CVO-17 Add an External ID param on RAM Role Authentication (#1153)

Co-authored-by: Mingming Zhu <[email protected]>

Author: Ihar Lichko

config/configure.go

@@ -265,6 +265,8 @@ func configureRamRoleArn(w io.Writer, cp *Profile) error {
 	if cp.ExpiredSeconds == 0 {
 		cp.ExpiredSeconds = 900
 	}
+	cli.Printf(w, "External ID [%s]: ", cp.ExternalId)
+	cp.ExternalId = ReadInput(cp.ExternalId)
 	cli.Printf(w, "Expired Seconds [%v]: ", cp.ExpiredSeconds)
 	cp.ExpiredSeconds, _ = strconv.Atoi(ReadInput(strconv.Itoa(cp.ExpiredSeconds)))
 	return nil
@@ -305,6 +307,8 @@ func configureChainableRamRoleArn(w io.Writer, cp *Profile) error {
 	if cp.ExpiredSeconds == 0 {
 		cp.ExpiredSeconds = 900
 	}
+	cli.Printf(w, "External ID [%s]: ", cp.ExternalId)
+	cp.ExternalId = ReadInput(cp.ExternalId)
 	cli.Printf(w, "Expired Seconds [%v]: ", cp.ExpiredSeconds)
 	cp.ExpiredSeconds, _ = strconv.Atoi(ReadInput(strconv.Itoa(cp.ExpiredSeconds)))
 	return nil

config/configure_get.go

@@ -85,6 +85,8 @@ func doConfigureGet(c *cli.Context, args []string) {
 			cli.Printf(c.Stdout(), "ram-role-name=%s\n", profile.RamRoleName)
 		case RamRoleArnFlagName:
 			cli.Printf(c.Stdout(), "ram-role-arn=%s\n", profile.RamRoleArn)
+		case ExternalIdFlagName:
+			cli.Printf(c.Stdout(), "external-id=%s\n", profile.ExternalId)
 		case RoleSessionNameFlagName:
 			cli.Printf(c.Stdout(), "role-session-name=%s\n", profile.RoleSessionName)
 		case KeyPairNameFlagName:

config/configure_get_test.go

@@ -72,8 +72,8 @@ func TestDoConfigureGet(t *testing.T) {
 	w.Reset()
 	stderr.Reset()
 	ctx.Flags().Flags()[1].SetAssigned(false)
-	doConfigureGet(ctx, []string{"profile", "mode", "access-key-id", "access-key-secret", "sts-token", "ram-role-name", "ram-role-arn", "role-session-name", "private-key", "key-pair-name", "region", "language"})
-	assert.Equal(t, "profile=default\nmode=AK\naccess-key-id=*************************_id\naccess-key-secret=*****************************ret\nsts-token=\nram-role-name=\nram-role-arn=\nrole-session-name=\nprivate-key=\nkey-pair-name=\nlanguage=\n\n", w.String())
+	doConfigureGet(ctx, []string{"profile", "mode", "access-key-id", "access-key-secret", "sts-token", "ram-role-name", "ram-role-arn", "role-session-name", "external-id", "private-key", "key-pair-name", "region", "language"})
+	assert.Equal(t, "profile=default\nmode=AK\naccess-key-id=*************************_id\naccess-key-secret=*****************************ret\nsts-token=\nram-role-name=\nram-role-arn=\nrole-session-name=\nexternal-id=\nprivate-key=\nkey-pair-name=\nlanguage=\n\n", w.String())
 
 	//TESTCASE 4
 	hookLoadConfiguration = func(fn func(path string) (*Configuration, error)) func(path string) (*Configuration, error) {

config/configure_list.go

@@ -61,12 +61,18 @@ func doConfigureList(w io.Writer) {
 			cred = "StsToken:" + "***" + GetLastChars(pf.AccessKeyId, 3)
 		case RamRoleArn:
 			cred = "RamRoleArn:" + "***" + GetLastChars(pf.AccessKeyId, 3)
+			if pf.ExternalId != "" {
+				cred = cred + ":" + GetLastChars(pf.ExternalId, 3)
+			}
 		case EcsRamRole:
 			cred = "EcsRamRole:" + pf.RamRoleName
 		case RamRoleArnWithEcs:
 			cred = "arn:" + "***" + GetLastChars(pf.AccessKeyId, 3)
 		case ChainableRamRoleArn:
 			cred = "ChainableRamRoleArn:" + pf.SourceProfile + ":" + pf.RamRoleArn
+			if pf.ExternalId != "" {
+				cred = cred + ":" + GetLastChars(pf.ExternalId, 3)
+			}
 		case RsaKeyPair:
 			cred = "RsaKeyPair:" + pf.KeyPairName
 		case External:

config/configure_list_test.go

@@ -58,6 +58,16 @@ func TestDoConfigureList(t *testing.T) {
 						RamRoleArn:      "RamRoleArn",
 						RoleSessionName: "RoleSessionName",
 					},
+					{
+						Name:            "bbbe",
+						Mode:            RamRoleArn,
+						AccessKeyId:     "sdf",
+						AccessKeySecret: "ddf",
+						OutputFormat:    "json",
+						RamRoleArn:      "RamRoleArn",
+						RoleSessionName: "RoleSessionName",
+						ExternalId:      "ExternalId",
+					},
 					{
 						Name:            "ccc",
 						Mode:            EcsRamRole,
@@ -92,6 +102,7 @@ func TestDoConfigureList(t *testing.T) {
 		"default * | AK:***_id              | Invalid |                  | \n"+
 		"aaa       | StsToken:******        | Invalid |                  | \n"+
 		"bbb       | RamRoleArn:******      | Invalid |                  | \n"+
+		"bbbe      | RamRoleArn:******:lId  | Invalid |                  | \n"+
 		"ccc       | EcsRamRole:RamRoleName | Invalid |                  | \n"+
 		"ddd       | RsaKeyPair:KeyPairName | Invalid |                  | \n"+
 		"eee       | CloudSSO:a@b           | Invalid |                  | \n", w.String())

config/configure_set.go

@@ -86,6 +86,7 @@ func doConfigureSet(w io.Writer, flags *cli.FlagSet) {
 		profile.AccessKeySecret = AccessKeySecretFlag(flags).GetStringOrDefault(profile.AccessKeySecret)
 		profile.RamRoleArn = RamRoleArnFlag(flags).GetStringOrDefault(profile.RamRoleArn)
 		profile.RoleSessionName = RoleSessionNameFlag(flags).GetStringOrDefault(profile.RoleSessionName)
+		profile.ExternalId = ExternalIdFlag(flags).GetStringOrDefault(profile.ExternalId)
 		profile.ExpiredSeconds = ExpiredSecondsFlag(flags).GetIntegerOrDefault(profile.ExpiredSeconds)
 	case EcsRamRole:
 		profile.RamRoleName = RamRoleNameFlag(flags).GetStringOrDefault(profile.RamRoleName)
@@ -98,6 +99,7 @@ func doConfigureSet(w io.Writer, flags *cli.FlagSet) {
 		profile.SourceProfile = SourceProfileFlag(flags).GetStringOrDefault(profile.SourceProfile)
 		profile.RamRoleArn = RamRoleArnFlag(flags).GetStringOrDefault(profile.RamRoleArn)
 		profile.RoleSessionName = RoleSessionNameFlag(flags).GetStringOrDefault(profile.RoleSessionName)
+		profile.ExternalId = ExternalIdFlag(flags).GetStringOrDefault(profile.ExternalId)
 		profile.ExpiredSeconds = ExpiredSecondsFlag(flags).GetIntegerOrDefault(profile.ExpiredSeconds)
 	case RsaKeyPair:
 		profile.PrivateKey = PrivateKeyFlag(flags).GetStringOrDefault(profile.PrivateKey)

config/configure_set_test.go

@@ -97,7 +97,7 @@ func TestDoConfigureSet(t *testing.T) {
 			return &Configuration{
 				CurrentProfile: "default",
 				Profiles: []Profile{
-					{Name: "default", Mode: RamRoleArn, RoleSessionName: "RoleSessionName", RamRoleArn: "RamRoleArn", AccessKeyId: "default_aliyun_access_key_id", AccessKeySecret: "default_aliyun_access_key_secret", OutputFormat: "json", RegionId: "cn-hangzhou"},
+					{Name: "default", Mode: RamRoleArn, RoleSessionName: "RoleSessionName", RamRoleArn: "RamRoleArn", ExternalId: "ExternalId", AccessKeyId: "default_aliyun_access_key_id", AccessKeySecret: "default_aliyun_access_key_secret", OutputFormat: "json", RegionId: "cn-hangzhou"},
 					{Name: "aaa", Mode: AK, AccessKeyId: "sdf", AccessKeySecret: "ddf", OutputFormat: "json"}}}, nil
 		}
 	}

config/configure_test.go

@@ -192,8 +192,8 @@ func TestConfigureStsToken(t *testing.T) {
 
 func TestConfigureRamRoleArn(t *testing.T) {
 	w := new(bytes.Buffer)
-	err := configureRamRoleArn(w, &Profile{Name: "default", Mode: AK, AccessKeyId: "access_key_id", AccessKeySecret: "access_key_secret", RamRoleArn: "RamRoleArn", RoleSessionName: "RoleSessionName", RegionId: "cn-hangzhou", OutputFormat: "json"})
-	assert.Equal(t, "Access Key Id [**********_id]: Access Key Secret [**************ret]: Sts Region []: Ram Role Arn [RamRoleArn]: Role Session Name [RoleSessionName]: Expired Seconds [900]: ", w.String())
+	err := configureRamRoleArn(w, &Profile{Name: "default", Mode: AK, AccessKeyId: "access_key_id", AccessKeySecret: "access_key_secret", RamRoleArn: "RamRoleArn", RoleSessionName: "RoleSessionName", ExternalId: "ExternalId", RegionId: "cn-hangzhou", OutputFormat: "json"})
+	assert.Equal(t, "Access Key Id [**********_id]: Access Key Secret [**************ret]: Sts Region []: Ram Role Arn [RamRoleArn]: Role Session Name [RoleSessionName]: External ID [ExternalId]: Expired Seconds [900]: ", w.String())
 	assert.Nil(t, err)
 }
 
@@ -246,11 +246,12 @@ func TestConfigureChainableRamRoleArn(t *testing.T) {
 		RamRoleArn:      "rra",
 		StsRegion:       "cn-hangzhou",
 		RoleSessionName: "rsn",
+		ExternalId:      "eid",
 		RegionId:        "cn-hangzhou",
 		ExpiredSeconds:  3600,
 		OutputFormat:    "json",
 	})
-	assert.Equal(t, "Source Profile [source]: Sts Region [cn-hangzhou]: Ram Role Arn [rra]: Role Session Name [rsn]: Expired Seconds [3600]: ", w.String())
+	assert.Equal(t, "Source Profile [source]: Sts Region [cn-hangzhou]: Ram Role Arn [rra]: Role Session Name [rsn]: External ID [eid]: Expired Seconds [3600]: ", w.String())
 	assert.Nil(t, err)
 }
 
@@ -265,8 +266,9 @@ func TestConfigureChainableRamRoleArnWhenZeroExpiredSeconds(t *testing.T) {
 		RoleSessionName: "rsn",
 		RegionId:        "cn-hangzhou",
 		OutputFormat:    "json",
+		ExternalId:      "eid",
 	})
-	assert.Equal(t, "Source Profile [source]: Sts Region [cn-hangzhou]: Ram Role Arn [rra]: Role Session Name [rsn]: Expired Seconds [900]: ", w.String())
+	assert.Equal(t, "Source Profile [source]: Sts Region [cn-hangzhou]: Ram Role Arn [rra]: Role Session Name [rsn]: External ID [eid]: Expired Seconds [900]: ", w.String())
 	assert.Nil(t, err)
 }
 

config/flags.go

@@ -29,6 +29,7 @@ const (
 	RamRoleNameFlagName          = "ram-role-name"
 	RamRoleArnFlagName           = "ram-role-arn"
 	RoleSessionNameFlagName      = "role-session-name"
+	ExternalIdFlagName           = "external-id"
 	SourceProfileFlagName        = "source-profile"
 	PrivateKeyFlagName           = "private-key"
 	KeyPairNameFlagName          = "key-pair-name"
@@ -63,6 +64,7 @@ func AddFlags(fs *cli.FlagSet) {
 	fs.Add(NewRamRoleNameFlag())
 	fs.Add(NewRamRoleArnFlag())
 	fs.Add(NewRoleSessionNameFlag())
+	fs.Add(NewExternalIdFlag())
 	fs.Add(NewPrivateKeyFlag())
 	fs.Add(NewKeyPairNameFlag())
 	fs.Add(NewReadTimeoutFlag())
@@ -122,6 +124,10 @@ func RoleSessionNameFlag(fs *cli.FlagSet) *cli.Flag {
 	return fs.Get(RoleSessionNameFlagName)
 }
 
+func ExternalIdFlag(fs *cli.FlagSet) *cli.Flag {
+	return fs.Get(ExternalIdFlagName)
+}
+
 func PrivateKeyFlag(fs *cli.FlagSet) *cli.Flag {
 	return fs.Get(PrivateKeyFlagName)
 }
@@ -292,6 +298,17 @@ func NewRoleSessionNameFlag() *cli.Flag {
 	}
 }
 
+func NewExternalIdFlag() *cli.Flag {
+	return &cli.Flag{
+		Category:     "config",
+		Name:         ExternalIdFlagName,
+		AssignedMode: cli.AssignedOnce,
+		Short: i18n.T(
+			"use `--external-id <ExternalId>` to assign ExternalId",
+			"使用 `--external-id <ExternalId>` 指定ExternalId"),
+	}
+}
+
 func NewExpiredSecondsFlag() *cli.Flag {
 	return &cli.Flag{
 		Category:     "config",

config/flags_test.go

@@ -168,6 +168,24 @@ func TestAddFlag(t *testing.T) {
 			DefaultValue: "",
 			Persistent:   false,
 		}
+		newExternalIdFlag = &cli.Flag{
+			Category:     "config",
+			Name:         ExternalIdFlagName,
+			AssignedMode: cli.AssignedOnce,
+			Short: i18n.T(
+				"use `--external-id <ExternalId>` to assign ExternalId",
+				"使用 `--external-id <ExternalId>` 指定ExternalId"),
+			Long:         nil,
+			Required:     false,
+			Aliases:      nil,
+			Hidden:       false,
+			Validate:     nil,
+			Fields:       nil,
+			ExcludeWith:  nil,
+			Shorthand:    0,
+			DefaultValue: "",
+			Persistent:   false,
+		}
 		newPrivateKeyFlag = &cli.Flag{
 			Category:     "config",
 			Name:         PrivateKeyFlagName,
@@ -378,6 +396,9 @@ func TestAddFlag(t *testing.T) {
 	f = NewRoleSessionNameFlag()
 	assert.Equal(t, newRoleSessionNameFlag, f)
 
+	f = NewExternalIdFlag()
+	assert.Equal(t, newExternalIdFlag, f)
+
 	f = NewPrivateKeyFlag()
 	assert.Equal(t, newPrivateKeyFlag, f)