Class: OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner
- Inherits: X509FederationClientBasedSecurityTokenSigner
  - Object
  - BaseSigner
  - SecurityTokenSigner
  - X509FederationClientBasedSecurityTokenSigner
  - OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner
- Defined in: lib/oci/auth/signers/instance_principals_security_token_signer.rb
Overview
A SecurityTokenSigner which uses a security token for an instance principal. This signer can also refresh its token as needed.
This signer is self-sufficient in that its internals know how to source the required information to request and use the token:
* Using the metadata endpoint for the instance (http://169.254.169.254/opc/v1) we can discover the region the instance is in, its leaf certificate and any intermediate certificates (for requesting the token), and the tenancy ID that is carried in the leaf certificate.
* The signer leverages {OCI::Auth::FederationClient} so it can refresh the security token and also obtain the private key needed to sign requests (via the client's session_key_supplier).
Constant Summary
- METADATA_URL_BASE = 'http://169.254.169.254/opc/v1'.freeze
- GET_REGION_URL = "#{METADATA_URL_BASE}/instance/region".freeze
- LEAF_CERTIFICATE_URL = "#{METADATA_URL_BASE}/identity/cert.pem".freeze
- LEAF_CERTIFICATE_PRIVATE_KEY_URL = "#{METADATA_URL_BASE}/identity/key.pem".freeze
- INTERMEDIATE_CERTIFICATE_URL = "#{METADATA_URL_BASE}/identity/intermediate.pem".freeze
Constants inherited from BaseSigner
BaseSigner::BODY_HEADERS, BaseSigner::GENERIC_HEADERS, BaseSigner::SIGNATURE_VERSION, BaseSigner::SIGNING_STRATEGY_ENUM
Instance Attribute Summary
- #region ⇒ String (readonly)
  The region the instance is in, as returned from the metadata endpoint for the instance (169.254.169.254/opc/v1/instance/region).
Instance Method Summary
- #initialize(federation_endpoint: nil, federation_client_cert_bundle: nil, signing_strategy: OCI::BaseSigner::STANDARD, headers_to_sign_in_all_requests: OCI::BaseSigner::GENERIC_HEADERS, body_headers_to_sign: OCI::BaseSigner::BODY_HEADERS) ⇒ InstancePrincipalsSecurityTokenSigner (constructor)
  Creates a new InstancePrincipalsSecurityTokenSigner.
Methods inherited from X509FederationClientBasedSecurityTokenSigner
#refresh_security_token, #sign
Methods inherited from BaseSigner
Constructor Details
#initialize(federation_endpoint: nil, federation_client_cert_bundle: nil, signing_strategy: OCI::BaseSigner::STANDARD, headers_to_sign_in_all_requests: OCI::BaseSigner::GENERIC_HEADERS, body_headers_to_sign: OCI::BaseSigner::BODY_HEADERS) ⇒ InstancePrincipalsSecurityTokenSigner
Creates a new InstancePrincipalsSecurityTokenSigner. If federation_endpoint is nil, the federation client defaults to the Auth service endpoint of the region the instance is in.
# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 44

def initialize(
  federation_endpoint: nil,
  federation_client_cert_bundle: nil,
  signing_strategy: OCI::BaseSigner::STANDARD,
  headers_to_sign_in_all_requests: OCI::BaseSigner::GENERIC_HEADERS,
  body_headers_to_sign: OCI::BaseSigner::BODY_HEADERS
)
  # Leaf and intermediate certificates are fetched from the instance metadata service.
  @leaf_certificate_retriever = OCI::Auth::UrlBasedCertificateRetriever.new(
    LEAF_CERTIFICATE_URL,
    private_key_url: LEAF_CERTIFICATE_PRIVATE_KEY_URL
  )
  @intermediate_certificate_retriever = OCI::Auth::UrlBasedCertificateRetriever.new(
    INTERMEDIATE_CERTIFICATE_URL
  )
  @session_key_supplier = OCI::Auth::SessionKeySupplier.new
  # The tenancy ID is read from the leaf certificate's subject.
  @tenancy_id = OCI::Auth::Util.get_tenancy_id_from_certificate(
    @leaf_certificate_retriever.certificate
  )

  # The metadata endpoint may return a short region name; expand it when known.
  raw_region = Net::HTTP.get(URI(GET_REGION_URL)).strip
  symbolised_raw_region = raw_region.to_sym
  @region = if OCI::Regions::REGION_SHORT_NAMES_TO_LONG_NAMES.key?(symbolised_raw_region)
              OCI::Regions::REGION_SHORT_NAMES_TO_LONG_NAMES[symbolised_raw_region]
            else
              raw_region
            end

  # An explicit federation endpoint wins; otherwise use the Auth service endpoint for the region.
  @federation_endpoint = if federation_endpoint
                           federation_endpoint
                         else
                           "#{OCI::Regions.get_service_endpoint(@region, :Auth)}/v1/x509"
                         end

  @federation_client = OCI::Auth::FederationClient.new(
    @federation_endpoint,
    @tenancy_id,
    @session_key_supplier,
    @leaf_certificate_retriever,
    intermediate_certificate_suppliers: [@intermediate_certificate_retriever],
    cert_bundle_path: federation_client_cert_bundle
  )

  super(
    @federation_client,
    signing_strategy: signing_strategy,
    headers_to_sign_in_all_requests: headers_to_sign_in_all_requests,
    body_headers_to_sign: body_headers_to_sign
  )
end
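The region resolution and tenancy lookup described in the overview and performed in the constructor above, as an added example that is not the SDK's own code: the short-name map subset, the Auth endpoint host pattern (standing in for OCI::Regions.get_service_endpoint) and the self-signed leaf certificate are constructed here so the steps run offline.

```ruby
require 'openssl'

# Subset of the short-name map the constructor consults
# (OCI::Regions::REGION_SHORT_NAMES_TO_LONG_NAMES); constructed for this example.
SAMPLE_REGION_SHORT_NAMES_TO_LONG_NAMES = { phx: 'us-phoenix-1', iad: 'us-ashburn-1' }.freeze

# Mirror the constructor: strip the metadata response, expand a known short
# name, otherwise pass the raw value through unchanged.
def resolve_region(raw_region)
  raw = raw_region.strip
  SAMPLE_REGION_SHORT_NAMES_TO_LONG_NAMES.fetch(raw.to_sym, raw)
end

# An explicit federation_endpoint wins; otherwise build the Auth service URL for
# the resolved region (host pattern assumed here in place of OCI::Regions).
def federation_endpoint_for(raw_region, federation_endpoint = nil)
  return federation_endpoint if federation_endpoint
  "https://auth.#{resolve_region(raw_region)}.oraclecloud.com/v1/x509"
end

# The tenancy OCID is carried in an OU of the leaf certificate subject as
# "opc-tenant:<ocid>"; return nil instead of guessing when it is missing.
def tenancy_id_from_certificate(cert)
  cert.subject.to_a.each do |name, value, _type|
    return value.delete_prefix('opc-tenant:') if name == 'OU' && value.start_with?('opc-tenant:')
  end
  nil
end

# Constructed self-signed stand-in for identity/cert.pem; the OCIDs are placeholders.
def sample_leaf_certificate(tenancy_ocid = 'ocid1.tenancy.oc1..exampletenancy')
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new([
    ['CN', 'instance'],
    ['OU', "opc-tenant:#{tenancy_ocid}"],
    ['OU', 'opc-instance:ocid1.instance.oc1..exampleinstance']
  ])
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

puts federation_endpoint_for("phx\n")                     # https://auth.us-phoenix-1.oraclecloud.com/v1/x509
puts tenancy_id_from_certificate(sample_leaf_certificate) # ocid1.tenancy.oc1..exampletenancy
```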
Instance Attribute Details
#region ⇒ String (readonly)
The region the instance is in, as returned from the metadata endpoint for the instance (169.254.169.254/opc/v1/instance/region).

# File 'lib/oci/auth/signers/instance_principals_security_token_signer.rb', line 28

def region
  @region
end