openapi: add GetCallerIdentity and CleanClusterUserPermissions

AliyunContainerService · Nov 30, 2023 · 5be7fe0 · 5be7fe0
1 parent 0a54361
commit 5be7fe0
Show file tree

Hide file tree

Showing 3 changed files with 92 additions and 0 deletions.
diff --git a/pkg/openapi/client.go b/pkg/openapi/client.go
@@ -4,6 +4,7 @@ import (
 	cs "github.com/alibabacloud-go/cs-20151215/v3/client"
 	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
 	ram "github.com/alibabacloud-go/ram-20150501/client"
+	sts "github.com/alibabacloud-go/sts-20150401/client"
 	"github.com/alibabacloud-go/tea/tea"
 	"github.com/aliyun/credentials-go/credentials"
 	// "github.com/aliyun/credentials-go/credentials"
@@ -18,10 +19,12 @@ var (
 type ClientInterface interface {
 	RamClientInterface
 	CSClientInterface
+	StsClientInterface
 }
 
 type Client struct {
 	ramClient *ram.Client
+	stsClient *sts.Client
 	csClient  *cs.Client
 }
 
@@ -38,8 +41,15 @@ func NewClient(config *openapi.Config) (*Client, error) {
 		return nil, err
 	}
 	ramClient.Endpoint = tea.String(defaultRamApiEndpoint)
+	stsClient, err := sts.NewClient(v1config)
+	if err != nil {
+		return nil, err
+	}
+	stsClient.Endpoint = tea.String(defaultStsApiEndpoint)
+
 	return &Client{
 		ramClient: ramClient,
+		stsClient: stsClient,
 		csClient:  csClient,
 	}, nil
 }

diff --git a/pkg/openapi/cs.go b/pkg/openapi/cs.go
@@ -9,6 +9,8 @@ import (
 
 	"github.com/AliyunContainerService/ack-ram-tool/pkg/types"
 	cs "github.com/alibabacloud-go/cs-20151215/v3/client"
+	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
+	util "github.com/alibabacloud-go/tea-utils/v2/service"
 	"github.com/alibabacloud-go/tea/tea"
 	"gopkg.in/yaml.v3"
 )
@@ -30,6 +32,7 @@ type CSClientInterface interface {
 	GetAddonStatus(ctx context.Context, clusterId string, name string) (*types.ClusterAddon, error)
 	InstallAddon(ctx context.Context, clusterId string, addon types.ClusterAddon) error
 	ListAddons(ctx context.Context, clusterId string) ([]types.ClusterAddon, error)
+	CleanClusterUserPermissions(ctx context.Context, clusterId string, uid int64) error
 }
 
 func (c *Client) GetCluster(ctx context.Context, clusterId string) (*types.Cluster, error) {
@@ -229,6 +232,38 @@ func (c *Client) ListAddons(ctx context.Context, clusterId string) ([]types.Clus
 	return addons, nil
 }
 
+type cleanClusterUserPermissions struct {
+	Headers    map[string]*string `json:"headers,omitempty" xml:"headers,omitempty" require:"true"`
+	StatusCode *int32             `json:"statusCode,omitempty" xml:"statusCode,omitempty" require:"true"`
+}
+
+func (c *Client) CleanClusterUserPermissions(ctx context.Context, clusterId string, uid int64) error {
+	client := c.csClient
+
+	req := &openapi.OpenApiRequest{
+		Headers: make(map[string]*string),
+	}
+	params := &openapi.Params{
+		Action:      tea.String("CleanClusterUserPermissions"),
+		Version:     tea.String("2015-12-15"),
+		Protocol:    tea.String("HTTPS"),
+		Pathname:    tea.String(fmt.Sprintf("/cluster/%s/user/%d/permissions", clusterId, uid)),
+		Method:      tea.String("DELETE"),
+		AuthType:    tea.String("AK"),
+		Style:       tea.String("ROA"),
+		ReqBodyType: tea.String("json"),
+		BodyType:    tea.String("none"),
+	}
+
+	_result := &cleanClusterUserPermissions{}
+	_body, _err := client.CallApi(params, req, &util.RuntimeOptions{})
+	if _err != nil {
+		return _err
+	}
+	_err = tea.Convert(_body, &_result)
+	return _err
+}
+
 func convertDescribeClusterAddonsVersionResponse(resp *cs.DescribeClusterAddonsVersionResponse) []types.ClusterAddon {
 	body := resp.Body
 	if body == nil {

diff --git a/pkg/openapi/sts.go b/pkg/openapi/sts.go
@@ -3,11 +3,17 @@ package openapi
 import (
 	"context"
 	"fmt"
+	"github.com/AliyunContainerService/ack-ram-tool/pkg/types"
+	"github.com/alibabacloud-go/tea/tea"
 	"time"
 
 	"github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/oidctoken"
 )
 
+type StsClientInterface interface {
+	GetCallerIdentity(ctx context.Context) (*types.Account, error)
+}
+
 func GetStsEndpoint(region string, vpc bool) string {
 	if region == "" {
 		return defaultStsApiEndpoint
@@ -25,3 +31,44 @@ func AssumeRoleWithOIDCToken(ctx context.Context, providerArn, roleArn string,
 		providerArn, roleArn, string(token), stsEndpoint, "https", "",
 		"", sessionDuration)
 }
+
+func (c *Client) GetCallerIdentity(ctx context.Context) (*types.Account, error) {
+	client := c.stsClient
+	resp, err := client.GetCallerIdentity()
+	if err != nil {
+		return nil, err
+	}
+	if resp.Body == nil {
+		return nil, fmt.Errorf("unkown resp: %s", resp.String())
+	}
+	body := resp.Body
+	switch tea.StringValue(body.IdentityType) {
+	case "Account":
+		return &types.Account{
+			Type:    types.AccountTypeRoot,
+			RootUId: tea.StringValue(body.AccountId),
+			User: types.RamUser{
+				Id: tea.StringValue(body.UserId),
+			},
+		}, nil
+	case "RAMUser":
+		return &types.Account{
+			Type:    types.AccountTypeUser,
+			RootUId: tea.StringValue(body.AccountId),
+			User: types.RamUser{
+				Id: tea.StringValue(body.UserId),
+			},
+		}, nil
+	case "AssumedRoleUser":
+		return &types.Account{
+			Type:    types.AccountTypeRole,
+			RootUId: tea.StringValue(body.AccountId),
+			Role: types.RamRole{
+				RoleId: tea.StringValue(body.RoleId),
+				Arn:    tea.StringValue(body.Arn),
+			},
+		}, nil
+	}
+
+	return nil, fmt.Errorf("unkown resp: %s", resp.String())
+}