Version 3.25.5

zzq996 · zzq996 · commit f768e983cbb5 · 2025-05-29T10:56:46.000+08:00
diff --git a/README-Android.md b/README-Android.md
@@ -1,3 +1,7 @@
+Version 3.25.5
+New features:
+1. Added IMDSv2 logic
+-----------------------------------------------------------------------------------
 Version 3.25.4
 New features:
 1. Added logic to set okhttp callTimeout
diff --git a/README-Java.md b/README-Java.md
@@ -1,3 +1,7 @@
+Version 3.25.5
+New features:
+1. Added IMDSv2 logic
+-----------------------------------------------------------------------------------
 Version 3.25.4
 New features:
 1. Added logic to set okhttp callTimeout
diff --git a/README.MD b/README.MD
@@ -1,3 +1,7 @@
+Version 3.25.5
+New features:
+1. Added IMDSv2 logic
+-----------------------------------------------------------------------------------
 Version 3.25.4
 New features:
 1. Added logic to set okhttp callTimeout
diff --git a/README_CN.MD b/README_CN.MD
@@ -1,3 +1,7 @@
+Version 3.25.5
+New features:
+1. 支持IMDSv2
+-----------------------------------------------------------------------------------
 Version 3.25.4
 New features:
 1. 支持设置okhttp的callTimeout
diff --git a/app/src/main/java/com/obs/services/EcsObsCredentialsProvider.java b/app/src/main/java/com/obs/services/EcsObsCredentialsProvider.java
@@ -14,6 +14,8 @@
 
 package com.obs.services;
 
+import static com.obs.services.internal.security.EcsSecurityUtils.DEFAULT_METADATA_TOKEN_TTL_SECONDS;
+
 import java.io.IOException;
 import java.text.DateFormat;
 import java.text.ParseException;
@@ -38,6 +40,8 @@ public class EcsObsCredentialsProvider implements IObsCredentialsProvider {
     // default is -1, not retry
     private int maxRetryTimes = -1;
 
+    private int metadataTokenTTLSeconds = DEFAULT_METADATA_TOKEN_TTL_SECONDS;
+
     public EcsObsCredentialsProvider() {
         this.maxRetryTimes = 3;
     }
@@ -100,7 +104,7 @@ private void refresh(boolean ignoreException) {
 
     private LimitedTimeSecurityKey getNewSecurityKey() throws IOException, IllegalArgumentException {
 
-        String content = EcsSecurityUtils.getSecurityKeyInfoWithDetail();
+        String content = EcsSecurityUtils.getSecurityKeyInfoWithDetail(metadataTokenTTLSeconds);
         SecurityKey securityInfo = (SecurityKey) JSONChange.jsonToObj(new SecurityKey(), content);
 
         if (securityInfo == null) {
@@ -128,4 +132,12 @@ private LimitedTimeSecurityKey getNewSecurityKey() throws IOException, IllegalAr
         return new LimitedTimeSecurityKey(bean.getAccessKey(), bean.getSecretKey(), bean.getSecurityToken(),
                 expiryDate);
     }
+    public int getMetadataTokenTTLSeconds() {
+        return metadataTokenTTLSeconds;
+    }
+
+    public void setMetadataTokenTTLSeconds(int metadataTokenTTLSeconds) {
+        this.metadataTokenTTLSeconds = metadataTokenTTLSeconds;
+    }
+
 }
diff --git a/app/src/main/java/com/obs/services/internal/Constants.java b/app/src/main/java/com/obs/services/internal/Constants.java
@@ -239,7 +239,7 @@ public static class ObsBucketReplicationRequestParams {
 
     public static final TimeZone GMT_TIMEZONE = TimeZone.getTimeZone("GMT");
 
-    public static final String OBS_SDK_VERSION = "3.25.4";
+    public static final String OBS_SDK_VERSION = "3.25.5";
 
     public static final String USER_AGENT_VALUE = "obs-sdk-java/" + Constants.OBS_SDK_VERSION;
 
diff --git a/app/src/main/java/com/obs/services/internal/security/EcsSecurityUtils.java b/app/src/main/java/com/obs/services/internal/security/EcsSecurityUtils.java
@@ -15,20 +15,34 @@
 package com.obs.services.internal.security;
 
 import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
 import java.util.concurrent.TimeUnit;
 
+import com.obs.log.ILogger;
+import com.obs.log.LoggerBuilder;
+import com.obs.services.AbstractClient;
 import com.obs.services.internal.Constants;
 import com.obs.services.internal.utils.PropertyManager;
+import com.obs.services.model.HttpMethodEnum;
+
 import okhttp3.Call;
+import okhttp3.MediaType;
 import okhttp3.OkHttpClient;
 import okhttp3.Request;
+import okhttp3.RequestBody;
 import okhttp3.Response;
 
+
 public class EcsSecurityUtils {
     /**
      * Default root url for the openstack metadata apis.
      */
     private static final String OPENSTACK_METADATA_ROOT = "/openstack/latest";
+    /**
+     * Default root url for the metadata apis.
+     */
+    private static final String METADATA_ROOT = "/meta-data/latest";
 
     /**
      * Default endpoint for the ECS Instance Metadata Service.
@@ -46,13 +60,32 @@ public class EcsSecurityUtils {
             .writeTimeout(HTTP_CONNECT_TIMEOUT_VALUE, TimeUnit.MILLISECONDS)
             .readTimeout(HTTP_CONNECT_TIMEOUT_VALUE, TimeUnit.MILLISECONDS).build();
 
+    private static final String METADATA_TOKEN_HEADER_KEY = "X-Metadata-Token";
+    private static final String METADATA_TOKEN_TTL = METADATA_TOKEN_HEADER_KEY + "-Ttl-Seconds";
+    public static final int DEFAULT_METADATA_TOKEN_TTL_SECONDS = 21600;
+    private static final String METADATA_TOKEN_RESOURCE_PATH = METADATA_ROOT + "/api/token";
+    private static final String OPENSTACK_SECURITY_KEY_RESOURCE_PATH = OPENSTACK_METADATA_ROOT + "/securitykey";
+    private static final ILogger ILOG = LoggerBuilder.getLogger(AbstractClient.class);
     /**
      * Returns the temporary security credentials (access, secret,
      * securitytoken, and expires_at) associated with the IAM roles on the
      * instance.
      */
     public static String getSecurityKeyInfoWithDetail() throws IOException {
-        return getResourceWithDetail(getEndpointForECSMetadataService() + OPENSTACK_METADATA_ROOT + "/securitykey");
+        return getSecurityKeyInfoWithDetail(DEFAULT_METADATA_TOKEN_TTL_SECONDS);
+    }
+    
+    public static String getSecurityKeyInfoWithDetail(int metadataTokenTTLSeconds) throws IOException {
+        // try get metadataToken
+        String metadataApiToken = getMetadataApiToken(metadataTokenTTLSeconds);
+        String securityKeyResourcePath = getEndpointForECSMetadataService() + OPENSTACK_SECURITY_KEY_RESOURCE_PATH;
+        if(metadataApiToken.isEmpty()) {
+            // failed to get metadataToken(404 or 405), use IMDSv1
+            return getResourceWithDetail(securityKeyResourcePath);
+        } else {
+            // succeeded to get metadataToken(2xx), use IMDSv2
+            return getResourceWithDetailWithMetaDataToken(securityKeyResourcePath, metadataApiToken);
+        }
     }
 
     /**
@@ -85,7 +118,7 @@ private static String getResourceWithDetail(String endpoint) throws IOException
             }
 
             if (!(res.code() >= 200 && res.code() < 300)) {
-                String errorMessage = "Get securityKey form ECS failed, Code : " + res.code() + "; Headers : " + header
+                String errorMessage = "Get securityKey from ECS failed, Code : " + res.code() + "; Headers : " + header
                         + "; Content : " + content;
                 throw new IllegalArgumentException(errorMessage);
             }
@@ -97,4 +130,84 @@ private static String getResourceWithDetail(String endpoint) throws IOException
             }
         }
     }
+
+    private static String getMetadataApiToken(int metadataTokenTTLSeconds) throws IOException {
+        Map<String, String> headers = new HashMap<>();
+        headers.put(METADATA_TOKEN_TTL, String.valueOf(metadataTokenTTLSeconds));
+        ECSResult ecsResult =
+            executeEcsRequest(getEndpointForECSMetadataService() + METADATA_TOKEN_RESOURCE_PATH
+                , headers, HttpMethodEnum.PUT, "", null);
+        if(ecsResult.code == 404 || ecsResult.code == 405) {
+            ILOG.debug(METADATA_TOKEN_HEADER_KEY + " not supported," + ecsResult);
+            return "";
+        } else if (!(ecsResult.code >= 200 && ecsResult.code < 300)) {
+            String errorMessage = "Get " + METADATA_TOKEN_HEADER_KEY+ " with " +
+                METADATA_TOKEN_TTL + ":" + metadataTokenTTLSeconds
+                + " from ECS failed," + ecsResult;
+            ILOG.error(errorMessage);
+            throw new IllegalArgumentException(errorMessage);
+        } else {
+            ILOG.debug(METADATA_TOKEN_HEADER_KEY + " refreshed succeeded.");
+            return ecsResult.content;
+        }
+    }
+
+    private static String getResourceWithDetailWithMetaDataToken(String endpoint, String metadataApiToken) throws IOException {
+        Map<String, String> headers = new HashMap<>();
+        headers.put(METADATA_TOKEN_HEADER_KEY, metadataApiToken);
+        ECSResult ecsResult = executeEcsRequest(endpoint, headers, HttpMethodEnum.GET, "", null);
+        // if not 2xx, throw exception
+        if (!(ecsResult.code >= 200 && ecsResult.code < 300)) {
+            String errorMessage = "Get securityKey by " + METADATA_TOKEN_HEADER_KEY +
+                " from ECS failed," + ecsResult;
+            ILOG.error(errorMessage);
+            throw new IllegalArgumentException(errorMessage);
+        }
+        ILOG.debug("getResourceWithDetailWithMetaDataToken succeeded.");
+        return ecsResult.content;
+    }
+
+    private static ECSResult executeEcsRequest(String url, Map<String, String> headers,
+            HttpMethodEnum httpMethod, String body, MediaType contentType) throws IOException, IllegalArgumentException {
+        Request.Builder builder = new Request.Builder();
+        builder.header("Accept", "*/*");
+        headers.forEach(builder::header);
+        Request request;
+        if (httpMethod == HttpMethodEnum.PUT) {
+            request = builder.url(url).put(RequestBody.create(body, contentType)).build();
+        } else {
+            request = builder.url(url).get().build();
+        }
+        Call c = httpClient.newCall(request);
+        try (Response res = c.execute()) {
+            String header = "";
+            String content = "";
+            if (res.headers() != null) {
+                header = res.headers().toString();
+            }
+            if (res.body() != null) {
+                content = res.body().string();
+            }
+
+            return new ECSResult(res.code(), header, content);
+        }
+    }
+
+    private static class ECSResult {
+        public final int code;
+        public final String header;
+        public final String content;
+
+        public ECSResult(int code, String header, String content) {
+            this.code = code;
+            this.header = header;
+            this.content = content;
+        }
+
+        @Override
+        public String toString() {
+            return " Code : " + code + "; Headers : " + header
+                + "; Content : " + content;
+        }
+    }
 }
diff --git a/pom-android.xml b/pom-android.xml
@@ -4,7 +4,7 @@
 
 	<groupId>com.huaweicloud</groupId>
 	<artifactId>esdk-obs-android</artifactId>
-	<version>3.25.4</version>
+	<version>3.25.5</version>
 	<packaging>jar</packaging>
 
 	<name>OBS SDK for Android</name>
diff --git a/pom-java.xml b/pom-java.xml
@@ -4,7 +4,7 @@
 
     <groupId>com.huaweicloud</groupId>
     <artifactId>esdk-obs-java</artifactId>
-    <version>3.25.4</version>
+    <version>3.25.5</version>
     <packaging>jar</packaging>
 
     <name>OBS SDK for Java</name>
diff --git a/pom.xml b/pom.xml
@@ -4,7 +4,7 @@
 
     <groupId>com.huaweicloud</groupId>
     <artifactId>esdk-obs-java</artifactId>
-    <version>3.25.4</version>
+    <version>3.25.5</version>
     <packaging>jar</packaging>
 
     <name>OBS SDK for Java</name>
