feat: add RRSA (RAM roles) support for the OSS storage provider (#4831)

2026-01-13 23:01:04 +08:00
parent 9fb90fbb95
commit 4b663a437f
2 changed files with 48 additions and 4 deletions
--- a/go.mod
+++ b/go.mod
@@ -14,6 +14,8 @@ require (
 	github.com/alibabacloud-go/openapi-util v0.1.0
 	github.com/alibabacloud-go/tea v1.3.2
 	github.com/alibabacloud-go/tea-utils/v2 v2.0.7
+	github.com/aliyun/aliyun-oss-go-sdk v2.2.2+incompatible
+	github.com/aliyun/credentials-go v1.3.10
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.95.0
 	github.com/beego/beego/v2 v2.3.8
 	github.com/beevik/etree v1.1.0
@@ -110,8 +112,6 @@ require (
 	github.com/alibabacloud-go/tea-utils v1.3.6 // indirect
 	github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
 	github.com/aliyun/alibaba-cloud-sdk-go v1.62.545 // indirect
-	github.com/aliyun/aliyun-oss-go-sdk v2.2.2+incompatible // indirect
-	github.com/aliyun/credentials-go v1.3.10 // indirect
 	github.com/apistd/uni-go-sdk v0.0.2 // indirect
 	github.com/atc0005/go-teams-notify/v2 v2.13.0 // indirect
 	github.com/aws/aws-sdk-go v1.45.5 // indirect
--- a/storage/aliyun_oss.go
+++ b/storage/aliyun_oss.go
@@ -15,11 +15,55 @@
 package storage

 import (
-	"github.com/casdoor/oss"
+	"os"
+
+	"github.com/aliyun/aliyun-oss-go-sdk/oss"
+	"github.com/aliyun/credentials-go/credentials"
+	casdoorOss "github.com/casdoor/oss"
 	"github.com/casdoor/oss/aliyun"
 )

-func NewAliyunOssStorageProvider(clientId string, clientSecret string, region string, bucket string, endpoint string) oss.StorageInterface {
+func NewAliyunOssStorageProvider(clientId string, clientSecret string, region string, bucket string, endpoint string) casdoorOss.StorageInterface {
+	// Check if RRSA is available (empty credentials + environment variables set)
+	if (clientId == "" || clientId == "rrsa") &&
+		(clientSecret == "" || clientSecret == "rrsa") &&
+		os.Getenv("ALIBABA_CLOUD_ROLE_ARN") != "" {
+		// Use RRSA to get temporary credentials
+		config := &credentials.Config{}
+		config.SetType("oidc_role_arn")
+		config.SetRoleArn(os.Getenv("ALIBABA_CLOUD_ROLE_ARN"))
+		config.SetOIDCProviderArn(os.Getenv("ALIBABA_CLOUD_OIDC_PROVIDER_ARN"))
+		config.SetOIDCTokenFilePath(os.Getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE"))
+		config.SetRoleSessionName("casdoor-oss")
+
+		// Set STS endpoint if provided
+		if stsEndpoint := os.Getenv("ALIBABA_CLOUD_STS_ENDPOINT"); stsEndpoint != "" {
+			config.SetSTSEndpoint(stsEndpoint)
+		}
+
+		credential, err := credentials.NewCredential(config)
+		if err == nil {
+			accessKeyId, errId := credential.GetAccessKeyId()
+			accessKeySecret, errSecret := credential.GetAccessKeySecret()
+			securityToken, errToken := credential.GetSecurityToken()
+
+			if errId == nil && errSecret == nil && errToken == nil &&
+				accessKeyId != nil && accessKeySecret != nil && securityToken != nil {
+				// Successfully obtained RRSA credentials
+				sp := aliyun.New(&aliyun.Config{
+					AccessID:      *accessKeyId,
+					AccessKey:     *accessKeySecret,
+					Bucket:        bucket,
+					Endpoint:      endpoint,
+					ClientOptions: []oss.ClientOption{oss.SecurityToken(*securityToken)},
+				})
+				return sp
+			}
+		}
+		// If RRSA fails, fall through to static credentials (which will fail if empty)
+	}
+
+	// Use static credentials (existing behavior)
 	sp := aliyun.New(&aliyun.Config{
 		AccessID:  clientId,
 		AccessKey: clientSecret,