package ramauthenticator
import (
"encoding/base64"
"fmt"
"net/url"
"strings"
openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
openapiutil "github.com/alibabacloud-go/openapi-util/service"
util "github.com/alibabacloud-go/tea-utils/service"
"github.com/alibabacloud-go/tea/tea"
"github.com/aliyun/credentials-go/credentials"
)
// tokenPrefixV1 is the version marker prepended to every encoded token.
// It is a fixed public label, not a secret, which is why the gosec
// hard-coded-credential finding is suppressed on this line.
const tokenPrefixV1 = "k8s-ack-v1." // #nosec G101

// Token wraps a pre-signed STS GetCallerIdentity URL.
//
// The wrapped URL carries the caller's AccessKeyId, the request signature
// and, when present, the STS SecurityToken, so a Token value should be
// handled as a credential: keep it out of logs, error messages and traces.
type Token struct {
	// preSignedURLString is the complete signed request URL, query included.
	preSignedURLString string
}
// GenerateToken builds a Token for the given cluster by pre-signing an STS
// GetCallerIdentity request with cred.
//
// clusterId is added to the signed query parameters and stsEndpoint is the
// host (optionally with a scheme) the signed URL points at. Any error from
// building or signing the request is returned unchanged and the Token is nil.
//
// The returned Token embeds credential material; see Token for handling.
func GenerateToken(clusterId, stsEndpoint string, cred credentials.Credential) (*Token, error) {
	signedURL, err := generateGetCallerIdentityURL(clusterId, stsEndpoint, cred)
	if err != nil {
		return nil, err
	}
	return &Token{preSignedURLString: signedURL}, nil
}
// String returns the wire form of the token: the tokenPrefixV1 marker
// followed by the pre-signed URL in standard (padded) base64.
//
// Because this method satisfies fmt.Stringer, formatting a *Token with %s
// or %v prints the full token. Base64 is an encoding, not protection: the
// output decodes directly to the signed URL, so do not log it.
func (t *Token) String() string {
	encoded := base64.StdEncoding.EncodeToString([]byte(t.preSignedURLString))
	return tokenPrefixV1 + encoded
}
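// generateGetCallerIdentityURL builds a pre-signed STS GetCallerIdentity
// request URL for clusterId, signed with the access key taken from cred.
//
// stsEndpoint may be a bare host or include a scheme; "https://" is
// prepended when no scheme is present. clusterId is part of the signed
// parameter set, so it cannot be changed without invalidating the signature.
//
// It returns an error when cred is nil, when stsEndpoint is empty, or when
// cred fails to supply the access key id, secret or security token.
//
// The returned URL contains AccessKeyId, Signature and (if set)
// SecurityToken in its query string and must be treated as a secret.
func generateGetCallerIdentityURL(clusterId, stsEndpoint string, cred credentials.Credential) (string, error) {
	// Fail with an error instead of a nil-interface panic or a malformed
	// "https:///" URL.
	if cred == nil {
		return "", fmt.Errorf("credential must not be nil")
	}
	if stsEndpoint == "" {
		return "", fmt.Errorf("sts endpoint must not be empty")
	}

	// NOTE(review): an explicit scheme is passed through untouched, so an
	// "http://" endpoint yields a URL whose signed query would travel in
	// cleartext when fetched. Callers should pass a bare host or an https URL.
	if !strings.Contains(stsEndpoint, "://") {
		stsEndpoint = "https://" + stsEndpoint
	}

	rawReq := &openapi.OpenApiRequest{
		Query: map[string]*string{
			"ClusterId": tea.String(clusterId),
		},
	}

	teaReq := tea.NewRequest()
	teaReq.Method = tea.String("GET")
	teaReq.Pathname = tea.String("/")
	// Timestamp and SignatureNonce are generated per call, so every
	// invocation produces a distinct signed URL.
	teaReq.Query = tea.Merge(map[string]*string{
		"Action":         tea.String("GetCallerIdentity"),
		"Format":         tea.String("json"),
		"Version":        tea.String("2015-04-01"),
		"Timestamp":      openapiutil.GetTimestamp(),
		"SignatureNonce": util.GetNonce(),
	}, rawReq.Query)

	accessKeyId, err := cred.GetAccessKeyId()
	if err != nil {
		return "", err
	}
	accessKeySecret, err := cred.GetAccessKeySecret()
	if err != nil {
		return "", err
	}
	securityToken, err := cred.GetSecurityToken()
	if err != nil {
		return "", err
	}

	// The security token is only sent for temporary (STS) credentials.
	if !tea.BoolValue(util.Empty(securityToken)) {
		teaReq.Query["SecurityToken"] = securityToken
	}
	teaReq.Query["SignatureMethod"] = tea.String("HMAC-SHA1")
	teaReq.Query["SignatureVersion"] = tea.String("1.0")
	teaReq.Query["AccessKeyId"] = accessKeyId

	// The signature is computed over every parameter set above, then added
	// to the same map. accessKeySecret is used only here and never placed
	// in the URL.
	teaReq.Query["Signature"] = openapiutil.GetRPCSignature(teaReq.Query, teaReq.Method, accessKeySecret)

	requestURL := stsEndpoint + tea.StringValue(teaReq.Pathname)

	// url.Values.Encode percent-escapes the values and emits the
	// parameters sorted by key.
	q := url.Values{}
	for key, value := range teaReq.Query {
		q.Add(key, tea.StringValue(value))
	}
	querystring := q.Encode()
	if len(querystring) > 0 {
		// Append with "&" if the endpoint already carried a query string.
		sep := "?"
		if strings.Contains(requestURL, "?") {
			sep = "&"
		}
		requestURL = requestURL + sep + querystring
	}
	return requestURL, nil
}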