feat: add RRSA (RAM roles) support for the OSS storage provider (#4831)

This commit is contained in:
gufeiyan1215
2026-01-13 23:01:04 +08:00
committed by GitHub
parent 9fb90fbb95
commit 4b663a437f
2 changed files with 48 additions and 4 deletions

4
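--- a/go.mod
+++ b/go.mod
@@ -14,6 +14,8 @@ require (
 github.com/alibabacloud-go/openapi-util v0.1.0
 github.com/alibabacloud-go/tea v1.3.2
 github.com/alibabacloud-go/tea-utils/v2 v2.0.7
+github.com/aliyun/aliyun-oss-go-sdk v2.2.2+incompatible
+github.com/aliyun/credentials-go v1.3.10
 github.com/aws/aws-sdk-go-v2/service/s3 v1.95.0
 github.com/beego/beego/v2 v2.3.8
 github.com/beevik/etree v1.1.0
@@ -110,8 +112,6 @@ require (
 github.com/alibabacloud-go/tea-utils v1.3.6 // indirect
 github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
 github.com/aliyun/alibaba-cloud-sdk-go v1.62.545 // indirect
-github.com/aliyun/aliyun-oss-go-sdk v2.2.2+incompatible // indirect
-github.com/aliyun/credentials-go v1.3.10 // indirect
 github.com/apistd/uni-go-sdk v0.0.2 // indirect
 github.com/atc0005/go-teams-notify/v2 v2.13.0 // indirect
 github.com/aws/aws-sdk-go v1.45.5 // indirect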


@@ -15,11 +15,55 @@
package storage package storage
import ( import (
"github.com/casdoor/oss" "os"
"github.com/aliyun/aliyun-oss-go-sdk/oss"
"github.com/aliyun/credentials-go/credentials"
casdoorOss "github.com/casdoor/oss"
"github.com/casdoor/oss/aliyun" "github.com/casdoor/oss/aliyun"
) )
func NewAliyunOssStorageProvider(clientId string, clientSecret string, region string, bucket string, endpoint string) oss.StorageInterface { func NewAliyunOssStorageProvider(clientId string, clientSecret string, region string, bucket string, endpoint string) casdoorOss.StorageInterface {
// Check if RRSA is available (empty credentials + environment variables set)
if (clientId == "" || clientId == "rrsa") &&
(clientSecret == "" || clientSecret == "rrsa") &&
os.Getenv("ALIBABA_CLOUD_ROLE_ARN") != "" {
// Use RRSA to get temporary credentials
config := &credentials.Config{}
config.SetType("oidc_role_arn")
config.SetRoleArn(os.Getenv("ALIBABA_CLOUD_ROLE_ARN"))
config.SetOIDCProviderArn(os.Getenv("ALIBABA_CLOUD_OIDC_PROVIDER_ARN"))
config.SetOIDCTokenFilePath(os.Getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE"))
config.SetRoleSessionName("casdoor-oss")
// Set STS endpoint if provided
if stsEndpoint := os.Getenv("ALIBABA_CLOUD_STS_ENDPOINT"); stsEndpoint != "" {
config.SetSTSEndpoint(stsEndpoint)
}
credential, err := credentials.NewCredential(config)
if err == nil {
accessKeyId, errId := credential.GetAccessKeyId()
accessKeySecret, errSecret := credential.GetAccessKeySecret()
securityToken, errToken := credential.GetSecurityToken()
if errId == nil && errSecret == nil && errToken == nil &&
accessKeyId != nil && accessKeySecret != nil && securityToken != nil {
// Successfully obtained RRSA credentials
sp := aliyun.New(&aliyun.Config{
AccessID: *accessKeyId,
AccessKey: *accessKeySecret,
Bucket: bucket,
Endpoint: endpoint,
ClientOptions: []oss.ClientOption{oss.SecurityToken(*securityToken)},
})
return sp
}
}
// If RRSA fails, fall through to static credentials (which will fail if empty)
}
// Use static credentials (existing behavior)
sp := aliyun.New(&aliyun.Config{ sp := aliyun.New(&aliyun.Config{
AccessID: clientId, AccessID: clientId,
AccessKey: clientSecret, AccessKey: clientSecret,