Class: OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner

Inherits:
X509FederationClientBasedSecurityTokenSigner show all
Defined in:
lib/oci/auth/signers/instance_principals_security_token_signer.rb

Overview

A SecurityTokenSigner which uses a security token for an instance principal. This signer can also refresh its token as needed.

This signer is self-sufficient in that its internals know how to source the required information to request and use the token:

  • Using the metadata endpoint for the instance (169.254.169.254/opc/v1) we can discover the region the instance is in, its leaf certificate and any intermediate certificates (for requesting the token) and the tenancy (as) that is in the leaf certificate.

  • The signer leverages FederationClient so it can refresh the security token and also get the private key needed to sign requests (via the client's session_key_supplier)

Direct Known Subclasses

InstancePrincipalsDelegationTokenSigner

Constant Summary collapse

METADATA_URL_BASE = 
'http://169.254.169.254/opc/v2'.freeze
GET_REGION_URL = 
"#{METADATA_URL_BASE}/instance/region".freeze
GET_REGION_INFO_URL = 
"#{METADATA_URL_BASE}/instance/regionInfo/".freeze
LEAF_CERTIFICATE_URL = 
"#{METADATA_URL_BASE}/identity/cert.pem".freeze
LEAF_CERTIFICATE_PRIVATE_KEY_URL = 
"#{METADATA_URL_BASE}/identity/key.pem".freeze
INTERMEDIATE_CERTIFICATE_URL = 
"#{METADATA_URL_BASE}/identity/intermediate.pem".freeze

Constants inherited from BaseSigner

BaseSigner::BODY_HEADERS, BaseSigner::GENERIC_HEADERS, BaseSigner::SIGNATURE_VERSION, BaseSigner::SIGNING_STRATEGY_ENUM

Instance Attribute Summary collapse

Instance Method Summary collapse

Methods inherited from X509FederationClientBasedSecurityTokenSigner

#refresh_security_token, #sign

Methods inherited from BaseSigner

#sign

Constructor Details

#initialize(federation_endpoint: nil, federation_client_cert_bundle: nil, signing_strategy: OCI::BaseSigner::STANDARD, headers_to_sign_in_all_requests: OCI::BaseSigner::GENERIC_HEADERS, body_headers_to_sign: OCI::BaseSigner::BODY_HEADERS, additional_auth_params: {}) ⇒ InstancePrincipalsSecurityTokenSigner

Creates a new InstancePrincipalsSecurityTokenSigner

Parameters:

  • federation_endpoint (String) (defaults to: nil)

    The endpoint where we will retrieve the instance principals auth token from. If not provided, this will default to the endpoint which the instance is in

  • federation_client_cert_bundle (String) (defaults to: nil)

    The full file path to a custom certificate bundle which can be used for SSL verification against the federation_endpoint. If not provided (e.g. because a custom bundle is not needed), defaults to nil

  • signing_strategy (String) (defaults to: OCI::BaseSigner::STANDARD)

    Whether this signer is used for Object Storage requests or not. Acceptable values are BaseSigner::STANDARD and BaseSigner::OBJECT_STORAGE. If not provided, defaults to BaseSigner::STANDARD

  • headers_to_sign_in_all_requests (Array<String>) (defaults to: OCI::BaseSigner::GENERIC_HEADERS)

    An array of headers which will be signed in each request. If not provided, defaults to BaseSigner::GENERIC_HEADERS

  • body_headers_to_sign (Array<String>) (defaults to: OCI::BaseSigner::BODY_HEADERS)

    An array of headers which should be signed on requests with bodies. If not provided, defaults to BaseSigner::BODY_HEADERS

  • additional_auth_params (Hash<String>) (defaults to: {})

    Additional parameters for the federation client to pass as part of the Auth Service request. If not provided, defaults to an empty hash

[View source]

58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
 
# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 58

def initialize(
  federation_endpoint: nil,
  federation_client_cert_bundle: nil,
  signing_strategy: OCI::BaseSigner::STANDARD,
  headers_to_sign_in_all_requests: OCI::BaseSigner::GENERIC_HEADERS,
  body_headers_to_sign: OCI::BaseSigner::BODY_HEADERS,
  additional_auth_params: {}
)

  @leaf_certificate_retriever = OCI::Auth::UrlBasedCertificateRetriever.new(
    LEAF_CERTIFICATE_URL, private_key_url: LEAF_CERTIFICATE_PRIVATE_KEY_URL
  )
  @intermediate_certificate_retriever = OCI::Auth::UrlBasedCertificateRetriever.new(
    INTERMEDIATE_CERTIFICATE_URL
  )
  @session_key_supplier = OCI::Auth::SessionKeySupplier.new
  @tenancy_id = OCI::Auth::Util.get_tenancy_id_from_certificate(
    @leaf_certificate_retriever.certificate
  )

  uri = URI(GET_REGION_URL)
  raw_region_client = Net::HTTP.new(uri.hostname, uri.port)
  raw_region = nil
  raw_region_client.request(OCI::Auth::Util.get_metadata_request(GET_REGION_URL, 'get')) do |response|
    raw_region = response.body.strip.downcase
  end
  symbolised_raw_region = raw_region.to_sym
  @region = if OCI::Regions::REGION_SHORT_NAMES_TO_LONG_NAMES.key?(symbolised_raw_region)
              OCI::Regions::REGION_SHORT_NAMES_TO_LONG_NAMES[symbolised_raw_region]
            else
              raw_region
            end

  @federation_endpoint = federation_endpoint || "#{OCI::Regions.get_service_endpoint(@region, :Auth)}/v1/x509"

  @federation_client = OCI::Auth::FederationClient.new(
    @federation_endpoint,
    @tenancy_id,
    @session_key_supplier,
    @leaf_certificate_retriever,
    intermediate_certificate_suppliers: [@intermediate_certificate_retriever],
    cert_bundle_path: federation_client_cert_bundle,
    additional_auth_params: additional_auth_params
  )

  super(
    @federation_client,
    signing_strategy: signing_strategy,
    headers_to_sign_in_all_requests: ,
    body_headers_to_sign: body_headers_to_sign
  )
end

Instance Attribute Details

#regionString (readonly)

The region the instance is in, as returned from the metadata endpoint for the instance (169.254.169.254/opc/v1/instance/region)

Returns:

  • (String)

    The region for the instance


33
34
35
 
# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 33

def region
  @region
end