feat: support OAuth credentials provider

Author: yndu13

alibabacloud_credentials/provider/__init__.py

@@ -10,6 +10,7 @@
 from .profile import ProfileCredentialsProvider
 from .default import DefaultCredentialsProvider
 from .cloud_sso import CloudSSOCredentialsProvider
+from .oauth import OAuthCredentialsProvider
 
 __all__ = [
     'StaticAKCredentialsProvider',
@@ -23,5 +24,6 @@
     'CLIProfileCredentialsProvider',
     'ProfileCredentialsProvider',
     'DefaultCredentialsProvider',
-    'CloudSSOCredentialsProvider'
+    'CloudSSOCredentialsProvider',
+    'OAuthCredentialsProvider'
 ]

alibabacloud_credentials/provider/cli_profile.py

@@ -10,6 +10,7 @@
 from .oidc import OIDCRoleArnCredentialsProvider
 from .static_sts import StaticSTSCredentialsProvider
 from .cloud_sso import CloudSSOCredentialsProvider
+from .oauth import OAuthCredentialsProvider
 from .refreshable import Credentials
 from alibabacloud_credentials_api import ICredentialsProvider
 from alibabacloud_credentials.utils import auth_constant as ac
@@ -175,6 +176,12 @@ def _get_credentials_provider(self, config: Dict, profile_name: str) -> ICredent
                         access_token=profile.get('access_token'),
                         access_token_expire=profile.get('cloud_sso_access_token_expire'),
                     )
+                elif mode == "OAuth":
+                    return OAuthCredentialsProvider(
+                        site_type=profile.get('oauth_site_type'),
+                        access_token=profile.get('oauth_access_token'),
+                        access_token_expire=profile.get('oauth_access_token_expire'),
+                    )
                 else:
                     raise CredentialException(f"unsupported profile mode '{mode}' form cli credentials file.")
 

alibabacloud_credentials/provider/oauth.py

@@ -0,0 +1,148 @@
+import calendar
+import json
+import time
+from urllib.parse import urlparse
+
+from alibabacloud_credentials.provider.refreshable import Credentials, RefreshResult, RefreshCachedSupplier
+from alibabacloud_credentials.http import HttpOptions
+from Tea.core import TeaCore
+from alibabacloud_credentials_api import ICredentialsProvider
+from alibabacloud_credentials.utils import parameter_helper as ph
+from alibabacloud_credentials.exceptions import CredentialException
+
+_oauth_base_url_map = {
+    'CN': 'https://oauth.aliyun.com',
+    'INTL': 'https://oauth.alibabacloud.com'
+}
+
+
+def _get_stale_time(expiration: int) -> int:
+    if expiration < 0:
+        return int(time.mktime(time.localtime())) + 60 * 60
+    return expiration - 15 * 60
+
+
+class OAuthCredentialsProvider(ICredentialsProvider):
+    DEFAULT_CONNECT_TIMEOUT = 5000
+    DEFAULT_READ_TIMEOUT = 10000
+
+    def __init__(self, *,
+                 site_type: str = None,
+                 access_token: str = None,
+                 access_token_expire: int = 0,
+                 http_options: HttpOptions = None):
+
+        self._site_type = site_type or 'CN'
+        self._sign_in_url = _oauth_base_url_map.get(self._site_type.upper())
+        self._access_token = access_token
+        self._access_token_expire = access_token_expire
+
+        if self._sign_in_url is None:
+            raise CredentialException('Invalid OAuth site type, support CN or INTL')
+
+        if self._access_token is None or self._access_token_expire == 0 or self._access_token_expire - int(
+                time.mktime(time.localtime())) <= 0:
+            raise ValueError(
+                'OAuth access token is empty or expired, please re-login with cli')
+
+        self._http_options = http_options if http_options is not None else HttpOptions()
+        self._runtime_options = {
+            'connectTimeout': self._http_options.connect_timeout if self._http_options.connect_timeout is not None else OAuthCredentialsProvider.DEFAULT_CONNECT_TIMEOUT,
+            'readTimeout': self._http_options.read_timeout if self._http_options.read_timeout is not None else OAuthCredentialsProvider.DEFAULT_READ_TIMEOUT,
+            'httpsProxy': self._http_options.proxy
+        }
+        self._credentials_cache = RefreshCachedSupplier(
+            refresh_callable=self._refresh_credentials,
+            refresh_callable_async=self._refresh_credentials_async,
+        )
+
+    def get_credentials(self) -> Credentials:
+        return self._credentials_cache._sync_call()
+
+    async def get_credentials_async(self) -> Credentials:
+        return await self._credentials_cache._async_call()
+
+    def _refresh_credentials(self) -> RefreshResult[Credentials]:
+        r = urlparse(self._sign_in_url)
+        tea_request = ph.get_new_request()
+        tea_request.headers['host'] = r.hostname
+        tea_request.port = r.port
+        tea_request.protocol = r.scheme
+        tea_request.method = 'POST'
+        tea_request.pathname = '/v1/exchange'
+
+        tea_request.headers['Content-Type'] = 'application/json'
+        tea_request.headers['Authorization'] = f'Bearer {self._access_token}'
+
+        response = TeaCore.do_action(tea_request, self._runtime_options)
+
+        if response.status_code != 200:
+            raise CredentialException(
+                f'error refreshing credentials from OAuth, http_code: {response.status_code}, result: {response.body.decode("utf-8")}')
+
+        dic = json.loads(response.body.decode('utf-8'))
+        if 'error' in dic:
+            raise CredentialException(
+                f'error retrieving credentials from OAuth result: {response.body.decode("utf-8")}')
+
+        if 'accessKeyId' not in dic or 'accessKeySecret' not in dic or 'securityToken' not in dic:
+            raise CredentialException(
+                f'error retrieving credentials from OAuth result: {response.body.decode("utf-8")}')
+
+        # 先转换为时间数组
+        time_array = time.strptime(dic.get('expiration'), '%Y-%m-%dT%H:%M:%SZ')
+        # 转换为时间戳
+        expiration = calendar.timegm(time_array)
+        credentials = Credentials(
+            access_key_id=dic.get('accessKeyId'),
+            access_key_secret=dic.get('accessKeySecret'),
+            security_token=dic.get('securityToken'),
+            expiration=expiration,
+            provider_name=self.get_provider_name()
+        )
+        return RefreshResult(value=credentials,
+                             stale_time=_get_stale_time(expiration))
+
+    async def _refresh_credentials_async(self) -> RefreshResult[Credentials]:
+        r = urlparse(self._sign_in_url)
+        tea_request = ph.get_new_request()
+        tea_request.headers['host'] = r.hostname
+        tea_request.port = r.port
+        tea_request.protocol = r.scheme
+        tea_request.method = 'POST'
+        tea_request.pathname = '/v1/exchange'
+
+        tea_request.headers['Content-Type'] = 'application/json'
+        tea_request.headers['Authorization'] = f'Bearer {self._access_token}'
+
+        response = await TeaCore.async_do_action(tea_request, self._runtime_options)
+
+        if response.status_code != 200:
+            raise CredentialException(
+                f'error refreshing credentials from OAuth, http_code: {response.status_code}, result: {response.body.decode("utf-8")}')
+
+        dic = json.loads(response.body.decode('utf-8'))
+        if 'error' in dic:
+            raise CredentialException(
+                f'error retrieving credentials from OAuth result: {response.body.decode("utf-8")}')
+
+        if 'accessKeyId' not in dic or 'accessKeySecret' not in dic or 'securityToken' not in dic:
+            raise CredentialException(
+                f'error retrieving credentials from OAuth result: {response.body.decode("utf-8")}')
+
+        # 先转换为时间数组
+        time_array = time.strptime(dic.get('expiration'), '%Y-%m-%dT%H:%M:%SZ')
+        # 转换为时间戳
+        expiration = calendar.timegm(time_array)
+        credentials = Credentials(
+            access_key_id=dic.get('accessKeyId'),
+            access_key_secret=dic.get('accessKeySecret'),
+            security_token=dic.get('securityToken'),
+            expiration=expiration,
+            provider_name=self.get_provider_name()
+        )
+        return RefreshResult(value=credentials,
+                             stale_time=_get_stale_time(expiration))
+
+    def get_provider_name(self) -> str:
+        return 'oauth'

tests/provider/test_cli_profile.py

@@ -15,7 +15,8 @@
     RamRoleArnCredentialsProvider,
     EcsRamRoleCredentialsProvider,
     OIDCRoleArnCredentialsProvider,
-    CloudSSOCredentialsProvider
+    CloudSSOCredentialsProvider,
+    OAuthCredentialsProvider
 )
 from alibabacloud_credentials.utils import auth_constant as ac
 
@@ -91,6 +92,13 @@ def setUp(self):
                     "cloud_sso_access_config": "test_access_config",
                     "access_token": "test_access_token",
                     "cloud_sso_access_token_expire": int(time.mktime(time.localtime())) + 1000
+                },
+                {
+                    "name": "oauth_profile",
+                    "mode": "OAuth",
+                    "oauth_site_type": "CN",
+                    "oauth_access_token": "test_oauth_access_token",
+                    "oauth_access_token_expire": int(time.mktime(time.localtime())) + 1000
                 }
             ]
         }
@@ -275,9 +283,29 @@ def test_get_credentials_valid_cloud_sso(self):
                         self.assertEqual(credentials_provider._access_token, 'test_access_token')
                         self.assertTrue(credentials_provider._access_token_expire > int(time.mktime(time.localtime())))
 
+    def test_get_credentials_valid_oauth(self):
+        """
+        Test case 8: Valid input, successfully retrieves credentials for OAuth mode
+        """
+        with patch('alibabacloud_credentials.provider.cli_profile.au.environment_cli_profile_disabled', False):
+            with patch('os.path.exists', return_value=True):
+                with patch('os.path.isfile', return_value=True):
+                    with patch('alibabacloud_credentials.provider.cli_profile._load_config', return_value=self.config):
+                        provider = CLIProfileCredentialsProvider(profile_name="oauth_profile")
+
+                        credentials_provider = provider._get_credentials_provider(config=self.config,
+                                                                                  profile_name="oauth_profile")
+
+                        self.assertIsInstance(credentials_provider, OAuthCredentialsProvider)
+
+                        self.assertEqual(credentials_provider._site_type, 'CN')
+                        self.assertEqual(credentials_provider._sign_in_url, 'https://oauth.aliyun.com')
+                        self.assertEqual(credentials_provider._access_token, 'test_oauth_access_token')
+                        self.assertTrue(credentials_provider._access_token_expire > int(time.mktime(time.localtime())))
+
     def test_get_credentials_cli_profile_disabled(self):
         """
-        Test case 8: CLI profile disabled raises CredentialException
+        Test case 9: CLI profile disabled raises CredentialException
         """
         with patch('alibabacloud_credentials.provider.cli_profile.au.environment_cli_profile_disabled', 'True'):
             provider = CLIProfileCredentialsProvider(profile_name=self.profile_name)
@@ -289,7 +317,7 @@ def test_get_credentials_cli_profile_disabled(self):
 
     def test_get_credentials_profile_name_not_exists(self):
         """
-        Test case 9: Profile file does not exist raises CredentialException
+        Test case 10: Profile file does not exist raises CredentialException
         """
         with patch('alibabacloud_credentials.provider.cli_profile.au.environment_cli_profile_disabled', 'False'):
             provider = CLIProfileCredentialsProvider(profile_name='not_exists')
@@ -301,7 +329,7 @@ def test_get_credentials_profile_name_not_exists(self):
 
     def test_get_credentials_profile_file_not_exists(self):
         """
-        Test case 10: Profile file does not exist raises CredentialException
+        Test case 11: Profile file does not exist raises CredentialException
         """
         with patch('alibabacloud_credentials.provider.cli_profile.au.environment_cli_profile_disabled', 'False'):
             with patch('os.path.exists', return_value=False):
@@ -314,7 +342,7 @@ def test_get_credentials_profile_file_not_exists(self):
 
     def test_get_credentials_profile_file_not_file(self):
         """
-        Test case 11: Profile file is not a file raises CredentialException
+        Test case 12: Profile file is not a file raises CredentialException
         """
         with patch('alibabacloud_credentials.provider.cli_profile.au.environment_cli_profile_disabled', 'False'):
             with patch('os.path.exists', return_value=True):
@@ -328,7 +356,7 @@ def test_get_credentials_profile_file_not_file(self):
 
     def test_get_credentials_invalid_json_format(self):
         """
-        Test case 12: Invalid JSON format in profile file raises CredentialException
+        Test case 13: Invalid JSON format in profile file raises CredentialException
         """
         with patch('alibabacloud_credentials.provider.cli_profile.au.environment_cli_profile_disabled', 'False'):
             with patch('os.path.exists', return_value=True):
@@ -345,7 +373,7 @@ def test_get_credentials_invalid_json_format(self):
 
     def test_get_credentials_empty_json(self):
         """
-        Test case 13: Empty JSON in profile file raises CredentialException
+        Test case 14: Empty JSON in profile file raises CredentialException
         """
         with patch('alibabacloud_credentials.provider.cli_profile.au.environment_cli_profile_disabled', 'False'):
             with patch('os.path.exists', return_value=True):
@@ -361,7 +389,7 @@ def test_get_credentials_empty_json(self):
 
     def test_get_credentials_missing_profiles(self):
         """
-        Test case 14: Missing profiles in JSON raises CredentialException
+        Test case 15: Missing profiles in JSON raises CredentialException
         """
         with patch('alibabacloud_credentials.provider.cli_profile.au.environment_cli_profile_disabled', 'False'):
             with patch('os.path.exists', return_value=True):
@@ -378,7 +406,7 @@ def test_get_credentials_missing_profiles(self):
 
     def test_get_credentials_invalid_profile_mode(self):
         """
-        Test case 15: Invalid profile mode raises CredentialException
+        Test case 16: Invalid profile mode raises CredentialException
         """
         invalid_config = {
             "current": "invalid_profile",
@@ -406,7 +434,7 @@ def test_get_credentials_invalid_profile_mode(self):
 
     def test_get_credentials_async_valid_ak(self):
         """
-        Test case 16: Valid input, successfully retrieves credentials for AK mode
+        Test case 17: Valid input, successfully retrieves credentials for AK mode
         """
         with patch('alibabacloud_credentials.provider.cli_profile.au.environment_cli_profile_disabled', 'False'):
             with patch('os.path.exists', return_value=True):
@@ -430,7 +458,7 @@ def test_get_credentials_async_valid_ak(self):
     @patch('builtins.open', new_callable=MagicMock)
     def test_load_config_file_not_found(self, mock_open):
         """
-        Test case 17: File not found raises FileNotFoundError
+        Test case 18: File not found raises FileNotFoundError
         """
         mock_open.side_effect = FileNotFoundError(f"No such file or directory: '{self.profile_file}'")
 
@@ -442,7 +470,7 @@ def test_load_config_file_not_found(self, mock_open):
     @patch('builtins.open', new_callable=MagicMock)
     def test_load_config_invalid_json(self, mock_open):
         """
-        Test case 18: Invalid JSON format raises json.JSONDecodeError
+        Test case 19: Invalid JSON format raises json.JSONDecodeError
         """
         invalid_json = "invalid json content"
         mock_open.return_value.__enter__.return_value.read.return_value = invalid_json