Class: OCI::Auth::Signers::ResourcePrincipalsFederationSigner

Inherits:
SecurityTokenSigner show all
Defined in:
lib/oci/auth/signers/resource_principals_federation_signer.rb

Overview

rp federation signer

Constant Summary

Constants inherited from BaseSigner

BaseSigner::BODY_HEADERS, BaseSigner::GENERIC_HEADERS, BaseSigner::SIGNATURE_VERSION, BaseSigner::SIGNING_STRATEGY_ENUM

Instance Attribute Summary collapse

Instance Method Summary collapse

Methods inherited from BaseSigner

#sign

Constructor Details

#initialize(rp_token_endpoint: nil, rp_session_endpoint: nil, rp_token_path_provider: nil, retry_config: nil, log_requests: nil) ⇒ ResourcePrincipalsFederationSigner

Creates a new ResourcePrincipalSigner



19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
# File 'lib/oci/auth/signers/resource_principals_federation_signer.rb', line 19

def initialize(
    rp_token_endpoint: nil,
    rp_session_endpoint: nil,
    rp_token_path_provider: nil,
    retry_config: nil,
    log_requests: nil
  )
  @refresh_lock = Mutex.new
  if rp_token_endpoint.nil?
    raise 'Missing resource principals token endpoint when initializing resource principals signer'
  end

  @rp_token_endpoint = rp_token_endpoint

  @instance_principal_signer = OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner.new
  @session_key_supplier = OCI::Auth::SessionKeySupplier.new
  @region = @instance_principal_signer.region
   = OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner::METADATA_URL_BASE
  @rp_token_path_provider = rp_token_path_provider || OCI::Auth::Signers::RptPathProvider::DefaultRptPathProvider.new(metadata_url: )

  @rp_session_endpoint = rp_session_endpoint || OCI::Regions.get_service_endpoint(@region, :Auth)

  # set up retry policy
  if !retry_config.nil?
    @retry_config = retry_config
  else
    @retry_config = OCI::Retry::RetryConfig.new(
      base_sleep_time_millis: 500,
      exponential_growth_factor: 2,
      should_retry_exception_proc:
        OCI::Retry::Functions::ShouldRetryOnError.retry_on_network_error_throttle_and_internal_server_errors,
      sleep_calc_millis_proc: OCI::Retry::Functions::Sleep.exponential_backoff_with_equal_jitter,
      max_attempts: 5,
      max_elapsed_time_millis: 300_000,
      max_sleep_between_attempts_millis: 10_000
    )
  end
  @rpt = nil
  @spst = nil
  config = OCI::Config.new
  config.log_requests = log_requests if log_requests
  @api_client = OCI::ApiClient.new(config, @instance_principal_signer)
  # Get the Resource Principal Session Token and use it to set up the signer
  @rpst = security_token
  super(@rpst, @session_key_supplier.key_pair[:private_key])
end

Instance Attribute Details

#regionObject (readonly)

Returns the value of attribute region.



16
17
18
# File 'lib/oci/auth/signers/resource_principals_federation_signer.rb', line 16

def region
  @region
end

Instance Method Details

#make_call(method, resource_path, endpoint, header_params = nil, body = nil) ⇒ Object

rubocop:enable Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/PerceivedComplexity, Metrics/ClassLength, Metrics/LineLength, Layout/EmptyLines



124
125
126
127
128
129
130
131
132
133
134
135
136
# File 'lib/oci/auth/signers/resource_principals_federation_signer.rb', line 124

def make_call(method, resource_path, endpoint, header_params = nil, body = nil)
  OCI::Retry.make_retrying_call(@retry_config) do
    @api_client.call_api(
      method,
      resource_path,
      endpoint,
      operation_signing_strategy: :standard,
      return_type: 'Stream',
      header_params: header_params,
      body: @api_client.object_to_http_body(body)
    )
  end
end

#refresh_security_tokenObject



75
76
77
78
79
80
81
82
83
84
85
# File 'lib/oci/auth/signers/resource_principals_federation_signer.rb', line 75

def refresh_security_token
  @refresh_lock.lock
  @session_key_supplier.refresh
  @instance_principal_signer.refresh_security_token
  # Get RPT blob, Service Principal Session Token from service, Steps A.1 and B.1
  @rpt, @spst = resource_principal_token_and_service_principal_session_token(@rp_token_path_provider)
  # Get RPST token from itentity, steps A.2 and B.2
  @security_token = OCI::Auth::SecurityTokenContainer.new(resource_principal_session_token)
ensure
  @refresh_lock.unlock if @refresh_lock.locked? && @refresh_lock.owned?
end

#resource_principal_session_tokenObject

rubocop:disable Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/PerceivedComplexity, Layout/EmptyLines



101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
# File 'lib/oci/auth/signers/resource_principals_federation_signer.rb', line 101

def resource_principal_session_token
  method = :POST
  resource_path = URI('/v1/resourcePrincipalSessionToken')
  public_key = @session_key_supplier.key_pair[:public_key]

  sanitized_public_key = OCI::Auth::Util.sanitize_certificate_string(public_key.to_pem)

  request_payload = {
    'resourcePrincipalToken': @rpt,
    'servicePrincipalSessionToken': @spst,
    'sessionPublicKey': sanitized_public_key
  }
  header_params = {}
  header_params[:accept] = 'application/json'
  header_params[:'content-type'] = 'application/json'
  response = make_call(method, resource_path, @rp_session_endpoint, header_params, request_payload)
  parsed_response = JSON.parse(response.data)
  raise 'Failed to get Resource Principal Session Token' if parsed_response['token'].nil?

  parsed_response['token']
end

#resource_principal_token_and_service_principal_session_token(rp_token_path_provider) ⇒ Object



87
88
89
90
91
92
93
94
95
96
97
# File 'lib/oci/auth/signers/resource_principals_federation_signer.rb', line 87

def resource_principal_token_and_service_principal_session_token(rp_token_path_provider)
  method = :GET
  resource_path = rp_token_path_provider.token_path
  response = make_call(method, resource_path, @rp_token_endpoint)
  parsed_response = JSON.parse(response.data)
  if parsed_response['resourcePrincipalToken'].nil? || parsed_response['servicePrincipalSessionToken'].nil?
    raise 'Failed to get Resource Principal Token or Service Principal Session Token'
  end

  [parsed_response['resourcePrincipalToken'], parsed_response['servicePrincipalSessionToken']]
end

#security_tokenObject

rubocop:enable Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/PerceivedComplexity, Layout/EmptyLines



67
68
69
70
71
72
73
# File 'lib/oci/auth/signers/resource_principals_federation_signer.rb', line 67

def security_token
  if defined? @security_token
    return @security_token.security_token if @security_token.token_valid?
  end
  refresh_security_token
  @security_token.security_token
end