Skip to content

feat: upgrade the credential refresh mechanism and add fallbacks for … #96

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
yndu13 merged 1 commit into from
Feb 12, 2025
Merged

feat: upgrade the credential refresh mechanism and add fallbacks for … #96

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 11 additions & 30 deletions pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,8 +56,7 @@
<properties>
<maven.compiler.source>8</maven.compiler.source>
<maven.compiler.target>8</maven.compiler.target>
<powermock.version>2.0.2</powermock.version>
<mockito.version>3.0.0</mockito.version>
<mockito.version>4.11.0</mockito.version>
</properties>

<dependencies>
Expand All @@ -69,7 +68,7 @@
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>tea</artifactId>
<version>[1.1.14, 2.0.0)</version>
<version>[1.2.0, 2.0.0)</version>
</dependency>
<dependency>
<groupId>junit</groupId>
Expand All @@ -94,38 +93,16 @@
<version>0.8.8</version>
<classifier>runtime</classifier>
</dependency>
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-api-mockito2</artifactId>
<version>${powermock.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>${mockito.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-module-junit4</artifactId>
<version>2.0.2</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>javax.xml.bind</groupId>
<artifactId>jaxb-api</artifactId>
<version>2.3.0</version>
</dependency>
<dependency>
<groupId>com.sun.xml.bind</groupId>
<artifactId>jaxb-core</artifactId>
<version>2.3.0</version>
</dependency>
<dependency>
<groupId>com.sun.xml.bind</groupId>
<artifactId>jaxb-impl</artifactId>
<version>2.3.0</version>
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
<version>1.17.1</version>
</dependency>
</dependencies>

Expand Down Expand Up @@ -175,7 +152,6 @@
<autoReleaseAfterClose>true</autoReleaseAfterClose>
</configuration>
</plugin>

<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
Expand Down Expand Up @@ -218,6 +194,11 @@
</execution>

</executions>
<configuration>
<excludes>
<exclude>com/aliyun/credentials/Credential</exclude>
</excludes>
</configuration>
</plugin>

<plugin>
Expand All @@ -229,7 +210,7 @@
<format>html</format>
<format>xml</format>
</formats>
<check />
<check/>
</configuration>
</plugin>
<plugin>
Expand Down
5 changes: 5 additions & 0 deletions src/main/java/com/aliyun/credentials/models/CredentialModel.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,11 @@ public String getProviderName() {
return providerName;
}

@Override
public String toString() {
return String.format("Credential(accessKeyId=%s, accessKeySecret=%s, securityToken=%s, providerName=%s, expiration=%s)", accessKeyId, accessKeySecret, securityToken, providerName, expiration);
}

public static final class Builder {
private String accessKeyId;
private String accessKeySecret;
Expand Down
57 changes: 57 additions & 0 deletions src/main/java/com/aliyun/credentials/policy/NonBlocking.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
package com.aliyun.credentials.policy;

import com.aliyun.tea.logging.ClientLogger;

import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicBoolean;

import static java.util.concurrent.TimeUnit.SECONDS;

public class NonBlocking implements PrefetchStrategy {
private static final ClientLogger logger = new ClientLogger(NonBlocking.class);
static final int MAX_CONCURRENT_REFRESHES = 100;
private static final Semaphore CONCURRENT_REFRESH_LEASES = new Semaphore(MAX_CONCURRENT_REFRESHES);
private final AtomicBoolean currentlyRefreshing = new AtomicBoolean(false);

private static final ThreadPoolExecutor executor = new ThreadPoolExecutor(1, Integer.MAX_VALUE, 60, SECONDS,
new SynchronousQueue<>(),
new ThreadFactory() {
public Thread newThread(Runnable r) {
Thread t = Executors.defaultThreadFactory().newThread(r);
t.setName("non-blocking-refresh");
t.setDaemon(true);
return t;
}
});

@Override
public void prefetch(Runnable valueUpdater) {
if (currentlyRefreshing.compareAndSet(false, true)) {
if (!CONCURRENT_REFRESH_LEASES.tryAcquire()) {
logger.warning("Skipping a background refresh task because there are too many other tasks running.");
currentlyRefreshing.set(false);
return;
}
try {
executor.submit(() -> {
try {
valueUpdater.run();
} catch (Throwable t) {
logger.logThrowableAsWarning(t);
} finally {
CONCURRENT_REFRESH_LEASES.release();
currentlyRefreshing.set(false);
}
});
} catch (Throwable t) {
logger.logThrowableAsWarning(t);
CONCURRENT_REFRESH_LEASES.release();
currentlyRefreshing.set(false);
}
}
}

@Override
public void close() {
}
}
18 changes: 18 additions & 0 deletions src/main/java/com/aliyun/credentials/policy/OneCallerBlocks.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
package com.aliyun.credentials.policy;

import java.util.concurrent.atomic.AtomicBoolean;

public class OneCallerBlocks implements PrefetchStrategy {
private final AtomicBoolean currentlyRefreshing = new AtomicBoolean(false);

@Override
public void prefetch(Runnable valueUpdater) {
if (currentlyRefreshing.compareAndSet(false, true)) {
try {
valueUpdater.run();
} finally {
currentlyRefreshing.set(false);
}
}
}
}
9 changes: 9 additions & 0 deletions src/main/java/com/aliyun/credentials/policy/PrefetchStrategy.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
package com.aliyun.credentials.policy;

@FunctionalInterface
public interface PrefetchStrategy extends AutoCloseable {
void prefetch(Runnable valueUpdater);

default void close() {
}
}
6 changes: 3 additions & 3 deletions src/main/java/com/aliyun/credentials/provider/CLIProfileCredentialsProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ private CLIProfileCredentialsProvider(Builder builder) {
this.currentProfileName = builder.profileName == null ? System.getenv("ALIBABA_CLOUD_PROFILE") : builder.profileName;
}

static Builder builder() {
public static Builder builder() {
return new Builder();
}

Expand Down Expand Up @@ -173,15 +173,15 @@ public String getProviderName() {
public void close() {
}

static final class Builder {
public static final class Builder {
private String profileName;

public Builder profileName(String profileName) {
this.profileName = profileName;
return this;
}

CLIProfileCredentialsProvider build() {
public CLIProfileCredentialsProvider build() {
return new CLIProfileCredentialsProvider(this);
}
}
Expand Down
10 changes: 3 additions & 7 deletions src/main/java/com/aliyun/credentials/provider/DefaultCredentialsProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,11 +30,7 @@ private void createDefaultChain() {
defaultProviders.add(new SystemPropertiesCredentialsProvider());
defaultProviders.add(new EnvironmentVariableCredentialsProvider());
if (AuthUtils.environmentEnableOIDC()) {
defaultProviders.add(OIDCRoleArnCredentialProvider.builder()
.roleArn(AuthUtils.getEnvironmentRoleArn())
.oidcProviderArn(AuthUtils.getEnvironmentOIDCProviderArn())
.oidcTokenFilePath(AuthUtils.getEnvironmentOIDCTokenFilePath())
.build());
defaultProviders.add(OIDCRoleArnCredentialProvider.builder().build());
}
defaultProviders.add(CLIProfileCredentialsProvider.builder().build());
defaultProviders.add(new ProfileCredentialsProvider());
Expand Down Expand Up @@ -99,7 +95,7 @@ public CredentialModel getCredentials() {
errorMessages.add(provider.getClass().getSimpleName() + ": " + e.getMessage());
}
}
throw new CredentialException("Unable to load credentials from any of the providers in the chain: ." + errorMessages);
throw new CredentialException("Unable to load credentials from any of the providers in the chain: " + errorMessages);
}

@Deprecated
Expand Down Expand Up @@ -139,7 +135,7 @@ public Builder reuseLastProviderEnabled(Boolean reuseLastProviderEnabled) {
return this;
}

DefaultCredentialsProvider build() {
public DefaultCredentialsProvider build() {
return new DefaultCredentialsProvider(this);
}
}
Expand Down
25 changes: 21 additions & 4 deletions src/main/java/com/aliyun/credentials/provider/ECSMetadataServiceCredentialsFetcher.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,12 +14,13 @@

import java.net.MalformedURLException;
import java.net.URL;
import java.util.Date;
import java.util.Map;

public class ECSMetadataServiceCredentialsFetcher {
private static final String URL_IN_ECS_METADATA = "/latest/meta-data/ram/security-credentials/";
private static final String URL_IN_METADATA_TOKEN = "/latest/api/token";
private static final String ECS_METADAT_FETCH_ERROR_MSG = "Failed to get RAM session credentials from ECS metadata service.";
private static final String ECS_METADATA_FETCH_ERROR_MSG = "Failed to get RAM session credentials from ECS metadata service.";
private URL credentialUrl;
private final String roleName;
private final String metadataServiceHost = "100.100.100.200";
Expand Down Expand Up @@ -98,7 +99,7 @@ private String getMetadata(CompatibleUrlConnClient client, String url) {
}

if (response.getResponseCode() != 200) {
throw new CredentialException(ECS_METADAT_FETCH_ERROR_MSG + " HttpCode=" + response.getResponseCode());
throw new CredentialException(ECS_METADATA_FETCH_ERROR_MSG + " HttpCode=" + response.getResponseCode());
}

return new String(response.getHttpContent());
Expand All @@ -113,7 +114,10 @@ public RefreshResult<CredentialModel> fetch(CompatibleUrlConnClient client) {
Map<String, String> result = new Gson().fromJson(jsonContent, Map.class);

if (!"Success".equals(result.get("Code"))) {
throw new CredentialException(ECS_METADAT_FETCH_ERROR_MSG);
throw new CredentialException(ECS_METADATA_FETCH_ERROR_MSG);
}
if (!result.containsKey("AccessKeyId") || !result.containsKey("AccessKeySecret") || !result.containsKey("SecurityToken")) {
throw new CredentialException(String.format("Error retrieving credentials from IMDS result: %s.", jsonContent));
}
long expiration = ParameterHelper.getUTCDate(result.get("Expiration")).getTime();
CredentialModel credential = CredentialModel.builder()
Expand All @@ -125,11 +129,24 @@ public RefreshResult<CredentialModel> fetch(CompatibleUrlConnClient client) {
.expiration(expiration)
.build();
return RefreshResult.builder(credential)
.staleTime(expiration - 3 * 60 * 1000)
.staleTime(getStaleTime(expiration))
.prefetchTime(getPrefetchTime(expiration))
.build();

}

private long getStaleTime(long expiration) {
return expiration <= 0 ?
new Date().getTime() + 60 * 60 * 1000
: expiration - 15 * 60 * 1000;
}

private long getPrefetchTime(long expiration) {
return expiration <= 0 ?
new Date().getTime() + 5 * 60 * 1000
: new Date().getTime() + 60 * 60 * 1000;
}

public URL getCredentialUrl() {
return credentialUrl;
}
Expand Down
Loading