@@ -20,18 +29,57 @@ func getOpenapiAuth() (credentials.Credential, error) {
 	if err == nil {
 		if _, err := os.Stat(path); err == nil {
 			_ = os.Setenv(credentials.ENVCredentialFile, path)
+			return credentials.NewCredential(nil)
 		}
 	}
 
-	var conf *credentials.Config
-	if helper.HaveOidcCredentialRequiredEnv() {
-		return helper.NewOidcCredential(version.ProjectName)
+	cp := provider.NewDefaultChainProvider(provider.DefaultChainProviderOptions{
+		Logger: &logWrapper{logger: logger},
+	})
+	cred := &credentialForV2SDK{
+		CredentialForV2SDK: provider.NewCredentialForV2SDK(cp, provider.CredentialForV2SDKOptions{
+			CredentialRetrievalTimeout: time.Second * 30,
+			Logger:                     &logWrapper{logger: logger},
+		}),
 	}
-	cred, err := credentials.NewCredential(conf)
 	return cred, err
 }
 
+func (c *credentialForV2SDK) GetCredential() (*credentials.CredentialModel, error) {
+	ak, err := c.GetAccessKeyId()
+	if err != nil {
+		return nil, err
+	}
+	sk, err := c.GetAccessKeySecret()
+	if err != nil {
+		return nil, err
+	}
+	token, err := c.GetSecurityToken()
+	if err != nil {
+		return nil, err
+	}
+	return &credentials.CredentialModel{
+		AccessKeyId:     ak,
+		AccessKeySecret: sk,
+		SecurityToken:   token,
+		BearerToken:     nil,
+		Type:            c.GetType(),
+	}, err
+}
+
+func (l *logWrapper) Info(msg string) {
+	l.logger.Debug(msg)
+}
+
+func (l *logWrapper) Debug(msg string) {
+	l.logger.Debug(msg)
+}
+
+func (l *logWrapper) Error(err error, msg string) {
+	l.logger.WithError(err).Error(msg)
+}
+
 func expandPath(path string) (string, error) {
 	if len(path) > 0 && path[0] == '~' {
 		home, err := os.UserHomeDir()
diff --git a/pkg/acr/person.go b/pkg/acr/person.go
index fdf05e1..3106245 100644
--- a/pkg/acr/person.go
+++ b/pkg/acr/person.go
@@ -2,6 +2,7 @@ package acr
 
 import (
 	"fmt"
+	"github.com/sirupsen/logrus"
 	"time"
 
 	cr2016 "github.com/alibabacloud-go/cr-20160607/client"
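Review bot: `return cred, err` at the end of `getOpenapiAuth` now returns whatever `err` held before the chain provider was built — presumably the result of the path expansion above the hunk, since the `if err == nil` guard tests it — because the new `cred := ...` no longer reassigns `err` the way the removed `cred, err := credentials.NewCredential(conf)` did. If that expansion failed (for example no resolvable home directory), the function hands back a fully built credential together with a non-nil error, the callers in ee.go and person.go discard the credential on `err != nil`, and the chain-provider fallback is never reached in exactly the case it was meant to cover; the line should read `return cred, nil`. The trailing `}, err` in `GetCredential` is the same pattern with the opposite effect, since `err` is always nil there after the three checks, so write `}, nil` to make the intent obvious. Two comments are also worth adding: `GetCredential` assembles the model from three separate getter calls, so unless `provider.CredentialForV2SDK` caches a consistent snapshot internally (not visible here) a credential refresh between the calls could pair an access key with a token from a different issuance, and `logWrapper.Info` deliberately demotes to Debug, which deserves a one-line `// provider Info output is too chatty for a credential helper; keep it at debug` so it is not read as a typo. getOpenapiAuth starts before the hunk.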
@@ -15,8 +16,8 @@ type personClient struct {
 	client *cr2016.Client
 }
 
-func newPersonClient(region string) (*personClient, error) {
-	cred, err := getOpenapiAuth()
+func newPersonClient(region string, logger *logrus.Logger) (*personClient, error) {
+	cred, err := getOpenapiAuth(logger)
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/credhelper/helper.go b/pkg/credhelper/helper.go
index 5bf772e..c4f83bf 100644
--- a/pkg/credhelper/helper.go
+++ b/pkg/credhelper/helper.go
@@ -34,7 +34,7 @@ func (a *ACRHelper) WithLoggerOut(w io.Writer) *ACRHelper {
 
 func (a *ACRHelper) Get(serverURL string) (string, string, error) {
 	// TODO: add cache
-	cred, err := a.client.GetCredentials(serverURL)
+	cred, err := a.client.GetCredentials(serverURL, a.logger)
 	if err != nil {
 		a.logger.WithField("name", version.ProjectName).
 			WithField("serverURL", serverURL).