Class: OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner
- Inherits:
-
X509FederationClientBasedSecurityTokenSigner
- Object
- BaseSigner
- SecurityTokenSigner
- X509FederationClientBasedSecurityTokenSigner
- OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner
- Defined in:
- lib/oci/auth/signers/instance_principals_security_token_signer.rb
Overview
A SecurityTokenSigner which uses a security token for an instance principal. This signer can also refresh its token as needed.
This signer is self-sufficient in that its internals know how to source the required information to request and use the token:
-
Using the metadata endpoint for the instance (169.254.169.254/opc/v2) we can discover the region the instance is in, its leaf certificate and any intermediate certificates (for requesting the token) and the tenancy (as) that is in the leaf certificate.
-
The signer leverages FederationClient so it can refresh the security token and also get the private key needed to sign requests (via the client's session_key_supplier)
Direct Known Subclasses
Constant Summary collapse
- METADATA_URL_BASE =
'http://169.254.169.254/opc/v2'.freeze
- OCI_METADATA_BASE_URL_ENV_VAR =
Set OCI_METADATA_BASE_URL to override the default IMDS base URL used for instance metadata endpoints.
'OCI_METADATA_BASE_URL'.freeze
Constants inherited from BaseSigner
BaseSigner::BODY_HEADERS, BaseSigner::GENERIC_HEADERS, BaseSigner::SIGNATURE_VERSION, BaseSigner::SIGNING_STRATEGY_ENUM
Instance Attribute Summary collapse
-
#region ⇒ String
readonly
The region the instance is in, as returned from the metadata endpoint for the instance (169.254.169.254/opc/v2/instance/region).
Class Method Summary collapse
- .intermediate_certificate_url ⇒ Object
- .leaf_certificate_private_key_url ⇒ Object
- .leaf_certificate_url ⇒ Object
- .metadata_url_base ⇒ Object
- .region_info_url ⇒ Object
- .region_url ⇒ Object
Instance Method Summary collapse
-
#initialize(federation_endpoint: nil, federation_client_cert_bundle: nil, signing_strategy: OCI::BaseSigner::STANDARD, headers_to_sign_in_all_requests: OCI::BaseSigner::GENERIC_HEADERS, body_headers_to_sign: OCI::BaseSigner::BODY_HEADERS, additional_auth_params: {}) ⇒ InstancePrincipalsSecurityTokenSigner
constructor
Creates a new InstancePrincipalsSecurityTokenSigner.
Methods inherited from X509FederationClientBasedSecurityTokenSigner
#refresh_security_token, #sign
Methods inherited from BaseSigner
Constructor Details
#initialize(federation_endpoint: nil, federation_client_cert_bundle: nil, signing_strategy: OCI::BaseSigner::STANDARD, headers_to_sign_in_all_requests: OCI::BaseSigner::GENERIC_HEADERS, body_headers_to_sign: OCI::BaseSigner::BODY_HEADERS, additional_auth_params: {}) ⇒ InstancePrincipalsSecurityTokenSigner
Creates a new InstancePrincipalsSecurityTokenSigner
83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 |
# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 83 def initialize( federation_endpoint: nil, federation_client_cert_bundle: nil, signing_strategy: OCI::BaseSigner::STANDARD, headers_to_sign_in_all_requests: OCI::BaseSigner::GENERIC_HEADERS, body_headers_to_sign: OCI::BaseSigner::BODY_HEADERS, additional_auth_params: {} ) @leaf_certificate_retriever = OCI::Auth::UrlBasedCertificateRetriever.new( self.class.leaf_certificate_url, private_key_url: self.class.leaf_certificate_private_key_url ) @intermediate_certificate_retriever = OCI::Auth::UrlBasedCertificateRetriever.new( self.class.intermediate_certificate_url ) @session_key_supplier = OCI::Auth::SessionKeySupplier.new @tenancy_id = OCI::Auth::Util.get_tenancy_id_from_certificate( @leaf_certificate_retriever.certificate ) uri = URI(self.class.region_url) raw_region_client = Net::HTTP.new(uri.hostname, uri.port) raw_region = nil raw_region_client.request(OCI::Auth::Util.(self.class.region_url, 'get')) do |response| raw_region = response.body.strip.downcase end symbolised_raw_region = raw_region.to_sym @region = if OCI::Regions::REGION_SHORT_NAMES_TO_LONG_NAMES.key?(symbolised_raw_region) OCI::Regions::REGION_SHORT_NAMES_TO_LONG_NAMES[symbolised_raw_region] else raw_region end @federation_endpoint = federation_endpoint || "#{OCI::Regions.get_service_endpoint(@region, :Auth)}/v1/x509" @federation_client = OCI::Auth::FederationClient.new( @federation_endpoint, @tenancy_id, @session_key_supplier, @leaf_certificate_retriever, intermediate_certificate_suppliers: [@intermediate_certificate_retriever], cert_bundle_path: federation_client_cert_bundle, additional_auth_params: additional_auth_params ) super( @federation_client, signing_strategy: signing_strategy, headers_to_sign_in_all_requests: headers_to_sign_in_all_requests, body_headers_to_sign: body_headers_to_sign ) end |
Instance Attribute Details
#region ⇒ String (readonly)
The region the instance is in, as returned from the metadata endpoint for the instance (169.254.169.254/opc/v2/instance/region)
33 34 35 |
# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 33 def region @region end |
Class Method Details
.intermediate_certificate_url ⇒ Object
63 64 65 |
# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 63 def self.intermediate_certificate_url "#{}/identity/intermediate.pem" end |
.leaf_certificate_private_key_url ⇒ Object
59 60 61 |
# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 59 def self.leaf_certificate_private_key_url "#{}/identity/key.pem" end |
.leaf_certificate_url ⇒ Object
55 56 57 |
# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 55 def self.leaf_certificate_url "#{}/identity/cert.pem" end |
.metadata_url_base ⇒ Object
39 40 41 42 43 44 45 |
# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 39 def self. configured_base_url = ENV[OCI_METADATA_BASE_URL_ENV_VAR] return METADATA_URL_BASE if configured_base_url.nil? || configured_base_url.strip.empty? # Remove trailing slashes so appending endpoint paths does not create double slashes. configured_base_url.sub(/\/+$/, '') end |
.region_info_url ⇒ Object
51 52 53 |
# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 51 def self.region_info_url "#{}/instance/regionInfo/" end |
.region_url ⇒ Object
47 48 49 |
# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 47 def self.region_url "#{}/instance/region" end |