diff --git a/upstream/go.mod b/upstream/go.mod
index a73eaef2a7..c37baf741c 100644
--- a/upstream/go.mod
+++ b/upstream/go.mod
@@ -73,17 +73,17 @@ require (
 github.com/ProtonMail/go-crypto v1.0.0 // indirect
 github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
 github.com/agnivade/levenshtein v1.1.1 // indirect
- github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect
+ github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 // indirect
 github.com/alibabacloud-go/cr-20160607 v1.0.1 // indirect
 github.com/alibabacloud-go/cr-20181201 v1.0.10 // indirect
 github.com/alibabacloud-go/darabonba-openapi v0.2.1 // indirect
 github.com/alibabacloud-go/debug v1.0.0 // indirect
 github.com/alibabacloud-go/endpoint-util v1.1.1 // indirect
 github.com/alibabacloud-go/openapi-util v0.1.0 // indirect
- github.com/alibabacloud-go/tea v1.2.1 // indirect
+ github.com/alibabacloud-go/tea v1.2.2 // indirect
 github.com/alibabacloud-go/tea-utils v1.4.5 // indirect
 github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
- github.com/aliyun/credentials-go v1.3.1 // indirect
+ github.com/aliyun/credentials-go v1.3.6 // indirect
 github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 github.com/aws/aws-sdk-go-v2 v1.30.3 // indirect
diff --git a/upstream/go.sum b/upstream/go.sum
index 5e63ff225e..04dcd3b1a8 100644
--- a/upstream/go.sum
+++ b/upstream/go.sum
@@ -702,8 +702,9 @@ github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8V github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0= github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30= github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.2/go.mod h1:sCavSAvdzOjul4cEqeVtvlSaSScfNsTQ+46HwlTL1hc= -github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 h1:iC9YFYKDGEy3n/FtqJnOkZsene9olVspKmkX5A2YBEo= github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4/go.mod h1:sCavSAvdzOjul4cEqeVtvlSaSScfNsTQ+46HwlTL1hc= +github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 h1:zE8vH9C7JiZLNJJQ5OwjU9mSi4T9ef9u3BURT6LCLC8= +github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5/go.mod h1:tWnyE9AjF8J8qqLk645oUmVUnFybApTQWklQmi5tY6g= github.com/alibabacloud-go/cr-20181201 v1.0.10 h1:B60f6S1imsgn2fgC6X6FrVNrONDrbCT0NwYhsJ0C9/c= github.com/alibabacloud-go/cr-20181201 v1.0.10/go.mod h1:VN9orB/w5G20FjytoSpZROqu9ZqxwycASmGqYUJSoDc= github.com/alibabacloud-go/darabonba-openapi v0.1.12/go.mod h1:sTAjsFJmVsmcVeklL9d9uDBlFsgl43wZ6jhI6BHqHqU= 
@@ -728,8 +729,8 @@ github.com/alibabacloud-go/tea v1.1.8/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeG github.com/alibabacloud-go/tea v1.1.11/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4= github.com/alibabacloud-go/tea v1.1.17/go.mod h1:nXxjm6CIFkBhwW4FQkNrolwbfon8Svy6cujmKFUq98A= github.com/alibabacloud-go/tea v1.1.19/go.mod h1:nXxjm6CIFkBhwW4FQkNrolwbfon8Svy6cujmKFUq98A= -github.com/alibabacloud-go/tea v1.2.1 h1:rFF1LnrAdhaiPmKwH5xwYOKlMh66CqRwPUTzIK74ask= -github.com/alibabacloud-go/tea v1.2.1/go.mod h1:qbzof29bM/IFhLMtJPrgTGK3eauV5J2wSyEUo4OEmnA= +github.com/alibabacloud-go/tea v1.2.2 h1:aTsR6Rl3ANWPfqeQugPglfurloyBJY85eFy7Gc1+8oU= +github.com/alibabacloud-go/tea v1.2.2/go.mod h1:CF3vOzEMAG+bR4WOql8gc2G9H3EkH3ZLAQdpmpXMgwk= github.com/alibabacloud-go/tea-utils v1.3.1/go.mod h1:EI/o33aBfj3hETm4RLiAxF/ThQdSngxrpF8rKUDJjPE= github.com/alibabacloud-go/tea-utils v1.3.9/go.mod h1:EI/o33aBfj3hETm4RLiAxF/ThQdSngxrpF8rKUDJjPE= github.com/alibabacloud-go/tea-utils v1.4.3/go.mod h1:KNcT0oXlZZxOXINnZBs6YvgOd5aYp9U67G+E3R8fcQw= 
@@ -739,8 +740,8 @@ github.com/alibabacloud-go/tea-xml v1.1.2/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCE github.com/alibabacloud-go/tea-xml v1.1.3 h1:7LYnm+JbOq2B+T/B0fHC4Ies4/FofC4zHzYtqw7dgt0= github.com/alibabacloud-go/tea-xml v1.1.3/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCEtyBy9+DPF6GgEu8= github.com/aliyun/credentials-go v1.1.2/go.mod h1:ozcZaMR5kLM7pwtCMEpVmQ242suV6qTJya2bDq4X1Tw= -github.com/aliyun/credentials-go v1.3.1 h1:uq/0v7kWrxmoLGpqjx7vtQ/s03f0zR//0br/xWDTE28= -github.com/aliyun/credentials-go v1.3.1/go.mod h1:8jKYhQuDawt8x2+fusqa1Y6mPxemTsBEN04dgcAcYz0= +github.com/aliyun/credentials-go v1.3.6 h1:K5STbhaWjoj5Ht0juOj9mWE2lGelShHLzu5QR3cQ5X8= +github.com/aliyun/credentials-go v1.3.6/go.mod h1:1LxUuX7L5YrZUWzBrRyk0SwSdH4OmPrib8NVePL3fxM= github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20220418222510-f25a4f6275ed/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY= 
@@ -1941,12 +1942,12 @@ golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2Uz golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0= -golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I= golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw= golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= +golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM= 
@@ -2092,12 +2093,12 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= -golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ= golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= +golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw= @@ -2269,6 +2270,7 @@ golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= 
@@ -2283,12 +2285,12 @@ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= -golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo= golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o= golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU= golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= +golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg= @@ -2309,7 +2311,6 @@ golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= diff --git a/upstream/vendor/github.com/alibabacloud-go/tea/tea/tea.go b/upstream/vendor/github.com/alibabacloud-go/tea/tea/tea.go index c984caf821..3fc9b086bb 100644 
--- a/upstream/vendor/github.com/alibabacloud-go/tea/tea/tea.go +++ b/upstream/vendor/github.com/alibabacloud-go/tea/tea/tea.go @@ -218,8 +218,11 @@ func NewSDKError(obj map[string]interface{}) *SDKError { } } } - byt, _ := json.Marshal(data) - err.Data = String(string(byt)) + byt := bytes.NewBuffer([]byte{}) + jsonEncoder := json.NewEncoder(byt) + jsonEncoder.SetEscapeHTML(false) + jsonEncoder.Encode(data) + err.Data = String(string(bytes.TrimSpace(byt.Bytes()))) } if statusCode, ok := obj["statusCode"].(int); ok { diff --git a/upstream/vendor/github.com/aliyun/credentials-go/credentials/credential.go b/upstream/vendor/github.com/aliyun/credentials-go/credentials/credential.go index 2603dc0c7d..88e177f967 100644 --- a/upstream/vendor/github.com/aliyun/credentials-go/credentials/credential.go +++ b/upstream/vendor/github.com/aliyun/credentials-go/credentials/credential.go @@ -25,8 +25,11 @@ var hookParse = func(err error) error { // Credential is an interface for getting actual credential type Credential interface { + // Deprecated: GetAccessKeyId is deprecated, use GetCredential instead of. GetAccessKeyId() (*string, error) + // Deprecated: GetAccessKeySecret is deprecated, use GetCredential instead of. GetAccessKeySecret() (*string, error) + // Deprecated: GetSecurityToken is deprecated, use GetCredential instead of. GetSecurityToken() (*string, error) GetBearerToken() *string GetType() *string @@ -44,6 +47,8 @@ type Config struct { RoleSessionName *string `json:"role_session_name"` PublicKeyId *string `json:"public_key_id"` RoleName *string `json:"role_name"` + EnableIMDSv2 *bool `json:"enable_imds_v2"` + MetadataTokenDuration *int `json:"metadata_token_duration"` SessionExpiration *int `json:"session_expiration"` PrivateKeyFile *string `json:"private_key_file"` BearerToken *string `json:"bearer_token"` 
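Review bot: In NewSDKError the result of `jsonEncoder.Encode(data)` is discarded, so a `data` value that cannot be encoded leaves `err.Data` empty with no indication why; checking the returned error and only assigning `err.Data` on success would make that fallback deliberate. The added `jsonEncoder.SetEscapeHTML(false)` also means `<`, `>` and `&` taken from the service response now reach `err.Data` verbatim, so any consumer that renders this field into HTML has to escape it at output. A comment such as `// Data is JSON with HTML escaping disabled; escape before rendering.` above the encoder setup would record that. The function body starts and ends outside the hunk, and the file is vendored, so the change itself belongs upstream.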
@@ -103,6 +108,16 @@ func (s *Config) SetRoleName(v string) *Config { return s } +func (s *Config) SetEnableIMDSv2(v bool) *Config { + s.EnableIMDSv2 = &v + return s +} + +func (s *Config) SetMetadataTokenDuration(v int) *Config { + s.MetadataTokenDuration = &v + return s +} + func (s *Config) SetSessionExpiration(v int) *Config { s.SessionExpiration = &v return s 
@@ -202,28 +217,45 @@ func NewCredential(config *Config) (credential Credential, err error) { ConnectTimeout: tea.IntValue(config.ConnectTimeout), STSEndpoint: tea.StringValue(config.STSEndpoint), } - credential = newOIDCRoleArnCredential(tea.StringValue(config.AccessKeyId), tea.StringValue(config.AccessKeySecret), tea.StringValue(config.RoleArn), tea.StringValue(config.OIDCProviderArn), tea.StringValue(config.OIDCTokenFilePath), tea.StringValue(config.RoleSessionName), tea.StringValue(config.Policy), tea.IntValue(config.RoleSessionExpiration), runtime) + credential = newOIDCRoleArnCredential( + tea.StringValue(config.AccessKeyId), + tea.StringValue(config.AccessKeySecret), + tea.StringValue(config.RoleArn), + tea.StringValue(config.OIDCProviderArn), + tea.StringValue(config.OIDCTokenFilePath), + tea.StringValue(config.RoleSessionName), + tea.StringValue(config.Policy), + tea.IntValue(config.RoleSessionExpiration), + runtime) case "access_key": err = checkAccessKey(config) if err != nil { return } - credential = newAccessKeyCredential(tea.StringValue(config.AccessKeyId), tea.StringValue(config.AccessKeySecret)) + credential = newAccessKeyCredential( + tea.StringValue(config.AccessKeyId), + tea.StringValue(config.AccessKeySecret)) case "sts": err = checkSTS(config) if err != nil { return } - credential = newStsTokenCredential(tea.StringValue(config.AccessKeyId), tea.StringValue(config.AccessKeySecret), tea.StringValue(config.SecurityToken)) + credential = newStsTokenCredential( + tea.StringValue(config.AccessKeyId), + tea.StringValue(config.AccessKeySecret), + tea.StringValue(config.SecurityToken)) case "ecs_ram_role": - checkEcsRAMRole(config) runtime := &utils.Runtime{ Host: tea.StringValue(config.Host), - Proxy: tea.StringValue(config.Proxy), ReadTimeout: tea.IntValue(config.Timeout), ConnectTimeout: tea.IntValue(config.ConnectTimeout), } - credential = newEcsRAMRoleCredential(tea.StringValue(config.RoleName), tea.Float64Value(config.InAdvanceScale), runtime) + 
credential = newEcsRAMRoleCredentialWithEnableIMDSv2( + tea.StringValue(config.RoleName), + tea.BoolValue(config.EnableIMDSv2), + tea.IntValue(config.MetadataTokenDuration), + tea.Float64Value(config.InAdvanceScale), + runtime) case "ram_role_arn": err = checkRAMRoleArn(config) if err != nil { @@ -236,9 +268,10 @@ func NewCredential(config *Config) (credential Credential, err error) { ConnectTimeout: tea.IntValue(config.ConnectTimeout), STSEndpoint: tea.StringValue(config.STSEndpoint), } - credential = newRAMRoleArnWithExternalIdCredential( + credential = newRAMRoleArnl( tea.StringValue(config.AccessKeyId), tea.StringValue(config.AccessKeySecret), + tea.StringValue(config.SecurityToken), tea.StringValue(config.RoleArn), tea.StringValue(config.RoleSessionName), tea.StringValue(config.Policy), @@ -271,7 +304,11 @@ func NewCredential(config *Config) (credential Credential, err error) { ConnectTimeout: tea.IntValue(config.ConnectTimeout), STSEndpoint: tea.StringValue(config.STSEndpoint), } - credential = newRsaKeyPairCredential(privateKey, tea.StringValue(config.PublicKeyId), tea.IntValue(config.SessionExpiration), runtime) + credential = newRsaKeyPairCredential( + privateKey, + tea.StringValue(config.PublicKeyId), + tea.IntValue(config.SessionExpiration), + runtime) case "bearer": if tea.StringValue(config.BearerToken) == "" { err = errors.New("BearerToken cannot be empty") @@ -279,7 +316,7 @@ func NewCredential(config *Config) (credential Credential, err error) { } credential = newBearerTokenCredential(tea.StringValue(config.BearerToken)) default: - err = errors.New("Invalid type option, support: access_key, sts, ecs_ram_role, ram_role_arn, rsa_key_pair") + err = errors.New("invalid type option, support: access_key, sts, ecs_ram_role, ram_role_arn, rsa_key_pair") return } return credential, nil 
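Review bot: In the `ecs_ram_role` case the runtime no longer sets `Proxy: tea.StringValue(config.Proxy)`, so a caller who configured `Config.Proxy` has it ignored for metadata requests without an error or a comment. Keeping link-local metadata traffic off a proxy is probably the intent, but it should be stated, for example `// Proxy is intentionally not applied to metadata-service requests.`. Note also that `tea.BoolValue(config.EnableIMDSv2)` presumably yields false when the field is unset, so the token-protected mode stays opt-in and existing deployments keep the unauthenticated request path until they set it. NewCredential starts and ends outside this hunk.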
@@ -310,26 +347,26 @@ func checkoutAssumeRamoidc(config *Config) (err error) { } func checkRAMRoleArn(config *Config) (err error) { + if tea.StringValue(config.AccessKeyId) == "" { + err = errors.New("AccessKeyId cannot be empty") + return + } + if tea.StringValue(config.AccessKeySecret) == "" { err = errors.New("AccessKeySecret cannot be empty") return } + if tea.StringValue(config.RoleArn) == "" { err = errors.New("RoleArn cannot be empty") return } + if tea.StringValue(config.RoleSessionName) == "" { err = errors.New("RoleSessionName cannot be empty") return } - if tea.StringValue(config.AccessKeyId) == "" { - err = errors.New("AccessKeyId cannot be empty") - return - } - return -} -func checkEcsRAMRole(config *Config) (err error) { return } diff --git a/upstream/vendor/github.com/aliyun/credentials-go/credentials/ecs_ram_role.go b/upstream/vendor/github.com/aliyun/credentials-go/credentials/ecs_ram_role.go index d86360fc5d..00aaada85d 100644 --- a/upstream/vendor/github.com/aliyun/credentials-go/credentials/ecs_ram_role.go +++ b/upstream/vendor/github.com/aliyun/credentials-go/credentials/ecs_ram_role.go @@ -3,6 +3,7 @@ package credentials import ( "encoding/json" "fmt" + "strconv" "time" "github.com/alibabacloud-go/tea/tea" @@ -11,13 +12,20 @@ import ( ) var securityCredURL = "http://100.100.100.200/latest/meta-data/ram/security-credentials/" +var securityCredTokenURL = "http://100.100.100.200/latest/api/token" + +const defaultMetadataTokenDuration = int(21600) // EcsRAMRoleCredential is a kind of credential type EcsRAMRoleCredential struct { *credentialUpdater - RoleName string - sessionCredential *sessionCredential - runtime *utils.Runtime + RoleName string + EnableIMDSv2 bool + MetadataTokenDuration int + sessionCredential *sessionCredential + runtime *utils.Runtime + metadataToken string + staleTime int64 } type ecsRAMRoleResponse struct { 
@@ -28,15 +36,17 @@ type ecsRAMRoleResponse struct { Expiration string `json:"Expiration" xml:"Expiration"` } -func newEcsRAMRoleCredential(roleName string, inAdvanceScale float64, runtime *utils.Runtime) *EcsRAMRoleCredential { +func newEcsRAMRoleCredentialWithEnableIMDSv2(roleName string, enableIMDSv2 bool, metadataTokenDuration int, inAdvanceScale float64, runtime *utils.Runtime) *EcsRAMRoleCredential { credentialUpdater := new(credentialUpdater) if inAdvanceScale < 1 && inAdvanceScale > 0 { credentialUpdater.inAdvanceScale = inAdvanceScale } return &EcsRAMRoleCredential{ - RoleName: roleName, - credentialUpdater: credentialUpdater, - runtime: runtime, + RoleName: roleName, + EnableIMDSv2: enableIMDSv2, + MetadataTokenDuration: metadataTokenDuration, + credentialUpdater: credentialUpdater, + runtime: runtime, } } @@ -123,6 +133,26 @@ func getRoleName() (string, error) { return string(content), nil } +func (e *EcsRAMRoleCredential) getMetadataToken() (err error) { + if e.needToRefresh() { + if e.MetadataTokenDuration <= 0 { + e.MetadataTokenDuration = defaultMetadataTokenDuration + } + tmpTime := time.Now().Unix() + int64(e.MetadataTokenDuration*1000) + request := request.NewCommonRequest() + request.URL = securityCredTokenURL + request.Method = "PUT" + request.Headers["X-aliyun-ecs-metadata-token-ttl-seconds"] = strconv.Itoa(e.MetadataTokenDuration) + content, err := doAction(request, e.runtime) + if err != nil { + return err + } + e.staleTime = tmpTime + e.metadataToken = string(content) + } + return +} + func (e *EcsRAMRoleCredential) updateCredential() (err error) { if e.runtime == nil { e.runtime = new(utils.Runtime) 
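Review bot: In getMetadataToken, `tmpTime := time.Now().Unix() + int64(e.MetadataTokenDuration*1000)` mixes units: `Unix()` is in seconds and the TTL sent in `X-aliyun-ecs-metadata-token-ttl-seconds` is `e.MetadataTokenDuration` seconds, so `staleTime` lands about 1000 times further out than the lifetime requested from the service. With `defaultMetadataTokenDuration` of 21600 the cached token is treated as fresh for roughly 250 days although it was requested for six hours, so `needToRefresh` stays false and updateCredential would keep sending an expired token, which presumably makes credential refresh fail on long-running processes. The line should read `tmpTime := time.Now().Unix() + int64(e.MetadataTokenDuration)`, ideally minus a small safety margin. This file is vendored, so the fix has to come from the upstream module; until then it is worth knowing before enabling `EnableIMDSv2` in a long-lived service.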
@@ -134,6 +164,13 @@ func (e *EcsRAMRoleCredential) updateCredential() (err error) { return fmt.Errorf("refresh Ecs sts token err: %s", err.Error()) } } + if e.EnableIMDSv2 { + err = e.getMetadataToken() + if err != nil { + return fmt.Errorf("failed to get token from ECS Metadata Service: %s", err.Error()) + } + request.Headers["X-aliyun-ecs-metadata-token"] = e.metadataToken + } request.URL = securityCredURL + e.RoleName request.Method = "GET" content, err := doAction(request, e.runtime) @@ -163,3 +200,8 @@ func (e *EcsRAMRoleCredential) updateCredential() (err error) { return } + +func (e *EcsRAMRoleCredential) needToRefresh() (needToRefresh bool) { + needToRefresh = time.Now().Unix() >= e.staleTime + return +} diff --git a/upstream/vendor/github.com/aliyun/credentials-go/credentials/instance_provider.go b/upstream/vendor/github.com/aliyun/credentials-go/credentials/instance_provider.go index 7e2ea07bb7..c82091dfda 100644 --- a/upstream/vendor/github.com/aliyun/credentials-go/credentials/instance_provider.go +++ b/upstream/vendor/github.com/aliyun/credentials-go/credentials/instance_provider.go @@ -2,6 +2,7 @@ package credentials import ( "os" + "strings" "github.com/alibabacloud-go/tea/tea" ) @@ -19,10 +20,12 @@ func (p *instanceCredentialsProvider) resolve() (*Config, error) { if !ok { return nil, nil } + enableIMDSv2, _ := os.LookupEnv(ENVEcsMetadataIMDSv2Enable) config := &Config{ - Type: tea.String("ecs_ram_role"), - RoleName: tea.String(roleName), + Type: tea.String("ecs_ram_role"), + RoleName: tea.String(roleName), + EnableIMDSv2: tea.Bool(strings.ToLower(enableIMDSv2) == "true"), } return config, nil } diff --git a/upstream/vendor/github.com/aliyun/credentials-go/credentials/oidc_credential.go b/upstream/vendor/github.com/aliyun/credentials-go/credentials/oidc_credential.go index 7d960abaf1..c2b9630b89 100644 --- a/upstream/vendor/github.com/aliyun/credentials-go/credentials/oidc_credential.go 
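Review bot: In instanceCredentialsProvider.resolve, `tea.Bool(strings.ToLower(enableIMDSv2) == "true")` treats every value other than the exact word as "off", so `1`, `yes` or a value with stray whitespace in `ALIBABA_CLOUD_ECS_IMDSV2_ENABLE` silently leaves the token-protected mode disabled. For a security setting a mistyped value should not degrade quietly; parsing with `strconv.ParseBool(strings.TrimSpace(enableIMDSv2))` and returning the parse error when the variable is set but invalid would surface the mistake. At minimum a comment on `ENVEcsMetadataIMDSv2Enable` should state that only `true` (case-insensitive) enables it. The function starts outside the hunk.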
+++ b/upstream/vendor/github.com/aliyun/credentials-go/credentials/oidc_credential.go @@ -5,6 +5,7 @@ import ( "fmt" "io/ioutil" "os" + "strconv" "time" "github.com/alibabacloud-go/tea/tea" @@ -12,8 +13,6 @@ import ( "github.com/aliyun/credentials-go/credentials/utils" ) -const defaultOIDCDurationSeconds = 3600 - // OIDCCredential is a kind of credentials type OIDCCredential struct { *credentialUpdater @@ -154,6 +153,9 @@ func (r *OIDCCredential) updateCredential() (err error) { if r.Policy != "" { request.QueryParams["Policy"] = r.Policy } + if r.RoleSessionExpiration > 0 { + request.QueryParams["DurationSeconds"] = strconv.Itoa(r.RoleSessionExpiration) + } request.QueryParams["RoleSessionName"] = r.RoleSessionName request.QueryParams["Version"] = "2015-04-01" request.QueryParams["SignatureNonce"] = utils.GetUUID() diff --git a/upstream/vendor/github.com/aliyun/credentials-go/credentials/profile_provider.go b/upstream/vendor/github.com/aliyun/credentials-go/credentials/profile_provider.go index de02c3dc43..9326276505 100644 --- a/upstream/vendor/github.com/aliyun/credentials-go/credentials/profile_provider.go +++ b/upstream/vendor/github.com/aliyun/credentials-go/credentials/profile_provider.go 
@@ -100,21 +100,21 @@ func (p *profileProvider) resolve() (*Config, error) { } return config, nil default: - return nil, errors.New("Invalid type option, support: access_key, sts, ecs_ram_role, ram_role_arn, rsa_key_pair") + return nil, errors.New("invalid type option, support: access_key, sts, ecs_ram_role, ram_role_arn, rsa_key_pair") } } func getRSAKeyPair(section *ini.Section) (*Config, error) { publicKeyId, err := section.GetKey("public_key_id") if err != nil { - return nil, errors.New("Missing required public_key_id option in profile for rsa_key_pair") + return nil, errors.New("missing required public_key_id option in profile for rsa_key_pair") } if publicKeyId.String() == "" { return nil, errors.New("public_key_id cannot be empty") } privateKeyFile, err := section.GetKey("private_key_file") if err != nil { - return nil, errors.New("Missing required private_key_file option in profile for rsa_key_pair") + return nil, errors.New("missing required private_key_file option in profile for rsa_key_pair") } if privateKeyFile.String() == "" { return nil, errors.New("private_key_file cannot be empty") 
@@ -143,28 +143,28 @@ func getRSAKeyPair(section *ini.Section) (*Config, error) { func getRAMRoleArn(section *ini.Section) (*Config, error) { accessKeyId, err := section.GetKey("access_key_id") if err != nil { - return nil, errors.New("Missing required access_key_id option in profile for ram_role_arn") + return nil, errors.New("missing required access_key_id option in profile for ram_role_arn") } if accessKeyId.String() == "" { return nil, errors.New("access_key_id cannot be empty") } accessKeySecret, err := section.GetKey("access_key_secret") if err != nil { - return nil, errors.New("Missing required access_key_secret option in profile for ram_role_arn") + return nil, errors.New("missing required access_key_secret option in profile for ram_role_arn") } if accessKeySecret.String() == "" { return nil, errors.New("access_key_secret cannot be empty") } roleArn, err := section.GetKey("role_arn") if err != nil { - return nil, errors.New("Missing required role_arn option in profile for ram_role_arn") + return nil, errors.New("missing required role_arn option in profile for ram_role_arn") } if roleArn.String() == "" { return nil, errors.New("role_arn cannot be empty") } roleSessionName, err := section.GetKey("role_session_name") if err != nil { - return nil, errors.New("Missing required role_session_name option in profile for ram_role_arn") + return nil, errors.New("missing required role_session_name option in profile for ram_role_arn") } if roleSessionName.String() == "" { return nil, errors.New("role_session_name cannot be empty") 
@@ -210,7 +210,7 @@ func getEcsRAMRole(section *ini.Section) (*Config, error) { func getBearerToken(section *ini.Section) (*Config, error) { bearerToken, err := section.GetKey("bearer_token") if err != nil { - return nil, errors.New("Missing required bearer_token option in profile for bearer") + return nil, errors.New("missing required bearer_token option in profile for bearer") } if bearerToken.String() == "" { return nil, errors.New("bearer_token cannot be empty") @@ -225,21 +225,21 @@ func getBearerToken(section *ini.Section) (*Config, error) { func getSTS(section *ini.Section) (*Config, error) { accesskeyid, err := section.GetKey("access_key_id") if err != nil { - return nil, errors.New("Missing required access_key_id option in profile for sts") + return nil, errors.New("missing required access_key_id option in profile for sts") } if accesskeyid.String() == "" { return nil, errors.New("access_key_id cannot be empty") } accessKeySecret, err := section.GetKey("access_key_secret") if err != nil { - return nil, errors.New("Missing required access_key_secret option in profile for sts") + return nil, errors.New("missing required access_key_secret option in profile for sts") } if accessKeySecret.String() == "" { return nil, errors.New("access_key_secret cannot be empty") } securityToken, err := section.GetKey("security_token") if err != nil { - return nil, errors.New("Missing required security_token option in profile for sts") + return nil, errors.New("missing required security_token option in profile for sts") } if securityToken.String() == "" { return nil, errors.New("security_token cannot be empty") 
@@ -256,14 +256,14 @@ func getSTS(section *ini.Section) (*Config, error) { func getAccessKey(section *ini.Section) (*Config, error) { accesskeyid, err := section.GetKey("access_key_id") if err != nil { - return nil, errors.New("Missing required access_key_id option in profile for access_key") + return nil, errors.New("missing required access_key_id option in profile for access_key") } if accesskeyid.String() == "" { return nil, errors.New("access_key_id cannot be empty") } accessKeySecret, err := section.GetKey("access_key_secret") if err != nil { - return nil, errors.New("Missing required access_key_secret option in profile for access_key") + return nil, errors.New("missing required access_key_secret option in profile for access_key") } if accessKeySecret.String() == "" { return nil, errors.New("access_key_secret cannot be empty") @@ -289,7 +289,7 @@ func getType(path, profile string) (*ini.Key, *ini.Section, error) { value, err := section.GetKey("type") if err != nil { - return nil, nil, errors.New("Missing required type option " + err.Error()) + return nil, nil, errors.New("missing required type option " + err.Error()) } return value, section, nil } @@ -312,7 +312,7 @@ func getHomePath() string { func checkDefaultPath() (path string, err error) { path = getHomePath() if path == "" { - return "", errors.New("The default credential file path is invalid") + return "", errors.New("the default credential file path is invalid") } path = strings.Replace("~/.alibabacloud/credentials", "~", path, 1) _, err = hookState(os.Stat(path)) 
@@ -333,14 +333,14 @@ func setRuntimeToConfig(config *Config, section *ini.Section) error { if rawConnectTimeout != nil { connectTimeout, err := rawConnectTimeout.Int() if err != nil { - return fmt.Errorf("Please set connect_timeout with an int value") + return fmt.Errorf("please set connect_timeout with an int value") } config.ConnectTimeout = tea.Int(connectTimeout) } if rawTimeout != nil { timeout, err := rawTimeout.Int() if err != nil { - return fmt.Errorf("Please set timeout with an int value") + return fmt.Errorf("please set timeout with an int value") } config.Timeout = tea.Int(timeout) } diff --git a/upstream/vendor/github.com/aliyun/credentials-go/credentials/provider.go b/upstream/vendor/github.com/aliyun/credentials-go/credentials/provider.go index fe813db330..506e110b95 100644 --- a/upstream/vendor/github.com/aliyun/credentials-go/credentials/provider.go +++ b/upstream/vendor/github.com/aliyun/credentials-go/credentials/provider.go @@ -1,14 +1,15 @@ package credentials -//Environmental virables that may be used by the provider +// Environmental virables that may be used by the provider const ( - ENVCredentialFile = "ALIBABA_CLOUD_CREDENTIALS_FILE" - ENVEcsMetadata = "ALIBABA_CLOUD_ECS_METADATA" - PATHCredentialFile = "~/.alibabacloud/credentials" - ENVRoleArn = "ALIBABA_CLOUD_ROLE_ARN" - ENVOIDCProviderArn = "ALIBABA_CLOUD_OIDC_PROVIDER_ARN" - ENVOIDCTokenFile = "ALIBABA_CLOUD_OIDC_TOKEN_FILE" - ENVRoleSessionName = "ALIBABA_CLOUD_ROLE_SESSION_NAME" + ENVCredentialFile = "ALIBABA_CLOUD_CREDENTIALS_FILE" + ENVEcsMetadata = "ALIBABA_CLOUD_ECS_METADATA" + ENVEcsMetadataIMDSv2Enable = "ALIBABA_CLOUD_ECS_IMDSV2_ENABLE" + PATHCredentialFile = "~/.alibabacloud/credentials" + ENVRoleArn = "ALIBABA_CLOUD_ROLE_ARN" + ENVOIDCProviderArn = "ALIBABA_CLOUD_OIDC_PROVIDER_ARN" + ENVOIDCTokenFile = "ALIBABA_CLOUD_OIDC_TOKEN_FILE" + ENVRoleSessionName = "ALIBABA_CLOUD_ROLE_SESSION_NAME" ) // Provider will be implemented When you want to customize the provider. 
diff --git a/upstream/vendor/github.com/aliyun/credentials-go/credentials/provider_chain.go b/upstream/vendor/github.com/aliyun/credentials-go/credentials/provider_chain.go index a694d5cb58..e43388612d 100644 --- a/upstream/vendor/github.com/aliyun/credentials-go/credentials/provider_chain.go +++ b/upstream/vendor/github.com/aliyun/credentials-go/credentials/provider_chain.go @@ -27,6 +27,6 @@ func (p *providerChain) resolve() (*Config, error) { } return config, err } - return nil, errors.New("No credential found") + return nil, errors.New("no credential found") } diff --git a/upstream/vendor/github.com/aliyun/credentials-go/credentials/sts_role_arn_credential.go b/upstream/vendor/github.com/aliyun/credentials-go/credentials/sts_role_arn_credential.go index 3ddf32fa21..1b75500e87 100644 --- a/upstream/vendor/github.com/aliyun/credentials-go/credentials/sts_role_arn_credential.go +++ b/upstream/vendor/github.com/aliyun/credentials-go/credentials/sts_role_arn_credential.go @@ -19,6 +19,7 @@ type RAMRoleArnCredential struct { *credentialUpdater AccessKeyId string AccessKeySecret string + SecurityToken string RoleArn string RoleSessionName string RoleSessionExpiration int 
@@ -39,6 +40,21 @@ type credentialsInResponse struct { Expiration string `json:"Expiration" xml:"Expiration"` } +func newRAMRoleArnl(accessKeyId, accessKeySecret, securityToken, roleArn, roleSessionName, policy string, roleSessionExpiration int, externalId string, runtime *utils.Runtime) *RAMRoleArnCredential { + return &RAMRoleArnCredential{ + AccessKeyId: accessKeyId, + AccessKeySecret: accessKeySecret, + SecurityToken: securityToken, + RoleArn: roleArn, + RoleSessionName: roleSessionName, + RoleSessionExpiration: roleSessionExpiration, + Policy: policy, + ExternalId: externalId, + credentialUpdater: new(credentialUpdater), + runtime: runtime, + } +} + func newRAMRoleArnCredential(accessKeyId, accessKeySecret, roleArn, roleSessionName, policy string, roleSessionExpiration int, runtime *utils.Runtime) *RAMRoleArnCredential { return &RAMRoleArnCredential{ AccessKeyId: accessKeyId, @@ -140,6 +156,9 @@ func (r *RAMRoleArnCredential) updateCredential() (err error) { request.Scheme = "HTTPS" request.Method = "GET" request.QueryParams["AccessKeyId"] = r.AccessKeyId + if r.SecurityToken != "" { + request.QueryParams["SecurityToken"] = r.SecurityToken + } request.QueryParams["Action"] = "AssumeRole" request.QueryParams["Format"] = "JSON" if r.RoleSessionExpiration > 0 { diff --git a/upstream/vendor/modules.txt b/upstream/vendor/modules.txt index 12bcd565e5..17dd57685c 100644 --- a/upstream/vendor/modules.txt +++ b/upstream/vendor/modules.txt @@ -213,7 +213,7 @@ github.com/ThalesIgnite/crypto11 # github.com/agnivade/levenshtein v1.1.1 ## explicit; go 1.13 github.com/agnivade/levenshtein -# github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 +# github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 ## explicit; go 1.14 github.com/alibabacloud-go/alibabacloud-gateway-spi/client # github.com/alibabacloud-go/cr-20160607 v1.0.1 => github.com/vdemeester/cr-20160607 v1.0.1 
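Review bot: The added `request.QueryParams["SecurityToken"] = r.SecurityToken` in RAMRoleArnCredential.updateCredential places the STS session token in the query string of a GET request. The scheme is HTTPS, so it is protected in transit, but request URLs are commonly captured by debug logging and by intermediaries that terminate TLS, and this token is a usable credential for its lifetime. A comment such as `// SecurityToken is sent as a query parameter; never log the request URL.` would make that explicit. The function body extends beyond the hunk, so whether the URL is logged elsewhere cannot be confirmed from here.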
@@ -234,7 +234,7 @@ github.com/alibabacloud-go/endpoint-util/service # github.com/alibabacloud-go/openapi-util v0.1.0 ## explicit; go 1.14 github.com/alibabacloud-go/openapi-util/service -# github.com/alibabacloud-go/tea v1.2.1 +# github.com/alibabacloud-go/tea v1.2.2 ## explicit; go 1.14 github.com/alibabacloud-go/tea/tea github.com/alibabacloud-go/tea/utils @@ -244,7 +244,7 @@ github.com/alibabacloud-go/tea-utils/service # github.com/alibabacloud-go/tea-xml v1.1.3 ## explicit; go 1.14 github.com/alibabacloud-go/tea-xml/service -# github.com/aliyun/credentials-go v1.3.1 +# github.com/aliyun/credentials-go v1.3.6 ## explicit; go 1.14 github.com/aliyun/credentials-go/credentials github.com/aliyun/credentials-go/credentials/request