feat: resolve sensitive value in model && deprecate regionId

Author: yndu13

src/main/java/com/aliyun/credentials/models/CredentialModel.java

@@ -3,6 +3,7 @@
 
 import com.aliyun.credentials.AlibabaCloudCredentials;
 import com.aliyun.credentials.api.ICredentials;
+import com.aliyun.credentials.utils.StringUtils;
 import com.aliyun.tea.*;
 
 public class CredentialModel extends TeaModel implements AlibabaCloudCredentials, ICredentials {
@@ -87,9 +88,47 @@ public String getProviderName() {
         return providerName;
     }
 
+    /**
+     * 对敏感信息进行模糊处理，保留首尾字符
+     *
+     * @param value 需要模糊处理的字符串
+     * @return 模糊处理后的字符串
+     */
+    private String maskSensitiveValue(String value) {
+        if (value == null || value.length() <= 6) {
+            return "****";
+        }
+
+        int length = value.length();
+        int prefixLength = Math.min(3, length / 4);
+        int suffixLength = Math.min(3, length / 4);
+
+        String prefix = value.substring(0, prefixLength);
+        String suffix = value.substring(length - suffixLength);
+
+        StringBuilder masked = new StringBuilder();
+        masked.append(prefix);
+        for (int i = 0; i < length - prefixLength - suffixLength; i++) {
+            masked.append("*");
+        }
+        masked.append(suffix);
+
+        return masked.toString();
+    }
+
     @Override
     public String toString() {
-        return String.format("Credential(accessKeyId=%s, accessKeySecret=%s, securityToken=%s, providerName=%s, expiration=%s)", accessKeyId, accessKeySecret, securityToken, providerName, expiration);
+        if (!StringUtils.isEmpty(bearerToken)) {
+            return String.format("Credential(bearerToken=%s, providerName=%s)",
+                    maskSensitiveValue(bearerToken),
+                    providerName);
+        }
+        return String.format("Credential(accessKeyId=%s, accessKeySecret=%s, securityToken=%s, providerName=%s, expiration=%s)",
+                maskSensitiveValue(accessKeyId),
+                maskSensitiveValue(accessKeySecret),
+                maskSensitiveValue(securityToken),
+                providerName,
+                expiration);
     }
 
     public static final class Builder {
@@ -141,5 +180,4 @@ public CredentialModel build() {
         }
     }
 
-}
-
+}

src/main/java/com/aliyun/credentials/provider/OIDCRoleArnCredentialProvider.java

@@ -347,6 +347,7 @@ public interface Builder extends SessionCredentialsProvider.Builder<OIDCRoleArnC
 
         Builder oidcTokenFilePath(String oidcTokenFilePath);
 
+        @Deprecated
         Builder regionId(String regionId);
 
         Builder policy(String policy);
@@ -406,6 +407,7 @@ public Builder oidcTokenFilePath(String oidcTokenFilePath) {
             return this;
         }
 
+        @Deprecated
         public Builder regionId(String regionId) {
             this.regionId = regionId;
             return this;

src/main/java/com/aliyun/credentials/provider/RamRoleArnCredentialProvider.java

@@ -341,6 +341,7 @@ public interface Builder extends SessionCredentialsProvider.Builder<RamRoleArnCr
 
         Builder roleArn(String roleArn);
 
+        @Deprecated
         Builder regionId(String regionId);
 
         Builder policy(String policy);
@@ -403,6 +404,7 @@ public Builder roleArn(String roleArn) {
             return this;
         }
 
+        @Deprecated
         public Builder regionId(String regionId) {
             this.regionId = regionId;
             return this;

src/test/java/com/aliyun/credentials/models/CredentialModelTest.java

@@ -7,13 +7,13 @@ public class CredentialModelTest {
     @Test
     public void builderTest() {
         CredentialModel model = CredentialModel.builder()
-            .accessKeyId("akid")
-            .accessKeySecret("aksecret")
-            .securityToken("securityToken")
-            .bearerToken("bearertoken")
-            .expiration(100L)
-            .type("type")
-            .build();
+                .accessKeyId("akid")
+                .accessKeySecret("aksecret")
+                .securityToken("securityToken")
+                .bearerToken("bearertoken")
+                .expiration(100L)
+                .type("type")
+                .build();
         Assert.assertEquals("akid", model.getAccessKeyId());
         Assert.assertEquals("aksecret", model.getAccessKeySecret());
         Assert.assertEquals("securityToken", model.getSecurityToken());
@@ -26,10 +26,10 @@ public void builderTest() {
     public void setGetTest() {
         CredentialModel model = CredentialModel.builder().build();
         model.setAccessKeyId("akid")
-            .setAccessKeySecret("aksecret")
-            .setSecurityToken("securityToken")
-            .setBearerToken("bearertoken")
-            .setType("type");
+                .setAccessKeySecret("aksecret")
+                .setSecurityToken("securityToken")
+                .setBearerToken("bearertoken")
+                .setType("type");
         Assert.assertEquals("akid", model.getAccessKeyId());
         Assert.assertEquals("aksecret", model.getAccessKeySecret());
         Assert.assertEquals("securityToken", model.getSecurityToken());
@@ -38,4 +38,89 @@ public void setGetTest() {
         // Assert.assertEquals(100L, model.getExpiration());
         Assert.assertEquals("type", model.getType());
     }
-}
+
+    @Test
+    public void toStringWithBearerTokenTest() {
+        CredentialModel model = CredentialModel.builder()
+                .bearerToken("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9")
+                .providerName("testProvider")
+                .build();
+
+        String result = model.toString();
+        Assert.assertTrue("toString should contain bearerToken format", result.startsWith("Credential(bearerToken="));
+        Assert.assertTrue("toString should contain masked bearerToken", result.contains("eyJ******************************CJ9"));
+        Assert.assertTrue("toString should contain providerName", result.contains("providerName=testProvider"));
+        Assert.assertFalse("toString should not contain accessKeyId when bearerToken exists", result.contains("accessKeyId"));
+    }
+
+    @Test
+    public void toStringWithoutBearerTokenTest() {
+        CredentialModel model = CredentialModel.builder()
+                .accessKeyId("LTAI4G3jVkK2DYajXXXXXXXX")
+                .accessKeySecret("abcdefghijklmnopqrstuvwxyz")
+                .securityToken("STS.NUCJMaR7bKxD5A2rDq6")
+                .providerName("testProvider")
+                .expiration(1234567890L)
+                .build();
+
+        String result = model.toString();
+        Assert.assertTrue("toString should contain accessKeyId format", result.startsWith("Credential(accessKeyId="));
+        Assert.assertTrue("toString should contain masked accessKeyId", result.contains("LTA******************XXX"));
+        Assert.assertTrue("toString should contain masked accessKeySecret", result.contains("abc********************xyz"));
+        Assert.assertTrue("toString should contain masked securityToken", result.contains("STS*****************Dq6"));
+        Assert.assertTrue("toString should contain providerName", result.contains("providerName=testProvider"));
+        Assert.assertTrue("toString should contain expiration", result.contains("expiration=1234567890"));
+    }
+
+    @Test
+    public void toStringWithEmptyBearerTokenTest() {
+        CredentialModel model = CredentialModel.builder()
+                .accessKeyId("testAccessKeyId")
+                .accessKeySecret("testAccessKeySecret")
+                .securityToken("testSecurityToken")
+                .bearerToken("")  // 空字符串
+                .providerName("testProvider")
+                .expiration(9876543210L)
+                .build();
+
+        String result = model.toString();
+        // 空字符串应该被认为是空，所以应该使用accessKey格式
+        Assert.assertTrue("toString should contain accessKeyId format when bearerToken is empty", result.startsWith("Credential(accessKeyId="));
+        Assert.assertTrue("toString should contain masked accessKeyId", result.contains("tes*********yId"));
+        Assert.assertFalse("toString should not contain bearerToken when it's empty", result.contains("bearerToken"));
+    }
+
+    @Test
+    public void toStringWithNullBearerTokenTest() {
+        CredentialModel model = CredentialModel.builder()
+                .accessKeyId("testAccessKeyId")
+                .accessKeySecret("testAccessKeySecret")
+                .securityToken("testSecurityToken")
+                .bearerToken(null)  // null值
+                .providerName("testProvider")
+                .expiration(9876543210L)
+                .build();
+
+        String result = model.toString();
+        // null应该被认为是空，所以应该使用accessKey格式
+        Assert.assertTrue("toString should contain accessKeyId format when bearerToken is null", result.startsWith("Credential(accessKeyId="));
+        Assert.assertTrue("toString should contain masked accessKeyId", result.contains("tes*********yId"));
+        Assert.assertFalse("toString should not contain bearerToken when it's null", result.contains("bearerToken"));
+    }
+
+    @Test
+    public void toStringMaskingShortValuesTest() {
+        CredentialModel model = CredentialModel.builder()
+                .accessKeyId("short")  // 短字符串
+                .accessKeySecret("abc")  // 很短的字符串
+                .securityToken(null)  // null值
+                .providerName("testProvider")
+                .expiration(1111111111L)
+                .build();
+
+        String result = model.toString();
+        Assert.assertTrue("toString should mask short accessKeyId with ****", result.contains("accessKeyId=****"));
+        Assert.assertTrue("toString should mask short accessKeySecret with ****", result.contains("accessKeySecret=****"));
+        Assert.assertTrue("toString should mask null securityToken with ****", result.contains("securityToken=****"));
+    }
+}