volcengine-python-sdk 5.0.32__py2.py3-none-any.whl → 5.0.33__py2.py3-none-any.whl

{volcengine_python_sdk-5.0.32.dist-info → volcengine_python_sdk-5.0.33.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: volcengine-python-sdk
-Version: 5.0.32
+Version: 5.0.33
 Summary: Volcengine SDK for Python
 Home-page: https://github.com/volcengine/volcengine-python-sdk
 Author-email: volc-engine <volc-sdk-team@bytedance.com>

{volcengine_python_sdk-5.0.32.dist-info → volcengine_python_sdk-5.0.33.dist-info}/RECORD

@@ -1,5 +1,5 @@
-volcengine_python_sdk-5.0.32.dist-info/licenses/LICENSE.txt,sha256=z8d0m5b2O9McPEK1xHG_dWgUBT6EfBDz6wA0F7xSPTA,11358
-volcengine_python_sdk-5.0.32.dist-info/licenses/NOTICE.md,sha256=dqWX0O4-gFqGLdHJsXAiF6Q8JHlu_3nFaQSmrMHzujM,254
+volcengine_python_sdk-5.0.33.dist-info/licenses/LICENSE.txt,sha256=z8d0m5b2O9McPEK1xHG_dWgUBT6EfBDz6wA0F7xSPTA,11358
+volcengine_python_sdk-5.0.33.dist-info/licenses/NOTICE.md,sha256=dqWX0O4-gFqGLdHJsXAiF6Q8JHlu_3nFaQSmrMHzujM,254
 volcenginesdkacep/__init__.py,sha256=GZCeL2Dsp5v1XblcgInhNJzKW7X37XxrpMIE2Q3VL-c,31200
 volcenginesdkacep/api/__init__.py,sha256=MCzGEBg4XwY5aDIDy8nitUz4vu_2xmRRY83V6lqt460,138
 volcenginesdkacep/api/acep_api.py,sha256=ollQvh5qkrmNbENVBBh2JRha9aGDMUwtO7V6Q1A3-Js,410621
@@ -5381,8 +5381,8 @@ volcenginesdkconfig/models/update_rule_response.py,sha256=f16EgPddqWulPRT1Yw225x
 volcenginesdkconfig/models/update_rule_template_request.py,sha256=k4JyMyOEhL8Zvg9N6siac_6MlcB38ZoDeKfx5uVV4xo,10129
 volcenginesdkconfig/models/update_rule_template_response.py,sha256=eiATOg0bsvElLzs-K0Jt8x8k4JaLxlXUcsg3toMteCM,2814
 volcenginesdkcore/__init__.py,sha256=WkgQAEhL6zg4ofQI82LD-3K-ij28yT-lpMiDoKmppwM,318
-volcenginesdkcore/api_client.py,sha256=3WucEvkL3BmKes9qXrk-R7urs3IV4jAy9oJrTpNvwVM,29339
-volcenginesdkcore/configuration.py,sha256=mFDz9fJU3AhwRCY0-CaNJStPQ2VfNtW5di8mSaH2ImQ,12082
+volcenginesdkcore/api_client.py,sha256=xk2TgRm7PGtgDkAOvUwUA_z5E2Akb2Iy4IfRgViMKzc,29339
+volcenginesdkcore/configuration.py,sha256=uBLeXYDr1tkLYWERwK0oKph7z5pdJHH_yGipo-bYSWI,12082
 volcenginesdkcore/flatten.py,sha256=g3r61JS_AO7WV6ClRDkXgtnVXcw3c7tbZjeLAJxkSLc,3811
 volcenginesdkcore/metadata.py,sha256=lHsOz9JcwdM7oqBb5dhSl6z3qF-M3TnTFbCzxRV89f4,4529
 volcenginesdkcore/model.py,sha256=f3cvQ6QiQfecClucu-_-l5xVI3W5_vF-EKkjwZu7Vjc,177
@@ -5392,7 +5392,7 @@ volcenginesdkcore/universal.py,sha256=j1p9XAktEqIvVsWXm_sCI29jxf30YjqFEWBZAlkUEd
 volcenginesdkcore/auth/__init__.py,sha256=3g1cdl8E5ZJrjF_kijTELAIWTT74fNEYOPieE88DBBg,132
 volcenginesdkcore/auth/credential.py,sha256=adOo43AZi4BNL9sSYGe5v9YMn8vm2rL0vBU1iAe0jes,377
 volcenginesdkcore/auth/providers/__init__.py,sha256=Os4sb88zqpdSncVAiKTs8KPGarCViJeXpdUZ1ItnZSM,454
-volcenginesdkcore/auth/providers/cli_config_provider.py,sha256=dqpcJfEtVIWI7_nChFEHn-qJWmuGvw4kJcDgcvhcge0,23693
+volcenginesdkcore/auth/providers/cli_config_provider.py,sha256=tmpyc4YpyJ5CRSCrR9IAsisMxsL6Xb4FWEfEIgsZuDo,44251
 volcenginesdkcore/auth/providers/default_provider.py,sha256=R-OxpYSlIfk_YcaAW23EcsoMCuMRAFJQ035baE_3NfQ,4234
 volcenginesdkcore/auth/providers/ecs_role_provider.py,sha256=lWllVPA01NpPaaqXdP9vCMwbxBgEQW1URfxMl9uOTyc,7529
 volcenginesdkcore/auth/providers/env_provider.py,sha256=LUrPFemUs0i8X-hLqXDEuz5CHgOsQG6XbxaROC0tpxA,1255
@@ -9395,7 +9395,7 @@ volcenginesdkgtm/models/rule_for_update_rule_input.py,sha256=Ldb6pTVTfOLVbTG98bd
 volcenginesdkgtm/models/source_flow_for_get_policy_output.py,sha256=tyXwIrVjy8Kwjqa16Y_UMFjtxIMJL7OSb2VKtWlfA1I,2821
 volcenginesdkgtm/models/start_routing_request.py,sha256=KDNWMAiV23QsfPbuZA3om2SmQE2j5tDCg5Q1tNWdrag,3552
 volcenginesdkgtm/models/start_routing_response.py,sha256=atUcMwhhXJzt0kYQpH35XNEw8zYWm2vXqK0TXeARRxM,2781
-volcenginesdkgtm/models/statistic_for_update_load_input.py,sha256=8qlgcqwU7vJnwY96vsBDnnK8IwMv_DIwgwdfxFl7cKw,7368
+volcenginesdkgtm/models/statistic_for_update_load_input.py,sha256=TaSErSmDxX28BRhBHPlKZtPtHlch93VT_Fk0wKeGiVg,6615
 volcenginesdkgtm/models/statistics_for_get_policy_output.py,sha256=hi9vXAgJiYcqq0a91sX0s8_bmd9rP_dfLr14eGKLiFI,4421
 volcenginesdkgtm/models/stop_routing_request.py,sha256=oz24AtXhG8gn-NpB667E-x8a6I_iK73E07T_zTUoHsM,3543
 volcenginesdkgtm/models/stop_routing_response.py,sha256=9BuGoyBMymk2e1xT5OQYlT-2KJq9Ae7ipboxei7K65U,2776
@@ -11575,7 +11575,7 @@ volcenginesdklivesaas/models/list_activity_api_request.py,sha256=QuB4k1j8_TaMQFH
 volcenginesdklivesaas/models/list_activity_api_response.py,sha256=AYSOPD3SXOmdpIYYO1xVDJiPN8iFbgjODNIqa6pWn4w,6025
 volcenginesdklivesaas/models/list_activity_by_cache_api_request.py,sha256=KiHpTJRpsXNIfbbcWvQspBYcouC84jsAumRW7MYby4U,14895
 volcenginesdklivesaas/models/list_activity_by_cache_api_response.py,sha256=MtnemSo41lO9XscXKzZ-NIITIVc5sdcCGRLZ3u8Ttq8,6193
-volcenginesdklivesaas/models/list_activity_media_api_request.py,sha256=0lw0dybAwRhrBtjSK-ndk73czOELGvwe-1npJu_ofcE,9606
+volcenginesdklivesaas/models/list_activity_media_api_request.py,sha256=NQUYJccpSJTWoYkYbyYohnyipRdRPO8DKMps0QrR04c,10444
 volcenginesdklivesaas/models/list_activity_media_api_response.py,sha256=ThfoI96iUIrR8Al7dHIGxFCl7B--clFjejWVEjbFEM0,4444
 volcenginesdklivesaas/models/list_an_activity_start_and_end_time_api_request.py,sha256=KPp00NCSYE6oZeAodgVfEv1XRmBzXZtMSPZw8h7Alt4,3842
 volcenginesdklivesaas/models/list_an_activity_start_and_end_time_api_response.py,sha256=NxY8CB9rz6YiuPsi9WTMkthgaij7tyBaOOmbD3L-OZU,4029
@@ -22510,7 +22510,7 @@ volcenginesdkwafruntime/api/__init__.py,sha256=di_9IIKQ0HCuzkGrTyZ6h38iP7y1xelH8
 volcenginesdkwafruntime/api/waf_runtime_api.py,sha256=eWgdzFcwflEkhkNrPzZL1mqSid7O1OWiwHGUyWJvZNA,4035
 volcenginesdkwafruntime/models/__init__.py,sha256=di_9IIKQ0HCuzkGrTyZ6h38iP7y1xelH8_IJbKi4aWA,71
 volcenginesdkwafruntime/models/llm_stream_session.py,sha256=U9cig3fuZRBT4Ov8_cUsWDKXcMLNjBDxKt-7IoewoUw,1589
-volcengine_python_sdk-5.0.32.dist-info/METADATA,sha256=_y0nB0rAMfmt87cO5DvWliK4pdmqNCayYLdlctMPry4,8435
-volcengine_python_sdk-5.0.32.dist-info/WHEEL,sha256=Mk1ST5gDzEO5il5kYREiBnzzM469m5sI8ESPl7TRhJY,110
-volcengine_python_sdk-5.0.32.dist-info/top_level.txt,sha256=EWPYkwb-yVEO1fKOGHmIp8xZ5FoKVJmQ8njYtOV7XwA,2820
-volcengine_python_sdk-5.0.32.dist-info/RECORD,,
+volcengine_python_sdk-5.0.33.dist-info/METADATA,sha256=_J8YoRxCLPMoJbWfAgQPHGM7yBAaDQ-ZA8eVNekkx7U,8435
+volcengine_python_sdk-5.0.33.dist-info/WHEEL,sha256=Mk1ST5gDzEO5il5kYREiBnzzM469m5sI8ESPl7TRhJY,110
+volcengine_python_sdk-5.0.33.dist-info/top_level.txt,sha256=EWPYkwb-yVEO1fKOGHmIp8xZ5FoKVJmQ8njYtOV7XwA,2820
+volcengine_python_sdk-5.0.33.dist-info/RECORD,,

volcenginesdkcore/api_client.py

@@ -69,7 +69,7 @@ class ApiClient(object):
             self.default_headers[header_name] = header_value
         self.cookie = cookie
         # Set default User-Agent.
-        self.user_agent = 'volcstack-python-sdk/5.0.32'
+        self.user_agent = 'volcstack-python-sdk/5.0.33'
         self.client_side_validation = configuration.client_side_validation
 
         self.interceptor_chain = InterceptorChain()

volcenginesdkcore/auth/providers/cli_config_provider.py

@@ -3,11 +3,11 @@ import calendar
 import hashlib
 import json
 import os
-import tempfile
 import threading
 import time
 
-from datetime import datetime
+import dateutil.parser
+import six
 
 from .provider import Provider, CredentialValue
 
@@ -18,6 +18,9 @@ _PORTAL_ACCESS_TOKEN_HEADER = "x-bd-cloudidentity-bearer-token"
 _HTTP_TIMEOUT = 30
 _HTTP_MAX_RETRIES = 3
 _HTTP_RETRY_INTERVAL = 1
+_LOGIN_CACHE_DIRECTORY_ENV = "VOLCENGINE_LOGIN_CACHE_DIRECTORY"
+_DEFAULT_CONSOLE_LOGIN_ENDPOINT = "https://signin.volcengine.com"
+_CONSOLE_LOGIN_TOKEN_PATH = "/authorize/oauth/token"
 
 
 class CLIConfigCredentialProvider(Provider):
@@ -34,7 +37,10 @@ class CLIConfigCredentialProvider(Provider):
       - "RamRoleArn": delegate to StsCredentialProvider
       - "OIDC": delegate to StsOidcCredentialProvider
       - "EcsRole": delegate to EcsRoleCredentialProvider
-      - "sso": delegate to SsoCredentialProvider
+      - "sso": delegate to SsoCredentialProvider (SDK manages OAuth refresh in-memory,
+        never writes the cache file; ve sso login is the sole writer)
+      - "console-login": read CLI console-login cache; the SDK manages OAuth refresh
+        in-memory (never writes the cache file). ve login is the sole writer.
       - Other modes: raise RuntimeError (unsupported)
     """
 
@@ -50,6 +56,9 @@ class CLIConfigCredentialProvider(Provider):
         self._resolved_config_path = None
 
     def _init_delegate(self):
+        self._delegate = None
+        self._static_cred = None
+
         profile, profile_name, config = self._load_profile()
         raw_mode = profile.get("mode", "") or ""
         mode = raw_mode.lower().strip()
@@ -68,6 +77,9 @@ class CLIConfigCredentialProvider(Provider):
         elif mode == "sso":
             self._static_cred = None
             self._delegate = self._create_sso_delegate(profile, profile_name, config)
+        elif mode == "console-login":
+            self._static_cred = None
+            self._delegate = self._create_console_login_delegate(profile, profile_name)
         else:
             raise RuntimeError(
                 "{}: unsupported mode: {}".format(self.PROVIDER_NAME, mode)
@@ -294,6 +306,29 @@ class CLIConfigCredentialProvider(Provider):
             cache_dir=cache_dir,
         )
 
+    def _create_console_login_delegate(self, profile, profile_name):
+        login_session = (profile.get("login-session") or "").strip()
+        if not login_session:
+            raise RuntimeError(
+                "{}: profile '{}' mode is console-login but login-session is not set; run 've login' first.".format(
+                    self.PROVIDER_NAME, profile_name
+                )
+            )
+
+        config_path = self._resolved_config_path or (
+                self._config_path
+                or os.environ.get("VOLCENGINE_CLI_CONFIG_FILE")
+                or os.path.expanduser("~/.volcengine/config.json")
+        )
+        cache_dir = (
+                os.environ.get(_LOGIN_CACHE_DIRECTORY_ENV)
+                or os.path.join(os.path.dirname(config_path), "login", "cache")
+        )
+        return ConsoleLoginCredentialProvider(
+            login_session=login_session,
+            cache_dir=cache_dir,
+        )
+
 
 def _unix_timestamp_to_epoch(ts):
     """Convert a Unix timestamp (seconds, milliseconds, microseconds, or
@@ -316,26 +351,24 @@ def _token_cache_filename(start_url, session_name):
     return "{}.json".format(digest)
 
 
+def _login_cache_filename(login_session):
+    return "{}.json".format(hashlib.sha1(login_session.encode("utf-8")).hexdigest())
+
+
 def _parse_rfc3339(value):
-    """Parse an RFC 3339 timestamp string into a datetime (UTC)."""
+    """Parse an RFC 3339 timestamp string into a datetime.
+
+    Uses python-dateutil (already a project dependency) for Py2/Py3
+    compatibility; handles trailing 'Z' and explicit timezone offsets
+    (e.g. '+08:00') uniformly.
+    """
     value = value.strip()
     if not value:
         raise ValueError("expires_at is empty")
-    # Python 3.7+ datetime.fromisoformat doesn't handle trailing Z
-    if value.endswith("Z"):
-        value = value[:-1] + "+00:00"
     try:
-        return datetime.fromisoformat(value)
-    except (ValueError, AttributeError):
-        pass
-    # Fallback for Python < 3.7 or unusual formats
-    for fmt in ("%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%dT%H:%M:%S.%f%z",
-                "%Y-%m-%dT%H:%M:%S", "%Y-%m-%dT%H:%M:%S.%f"):
-        try:
-            return datetime.strptime(value, fmt)
-        except ValueError:
-            continue
-    raise ValueError("cannot parse expires_at: {}".format(value))
+        return dateutil.parser.parse(value)
+    except (ValueError, OverflowError, TypeError) as e:
+        raise ValueError("cannot parse expires_at: {}: {}".format(value, e))
 
 
 def _rfc3339_to_epoch(value):
@@ -346,21 +379,396 @@ def _rfc3339_to_epoch(value):
     return calendar.timegm(exp_dt.timetuple())
 
 
-def _write_json_file_atomic(path, data):
-    """Write JSON data to a file atomically."""
-    dir_name = os.path.dirname(path)
-    fd, tmp_path = tempfile.mkstemp(dir=dir_name, prefix=".tmp-", suffix=".json")
+def _console_login_cache_expiration(token_cache, cache_path, provider_name):
+    _raw_ia = token_cache.get("issued_at")
+    issued_at = _raw_ia.strip() if isinstance(_raw_ia, six.string_types) else ""
+    if not issued_at:
+        raise RuntimeError(
+            "{}: console-login token cache '{}' does not contain issued_at.".format(
+                provider_name, cache_path
+            )
+        )
+    expires_in = token_cache.get("expires_in", 0)
+    try:
+        expires_in = int(expires_in)
+    except (TypeError, ValueError):
+        expires_in = 0
+    if expires_in <= 0:
+        raise RuntimeError(
+            "{}: console-login token cache '{}' does not contain valid expires_in.".format(
+                provider_name, cache_path
+            )
+        )
     try:
-        with os.fdopen(fd, 'w') as f:
-            json.dump(data, f)
-        os.chmod(tmp_path, 0o600)
-        os.rename(tmp_path, path)
-    except Exception:
+        issued_at_epoch = _rfc3339_to_epoch(issued_at)
+    except ValueError as e:
+        raise RuntimeError(
+            "{}: failed to parse console-login issued_at in '{}': {}".format(
+                provider_name, cache_path, e
+            )
+        )
+    return issued_at_epoch + expires_in
+
+
+def _parse_console_login_access_token(access_token, cache_path, provider_name):
+    if isinstance(access_token, dict):
+        sts_creds = access_token
+    elif isinstance(access_token, six.string_types):
+        try:
+            sts_creds = json.loads(access_token)
+        except ValueError as e:
+            raise RuntimeError(
+                "{}: failed to parse console-login access_token in '{}': {}".format(
+                    provider_name, cache_path, e
+                )
+            )
+    else:
+        raise RuntimeError(
+            "{}: console-login token cache '{}' does not contain valid access_token.".format(
+                provider_name, cache_path
+            )
+        )
+
+    if not isinstance(sts_creds, dict):
+        raise RuntimeError(
+            "{}: console-login access_token in '{}' is not an object.".format(
+                provider_name, cache_path
+            )
+        )
+
+    _raw_ak = sts_creds.get("access_key_id")
+    ak = _raw_ak.strip() if isinstance(_raw_ak, six.string_types) else ""
+    _raw_sk = sts_creds.get("secret_access_key")
+    sk = _raw_sk.strip() if isinstance(_raw_sk, six.string_types) else ""
+    _raw_tok = sts_creds.get("session_token")
+    token = _raw_tok.strip() if isinstance(_raw_tok, six.string_types) else ""
+    if not ak or not sk or not token:
+        raise RuntimeError(
+            "{}: console-login access_token in '{}' is missing STS credential fields.".format(
+                provider_name, cache_path
+            )
+        )
+
+    return {
+        "access_key_id": ak,
+        "secret_access_key": sk,
+        "session_token": token,
+    }
+
+
+
+class ConsoleLoginCredentialProvider(Provider):
+    """Reads and refreshes STS credentials for the CLI 've login' flow.
+
+    Contract:
+      - Disk reads happen on bootstrap and on the invalid_grant fallback only;
+        the provider never writes the cache file. ve cli remains the sole
+        writer.
+      - When the in-memory access_token expires, the provider exchanges the
+        cached refresh_token at signin.volcengine.com/authorize/oauth/token and
+        updates the in-memory cache only.
+      - If the signin service rejects the refresh_token with invalid_grant,
+        the provider re-reads the disk cache once. If the disk holds a newer
+        refresh_token (i.e. ve cli refreshed it under us), it retries; if the
+        disk RT is the same, the user must run `ve login` again.
+    """
+
+    PROVIDER_NAME = "ConsoleLoginCredentialProvider"
+
+    def __init__(self, login_session, cache_dir):
+        self._login_session = login_session
+        self._cache_dir = cache_dir
+
+        self._credentials = None
+        self._expiration = None  # epoch seconds
+        # _cache holds the most recently observed login cache dict, including
+        # refresh_token / client_id / scope / endpoint_url, so that the SDK can
+        # silently refresh access_token without re-reading the file on every
+        # call.
+        self._cache = None
+        self._lock = threading.Lock()
+
+    def retrieve(self):
+        return self.get_credentials()
+
+    def is_expired(self):
+        if self._credentials is None:
+            return True
+        if self._expiration is not None:
+            return time.time() >= self._expiration - 60
+        return False
+
+    def refresh(self):
+        with self._lock:
+            if self.is_expired():
+                self._do_refresh()
+
+    def get_credentials(self):
+        self.refresh()
+        return self._credentials
+
+    def _do_refresh(self):
+        # Bootstrap from disk only when the in-memory cache is empty; on every
+        # subsequent expiry we try the in-memory refresh_token first and only
+        # re-read the disk file as a fallback when the server rejects the RT.
+        if self._cache is None:
+            self._cache = self._load_cache_from_disk()
+
+        cache_path = os.path.join(
+            self._cache_dir, _login_cache_filename(self._login_session)
+        )
+
+        # Fast path: the cached access_token is still within its TTL.
+        applied = self._try_apply_from_cache(self._cache, cache_path)
+        if applied:
+            return
+
+        # Slow path: refresh in-memory using the cached refresh_token.
+        try:
+            self._refresh_with_oauth(self._cache, cache_path)
+            return
+        except _ConsoleLoginInvalidGrantError as exc:
+            invalid_grant_exc = exc
+        # Fallback: re-read the disk cache once. If ve login ran concurrently
+        # and wrote a new refresh_token, retrying with the disk RT may succeed.
+        # Any I/O or parse error surfaces with the actionable ve login hint.
+        try:
+            disk_cache = self._load_cache_from_disk()
+        except (RuntimeError, IOError, OSError) as e:
+            raise RuntimeError(
+                "{}: failed to reload console-login cache from disk; "
+                "please run 've login' to re-authenticate. "
+                "underlying error: {}".format(self.PROVIDER_NAME, e)
+            )
+        _disk_rt = disk_cache.get("refresh_token")
+        if not (isinstance(_disk_rt, six.string_types) and _disk_rt.strip()):
+            raise RuntimeError(
+                "{}: console-login refresh token rejected and disk cache lacks "
+                "refresh_token; please run 've login' to re-authenticate.".format(
+                    self.PROVIDER_NAME
+                )
+            )
+        if disk_cache.get("refresh_token") == self._cache.get("refresh_token"):
+            raise RuntimeError(
+                "{}: console-login refresh token rejected by signin service "
+                "(disk cache has the same RT); please run 've login' to "
+                "re-authenticate. underlying error: {}".format(
+                    self.PROVIDER_NAME, invalid_grant_exc
+                )
+            )
+        self._cache = disk_cache
+        # If the disk cache holds a fresh access_token (e.g. ve login ran
+        # concurrently), apply it directly without another OAuth round-trip.
+        # Otherwise exchange the disk refresh_token via OAuth once.
+        if self._try_apply_from_cache(self._cache, cache_path):
+            return
+        try:
+            self._refresh_with_oauth(self._cache, cache_path)
+        except _ConsoleLoginInvalidGrantError as exc2:
+            raise RuntimeError(
+                "{}: console-login refresh token rejected; reloaded disk cache "
+                "but new RT also failed; please run 've login'. underlying error: {}".format(
+                    self.PROVIDER_NAME, exc2
+                )
+            )
+
+
+
+    def _load_cache_from_disk(self):
+        cache_path = os.path.join(
+            self._cache_dir, _login_cache_filename(self._login_session)
+        )
+        if not os.path.isfile(cache_path):
+            raise RuntimeError(
+                "{}: console-login token cache file '{}' does not exist; "
+                "please run 've login' to re-authenticate.".format(
+                    self.PROVIDER_NAME, cache_path
+                )
+            )
+        try:
+            with open(cache_path, 'r') as f:
+                try:
+                    return json.load(f)
+                except ValueError as e:
+                    raise RuntimeError(
+                        "{}: failed to parse console-login token cache '{}': {}; "
+                        "please run 've login' to re-authenticate.".format(
+                            self.PROVIDER_NAME, cache_path, e
+                        )
+                    )
+        except (IOError, OSError) as e:
+            raise RuntimeError(
+                "{}: failed to read console-login token cache '{}': {}; "
+                "please run 've login' to re-authenticate.".format(
+                    self.PROVIDER_NAME, cache_path, e
+                )
+            )
+
+    def _try_apply_from_cache(self, cache, cache_path):
+        """Try to apply cache.access_token as live STS without calling OAuth.
+
+        Returns True iff the cache contains a non-expired access_token that
+        parses into STS credentials. Returns False on any expiry/parse miss
+        so the caller can fall through to OAuth refresh."""
+        try:
+            exp_epoch = _console_login_cache_expiration(
+                cache, cache_path, self.PROVIDER_NAME
+            )
+        except RuntimeError:
+            return False
+        if time.time() >= exp_epoch - 60:
+            return False
+        try:
+            sts_creds = _parse_console_login_access_token(
+                cache.get("access_token"), cache_path, self.PROVIDER_NAME
+            )
+        except RuntimeError:
+            return False
+        self._credentials = CredentialValue(
+            ak=sts_creds["access_key_id"],
+            sk=sts_creds["secret_access_key"],
+            session_token=sts_creds["session_token"],
+            provider_name=self.PROVIDER_NAME,
+        )
+        self._expiration = exp_epoch
+        return True
+
+    def _refresh_with_oauth(self, cache, cache_path):
+        """Refresh access_token via OAuth refresh_token grant; in-memory only.
+
+        On HTTP 400 invalid_grant the server has declared the refresh_token
+        unusable; raise _ConsoleLoginInvalidGrantError so the caller can run
+        the disk-reload fallback. All other failures raise RuntimeError."""
+        _raw_rt = cache.get("refresh_token")
+        refresh_token = _raw_rt.strip() if isinstance(_raw_rt, six.string_types) else ""
+        if not refresh_token:
+            raise RuntimeError(
+                "{}: console-login cache lacks refresh_token; please run 've login' first.".format(
+                    self.PROVIDER_NAME
+                )
+            )
+        _raw_cid = cache.get("client_id")
+        client_id = _raw_cid.strip() if isinstance(_raw_cid, six.string_types) else ""
+        if not client_id:
+            raise RuntimeError(
+                "{}: console-login cache lacks client_id; please run 've login' to regenerate.".format(
+                    self.PROVIDER_NAME
+                )
+            )
+        _raw_ep = cache.get("endpoint_url")
+        endpoint = (_raw_ep.strip() if isinstance(_raw_ep, six.string_types) else "") or _DEFAULT_CONSOLE_LOGIN_ENDPOINT
+        _raw_scope = cache.get("scope")
+        scope = _raw_scope.strip() if isinstance(_raw_scope, six.string_types) else ""
+        url = "{}{}".format(endpoint.rstrip("/"), _CONSOLE_LOGIN_TOKEN_PATH)
+        body = {
+            "grant_type": "refresh_token",
+            "client_id": client_id,
+            "refresh_token": refresh_token,
+        }
+        if scope:
+            body["scope"] = scope
+        try:
+            from urllib.parse import urlencode
+        except ImportError:
+            from urllib import urlencode
+        encoded = urlencode(body)
+        encoded_bytes = encoded.encode("utf-8")
+        # Py3: urllib.request + urllib.error; Py2: urllib2 exposes everything.
+        try:
+            import urllib.request as _urlreq
+            import urllib.error as _urlerr
+        except ImportError:
+            import urllib2 as _urlreq  # noqa: F401
+            _urlerr = _urlreq
+        # Providing data= implies POST on both Py2 and Py3 without needing
+        # the method= kwarg (which urllib2.Request does not accept).
+        req = _urlreq.Request(
+            url, encoded_bytes,
+            {"Content-Type": "application/x-www-form-urlencoded"},
+        )
+        try:
+            resp = _urlreq.urlopen(req, timeout=_HTTP_TIMEOUT)
+            try:
+                resp_bytes = resp.read()
+            finally:
+                resp.close()
+        except _urlerr.HTTPError as e:
+            err_body = e.read().decode("utf-8", "replace") if hasattr(e, "read") else ""
+            err_code = ""
+            try:
+                err_code = (json.loads(err_body or "{}").get("error") or "")
+            except ValueError:
+                pass
+            if e.code == 400 and err_code == "invalid_grant":
+                raise _ConsoleLoginInvalidGrantError(
+                    "console-login refresh_token rejected (invalid_grant): {}".format(err_body)
+                )
+            raise RuntimeError(
+                "{}: console-login refresh failed with HTTP {}: {}".format(
+                    self.PROVIDER_NAME, e.code, err_body
+                )
+            )
+        except Exception as e:
+            raise RuntimeError(
+                "{}: console-login refresh request failed: {}".format(self.PROVIDER_NAME, e)
+            )
+
+        try:
+            payload = json.loads(resp_bytes)
+        except ValueError as e:
+            raise RuntimeError(
+                "{}: console-login refresh response not JSON: {}".format(self.PROVIDER_NAME, e)
+            )
+
+        if not isinstance(payload, dict):
+            raise RuntimeError(
+                "{}: console-login refresh response is not a JSON object.".format(
+                    self.PROVIDER_NAME
+                )
+            )
+
+        _raw_access = payload.get("access_token")
+        new_access = _raw_access.strip() if isinstance(_raw_access, six.string_types) else ""
         try:
-            os.remove(tmp_path)
-        except OSError:
-            pass
-        raise
+            new_expires = int(payload.get("expires_in", 0))
+        except (TypeError, ValueError) as e:
+            raise RuntimeError(
+                "{}: console-login refresh response has invalid expires_in: {}".format(
+                    self.PROVIDER_NAME, e
+                )
+            )
+        if not new_access or new_expires <= 0:
+            raise RuntimeError(
+                "{}: console-login refresh response missing access_token or expires_in".format(
+                    self.PROVIDER_NAME
+                )
+            )
+        cache["access_token"] = new_access
+        _raw_rt = payload.get("refresh_token")
+        new_rt = _raw_rt.strip() if isinstance(_raw_rt, six.string_types) else ""
+        if new_rt:
+            cache["refresh_token"] = new_rt
+        _raw_id = payload.get("id_token")
+        new_id = _raw_id.strip() if isinstance(_raw_id, six.string_types) else ""
+        if new_id:
+            cache["id_token"] = new_id
+        _raw_tt = payload.get("token_type")
+        if isinstance(_raw_tt, six.string_types) and _raw_tt.strip():
+            cache["token_type"] = _raw_tt
+        cache["issued_at"] = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
+        cache["expires_in"] = new_expires
+
+        # Now the in-memory cache is fresh; apply it (or surface a malformed-
+        # STS error from _try_apply_from_cache).
+        if not self._try_apply_from_cache(cache, cache_path):
+            raise RuntimeError(
+                "{}: console-login refresh succeeded but the new access_token "
+                "could not be parsed into STS credentials".format(self.PROVIDER_NAME)
+            )
+
+
+class _ConsoleLoginInvalidGrantError(Exception):
+    """Sentinel raised when the signin OAuth endpoint returns invalid_grant."""
 
 
 class SsoCredentialProvider(Provider):
@@ -384,6 +792,10 @@ class SsoCredentialProvider(Provider):
 
         self._credentials = None
         self._expiration = None  # epoch seconds
+        # _cache holds the most recently observed SSO token cache dict, including
+        # refresh_token / client_id / client_secret, so that the SDK can silently
+        # refresh the access_token without re-reading the file on every call.
+        self._cache = None
         self._lock = threading.Lock()
 
     def retrieve(self):
@@ -412,38 +824,53 @@ class SsoCredentialProvider(Provider):
             self._credentials = cred
             return
 
-        # Load SSO token cache
         token_path = os.path.join(
             self._cache_dir,
             _token_cache_filename(self._start_url, self._session_name),
         )
-        if not os.path.isfile(token_path):
-            raise RuntimeError(
-                "{}: SSO token cache file not found at '{}'.".format(
-                    self.PROVIDER_NAME, token_path
-                )
-            )
 
-        with open(token_path, 'r') as f:
+        # Bootstrap from disk only when the in-memory cache is empty; on every
+        # subsequent expiry we use the in-memory cache (which already has any
+        # rotated refresh_token from a previous cycle).
+        if self._cache is None:
+            if not os.path.isfile(token_path):
+                raise RuntimeError(
+                    "{}: SSO token cache file not found at '{}'; "
+                    "please run 've sso login' to re-authenticate.".format(
+                        self.PROVIDER_NAME, token_path
+                    )
+                )
             try:
-                token_cache = json.load(f)
+                with open(token_path, 'r') as f:
+                    self._cache = json.load(f)
             except ValueError as e:
                 raise RuntimeError(
-                    "{}: failed to parse SSO token cache '{}': {}".format(
+                    "{}: failed to parse SSO token cache '{}': {}; "
+                    "please run 've sso login' to re-authenticate.".format(
+                        self.PROVIDER_NAME, token_path, e
+                    )
+                )
+            except (IOError, OSError) as e:
+                raise RuntimeError(
+                    "{}: failed to read SSO token cache '{}': {}; "
+                    "please run 've sso login' to re-authenticate.".format(
                         self.PROVIDER_NAME, token_path, e
                     )
                 )
 
-        access_token = (token_cache.get("access_token") or "").strip()
+        _raw_at = self._cache.get("access_token")
+        access_token = _raw_at.strip() if isinstance(_raw_at, six.string_types) else ""
         if not access_token:
             raise RuntimeError(
-                "{}: SSO token cache '{}' does not contain access_token.".format(
+                "{}: SSO token cache '{}' does not contain access_token; "
+                "please run 've sso login' to re-authenticate.".format(
                     self.PROVIDER_NAME, token_path
                 )
             )
 
         # Check if access token is expired
-        expires_at = (token_cache.get("expires_at") or "").strip()
+        _raw_ea = self._cache.get("expires_at")
+        expires_at = _raw_ea.strip() if isinstance(_raw_ea, six.string_types) else ""
         token_expired = False
         if expires_at:
             try:
@@ -451,13 +878,14 @@ class SsoCredentialProvider(Provider):
                 token_expired = time.time() > exp_epoch
             except ValueError as e:
                 raise RuntimeError(
-                    "{}: failed to parse expires_at in '{}': {}".format(
+                    "{}: failed to parse expires_at in '{}': {}; "
+                    "please run 've sso login' to re-authenticate.".format(
                         self.PROVIDER_NAME, token_path, e
                     )
                 )
 
         if token_expired:
-            access_token = self._refresh_access_token(token_cache, token_path)
+            access_token = self._refresh_access_token(token_path)
 
         # Get role credentials from portal
         self._fetch_role_credentials(access_token)
@@ -487,12 +915,19 @@ class SsoCredentialProvider(Provider):
             provider_name=self.PROVIDER_NAME,
         )
 
-    def _refresh_access_token(self, token_cache, token_path):
-        """Refresh the SSO access token using the OAuth token endpoint."""
-        refresh_token = (token_cache.get("refresh_token") or "").strip()
+    def _refresh_access_token(self, token_path):
+        """Refresh the SSO access token using the OAuth token endpoint.
+
+        Operates on self._cache so that any rotated refresh_token is preserved
+        across subsequent expiry cycles (in-memory refresh, never writes disk).
+        """
+        token_cache = self._cache
+        _raw_sso_rt = token_cache.get("refresh_token")
+        refresh_token = _raw_sso_rt.strip() if isinstance(_raw_sso_rt, six.string_types) else ""
         if not refresh_token:
             raise RuntimeError(
-                "{}: SSO token cache '{}' does not contain refresh_token.".format(
+                "{}: SSO token cache '{}' does not contain refresh_token; "
+                "please run 've sso login' to re-authenticate.".format(
                     self.PROVIDER_NAME, token_path
                 )
             )
@@ -503,16 +938,20 @@ class SsoCredentialProvider(Provider):
             exp_epoch = _unix_timestamp_to_epoch(client_secret_expires_at)
             if time.time() >= exp_epoch:
                 raise RuntimeError(
-                    "{}: refresh token in '{}' has expired.".format(
+                    "{}: refresh token in '{}' has expired; "
+                    "please run 've sso login' to re-authenticate.".format(
                         self.PROVIDER_NAME, token_path
                     )
                 )
 
-        client_id = (token_cache.get("client_id") or "").strip()
-        client_secret = (token_cache.get("client_secret") or "").strip()
+        _raw_cid = token_cache.get("client_id")
+        client_id = _raw_cid.strip() if isinstance(_raw_cid, six.string_types) else ""
+        _raw_cs = token_cache.get("client_secret")
+        client_secret = _raw_cs.strip() if isinstance(_raw_cs, six.string_types) else ""
         if not client_id or not client_secret:
             raise RuntimeError(
-                "{}: SSO token cache '{}' does not contain client_id/client_secret.".format(
+                "{}: SSO token cache '{}' does not contain client_id/client_secret; "
+                "please run 've sso login' to re-authenticate.".format(
                     self.PROVIDER_NAME, token_path
                 )
             )
@@ -527,63 +966,93 @@ class SsoCredentialProvider(Provider):
         # Pass a dict body; RESTClient auto-serializes with Content-Type:
         # application/json (see volcenginesdkcore/rest.py). Do NOT json.dumps
         # here or it will be double-encoded.
-        resp_body = ApiClient(Configuration())._do_http_request(
-            oauth_url,
-            method="POST",
-            data={
-                "grant_type": "refresh_token",
-                "client_id": client_id,
-                "client_secret": client_secret,
-                "refresh_token": refresh_token,
-            },
-            headers={"Content-Type": "application/json"},
-            timeout=_HTTP_TIMEOUT,
-            max_retries=_HTTP_MAX_RETRIES,
-            retry_interval=_HTTP_RETRY_INTERVAL,
-            request_name="OAuth token refresh",
-            # OAuth refresh_token grants may rotate the refresh token on use;
-            # replaying a successful-but-response-lost POST would invalidate
-            # the local refresh_token. Fail fast on 5xx instead.
-            retry_on_5xx=False,
-            provider_name=self.PROVIDER_NAME,
-        )
+        try:
+            resp_body = ApiClient(Configuration())._do_http_request(
+                oauth_url,
+                method="POST",
+                data={
+                    "grant_type": "refresh_token",
+                    "client_id": client_id,
+                    "client_secret": client_secret,
+                    "refresh_token": refresh_token,
+                },
+                headers={"Content-Type": "application/json"},
+                timeout=_HTTP_TIMEOUT,
+                max_retries=_HTTP_MAX_RETRIES,
+                retry_interval=_HTTP_RETRY_INTERVAL,
+                request_name="OAuth token refresh",
+                # OAuth refresh_token grants may rotate the refresh token on use;
+                # replaying a successful-but-response-lost POST would invalidate
+                # the local refresh_token. Fail fast on 5xx instead.
+                retry_on_5xx=False,
+                provider_name=self.PROVIDER_NAME,
+            )
+        except RuntimeError as e:
+            raise RuntimeError(
+                "{}: SSO OAuth token refresh failed; "
+                "please run 've sso login' to re-authenticate. "
+                "underlying error: {}".format(self.PROVIDER_NAME, e)
+            )
 
         try:
             resp_data = json.loads(resp_body)
         except ValueError as e:
             raise RuntimeError(
-                "{}: failed to parse OAuth token response: {}".format(
+                "{}: failed to parse OAuth token response: {}; "
+                "please run 've sso login' to re-authenticate.".format(
                     self.PROVIDER_NAME, e
                 )
             )
 
-        new_access_token = (resp_data.get("access_token") or "").strip()
+        if not isinstance(resp_data, dict):
+            raise RuntimeError(
+                "{}: OAuth token response is not a JSON object; "
+                "please run 've sso login' to re-authenticate.".format(
+                    self.PROVIDER_NAME
+                )
+            )
+
+        _raw_access_token = resp_data.get("access_token")
+        new_access_token = _raw_access_token.strip() if isinstance(_raw_access_token, six.string_types) else ""
         if not new_access_token:
             raise RuntimeError(
-                "{}: OAuth token response did not contain access_token.".format(
+                "{}: OAuth token response did not contain access_token; "
+                "please run 've sso login' to re-authenticate.".format(
                     self.PROVIDER_NAME
                 )
             )
 
-        expires_in = resp_data.get("expires_in", 0)
+        try:
+            expires_in = int(resp_data.get("expires_in", 0))
+        except (TypeError, ValueError) as e:
+            raise RuntimeError(
+                "{}: OAuth token response has invalid expires_in: {}; "
+                "please run 've sso login' to re-authenticate.".format(
+                    self.PROVIDER_NAME, e
+                )
+            )
         if expires_in <= 0:
             raise RuntimeError(
-                "{}: OAuth token response did not contain valid expires_in.".format(
+                "{}: OAuth token response did not contain valid expires_in; "
+                "please run 've sso login' to re-authenticate.".format(
                     self.PROVIDER_NAME
                 )
             )
 
-        # Update the cache
+        # Write back into self._cache so any rotated refresh_token survives
+        # the next expiry cycle (in-memory only; disk is never written).
         token_cache["access_token"] = new_access_token
-        new_refresh = (resp_data.get("refresh_token") or "").strip()
+        _raw_refresh = resp_data.get("refresh_token")
+        new_refresh = _raw_refresh.strip() if isinstance(_raw_refresh, six.string_types) else ""
         if new_refresh:
             token_cache["refresh_token"] = new_refresh
         token_cache["expires_at"] = time.strftime(
             "%Y-%m-%dT%H:%M:%SZ", time.gmtime(time.time() + expires_in)
         )
 
-        _write_json_file_atomic(token_path, token_cache)
-
+        # SDK never writes the sso cache file: ve cli is the single writer; the
+        # SDK only refreshes the in-memory self._cache to avoid concurrent
+        # write races with cli.
         return new_access_token
 
     def _fetch_role_credentials(self, access_token):
@@ -627,9 +1096,12 @@ class SsoCredentialProvider(Provider):
         result = resp_data.get("Result") or resp_data.get("result") or {}
         role_creds = result.get("RoleCredentials") or result.get("roleCredentials") or {}
 
-        ak = (role_creds.get("AccessKeyId") or "").strip()
-        sk = (role_creds.get("SecretAccessKey") or "").strip()
-        token = (role_creds.get("sessionToken") or role_creds.get("SessionToken") or "").strip()
+        _raw_ak = role_creds.get("AccessKeyId")
+        ak = _raw_ak.strip() if isinstance(_raw_ak, six.string_types) else ""
+        _raw_sk = role_creds.get("SecretAccessKey")
+        sk = _raw_sk.strip() if isinstance(_raw_sk, six.string_types) else ""
+        _raw_tok = role_creds.get("sessionToken") or role_creds.get("SessionToken")
+        token = _raw_tok.strip() if isinstance(_raw_tok, six.string_types) else ""
 
         if not ak or not sk:
             # Check ResponseMetadata for error

volcenginesdkcore/configuration.py

@@ -291,7 +291,7 @@ class Configuration(six.with_metaclass(TypeWithDefault, object)):
                "OS: {env}\n" \
                "Python Version: {pyversion}\n" \
                "Version of the API: 0.1.0\n" \
-               "SDK Package Version: 5.0.32".\
+               "SDK Package Version: 5.0.33".\
             format(env=sys.platform, pyversion=sys.version)
 
     @property

volcenginesdkgtm/models/statistic_for_update_load_input.py

@@ -34,10 +34,10 @@ class StatisticForUpdateLoadInput(object):
     """
     swagger_types = {
         'addr_value': 'str',
-        'capacity': 'int',
-        'current_load': 'int',
+        'capacity': 'float',
+        'current_load': 'float',
         'pool_name': 'str',
-        'target_load': 'int'
+        'target_load': 'float'
     }
 
     attribute_map = {
@@ -99,7 +99,7 @@ class StatisticForUpdateLoadInput(object):
 
 
         :return: The capacity of this StatisticForUpdateLoadInput.  # noqa: E501
-        :rtype: int
+        :rtype: float
         """
         return self._capacity
 
@@ -109,11 +109,8 @@ class StatisticForUpdateLoadInput(object):
 
 
         :param capacity: The capacity of this StatisticForUpdateLoadInput.  # noqa: E501
-        :type: int
+        :type: float
         """
-        if (self._configuration.client_side_validation and
-                capacity is not None and capacity < 0):  # noqa: E501
-            raise ValueError("Invalid value for `capacity`, must be a value greater than or equal to `0`")  # noqa: E501
 
         self._capacity = capacity
 
@@ -123,7 +120,7 @@ class StatisticForUpdateLoadInput(object):
 
 
         :return: The current_load of this StatisticForUpdateLoadInput.  # noqa: E501
-        :rtype: int
+        :rtype: float
         """
         return self._current_load
 
@@ -133,11 +130,8 @@ class StatisticForUpdateLoadInput(object):
 
 
         :param current_load: The current_load of this StatisticForUpdateLoadInput.  # noqa: E501
-        :type: int
+        :type: float
         """
-        if (self._configuration.client_side_validation and
-                current_load is not None and current_load < 0):  # noqa: E501
-            raise ValueError("Invalid value for `current_load`, must be a value greater than or equal to `0`")  # noqa: E501
 
         self._current_load = current_load
 
@@ -168,7 +162,7 @@ class StatisticForUpdateLoadInput(object):
 
 
         :return: The target_load of this StatisticForUpdateLoadInput.  # noqa: E501
-        :rtype: int
+        :rtype: float
         """
         return self._target_load
 
@@ -178,11 +172,8 @@ class StatisticForUpdateLoadInput(object):
 
 
         :param target_load: The target_load of this StatisticForUpdateLoadInput.  # noqa: E501
-        :type: int
+        :type: float
         """
-        if (self._configuration.client_side_validation and
-                target_load is not None and target_load < 0):  # noqa: E501
-            raise ValueError("Invalid value for `target_load`, must be a value greater than or equal to `0`")  # noqa: E501
 
         self._target_load = target_load
 

volcenginesdklivesaas/models/list_activity_media_api_request.py

@@ -35,6 +35,7 @@ class ListActivityMediaAPIRequest(object):
     swagger_types = {
         'folder_id': 'int',
         'include_sub_folder': 'bool',
+        'is_close_dated': 'bool',
         'name': 'str',
         'order_key': 'str',
         'page_num': 'int',
@@ -47,6 +48,7 @@ class ListActivityMediaAPIRequest(object):
     attribute_map = {
         'folder_id': 'FolderId',
         'include_sub_folder': 'IncludeSubFolder',
+        'is_close_dated': 'IsCloseDated',
         'name': 'Name',
         'order_key': 'OrderKey',
         'page_num': 'PageNum',
@@ -56,7 +58,7 @@ class ListActivityMediaAPIRequest(object):
         'vid': 'Vid'
     }
 
-    def __init__(self, folder_id=None, include_sub_folder=None, name=None, order_key=None, page_num=None, page_size=None, search_type=None, source_type=None, vid=None, _configuration=None):  # noqa: E501
+    def __init__(self, folder_id=None, include_sub_folder=None, is_close_dated=None, name=None, order_key=None, page_num=None, page_size=None, search_type=None, source_type=None, vid=None, _configuration=None):  # noqa: E501
         """ListActivityMediaAPIRequest - a model defined in Swagger"""  # noqa: E501
         if _configuration is None:
             _configuration = Configuration()
@@ -64,6 +66,7 @@ class ListActivityMediaAPIRequest(object):
 
         self._folder_id = None
         self._include_sub_folder = None
+        self._is_close_dated = None
         self._name = None
         self._order_key = None
         self._page_num = None
@@ -77,6 +80,8 @@ class ListActivityMediaAPIRequest(object):
             self.folder_id = folder_id
         if include_sub_folder is not None:
             self.include_sub_folder = include_sub_folder
+        if is_close_dated is not None:
+            self.is_close_dated = is_close_dated
         if name is not None:
             self.name = name
         if order_key is not None:
@@ -133,6 +138,27 @@ class ListActivityMediaAPIRequest(object):
 
         self._include_sub_folder = include_sub_folder
 
+    @property
+    def is_close_dated(self):
+        """Gets the is_close_dated of this ListActivityMediaAPIRequest.  # noqa: E501
+
+
+        :return: The is_close_dated of this ListActivityMediaAPIRequest.  # noqa: E501
+        :rtype: bool
+        """
+        return self._is_close_dated
+
+    @is_close_dated.setter
+    def is_close_dated(self, is_close_dated):
+        """Sets the is_close_dated of this ListActivityMediaAPIRequest.
+
+
+        :param is_close_dated: The is_close_dated of this ListActivityMediaAPIRequest.  # noqa: E501
+        :type: bool
+        """
+
+        self._is_close_dated = is_close_dated
+
     @property
     def name(self):
         """Gets the name of this ListActivityMediaAPIRequest.  # noqa: E501