Class: OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner

Inherits:
X509FederationClientBasedSecurityTokenSigner show all
Defined in:
lib/oci/auth/signers/instance_principals_security_token_signer.rb

Overview

A SecurityTokenSigner which uses a security token for an instance principal. This signer can also refresh its token as needed.

This signer is self-sufficient in that its internals know how to source the required information to request and use the token:

  • Using the metadata endpoint for the instance (169.254.169.254/opc/v2) we can discover the region the instance is in, its leaf certificate and any intermediate certificates (for requesting the token) and the tenancy (as) that is in the leaf certificate.

  • The signer leverages FederationClient so it can refresh the security token and also get the private key needed to sign requests (via the client's session_key_supplier)

Direct Known Subclasses

InstancePrincipalsDelegationTokenSigner

Constant Summary collapse

METADATA_URL_BASE =
'http://169.254.169.254/opc/v2'.freeze
OCI_METADATA_BASE_URL_ENV_VAR =

Set OCI_METADATA_BASE_URL to override the default IMDS base URL used for instance metadata endpoints.

'OCI_METADATA_BASE_URL'.freeze

Constants inherited from BaseSigner

BaseSigner::BODY_HEADERS, BaseSigner::GENERIC_HEADERS, BaseSigner::SIGNATURE_VERSION, BaseSigner::SIGNING_STRATEGY_ENUM

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Methods inherited from X509FederationClientBasedSecurityTokenSigner

#refresh_security_token, #sign

Methods inherited from BaseSigner

#sign

Constructor Details

#initialize(federation_endpoint: nil, federation_client_cert_bundle: nil, signing_strategy: OCI::BaseSigner::STANDARD, headers_to_sign_in_all_requests: OCI::BaseSigner::GENERIC_HEADERS, body_headers_to_sign: OCI::BaseSigner::BODY_HEADERS, additional_auth_params: {}) ⇒ InstancePrincipalsSecurityTokenSigner

Creates a new InstancePrincipalsSecurityTokenSigner

Parameters:

  • federation_endpoint (String) (defaults to: nil)

    The endpoint where we will retrieve the instance principals auth token from. If not provided, this will default to the endpoint which the instance is in

  • federation_client_cert_bundle (String) (defaults to: nil)

    The full file path to a custom certificate bundle which can be used for SSL verification against the federation_endpoint. If not provided (e.g. because a custom bundle is not needed), defaults to nil

  • signing_strategy (String) (defaults to: OCI::BaseSigner::STANDARD)

    Whether this signer is used for Object Storage requests or not. Acceptable values are BaseSigner::STANDARD and BaseSigner::OBJECT_STORAGE. If not provided, defaults to BaseSigner::STANDARD

  • headers_to_sign_in_all_requests (Array<String>) (defaults to: OCI::BaseSigner::GENERIC_HEADERS)

    An array of headers which will be signed in each request. If not provided, defaults to BaseSigner::GENERIC_HEADERS

  • body_headers_to_sign (Array<String>) (defaults to: OCI::BaseSigner::BODY_HEADERS)

    An array of headers which should be signed on requests with bodies. If not provided, defaults to BaseSigner::BODY_HEADERS

  • additional_auth_params (Hash<String>) (defaults to: {})

    Additional parameters for the federation client to pass as part of the Auth Service request. If not provided, defaults to an empty hash



83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 83

def initialize(
  federation_endpoint: nil,
  federation_client_cert_bundle: nil,
  signing_strategy: OCI::BaseSigner::STANDARD,
  headers_to_sign_in_all_requests: OCI::BaseSigner::GENERIC_HEADERS,
  body_headers_to_sign: OCI::BaseSigner::BODY_HEADERS,
  additional_auth_params: {}
)

  @leaf_certificate_retriever = OCI::Auth::UrlBasedCertificateRetriever.new(
    self.class.leaf_certificate_url, private_key_url: self.class.leaf_certificate_private_key_url
  )
  @intermediate_certificate_retriever = OCI::Auth::UrlBasedCertificateRetriever.new(
    self.class.intermediate_certificate_url
  )
  @session_key_supplier = OCI::Auth::SessionKeySupplier.new
  @tenancy_id = OCI::Auth::Util.get_tenancy_id_from_certificate(
    @leaf_certificate_retriever.certificate
  )

  uri = URI(self.class.region_url)
  raw_region_client = Net::HTTP.new(uri.hostname, uri.port)
  raw_region = nil
  raw_region_client.request(OCI::Auth::Util.(self.class.region_url, 'get')) do |response|
    raw_region = response.body.strip.downcase
  end
  symbolised_raw_region = raw_region.to_sym
  @region = if OCI::Regions::REGION_SHORT_NAMES_TO_LONG_NAMES.key?(symbolised_raw_region)
              OCI::Regions::REGION_SHORT_NAMES_TO_LONG_NAMES[symbolised_raw_region]
            else
              raw_region
            end

  @federation_endpoint = federation_endpoint || "#{OCI::Regions.get_service_endpoint(@region, :Auth)}/v1/x509"

  @federation_client = OCI::Auth::FederationClient.new(
    @federation_endpoint,
    @tenancy_id,
    @session_key_supplier,
    @leaf_certificate_retriever,
    intermediate_certificate_suppliers: [@intermediate_certificate_retriever],
    cert_bundle_path: federation_client_cert_bundle,
    additional_auth_params: additional_auth_params
  )

  super(
    @federation_client,
    signing_strategy: signing_strategy,
    headers_to_sign_in_all_requests: ,
    body_headers_to_sign: body_headers_to_sign
  )
end

Instance Attribute Details

#regionString (readonly)

The region the instance is in, as returned from the metadata endpoint for the instance (169.254.169.254/opc/v2/instance/region)

Returns:

  • (String)

    The region for the instance



33
34
35
# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 33

def region
  @region
end

Class Method Details

.intermediate_certificate_urlObject



63
64
65
# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 63

def self.intermediate_certificate_url
  "#{}/identity/intermediate.pem"
end

.leaf_certificate_private_key_urlObject



59
60
61
# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 59

def self.leaf_certificate_private_key_url
  "#{}/identity/key.pem"
end

.leaf_certificate_urlObject



55
56
57
# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 55

def self.leaf_certificate_url
  "#{}/identity/cert.pem"
end

.metadata_url_baseObject



39
40
41
42
43
44
45
# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 39

def self.
  configured_base_url = ENV[OCI_METADATA_BASE_URL_ENV_VAR]
  return METADATA_URL_BASE if configured_base_url.nil? || configured_base_url.strip.empty?

  # Remove trailing slashes so appending endpoint paths does not create double slashes.
  configured_base_url.sub(/\/+$/, '')
end

.region_info_urlObject



51
52
53
# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 51

def self.region_info_url
  "#{}/instance/regionInfo/"
end

.region_urlObject



47
48
49
# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 47

def self.region_url
  "#{}/instance/region"
end