UNPKG

@alicloud/fun/lib/ram.js

Version:

5.76 kBJavaScriptView Raw

1'use strict';
2
3const Ram = require('@alicloud/ram');
4const getProfile = require('./profile').getProfile;
5const promiseRetry = require('./retry');
6const { red } = require('colors');
7const debug = require('debug')('fun:ram');
8const _ = require('lodash');
9const { throwProcessedPopPermissionError } = require('./error-message');
10
11const FNF_ASSUME_ROLE_POLICY = {
'Statement': [
  {
    'Action': 'sts:AssumeRole',
    'Effect': 'Allow',
    'Principal': {
      'Service': [
        'fnf.aliyuncs.com'
      ]
    }
  }
],
'Version': '1'
24};
25
26const getRamClient = async () => {
const profile = await getProfile();

const ram = new Ram({
  accessKeyId: profile.accessKeyId,
  accessKeySecret: profile.accessKeySecret,
  endpoint: 'https://ram.aliyuncs.com',
  opts: {
    timeout: profile.timeout * 1000
  }
});
37
const realRequest = ram.request.bind(ram);
ram.request = async (action, params, options) => {
  try {
    return await realRequest(action, params, options);
  } catch (ex) {
    await throwProcessedPopPermissionError(ex, action);
    throw ex;
  }
};
return ram;
48};
49
50function normalizeRoleOrPoliceName(roleName) {
return roleName.replace(/_/g, '-');
52}
53
54async function deletePolicyNotDefaultVersion(ram, policyName) {
const listResponse = await ram.listPolicyVersions({
  PolicyType: 'Custom',
  PolicyName: policyName
});
  
const versions = (listResponse.PolicyVersions || {}).PolicyVersion;
if (versions) {
  for (let version of versions) {
    if (version.IsDefaultVersion === false) {
      await ram.deletePolicyVersion({
        PolicyName: policyName,
        VersionId: version.VersionId
      });
    }
  }
}
71}
72
73async function makePolicy(policyName, policyDocument) {
const ram = await getRamClient();

let exists = true;
77
await promiseRetry(async (retry, times) => {
  try {
    try {
      await ram.getPolicy({
        PolicyType: 'Custom',
        PolicyName: policyName
      });
    } catch (ex) {
      if (ex.code !== 'EntityNotExist.Policy') {
        throw ex;
      } else { exists = false; }
    }
      
    if (!exists) {
      await ram.createPolicy({
        PolicyName: policyName,
        Description: 'generated by fc fun',
        PolicyDocument: JSON.stringify(policyDocument)
      });
    } else {
      // avoid limitExceeded.Policy.Version
      await deletePolicyNotDefaultVersion(ram, policyName);
    
      await ram.createPolicyVersion({
        PolicyName: policyName,
        PolicyDocument: JSON.stringify(policyDocument), 
        SetAsDefault: true
      });
    }
  } catch (ex) {
    if (ex.code && ex.code === 'NoPermission') {
      throw ex;
    }
    console.log(red(`retry ${times} times`));
    retry(ex);
  }
});
115}
116
117async function attachPolicyToRole(policyName, roleName, policyType = 'System') { 
const ram = await getRamClient();
119
await promiseRetry(async (retry, times) => {
  try {
    const policies = await ram.listPoliciesForRole({
      RoleName: roleName
    });
    var policy = policies.Policies.Policy.find((item) => {
      return _.toLower(item.PolicyName) === _.toLower(policyName);
    });
    if (!policy) {
      await ram.attachPolicyToRole({
        PolicyType: policyType,
        PolicyName: policyName,
        RoleName: roleName
      });
    }
  } catch (ex) {
    if (ex.code && ex.code === 'NoPermission') {
      throw ex;
    }
    debug('error when attachPolicyToRole: %s, policyName %s, error is: \n%O', roleName, policyName, ex);
140
    console.log(red(`retry ${times} times`));
    retry(ex);
  }
});
145}
146
147async function getRamRole(ramClient, roleName) {
try {
  return await ramClient.getRole({
    RoleName: roleName
  });
} catch (ex) {
  debug('error when getRole: %s, error is: \n%O', roleName, ex);
  if (ex.name !== 'EntityNotExist.RoleError') {
    throw ex;
  }
}
158}  
159
160async function makeRole(roleName, createRoleIfNotExist, description = 'FunctionCompute Default Role', assumeRolePolicy) {

const ram = await getRamClient();
var role;
await promiseRetry(async (retry, times) => {
  try {      
    role = await getRamRole(ram, roleName);

    if (!assumeRolePolicy) {
      assumeRolePolicy = {
        'Statement': [
          {
            'Action': 'sts:AssumeRole',
            'Effect': 'Allow',
            'Principal': {
              'Service': [
                'fc.aliyuncs.com'
              ]
            }
          }
        ],
        'Version': '1'
      };
    }
184
    if (!role && createRoleIfNotExist) {
      role = await ram.createRole({
        RoleName: roleName,
        Description: description,
        AssumeRolePolicyDocument: JSON.stringify(assumeRolePolicy)
      });
    } else if (!role) {
      throw new Error(`role ${roleName} not exist`);
    }
  } catch (ex) {
    debug('error when makeRole: %s, error is: \n%O', roleName, ex);
196
    if (ex.code && ex.code.startsWith('InvalidParameter')) {
      throw ex;
    } else if (ex.code && ex.code === 'NoPermission') {
      throw ex;
    } else {
      console.log(red(`retry ${times} times`));
      retry(ex);
    }
  }
});
207
return role;
209}
210
211async function makeAndAttachPolicy(policyName, policyDocument, roleName) {
debug('begin makePolicy');
await makePolicy(policyName, policyDocument);
debug('begin attachPolicyToRole');
await attachPolicyToRole(policyName, roleName, 'Custom');
216}
217
218module.exports = {
makeRole, makePolicy, 
attachPolicyToRole, makeAndAttachPolicy,
normalizeRoleOrPoliceName,
FNF_ASSUME_ROLE_POLICY
223};
\No newline at end of file

1	`'use strict';`
2
3	`const Ram = require('@alicloud/ram');`
4	`const getProfile = require('./profile').getProfile;`
5	`const promiseRetry = require('./retry');`
6	`const { red } = require('colors');`
7	`const debug = require('debug')('fun:ram');`
8	`const _ = require('lodash');`
9	`const { throwProcessedPopPermissionError } = require('./error-message');`
10
11	`const FNF_ASSUME_ROLE_POLICY = {`
12	`'Statement': [`
13	`{`
14	`'Action': 'sts:AssumeRole',`
15	`'Effect': 'Allow',`
16	`'Principal': {`
17	`'Service': [`
18	`'fnf.aliyuncs.com'`
19	`]`
20	`}`
21	`}`
22	`],`
23	`'Version': '1'`
24	`};`
25
26	`const getRamClient = async () => {`
27	`const profile = await getProfile();`
28
29	`const ram = new Ram({`
30	`accessKeyId: profile.accessKeyId,`
31	`accessKeySecret: profile.accessKeySecret,`
32	`endpoint: 'https://ram.aliyuncs.com',`
33	`opts: {`
34	`timeout: profile.timeout * 1000`
35	`}`
36	`});`
37
38	`const realRequest = ram.request.bind(ram);`
39	`ram.request = async (action, params, options) => {`
40	`try {`
41	`return await realRequest(action, params, options);`
42	`} catch (ex) {`
43	`await throwProcessedPopPermissionError(ex, action);`
44	`throw ex;`
45	`}`
46	`};`
47	`return ram;`
48	`};`
49
50	`function normalizeRoleOrPoliceName(roleName) {`
51	`return roleName.replace(/_/g, '-');`
52	`}`
53
54	`async function deletePolicyNotDefaultVersion(ram, policyName) {`
55	`const listResponse = await ram.listPolicyVersions({`
56	`PolicyType: 'Custom',`
57	`PolicyName: policyName`
58	`});`
59
60	`const versions = (listResponse.PolicyVersions \|\| {}).PolicyVersion;`
61	`if (versions) {`
62	`for (let version of versions) {`
63	`if (version.IsDefaultVersion === false) {`
64	`await ram.deletePolicyVersion({`
65	`PolicyName: policyName,`
66	`VersionId: version.VersionId`
67	`});`
68	`}`
69	`}`
70	`}`
71	`}`
72
73	`async function makePolicy(policyName, policyDocument) {`
74	`const ram = await getRamClient();`
75
76	`let exists = true;`
77
78	`await promiseRetry(async (retry, times) => {`
79	`try {`
80	`try {`
81	`await ram.getPolicy({`
82	`PolicyType: 'Custom',`
83	`PolicyName: policyName`
84	`});`
85	`} catch (ex) {`
86	`if (ex.code !== 'EntityNotExist.Policy') {`
87	`throw ex;`
88	`} else { exists = false; }`
89	`}`
90
91	`if (!exists) {`
92	`await ram.createPolicy({`
93	`PolicyName: policyName,`
94	`Description: 'generated by fc fun',`
95	`PolicyDocument: JSON.stringify(policyDocument)`
96	`});`
97	`} else {`
98	`// avoid limitExceeded.Policy.Version`
99	`await deletePolicyNotDefaultVersion(ram, policyName);`
100
101	`await ram.createPolicyVersion({`
102	`PolicyName: policyName,`
103	`PolicyDocument: JSON.stringify(policyDocument),`
104	`SetAsDefault: true`
105	`});`
106	`}`
107	`} catch (ex) {`
108	`if (ex.code && ex.code === 'NoPermission') {`
109	`throw ex;`
110	`}`
111	console.log(red(`retry ${times} times`));
112	`retry(ex);`
113	`}`
114	`});`
115	`}`
116
117	`async function attachPolicyToRole(policyName, roleName, policyType = 'System') {`
118	`const ram = await getRamClient();`
119
120	`await promiseRetry(async (retry, times) => {`
121	`try {`
122	`const policies = await ram.listPoliciesForRole({`
123	`RoleName: roleName`
124	`});`
125	`var policy = policies.Policies.Policy.find((item) => {`
126	`return _.toLower(item.PolicyName) === _.toLower(policyName);`
127	`});`
128	`if (!policy) {`
129	`await ram.attachPolicyToRole({`
130	`PolicyType: policyType,`
131	`PolicyName: policyName,`
132	`RoleName: roleName`
133	`});`
134	`}`
135	`} catch (ex) {`
136	`if (ex.code && ex.code === 'NoPermission') {`
137	`throw ex;`
138	`}`
139	`debug('error when attachPolicyToRole: %s, policyName %s, error is: \n%O', roleName, policyName, ex);`
140
141	console.log(red(`retry ${times} times`));
142	`retry(ex);`
143	`}`
144	`});`
145	`}`
146
147	`async function getRamRole(ramClient, roleName) {`
148	`try {`
149	`return await ramClient.getRole({`
150	`RoleName: roleName`
151	`});`
152	`} catch (ex) {`
153	`debug('error when getRole: %s, error is: \n%O', roleName, ex);`
154	`if (ex.name !== 'EntityNotExist.RoleError') {`
155	`throw ex;`
156	`}`
157	`}`
158	`}`
159
160	`async function makeRole(roleName, createRoleIfNotExist, description = 'FunctionCompute Default Role', assumeRolePolicy) {`
161
162	`const ram = await getRamClient();`
163	`var role;`
164	`await promiseRetry(async (retry, times) => {`
165	`try {`
166	`role = await getRamRole(ram, roleName);`
167
168	`if (!assumeRolePolicy) {`
169	`assumeRolePolicy = {`
170	`'Statement': [`
171	`{`
172	`'Action': 'sts:AssumeRole',`
173	`'Effect': 'Allow',`
174	`'Principal': {`
175	`'Service': [`
176	`'fc.aliyuncs.com'`
177	`]`
178	`}`
179	`}`
180	`],`
181	`'Version': '1'`
182	`};`
183	`}`
184
185	`if (!role && createRoleIfNotExist) {`
186	`role = await ram.createRole({`
187	`RoleName: roleName,`
188	`Description: description,`
189	`AssumeRolePolicyDocument: JSON.stringify(assumeRolePolicy)`
190	`});`
191	`} else if (!role) {`
192	throw new Error(`role ${roleName} not exist`);
193	`}`
194	`} catch (ex) {`
195	`debug('error when makeRole: %s, error is: \n%O', roleName, ex);`
196
197	`if (ex.code && ex.code.startsWith('InvalidParameter')) {`
198	`throw ex;`
199	`} else if (ex.code && ex.code === 'NoPermission') {`
200	`throw ex;`
201	`} else {`
202	console.log(red(`retry ${times} times`));
203	`retry(ex);`
204	`}`
205	`}`
206	`});`
207
208	`return role;`
209	`}`
210
211	`async function makeAndAttachPolicy(policyName, policyDocument, roleName) {`
212	`debug('begin makePolicy');`
213	`await makePolicy(policyName, policyDocument);`
214	`debug('begin attachPolicyToRole');`
215	`await attachPolicyToRole(policyName, roleName, 'Custom');`
216	`}`
217
218	`module.exports = {`
219	`makeRole, makePolicy,`
220	`attachPolicyToRole, makeAndAttachPolicy,`
221	`normalizeRoleOrPoliceName,`
222	`FNF_ASSUME_ROLE_POLICY`
223	`};`
\	No newline at end of file