Package com.oracle.bmc.auth

Class ResourcePrincipalAuthenticationDetailsProvider

java.lang.Object

com.oracle.bmc.auth.AbstractRequestingAuthenticationDetailsProvider

com.oracle.bmc.auth.ResourcePrincipalAuthenticationDetailsProvider

All Implemented Interfaces:

AbstractAuthenticationDetailsProvider, BasicAuthenticationDetailsProvider, ConfigurableRefreshOnNotAuthenticatedProvider<String>, RefreshableOnNotAuthenticatedProvider<String>, RegionProvider

Direct Known Subclasses:

ResourcePrincipalsV3AuthenticationDetailsProvider

public class ResourcePrincipalAuthenticationDetailsProvider
extends AbstractRequestingAuthenticationDetailsProvider
implements RegionProvider, RefreshableOnNotAuthenticatedProvider<String>, ConfigurableRefreshOnNotAuthenticatedProvider<String>

This constructs a default implementation of the ResourcePrincipalAuthenticationDetailsProvider, constructed in accordance with the following environment variable settings:

• OCI_RESOURCE_PRINCIPAL_VERSION:

  This is required. Permitted values are "1.1", "2.1", "2.1.1", "2.1.2", "2.2" and "3.0"

  For OCI_RESOURCE_PRINCIPAL_VERSION = "1.1"

• OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT:

  This is required. The endpoint for retrieving the Resource Principal Token.

• OCI_RESOURCE_PRINCIPAL_RPST_ENDPOINT:

  If set, the value from environment variable is used.

  Otherwise, it uses the default resource principal token path provider.

  For OCI_RESOURCE_PRINCIPAL_VERSION = "2.1"

• OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT

  This is required. The endpoint for retrieving the Resource Principal Token.

• OCI_RESOURCE_PRINCIPAL_RPST_ENDPOINT

  This is required. The endpoint for retrieving the Resource Principal Session Token.

• OCI_RESOURCE_PRINCIPAL_RESOURCE_ID

  This is required. The RPv2.1 resource id.

• OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM

  This is required. If this points to existing file path, then the filesystem-supplied private key will be retrieved from that location.

  Otherwise, the value is interpreted as the direct injection of a private key.

• OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_PASSPHRASE

  This is optional. The passphrase for the private key.

  For OCI_RESOURCE_PRINCIPAL_VERSION = "2.1.1"

• OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT

  This is required. The endpoint for retrieving the Resource Principal Token.

• OCI_RESOURCE_PRINCIPAL_RPST_ENDPOINT

  This is required. The endpoint for retrieving the Resource Principal Session Token.

• OCI_RESOURCE_PRINCIPAL_RESOURCE_ID

  This is required. The RPv2.1.1 resource id.

• OCI_RESOURCE_PRINCIPAL_TENANCY_ID

  This is required. The RPv2.1.1 tenancy id.

• OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM

  This is required. If this points to existing file path, then the filesystem-supplied private key will be retrieved from that location.

  Otherwise, the value is interpreted as the direct injection of a private key.

• OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_PASSPHRASE

  This is optional. The passphrase for the private key.

  For OCI_RESOURCE_PRINCIPAL_VERSION = "2.1.2"

• OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT

  This is required. The endpoint for retrieving the Resource Principal Token.

• OCI_RESOURCE_PRINCIPAL_RPST_ENDPOINT

  This is required. The endpoint for retrieving the Resource Principal Session Token.

• OCI_RESOURCE_PRINCIPAL_RESOURCE_ID

  This is required. The RPv2.1.2 resource id.

• OCI_RESOURCE_PRINCIPAL_TENANCY_ID

  This is required. The RPv2.1.2 tenancy id.

• OCI_RESOURCE_PRINCIPAL_SECURITY_CONTEXT

  Security context is a must for RPv2.1.2. If set via the environment variable, the value of RPv2.1.2 security context from environment variable is used.

  If set via the builder, security context provided via the builder overrides the value provided via the environment variable.

• OCI_RESOURCE_PRINCIPAL_RPT_PATH

  If set, the value from environment variable is used.

  Otherwise, it uses the default resource principal token path DEFAULT_OCI_RESOURCE_PRINCIPAL_RPT_PATH_FORV212.

• OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM

  This is required. If this points to existing file path, then the filesystem-supplied private key will be retrieved from that location.

  Otherwise, the value is interpreted as the direct injection of a private key.

• OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_PASSPHRASE

  This is optional. The passphrase for the private key.

  For OCI_RESOURCE_PRINCIPAL_VERSION = "2.2"

• OCI_RESOURCE_PRINCIPAL_RPST:

  If this points to an existing file path, then the filesystem-supplied resource principal session token will be retrieved from that location. This mode supports token refresh (if the environment replaces the RPST in the filesystem).

  Otherwise, the environment variable is taken to hold the raw value of an RPST. Under these circumstances, the RPST cannot be refreshed; consequently, this mode is only usable for short-lived executables.

• OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM:

  If this points to an existing file path, then the filesystem-supplied private key will be retrieved from that location. As with the OCI_RESOURCE_PRINCIPAL_RPST, this mode supports token refresh if the environment can update the file contents.

  Otherwise, the value is interpreted as the direct injection of a private key. The same considerations as to the lifetime of this value apply when directly injecting a key.

• OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_PASSPHRASE:

  This is optional. If set, it contains either the location (as an existing file path) or the value of the passphrase associated with the private key.

• OCI_RESOURCE_PRINCIPAL_REGION:

  If set, this holds the canonical form of the local region. This is intended to enable executables to locate their "local" OCI service endpoints.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	ResourcePrincipalAuthenticationDetailsProvider.ClaimKeys
static class	ResourcePrincipalAuthenticationDetailsProvider.ResourcePrincipalAuthenticationDetailsProviderBuilder	Builder for ResourcePrincipalAuthenticationDetailsProvider that understands the V2.2 configuration

Nested classes/interfaces inherited from class com.oracle.bmc.auth.AbstractRequestingAuthenticationDetailsProvider

AbstractRequestingAuthenticationDetailsProvider.Builder<B extends AbstractRequestingAuthenticationDetailsProvider.Builder<B>>, AbstractRequestingAuthenticationDetailsProvider.CachingSessionKeySupplier

Field Summary

Fields

Modifier and Type	Field	Description
protected Region	region	Returns the region where the java code using resource principal authentication is running at
protected static String	RP_VERSION_2_1
protected static String	RP_VERSION_2_1_1
protected static String	RP_VERSION_2_1_2
protected static String	RP_VERSION_3_0

Fields inherited from class com.oracle.bmc.auth.AbstractRequestingAuthenticationDetailsProvider

federationClient, sessionKeySupplier

Constructor Summary

Constructors

Constructor	Description
ResourcePrincipalAuthenticationDetailsProvider(FederationClient federationClient, SessionKeySupplier sessionKeySupplier, Region region)	Constructor of ResourcePrincipalAuthenticationDetailsProvider.

Method Summary

Modifier and Type	Method	Description
static ResourcePrincipalAuthenticationDetailsProvider.ResourcePrincipalAuthenticationDetailsProviderBuilder	builder()
protected static FederationClient	getFederationClientFromRpst(String ociResourcePrincipalRpst, String inputType, SessionKeySupplier sessionKeySupplier)
Region	getRegion()	Returns the region.
protected static Region	getRegion(String ociResourcePrincipalRegion, String inputType)
protected static SessionKeySupplier	getSessionKeySupplierFromPemAndPassphrase(String ociResourcePrincipalPrivateKey, String ociResourcePrincipalPassphrase, String inputType)
String	getStringClaim(String key)	Session tokens carry JWT-like claims.
String	refresh()	Refreshes the authentication data used by the provider
String	refreshIfExpiringWithin(Duration time)	Refreshes the authentication data used by the provider
String	refreshIfExpiringWithin(Duration time, boolean refreshKeys)	Refreshes the authentication data used by the provider

Methods inherited from class com.oracle.bmc.auth.AbstractRequestingAuthenticationDetailsProvider

getKeyId, getPassPhrase, getPassphraseCharacters, getPrivateKey

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

RP_VERSION_2_1

protected static final String RP_VERSION_2_1

See Also:

Constant Field Values

RP_VERSION_2_1_1

protected static final String RP_VERSION_2_1_1

See Also:

Constant Field Values

RP_VERSION_2_1_2

protected static final String RP_VERSION_2_1_2

See Also:

Constant Field Values

RP_VERSION_3_0

protected static final String RP_VERSION_3_0

See Also:

Constant Field Values

region

protected final Region region

Returns the region where the java code using resource principal authentication is running at

Constructor Detail

ResourcePrincipalAuthenticationDetailsProvider

public ResourcePrincipalAuthenticationDetailsProvider(FederationClient federationClient,
                                                      SessionKeySupplier sessionKeySupplier,
                                                      Region region)

Constructor of ResourcePrincipalAuthenticationDetailsProvider.

Parameters:

federationClient - federation client implementation.

sessionKeySupplier - session key supplier implementation.

region - the region

Method Detail

getRegion

public Region getRegion()

Description copied from interface: RegionProvider

Returns the region.

Specified by:

getRegion in interface RegionProvider

Returns:

Region object.

builder

public static ResourcePrincipalAuthenticationDetailsProvider.ResourcePrincipalAuthenticationDetailsProviderBuilder builder()

getStringClaim

public String getStringClaim(String key)

Session tokens carry JWT-like claims.

Permit the retrieval of the value of those claims from the token. At the least, the token should carry claims for ResourcePrincipalAuthenticationDetailsProvider.ClaimKeys.COMPARTMENT_ID_CLAIM_KEY and ResourcePrincipalAuthenticationDetailsProvider.ClaimKeys.TENANT_ID_CLAIM_KEY

Parameters:

key - the name of a claim in the session token

Returns:

the claim value.

refresh

public String refresh()

Refreshes the authentication data used by the provider

Specified by:

refresh in interface RefreshableOnNotAuthenticatedProvider<String>

Returns:

the refreshed authentication data

refreshIfExpiringWithin

public String refreshIfExpiringWithin(Duration time)

Refreshes the authentication data used by the provider

Specified by:

refreshIfExpiringWithin in interface ConfigurableRefreshOnNotAuthenticatedProvider<String>

Parameters:

time - the duration to check

Returns:

the refreshed authentication data

refreshIfExpiringWithin

public String refreshIfExpiringWithin(Duration time,
                                      boolean refreshKeys)

Refreshes the authentication data used by the provider

Specified by:

refreshIfExpiringWithin in interface ConfigurableRefreshOnNotAuthenticatedProvider<String>

Parameters:

time - the duration to check

refreshKeys - boolean value to enable/disable refresh of keys

Returns:

the refreshed authentication data

getRegion

protected static Region getRegion(String ociResourcePrincipalRegion,
                                  String inputType)

getFederationClientFromRpst

protected static FederationClient getFederationClientFromRpst(String ociResourcePrincipalRpst,
                                                              String inputType,
                                                              SessionKeySupplier sessionKeySupplier)

getSessionKeySupplierFromPemAndPassphrase

protected static SessionKeySupplier getSessionKeySupplierFromPemAndPassphrase(String ociResourcePrincipalPrivateKey,
                                                                              String ociResourcePrincipalPassphrase,
                                                                              String inputType)