Add CloudSSO authentication support and related configurations (#1225)

* Add CloudSSO authentication support and related configurations

* Enhance CloudSSO configuration handling and add related tests

* Refactor CloudSSO functions for improved testability and add unit tests for configuration handling

* Refactor configuration handling and enhance testing for profile management

* Fix typo in error message for expired CloudSSO access token

* Refactor configuration saving to use a variable function for improved testability

* Skip external tests on Windows in TestProfile_GetCredential_External

Author: CodeSpaceiiii

README.md

@@ -101,6 +101,7 @@ The following are supported authentication methods:
 | External               | Use external processes to provide access credentials        |
 | CredentialsURI         | Use external services to provide access credentials         |
 | ChainableRamRoleArn    | Use chainable role assumption to provide access credentials |
+| CloudSSO               | Use CloudSSO to provide access credentials                  |
 
 If the --mode is not specified during configuration, the AK mode will be used by default.
 
@@ -226,7 +227,7 @@ The Credentials URI must be response with status code 200, and following body:
 }
 ```
 
-Otherwise, CLI treate as failure case.
+Otherwise, CLI treat as failure case.
 
 ### Use OIDC to get credentials
 
@@ -245,7 +246,20 @@ Default Language [zh|en] en:
 Saving profile[oidc_p] ...Done.
 ```
 
-### Enable bash/zsh auto completion
+### Use CloudSSO to get credentials
+
+You can use the `--mode CloudSSO` to obtain credentials through CloudSSO. An example is as follows:
+
+```shell
+$ aliyun configure --mode CloudSSO --profile cloud_sso
+Configuring profile 'cloudsso-test' in 'CloudSSO' authenticate mode...
+CloudSSO Sign In Url [https://signin-cn-shanghai.alibabacloudsso.com/start/login]:
+# CloudSSO Sign In Url is required, please input it.
+# then follow the instructions to sign in.
+```
+
+
+### Enable bash/zsh auto-completion
 
 - Use `aliyun auto-completion` command to enable auto completion in zsh/bash
 - Use `aliyun auto-completion --uninstall` command to disable auto completion.
@@ -431,6 +445,7 @@ We support the following environment variables:
 - `ALIBABA_CLOUD_ACCESS_KEY_SECRET`: When no Access Key Secret is specified, the CLI uses it.
 - `ALIBABA_CLOUD_SECURITY_TOKEN`: When no Security Token is specified, the CLI uses it.
 - `ALIBABA_CLOUD_REGION_ID`: When no Region Id is specified, the CLI uses it.
+- `ALIBABA_CLOUD_SSO_CLIENT_ID`: Use this variable to override the client ID of the SSO application.
 - `DEBUG=sdk`：Through this variable, the CLI can display HTTP request information, which is helpful for troubleshooting.
 
 ## Getting Help

cli/version.go

@@ -11,6 +11,7 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+
 package cli
 
 import (

cloudsso/access_configurations.go

@@ -0,0 +1,134 @@
+package cloudsso
+
+import (
+	"encoding/json"
+	"fmt"
+	"github.com/aliyun/aliyun-cli/v3/cli"
+	"io"
+	"net/http"
+	"strconv"
+)
+
+// AccessConfigurationsParameter is a struct that holds the parameters for accessing configurations.
+type AccessConfigurationsParameter struct {
+	UrlPrefix   string       `json:"urlPrefix"`
+	AccessToken string       `json:"accessToken"`
+	AccountId   string       `json:"accountId"`
+	HttpClient  *http.Client `json:"-"`
+}
+
+// AccessConfigurationsRequest 表示获取访问配置的请求参数
+type AccessConfigurationsRequest struct {
+	AccountId  string
+	NextToken  string
+	MaxResults int
+}
+
+// AccessConfigurationsResponse 表示访问配置的响应
+type AccessConfigurationsResponse struct {
+	AccessConfigurationsForAccount []AccessConfiguration `json:"AccessConfigurationsForAccount"`
+	NextToken                      string                `json:"NextToken"`
+	IsTruncated                    bool                  `json:"IsTruncated"`
+}
+
+// AccessConfiguration 表示单个访问配置
+type AccessConfiguration struct {
+	AccessConfigurationId          string `json:"AccessConfigurationId"`
+	AccessConfigurationName        string `json:"AccessConfigurationName"`
+	AccessConfigurationDescription string `json:"AccessConfigurationDescription"`
+}
+
+// ListAccessConfigurationsForAccount 获取单次访问配置列表
+func (p *AccessConfigurationsParameter) ListAccessConfigurationsForAccount(req AccessConfigurationsRequest) (*AccessConfigurationsResponse, error) {
+	// 构建URL
+	url := fmt.Sprintf("%s/access-assignments/access-configurations", p.UrlPrefix)
+
+	// 添加查询参数
+	query := url + "?AccountId=" + req.AccountId
+	if req.NextToken != "" {
+		query += "&NextToken=" + req.NextToken
+	}
+	if req.MaxResults > 0 {
+		query += "&MaxResults=" + strconv.Itoa(req.MaxResults)
+	}
+
+	// 创建HTTP请求
+	httpReq, err := http.NewRequest("GET", query, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	// 设置请求头
+	httpReq.Header.Set("Accept", "application/json")
+	httpReq.Header.Set("Content-Type", "application/json")
+	httpReq.Header.Set("Authorization", "Bearer "+p.AccessToken)
+	httpReq.Header.Set("User-Agent", "aliyun/CLI-"+cli.Version)
+
+	// 发送请求
+	client := p.HttpClient
+	if client == nil {
+		client = http.DefaultClient
+	}
+
+	resp, err := client.Do(httpReq)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	// 读取响应体
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	// 检查错误
+	if resp.StatusCode >= 400 && resp.StatusCode < 500 {
+		var errResp struct {
+			ErrorCode    string `json:"ErrorCode"`
+			ErrorMessage string `json:"ErrorMessage"`
+			RequestId    string `json:"RequestId"`
+		}
+
+		if err := json.Unmarshal(body, &errResp); err != nil {
+			return nil, err
+		}
+
+		return nil, fmt.Errorf("%s: %s %s", errResp.ErrorCode, errResp.ErrorMessage, errResp.RequestId)
+	}
+
+	// 解析响应
+	var result AccessConfigurationsResponse
+	if err := json.Unmarshal(body, &result); err != nil {
+		return nil, err
+	}
+
+	return &result, nil
+}
+
+// ListAllAccessConfigurations 获取所有访问配置列表
+func (p *AccessConfigurationsParameter) ListAllAccessConfigurations(req AccessConfigurationsRequest) ([]AccessConfiguration, error) {
+	var configurations []AccessConfiguration
+
+	// 获取第一页数据
+	response, err := p.ListAccessConfigurationsForAccount(req)
+	if err != nil {
+		return nil, err
+	}
+
+	configurations = append(configurations, response.AccessConfigurationsForAccount...)
+
+	// 如果有更多页，继续请求
+	for response.IsTruncated {
+		req.NextToken = response.NextToken
+
+		response, err = p.ListAccessConfigurationsForAccount(req)
+		if err != nil {
+			return nil, err
+		}
+
+		configurations = append(configurations, response.AccessConfigurationsForAccount...)
+	}
+
+	return configurations, nil
+}