Skip to content

Commit 3d331ec

Browse files
atptrosjj3086786
authored andcommitted
support policy
1 parent 89f72af commit 3d331ec

6 files changed

Lines changed: 54 additions & 36 deletions

File tree

aliyun-java-sdk-core/src/main/java/com/aliyuncs/auth/AuthConstant.java

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@ public class AuthConstant {
1818
public static final String INI_ROLE_NAME = "role_name";
1919
public static final String INI_ROLE_SESSION_NAME = "role_session_name";
2020
public static final String INI_ROLE_ARN = "role_arn";
21-
21+
public static final String INI_POLICY = "policy";
2222
public static final long TSC_VALID_TIME_SECONDS = 3600L;
2323
public static final String DEFAULT_REGION = "region_id";
2424
public static final String INI_ENABLE = "enable";

aliyun-java-sdk-core/src/main/java/com/aliyuncs/auth/ProfileCredentialsProvider.java

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -96,6 +96,7 @@ private AlibabaCloudCredentials getSTSAssumeRoleSessionCredentials(Map<String, S
9696
String roleSessionName = clientConfig.get(AuthConstant.INI_ROLE_SESSION_NAME);
9797
String roleArn = clientConfig.get(AuthConstant.INI_ROLE_ARN);
9898
String regionId = clientConfig.get(AuthConstant.DEFAULT_REGION);
99+
String policy = clientConfig.get(AuthConstant.INI_POLICY);
99100
if (StringUtils.isEmpty(accessKeyId) || StringUtils.isEmpty(accessKeySecret)) {
100101
throw new ClientException("The configured access_key_id or access_key_secret is empty");
101102
}
@@ -104,7 +105,7 @@ private AlibabaCloudCredentials getSTSAssumeRoleSessionCredentials(Map<String, S
104105
}
105106
STSAssumeRoleSessionCredentialsProvider provider =
106107
factory.createCredentialsProvider(new STSAssumeRoleSessionCredentialsProvider(accessKeyId,
107-
accessKeySecret, roleSessionName, roleArn, regionId));
108+
accessKeySecret, roleSessionName, roleArn, regionId, policy));
108109
return provider.getCredentials();
109110
}
110111

aliyun-java-sdk-core/src/main/java/com/aliyuncs/auth/STSAssumeRoleSessionCredentialsProvider.java

Lines changed: 13 additions & 25 deletions
Original file line numberDiff line numberDiff line change
@@ -1,28 +1,5 @@
1-
/*
2-
* Licensed to the Apache Software Foundation (ASF) under one
3-
* or more contributor license agreements. See the NOTICE file
4-
* distributed with this work for additional information
5-
* regarding copyright ownership. The ASF licenses this file
6-
* to you under the Apache License, Version 2.0 (the
7-
* "License"); you may not use this file except in compliance
8-
* with the License. You may obtain a copy of the License at
9-
*
10-
* http://www.apache.org/licenses/LICENSE-2.0
11-
*
12-
* Unless required by applicable law or agreed to in writing,
13-
* software distributed under the License is distributed on an
14-
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15-
* KIND, either express or implied. See the License for the
16-
* specific language governing permissions and limitations
17-
* under the License.
18-
*/
19-
201
package com.aliyuncs.auth;
212

22-
/**
23-
* Created by haowei.yao on 2017/9/12.
24-
*/
25-
263
import com.aliyuncs.DefaultAcsClient;
274
import com.aliyuncs.IAcsClient;
285
import com.aliyuncs.auth.sts.AssumeRoleRequest;
@@ -63,6 +40,8 @@ public class STSAssumeRoleSessionCredentialsProvider implements AlibabaCloudCred
6340
* The Duration for assume role sessions.
6441
*/
6542
private long roleSessionDurationSeconds;
43+
44+
private String policy;
6645
private BasicSessionCredentials credentials = null;
6746

6847

@@ -82,15 +61,22 @@ public STSAssumeRoleSessionCredentialsProvider(AlibabaCloudCredentialsProvider l
8261
this.stsClient = new DefaultAcsClient(clientProfile, longLivedCredentialsProvider);
8362
this.roleSessionDurationSeconds = DEFAULT_DURATION_SECONDS;
8463
}
64+
8565
public STSAssumeRoleSessionCredentialsProvider(String accessKeyId, String accessKeySecret, String roleSessionName,
86-
String roleArn,String regionId) {
66+
String roleArn, String regionId) {
8767
this.roleArn = roleArn;
8868
this.roleSessionName = roleSessionName;
8969
DefaultProfile profile = DefaultProfile.getProfile(regionId, accessKeyId, accessKeySecret);
9070
this.stsClient = new DefaultAcsClient(profile);
9171
this.roleSessionDurationSeconds = AuthConstant.TSC_VALID_TIME_SECONDS;
9272
}
9373

74+
public STSAssumeRoleSessionCredentialsProvider(String accessKeyId, String accessKeySecret, String roleSessionName,
75+
String roleArn, String regionId, String policy) {
76+
this(accessKeyId, accessKeySecret, roleSessionName, roleArn, regionId);
77+
this.policy = policy;
78+
}
79+
9480
public static String getNewRoleSessionName() {
9581
return "aliyun-java-sdk-" + System.currentTimeMillis();
9682
}
@@ -130,7 +116,9 @@ private BasicSessionCredentials getNewSessionCredentials() throws ClientExceptio
130116
assumeRoleRequest.setRoleArn(roleArn);
131117
assumeRoleRequest.setRoleSessionName(roleSessionName);
132118
assumeRoleRequest.setDurationSeconds(roleSessionDurationSeconds);
133-
119+
if (null != policy){
120+
assumeRoleRequest.setPolicy(policy);
121+
}
134122
AssumeRoleResponse response = stsClient.getAcsResponse(assumeRoleRequest);
135123
return new BasicSessionCredentials(
136124
response.getCredentials().getAccessKeyId(),

aliyun-java-sdk-core/src/test/java/com/aliyuncs/auth/STSAssumeRoleSessionCredentialsProviderTest.java

Lines changed: 29 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
11
package com.aliyuncs.auth;
22

3+
import com.aliyuncs.AcsRequest;
34
import com.aliyuncs.IAcsClient;
45
import com.aliyuncs.auth.sts.AssumeRoleRequest;
56
import com.aliyuncs.auth.sts.AssumeRoleResponse;
@@ -10,6 +11,8 @@
1011
import org.junit.Test;
1112
import org.junit.rules.ExpectedException;
1213

14+
import java.lang.reflect.Field;
15+
1316
import static org.mockito.Matchers.any;
1417
import static org.mockito.Mockito.mock;
1518
import static org.mockito.Mockito.when;
@@ -28,6 +31,30 @@ public void constructorNormalTest1() {
2831
Assert.assertNotNull(provider);
2932
}
3033

34+
@Test
35+
public void policyCredentialTest() throws NoSuchFieldException, IllegalAccessException, ClientException {
36+
STSAssumeRoleSessionCredentialsProvider provider = new STSAssumeRoleSessionCredentialsProvider(
37+
"test", "test", "test", "test", "test",
38+
"test");
39+
IAcsClient client = mock(IAcsClient.class);
40+
AssumeRoleResponse response = mock(AssumeRoleResponse.class);
41+
AssumeRoleResponse.Credentials credentials = mock(AssumeRoleResponse.Credentials.class);
42+
when(credentials.getAccessKeyId()).thenReturn("ak");
43+
when(credentials.getAccessKeySecret()).thenReturn("sk");
44+
when(credentials.getSecurityToken()).thenReturn("token");
45+
when(response.getCredentials()).thenReturn(credentials);
46+
when(client.getAcsResponse(any(AcsRequest.class))).thenReturn(response);
47+
Class providerClass = provider.getClass();
48+
Field policy = providerClass.getDeclaredField("policy");
49+
Field stsClient = providerClass.getDeclaredField("stsClient");
50+
policy.setAccessible(true);
51+
stsClient.setAccessible(true);
52+
stsClient.set(provider, client);
53+
String policyResult = (String) policy.get(provider);
54+
Assert.assertEquals("test", policyResult);
55+
Assert.assertTrue(provider.getCredentials() instanceof BasicSessionCredentials);
56+
}
57+
3158
@Test
3259
public void constructorNormalTest2() {
3360
AlibabaCloudCredentialsProvider mockProvider = mock(AlibabaCloudCredentialsProvider.class);
@@ -39,9 +66,9 @@ public void constructorNormalTest2() {
3966
}
4067

4168
@Test
42-
public void constructorNormalTest3(){
69+
public void constructorNormalTest3() {
4370
STSAssumeRoleSessionCredentialsProvider provider = new STSAssumeRoleSessionCredentialsProvider(
44-
"","","","","");
71+
"", "", "", "", "");
4572
Assert.assertNotNull(provider);
4673
}
4774

docs/2-Client-CN.md

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -67,11 +67,12 @@ role_name = EcsRamRoleTest # Role Name
6767
[client2] # 命名为 `client2` 的配置
6868
enable = false # 不启用
6969
type = ram_role_arn # 认证方式为 ram_role_arn
70-
region_id = cn-test # 必填,获取session用的region
70+
region_id = cn-test # 获取session用的region
71+
policy = test # 选填 指定权限
7172
access_key_id = foo
7273
access_key_secret = bar
7374
role_arn = role_arn
74-
role_session_name = session_name
75+
role_session_name = session_name # 选填
7576

7677
[client3] # 命名为 `client4` 的配置
7778
type = rsa_key_pair # 认证方式为 rsa_key_pair

docs/2-Client-EN.md

Lines changed: 6 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -68,11 +68,12 @@ role_name = EcsRamRoleTest # Role Name
6868
[client2] # configuration that is named as `client2`
6969
enable = false # Disable
7070
type = ram_role_arn # Certification type: ram_role_arn
71-
region_id = cn-test # required
72-
access_key_id = foo
73-
access_key_secret = bar
74-
role_arn = role_arn
75-
role_session_name = session_name
71+
region_id = cn-test
72+
policy = test # optional Specify permissions
73+
access_key_id = foo
74+
access_key_secret = bar
75+
role_arn = role_arn
76+
role_session_name = session_name # optional
7677

7778
[client3] # configuration that is named as `client3`
7879
type = rsa_key_pair # Certification type: rsa_key_pair

0 commit comments

Comments
 (0)