1 | 'use strict';
|
/**
 * Compiler-emitted helper that runs a generator function as an asynchronous routine.
 *
 * Each yielded value is wrapped in a promise; its settlement is fed back into the
 * generator through `next` (fulfilled) or `throw` (rejected). The returned promise
 * resolves with the generator's return value and rejects with anything it throws.
 *
 * @param {*} thisArg - `this` binding for the generator function.
 * @param {Array|undefined} _arguments - Arguments for the generator function (defaults to none).
 * @param {Function|undefined} P - Promise constructor to use (defaults to the global Promise).
 * @param {Function} generator - Generator function to drive.
 * @returns {Promise<*>} Promise for the generator's final value.
 */
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
    const PromiseImpl = P || Promise;
    return new PromiseImpl((resolve, reject) => {
        let iterator;
        const advance = (result) => {
            if (result.done) {
                resolve(result.value);
                return;
            }
            // Wrapping the yielded value lets plain values and thenables be awaited alike.
            new PromiseImpl((settle) => { settle(result.value); }).then(onFulfilled, onRejected);
        };
        const onFulfilled = (value) => {
            try {
                advance(iterator.next(value));
            } catch (e) {
                reject(e);
            }
        };
        const onRejected = (reason) => {
            try {
                advance(iterator.throw(reason));
            } catch (e) {
                reject(e);
            }
        };
        iterator = generator.apply(thisArg, _arguments || []);
        advance(iterator.next());
    });
};
|
10 | const { getProfile } = require('./profile');
|
11 | const { red } = require('colors');
|
/**
 * Re-throws `ex`, replacing a RAM "forbidden" error with a hint about the missing policy.
 *
 * @param {Error} ex - Error raised by the failed call; its `code` selects the branch.
 * @param {string} policyName - Policy named in the hint.
 * @throws {Error} Always: a new Error carrying the hint when `ex.code` is 'Forbidden.RAM',
 *   otherwise `ex` itself.
 */
function throwProcessedException(ex, policyName) {
    if (ex.code !== 'Forbidden.RAM') {
        throw ex;
    }
    // The replacement Error does not carry the service's message, so it is written to stderr first.
    console.error(`\n${ex.message}`);
    // Of the options the hint lists, the scoped policy and the service Role keep the grant
    // narrower than running with the primary account.
    const hint = `\nMaybe you need grant ${policyName} policy to the sub-account or use the primary account.\nIf you don’t want use the ${policyName} policy or primary account, you can also specify the Role property for Service.`;
    throw new Error(hint);
}
|
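/**
 * Prints a RAM policy suggestion for a permission error, then re-throws the error.
 *
 * The error is treated as a permission error only when it carries a `url` and a `code`
 * of 'NoPermission', 'Forbidden.RAM' or one containing 'Forbbiden'. Anything else is
 * re-thrown untouched.
 *
 * @param {Error} ex - Error from the failed request; `code`, `url` and `data.Message` are read.
 * @param {string} action - API action name, prefixed here with the product taken from `ex.url`.
 * @returns {Promise<never>} Always rejects with `ex`.
 */
function throwProcessedPopPermissionError(ex, action) {
    return __awaiter(this, void 0, void 0, function* () {
        // A non-string code cannot be one of the permission codes. Checking the type first
        // keeps the `.includes` call below from raising a TypeError that would hide `ex`.
        if (typeof ex.code !== 'string' || !ex.url) {
            throw ex;
        }
        // 'Forbbiden' is spelled as in the original check; presumably it mirrors the code
        // the service returns — confirm before "correcting" it.
        const isPermissionError = ex.code === 'NoPermission'
            || ex.code === 'Forbidden.RAM'
            || ex.code.includes('Forbbiden');
        if (!isPermissionError) {
            throw ex;
        }
        // Loose on purpose: the dots are unescaped and the pattern is unanchored. It only
        // extracts a product name for the hint and is not suitable for validating a host.
        const productMatch = /https?:\/\/([a-zA-Z]*).(.*)aliyuncs.com/.exec(ex.url);
        if (!productMatch) {
            throw ex;
        }
        let grantedAction = `${productMatch[1]}:${action}`;
        // Without a resource in the service message the suggested policy covers every
        // resource ('*'); it should be narrowed before it is applied.
        let resource = '*';
        const detail = ex.data && ex.data.Message
            ? /Resource: (.*) Action: (.*)/.exec(ex.data.Message)
            : null;
        if (detail) {
            // The service's own wording wins over the values derived above.
            resource = detail[1];
            grantedAction = detail[2];
        }
        const policyName = generatePolicyName(grantedAction);
        printPermissionTip(policyName, grantedAction, resource);
        throw ex;
    });
}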
|
/**
 * Prints a RAM policy suggestion for an 'AccessDenied' error, then re-throws the error.
 *
 * The action and resource are taken from the error message; errors with another code,
 * no message, or a message in a different shape are re-thrown untouched.
 *
 * @param {Error} ex - Error from the failed call; `code` and `message` are read.
 * @param {...string} resourceArr - Name parts appended to the generated policy name.
 * @returns {Promise<never>} Always rejects (with `ex` on every path visible here).
 */
function throwProcessedFCPermissionError(ex, ...resourceArr) {
    return __awaiter(this, void 0, void 0, function* () {
        const isAccessDenied = ex.code === 'AccessDenied' && Boolean(ex.message);
        if (!isAccessDenied) {
            throw ex;
        }
        const denied = /the caller is not authorized to perform '(.*)' on resource '(.*)'/.exec(ex.message);
        if (denied === null) {
            throw ex;
        }
        // NOTE(review): if getProfile() rejects, that rejection replaces `ex` — confirm this is intended.
        const profile = yield getProfile();
        const [, action, resource] = denied;
        const policyName = generatePolicyName(action, profile.defaultRegion, ...resourceArr);
        printPermissionTip(policyName, action, resource);
        throw ex;
    });
}
|
/**
 * Prints a RAM policy suggestion for an 'Unauthorized' error, then re-throws the error.
 *
 * The action and resource are parsed out of the error message; errors with another code,
 * no message, or a message in a different shape are re-thrown untouched.
 *
 * @param {Error} ex - Error from the failed call; `code` and `message` are read.
 * @returns {Promise<never>} Always rejects with `ex`.
 */
function throwProcessedSLSPermissionError(ex) {
    return __awaiter(this, void 0, void 0, function* () {
        const isUnauthorized = ex.code === 'Unauthorized' && Boolean(ex.message);
        if (!isUnauthorized) {
            throw ex;
        }
        const parsed = /action: (.*), resource: (.*)/.exec(ex.message);
        if (parsed === null) {
            throw ex;
        }
        const [, action, resource] = parsed;
        printPermissionTip(generatePolicyName(action), action, resource);
        throw ex;
    });
}
|
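/**
 * Writes to stderr the `aliyun ram` commands that would grant `action` on `resource`.
 *
 * The commands are meant to be pasted into a shell, and the callers in this file pass
 * `action` and `resource` as text captured from service error messages. Both command
 * arguments built from them are therefore escaped for a double-quoted shell word.
 *
 * @param {string} policyName - Name for the policy to create and attach.
 * @param {string} action - Action to allow.
 * @param {string} resource - Resource the action is allowed on.
 * @returns {void}
 */
function printPermissionTip(policyName, action, resource) {
    // Inside double quotes a POSIX shell still interprets backslash, double quote, dollar
    // and backtick. Escaping only the double quote left the other three live and produced
    // a broken argument whenever a value contained a quote or a backslash.
    const escapeForDoubleQuotes = (value) => String(value).replace(/[\\"$`]/g, '\\$&');
    const policy = {
        'Version': '1',
        'Statement': [
            {
                'Effect': 'Allow',
                'Action': [action],
                'Resource': [resource]
            }
        ]
    };
    const policyDocument = escapeForDoubleQuotes(JSON.stringify(policy));
    const quotedName = escapeForDoubleQuotes(policyName);
    console.error(red(`\nYou can run the following commands to grant permission '${action}' on '${resource}' `));
    console.error(red('Via the link: https://shell.aliyun.com/ or aliyun cli'));
    console.error(red('(Note: aliyun cli tool needs to be configured with credentials that have related RAM permissions, such as primary account\'s AK)'));
    console.error(red('\n1. Create Policy'));
    console.error(red(`aliyun ram CreatePolicy --PolicyName "${quotedName}" --PolicyDocument "${policyDocument}"`));
    console.error(red('\n2. Attach Policy To User'));
    console.error(red(`aliyun ram AttachPolicyToUser --PolicyName "${quotedName}" --PolicyType "Custom" --UserName "YOUR_USER_NAME"\n`));
}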
|
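/**
 * Builds a policy name of the form `fun-generated-<action>-<suffix>`.
 *
 * The suffix is the given name parts joined with '-', or a short random string when none
 * are given. The random string only keeps generated names apart; it is not a secret.
 *
 * The name is built from text that callers in this file capture from service error
 * messages, and printPermissionTip places it in a shell command. Every character other
 * than a letter, digit or hyphen is therefore replaced with '-'.
 * NOTE(review): RAM policy names are believed to accept only that character set —
 * confirm against the RAM CreatePolicy reference.
 *
 * @param {string} action - Action the policy allows, e.g. `product:Action`.
 * @param {...string} resourceArr - Optional name parts for the suffix.
 * @returns {string} The generated policy name.
 */
function generatePolicyName(action, ...resourceArr) {
    const suffix = resourceArr.length > 0
        ? resourceArr.join('-')
        : Math.random().toString(36).slice(-8);
    return `fun-generated-${action}-${suffix}`.replace(/[^A-Za-z0-9-]/g, '-');
}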
|
// Public surface of this module: the error post-processors. Each one either re-throws
// the error it was given or rejects with it after printing a permission hint.
module.exports = {
    throwProcessedException: throwProcessedException,
    throwProcessedPopPermissionError: throwProcessedPopPermissionError,
    throwProcessedFCPermissionError: throwProcessedFCPermissionError,
    throwProcessedSLSPermissionError: throwProcessedSLSPermissionError
};
|