Class: OCI::Auth::Signers::EphemeralResourcePrincipalsSigner

Inherits:
SecurityTokenSigner
Defined in:
lib/oci/auth/signers/ephemeral_resource_principals_signer.rb

Overview

This signer takes the following parameters:
  • session_token
  • private_key
  • private_key_passphrase

These parameters may be used in one of two modes. In the first mode, they contain the actual contents of the Resource Principals Session Token, the private key (in PEM format) and the passphrase.

In the second mode, if these parameters contain absolute paths, then those paths are taken as the
on-filesystem location of the values in question.
  • region: the canonical region name

    This is utilised in locating the "local" endpoints of services.

Constant Summary

Constants inherited from BaseSigner

BaseSigner::BODY_HEADERS, BaseSigner::GENERIC_HEADERS, BaseSigner::SIGNATURE_VERSION, BaseSigner::SIGNING_STRATEGY_ENUM

Instance Attribute Summary

Instance Method Summary

Methods inherited from BaseSigner

#sign

Constructor Details

#initialize(session_token: nil, private_key: nil, private_key_passphrase: nil, region: nil) ⇒ EphemeralResourcePrincipalsSigner

Returns a new instance of EphemeralResourcePrincipalsSigner.

# File 'lib/oci/auth/signers/ephemeral_resource_principals_signer.rb', line 31

def initialize(
  session_token: nil,
  private_key: nil,
  private_key_passphrase: nil,
  region: nil
)
  @refresh_lock = Mutex.new
  @region = initialize_and_return_region(region)
  raise 'Missing Resource Principal Session Token when initializing resource principals signer' if session_token.nil?

  @rpst = session_token

  # Load the initial values
  @session_key_supplier = OCI::Auth::Signers::EphemeralRPSessionKeySupplier.new(private_key, private_key_passphrase)
  @security_token = OCI::Auth::SecurityTokenContainer.new(resource_principal_session_token, key_pair: @session_key_supplier.session_key)

  # After load, the RPST holds claims for tenancy and compartment.
  reset_claims

  # Get the Resource Principal Session Token and use it to set up the signer
  super(@security_token.security_token, @session_key_supplier.session_key)
end

Instance Attribute Details

#region ⇒ Object (readonly)

Returns the value of attribute region.


# File 'lib/oci/auth/signers/ephemeral_resource_principals_signer.rb', line 29

def region
  @region
end

Instance Method Details

#claim(claim) ⇒ Object

# File 'lib/oci/auth/signers/ephemeral_resource_principals_signer.rb', line 104

def claim(claim)
  @security_token.jwt[0][claim]
end

#initialize_and_return_region(region) ⇒ Object

The region should be something like “us-phoenix-1” but if we get “phx” then convert it.

# File 'lib/oci/auth/signers/ephemeral_resource_principals_signer.rb', line 55

def initialize_and_return_region(region)
  if OCI::Regions::REGION_SHORT_NAMES_TO_LONG_NAMES.include?(region)
    OCI::Regions::REGION_SHORT_NAMES_TO_LONG_NAMES[region]
  else
    region
  end
end

#refresh_security_token ⇒ Object

# File 'lib/oci/auth/signers/ephemeral_resource_principals_signer.rb', line 71

def refresh_security_token
  @refresh_lock.lock
  @session_key_supplier.refresh
  @security_token = OCI::Auth::SecurityTokenContainer.new(resource_principal_session_token, key_pair: @session_key_supplier.session_key)
  reset_signer
  # Resources may be moved between compartments. Update any coordinates on refresh.
  reset_claims
ensure
  @refresh_lock.unlock if @refresh_lock.locked? && @refresh_lock.owned?
end

#reset_claims ⇒ Object

# File 'lib/oci/auth/signers/ephemeral_resource_principals_signer.rb', line 99

def reset_claims
  @tenancy_id = claim('res_tenant')
  @compartment_id = claim('res_compartment')
end

#reset_signer ⇒ Object

# File 'lib/oci/auth/signers/ephemeral_resource_principals_signer.rb', line 82

def reset_signer
  @key_id = "ST$#{@security_token.security_token}"
  @private_key_content = @session_key_supplier.session_key
  @private_key = OpenSSL::PKey::RSA.new(
    @private_key_content,
    @pass_phrase || SecureRandom.uuid
  )
end

#resource_principal_session_token ⇒ Object

# File 'lib/oci/auth/signers/ephemeral_resource_principals_signer.rb', line 91

def resource_principal_session_token
  if File.exist?(File.expand_path(@rpst))
    File.read(File.expand_path(@rpst)).to_s.strip
  else
    @rpst
  end
end

#security_token ⇒ Object

# File 'lib/oci/auth/signers/ephemeral_resource_principals_signer.rb', line 63

def security_token
  if defined? @security_token
    return @security_token.security_token if @security_token.token_valid?
  end
  refresh_security_token
  @security_token.security_token
end
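The following is an added, stand-alone example and is not code from the OCI Ruby SDK. It re-implements in plain Ruby the two behaviours this page documents: the two input modes from the Overview (a parameter is either the literal token contents or an absolute path to a file holding them, as #resource_principal_session_token does), and the claim lookup plus expiry check that #claim, #reset_claims and #security_token rely on before deciding to refresh. The helper names (resolve_literal_or_path, jwt_claims, token_valid?, build_fake_jwt, demonstrate), the 60-second skew and the OCID values are assumptions constructed for the example; the test token is unsigned with a placeholder signature segment, so it only serves the parsing shown here.

```ruby
require 'base64'
require 'json'
require 'tempfile'

# Added example, not part of the OCI SDK. Mirrors the signer's two input modes
# and the way tenancy/compartment claims and expiry are read from the RPST.

# Mode 1 vs mode 2: if the value names an existing file, return the file's
# contents (stripped, since token files usually end in a newline); otherwise
# the value itself is the content.
def resolve_literal_or_path(value)
  expanded = File.expand_path(value)
  return File.read(expanded).to_s.strip if File.exist?(expanded)

  value
end

# Decode the payload segment of a JWT without checking its signature. The
# signer only inspects claims of a token it already obtained from the identity
# service; nothing here verifies the token, so it must never be used to authorize.
def jwt_claims(token)
  parts = token.split('.')
  raise ArgumentError, 'JWT must have three dot-separated segments' unless parts.size == 3

  payload = parts[1]
  payload += '=' * ((4 - payload.size % 4) % 4) # restore base64url padding
  JSON.parse(Base64.urlsafe_decode64(payload))
end

# A token is treated as expired `skew_seconds` (assumed value) before its 'exp'
# claim so a refresh happens ahead of the request that would otherwise fail.
def token_valid?(claims, now: Time.now, skew_seconds: 60)
  exp = claims['exp']
  return false unless exp.is_a?(Integer)

  Time.at(exp) > now + skew_seconds
end

# Build a constructed, UNSIGNED test token: the signature segment is a
# placeholder. A real RPST is signed by OCI; this one exists only so the
# parsing above has something to run on.
def build_fake_jwt(claims)
  header = Base64.urlsafe_encode64({ alg: 'RS256', typ: 'JWT' }.to_json, padding: false)
  body   = Base64.urlsafe_encode64(claims.to_json, padding: false)
  "#{header}.#{body}.placeholder-signature"
end

# Exercise both modes and the claim/expiry logic; returns a hash of results.
def demonstrate(now: Time.now)
  claims = {
    'sub' => 'ocid1.instance.oc1..exampleinstance',              # constructed OCIDs
    'res_tenant' => 'ocid1.tenancy.oc1..exampletenancy',
    'res_compartment' => 'ocid1.compartment.oc1..examplecompartment',
    'exp' => (now + 1200).to_i                                    # 20 minutes from now
  }
  token = build_fake_jwt(claims)

  literal = resolve_literal_or_path(token)        # mode 1: literal contents

  file = Tempfile.new('rpst')                     # mode 2: absolute path on disk
  file.write("#{token}\n")
  file.close
  from_file = resolve_literal_or_path(file.path)

  decoded = jwt_claims(from_file)
  {
    same_token: literal == from_file,
    tenancy: decoded['res_tenant'],
    compartment: decoded['res_compartment'],
    valid_now: token_valid?(decoded, now: now),
    valid_in_twenty_minutes: token_valid?(decoded, now: now + 1200)
  }
ensure
  file&.close!
end

puts demonstrate.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the result hash: the token read back from the file equals the literal one once the trailing newline is stripped, the tenancy and compartment claims come straight out of the payload, and the same token reports valid now but not valid once the clock has moved to its expiry, which is the point at which #security_token above would call #refresh_security_token.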