hatter/ts-scripts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update openclaw secret

Browse Source
This commit is contained in:
Hatter Jiang
2026-03-08 22:44:12 +08:00
parent dbdc022fb3
commit 25f7fdd6d6
2 changed files with 136 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

130
libraries/deno-commons-mod.ts
View File

@@ -1249,3 +1249,133 @@ export async function fetchFileWithCache(
throw e;
}
}
interface AlibabaCloudInstanceIdentityAudienceMeta {
version: 1 | number;
issuedAtMs: number;
expiresAtMs: number;
purpose: string;
}
export type AlibabaCloudInstanceIdentityMode = "normal" | "secured";
// https://help.aliyun.com/zh/ecs/user-guide/use-instance-identities
export async function fetchAlibabaCloudInstanceIdentityV1(
purpose: string,
mode?: AlibabaCloudInstanceIdentityMode,
): Promise<string> {
let metaDataToken = null;
if (!mode) {
mode = getEnv("ALIBABA_CLOUD_INSTANCE_IDENTITY_MODE");
}
if (mode === "secured") {
const tokenResponse = await fetchDataWithTimeout(
"http://100.100.100.200/latest/api/token",
{
method: "PUT",
headers: {
"X-aliyun-ecs-metadata-token-ttl-seconds": "60",
},
},
);
if (tokenResponse.status != 200) {
throw new Error(
`Get meta api token failed: ${tokenResponse.status}`,
);
}
metaDataToken = await tokenResponse.text();
}
const audienceMeta = {
version: 1,
issuedAtMs: Date.now(),
expiresAtMs: Date.now() + 60 * 1000,
purpose: purpose,
} as AlibabaCloudInstanceIdentityAudienceMeta;
const pkcs7Options = {};
if (metaDataToken) {
pkcs7Options["X-aliyun-ecs-metadata-token"] = metaDataToken;
}
const pkcs7Response = await fetchDataWithTimeout(
`http://100.100.100.200/latest/dynamic/instance-identity/pkcs7?audience=${
encodeURIComponent(JSON.stringify(audienceMeta))
}`,
pkcs7Options,
);
if (pkcs7Response.status != 200) {
throw new Error("Get PKCS#7 failed: ${pkcs7Response.status}`)");
}
return await pkcs7Response.text();
}
interface GetSecretResponse {
status: number;
message: string;
data: {
created: number;
modified: number;
name: string;
creatorKeyId: string;
grantedKeyIds: string[];
comment: string;
value: string;
version: number;
};
}
export async function getSecretValueViaAlibabaCloudInstanceIdentity(
key: string,
mode?: AlibabaCloudInstanceIdentityMode,
): Promise<string> {
const pkcs7 = await fetchAlibabaCloudInstanceIdentityV1(
"access_hatter_ink",
mode,
);
const httpSecretResponse = await fetchDataWithTimeout(
`https://global.hatter.ink//secret/get.json?name=${
encodeURIComponent(key)
}`,
{
headers: {
"Authorization": `PKCS7 ${pkcs7}`,
},
},
);
if (httpSecretResponse.status != 200) {
throw new Error(`Get secret failed: ${httpSecretResponse.status}`);
}
const secretResponse = await httpSecretResponse
.json() as GetSecretResponse;
log.debug("secretResponse", secretResponse);
if (secretResponse.status != 200) {
throw new Error(`Get secret failed: ${secretResponse.status}`);
}
return secretResponse.data.value;
}
async function getSecretValueViaHatterCli(key: string): Promise<string> {
const output = await execCommand("hatter", [
"secret",
"get",
"--name",
key,
]);
const secretResponse = output.getStdoutAsJson() as GetSecretResponse;
log.debug("secretResponse", secretResponse);
if (secretResponse.status != 200) {
throw new Error(`Get secret failed: ${secretResponse.status}`);
}
return secretResponse.data.value;
}
export type SecretValueRunEnv = "ALIBABA_CLOUD" | "HATTER_CLI";
export async function getSecretValue(
key: string,
runEnv?: SecretValueRunEnv,
): Promise<string> {
if (runEnv == "ALIBABA_CLOUD") {
return await getSecretValueViaAlibabaCloudInstanceIdentity(key);
}
return await getSecretValueViaHatterCli(key);
}