Class: Mongo::Crypt::KMS::GCP::Credentials Private

Inherits:
Object
Extended by:
Forwardable
Includes:
Validations
Defined in:
lib/mongo/crypt/kms/gcp/credentials.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

GCP Cloud Key Management Credentials object contains credentials for using GCP KMS provider.

API:

  • private

Constant Summary

FORMAT_HINT =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

API:

  • private

"GCP KMS provider options must be in the format: " +
"{ email: 'EMAIL', private_key: 'PRIVATE-KEY' }"

Instance Attribute Summary

Instance Method Summary

Methods included from Validations

#validate_param, validate_tls_options

Constructor Details

#initialize(opts) ⇒ Credentials

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Creates a GCP KMS credentials object from a parameters hash.

Parameters:

  • opts (Hash): a hash that contains credentials for the GCP KMS provider.

Options Hash (opts):

  • :email (String)

    GCP service account email.

  • :private_key (String)

    GCP service account private key, in either base64 encoded DER format or PEM format. A PEM key is parsed as RSA and re-encoded to base64 DER; a base64 DER value is stored verbatim after a parse check (that check uses OpenSSL::PKey.read, so it accepts any key type OpenSSL can parse, not only RSA). On JRuby no parsing is attempted and the value is stored as given.

  • :endpoint (String | nil)

    GCP KMS endpoint, optional.

  • :access_token (String | nil)

    GCP access token, optional. If this option is not nil, it is used as-is and :email, :private_key and :endpoint are neither read nor validated.

Raises:

  • If required options are missing or incorrectly formatted.

API:

  • private



# File 'lib/mongo/crypt/kms/gcp/credentials.rb', line 61

def initialize(opts)
  @opts = opts
  return if empty?

  if opts[:access_token]
    @access_token = opts[:access_token]
  else
    @email = validate_param(:email, opts, FORMAT_HINT)
    @private_key = begin
      private_key_opt = validate_param(:private_key, opts, FORMAT_HINT)
      if BSON::Environment.jruby?
        # We cannot really validate private key on JRuby, so we assume
        # it is in base64 encoded DER format.
        private_key_opt
      else
        # Check if private key is in PEM format.
        pkey = OpenSSL::PKey::RSA.new(private_key_opt)
        # PEM it is, need to be converted to base64 encoded DER.
        der = if pkey.respond_to?(:private_to_der)
          pkey.private_to_der
        else
          pkey.to_der
        end
        Base64.encode64(der)
      end
    rescue OpenSSL::PKey::RSAError
      # Check if private key is in DER.
      begin
        OpenSSL::PKey.read(Base64.decode64(private_key_opt))
        # Private key is fine, use it.
        private_key_opt
      rescue OpenSSL::PKey::PKeyError
        raise ArgumentError.new(
          "The private_key option must be either base64 encoded DER format, or PEM format."
        )
      end
    end

    @endpoint = validate_param(
      :endpoint, opts, FORMAT_HINT, required: false
    )
  end
end

Instance Attribute Details

#access_token ⇒ String | nil (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns GCP access token.

Returns:

  • GCP access token.

API:

  • private



# File 'lib/mongo/crypt/kms/gcp/credentials.rb', line 40

def access_token
  @access_token
end

#email ⇒ String (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns GCP service account email to authenticate with.

Returns:

  • GCP service account email to authenticate with.

API:

  • private



# File 'lib/mongo/crypt/kms/gcp/credentials.rb', line 31

def email
  @email
end

#endpoint ⇒ String | nil (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns GCP KMS endpoint.

Returns:

  • GCP KMS endpoint.

API:

  • private



# File 'lib/mongo/crypt/kms/gcp/credentials.rb', line 37

def endpoint
  @endpoint
end

#private_key ⇒ String (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns GCP private key in base64 encoded DER format (nil when an access token was supplied instead).

Returns:

  • GCP private key, base64 encoded DER format.

API:

  • private



# File 'lib/mongo/crypt/kms/gcp/credentials.rb', line 34

def private_key
  @private_key
end

Instance Method Details

#to_document ⇒ BSON::Document

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Convert the credentials object to a BSON document in libmongocrypt format: { accessToken } when an access token was supplied, otherwise { email, privateKey (BSON::Binary, subtype :generic) } plus endpoint when one was given, or an empty document when the options were empty.

Returns:

  • GCP KMS credentials in libmongocrypt format.

API:

  • private



# File 'lib/mongo/crypt/kms/gcp/credentials.rb', line 108

def to_document
  return BSON::Document.new if empty?
  if access_token
    BSON::Document.new({ accessToken: access_token })
  else
    BSON::Document.new({
      email: email,
      privateKey: BSON::Binary.new(private_key, :generic),
    }).tap do |bson|
      unless endpoint.nil?
        bson.update({ endpoint: endpoint })
      end
    end
  end
end
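The following is an added example, not code from the mongo gem: a self-contained stand-in that reproduces the private-key normalisation performed in #initialize above and the document shape produced by #to_document, so the two accepted key formats, the access-token short-circuit and the rejection path can be exercised without a GCP account. It assumes a minimal behaviour for Validations#validate_param (option present and a non-empty String, otherwise ArgumentError with FORMAT_HINT), substitutes a plain Hash for BSON::Document and the bare base64 String for BSON::Binary so it runs without the bson gem, and uses a throwaway RSA key generated in-process as constructed input. Note that Base64.encode64, which the real PEM branch also uses, wraps output at 60 characters, so a key that arrived as PEM is stored with embedded newlines while a caller-supplied base64 DER value is kept verbatim; Base64.decode64 reads both.

```ruby
require 'openssl'
require 'base64'

# Added example (not the mongo gem's own code): stand-in for
# Mongo::Crypt::KMS::GCP::Credentials without the bson dependency.
module GcpCredentialsExample
  FORMAT_HINT = "GCP KMS provider options must be in the format: " \
                "{ email: 'EMAIL', private_key: 'PRIVATE-KEY' }"

  # Assumed behaviour of Validations#validate_param: a required option must be
  # present and a non-empty String; an optional one may be absent.
  def self.validate_param(key, opts, required: true)
    value = opts[key]
    return nil if value.nil? && !required
    unless value.is_a?(String) && !value.empty?
      raise ArgumentError, "#{FORMAT_HINT} (bad #{key.inspect})"
    end
    value
  end

  # Same two-step check as the real constructor on MRI: parse as RSA (PEM)
  # and re-encode to base64 DER; otherwise require that the value already is
  # base64 DER that OpenSSL can parse (any key type); anything else is rejected.
  def self.normalize_private_key(private_key_opt)
    pkey = OpenSSL::PKey::RSA.new(private_key_opt)
    der = pkey.respond_to?(:private_to_der) ? pkey.private_to_der : pkey.to_der
    Base64.encode64(der)
  rescue OpenSSL::PKey::RSAError
    begin
      OpenSSL::PKey.read(Base64.decode64(private_key_opt))
      private_key_opt
    rescue OpenSSL::PKey::PKeyError
      raise ArgumentError,
            "The private_key option must be either base64 encoded DER format, or PEM format."
    end
  end

  class Credentials
    attr_reader :email, :private_key, :endpoint, :access_token

    def initialize(opts)
      @opts = opts
      return if empty?

      if opts[:access_token]
        # An access token short-circuits everything else: email, private_key
        # and endpoint are neither read nor validated.
        @access_token = opts[:access_token]
      else
        @email = GcpCredentialsExample.validate_param(:email, opts)
        @private_key = GcpCredentialsExample.normalize_private_key(
          GcpCredentialsExample.validate_param(:private_key, opts)
        )
        @endpoint = GcpCredentialsExample.validate_param(:endpoint, opts, required: false)
      end
    end

    def empty?
      @opts.nil? || @opts.empty?
    end

    # Mirrors #to_document with a Hash; the real class wraps :privateKey in
    # BSON::Binary.new(private_key, :generic).
    def to_document
      return {} if empty?
      return { accessToken: access_token } if access_token

      doc = { email: email, privateKey: private_key }
      doc[:endpoint] = endpoint unless endpoint.nil?
      doc
    end
  end
end

# Constructed input: a throwaway 2048-bit RSA key generated here, never a real
# service-account key. to_pem gives PKCS#1 PEM, to_der the matching DER.
EXAMPLE_KEY = OpenSSL::PKey::RSA.new(2048)
EXAMPLE_PEM = EXAMPLE_KEY.to_pem
EXAMPLE_B64_DER = Base64.strict_encode64(EXAMPLE_KEY.to_der)

if __FILE__ == $PROGRAM_NAME
  from_pem = GcpCredentialsExample::Credentials.new(
    email: 'svc@example.iam.gserviceaccount.com', private_key: EXAMPLE_PEM
  )
  puts from_pem.to_document[:privateKey].lines.first.chomp   # base64 DER, wrapped
  puts GcpCredentialsExample::Credentials.new(access_token: 'tok').to_document
end
```

Running the block as a script shows that a PEM key leaves the object as wrapped base64 DER and that an access token yields a one-field document; feeding an invalid key or omitting :email raises ArgumentError before any KMS call is attempted.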