Class: OCI::Auth::Signers::EphemeralResourcePrincipalsSigner

Inherits:
SecurityTokenSigner
Defined in:
lib/oci/auth/signers/ephemeral_resource_principals_signer.rb

Overview

This signer takes the following parameters:

  • session_token
  • private_key
  • private_key_passphrase

These parameters may be used in one of two modes. In the first mode, they contain the actual contents of the Resource Principals Session Token (RPST), the private key (in PEM format) and the passphrase.

In the second mode, if these parameters contain absolute paths, then those paths are taken as the
on-filesystem location of the values in question. The session token file is re-read on every token refresh, so a token rotated on disk is picked up without recreating the signer.
  • region: the canonical region name

    This is utilised in locating the "local" endpoints of services. A region short name such as "phx" is also accepted and converted to its canonical form.

Constant Summary

Constants inherited from BaseSigner

BaseSigner::BODY_HEADERS, BaseSigner::GENERIC_HEADERS, BaseSigner::SIGNATURE_VERSION, BaseSigner::SIGNING_STRATEGY_ENUM

Instance Attribute Summary

Instance Method Summary

Methods inherited from BaseSigner

#sign

Constructor Details

#initialize(session_token: nil, private_key: nil, private_key_passphrase: nil, region: nil) ⇒ EphemeralResourcePrincipalsSigner

Returns a new instance of EphemeralResourcePrincipalsSigner.



# File 'lib/oci/auth/signers/ephemeral_resource_principals_signer.rb', line 31

def initialize(
  session_token: nil,
  private_key: nil,
  private_key_passphrase: nil,
  region: nil
)
  @refresh_lock = Mutex.new
  @region = initialize_and_return_region(region)
  raise 'Missing Resource Principal Session Token when initializing resource principals signer' if session_token.nil?

  @rpst = session_token

  # Load the initial values
  @session_key_supplier = OCI::Auth::Signers::EphemeralRPSessionKeySupplier.new(private_key, private_key_passphrase)
  @security_token = OCI::Auth::SecurityTokenContainer.new(resource_principal_session_token, key_pair: @session_key_supplier.session_key)

  # After load, the RPST holds claims for tenancy and compartment.
  reset_claims

  # Get the Resource Principal Session Token and use it to set up the signer
  super(@security_token.security_token, @session_key_supplier.session_key)
end

Instance Attribute Details

#region ⇒ Object (readonly)

Returns the value of attribute region.



# File 'lib/oci/auth/signers/ephemeral_resource_principals_signer.rb', line 29

def region
  @region
end

Instance Method Details

#claim(claim) ⇒ Object



# File 'lib/oci/auth/signers/ephemeral_resource_principals_signer.rb', line 104

def claim(claim)
  # jwt[0] is the decoded RPST payload; the claims read by this signer
  # (res_tenant, res_compartment) live there.
  @security_token.jwt[0][claim]
end

#initialize_and_return_region(region) ⇒ Object

The region should be something like “us-phoenix-1” but if we get “phx” then convert it.



# File 'lib/oci/auth/signers/ephemeral_resource_principals_signer.rb', line 55

def initialize_and_return_region(region)
  if OCI::Regions::REGION_SHORT_NAMES_TO_LONG_NAMES.include?(region)
    OCI::Regions::REGION_SHORT_NAMES_TO_LONG_NAMES[region]
  else
    region
  end
end

#refresh_security_token ⇒ Object



# File 'lib/oci/auth/signers/ephemeral_resource_principals_signer.rb', line 71

def refresh_security_token
  @refresh_lock.lock
  @session_key_supplier.refresh
  @security_token = OCI::Auth::SecurityTokenContainer.new(resource_principal_session_token, key_pair: @session_key_supplier.session_key)
  reset_signer
  # Resources may be moved between compartments. Update any coordinates on refresh.
  reset_claims
ensure
  @refresh_lock.unlock if @refresh_lock.locked? && @refresh_lock.owned?
end

#reset_claims ⇒ Object



# File 'lib/oci/auth/signers/ephemeral_resource_principals_signer.rb', line 99

def reset_claims
  @tenancy_id = claim('res_tenant')
  @compartment_id = claim('res_compartment')
end

#reset_signer ⇒ Object



# File 'lib/oci/auth/signers/ephemeral_resource_principals_signer.rb', line 82

def reset_signer
  # The key ID sent with each request binds the signature to the current RPST.
  @key_id = "ST$#{@security_token.security_token}"
  @private_key_content = @session_key_supplier.session_key
  # A random passphrase is supplied when none was configured so that loading an
  # unexpectedly encrypted PEM fails instead of prompting on a terminal; for an
  # unencrypted session key the passphrase is never consulted.
  @private_key = OpenSSL::PKey::RSA.new(
    @private_key_content,
    @pass_phrase || SecureRandom.uuid
  )
end

#resource_principal_session_token ⇒ Object



# File 'lib/oci/auth/signers/ephemeral_resource_principals_signer.rb', line 91

def resource_principal_session_token
  # Called on every refresh: in path mode the file is re-read each time, so a
  # token rotated on disk is picked up; otherwise the value is the token itself.
  if File.exist?(File.expand_path(@rpst))
    File.read(File.expand_path(@rpst)).to_s.strip
  else
    @rpst
  end
end

#security_token ⇒ Object



# File 'lib/oci/auth/signers/ephemeral_resource_principals_signer.rb', line 63

def security_token
  if defined? @security_token
    return @security_token.security_token if @security_token.token_valid?
  end
  refresh_security_token
  @security_token.security_token
end
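The two delivery modes described in the Overview, the claim and key-ID handling in #claim and #reset_signer, and the validity-driven refresh in #security_token and #refresh_security_token, as one added, self-contained Ruby example. This is not the OCI SDK's own code: the region table is a two-entry stand-in for OCI::Regions, the RPST is a locally minted JWT signed with a throwaway key rather than an OCI-issued token, RpstCache is a model of the refresh loop (it refreshes only the token, not a session key supplier), and token_valid? is an assumption because SecurityTokenContainer's validity check is not shown on this page.

```ruby
%w[openssl json base64 tempfile].each { |lib| require lib }

# Two-entry stand-in for OCI::Regions::REGION_SHORT_NAMES_TO_LONG_NAMES (assumption).
REGION_SHORT_NAMES_TO_LONG_NAMES = { 'phx' => 'us-phoenix-1', 'iad' => 'us-ashburn-1' }.freeze

# As in #initialize_and_return_region: expand a short name, pass anything else through.
def normalize_region(region)
  REGION_SHORT_NAMES_TO_LONG_NAMES.fetch(region, region)
end

# Dual-mode resolution as in #resource_principal_session_token: a value that names
# an existing file is read from disk and stripped; anything else is the literal contents.
def resolve_value(value)
  path = File.expand_path(value)
  File.exist?(path) ? File.read(path).to_s.strip : value
end

def base64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Mint an RS256 JWT carrying the claims the signer reads. Constructed test data
# signed with a locally generated key, not an OCI-issued RPST.
def build_rpst(issuer_key, tenancy:, compartment:, issued_at:, ttl:)
  header  = { 'alg' => 'RS256', 'typ' => 'JWT' }
  payload = { 'res_tenant' => tenancy, 'res_compartment' => compartment,
              'iat' => issued_at.to_i, 'exp' => issued_at.to_i + ttl }
  input = "#{base64url(JSON.generate(header))}.#{base64url(JSON.generate(payload))}"
  "#{input}.#{base64url(issuer_key.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

# As in #claim: the payload is the second dot-separated segment of the JWT.
def claim(token, name)
  JSON.parse(Base64.urlsafe_decode64(token.split('.')[1]))[name]
end

# Assumption: SecurityTokenContainer#token_valid? is not shown on this page, so
# validity is modelled on the exp claim alone.
def token_valid?(token, now:)
  exp = claim(token, 'exp')
  !exp.nil? && now.to_i < exp
end

# As in #reset_signer: the key ID sent with each request is the RPST prefixed with "ST$".
def security_token_key_id(token)
  "ST$#{token}"
end

# Refresh loop as in #security_token / #refresh_security_token: unlocked fast path,
# re-check under the lock so concurrent callers do not each refresh, and claims
# re-read on every refresh because a resource can move between compartments.
class RpstCache
  attr_reader :tenancy_id, :compartment_id, :key_id, :refreshes
  def initialize(rpst_source, clock:)
    @rpst_source, @clock, @lock, @refreshes = rpst_source, clock, Mutex.new, 0
    refresh!
  end

  def security_token
    now = @clock.call
    return @token if defined?(@token) && token_valid?(@token, now: now)
    @lock.synchronize do
      load_token unless defined?(@token) && token_valid?(@token, now: now)
      @token
    end
  end

  def refresh!
    @lock.synchronize { load_token }
  end
  private

  def load_token
    @token = resolve_value(@rpst_source) # re-reads the file, so rotation is picked up
    @tenancy_id = claim(@token, 'res_tenant')
    @compartment_id = claim(@token, 'res_compartment')
    @key_id = security_token_key_id(@token)
    @refreshes += 1
    @token
  end
end

# Lifecycle walk-through: token delivered by path, expiry, rotation on disk, refreshed claims.
def demo
  issuer = OpenSSL::PKey::RSA.generate(2048)
  t0 = Time.at(1_700_000_000)
  clock = [t0]
  first = build_rpst(issuer, tenancy: 'ocid1.tenancy.oc1..example', compartment: 'ocid1.compartment.oc1..before', issued_at: t0, ttl: 600)
  file = Tempfile.new('rpst')
  File.write(file.path, "#{first}\n")
  cache = RpstCache.new(file.path, clock: -> { clock[0] })
  before = { token_is_first: cache.security_token == first, compartment: cache.compartment_id, refreshes: cache.refreshes }
  clock[0] = t0 + 601 # the first token has expired and the resource has moved compartment
  second = build_rpst(issuer, tenancy: 'ocid1.tenancy.oc1..example', compartment: 'ocid1.compartment.oc1..after', issued_at: clock[0], ttl: 600)
  File.write(file.path, second)
  after = { token_is_second: cache.security_token == second, compartment: cache.compartment_id, refreshes: cache.refreshes }
  { region: normalize_region('phx'), literal_mode: resolve_value(first) == first,
    key_id: cache.key_id == "ST$#{second}", before: before, after: after }
ensure
  file&.close!
end
```

Calling `demo` exercises both modes: the token is first handed over as a file path, then the literal JWT is passed through `resolve_value` unchanged. The first `security_token` call hits the unlocked fast path and leaves the refresh count at 1; once the clock passes `exp` the next call takes the lock, re-reads the rotated file, and the compartment claim changes with it, which is why the signer on this page calls reset_claims after every refresh rather than only at construction.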