Add OIDCCredentialsProvider into default credentials provider chain

JacksonTian · yndu13 · commit 43686960adbc · 2024-07-08T10:55:54.000+08:00
diff --git a/aliyun-java-sdk-core/src/main/java/com/aliyuncs/DefaultAcsClient.java b/aliyun-java-sdk-core/src/main/java/com/aliyuncs/DefaultAcsClient.java
@@ -319,7 +319,6 @@ private <T extends AcsResponse> HttpResponse doRealAction(AcsRequest<T> request,
                                                               String regionId, AlibabaCloudCredentials credentials, Signer signer, FormatType format)
             throws ClientException, ServerException {
 
-
         doActionWithProxy(request.getSysProtocol(), System.getenv("HTTPS_PROXY"), System.getenv("HTTP_PROXY"));
         doActionWithIgnoreSSL(request, X509TrustAll.ignoreSSLCerts);
 
@@ -584,7 +583,6 @@ public void shutdown() {
             IOUtils.closeQuietly(this.httpClient);
             this.httpClient = null;
         }
-
     }
 
     public DefaultProfile getProfile() {
diff --git a/aliyun-java-sdk-core/src/main/java/com/aliyuncs/auth/DefaultCredentialsProvider.java b/aliyun-java-sdk-core/src/main/java/com/aliyuncs/auth/DefaultCredentialsProvider.java
@@ -2,6 +2,7 @@
 
 import com.aliyuncs.exceptions.ClientException;
 import com.aliyuncs.utils.AuthUtils;
+import com.aliyuncs.utils.StringUtils;
 
 import java.util.ArrayList;
 import java.util.List;
@@ -15,6 +16,14 @@ public class DefaultCredentialsProvider implements AlibabaCloudCredentialsProvid
     public DefaultCredentialsProvider() throws ClientException {
         defaultProviders.add(new SystemPropertiesCredentialsProvider());
         defaultProviders.add(new EnvironmentVariableCredentialsProvider());
+        // Add oidc credentials provider
+        String oidcProviderArn = System.getenv("ALIBABA_CLOUD_OIDC_PROVIDER_ARN");
+        String roleArn = System.getenv("ALIBABA_CLOUD_ROLE_ARN");
+        String oidcTokenFile = System.getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE");
+        if (!StringUtils.isEmpty(oidcProviderArn) && !StringUtils.isEmpty(oidcTokenFile) && !StringUtils.isEmpty(roleArn)) {
+            defaultProviders.add(new OIDCCredentialsProvider(roleArn, oidcProviderArn, oidcTokenFile, "java-sdk-v1-default-rsn", null));
+        }
+
         defaultProviders.add(new ProfileCredentialsProvider());
         String roleName = AuthUtils.getEnvironmentECSMetaData();
         if (roleName != null) {
@@ -42,6 +51,7 @@ public AlibabaCloudCredentials getCredentials() throws ClientException {
                 return credential;
             }
         }
+
         throw new ClientException("not found credentials");
     }
 
diff --git a/aliyun-java-sdk-core/src/main/java/com/aliyuncs/auth/SystemPropertiesCredentialsProvider.java b/aliyun-java-sdk-core/src/main/java/com/aliyuncs/auth/SystemPropertiesCredentialsProvider.java
@@ -12,11 +12,13 @@ public AlibabaCloudCredentials getCredentials() throws ClientException, ServerEx
         if (!"default".equals(AuthUtils.getClientType())) {
             return null;
         }
+
         String accessKeyId = System.getProperty(AuthConstant.SYSTEM_ACCESSKEYID);
         String accessKeySecret = System.getProperty(AuthConstant.SYSTEM_ACCESSKEYSECRET);
         if (StringUtils.isEmpty(accessKeyId) || StringUtils.isEmpty(accessKeySecret)) {
             return null;
         }
+
         return new BasicCredentials(accessKeyId, accessKeySecret);
     }
 }
diff --git a/java-sdk-function-test/src/test/java/com/aliyuncs/CredentialsTest.java b/java-sdk-function-test/src/test/java/com/aliyuncs/CredentialsTest.java
@@ -45,4 +45,13 @@ public void oidcProviderTest() throws ClientException {
         Assert.assertTrue(response.getArn().endsWith("/sessionname"));
     }
 
+    @Test
+    public void oidcProviderForDefaultCredentialsProviderTest() throws ClientException {
+        DefaultAcsClient client = new DefaultAcsClient(this.regionId);
+        GetCallerIdentityRequest request = new GetCallerIdentityRequest();
+        GetCallerIdentityResponse response = client.getAcsResponse(request);
+        Assert.assertNotNull(response);
+        Assert.assertEquals("AssumedRoleUser", response.getIdentityType());
+        Assert.assertTrue(response.getArn().endsWith("/java-sdk-v1-default-rsn"));
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -319,7 +319,6 @@ private <T extends AcsResponse> HttpResponse doRealAction(AcsRequest<T> request,`
`319`	`319`	`String regionId, AlibabaCloudCredentials credentials, Signer signer, FormatType format)`
`320`	`320`	`throws ClientException, ServerException {`
`321`	`321`
`322`		`-`
`323`	`322`	`doActionWithProxy(request.getSysProtocol(), System.getenv("HTTPS_PROXY"), System.getenv("HTTP_PROXY"));`
`324`	`323`	`doActionWithIgnoreSSL(request, X509TrustAll.ignoreSSLCerts);`
`325`	`324`
`@@ -584,7 +583,6 @@ public void shutdown() {`
`584`	`583`	`IOUtils.closeQuietly(this.httpClient);`
`585`	`584`	`this.httpClient = null;`
`586`	`585`	`}`
`587`		`-`
`588`	`586`	`}`
`589`	`587`
`590`	`588`	`public DefaultProfile getProfile() {`
Original file line number	Diff line number	Diff line change
`@@ -12,11 +12,13 @@ public AlibabaCloudCredentials getCredentials() throws ClientException, ServerEx`
`12`	`12`	`if (!"default".equals(AuthUtils.getClientType())) {`
`13`	`13`	`return null;`
`14`	`14`	`}`
	`15`	`+`
`15`	`16`	`String accessKeyId = System.getProperty(AuthConstant.SYSTEM_ACCESSKEYID);`
`16`	`17`	`String accessKeySecret = System.getProperty(AuthConstant.SYSTEM_ACCESSKEYSECRET);`
`17`	`18`	`if (StringUtils.isEmpty(accessKeyId) \|\| StringUtils.isEmpty(accessKeySecret)) {`
`18`	`19`	`return null;`
`19`	`20`	`}`
	`21`	`+`
`20`	`22`	`return new BasicCredentials(accessKeyId, accessKeySecret);`
`21`	`23`	`}`
`22`	`24`	`}`
Original file line number	Diff line number	Diff line change
`@@ -45,4 +45,13 @@ public void oidcProviderTest() throws ClientException {`
`45`	`45`	`Assert.assertTrue(response.getArn().endsWith("/sessionname"));`
`46`	`46`	`}`
`47`	`47`
	`48`	`+ @Test`
	`49`	`+ public void oidcProviderForDefaultCredentialsProviderTest() throws ClientException {`
	`50`	`+ DefaultAcsClient client = new DefaultAcsClient(this.regionId);`
	`51`	`+ GetCallerIdentityRequest request = new GetCallerIdentityRequest();`
	`52`	`+ GetCallerIdentityResponse response = client.getAcsResponse(request);`
	`53`	`+ Assert.assertNotNull(response);`
	`54`	`+ Assert.assertEquals("AssumedRoleUser", response.getIdentityType());`
	`55`	`+ Assert.assertTrue(response.getArn().endsWith("/java-sdk-v1-default-rsn"));`
	`56`	`+ }`
`48`	`57`	`}`