Class: OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner
Inherits: X509FederationClientBasedSecurityTokenSigner
Ancestors: Object > BaseSigner > SecurityTokenSigner > X509FederationClientBasedSecurityTokenSigner > OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner
Defined in: lib/oci/auth/signers/instance_principals_security_token_signer.rb
Overview
A SecurityTokenSigner which uses a security token for an instance principal. This signer can also refresh its token as needed.
This signer is self-sufficient in that its internals know how to source the required information to request and use the token:
- Using the metadata endpoint for the instance (169.254.169.254/opc/v1) we can discover the region the instance is in, its leaf certificate and any intermediate certificates (for requesting the token), and the tenancy ID that is in the leaf certificate.
- The signer leverages FederationClient so it can refresh the security token and also get the private key needed to sign requests (via the client's session_key_supplier).
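The bootstrap steps the overview describes, modelled in plain Ruby as an added example (not code from the OCI SDK or this page) so they can be exercised without an instance: the metadata request with the Authorization header the v2 endpoint requires, short-to-long region normalisation against a constructed subset of the SDK's table, and extraction of the tenancy OCID from the leaf certificate. The injectable http object, the sample region table and the opc-tenant subject OU convention are assumptions made here.

```ruby
require 'net/http'
require 'uri'
require 'openssl'

METADATA_V2 = 'http://169.254.169.254/opc/v2'.freeze
REGION_URL = "#{METADATA_V2}/instance/region".freeze
# Constructed subset of the SDK's OCI::Regions::REGION_SHORT_NAMES_TO_LONG_NAMES table
SHORT_TO_LONG = { phx: 'us-phoenix-1', iad: 'us-ashburn-1', fra: 'eu-frankfurt-1' }.freeze

# IMDS v2 rejects requests that lack this header, which is what stops a plain
# GET forged through a request-forgery flaw in a workload from reading the
# instance's identity material.
def metadata_request(url)
  req = Net::HTTP::Get.new(URI(url))
  req['Authorization'] = 'Bearer Oracle'
  req
end

# The endpoint may answer with a short code or a long name; callers want the long name.
def normalize_region(raw)
  key = raw.strip.downcase
  SHORT_TO_LONG.fetch(key.to_sym, key)
end

# http is any object responding to #request(req) with a #code/#body response
# (Net::HTTP on a real instance, a stub in tests), so the step runs offline.
def fetch_region(http)
  resp = http.request(metadata_request(REGION_URL))
  raise "metadata endpoint returned HTTP #{resp.code}" unless resp.code == '200'
  normalize_region(resp.body)
end

# Assumed convention: the leaf certificate carries the tenancy OCID in a
# subject OU of the form "opc-tenant:<ocid>".
def tenancy_from_leaf_cert(pem)
  cert = OpenSSL::X509::Certificate.new(pem)
  entry = cert.subject.to_a.find { |name, value, _| name == 'OU' && value.start_with?('opc-tenant:') }
  raise 'leaf certificate carries no opc-tenant OU' unless entry
  entry[1].delete_prefix('opc-tenant:')
end

if __FILE__ == $PROGRAM_NAME
  # On a real instance: fetch_region(Net::HTTP.new('169.254.169.254', 80))
  puts normalize_region("PHX\n")
end
```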
Constant Summary
- METADATA_URL_BASE = 'http://169.254.169.254/opc/v2'.freeze
- GET_REGION_URL = "#{METADATA_URL_BASE}/instance/region".freeze
- GET_REGION_INFO_URL = "#{METADATA_URL_BASE}/instance/regionInfo/".freeze
- LEAF_CERTIFICATE_URL = "#{METADATA_URL_BASE}/identity/cert.pem".freeze
- LEAF_CERTIFICATE_PRIVATE_KEY_URL = "#{METADATA_URL_BASE}/identity/key.pem".freeze
- INTERMEDIATE_CERTIFICATE_URL = "#{METADATA_URL_BASE}/identity/intermediate.pem".freeze
Constants inherited from BaseSigner
BaseSigner::BODY_HEADERS, BaseSigner::GENERIC_HEADERS, BaseSigner::SIGNATURE_VERSION, BaseSigner::SIGNING_STRATEGY_ENUM
Instance Attribute Summary
- #region ⇒ String (readonly): The region the instance is in, as returned from the metadata endpoint for the instance (169.254.169.254/opc/v1/instance/region).
Instance Method Summary
- #initialize(federation_endpoint: nil, federation_client_cert_bundle: nil, signing_strategy: OCI::BaseSigner::STANDARD, headers_to_sign_in_all_requests: OCI::BaseSigner::GENERIC_HEADERS, body_headers_to_sign: OCI::BaseSigner::BODY_HEADERS, additional_auth_params: {}) ⇒ InstancePrincipalsSecurityTokenSigner (constructor): Creates a new InstancePrincipalsSecurityTokenSigner.
Methods inherited from X509FederationClientBasedSecurityTokenSigner: #refresh_security_token, #sign
Constructor Details
#initialize(federation_endpoint: nil, federation_client_cert_bundle: nil, signing_strategy: OCI::BaseSigner::STANDARD, headers_to_sign_in_all_requests: OCI::BaseSigner::GENERIC_HEADERS, body_headers_to_sign: OCI::BaseSigner::BODY_HEADERS, additional_auth_params: {}) ⇒ InstancePrincipalsSecurityTokenSigner
Creates a new InstancePrincipalsSecurityTokenSigner.

```ruby
# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 58

def initialize(
  federation_endpoint: nil,
  federation_client_cert_bundle: nil,
  signing_strategy: OCI::BaseSigner::STANDARD,
  headers_to_sign_in_all_requests: OCI::BaseSigner::GENERIC_HEADERS,
  body_headers_to_sign: OCI::BaseSigner::BODY_HEADERS,
  additional_auth_params: {}
)
  # The leaf certificate and its private key are served by the instance metadata endpoint
  @leaf_certificate_retriever = OCI::Auth::UrlBasedCertificateRetriever.new(
    LEAF_CERTIFICATE_URL, private_key_url: LEAF_CERTIFICATE_PRIVATE_KEY_URL
  )
  @intermediate_certificate_retriever = OCI::Auth::UrlBasedCertificateRetriever.new(
    INTERMEDIATE_CERTIFICATE_URL
  )
  # Supplies the session key pair whose private half signs requests
  @session_key_supplier = OCI::Auth::SessionKeySupplier.new
  # The tenancy OCID is embedded in the leaf certificate
  @tenancy_id = OCI::Auth::Util.get_tenancy_id_from_certificate(
    @leaf_certificate_retriever.certificate
  )

  uri = URI(GET_REGION_URL)
  raw_region_client = Net::HTTP.new(uri.hostname, uri.port)
  raw_region = nil
  # The method name after "Util." was lost in extraction; restored here as
  # get_metadata_request, the SDK helper that builds a metadata-service request
  # (including the Authorization header the v2 endpoint requires)
  raw_region_client.request(OCI::Auth::Util.get_metadata_request(GET_REGION_URL, 'get')) do |response|
    raw_region = response.body.strip.downcase
  end

  # The endpoint may return a short region code; map it to the long region name
  symbolised_raw_region = raw_region.to_sym
  @region =
    if OCI::Regions::REGION_SHORT_NAMES_TO_LONG_NAMES.key?(symbolised_raw_region)
      OCI::Regions::REGION_SHORT_NAMES_TO_LONG_NAMES[symbolised_raw_region]
    else
      raw_region
    end

  @federation_endpoint = federation_endpoint || "#{OCI::Regions.get_service_endpoint(@region, :Auth)}/v1/x509"
  @federation_client = OCI::Auth::FederationClient.new(
    @federation_endpoint,
    @tenancy_id,
    @session_key_supplier,
    @leaf_certificate_retriever,
    intermediate_certificate_suppliers: [@intermediate_certificate_retriever],
    cert_bundle_path: federation_client_cert_bundle,
    additional_auth_params: additional_auth_params
  )

  super(
    @federation_client,
    signing_strategy: signing_strategy,
    headers_to_sign_in_all_requests: headers_to_sign_in_all_requests,
    body_headers_to_sign: body_headers_to_sign
  )
end
```
Instance Attribute Details
#region ⇒ String (readonly)
The region the instance is in, as returned from the metadata endpoint for the instance (169.254.169.254/opc/v1/instance/region).

```ruby
# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 33

def region
  @region
end
```