Class: OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner

Inherits:
X509FederationClientBasedSecurityTokenSigner
Defined in:
lib/oci/auth/signers/instance_principals_security_token_signer.rb

Overview

A SecurityTokenSigner which uses a security token for an instance principal. This signer can also refresh its token as needed.

This signer is self-sufficient: its internals know how to source everything needed to request and use the token:

* Using the instance metadata endpoint (METADATA_URL_BASE, http://169.254.169.254/opc/v2) we can discover the region the
  instance is in, its leaf certificate and any intermediate certificates (for requesting the token) and the
  tenancy (as that is in the leaf certificate). Because this endpoint is link-local and unauthenticated at the network
  level, any process on the instance that can reach it can obtain the same credential material.
* The signer leverages {OCI::Auth::FederationClient} so it can refresh the security token and also get the
  private key needed to sign requests (via the client's session_key_supplier)

Constant Summary collapse

# Every piece of credential material for an instance principal is read from the
# instance metadata service (IMDS) at the link-local address below, over plain
# HTTP. That address is only reachable from the instance itself, which is also
# the trust boundary: anything running on the instance that can reach it can
# fetch the same certificate and private key this signer uses.
METADATA_URL_BASE = 'http://169.254.169.254/opc/v2'.freeze
# Region the instance is in (a short name that initialize maps to its long name when known).
GET_REGION_URL = "#{METADATA_URL_BASE}/instance/region".freeze
# Extended region information; not referenced by the code shown in this listing.
GET_REGION_INFO_URL = "#{METADATA_URL_BASE}/instance/regionInfo/".freeze
# Leaf certificate identifying the instance, and the private key proving possession of it.
LEAF_CERTIFICATE_URL = "#{METADATA_URL_BASE}/identity/cert.pem".freeze
LEAF_CERTIFICATE_PRIVATE_KEY_URL = "#{METADATA_URL_BASE}/identity/key.pem".freeze
# Intermediate certificate(s) sent alongside the leaf when requesting the token.
INTERMEDIATE_CERTIFICATE_URL = "#{METADATA_URL_BASE}/identity/intermediate.pem".freeze

Constants inherited from BaseSigner

BaseSigner::BODY_HEADERS, BaseSigner::GENERIC_HEADERS, BaseSigner::SIGNATURE_VERSION, BaseSigner::SIGNING_STRATEGY_ENUM

Instance Attribute Summary collapse

Instance Method Summary collapse

Methods inherited from X509FederationClientBasedSecurityTokenSigner

#refresh_security_token, #sign

Methods inherited from BaseSigner

#sign

Constructor Details

#initialize(federation_endpoint: nil, federation_client_cert_bundle: nil, signing_strategy: OCI::BaseSigner::STANDARD, headers_to_sign_in_all_requests: OCI::BaseSigner::GENERIC_HEADERS, body_headers_to_sign: OCI::BaseSigner::BODY_HEADERS, additional_auth_params: {}) ⇒ InstancePrincipalsSecurityTokenSigner

Creates a new InstancePrincipalsSecurityTokenSigner. Construction talks to the instance metadata service (certificates, private key and region), so it must run on the OCI instance whose principal is being used.



# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 58

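# Creates a new InstancePrincipalsSecurityTokenSigner.
#
# Construction is not side-effect free: it reads the instance's leaf
# certificate, its private key and the intermediate certificate from the
# link-local metadata service (the *_URL constants), derives the tenancy from
# the leaf certificate, and asks the metadata service for the region so the
# federation endpoint can be resolved. Anything on the instance that can reach
# 169.254.169.254 can obtain the same material, so instance-principal
# credentials are exactly as private as the instance itself.
#
# @param federation_endpoint [String, nil] Endpoint of the identity x509
#   federation API. When nil it is derived from the instance's region. The
#   instance certificates and the session public key are sent to this endpoint
#   to obtain the security token, so only supply an override you trust.
# @param federation_client_cert_bundle [String, nil] Forwarded to
#   {OCI::Auth::FederationClient} as +cert_bundle_path+ (presumably the CA
#   bundle used to verify the federation endpoint's TLS certificate — confirm
#   in FederationClient).
# @param signing_strategy Forwarded unchanged to the base signer
#   (defaults to OCI::BaseSigner::STANDARD).
# @param headers_to_sign_in_all_requests Headers signed on every request
#   (defaults to OCI::BaseSigner::GENERIC_HEADERS).
# @param body_headers_to_sign Additional headers signed when a request carries
#   a body (defaults to OCI::BaseSigner::BODY_HEADERS).
# @param additional_auth_params [Hash] Extra parameters forwarded to the
#   federation client.
# @raise [RuntimeError] if the metadata service does not answer the region
#   request with a successful, non-empty response
def initialize(
  federation_endpoint: nil,
  federation_client_cert_bundle: nil,
  signing_strategy: OCI::BaseSigner::STANDARD,
  headers_to_sign_in_all_requests: OCI::BaseSigner::GENERIC_HEADERS,
  body_headers_to_sign: OCI::BaseSigner::BODY_HEADERS,
  additional_auth_params: {}
)
  # The leaf retriever is also given the private-key URL: the key proving
  # possession of the leaf certificate is fetched from the metadata service,
  # not generated locally. Only the session key (below) is generated locally.
  @leaf_certificate_retriever = OCI::Auth::UrlBasedCertificateRetriever.new(
    LEAF_CERTIFICATE_URL, private_key_url: LEAF_CERTIFICATE_PRIVATE_KEY_URL
  )
  @intermediate_certificate_retriever = OCI::Auth::UrlBasedCertificateRetriever.new(
    INTERMEDIATE_CERTIFICATE_URL
  )
  @session_key_supplier = OCI::Auth::SessionKeySupplier.new
  # The tenancy is never taken from caller input; it is read out of the leaf
  # certificate the metadata service issued for this instance.
  @tenancy_id = OCI::Auth::Util.get_tenancy_id_from_certificate(
    @leaf_certificate_retriever.certificate
  )

  # Ask the metadata service which region this instance is in. The request
  # is built by the shared metadata helper (the v2 endpoint expects an
  # authorization header; presumably the helper adds it — confirm in Util).
  region_uri = URI(GET_REGION_URL)
  raw_region = nil
  Net::HTTP.new(region_uri.hostname, region_uri.port).request(
    OCI::Auth::Util.get_metadata_request(GET_REGION_URL, 'get')
  ) do |response|
    # Never treat an error page as a region name: only a successful
    # response body is accepted, and it is normalised before lookup.
    unless response.is_a?(Net::HTTPSuccess)
      raise "Unable to read the instance region from #{GET_REGION_URL}: HTTP #{response.code}"
    end

    raw_region = response.body.to_s.strip.downcase
  end
  if raw_region.nil? || raw_region.empty?
    raise "Metadata service returned an empty region from #{GET_REGION_URL}"
  end

  # Known short names (e.g. from REGION_SHORT_NAMES_TO_LONG_NAMES) are mapped to
  # their long form; anything else is passed through unchanged so that a region
  # newer than this SDK still works.
  @region = OCI::Regions::REGION_SHORT_NAMES_TO_LONG_NAMES.fetch(raw_region.to_sym, raw_region)

  @federation_endpoint = federation_endpoint || "#{OCI::Regions.get_service_endpoint(@region, :Auth)}/v1/x509"

  @federation_client = OCI::Auth::FederationClient.new(
    @federation_endpoint,
    @tenancy_id,
    @session_key_supplier,
    @leaf_certificate_retriever,
    intermediate_certificate_suppliers: [@intermediate_certificate_retriever],
    cert_bundle_path: federation_client_cert_bundle,
    additional_auth_params: additional_auth_params
  )

  super(
    @federation_client,
    signing_strategy: signing_strategy,
    headers_to_sign_in_all_requests: headers_to_sign_in_all_requests,
    body_headers_to_sign: body_headers_to_sign
  )
end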

Instance Attribute Details

#regionString (readonly)

The region the instance is in, as returned from the instance metadata endpoint (GET_REGION_URL, http://169.254.169.254/opc/v2/instance/region) and mapped to its long name when the returned short name is known to the SDK.


# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 33

# Region this instance runs in, as reported by the instance metadata service
# during construction and mapped to its long name when the short name is known.
#
# @return [String] the region, or nil if the signer has not been initialised
def region
  @region
end