Class: OCI::Auth::Signers::OkeWorkloadIdentityResourcePrincipalSigner

Inherits:
SecurityTokenSigner
Defined in:
lib/oci/auth/signers/oke_workload_identity_resource_principal_signer.rb

Overview

This signer takes the following parameters: sa_token_provider, sa_cert_path, service_host, service_port and region.

Constant Summary

Constants inherited from BaseSigner

BaseSigner::BODY_HEADERS, BaseSigner::GENERIC_HEADERS, BaseSigner::SIGNATURE_VERSION, BaseSigner::SIGNING_STRATEGY_ENUM

Instance Method Summary

Methods inherited from BaseSigner

#sign

Constructor Details

#initialize(sa_token_provider, sa_cert_path, service_host, service_port, region: nil) ⇒ OkeWorkloadIdentityResourcePrincipalSigner

Returns a new instance of OkeWorkloadIdentityResourcePrincipalSigner.



# File 'lib/oci/auth/signers/oke_workload_identity_resource_principal_signer.rb', line 22

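# Builds a signer that exchanges a Kubernetes service-account token for a
# resource principal session token (RPST) via the proxymux endpoint on the
# Kubernetes service host, then signs requests with that RPST and the
# locally generated session key pair.
#
# @param sa_token_provider [Object] supplies the service-account token that is
#   sent as the bearer credential to proxymux
# @param sa_cert_path [String] path to the CA certificate file used to verify
#   the TLS connection to proxymux
# @param service_host [String] Kubernetes service host; must not be nil
# @param service_port [Integer, String] port of the proxymux endpoint on service_host
# @param region [String, nil] region short or long name; short names are
#   expanded by #initialize_and_return_region
# @raise [RuntimeError] if service_host is nil
def initialize(sa_token_provider, sa_cert_path, service_host, service_port, region: nil)
  @sa_token_provider = sa_token_provider
  @sa_cert_path = sa_cert_path
  @service_host = service_host
  raise 'Kubernetes service host was not provided.' if @service_host.nil?

  @service_port = service_port
  @region = initialize_and_return_region(region)
  # Serialises #refresh_security_token so concurrent callers cannot interleave
  # a key-pair rotation with a token fetch.
  @refresh_lock = Mutex.new

  @proxymux_endpoint = "https://#{service_host}:#{service_port}/resourcePrincipalSessionTokens"
  uri = URI(@proxymux_endpoint)
  @federation_http_client = Net::HTTP.new(uri.hostname, uri.port)
  @federation_http_client.use_ssl = (uri.scheme == 'https')
  # The service-account CA bundle is used to verify proxymux's certificate.
  # Peer verification is Net::HTTP's default for SSL connections; it is set
  # explicitly here so the requirement survives future changes to the client setup.
  @federation_http_client.ca_file = @sa_cert_path
  @federation_http_client.verify_mode = OpenSSL::SSL::VERIFY_PEER

  @session_key_supplier = OCI::Auth::SessionKeySupplier.new
  # Fetches and caches the initial RPST (see #security_token).
  @rpst = security_token

  super(@rpst, @session_key_supplier.key_pair[:private_key])
end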

Instance Method Details

#initialize_and_return_region(region) ⇒ Object



# File 'lib/oci/auth/signers/oke_workload_identity_resource_principal_signer.rb', line 44

# Expands a region short name (e.g. a key of REGION_SHORT_NAMES_TO_LONG_NAMES)
# to its long name; any other value, including nil, is returned unchanged.
#
# @param region [String, nil] region short name, long name or nil
# @return [String, nil] the long region name when a short name was given,
#   otherwise the argument as passed
def initialize_and_return_region(region)
  OCI::Regions::REGION_SHORT_NAMES_TO_LONG_NAMES.fetch(region, region)
end

#refresh_security_token ⇒ Object



# File 'lib/oci/auth/signers/oke_workload_identity_resource_principal_signer.rb', line 60

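# Rotates the session key pair, fetches a fresh RPST from proxymux and
# rebuilds the signing key material, all while holding @refresh_lock so two
# callers cannot interleave a half-rotated key pair with an old token.
#
# @return [Object] the value of #reset_signer; #security_token ignores it
# @raise [RuntimeError] propagated from #resource_principal_session_token when
#   proxymux rejects the request or returns an unusable body
def refresh_security_token
  # Mutex#synchronize releases the lock on every exit path, including a raise,
  # and only ever unlocks what this frame acquired. The earlier manual
  # lock / "unlock if locked? && owned?" form would release an outer holder's
  # lock after a recursive-lock ThreadError.
  @refresh_lock.synchronize do
    @session_key_supplier.refresh
    @security_token = OCI::Auth::SecurityTokenContainer.new(resource_principal_session_token)
    reset_signer
  end
end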

#reset_signer ⇒ Object



# File 'lib/oci/auth/signers/oke_workload_identity_resource_principal_signer.rb', line 69

# Rebuilds the signing state from the current RPST and session key pair:
# the key id becomes "ST$<token>" and the private key is re-read from the
# supplier's PEM.
#
# @return [OpenSSL::PKey::RSA] the freshly loaded private key
def reset_signer
  token = @security_token.security_token
  @key_id = "ST$#{token}"

  key_pair = @session_key_supplier.key_pair
  @private_key_content = key_pair[:private_key]
  # The pass phrase is only consulted if the PEM is encrypted; a random one
  # is supplied when none is configured.
  pass_phrase = @pass_phrase || SecureRandom.uuid
  @private_key = OpenSSL::PKey::RSA.new(@private_key_content, pass_phrase)
end

#resource_principal_session_token ⇒ Object



# File 'lib/oci/auth/signers/oke_workload_identity_resource_principal_signer.rb', line 78

# Calls the proxymux endpoint with the service-account token as bearer
# credential and the session public key as "podKey", and returns the RPST
# extracted from the base64-encoded JSON response.
#
# @return [String] the RPST with its first three characters removed
# @raise [RuntimeError] on a non-200 status, a body without "token", or an
#   unparsable JSON body
def resource_principal_session_token
  # The pod's session public key is sent so the issued RPST is bound to the
  # key pair that will sign subsequent requests.
  request_payload = {
    "podKey": OCI::Auth::Util.sanitize_certificate_string(@session_key_supplier.key_pair[:public_key].to_pem)
  }
  # NOTE(review): the method name after the dot on this line and on the
  # OCI::Auth::Util call below appears to have been lost in extraction;
  # consult the source file.
  sa_token = @sa_token_provider.

  request = OCI::Auth::Util.(@proxymux_endpoint, 'post')
  request.body = request_payload.to_json

  # The service-account token is the credential that authenticates this
  # workload to proxymux.
  header_params = {}
  header_params[:'content-type'] = 'application/json'
  header_params[:authorization] = 'Bearer ' + sa_token
  header_params.each { |key, value| request[key.to_s] = value }
  # Only assigned when the request does not already carry a request id.
  request[:'opc-request-id'] ||= OCI::ApiClient.build_request_id

  raw_body = nil
  status_code = nil
  message = nil
  @federation_http_client.start do
    @federation_http_client.request(request) do |response|
      raw_body = response.body
      status_code = response.code
      message = response.message
    end
  end

  # Net::HTTP reports the status code as a String.
  if status_code != '200'
    raise "Failed to get a RPST token from proxymux. URL: #{@proxymux_endpoint}, Status: #{status_code}, Message: #{message}"
  end

  # The response body is base64; this is a substring check for "token", not a
  # JSON key check, so parsing below is still required.
  # NOTE(review): the decoded body is interpolated into the error messages
  # below; on a well-formed body it contains the token itself, so these
  # exceptions may carry credential material into logs.
  decoded_response = Base64.decode64(raw_body)
  if (decoded_response.include? 'token') == false
    raise "Could not find token in decoded response from proxymux. URL: #{@proxymux_endpoint}, Decoded Response: #{decoded_response}"
  end

  begin
    response_json = JSON.parse(decoded_response)
    # The first three characters of the token are dropped; the reason is not
    # visible here — presumably a fixed prefix in proxymux's format, verify.
    response_json['token'][3..-1]
  rescue JSON::ParserError
    raise "Unable to convert decoded response into JSON. Decoded response: #{decoded_response}"
  end
end

#security_token ⇒ Object



# File 'lib/oci/auth/signers/oke_workload_identity_resource_principal_signer.rb', line 52

# Returns the current RPST, refreshing it first unless a cached token exists
# that is still valid past half of its lifetime.
#
# @return [String] the resource principal session token
def security_token
  cached_ok = defined?(@security_token) && @security_token.token_valid_with_half_expiration_time?
  return @security_token.security_token if cached_ok

  refresh_security_token
  @security_token.security_token
end