Class: OCI::Auth::FederationClient

Inherits:
Object
Defined in:
lib/oci/auth/federation_client.rb

Overview

A client which can be used to retrieve a token from Auth Service. It needs the following supplied to it:

  • The endpoint for Auth Service

  • Our tenancy OCID

  • A session key supplier so that we can send its public key as part of the token request. The private key in the session key supplier should be used to sign all requests made with the token

  • The certificate (via leaf_certificate_supplier) which will be used to sign the requests to Auth Service.

Optionally, intermediate certificates (if present) can be supplied as part of the request to Auth Service.

The client remembers its last requested token: it re-requests the token when that one has expired, and otherwise vends the cached token.

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize(federation_endpoint, tenancy_id, session_key_supplier, leaf_certificate_supplier, intermediate_certificate_suppliers: [], cert_bundle_path: nil, additional_auth_params: {}) ⇒ FederationClient

Creates a new FederationClient

Parameters:

  • federation_endpoint (String)

    The Auth Service endpoint from which to retrieve the token

  • tenancy_id (String)

    The OCID of the tenancy whose resources will be interacted with by users of the token

  • session_key_supplier (OCI::Auth::SessionKeySupplier)

    A supplier which vends a private and public key for signing token requests to Auth Service

  • leaf_certificate_supplier (OCI::Auth::UrlBasedCertificateRetriever)

    The certificate which will be used to sign requests to Auth Service

  • intermediate_certificate_suppliers (Array<OCI::Auth::UrlBasedCertificateRetriever>) (defaults to: [])

    An array of retrievers used to fetch intermediate certificates, which are sent as part of the Auth Service request. If not provided, defaults to an empty array

  • cert_bundle_path (String) (defaults to: nil)

    The full file path to a custom certificate bundle which can be used for SSL verification against the Auth Service endpoint. If not provided (e.g. because a custom bundle is not needed), defaults to nil

  • additional_auth_params (Hash<String>) (defaults to: {})

    Additional parameters to pass as part of the Auth Service request. If not provided, defaults to an empty hash

# File 'lib/oci/auth/federation_client.rb', line 41

def initialize(federation_endpoint, tenancy_id, session_key_supplier, leaf_certificate_supplier, intermediate_certificate_suppliers: [], cert_bundle_path: nil, additional_auth_params: {})
  @federation_endpoint = federation_endpoint
  uri = URI(@federation_endpoint)
  @federation_http_client = Net::HTTP.new(uri.hostname, uri.port)
  # TLS is used only when the endpoint scheme is https
  @federation_http_client.use_ssl = (uri.scheme == 'https')
  # A custom CA bundle, when given, is used to verify the Auth Service endpoint
  @federation_http_client.ca_file = cert_bundle_path if cert_bundle_path
  @additional_auth_params = additional_auth_params

  @tenancy_id = tenancy_id
  @session_key_supplier = session_key_supplier
  @leaf_certificate_supplier = leaf_certificate_supplier
  @intermediate_certificate_suppliers = intermediate_certificate_suppliers

  # Lock held while a new token is requested; no token is cached until the first request
  @refresh_lock = Mutex.new
  @security_token = nil
end

Instance Attribute Details

#session_key_supplier ⇒ OCI::Auth::SessionKeySupplier (readonly)

A supplier which vends a private and public key for signing token requests to Auth Service. The public key will be sent as part of the token request and the private key should be used to sign all requests made with the token vended by this client

Returns:

  • (OCI::Auth::SessionKeySupplier)

    The session key supplier held by the client

# File 'lib/oci/auth/federation_client.rb', line 28

def session_key_supplier
  @session_key_supplier
end

Instance Method Details

#security_token ⇒ String

Retrieves the security token held by the client. If the previously retrieved token is still valid, it is vended rather than making another request

Returns:

  • (String)

    The security token

# File 'lib/oci/auth/federation_client.rb', line 70

def security_token
  return @security_token.security_token if @security_token && @security_token.token_valid?

  refresh_security_token_inner
end

#security_token! ⇒ String

Retrieves a security token, but always asks Auth Service for a new token, regardless of whether or not the previously requested token is still valid

Returns:

  • (String)

    The security token

# File 'lib/oci/auth/federation_client.rb', line 63

def security_token!
  refresh_security_token_inner
end
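The vending rules described above for #security_token and #security_token! (reuse an unexpired token, force a refresh on the bang variant, serialise refreshes with a Mutex), as an added stand-alone example that is not part of the SDK: TokenContainer, CachingTokenClient and make_token are constructed for this illustration, the token is assumed to be a JWT-shaped string with an exp claim, and the fetcher block stands in for the HTTP request to Auth Service.

```ruby
require 'json'

# Constructed JWT-shaped token with an 'exp' claim; the signature is a placeholder.
def make_token(exp)
  segs = [{ alg: 'RS256', typ: 'JWT' }, { sub: 'constructed-subject', exp: exp }]
  segs.map { |h| [h.to_json].pack('m0').tr('+/', '-_').delete('=') }.join('.') + '.placeholder-signature'
end

# base64url segments carry no padding, so restore it before strict decoding.
def b64url_decode(str)
  s = str.tr('-_', '+/')
  (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0')
end

# Holds one token; token_valid? looks only at expiry (the client does not verify
# the signature, the services that receive the token do).
class TokenContainer
  attr_reader :security_token
  def initialize(security_token)
    @security_token = security_token
  end
  def token_valid?(now)
    JSON.parse(b64url_decode(@security_token.split('.')[1]))['exp'].to_i > now
  end
end

# Mirrors the vending rules: security_token reuses an unexpired token, security_token!
# always refreshes, and refreshes are serialised by a Mutex. clock returns epoch
# seconds; the fetcher block stands in for the request to the Auth Service endpoint.
class CachingTokenClient
  attr_reader :fetch_count
  def initialize(clock, &fetcher)
    @clock, @fetcher, @lock, @token, @fetch_count = clock, fetcher, Mutex.new, nil, 0
  end
  def security_token
    return @token.security_token if @token && @token.token_valid?(@clock.call)
    refresh(force: false)
  end
  def security_token!
    refresh(force: true)
  end
  private
  def refresh(force:)
    @lock.synchronize do
      # Re-check under the lock so concurrent callers share a single refresh.
      return @token.security_token if !force && @token && @token.token_valid?(@clock.call)
      @fetch_count += 1
      @token = TokenContainer.new(@fetcher.call)
      @token.security_token
    end
  end
end
```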