Class: Mongo::Crypt::KMS::GCP::Credentials Private

Inherits:
Object
Extended by:
Forwardable
Includes:
Validations
Defined in:
lib/mongo/crypt/kms/gcp/credentials.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

GCP Cloud Key Management Credentials object contains credentials for using GCP KMS provider.

Constant Summary

FORMAT_HINT =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

"GCP KMS provider options must be in the format: " +
"{ email: 'EMAIL', private_key: 'PRIVATE-KEY' }"

Instance Attribute Summary

Instance Method Summary

Methods included from Validations

#validate_param, validate_tls_options

Constructor Details

#initialize(opts) ⇒ Credentials

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Creates a GCP KMS credentials object from a parameters hash.

Parameters:

  • opts (Hash)

    A hash that contains credentials for GCP KMS provider

Options Hash (opts):

  • :email (String)

    GCP email.

  • :private_key (String)

    GCP private key. This method accepts the private key in either base64-encoded DER format or PEM format.

  • :endpoint (String | nil)

    GCP endpoint, optional.

  • :access_token (String | nil)

    GCP access token, optional. If this option is not nil, the other options are ignored.

Raises:

  • (ArgumentError)

    If required options are missing or incorrectly formatted.



# File 'lib/mongo/crypt/kms/gcp/credentials.rb', line 61

def initialize(opts)
  @opts = opts
  return if empty?

  if opts[:access_token]
    @access_token = opts[:access_token]
  else
    @email = validate_param(:email, opts, FORMAT_HINT)
    @private_key = begin
      private_key_opt = validate_param(:private_key, opts, FORMAT_HINT)
      if BSON::Environment.jruby?
        # We cannot really validate private key on JRuby, so we assume
        # it is in base64 encoded DER format.
        private_key_opt
      else
        # Check if private key is in PEM format.
        pkey = OpenSSL::PKey::RSA.new(private_key_opt)
        # PEM it is, need to be converted to base64 encoded DER.
        der = if pkey.respond_to?(:private_to_der)
          pkey.private_to_der
        else
          pkey.to_der
        end
        Base64.encode64(der)
      end
    rescue OpenSSL::PKey::RSAError
      # Check if private key is in DER.
      begin
        OpenSSL::PKey.read(Base64.decode64(private_key_opt))
        # Private key is fine, use it.
        private_key_opt
      rescue OpenSSL::PKey::PKeyError
        raise ArgumentError.new(
          "The private_key option must be either base64 encoded DER format, or PEM format."
        )
      end
    end

    @endpoint = validate_param(
      :endpoint, opts, FORMAT_HINT, required: false
    )
  end
end

Instance Attribute Details

#access_token ⇒ String | nil (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns GCP access token.

Returns:

  • (String | nil)

    GCP access token.



# File 'lib/mongo/crypt/kms/gcp/credentials.rb', line 40

def access_token
  @access_token
end

#email ⇒ String (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns GCP email to authenticate with.

Returns:

  • (String)

    GCP email to authenticate with.



# File 'lib/mongo/crypt/kms/gcp/credentials.rb', line 31

def email
  @email
end

#endpoint ⇒ String | nil (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns GCP KMS endpoint.

Returns:

  • (String | nil)

    GCP KMS endpoint.



# File 'lib/mongo/crypt/kms/gcp/credentials.rb', line 37

def endpoint
  @endpoint
end

#private_key ⇒ String (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns GCP private key, base64 encoded DER format.

Returns:

  • (String)

    GCP private key, base64 encoded DER format.



# File 'lib/mongo/crypt/kms/gcp/credentials.rb', line 34

def private_key
  @private_key
end

Instance Method Details

#to_document ⇒ BSON::Document

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Converts the credentials object to a BSON document in libmongocrypt format.

Returns:

  • (BSON::Document)

    GCP KMS credentials in libmongocrypt format.



# File 'lib/mongo/crypt/kms/gcp/credentials.rb', line 108

def to_document
  return BSON::Document.new if empty?
  if access_token
    BSON::Document.new({ accessToken: access_token })
  else
    BSON::Document.new({
      email: email,
      privateKey: BSON::Binary.new(private_key, :generic),
    }).tap do |bson|
      unless endpoint.nil?
        bson.update({ endpoint: endpoint })
      end
    end
  end
end
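The following is an added, stand-alone illustration of the two steps this page documents (the private_key normalization in #initialize and the document shape produced by #to_document); it is not the driver's own code. It assumes a plain Hash in place of BSON::Document so it runs without the bson gem, and it adds one check the driver does not make: that the key is an RSA private key rather than a public key.

```ruby
require 'openssl'
require 'base64'

# Added example, not code from the Ruby driver. Mirrors the private_key
# handling described on this page (PEM or base64-encoded DER in, base64 DER
# out) and adds one check the page's code does not make: that the key is an
# RSA *private* key, because a PEM public key also parses as OpenSSL::PKey::RSA.
def normalize_gcp_private_key(private_key_opt)
  pkey = begin
    OpenSSL::PKey::RSA.new(private_key_opt.to_s)   # PEM (or raw DER) input
  rescue OpenSSL::PKey::RSAError
    begin
      # Not PEM: try base64-encoded DER, the form libmongocrypt expects.
      OpenSSL::PKey.read(Base64.decode64(private_key_opt.to_s))
    rescue OpenSSL::PKey::PKeyError
      raise ArgumentError, 'private_key must be base64 encoded DER or PEM'
    end
  end
  unless pkey.is_a?(OpenSSL::PKey::RSA) && pkey.private?
    raise ArgumentError, 'private_key must be an RSA private key'
  end
  der = pkey.respond_to?(:private_to_der) ? pkey.private_to_der : pkey.to_der
  Base64.strict_encode64(der)
end

# Builds the credentials document in the shape to_document produces. A plain
# Hash stands in for BSON::Document (an assumption of this example) so it runs
# without the bson gem; the symbol keys match libmongocrypt's field names.
# As on this page, a non-nil access_token wins and every other option is ignored.
def gcp_kms_credentials_document(opts)
  return {} if opts.nil? || opts.empty?
  return { accessToken: opts[:access_token] } unless opts[:access_token].nil?

  email = opts[:email]
  raise ArgumentError, 'email is required' if email.nil? || email.empty?
  doc = {
    email: email,
    privateKey: normalize_gcp_private_key(opts[:private_key]),
  }
  doc[:endpoint] = opts[:endpoint] unless opts[:endpoint].nil?
  doc
end
```

Feeding the same key as PEM and as base64 DER yields byte-identical privateKey values, which is what lets the driver treat both input formats interchangeably.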