Class: OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner

Inherits:

X509FederationClientBasedSecurityTokenSigner

• Object
• BaseSigner
• SecurityTokenSigner
• X509FederationClientBasedSecurityTokenSigner
• OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner

Defined in:

lib/oci/auth/signers/instance_principals_security_token_signer.rb

Overview

A SecurityTokenSigner which uses a security token for an instance principal. This signer can also refresh its token as needed.

This signer is self-sufficient in that its internals know how to source the required information to request and

use the token:

* Using the metadata endpoint for the instance (http://169.254.169.254/opc/v1) we can discover the region the
  instance is in, its leaf certificate and any intermediate certificates (for requesting the token) and the
  tenancy (as) that is in the leaf certificate.
* The signer leverages {OCI::Auth::FederationClient} so it can refresh the security token and also get the
  private key needed to sign requests (via the client's session_key_supplier)

Constant Summary

METADATA_URL_BASE =

'http://169.254.169.254/opc/v1'.freeze

GET_REGION_URL =

"#{METADATA_URL_BASE}/instance/region".freeze

LEAF_CERTIFICATE_URL =

"#{METADATA_URL_BASE}/identity/cert.pem".freeze

LEAF_CERTIFICATE_PRIVATE_KEY_URL =

"#{METADATA_URL_BASE}/identity/key.pem".freeze

INTERMEDIATE_CERTIFICATE_URL =

"#{METADATA_URL_BASE}/identity/intermediate.pem".freeze

Constants inherited from BaseSigner

BaseSigner::BODY_HEADERS, BaseSigner::GENERIC_HEADERS, BaseSigner::SIGNATURE_VERSION, BaseSigner::SIGNING_STRATEGY_ENUM

Instance Attribute Summary

• #region ⇒ String readonly

  The region the instance is in, as returned from the metadata endpoint for the instance (169.254.169.254/opc/v1/instance/region).

Instance Method Summary

• #initialize(federation_endpoint: nil, federation_client_cert_bundle: nil, signing_strategy: OCI::BaseSigner::STANDARD, headers_to_sign_in_all_requests: OCI::BaseSigner::GENERIC_HEADERS, body_headers_to_sign: OCI::BaseSigner::BODY_HEADERS) ⇒ InstancePrincipalsSecurityTokenSigner constructor

  Creates a new InstancePrincipalsSecurityTokenSigner.

Methods inherited from X509FederationClientBasedSecurityTokenSigner

#refresh_security_token, #sign

Methods inherited from BaseSigner

#sign

Constructor Details

#initialize(federation_endpoint: nil, federation_client_cert_bundle: nil, signing_strategy: OCI::BaseSigner::STANDARD, headers_to_sign_in_all_requests: OCI::BaseSigner::GENERIC_HEADERS, body_headers_to_sign: OCI::BaseSigner::BODY_HEADERS) ⇒ InstancePrincipalsSecurityTokenSigner

Creates a new InstancePrincipalsSecurityTokenSigner

Parameters:

• federation_endpoint (String) (defaults to: nil) —

  The endpoint where we will retrieve the instance principals auth token from. If not provided, this will default to the endpoint which the instance is in

• federation_client_cert_bundle (String) (defaults to: nil) —

  The full file path to a custom certificate bundle which can be used for SSL verification against the federation_endpoint. If not provided (e.g. because a custom bundle is not needed), defaults to nil

• signing_strategy (String) (defaults to: OCI::BaseSigner::STANDARD) —

  Whether this signer is used for Object Storage requests or not. Acceptable values are BaseSigner::STANDARD and BaseSigner::OBJECT_STORAGE. If not provided, defaults to BaseSigner::STANDARD

• headers_to_sign_in_all_requests (Array<String>) (defaults to: OCI::BaseSigner::GENERIC_HEADERS) —

  An array of headers which will be signed in each request. If not provided, defaults to BaseSigner::GENERIC_HEADERS

• body_headers_to_sign (Array<String>) (defaults to: OCI::BaseSigner::BODY_HEADERS) —

  An array of headers which should be signed on requests with bodies. If not provided, defaults to BaseSigner::BODY_HEADERS

# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 54

def initialize(
  federation_endpoint: nil,
  federation_client_cert_bundle: nil,
  signing_strategy: OCI::BaseSigner::STANDARD,
  headers_to_sign_in_all_requests: OCI::BaseSigner::GENERIC_HEADERS,
  body_headers_to_sign: OCI::BaseSigner::BODY_HEADERS
)

  @leaf_certificate_retriever = OCI::Auth::UrlBasedCertificateRetriever.new(
    LEAF_CERTIFICATE_URL, private_key_url: LEAF_CERTIFICATE_PRIVATE_KEY_URL
  )
  @intermediate_certificate_retriever = OCI::Auth::UrlBasedCertificateRetriever.new(
    INTERMEDIATE_CERTIFICATE_URL
  )
  @session_key_supplier = OCI::Auth::SessionKeySupplier.new
  @tenancy_id = OCI::Auth::Util.get_tenancy_id_from_certificate(
    @leaf_certificate_retriever.certificate
  )

  raw_region = Net::HTTP.get(URI(GET_REGION_URL)).strip.downcase
  symbolised_raw_region = raw_region.to_sym
  @region = if OCI::Regions::REGION_SHORT_NAMES_TO_LONG_NAMES.key?(symbolised_raw_region)
              OCI::Regions::REGION_SHORT_NAMES_TO_LONG_NAMES[symbolised_raw_region]
            else
              raw_region
            end

  @federation_endpoint = federation_endpoint || "#{OCI::Regions.get_service_endpoint(@region, :Auth)}/v1/x509"

  @federation_client = OCI::Auth::FederationClient.new(
    @federation_endpoint,
    @tenancy_id,
    @session_key_supplier,
    @leaf_certificate_retriever,
    intermediate_certificate_suppliers: [@intermediate_certificate_retriever],
    cert_bundle_path: federation_client_cert_bundle
  )

  super(
    @federation_client,
    signing_strategy: signing_strategy,
    headers_to_sign_in_all_requests: headers_to_sign_in_all_requests,
    body_headers_to_sign: body_headers_to_sign
  )
end

Instance Attribute Details

#region ⇒ String (readonly)

The region the instance is in, as returned from the metadata endpoint for the instance

(http://169.254.169.254/opc/v1/instance/region)

Returns:

• (String) —

  The region for the instance

# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 32

def region
  @region
end