CVO-17 Add an External ID param on RAM Role Authentication

config/configure.go

@@ -202,6 +202,8 @@ func configureRamRoleArn(w io.Writer, cp *Profile) error {
 	if cp.ExpiredSeconds == 0 {
 		cp.ExpiredSeconds = 900
 	}
+	cli.Printf(w, "External ID [%s]: ", cp.ExternalId)
+	cp.ExternalId = ReadInput(cp.ExternalId)
 	cli.Printf(w, "Expired Seconds [%v]: ", cp.ExpiredSeconds)
 	cp.ExpiredSeconds, _ = strconv.Atoi(ReadInput(strconv.Itoa(cp.ExpiredSeconds)))
 	return nil
@@ -242,6 +244,8 @@ func configureChainableRamRoleArn(w io.Writer, cp *Profile) error {
 	if cp.ExpiredSeconds == 0 {
 		cp.ExpiredSeconds = 900
 	}
+	cli.Printf(w, "External ID [%s]: ", cp.ExternalId)
+	cp.ExternalId = ReadInput(cp.ExternalId)
 	cli.Printf(w, "Expired Seconds [%v]: ", cp.ExpiredSeconds)
 	cp.ExpiredSeconds, _ = strconv.Atoi(ReadInput(strconv.Itoa(cp.ExpiredSeconds)))
 	return nil

config/configure_get.go

@@ -84,6 +84,8 @@ func doConfigureGet(c *cli.Context, args []string) {
 			cli.Printf(c.Stdout(), "ram-role-name=%s\n", profile.RamRoleName)
 		case RamRoleArnFlagName:
 			cli.Printf(c.Stdout(), "ram-role-arn=%s\n", profile.RamRoleArn)
+		case ExternalIdFlagName:
+			cli.Printf(c.Stdout(), "external-id=%s\n", profile.ExternalId)
 		case RoleSessionNameFlagName:
 			cli.Printf(c.Stdout(), "role-session-name=%s\n", profile.RoleSessionName)
 		case KeyPairNameFlagName:

config/configure_get_test.go

@@ -72,8 +72,8 @@ func TestDoConfigureGet(t *testing.T) {
 	w.Reset()
 	stderr.Reset()
 	ctx.Flags().Flags()[1].SetAssigned(false)
-	doConfigureGet(ctx, []string{"profile", "mode", "access-key-id", "access-key-secret", "sts-token", "ram-role-name", "ram-role-arn", "role-session-name", "private-key", "key-pair-name", "region", "language"})
-	assert.Equal(t, "profile=default\nmode=AK\naccess-key-id=*************************_id\naccess-key-secret=*****************************ret\nsts-token=\nram-role-name=\nram-role-arn=\nrole-session-name=\nprivate-key=\nkey-pair-name=\nlanguage=\n\n", w.String())
+	doConfigureGet(ctx, []string{"profile", "mode", "access-key-id", "access-key-secret", "sts-token", "ram-role-name", "ram-role-arn", "role-session-name", "external-id", "private-key", "key-pair-name", "region", "language"})
+	assert.Equal(t, "profile=default\nmode=AK\naccess-key-id=*************************_id\naccess-key-secret=*****************************ret\nsts-token=\nram-role-name=\nram-role-arn=\nrole-session-name=\nexternal-id=\nprivate-key=\nkey-pair-name=\nlanguage=\n\n", w.String())
 
 	//TESTCASE 4
 	hookLoadConfiguration = func(fn func(path string) (*Configuration, error)) func(path string) (*Configuration, error) {

config/configure_list.go

@@ -61,12 +61,18 @@ func doConfigureList(w io.Writer) {
 			cred = "StsToken:" + "***" + GetLastChars(pf.AccessKeyId, 3)
 		case RamRoleArn:
 			cred = "RamRoleArn:" + "***" + GetLastChars(pf.AccessKeyId, 3)
+			if pf.ExternalId != "" {
+				cred = cred + ":" + GetLastChars(pf.ExternalId, 3)
+			}
 		case EcsRamRole:
 			cred = "EcsRamRole:" + pf.RamRoleName
 		case RamRoleArnWithEcs:
 			cred = "arn:" + "***" + GetLastChars(pf.AccessKeyId, 3)
 		case ChainableRamRoleArn:
 			cred = "ChainableRamRoleArn:" + pf.SourceProfile + ":" + pf.RamRoleArn
+			if pf.ExternalId != "" {
+				cred = cred + ":" + GetLastChars(pf.ExternalId, 3)
+			}
 		case RsaKeyPair:
 			cred = "RsaKeyPair:" + pf.KeyPairName
 		case External:

config/configure_list_test.go

@@ -4,7 +4,7 @@
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
-//     http://www.apache.org/licenses/LICENSE-2.0
+//	http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
@@ -58,6 +58,16 @@ func TestDoConfigureList(t *testing.T) {
 						RamRoleArn:      "RamRoleArn",
 						RoleSessionName: "RoleSessionName",
 					},
+					{
+						Name:            "bbbe",
+						Mode:            RamRoleArn,
+						AccessKeyId:     "sdf",
+						AccessKeySecret: "ddf",
+						OutputFormat:    "json",
+						RamRoleArn:      "RamRoleArn",
+						RoleSessionName: "RoleSessionName",
+						ExternalId:      "ExternalId",
+					},
 					{
 						Name:            "ccc",
 						Mode:            EcsRamRole,
@@ -84,6 +94,7 @@ func TestDoConfigureList(t *testing.T) {
 		"default * | AK:***_id              | Invalid |                  | \n"+
 		"aaa       | StsToken:******        | Invalid |                  | \n"+
 		"bbb       | RamRoleArn:******      | Invalid |                  | \n"+
+		"bbbe      | RamRoleArn:******:lId  | Invalid |                  | \n"+
 		"ccc       | EcsRamRole:RamRoleName | Invalid |                  | \n"+
 		"ddd       | RsaKeyPair:KeyPairName | Invalid |                  | \n", w.String())
 

config/configure_set.go

@@ -86,6 +86,7 @@ func doConfigureSet(w io.Writer, flags *cli.FlagSet) {
 		profile.AccessKeySecret = AccessKeySecretFlag(flags).GetStringOrDefault(profile.AccessKeySecret)
 		profile.RamRoleArn = RamRoleArnFlag(flags).GetStringOrDefault(profile.RamRoleArn)
 		profile.RoleSessionName = RoleSessionNameFlag(flags).GetStringOrDefault(profile.RoleSessionName)
+		profile.ExternalId = ExternalIdFlag(flags).GetStringOrDefault(profile.ExternalId)
 		profile.ExpiredSeconds = ExpiredSecondsFlag(flags).GetIntegerOrDefault(profile.ExpiredSeconds)
 	case EcsRamRole:
 		profile.RamRoleName = RamRoleNameFlag(flags).GetStringOrDefault(profile.RamRoleName)
@@ -98,6 +99,7 @@ func doConfigureSet(w io.Writer, flags *cli.FlagSet) {
 		profile.SourceProfile = SourceProfileFlag(flags).GetStringOrDefault(profile.SourceProfile)
 		profile.RamRoleArn = RamRoleArnFlag(flags).GetStringOrDefault(profile.RamRoleArn)
 		profile.RoleSessionName = RoleSessionNameFlag(flags).GetStringOrDefault(profile.RoleSessionName)
+		profile.ExternalId = ExternalIdFlag(flags).GetStringOrDefault(profile.ExternalId)
 		profile.ExpiredSeconds = ExpiredSecondsFlag(flags).GetIntegerOrDefault(profile.ExpiredSeconds)
 	case RsaKeyPair:
 		profile.PrivateKey = PrivateKeyFlag(flags).GetStringOrDefault(profile.PrivateKey)

config/configure_set_test.go

@@ -4,7 +4,7 @@
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
-//     http://www.apache.org/licenses/LICENSE-2.0
+//	http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
@@ -97,7 +97,7 @@ func TestDoConfigureSet(t *testing.T) {
 			return &Configuration{
 				CurrentProfile: "default",
 				Profiles: []Profile{
-					{Name: "default", Mode: RamRoleArn, RoleSessionName: "RoleSessionName", RamRoleArn: "RamRoleArn", AccessKeyId: "default_aliyun_access_key_id", AccessKeySecret: "default_aliyun_access_key_secret", OutputFormat: "json", RegionId: "cn-hangzhou"},
+					{Name: "default", Mode: RamRoleArn, RoleSessionName: "RoleSessionName", RamRoleArn: "RamRoleArn", ExternalId: "ExternalId", AccessKeyId: "default_aliyun_access_key_id", AccessKeySecret: "default_aliyun_access_key_secret", OutputFormat: "json", RegionId: "cn-hangzhou"},
 					{Name: "aaa", Mode: AK, AccessKeyId: "sdf", AccessKeySecret: "ddf", OutputFormat: "json"}}}, nil
 		}
 	}

config/configure_test.go

@@ -189,8 +189,8 @@ func TestConfigureStsToken(t *testing.T) {
 
 func TestConfigureRamRoleArn(t *testing.T) {
 	w := new(bytes.Buffer)
-	err := configureRamRoleArn(w, &Profile{Name: "default", Mode: AK, AccessKeyId: "access_key_id", AccessKeySecret: "access_key_secret", RamRoleArn: "RamRoleArn", RoleSessionName: "RoleSessionName", RegionId: "cn-hangzhou", OutputFormat: "json"})
-	assert.Equal(t, "Access Key Id [**********_id]: Access Key Secret [**************ret]: Sts Region []: Ram Role Arn [RamRoleArn]: Role Session Name [RoleSessionName]: Expired Seconds [900]: ", w.String())
+	err := configureRamRoleArn(w, &Profile{Name: "default", Mode: AK, AccessKeyId: "access_key_id", AccessKeySecret: "access_key_secret", RamRoleArn: "RamRoleArn", RoleSessionName: "RoleSessionName", ExternalId: "ExternalId", RegionId: "cn-hangzhou", OutputFormat: "json"})
+	assert.Equal(t, "Access Key Id [**********_id]: Access Key Secret [**************ret]: Sts Region []: Ram Role Arn [RamRoleArn]: Role Session Name [RoleSessionName]: External ID [ExternalId]: Expired Seconds [900]: ", w.String())
 	assert.Nil(t, err)
 }
 
@@ -243,11 +243,12 @@ func TestConfigureChainableRamRoleArn(t *testing.T) {
 		RamRoleArn:      "rra",
 		StsRegion:       "cn-hangzhou",
 		RoleSessionName: "rsn",
+		ExternalId:      "eid",
 		RegionId:        "cn-hangzhou",
 		ExpiredSeconds:  3600,
 		OutputFormat:    "json",
 	})
-	assert.Equal(t, "Source Profile [source]: Sts Region [cn-hangzhou]: Ram Role Arn [rra]: Role Session Name [rsn]: Expired Seconds [3600]: ", w.String())
+	assert.Equal(t, "Source Profile [source]: Sts Region [cn-hangzhou]: Ram Role Arn [rra]: Role Session Name [rsn]: External ID [eid]: Expired Seconds [3600]: ", w.String())
 	assert.Nil(t, err)
 }
 

config/flags.go

@@ -28,6 +28,7 @@ const (
 	RamRoleNameFlagName     = "ram-role-name"
 	RamRoleArnFlagName      = "ram-role-arn"
 	RoleSessionNameFlagName = "role-session-name"
+	ExternalIdFlagName      = "external-id"
 	SourceProfileFlagName   = "source-profile"
 	PrivateKeyFlagName      = "private-key"
 	KeyPairNameFlagName     = "key-pair-name"
@@ -59,6 +60,7 @@ func AddFlags(fs *cli.FlagSet) {
 	fs.Add(NewRamRoleNameFlag())
 	fs.Add(NewRamRoleArnFlag())
 	fs.Add(NewRoleSessionNameFlag())
+	fs.Add(NewExternalIdFlag())
 	fs.Add(NewPrivateKeyFlag())
 	fs.Add(NewKeyPairNameFlag())
 	fs.Add(NewReadTimeoutFlag())
@@ -115,6 +117,10 @@ func RoleSessionNameFlag(fs *cli.FlagSet) *cli.Flag {
 	return fs.Get(RoleSessionNameFlagName)
 }
 
+func ExternalIdFlag(fs *cli.FlagSet) *cli.Flag {
+	return fs.Get(ExternalIdFlagName)
+}
+
 func PrivateKeyFlag(fs *cli.FlagSet) *cli.Flag {
 	return fs.Get(PrivateKeyFlagName)
 }
@@ -270,6 +276,17 @@ func NewRoleSessionNameFlag() *cli.Flag {
 	}
 }
 
+func NewExternalIdFlag() *cli.Flag {
+	return &cli.Flag{
+		Category:     "config",
+		Name:         ExternalIdFlagName,
+		AssignedMode: cli.AssignedOnce,
+		Short: i18n.T(
+			"use `--external-id <ExternalId>` to assign ExternalId",
+			"使用 `--external-id <ExternalId>` 指定ExternalId"),
+	}
+}
+
 func NewExpiredSecondsFlag() *cli.Flag {
 	return &cli.Flag{
 		Category:     "config",

config/flags_test.go

@@ -4,7 +4,7 @@
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
-//     http://www.apache.org/licenses/LICENSE-2.0
+//	http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
@@ -168,6 +168,24 @@ func TestAddFlag(t *testing.T) {
 			DefaultValue: "",
 			Persistent:   false,
 		}
+		newExternalIdFlag = &cli.Flag{
+			Category:     "config",
+			Name:         ExternalIdFlagName,
+			AssignedMode: cli.AssignedOnce,
+			Short: i18n.T(
+				"use `--external-id <ExternalId>` to assign ExternalId",
+				"使用 `--external-id <ExternalId>` 指定ExternalId"),
+			Long:         nil,
+			Required:     false,
+			Aliases:      nil,
+			Hidden:       false,
+			Validate:     nil,
+			Fields:       nil,
+			ExcludeWith:  nil,
+			Shorthand:    0,
+			DefaultValue: "",
+			Persistent:   false,
+		}
 		newPrivateKeyFlag = &cli.Flag{
 			Category:     "config",
 			Name:         PrivateKeyFlagName,
@@ -378,6 +396,9 @@ func TestAddFlag(t *testing.T) {
 	f = NewRoleSessionNameFlag()
 	assert.Equal(t, newRoleSessionNameFlag, f)
 
+	f = NewExternalIdFlag()
+	assert.Equal(t, newExternalIdFlag, f)
+
 	f = NewPrivateKeyFlag()
 	assert.Equal(t, newPrivateKeyFlag, f)
 

config/profile.go

@@ -57,6 +57,7 @@ type Profile struct {
 	RamRoleName     string           `json:"ram_role_name,omitempty"`
 	RamRoleArn      string           `json:"ram_role_arn,omitempty"`
 	RoleSessionName string           `json:"ram_session_name,omitempty"`
+	ExternalId      string           `json:"external_id,omitempty"`
 	SourceProfile   string           `json:"source_profile,omitempty"`
 	PrivateKey      string           `json:"private_key,omitempty"`
 	KeyPairName     string           `json:"key_pair_name,omitempty"`
@@ -296,6 +297,7 @@ func (cp *Profile) GetCredential(ctx *cli.Context, proxyHost *string) (cred cred
 			SetRoleArn(cp.RamRoleArn).
 			SetRoleSessionName(cp.RoleSessionName).
 			SetRoleSessionExpiration(cp.ExpiredSeconds).
+			SetExternalId(cp.ExternalId).
 			SetSTSEndpoint(getSTSEndpoint(cp.StsRegion))
 
 		if cp.StsToken != "" {
@@ -367,6 +369,7 @@ func (cp *Profile) GetCredential(ctx *cli.Context, proxyHost *string) (cred cred
 			SetRoleArn(cp.RamRoleArn).
 			SetRoleSessionName(cp.RoleSessionName).
 			SetRoleSessionExpiration(cp.ExpiredSeconds).
+			SetExternalId(cp.ExternalId).
 			SetSTSEndpoint(getSTSEndpoint(cp.StsRegion))
 
 		if model.SecurityToken != nil {

oss/lib/allpart_size.go

@@ -100,6 +100,7 @@ var allPartSizeCommand = AllPartSizeCommand{
 			OptionTokenTimeout,
 			OptionRamRoleArn,
 			OptionRoleSessionName,
+			OptionExternalId,
 			OptionReadTimeout,
 			OptionConnectTimeout,
 			OptionSTSRegion,

oss/lib/append_file.go

@@ -155,6 +155,7 @@ var appendFileCommand = AppendFileCommand{
 			OptionTokenTimeout,
 			OptionRamRoleArn,
 			OptionRoleSessionName,
+			OptionExternalId,
 			OptionReadTimeout,
 			OptionConnectTimeout,
 			OptionSTSRegion,

oss/lib/bucket_access_monitor.go

@@ -126,6 +126,7 @@ var bucketAccessMonitorCommand = BucketAccessMonitorCommand{
 			OptionTokenTimeout,
 			OptionRamRoleArn,
 			OptionRoleSessionName,
+			OptionExternalId,
 			OptionReadTimeout,
 			OptionConnectTimeout,
 			OptionSTSRegion,

oss/lib/bucket_cname.go

@@ -245,6 +245,7 @@ var bucketCnameCommand = BucketCnameCommand{
 			OptionTokenTimeout,
 			OptionRamRoleArn,
 			OptionRoleSessionName,
+			OptionExternalId,
 			OptionReadTimeout,
 			OptionConnectTimeout,
 			OptionSTSRegion,

oss/lib/bucket_cors.go

@@ -151,6 +151,7 @@ var corsCommand = CorsCommand{
 			OptionTokenTimeout,
 			OptionRamRoleArn,
 			OptionRoleSessionName,
+			OptionExternalId,
 			OptionReadTimeout,
 			OptionConnectTimeout,
 			OptionSTSRegion,

oss/lib/bucket_encryption.go

@@ -140,6 +140,7 @@ var bucketEncryptionCommand = BucketEncryptionCommand{
 			OptionTokenTimeout,
 			OptionRamRoleArn,
 			OptionRoleSessionName,
+			OptionExternalId,
 			OptionReadTimeout,
 			OptionConnectTimeout,
 			OptionSTSRegion,

oss/lib/bucket_inventory.go

@@ -213,6 +213,7 @@ var bucketInventoryCommand = BucketInventoryCommand{
 			OptionTokenTimeout,
 			OptionRamRoleArn,
 			OptionRoleSessionName,
+			OptionExternalId,
 			OptionReadTimeout,
 			OptionConnectTimeout,
 			OptionSTSRegion,

oss/lib/bucket_lifecycle.go

@@ -169,6 +169,7 @@ var bucketLifeCycleCommand = BucketLifeCycleCommand{
 			OptionTokenTimeout,
 			OptionRamRoleArn,
 			OptionRoleSessionName,
+			OptionExternalId,
 			OptionReadTimeout,
 			OptionConnectTimeout,
 			OptionSTSRegion,

oss/lib/bucket_logging.go

@@ -130,6 +130,7 @@ var bucketLogCommand = BucketLogCommand{
 			OptionTokenTimeout,
 			OptionRamRoleArn,
 			OptionRoleSessionName,
+			OptionExternalId,
 			OptionReadTimeout,
 			OptionConnectTimeout,
 			OptionSTSRegion,

oss/lib/bucket_policy.go

@@ -167,6 +167,7 @@ var bucketPolicyCommand = BucketPolicyCommand{
 			OptionTokenTimeout,
 			OptionRamRoleArn,
 			OptionRoleSessionName,
+			OptionExternalId,
 			OptionReadTimeout,
 			OptionConnectTimeout,
 			OptionSTSRegion,

oss/lib/bucket_qos.go

@@ -156,6 +156,7 @@ var bucketQosCommand = BucketQosCommand{
 			OptionTokenTimeout,
 			OptionRamRoleArn,
 			OptionRoleSessionName,
+			OptionExternalId,
 			OptionReadTimeout,
 			OptionConnectTimeout,
 			OptionSTSRegion,

oss/lib/bucket_referer.go

@@ -136,6 +136,7 @@ var bucketRefererCommand = BucketRefererCommand{
 			OptionTokenTimeout,
 			OptionRamRoleArn,
 			OptionRoleSessionName,
+			OptionExternalId,
 			OptionReadTimeout,
 			OptionConnectTimeout,
 			OptionSTSRegion,

oss/lib/bucket_replication.go

@@ -225,6 +225,7 @@ var replicationCommand = ReplicationCommand{
 			OptionTokenTimeout,
 			OptionRamRoleArn,
 			OptionRoleSessionName,
+			OptionExternalId,
 			OptionReadTimeout,
 			OptionConnectTimeout,
 			OptionSTSRegion,

oss/lib/bucket_resource_group.go

@@ -126,6 +126,7 @@ var bucketResourceGroupCommand = BucketResourceGroupCommand{
 			OptionTokenTimeout,
 			OptionRamRoleArn,
 			OptionRoleSessionName,
+			OptionExternalId,
 			OptionReadTimeout,
 			OptionConnectTimeout,
 			OptionSTSRegion,

oss/lib/bucket_style.go

@@ -152,6 +152,7 @@ var bucketStyleCommand = BucketStyleCommand{
 			OptionTokenTimeout,
 			OptionRamRoleArn,
 			OptionRoleSessionName,
+			OptionExternalId,
 			OptionReadTimeout,
 			OptionConnectTimeout,
 			OptionSTSRegion,

oss/lib/bucket_tagging.go

@@ -120,6 +120,7 @@ var bucketTagCommand = BucketTagCommand{
 			OptionTokenTimeout,
 			OptionRamRoleArn,
 			OptionRoleSessionName,
+			OptionExternalId,
 			OptionReadTimeout,
 			OptionConnectTimeout,
 			OptionSTSRegion,

oss/lib/bucket_versioning.go

@@ -112,6 +112,7 @@ var bucketVersioningCommand = BucketVersioningCommand{
 			OptionTokenTimeout,
 			OptionRamRoleArn,
 			OptionRoleSessionName,
+			OptionExternalId,
 			OptionReadTimeout,
 			OptionConnectTimeout,
 			OptionSTSRegion,