vault支持跨账号角色授权登陆

Author: benlfhuang

Diff for: .gitignore

@@ -15,3 +15,4 @@
 # vendor/
 
 .idea
+/cmd/vault-plugin-auth-tencentcloud/vault-plugin-auth-tencentcloud

Diff for: backend_test.go

@@ -366,29 +366,13 @@ func (e *testEnv) getIsAccTestCreds(t *testing.T) (creds common.CredentialIface)
 }
 
 func (e *testEnv) LoginSuccess(t *testing.T) {
-
-	var creds common.CredentialIface
-	var err error
-
-	if e.isAccTest {
-		creds = e.getIsAccTestCreds(t)
-	} else {
-		creds, err = clients.NewConfigurationCredentialProvider(&clients.Configuration{
-			// dummy creds are fine
-			SecretId:  e.clientConfigSecretId,
-			SecretKey: e.clientConfigSecretKey,
-			Token:     e.token,
-		}).GetCredential()
-	}
-
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	data, err := tools.GenerateLoginData(e.arn.RoleName, creds, "us-west-2")
-	if err != nil {
-		t.Fatal(err)
-	}
+	data := tools.GenerateLoginDataV2(
+		e.arn.RoleName,
+		"na-ashburn",
+		e.clientConfigSecretId,
+		e.clientConfigSecretKey,
+		e.token,
+	)
 	req := &logical.Request{
 		Operation: logical.UpdateOperation,
 		Path:      "login",

Diff for: cli.go

@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/hashicorp/vault-plugin-auth-tencentcloud/clients"
 	"github.com/hashicorp/vault-plugin-auth-tencentcloud/tools"
 	"github.com/hashicorp/vault/api"
 )
@@ -20,15 +19,11 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro
 		mount = "tencentcloud"
 	}
 	role := m["role"]
-
-	creds, err := clients.ChainedCredsToCli(m["secret_id"], m["secret_key"], m["token"])
-	if err != nil {
-		return nil, err
-	}
-	loginData, err := tools.GenerateLoginData(role, creds, m["region"])
-	if err != nil {
-		return nil, err
-	}
+	sid := m["secret_id"]
+	skey := m["secret_key"]
+	token := m["token"]
+	region := m["region"]
+	loginData := tools.GenerateLoginDataV2(role, sid, skey, token, region)
 	path := fmt.Sprintf("auth/%s/login", mount)
 	secret, err := c.Logical().Write(path, loginData)
 	if err != nil {

Diff for: clients/cam.go

@@ -1,16 +1,14 @@
 package clients
 
 import (
-	"fmt"
-
 	cam "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cam/v20190116"
 	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile"
 	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/regions"
 )
 
 // init New CAM Client
-func NewCAMClient(secretId, secretKey string) (*CAMClient, error) {
-	creds, err := ChainedCredsToCli(secretId, secretKey, "")
+func NewCAMClient(secretId, secretKey, token string) (*CAMClient, error) {
+	creds, err := ChainedCredsToCli(secretId, secretKey, token)
 	if err != nil {
 		return nil, err
 	}
@@ -34,7 +32,6 @@ func (c *CAMClient) GetRoleName(roleId string) (roleName string, err error) {
 	req := cam.NewGetRoleRequest()
 	req.RoleId = &roleId
 	roleRsp, err := c.client.GetRole(req)
-	fmt.Println(roleRsp.ToJsonString())
 	if err != nil {
 		return "", err
 	}

Diff for: clients/cam_test.go

@@ -0,0 +1,65 @@
+package clients
+
+import (
+	"fmt"
+	cam "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cam/v20190116"
+	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile"
+	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/regions"
+	"testing"
+)
+
+func TestCAMClient_GetRoleName(t *testing.T) {
+	secretId := "xxxx"
+	secretKey := "xxxx"
+	token := "xxxx"
+
+	creds, err := ChainedCredsToCli(secretId, secretKey, token)
+	if err != nil {
+		fmt.Printf("错误信息,%v", err)
+	}
+	profile := profile.NewClientProfile()
+	profile.Language = "en-US"
+	profile.HttpProfile.ReqTimeout = 90
+	client, err := cam.NewClient(creds, regions.Ashburn, profile)
+	if err != nil {
+		fmt.Printf("错误信息,%v", err)
+	}
+	type fields struct {
+		client *cam.Client
+	}
+	type args struct {
+		roleId string
+	}
+	tests := []struct {
+		name         string
+		fields       fields
+		args         args
+		wantRoleName string
+		wantErr      bool
+	}{
+		{
+			name: "TestCAMClient_GetRoleName",
+			fields: fields{
+				client: client,
+			},
+			args: args{
+				roleId: "4611686028425447636",
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &CAMClient{
+				client: tt.fields.client,
+			}
+			gotRoleName, err := c.GetRoleName(tt.args.roleId)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("GetRoleName() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if gotRoleName != tt.wantRoleName {
+				t.Errorf("GetRoleName() gotRoleName = %v, want %v", gotRoleName, tt.wantRoleName)
+			}
+		})
+	}
+}

Diff for: clients/sts.go

@@ -0,0 +1,54 @@
+package clients
+
+import (
+	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile"
+	sts "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/sts/v20180813"
+)
+
+// NewStsClient init New STS Client
+func NewStsClient(secretId, secretKey, token, region string) (*STSClient, error) {
+	creds, err := ChainedCredsToCli(secretId, secretKey, token)
+	if err != nil {
+		return nil, err
+	}
+	profile := profile.NewClientProfile()
+	profile.Language = "en-US"
+	profile.HttpProfile.ReqTimeout = 90
+	client, err := sts.NewClient(creds, region, profile)
+	if err != nil {
+		return nil, err
+	}
+	return &STSClient{client: client}, nil
+}
+
+// STSClient STS Client
+type STSClient struct {
+	client *sts.Client
+}
+
+// CallerIdentityRsp caller identity response
+type CallerIdentityRsp struct {
+	Arn         string
+	AccountId   string
+	UserId      string
+	PrincipalId string
+	Type        string
+	RequestId   string
+}
+
+// GetCallerIdentity get caller identity
+func (c *STSClient) GetCallerIdentity() (rsp *CallerIdentityRsp, err error) {
+	req := sts.NewGetCallerIdentityRequest()
+	callerIdentityRsp, err := c.client.GetCallerIdentity(req)
+	if err != nil {
+		return nil, err
+	}
+	return &CallerIdentityRsp{
+		Type:        *callerIdentityRsp.Response.Type,
+		Arn:         *callerIdentityRsp.Response.Arn,
+		AccountId:   *callerIdentityRsp.Response.AccountId,
+		UserId:      *callerIdentityRsp.Response.UserId,
+		PrincipalId: *callerIdentityRsp.Response.PrincipalId,
+		RequestId:   *callerIdentityRsp.Response.RequestId,
+	}, nil
+}

Diff for: docs/Tencent Cloud - Auth Methods - HTTP API.md

@@ -164,18 +164,20 @@ Fetch a token. This endpoint verifies the signature of the signed GetCallerIdent
 ### Parameters
 
 - `role` `(string: <required>)` - Name of the role.
-- `identity_request_url` `(string: <required>)` - Base64-encoded HTTP URL used in the signed request.
-- `identity_request_headers` `(string: <required>)` - Base64-encoded, JSON-serialized representation of the sts:
-  GetCallerIdentity HTTP request headers. The JSON serialization assumes that each header key maps to either a string
-  value or an array of string values (though the length of that array will probably only be one).
+- `region` `(string: <optional>)` - Name of the region.
+- `secret_id` `(string: <required>)` - Tencentcloud secret id
+- `secret_key` `(string: <required>)` - Tencentcloud secret key
+- `token` `(string: <required>)` - Tencentcloud token
 
 ### Sample Payload
 
 ```json
 {
   "role": "dev-role",
-  "identity_request_url": "...",
-  "identity_request_headers": "..."
+  "region": "...",
+  "secret_id": "...",
+  "secret_key": "...",
+  "token": "..."
 }
 ```
 

Diff for: docs/Tencent Cloud Auth Method.md

@@ -93,8 +93,10 @@ $ vault write auth/tencentcloud/role/dev-role arn='qcs::cam::uin/100021543443:ro
 ```shell
 $ vault write auth/tencentcloud/login \
         role=dev-role \
-        identity_request_url=$IDENTITY_REQUEST_URL_BASE_64 \
-        identity_request_headers=$IDENTITY_REQUEST_HEADERS_BASE_64
+        region=$IDENTITY_REQUEST_REGION \
+        secret_id=$IDENTITY_REQUEST_SECRET_ID \
+        secret_key=$IDENTITY_REQUEST_SECRET_KEY \
+        token=$IDENTITY_REQUEST_TOKEN
 ```
 
 For the CAM auth method, generating the signed request is a non-standard operation. The Vault CLI supports generating

Diff for: go.mod

@@ -10,16 +10,15 @@ require (
 	github.com/hashicorp/go-uuid v1.0.2
 	github.com/hashicorp/vault/api v1.3.0
 	github.com/hashicorp/vault/sdk v0.3.0
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cam v1.0.286
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.285
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/sts v1.0.293
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cam v1.0.1016
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1016
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/sts v1.0.1016
 )
 
 require (
 	github.com/armon/go-metrics v0.3.9 // indirect
 	github.com/armon/go-radix v1.0.0 // indirect
 	github.com/cenkalti/backoff/v3 v3.0.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/evanphx/json-patch/v5 v5.5.0 // indirect
 	github.com/fatih/color v1.7.0 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
@@ -47,7 +46,6 @@ require (
 	github.com/oklog/run v1.0.0 // indirect
 	github.com/pierrec/lz4 v2.5.2+incompatible // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 // indirect
@@ -59,5 +57,4 @@ require (
 	google.golang.org/grpc v1.41.0 // indirect
 	google.golang.org/protobuf v1.26.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
-	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
 )

Diff for: go.sum

@@ -223,12 +223,14 @@ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81P
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cam v1.0.286 h1:vKUWFu+b7zixbzuZqGbuOkzQzw2eeUxituc8MsuQ89o=
-github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cam v1.0.286/go.mod h1:ys+65P4jdhUP5rQFSPI9O8/5s0lNcPycl5IPOTaZyVU=
-github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.285 h1:/pxhtrvLDidDxEi0MFyICPKeJ+gvtIBdfZZSx3Nz8rA=
-github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.285/go.mod h1:7sCQWVkxcsR38nffDW057DRGk8mUjK1Ing/EFOK8s8Y=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cam v1.0.1016 h1:i2iHHQVd1jh7ATG1AOGBl1Ok1WJQngy4Nk11RiPLnC4=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cam v1.0.1016/go.mod h1:08eNxt3v411zXWW1Pr1GMDnj4Qm6HCNgDSvG/naOrhQ=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1016 h1:gFA+fJStsfNwOAfVrgpjej4iq1A/YdWW4GB2D6B8fGk=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1016/go.mod h1:r5r4xbfxSaeR04b166HGsBa/R4U3SueirEUpXGuw+Q0=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/sts v1.0.293 h1:VExz4pakQsBu872prgUMIZnAVTIsJQHuAqGIZBNreVc=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/sts v1.0.293/go.mod h1:3LRL4bjS4JieTruoWSqnMA/rPOxd2TXsstNBKtN+2qQ=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/sts v1.0.1016 h1:9pXcgdNC+7Esd3soQUwn1aHgFrIw1J2+n6LCiMnTuYg=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/sts v1.0.1016/go.mod h1:yR/gWOCs7bEn5d0B9zSzTVKshBLgI30ZvVxlkLIx7No=
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
@@ -324,7 +326,6 @@ google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/l
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w=
 gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=