Class: OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner

Inherits:
X509FederationClientBasedSecurityTokenSigner
Defined in:
lib/oci/auth/signers/instance_principals_security_token_signer.rb

Overview

A SecurityTokenSigner which uses a security token for an instance principal. This signer can also refresh its token as needed.

This signer is self-sufficient in that its internals know how to source the required information to request and use the token:

* Using the metadata endpoint for the instance (http://169.254.169.254/opc/v1) we can discover the region the
  instance is in, its leaf certificate and any intermediate certificates (for requesting the token) and the
  tenancy (which is carried in the leaf certificate).
* The signer leverages {OCI::Auth::FederationClient} so it can refresh the security token and also get the
  private key needed to sign requests (via the client's session_key_supplier).
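The two pieces of information the overview says are sourced from the instance's certificates are the tenancy (from the leaf certificate's subject) and the leaf-plus-intermediate chain (sent to the federation endpoint). The following is an added example, not code from the OCI Ruby SDK: it builds a throwaway root, intermediate and leaf chain with Ruby's standard OpenSSL library, reads the tenancy OCID out of the leaf's subject, and checks that the leaf actually chains to the root before anything parsed out of it is trusted. It assumes that instance leaf certificates carry the tenancy in a subject OU of the form `opc-tenant:<ocid>` (the SDK's own helper for this is `OCI::Auth::Util.get_tenancy_id_from_certificate`); the OCIDs and the chain itself are constructed here and are not real OCI material.

```ruby
require 'openssl'

# Subject OU prefix under which instance principal leaf certificates are assumed
# to carry the tenancy OCID (format assumed for this example).
OPC_TENANT_PREFIX = 'opc-tenant:'.freeze

# Constructed tenancy OCID used only by the demo chain below; not a real OCID.
DEMO_TENANCY_OCID = 'ocid1.tenancy.oc1..exampleuniqueid'.freeze

# Pull the tenancy OCID out of a leaf certificate's subject, the way the signer
# derives its tenancy id. Raises if the certificate is not an instance cert.
def tenancy_id_from_certificate(cert)
  cert.subject.to_a.each do |name, value, _type|
    return value.delete_prefix(OPC_TENANT_PREFIX) if name == 'OU' && value.start_with?(OPC_TENANT_PREFIX)
  end
  raise ArgumentError, 'certificate subject carries no opc-tenant OU'
end

# Check that the leaf chains through the supplied intermediates to a trusted
# root. Returns false (rather than raising) when the chain cannot be built.
def leaf_chains_to_root?(leaf, intermediates, roots)
  store = OpenSSL::X509::Store.new
  roots.each { |root| store.add_cert(root) }
  store.verify(leaf, intermediates)
end

# ---- constructed fixtures: a throwaway root -> intermediate -> leaf chain ----

def make_cert(subject_entries, key, serial, ca:, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new(subject_entries)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Returns [root, intermediate, leaf]; the leaf mimics an instance certificate
# subject with opc-tenant and opc-instance OUs (constructed values).
def build_demo_chain
  root_key = OpenSSL::PKey::RSA.new(2048)
  inter_key = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  root = make_cert([['CN', 'demo root']], root_key, 1, ca: true)
  inter = make_cert([['CN', 'demo intermediate']], inter_key, 2, ca: true,
                    issuer_cert: root, issuer_key: root_key)
  leaf = make_cert(
    [['C', 'US'], ['O', 'Oracle'],
     ['OU', "#{OPC_TENANT_PREFIX}#{DEMO_TENANCY_OCID}"],
     ['OU', 'opc-instance:ocid1.instance.oc1..exampleuniqueid']],
    leaf_key, 3, ca: false, issuer_cert: inter, issuer_key: inter_key
  )
  [root, inter, leaf]
end

if __FILE__ == $PROGRAM_NAME
  root, inter, leaf = build_demo_chain
  puts "tenancy: #{tenancy_id_from_certificate(leaf)}"
  puts "chain verifies with intermediate: #{leaf_chains_to_root?(leaf, [inter], [root])}"
  puts "chain verifies without intermediate: #{leaf_chains_to_root?(leaf, [], [root])}"
end
```

The second verification call deliberately omits the intermediate: the signer fetches `identity/intermediate.pem` precisely because the leaf alone does not chain to anything, and the federation endpoint can only validate the request when the intermediates are presented alongside the leaf.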

Constant Summary

METADATA_URL_BASE = 'http://169.254.169.254/opc/v1'.freeze
GET_REGION_URL = "#{METADATA_URL_BASE}/instance/region".freeze
LEAF_CERTIFICATE_URL = "#{METADATA_URL_BASE}/identity/cert.pem".freeze
LEAF_CERTIFICATE_PRIVATE_KEY_URL = "#{METADATA_URL_BASE}/identity/key.pem".freeze
INTERMEDIATE_CERTIFICATE_URL = "#{METADATA_URL_BASE}/identity/intermediate.pem".freeze

Constants inherited from BaseSigner

BaseSigner::BODY_HEADERS, BaseSigner::GENERIC_HEADERS, BaseSigner::SIGNATURE_VERSION, BaseSigner::SIGNING_STRATEGY_ENUM

Instance Attribute Summary

Instance Method Summary

Methods inherited from X509FederationClientBasedSecurityTokenSigner

#refresh_security_token, #sign

Methods inherited from BaseSigner

#sign

Constructor Details

#initialize(federation_endpoint: nil, federation_client_cert_bundle: nil, signing_strategy: OCI::BaseSigner::STANDARD, headers_to_sign_in_all_requests: OCI::BaseSigner::GENERIC_HEADERS, body_headers_to_sign: OCI::BaseSigner::BODY_HEADERS) ⇒ InstancePrincipalsSecurityTokenSigner

Creates a new InstancePrincipalsSecurityTokenSigner

Parameters:

  • federation_endpoint (String) (defaults to: nil)

    The endpoint from which the instance principals auth token is retrieved. If not provided, this defaults to the Auth service federation endpoint of the region the instance is in

  • federation_client_cert_bundle (String) (defaults to: nil)

    The full file path to a custom certificate bundle which can be used for SSL verification against the federation_endpoint. If not provided (e.g. because a custom bundle is not needed), defaults to nil

  • signing_strategy (String) (defaults to: OCI::BaseSigner::STANDARD)

    Whether this signer is used for Object Storage requests or not. Acceptable values are BaseSigner::STANDARD and BaseSigner::OBJECT_STORAGE. If not provided, defaults to BaseSigner::STANDARD

  • headers_to_sign_in_all_requests (Array<String>) (defaults to: OCI::BaseSigner::GENERIC_HEADERS)

    An array of headers which will be signed in each request. If not provided, defaults to BaseSigner::GENERIC_HEADERS

  • body_headers_to_sign (Array<String>) (defaults to: OCI::BaseSigner::BODY_HEADERS)

    An array of headers which should be signed on requests with bodies. If not provided, defaults to BaseSigner::BODY_HEADERS

# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 54

def initialize(
  federation_endpoint: nil,
  federation_client_cert_bundle: nil,
  signing_strategy: OCI::BaseSigner::STANDARD,
  headers_to_sign_in_all_requests: OCI::BaseSigner::GENERIC_HEADERS,
  body_headers_to_sign: OCI::BaseSigner::BODY_HEADERS
)

  # Leaf certificate and its private key, plus the intermediate chain, are all
  # fetched from the instance metadata endpoint.
  @leaf_certificate_retriever = OCI::Auth::UrlBasedCertificateRetriever.new(
    LEAF_CERTIFICATE_URL, private_key_url: LEAF_CERTIFICATE_PRIVATE_KEY_URL
  )
  @intermediate_certificate_retriever = OCI::Auth::UrlBasedCertificateRetriever.new(
    INTERMEDIATE_CERTIFICATE_URL
  )
  # Session key pair used to sign requests once a token has been obtained.
  @session_key_supplier = OCI::Auth::SessionKeySupplier.new
  # The tenancy is not fetched separately; it is read out of the leaf certificate.
  @tenancy_id = OCI::Auth::Util.get_tenancy_id_from_certificate(
    @leaf_certificate_retriever.certificate
  )

  # The metadata endpoint may return a region short name (e.g. a three-letter
  # code); map it to the long name when it is known, otherwise keep it as-is.
  raw_region = Net::HTTP.get(URI(GET_REGION_URL)).strip.downcase
  symbolised_raw_region = raw_region.to_sym
  @region = if OCI::Regions::REGION_SHORT_NAMES_TO_LONG_NAMES.key?(symbolised_raw_region)
              OCI::Regions::REGION_SHORT_NAMES_TO_LONG_NAMES[symbolised_raw_region]
            else
              raw_region
            end

  # Default to the Auth service endpoint of the instance's own region.
  @federation_endpoint = federation_endpoint || "#{OCI::Regions.get_service_endpoint(@region, :Auth)}/v1/x509"

  @federation_client = OCI::Auth::FederationClient.new(
    @federation_endpoint,
    @tenancy_id,
    @session_key_supplier,
    @leaf_certificate_retriever,
    intermediate_certificate_suppliers: [@intermediate_certificate_retriever],
    cert_bundle_path: federation_client_cert_bundle
  )

  super(
    @federation_client,
    signing_strategy: signing_strategy,
    headers_to_sign_in_all_requests: headers_to_sign_in_all_requests,
    body_headers_to_sign: body_headers_to_sign
  )
end

Instance Attribute Details

#region ⇒ String (readonly)

The region the instance is in, as returned from the metadata endpoint for the instance (http://169.254.169.254/opc/v1/instance/region)

Returns:

  • (String)

    The region for the instance

# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 32

def region
  @region
end