From 5be7fe008b08c2292154c270c775c1e05d24addb Mon Sep 17 00:00:00 2001
From: mozillazg
Date: Thu, 30 Nov 2023 17:03:14 +0800
Subject: [PATCH] openapi: add GetCallerIdentity and CleanClusterUserPermissions
---
 pkg/openapi/client.go | 10 +++++++++
 pkg/openapi/cs.go | 35 ++++++++++++++++++++++++++++++++
 pkg/openapi/sts.go | 47 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 92 insertions(+)
diff --git a/pkg/openapi/client.go b/pkg/openapi/client.go
index a0dd6f53..733feb26 100644
--- a/pkg/openapi/client.go
+++ b/pkg/openapi/client.go
@@ -4,6 +4,7 @@ import (
 cs "github.com/alibabacloud-go/cs-20151215/v3/client"
 openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
 ram "github.com/alibabacloud-go/ram-20150501/client"
+ sts "github.com/alibabacloud-go/sts-20150401/client"
 "github.com/alibabacloud-go/tea/tea"
 "github.com/aliyun/credentials-go/credentials"
 // "github.com/aliyun/credentials-go/credentials"
@@ -18,10 +19,12 @@ var (
 type ClientInterface interface {
 RamClientInterface
 CSClientInterface
+ StsClientInterface
 }
 type Client struct {
 ramClient *ram.Client
+ stsClient *sts.Client
 csClient *cs.Client
 }
@@ -38,8 +41,15 @@ func NewClient(config *openapi.Config) (*Client, error) {
 return nil, err
 }
 ramClient.Endpoint = tea.String(defaultRamApiEndpoint)
+ stsClient, err := sts.NewClient(v1config)
+ if err != nil {
+ return nil, err
+ }
+ stsClient.Endpoint = tea.String(defaultStsApiEndpoint)
+
 return &Client{
 ramClient: ramClient,
+ stsClient: stsClient,
 csClient: csClient,
 }, nil
 }
diff --git a/pkg/openapi/cs.go b/pkg/openapi/cs.go
index eb14f0ea..43f63475 100644
--- a/pkg/openapi/cs.go
+++ b/pkg/openapi/cs.go
@@ -9,6 +9,8 @@ import (
 "github.com/AliyunContainerService/ack-ram-tool/pkg/types"
 cs "github.com/alibabacloud-go/cs-20151215/v3/client"
+ openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
+ util "github.com/alibabacloud-go/tea-utils/v2/service"
 "github.com/alibabacloud-go/tea/tea"
 "gopkg.in/yaml.v3"
 )
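Review bot: In the NewClient hunk the new STS client is pinned to the package default with `stsClient.Endpoint = tea.String(defaultStsApiEndpoint)`, although sts.go already provides `GetStsEndpoint(region, vpc)` to select a regional or VPC endpoint, so GetCallerIdentity calls through this client will presumably always leave for the public default endpoint regardless of where the tool runs. If the config carries a region, `stsClient.Endpoint = tea.String(GetStsEndpoint(region, vpc))` would keep the two code paths consistent; if the default is deliberate because ramClient is wired the same way, a one-line comment saying so would stop the next reader from raising it again. The body of NewClient starts outside the hunk.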
@@ -30,6 +32,7 @@ type CSClientInterface interface {
 GetAddonStatus(ctx context.Context, clusterId string, name string) (*types.ClusterAddon, error)
 InstallAddon(ctx context.Context, clusterId string, addon types.ClusterAddon) error
 ListAddons(ctx context.Context, clusterId string) ([]types.ClusterAddon, error)
+ CleanClusterUserPermissions(ctx context.Context, clusterId string, uid int64) error
 }
 func (c *Client) GetCluster(ctx context.Context, clusterId string) (*types.Cluster, error) {
@@ -229,6 +232,38 @@ func (c *Client) ListAddons(ctx context.Context, clusterId string) ([]types.Clus
 return addons, nil
 }
+type cleanClusterUserPermissions struct {
+ Headers map[string]*string `json:"headers,omitempty" xml:"headers,omitempty" require:"true"`
+ StatusCode *int32 `json:"statusCode,omitempty" xml:"statusCode,omitempty" require:"true"`
+}
+
+func (c *Client) CleanClusterUserPermissions(ctx context.Context, clusterId string, uid int64) error {
+ client := c.csClient
+
+ req := &openapi.OpenApiRequest{
+ Headers: make(map[string]*string),
+ }
+ params := &openapi.Params{
+ Action: tea.String("CleanClusterUserPermissions"),
+ Version: tea.String("2015-12-15"),
+ Protocol: tea.String("HTTPS"),
+ Pathname: tea.String(fmt.Sprintf("/cluster/%s/user/%d/permissions", clusterId, uid)),
+ Method: tea.String("DELETE"),
+ AuthType: tea.String("AK"),
+ Style: tea.String("ROA"),
+ ReqBodyType: tea.String("json"),
+ BodyType: tea.String("none"),
+ }
+
+ _result := &cleanClusterUserPermissions{}
+ _body, _err := client.CallApi(params, req, &util.RuntimeOptions{})
+ if _err != nil {
+ return _err
+ }
+ _err = tea.Convert(_body, &_result)
+ return _err
+}
+
 func convertDescribeClusterAddonsVersionResponse(resp *cs.DescribeClusterAddonsVersionResponse) []types.ClusterAddon {
 body := resp.Body
 if body == nil {
diff --git a/pkg/openapi/sts.go b/pkg/openapi/sts.go
index af945008..ecff0d02 100644
--- a/pkg/openapi/sts.go
+++ b/pkg/openapi/sts.go
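Review bot: In CleanClusterUserPermissions the `clusterId` is interpolated unescaped into the request path by `Pathname: tea.String(fmt.Sprintf("/cluster/%s/user/%d/permissions", clusterId, uid))`, so a value containing `/`, `?` or `#` changes which resource the DELETE is addressed to; `url.PathEscape(clusterId)` (importing `net/url`) or a validation of the id before the path is built would pin the request to the intended cluster. The decoded `_result` is never read after `tea.Convert(_body, &_result)`, so the struct and the conversion only cost a round-trip; either check `_result.StatusCode` or drop both. The `_body`/`_err`/`_result` names copy the generated-SDK style rather than the hand-written methods around it, and `ctx` is accepted but never passed on, which a short comment on the exported method should state so callers do not expect cancellation to take effect.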
@@ -3,11 +3,17 @@ package openapi
 import (
 "context"
 "fmt"
+ "github.com/AliyunContainerService/ack-ram-tool/pkg/types"
+ "github.com/alibabacloud-go/tea/tea"
 "time"
 "github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/oidctoken"
 )
+type StsClientInterface interface {
+ GetCallerIdentity(ctx context.Context) (*types.Account, error)
+}
+
 func GetStsEndpoint(region string, vpc bool) string {
 if region == "" {
 return defaultStsApiEndpoint
@@ -25,3 +31,44 @@ func AssumeRoleWithOIDCToken(ctx context.Context, providerArn, roleArn string,
 providerArn, roleArn, string(token), stsEndpoint, "https", "", "", sessionDuration)
 }
+
+func (c *Client) GetCallerIdentity(ctx context.Context) (*types.Account, error) {
+ client := c.stsClient
+ resp, err := client.GetCallerIdentity()
+ if err != nil {
+ return nil, err
+ }
+ if resp.Body == nil {
+ return nil, fmt.Errorf("unkown resp: %s", resp.String())
+ }
+ body := resp.Body
+ switch tea.StringValue(body.IdentityType) {
+ case "Account":
+ return &types.Account{
+ Type: types.AccountTypeRoot,
+ RootUId: tea.StringValue(body.AccountId),
+ User: types.RamUser{
+ Id: tea.StringValue(body.UserId),
+ },
+ }, nil
+ case "RAMUser":
+ return &types.Account{
+ Type: types.AccountTypeUser,
+ RootUId: tea.StringValue(body.AccountId),
+ User: types.RamUser{
+ Id: tea.StringValue(body.UserId),
+ },
+ }, nil
+ case "AssumedRoleUser":
+ return &types.Account{
+ Type: types.AccountTypeRole,
+ RootUId: tea.StringValue(body.AccountId),
+ Role: types.RamRole{
+ RoleId: tea.StringValue(body.RoleId),
+ Arn: tea.StringValue(body.Arn),
+ },
+ }, nil
+ }
+
+ return nil, fmt.Errorf("unkown resp: %s", resp.String())
+}
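Review bot: The two imports added to sts.go's `import (` block sit between `"fmt"` and `"time"` in the standard-library group; `goimports` would move `"github.com/AliyunContainerService/ack-ram-tool/pkg/types"` and `"github.com/alibabacloud-go/tea/tea"` down beside the existing `oidctoken` import in the third-party group. The new exported `StsClientInterface` also has no doc comment; `// StsClientInterface exposes the STS operations this package relies on.` would satisfy the convention.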
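Review bot: Both error messages in GetCallerIdentity misspell "unknown" (`"unkown resp: %s"`), and the fall-through one dumps the whole response instead of naming what was not recognised; `return nil, fmt.Errorf("unknown identity type %q: %s", tea.StringValue(body.IdentityType), resp.String())` tells the caller what to look at. The `ctx` parameter is unused because `client.GetCallerIdentity()` takes none, so a `// ctx is not propagated to the SDK call` comment would stop callers from relying on cancellation here. The exported method also lacks a doc comment, e.g. `// GetCallerIdentity asks STS who the configured credential is and maps the IdentityType onto a types.Account.`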