LookupEnv
Minio 支持两种类型的环境变量:本地和远程。当需要一个环境变量配置时,首先从本地环境变量中获取 key 对应的取值 value。如果 value 以 env 开头,则使用 value 作为远端服务器地址,执行远程获取操作;如果从远程失败,则检查本地是否有 **_key 开始的环境变量,如果有,返回;如果远程获取成功,更新本地 _key** 对应环境变量。
func LookupEnv(key string) (string, string, string, bool) {v, ok := os.LookupEnv(key)if ok && strings.HasPrefix(v, webEnvScheme) {// If env value starts with `env*://`// continue to parse and fetch from remotevar err errorv, user, pwd, err := getEnvValueFromHTTP(strings.TrimSpace(v), key)if err != nil {env, eok := os.LookupEnv("_" + key)if eok {// fallback to cached value if-any.return env, user, pwd, eok}}// Set the ENV value to _env value,// this value is a fallback in-case of// server restarts when webhook server// is down.os.Setenv("_"+key, v)return v, user, pwd, true}return v, "", "", ok}
Get From Remote
getEnvValueFromHTTP 方法尝试从远端获取环境变量的取值,传入参数位本地环境变量 key 对应的取值 value。第一步,从 value 中解析 URL
u, err := url.Parse(urlStr)if err != nil {return "", "", "", err}switch u.Scheme {case webEnvScheme:u.Scheme = "http"case webEnvSchemeSecure:u.Scheme = "https"default:return "", "", "", errors.New("invalid arguments")}
接下来,从 URL 中获取用户名、密码等信息
username, password, envURL, err := fetchHTTPConstituentParts(u)if err != nil {return "", "", "", err}
获取用户名、密码和实际 URL 的操作比较简单,通过正则匹配即可,L14 拼接真实 URL
var (hostKeys = regexp.MustCompile("^(https?://)(.*?):(.*?)@(.*?)$"))func fetchHTTPConstituentParts(u *url.URL) (username string, password string, envURL string, err error) {envURL = u.String()if hostKeys.MatchString(envURL) {parts := hostKeys.FindStringSubmatch(envURL)if len(parts) != 5 {return "", "", "", errors.New("invalid arguments")}username = parts[2]password = parts[3]envURL = fmt.Sprintf("%s%s", parts[1], parts[4])}if username == "" && password == "" && u.User != nil {username = u.User.Username()password, _ = u.User.Password()}return username, password, envURL, nil}
然后构建请求内容
req, err := http.NewRequestWithContext(ctx, http.MethodGet, envURL+"?key="+envKey, nil)if err != nil {return "", "", "", err}
设置身份鉴定
skey, err := jwk.New([]byte(password))if err != nil {return "", "", "", err}skey.Set(jwk.AlgorithmKey, jwa.HS512)skey.Set(jwk.KeyIDKey, "minio")token := jwt.New()t := time.Now().Add(15 * time.Minute)if err = token.Set(jwt.IssuerKey, username); err != nil {return "", "", "", err}if err = token.Set(jwt.SubjectKey, envKey); err != nil {return "", "", "", err}if err = token.Set(jwt.ExpirationKey, t.Unix()); err != nil {return "", "", "", err}signed, err := jwt.Sign(token, jwa.HS512, skey)if err != nil {return "", "", "", err}req.Header.Set("Authorization", "Bearer "+string(signed))
最后,执行请求,并返回。
clnt := &http.Client{Transport: &http.Transport{Proxy: http.ProxyFromEnvironment,DialContext: (&net.Dialer{Timeout: 3 * time.Second,KeepAlive: 5 * time.Second,}).DialContext,ResponseHeaderTimeout: 3 * time.Second,TLSHandshakeTimeout: 3 * time.Second,ExpectContinueTimeout: 3 * time.Second,TLSClientConfig: &tls.Config{RootCAs: globalRootCAs,},// Go net/http automatically unzip if content-type is// gzip disable this feature, as we are always interested// in raw stream.DisableCompression: true,},}resp, err := clnt.Do(req)if err != nil {return "", "", "", err}envValueBytes, err := ioutil.ReadAll(resp.Body)if err != nil {return "", "", "", err}return string(envValueBytes), username, password, nil
若有收获,就点个赞吧
0 人点赞
