feat : sts

app/Cache/Redis/Admin/MenuCache.php

@@ -3,9 +3,8 @@
 namespace App\Cache\Redis\Admin;
 
 use App\Cache\Redis\RedisCache;
-use App\Constants\Admin\AuthCode;
 use App\Model\AdminMenu;
-use App\Service\ServiceTrait\AdminRoleMenuTrait;
+use App\Service\ServiceTrait\Admin\AdminRoleMenuTrait;
 use Hyperf\Di\Annotation\Inject;
 use Psr\Container\ContainerExceptionInterface;
 use Psr\Container\NotFoundExceptionInterface;

app/Cache/Redis/Admin/RoleCache.php

@@ -6,7 +6,7 @@ use App\Cache\Redis\RedisCache;
 use App\Constants\Admin\AuthCode;
 use App\Model\AdminMenu;
 use App\Model\AdminRoleMenu;
-use App\Service\ServiceTrait\AdminRoleMenuTrait;
+use App\Service\ServiceTrait\Admin\AdminRoleMenuTrait;
 use Hyperf\Di\Annotation\Inject;
 use Psr\Container\ContainerExceptionInterface;
 use Psr\Container\NotFoundExceptionInterface;

app/Controller/Admin/ThirdController.php

@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller\Admin;
+
+use App\Controller\AbstractController;
+use App\Middleware\Admin\JwtAuthMiddleware;
+use App\Service\Admin\Third\AliStsService;
+use Hyperf\HttpServer\Annotation\Controller;
+use Hyperf\HttpServer\Annotation\Middleware;
+use Hyperf\HttpServer\Annotation\RequestMapping;
+
+#[Controller(prefix: "admin/third")]
+class ThirdController extends AbstractController
+{
+    #[RequestMapping(path: "sts/accredit", methods: "GET")]
+    #[Middleware(JwtAuthMiddleware::class)]
+    public function aliSts()
+    {
+        return (new AliStsService)->handle();
+    }
+}

app/Lib/Log.php

@@ -18,7 +18,7 @@ class Log
      * @throws ContainerExceptionInterface
      * @throws NotFoundExceptionInterface
      */
-    private function getLogger(string $name = 'app',string $group = 'app')
+    private function getLogger(string $name = 'app',string $group = 'app'): LoggerInterface
     {
         return ApplicationContext::getContainer()->get(LoggerFactory::class)->get($name, $group);
     }

app/Service/Admin/Third/AliStsService.php

@@ -0,0 +1,99 @@
+<?php
+/**
+ * This service file is part of item.
+ *
+ * @author   ctexthuang
+ * @contact  ctexthuang@qq.com
+ */
+
+declare(strict_types=1);
+
+namespace App\Service\Admin\Third;
+
+use App\Service\Admin\BaseService;
+use App\Service\ServiceTrait\Common\AliStsTrait;
+use Psr\Container\ContainerExceptionInterface;
+use Psr\Container\NotFoundExceptionInterface;
+use function Hyperf\Config\config;
+
+class AliStsService extends BaseService
+{
+    use AliStsTrait;
+
+    /**
+     * 过期时间
+     * @var int
+     */
+    private int $seconds = 3600;
+
+    /**
+     * bucket
+     * @var string
+     */
+    private string $bucket;
+
+    /**
+     * 角色
+     * @var string
+     */
+    private string $roleArn;
+
+    public function __construct()
+    {
+        parent::__construct();
+        $this->bucket = config('ali.bucket');
+        $this->roleArn = config('ali.role_arn'); //acs:ram::1987853712163999:role/video-access
+    }
+
+    /**
+     * @return array
+     * @throws ContainerExceptionInterface
+     * @throws NotFoundExceptionInterface
+     */
+    public function handle(): array
+    {
+        $payload = [
+            'durationSeconds' => $this->seconds,
+            'roleArn' => $this->roleArn,
+            'roleSessionName' => 'adminUpload',
+            'policy' => [
+                'Version' => '1',
+                'Statement' => [
+                    [
+                        'Effect' => 'Allow',
+                        'Action' => [
+                            'oss:*'
+                        ],
+                        'Resource' => [
+                            sprintf('acs:oss:*:*:%s', $this->bucket),
+                            sprintf('acs:oss:*:*:%s/*', $this->bucket),
+                        ]
+                    ],
+                    [
+                        'Effect' => 'Deny',
+                        'Action' => [
+                            'oss:DeleteBucket'
+                        ],
+                        'Resource' => [
+                            sprintf('acs:oss:*:*:%s', $this->bucket),
+                        ]
+                    ],
+                    [
+                        'Effect' => 'Allow',
+                        'Action' => [
+                            'oss:DeleteObject'
+                        ],
+                        'Resource' => [
+                            sprintf('acs:oss:*:*:%s/*', $this->bucket),
+                        ]
+                    ],
+
+                ],
+            ]
+        ];
+
+        $res = $this->getAliStsControls($payload);
+        $this->log->info(__CLASS__.__FUNCTION__.':'.json_encode($res));
+        return $this->return->success();
+    }
+}

app/Service/ServiceTrait/Admin/AdminRoleMenuTrait.php

@@ -8,7 +8,7 @@
 
 declare(strict_types=1);
 
-namespace App\Service\ServiceTrait;
+namespace App\Service\ServiceTrait\Admin;
 
 use App\Constants\Admin\AuthCode;
 

app/Service/ServiceTrait/Common/AliStsTrait.php

@@ -0,0 +1,66 @@
+<?php
+/**
+ * This service file is part of item.
+ *
+ * @author   ctexthuang
+ * @contact  ctexthuang@qq.com
+ */
+
+declare(strict_types=1);
+
+namespace App\Service\ServiceTrait\Common;
+
+use AlibabaCloud\SDK\Sts\V20150401\Models\AssumeRoleRequest;
+use AlibabaCloud\SDK\Sts\V20150401\Sts;
+use AlibabaCloud\Tea\Utils\Utils\RuntimeOptions;
+use App\Lib\Log;
+use Darabonba\OpenApi\Models\Config;
+use Exception;
+use Hyperf\Di\Annotation\Inject;
+use Psr\Container\ContainerExceptionInterface;
+use Psr\Container\NotFoundExceptionInterface;
+use function Hyperf\Config\config;
+
+trait AliStsTrait
+{
+    /**
+     * @var Log
+     */
+    #[Inject]
+    protected Log $log;
+
+    /**
+     * 创建客户端
+     * @return Sts
+     */
+    protected function createClient(): Sts
+    {
+        $config = new Config([
+            "accessKeyId" => config('ali.accessKeyId'),
+            "accessKeySecret" => config('ali.accessKeySecret')
+        ]);
+        $config->endpoint = config('ali.sts_endpoint');
+
+        return new Sts($config);
+    }
+
+    /**
+     * 获取 ali sts 控制器
+     * @param $payload
+     * @return Sts|void
+     * @throws ContainerExceptionInterface
+     * @throws NotFoundExceptionInterface
+     */
+    public function getAliStsControls($payload){
+        $client = self::createClient();
+        $assumeRoleRequest = new AssumeRoleRequest($payload);
+        $runtime = new RuntimeOptions([]);
+        try {
+            $client->assumeRoleWithOptions($assumeRoleRequest, $runtime);
+
+            return $client;
+        } catch (Exception $error) {
+            $this->log->error(__CLASS__.__FUNCTION__.'-'.__LINE__, [$error->getMessage()]);
+        }
+    }
+}

composer.json

@@ -13,7 +13,7 @@
     "license": "Apache-2.0",
     "require": {
         "php": ">=8.3",
-        "alibabacloud/sts-20150401": "^1.1",
+        "alibabacloud/sts-20150401": "1.1.4",
         "aliyuncs/oss-sdk-php": "^2.7",
         "firebase/php-jwt": "^6.10",
         "hyperf/amqp": "~3.1.0",

config/autoload/ali.php

@@ -14,17 +14,21 @@ use function Hyperf\Support\env;
 
 return [
     // 阿里云 accessKeyId
-    'access_key_id' => env('ALI_ACCESS_KEY_ID', ''),
+    'access_key_id' => env('ALI_ACCESS_KEY_ID', 'LTAI5tFsBsKskcrRmkjpMXay'),
     // 阿里云 accessKeySecret
-    'access_key_secret' => env('ALI_ACCESS_KEY_SECRET', ''),
+    'access_key_secret' => env('ALI_ACCESS_KEY_SECRET', 'YSIMtOGLu7W8tpQLKdgioTUYmgXB8M'),
     // 阿里云 oss bucket
-    'bucket' => env('ALI_BUCKET', ''),
+    'bucket' => env('ALI_BUCKET', 'hhl-catering'),
     // 阿里云 oss region
     'region' => env('ALI_REGION', 'cn-shenzhen'),
     // 阿里云 oss 临时上传目录
-    'upload_dir' => env('ALI_UPLOAD_DIR', ''),
+    'upload_dir' => env('ALI_UPLOAD_DIR', '/tmp/upload'),
     // 阿里云 oss 回调地址
-    'callback_url' => env('ALI_CALLBACK_URL', ''),
+    'callback_url' => env('ALI_CALLBACK_URL', 'https://xxx.xxx.com/common/third/oss/callback'),
     // 阿里云 oss 外网访问地址
-    'oss_url' => env('ALI_OSS_URL', ''),
+    'oss_url' => env('ALI_OSS_URL', 'https://playlet-video-asset.oss-cn-shenzhen.aliyuncs.com/'),
+    // 阿里云 sts 访问端点
+    'sts_endpoint' => env('ALI_STS_ENDPOINT', 'sts.cn-shenzhen.aliyuncs.com'),
+    // 阿里云 sts 角色
+    'role_arn' => env('ALI_ROLE_ARN', 'acs:ram::1644087445786901:role/oss'),
 ];

sync/http/admin/auth.http

@@ -109,4 +109,9 @@ Authorization: Bearer {{admin_token}}
 ### 账号重置密码
 GET {{host}}/admin/employee/reset_password?id=2
 Content-Type: application/x-www-form-urlencoded
+Authorization: Bearer {{admin_token}}
+
+### ali sts 临时授权
+GET {{host}}/admin/third/sts/accredit
+Content-Type: application/x-www-form-urlencoded
 Authorization: Bearer {{admin_token}}