LookupEnv
Minio 支持两种类型的环境变量:本地和远程。当需要一个环境变量配置时,首先从本地环境变量中获取 key 对应的取值 value。如果 value 以 env 开头,则使用 value 作为远端服务器地址,执行远程获取操作;如果从远程失败,则检查本地是否有 **_key 开始的环境变量,如果有,返回;如果远程获取成功,更新本地 _key** 对应环境变量。
func LookupEnv(key string) (string, string, string, bool) {
v, ok := os.LookupEnv(key)
if ok && strings.HasPrefix(v, webEnvScheme) {
// If env value starts with `env*://`
// continue to parse and fetch from remote
var err error
v, user, pwd, err := getEnvValueFromHTTP(strings.TrimSpace(v), key)
if err != nil {
env, eok := os.LookupEnv("_" + key)
if eok {
// fallback to cached value if-any.
return env, user, pwd, eok
}
}
// Set the ENV value to _env value,
// this value is a fallback in-case of
// server restarts when webhook server
// is down.
os.Setenv("_"+key, v)
return v, user, pwd, true
}
return v, "", "", ok
}
Get From Remote
getEnvValueFromHTTP 方法尝试从远端获取环境变量的取值,传入参数位本地环境变量 key 对应的取值 value。第一步,从 value 中解析 URL
u, err := url.Parse(urlStr)
if err != nil {
return "", "", "", err
}
switch u.Scheme {
case webEnvScheme:
u.Scheme = "http"
case webEnvSchemeSecure:
u.Scheme = "https"
default:
return "", "", "", errors.New("invalid arguments")
}
接下来,从 URL 中获取用户名、密码等信息
username, password, envURL, err := fetchHTTPConstituentParts(u)
if err != nil {
return "", "", "", err
}
获取用户名、密码和实际 URL 的操作比较简单,通过正则匹配即可,L14 拼接真实 URL
var (
hostKeys = regexp.MustCompile("^(https?://)(.*?):(.*?)@(.*?)$")
)
func fetchHTTPConstituentParts(u *url.URL) (username string, password string, envURL string, err error) {
envURL = u.String()
if hostKeys.MatchString(envURL) {
parts := hostKeys.FindStringSubmatch(envURL)
if len(parts) != 5 {
return "", "", "", errors.New("invalid arguments")
}
username = parts[2]
password = parts[3]
envURL = fmt.Sprintf("%s%s", parts[1], parts[4])
}
if username == "" && password == "" && u.User != nil {
username = u.User.Username()
password, _ = u.User.Password()
}
return username, password, envURL, nil
}
然后构建请求内容
req, err := http.NewRequestWithContext(ctx, http.MethodGet, envURL+"?key="+envKey, nil)
if err != nil {
return "", "", "", err
}
设置身份鉴定
skey, err := jwk.New([]byte(password))
if err != nil {
return "", "", "", err
}
skey.Set(jwk.AlgorithmKey, jwa.HS512)
skey.Set(jwk.KeyIDKey, "minio")
token := jwt.New()
t := time.Now().Add(15 * time.Minute)
if err = token.Set(jwt.IssuerKey, username); err != nil {
return "", "", "", err
}
if err = token.Set(jwt.SubjectKey, envKey); err != nil {
return "", "", "", err
}
if err = token.Set(jwt.ExpirationKey, t.Unix()); err != nil {
return "", "", "", err
}
signed, err := jwt.Sign(token, jwa.HS512, skey)
if err != nil {
return "", "", "", err
}
req.Header.Set("Authorization", "Bearer "+string(signed))
最后,执行请求,并返回。
clnt := &http.Client{
Transport: &http.Transport{
Proxy: http.ProxyFromEnvironment,
DialContext: (&net.Dialer{
Timeout: 3 * time.Second,
KeepAlive: 5 * time.Second,
}).DialContext,
ResponseHeaderTimeout: 3 * time.Second,
TLSHandshakeTimeout: 3 * time.Second,
ExpectContinueTimeout: 3 * time.Second,
TLSClientConfig: &tls.Config{
RootCAs: globalRootCAs,
},
// Go net/http automatically unzip if content-type is
// gzip disable this feature, as we are always interested
// in raw stream.
DisableCompression: true,
},
}
resp, err := clnt.Do(req)
if err != nil {
return "", "", "", err
}
envValueBytes, err := ioutil.ReadAll(resp.Body)
if err != nil {
return "", "", "", err
}
return string(envValueBytes), username, password, nil