feat: support CloudSSO credentials provider

Author: yndu13

alibabacloud_credentials/provider/__init__.py

@@ -9,6 +9,7 @@
 from .cli_profile import CLIProfileCredentialsProvider
 from .profile import ProfileCredentialsProvider
 from .default import DefaultCredentialsProvider
+from .cloud_sso import CloudSSOCredentialsProvider
 
 __all__ = [
     'StaticAKCredentialsProvider',
@@ -21,5 +22,6 @@
     'URLCredentialsProvider',
     'CLIProfileCredentialsProvider',
     'ProfileCredentialsProvider',
-    'DefaultCredentialsProvider'
+    'DefaultCredentialsProvider',
+    'CloudSSOCredentialsProvider'
 ]

alibabacloud_credentials/provider/cli_profile.py

@@ -4,8 +4,12 @@
 
 import aiofiles
 
-from alibabacloud_credentials.provider import StaticAKCredentialsProvider, EcsRamRoleCredentialsProvider, \
-    RamRoleArnCredentialsProvider, OIDCRoleArnCredentialsProvider, StaticSTSCredentialsProvider
+from .static_ak import StaticAKCredentialsProvider
+from .ecs_ram_role import EcsRamRoleCredentialsProvider
+from .ram_role_arn import RamRoleArnCredentialsProvider
+from .oidc import OIDCRoleArnCredentialsProvider
+from .static_sts import StaticSTSCredentialsProvider
+from .cloud_sso import CloudSSOCredentialsProvider
 from .refreshable import Credentials
 from alibabacloud_credentials_api import ICredentialsProvider
 from alibabacloud_credentials.utils import auth_constant as ac
@@ -163,6 +167,14 @@ def _get_credentials_provider(self, config: Dict, profile_name: str) -> ICredent
                         sts_region_id=profile.get('sts_region'),
                         enable_vpc=profile.get('enable_vpc'),
                     )
+                elif mode == "CloudSSO":
+                    return CloudSSOCredentialsProvider(
+                        sign_in_url=profile.get('cloud_sso_sign_in_url'),
+                        account_id=profile.get('cloud_sso_account_id'),
+                        access_config=profile.get('cloud_sso_access_config'),
+                        access_token=profile.get('access_token'),
+                        access_token_expire=profile.get('cloud_sso_access_token_expire'),
+                    )
                 else:
                     raise CredentialException(f"unsupported profile mode '{mode}' form cli credentials file.")
 

alibabacloud_credentials/provider/cloud_sso.py

@@ -0,0 +1,160 @@
+import calendar
+import json
+import time
+from urllib.parse import urlparse
+
+from alibabacloud_credentials.provider.refreshable import Credentials, RefreshResult, RefreshCachedSupplier
+from alibabacloud_credentials.http import HttpOptions
+from Tea.core import TeaCore
+from alibabacloud_credentials_api import ICredentialsProvider
+from alibabacloud_credentials.utils import parameter_helper as ph
+from alibabacloud_credentials.exceptions import CredentialException
+
+
+def _get_stale_time(expiration: int) -> int:
+    if expiration < 0:
+        return int(time.mktime(time.localtime())) + 60 * 60
+    return expiration - 15 * 60
+
+
+class CloudSSOCredentialsProvider(ICredentialsProvider):
+    DEFAULT_CONNECT_TIMEOUT = 5000
+    DEFAULT_READ_TIMEOUT = 10000
+
+    def __init__(self, *,
+                 sign_in_url: str = None,
+                 account_id: str = None,
+                 access_config: str = None,
+                 access_token: str = None,
+                 access_token_expire: int = 0,
+                 http_options: HttpOptions = None):
+
+        self._sign_in_url = sign_in_url
+        self._account_id = account_id
+        self._access_config = access_config
+        self._access_token = access_token
+        self._access_token_expire = access_token_expire
+
+        if self._access_token is None or self._access_token_expire == 0 or self._access_token_expire - int(
+                time.mktime(time.localtime())) <= 0:
+            raise ValueError(
+                'CloudSSO access token is empty or expired, please re-login with cli')
+        if self._sign_in_url is None or self._account_id is None or self._access_config is None:
+            raise ValueError(
+                'CloudSSO sign in url or account id or access config is empty')
+
+        self._http_options = http_options if http_options is not None else HttpOptions()
+        self._runtime_options = {
+            'connectTimeout': self._http_options.connect_timeout if self._http_options.connect_timeout is not None else CloudSSOCredentialsProvider.DEFAULT_CONNECT_TIMEOUT,
+            'readTimeout': self._http_options.read_timeout if self._http_options.read_timeout is not None else CloudSSOCredentialsProvider.DEFAULT_READ_TIMEOUT,
+            'httpsProxy': self._http_options.proxy
+        }
+        self._credentials_cache = RefreshCachedSupplier(
+            refresh_callable=self._refresh_credentials,
+            refresh_callable_async=self._refresh_credentials_async,
+        )
+
+    def get_credentials(self) -> Credentials:
+        return self._credentials_cache._sync_call()
+
+    async def get_credentials_async(self) -> Credentials:
+        return await self._credentials_cache._async_call()
+
+    def _refresh_credentials(self) -> RefreshResult[Credentials]:
+        r = urlparse(self._sign_in_url)
+        tea_request = ph.get_new_request()
+        tea_request.headers['host'] = r.hostname
+        tea_request.port = r.port
+        tea_request.protocol = r.scheme
+        tea_request.method = 'POST'
+        tea_request.pathname = '/cloud-credentials'
+
+        tea_request.body = json.dumps({
+            'AccountId': self._account_id,
+            'AccessConfigurationId': self._access_config,
+        })
+
+        tea_request.headers['Accept'] = 'application/json'
+        tea_request.headers['Content-Type'] = 'application/json'
+        tea_request.headers['Authorization'] = f'Bearer {self._access_token}'
+
+        response = TeaCore.do_action(tea_request, self._runtime_options)
+
+        if response.status_code != 200:
+            raise CredentialException(
+                f'error refreshing credentials from sso, http_code: {response.status_code}, result: {response.body.decode("utf-8")}')
+
+        dic = json.loads(response.body.decode('utf-8'))
+        if 'CloudCredential' not in dic:
+            raise CredentialException(
+                f'error retrieving credentials from sso result: {response.body.decode("utf-8")}')
+
+        cre = dic.get('CloudCredential')
+        if 'AccessKeyId' not in cre or 'AccessKeySecret' not in cre or 'SecurityToken' not in cre:
+            raise CredentialException(
+                f'error retrieving credentials from sso result: {response.body.decode("utf-8")}')
+
+        # 先转换为时间数组
+        time_array = time.strptime(cre.get('Expiration'), '%Y-%m-%dT%H:%M:%SZ')
+        # 转换为时间戳
+        expiration = calendar.timegm(time_array)
+        credentials = Credentials(
+            access_key_id=cre.get('AccessKeyId'),
+            access_key_secret=cre.get('AccessKeySecret'),
+            security_token=cre.get('SecurityToken'),
+            expiration=expiration,
+            provider_name=self.get_provider_name()
+        )
+        return RefreshResult(value=credentials,
+                             stale_time=_get_stale_time(expiration))
+
+    async def _refresh_credentials_async(self) -> RefreshResult[Credentials]:
+        r = urlparse(self._sign_in_url)
+        tea_request = ph.get_new_request()
+        tea_request.headers['host'] = r.hostname
+        tea_request.port = r.port
+        tea_request.protocol = r.scheme
+        tea_request.method = 'POST'
+        tea_request.pathname = '/cloud-credentials'
+
+        tea_request.body = json.dumps({
+            'AccountId': self._account_id,
+            'AccessConfigurationId': self._access_config,
+        })
+
+        tea_request.headers['Accept'] = 'application/json'
+        tea_request.headers['Content-Type'] = 'application/json'
+        tea_request.headers['Authorization'] = f'Bearer {self._access_token}'
+
+        response = await TeaCore.async_do_action(tea_request, self._runtime_options)
+
+        if response.status_code != 200:
+            raise CredentialException(
+                f'error refreshing credentials from sso, http_code: {response.status_code}, result: {response.body.decode("utf-8")}')
+
+        dic = json.loads(response.body.decode('utf-8'))
+        if 'CloudCredential' not in dic:
+            raise CredentialException(
+                f'error retrieving credentials from sso result: {response.body.decode("utf-8")}')
+
+        cre = dic.get('CloudCredential')
+        if 'AccessKeyId' not in cre or 'AccessKeySecret' not in cre or 'SecurityToken' not in cre:
+            raise CredentialException(
+                f'error retrieving credentials from sso result: {response.body.decode("utf-8")}')
+
+        # 先转换为时间数组
+        time_array = time.strptime(cre.get('Expiration'), '%Y-%m-%dT%H:%M:%SZ')
+        # 转换为时间戳
+        expiration = calendar.timegm(time_array)
+        credentials = Credentials(
+            access_key_id=cre.get('AccessKeyId'),
+            access_key_secret=cre.get('AccessKeySecret'),
+            security_token=cre.get('SecurityToken'),
+            expiration=expiration,
+            provider_name=self.get_provider_name()
+        )
+        return RefreshResult(value=credentials,
+                             stale_time=_get_stale_time(expiration))
+
+    def get_provider_name(self) -> str:
+        return 'cloud_sso'

alibabacloud_credentials/provider/ecs_ram_role.py

@@ -15,7 +15,7 @@
 from alibabacloud_credentials.exceptions import CredentialException
 
 log = logging.getLogger('credentials')
-log.setLevel(logging.DEBUG)
+log.setLevel(logging.INFO)
 ch = logging.StreamHandler()
 log.addHandler(ch)
 

alibabacloud_credentials/provider/refreshable.py

@@ -14,7 +14,7 @@
 from alibabacloud_credentials_api import ICredentials
 
 log = logging.getLogger('credentials')
-log.setLevel(logging.DEBUG)
+log.setLevel(logging.INFO)
 ch = logging.StreamHandler()
 log.addHandler(ch)
 

tests/provider/test_cli_profile.py

@@ -3,6 +3,7 @@
 import asyncio
 import os
 import json
+import time
 from alibabacloud_credentials.provider.cli_profile import (
     CLIProfileCredentialsProvider,
     CredentialException,
@@ -13,7 +14,8 @@
     StaticAKCredentialsProvider,
     RamRoleArnCredentialsProvider,
     EcsRamRoleCredentialsProvider,
-    OIDCRoleArnCredentialsProvider
+    OIDCRoleArnCredentialsProvider,
+    CloudSSOCredentialsProvider
 )
 from alibabacloud_credentials.utils import auth_constant as ac
 
@@ -80,6 +82,15 @@ def setUp(self):
                     "external_id": "test_external_id",
                     "sts_region": "test_sts_region",
                     "enable_vpc": True
+                },
+                {
+                    "name": "cloud_sso_profile",
+                    "mode": "CloudSSO",
+                    "cloud_sso_sign_in_url": "https://sso.example.com",
+                    "cloud_sso_account_id": "test_account_id",
+                    "cloud_sso_access_config": "test_access_config",
+                    "access_token": "test_access_token",
+                    "cloud_sso_access_token_expire": int(time.mktime(time.localtime())) + 1000
                 }
             ]
         }
@@ -243,9 +254,30 @@ def test_get_credentials_valid_chainable_ram_role_arn(self):
                         self.assertEqual(credentials_provider._external_id, 'test_external_id')
                         self.assertEqual(credentials_provider._sts_endpoint, 'sts-vpc.test_sts_region.aliyuncs.com')
 
+    def test_get_credentials_valid_cloud_sso(self):
+        """
+        Test case 7: Valid input, successfully retrieves credentials for CloudSSO mode
+        """
+        with patch('alibabacloud_credentials.provider.cli_profile.au.environment_cli_profile_disabled', False):
+            with patch('os.path.exists', return_value=True):
+                with patch('os.path.isfile', return_value=True):
+                    with patch('alibabacloud_credentials.provider.cli_profile._load_config', return_value=self.config):
+                        provider = CLIProfileCredentialsProvider(profile_name="cloud_sso_profile")
+
+                        credentials_provider = provider._get_credentials_provider(config=self.config,
+                                                                                  profile_name="cloud_sso_profile")
+
+                        self.assertIsInstance(credentials_provider, CloudSSOCredentialsProvider)
+
+                        self.assertEqual(credentials_provider._sign_in_url, 'https://sso.example.com')
+                        self.assertEqual(credentials_provider._account_id, 'test_account_id')
+                        self.assertEqual(credentials_provider._access_config, 'test_access_config')
+                        self.assertEqual(credentials_provider._access_token, 'test_access_token')
+                        self.assertTrue(credentials_provider._access_token_expire > int(time.mktime(time.localtime())))
+
     def test_get_credentials_cli_profile_disabled(self):
         """
-        Test case 7: CLI profile disabled raises CredentialException
+        Test case 8: CLI profile disabled raises CredentialException
         """
         with patch('alibabacloud_credentials.provider.cli_profile.au.environment_cli_profile_disabled', 'True'):
             provider = CLIProfileCredentialsProvider(profile_name=self.profile_name)
@@ -257,7 +289,7 @@ def test_get_credentials_cli_profile_disabled(self):
 
     def test_get_credentials_profile_name_not_exists(self):
         """
-        Test case 8: Profile file does not exist raises CredentialException
+        Test case 9: Profile file does not exist raises CredentialException
         """
         with patch('alibabacloud_credentials.provider.cli_profile.au.environment_cli_profile_disabled', 'False'):
             provider = CLIProfileCredentialsProvider(profile_name='not_exists')
@@ -269,7 +301,7 @@ def test_get_credentials_profile_name_not_exists(self):
 
     def test_get_credentials_profile_file_not_exists(self):
         """
-        Test case 8: Profile file does not exist raises CredentialException
+        Test case 10: Profile file does not exist raises CredentialException
         """
         with patch('alibabacloud_credentials.provider.cli_profile.au.environment_cli_profile_disabled', 'False'):
             with patch('os.path.exists', return_value=False):
@@ -282,7 +314,7 @@ def test_get_credentials_profile_file_not_exists(self):
 
     def test_get_credentials_profile_file_not_file(self):
         """
-        Test case 9: Profile file is not a file raises CredentialException
+        Test case 11: Profile file is not a file raises CredentialException
         """
         with patch('alibabacloud_credentials.provider.cli_profile.au.environment_cli_profile_disabled', 'False'):
             with patch('os.path.exists', return_value=True):
@@ -296,7 +328,7 @@ def test_get_credentials_profile_file_not_file(self):
 
     def test_get_credentials_invalid_json_format(self):
         """
-        Test case 10: Invalid JSON format in profile file raises CredentialException
+        Test case 12: Invalid JSON format in profile file raises CredentialException
         """
         with patch('alibabacloud_credentials.provider.cli_profile.au.environment_cli_profile_disabled', 'False'):
             with patch('os.path.exists', return_value=True):
@@ -313,7 +345,7 @@ def test_get_credentials_invalid_json_format(self):
 
     def test_get_credentials_empty_json(self):
         """
-        Test case 11: Empty JSON in profile file raises CredentialException
+        Test case 13: Empty JSON in profile file raises CredentialException
         """
         with patch('alibabacloud_credentials.provider.cli_profile.au.environment_cli_profile_disabled', 'False'):
             with patch('os.path.exists', return_value=True):
@@ -329,7 +361,7 @@ def test_get_credentials_empty_json(self):
 
     def test_get_credentials_missing_profiles(self):
         """
-        Test case 12: Missing profiles in JSON raises CredentialException
+        Test case 14: Missing profiles in JSON raises CredentialException
         """
         with patch('alibabacloud_credentials.provider.cli_profile.au.environment_cli_profile_disabled', 'False'):
             with patch('os.path.exists', return_value=True):
@@ -346,7 +378,7 @@ def test_get_credentials_missing_profiles(self):
 
     def test_get_credentials_invalid_profile_mode(self):
         """
-        Test case 13: Invalid profile mode raises CredentialException
+        Test case 15: Invalid profile mode raises CredentialException
         """
         invalid_config = {
             "current": "invalid_profile",
@@ -374,7 +406,7 @@ def test_get_credentials_invalid_profile_mode(self):
 
     def test_get_credentials_async_valid_ak(self):
         """
-        Test case 14: Valid input, successfully retrieves credentials for AK mode
+        Test case 16: Valid input, successfully retrieves credentials for AK mode
         """
         with patch('alibabacloud_credentials.provider.cli_profile.au.environment_cli_profile_disabled', 'False'):
             with patch('os.path.exists', return_value=True):
@@ -398,7 +430,7 @@ def test_get_credentials_async_valid_ak(self):
     @patch('builtins.open', new_callable=MagicMock)
     def test_load_config_file_not_found(self, mock_open):
         """
-        Test case 15: File not found raises FileNotFoundError
+        Test case 17: File not found raises FileNotFoundError
         """
         mock_open.side_effect = FileNotFoundError(f"No such file or directory: '{self.profile_file}'")
 
@@ -410,7 +442,7 @@ def test_load_config_file_not_found(self, mock_open):
     @patch('builtins.open', new_callable=MagicMock)
     def test_load_config_invalid_json(self, mock_open):
         """
-        Test case 16: Invalid JSON format raises json.JSONDecodeError
+        Test case 18: Invalid JSON format raises json.JSONDecodeError
         """
         invalid_json = "invalid json content"
         mock_open.return_value.__enter__.return_value.read.return_value = invalid_json