Class: OCI::Auth::Signers::OkeWorkloadIdentityResourcePrincipalSigner
Overview
This signer takes the following parameters: `sa_token_provider` (an object whose `service_account_token` supplies the Kubernetes service-account token that is sent as a Bearer credential to the proxymux endpoint), `sa_cert_path` (the CA file used to verify the proxymux TLS certificate), `service_host` and `service_port` (which form the `https://host:port/resourcePrincipalSessionTokens` endpoint; `service_host` is required and the constructor raises if it is `nil`), and `region` (optional keyword argument, `nil` by default).
Constant Summary
Constants inherited
from BaseSigner
BaseSigner::BODY_HEADERS, BaseSigner::GENERIC_HEADERS, BaseSigner::SIGNATURE_VERSION, BaseSigner::SIGNING_STRATEGY_ENUM
Instance Method Summary
Methods inherited from BaseSigner
#sign
Constructor Details
#initialize(sa_token_provider, sa_cert_path, service_host, service_port, region: nil) ⇒ OkeWorkloadIdentityResourcePrincipalSigner
Returns a new instance of OkeWorkloadIdentityResourcePrincipalSigner.
# File 'lib/oci/auth/signers/oke_workload_identity_resource_principal_signer.rb', line 22
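def initialize(sa_token_provider, sa_cert_path, service_host, service_port, region: nil)
  # Builds a signer whose credentials are a locally generated session key pair
  # (from SessionKeySupplier) and a Resource Principal Session Token (RPST)
  # obtained from the proxymux endpoint in exchange for the pod's Kubernetes
  # service-account token.
  #
  # @param sa_token_provider [#service_account_token] supplies the service-account
  #   bearer token presented to proxymux (see #resource_principal_session_token)
  # @param sa_cert_path [String] CA file used to verify the proxymux TLS certificate
  # @param service_host [String] Kubernetes service host of the proxymux endpoint (required)
  # @param service_port [String, Integer] port of the proxymux endpoint
  # @param region [String, nil] optional region, resolved via #initialize_and_return_region
  # @raise [RuntimeError] when service_host is nil
  @sa_token_provider = sa_token_provider
  @sa_cert_path = sa_cert_path
  @service_host = service_host
  raise 'Kubernetes service host was not provided.' if @service_host.nil?

  @service_port = service_port
  @region = initialize_and_return_region(region)
  @refresh_lock = Mutex.new
  @proxymux_endpoint = "https://#{service_host}:#{service_port}/resourcePrincipalSessionTokens"
  uri = URI(@proxymux_endpoint)
  @federation_http_client = Net::HTTP.new(uri.hostname, uri.port)
  @federation_http_client.use_ssl = (uri.scheme == 'https')
  # Both the service-account bearer token and the returned RPST travel over this
  # connection, so peer verification is pinned explicitly instead of relying on
  # Net::HTTP's default, and only the supplied CA file is trusted for it.
  @federation_http_client.verify_mode = OpenSSL::SSL::VERIFY_PEER
  @federation_http_client.ca_file = @sa_cert_path
  @session_key_supplier = OCI::Auth::SessionKeySupplier.new
  # Fetch the first RPST eagerly; BaseSigner signs with it and the session private key.
  @rpst = security_token
  super(@rpst, @session_key_supplier.key_pair[:private_key])
end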
Instance Method Details
#initialize_and_return_region(region) ⇒ Object
#refresh_security_token ⇒ Object
# File 'lib/oci/auth/signers/oke_workload_identity_resource_principal_signer.rb', line 60
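def refresh_security_token
  # Rotates the session key pair, exchanges it for a fresh RPST and re-derives
  # the signing key and key id, all under @refresh_lock so concurrent callers
  # of #security_token do not run two exchanges against proxymux at once.
  #
  # Mutex#synchronize replaces the manual lock / ensure-unlock pair: it only
  # releases a lock this call itself acquired. The previous ensure released
  # any lock the thread owned, so a recursive-locking ThreadError raised by
  # #lock would have unlocked the mutex held by the outer caller.
  #
  # @raise [ThreadError] if the calling thread already holds @refresh_lock
  @refresh_lock.synchronize do
    @session_key_supplier.refresh
    @security_token = OCI::Auth::SecurityTokenContainer.new(resource_principal_session_token)
    reset_signer
  end
end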
#reset_signer ⇒ Object
# File 'lib/oci/auth/signers/oke_workload_identity_resource_principal_signer.rb', line 69
def reset_signer
  # Re-derives the signing inputs from the current RPST and session key pair:
  # the key id is the "ST$"-prefixed token and the private key is re-parsed
  # from the supplier's PEM. A random passphrase is supplied when none is
  # configured; presumably the supplier's PEM is unencrypted and the value is
  # ignored by OpenSSL — confirm against SessionKeySupplier.
  @key_id = format('ST$%s', @security_token.security_token)
  @private_key_content = @session_key_supplier.key_pair[:private_key]
  passphrase = @pass_phrase || SecureRandom.uuid
  @private_key = OpenSSL::PKey::RSA.new(@private_key_content, passphrase)
end
#resource_principal_session_token ⇒ Object
# File 'lib/oci/auth/signers/oke_workload_identity_resource_principal_signer.rb', line 78
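def resource_principal_session_token
  # Exchanges the pod's service-account token for a Resource Principal Session
  # Token (RPST) at the proxymux endpoint, binding the RPST to the current
  # session public key ("podKey").
  #
  # The service-account token is sent as a Bearer credential over the TLS
  # client configured in #initialize, so the CA file given there is what
  # protects this exchange.
  #
  # @return [String] the RPST with its first three characters removed
  #   (presumably the "ST$" prefix that #reset_signer prepends again — confirm
  #   against the proxymux response format)
  # @raise [RuntimeError] on a non-200 response, on a response without a
  #   usable token, or on a response that cannot be decoded as JSON
  request_payload = {
    podKey: OCI::Auth::Util.sanitize_certificate_string(@session_key_supplier.key_pair[:public_key].to_pem)
  }
  sa_token = @sa_token_provider.service_account_token
  request = OCI::Auth::Util.get_metadata_request(@proxymux_endpoint, 'post')
  request.body = request_payload.to_json
  request['content-type'] = 'application/json'
  request['authorization'] = 'Bearer ' + sa_token
  request['opc-request-id'] ||= OCI::ApiClient.build_request_id

  raw_body = nil
  status_code = nil
  message = nil
  # start/end opens and closes a fresh connection around the single request.
  @federation_http_client.start do
    @federation_http_client.request(request) do |response|
      raw_body = response.body
      status_code = response.code
      message = response.message
    end
  end
  if status_code != '200'
    raise "Failed to get a RPST token from proxymux. URL: #{@proxymux_endpoint}, Status: #{status_code}, Message: #{message}"
  end

  # The body is base64-wrapped JSON. Base64.decode64 does not reject malformed
  # input, so the JSON parse below is the real validation step.
  decoded_response = Base64.decode64(raw_body)
  unless decoded_response.include?('token')
    raise "Could not find token in decoded response from proxymux. URL: #{@proxymux_endpoint}, Decoded Response: #{decoded_response}"
  end
  begin
    response_json = JSON.parse(decoded_response)
  rescue JSON::ParserError
    raise "Unable to convert decoded response into JSON. Decoded response: #{decoded_response}"
  end
  # The substring check above is satisfied by any body that merely mentions
  # "token"; confirm the key is present, is a string and is longer than the
  # prefix being stripped, so a malformed body raises a descriptive error
  # instead of a NoMethodError (or yields an empty/nil token).
  token = response_json.is_a?(Hash) ? response_json['token'] : nil
  unless token.is_a?(String) && token.length > 3
    raise "Could not find token in decoded response from proxymux. URL: #{@proxymux_endpoint}, Decoded Response: #{decoded_response}"
  end
  token[3..-1]
end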
#security_token ⇒ Object
# File 'lib/oci/auth/signers/oke_workload_identity_resource_principal_signer.rb', line 52
def security_token
  # Returns the current RPST, refreshing it first unless a token is already
  # cached and still within the first half of its lifetime. The half-life
  # check keeps callers from signing with a token that is about to expire.
  cached = defined?(@security_token) && @security_token.token_valid_with_half_expiration_time?
  refresh_security_token unless cached
  @security_token.security_token
end
|