-
Notifications
You must be signed in to change notification settings - Fork 10
/
cache.go
97 lines (86 loc) · 2.64 KB
/
cache.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
package credentialplugin
import (
"crypto/sha1" // #nosec G505
"encoding/json"
"errors"
"fmt"
"github.com/AliyunContainerService/ack-ram-tool/pkg/ctl"
"os"
"path/filepath"
"time"
"github.com/AliyunContainerService/ack-ram-tool/pkg/log"
"github.com/AliyunContainerService/ack-ram-tool/pkg/types"
)
const (
minExpirationDelta = time.Minute * 10
)
var defaultCacheDir = filepath.Join("~", ".kube", "cache", "ack-ram-tool", "credential-plugin")
var (
errNoValidCache = errors.New("no valid cache")
errNeedRefreshCache = errors.New("need refresh cache")
)
type CredentialCache struct {
cacheFilePath string
expirationDelta time.Duration
}
func NewCredentialCache(cacheDir string, opts GetCredentialOpts) *CredentialCache {
c := &CredentialCache{
cacheFilePath: getCacheFilePath(cacheDir, opts),
//expirationDelta: opts.expirationDelta,
}
expirationDelta := time.Duration(int64(float64(opts.temporaryDuration) * 0.2))
if expirationDelta < minExpirationDelta {
expirationDelta = minExpirationDelta
}
log.Logger.Debugf("will use %s as expirationDelta", expirationDelta)
c.expirationDelta = expirationDelta
return c
}
func (c *CredentialCache) GetCredential() (*types.ExecCredential, error) {
data, err := os.ReadFile(c.cacheFilePath)
if err != nil {
if os.IsNotExist(err) {
return nil, errNoValidCache
}
return nil, err
}
// TODO: base64 decode the data
var cred types.ExecCredential
if err := json.Unmarshal(data, &cred); err != nil {
return nil, errNoValidCache
}
remain := time.Until(cred.Status.ExpirationTimestamp.Time)
if remain <= 0 {
return nil, errNoValidCache
} else if remain <= c.expirationDelta {
return nil, errNeedRefreshCache
}
return &cred, nil
}
func (c *CredentialCache) SaveCredential(cred *types.ExecCredential) error {
d, err := json.MarshalIndent(cred, "", " ")
if err != nil {
return err
}
// TODO: base64 encode the data
return os.WriteFile(c.cacheFilePath, d, 0600)
}
func getCacheFilePath(cacheDir string, opts GetCredentialOpts) string {
filename := fmt.Sprintf("%s-exec-auth-credential-%s",
opts.clusterId, opts.apiVersion)
roleArn := ctl.GlobalOption.GetRoleArn()
profileName := ctl.GlobalOption.GetProfileName()
cpath := ctl.GlobalOption.GetCredentialFilePath()
apath := ctl.GlobalOption.GetAliyuncliConfigFilePath()
if roleArn != "" || profileName != "" || cpath != "" || apath != "" {
sh := sha1.New() // #nosec G401
sh.Write([]byte(roleArn))
sh.Write([]byte(profileName))
sh.Write([]byte(cpath))
sh.Write([]byte(apath))
h := sh.Sum(nil)
filename = fmt.Sprintf("%s-%x", filename, h)
}
filename = fmt.Sprintf("%s.json", filename)
return filepath.Join(cacheDir, filename)
}