oci 2.0.5 → 2.0.6
- checksums.yaml +4 -4
- data/README.md +2 -2
- data/lib/oci.rb +3 -0
- data/lib/oci/api_client.rb +24 -3
- data/lib/oci/audit/audit_client.rb +19 -5
- data/lib/oci/audit/models/audit_event.rb +19 -0
- data/lib/oci/audit/models/configuration.rb +1 -0
- data/lib/oci/audit/models/update_configuration_details.rb +1 -0
- data/lib/oci/auth/auth.rb +16 -0
- data/lib/oci/auth/federation_client.rb +125 -0
- data/lib/oci/auth/internal/auth_token_request_signer.rb +20 -0
- data/lib/oci/auth/security_token_container.rb +25 -0
- data/lib/oci/auth/session_key_supplier.rb +37 -0
- data/lib/oci/auth/signers/instance_principals_security_token_signer.rb +83 -0
- data/lib/oci/auth/signers/security_token_signer.rb +32 -0
- data/lib/oci/auth/signers/x509_federation_client_based_security_token_signer.rb +70 -0
- data/lib/oci/auth/url_based_certificate_retriever.rb +104 -0
- data/lib/oci/auth/util.rb +33 -0
- data/lib/oci/base_signer.rb +154 -0
- data/lib/oci/core/blockstorage_client.rb +19 -5
- data/lib/oci/core/compute_client.rb +19 -5
- data/lib/oci/core/models/attach_boot_volume_details.rb +5 -2
- data/lib/oci/core/models/attach_i_scsi_volume_details.rb +5 -1
- data/lib/oci/core/models/attach_vnic_details.rb +6 -2
- data/lib/oci/core/models/attach_volume_details.rb +8 -3
- data/lib/oci/core/models/boot_volume.rb +22 -6
- data/lib/oci/core/models/boot_volume_attachment.rb +17 -7
- data/lib/oci/core/models/bulk_add_virtual_circuit_public_prefixes_details.rb +2 -1
- data/lib/oci/core/models/bulk_delete_virtual_circuit_public_prefixes_details.rb +2 -1
- data/lib/oci/core/models/capture_console_history_details.rb +5 -1
- data/lib/oci/core/models/connect_local_peering_gateways_details.rb +3 -1
- data/lib/oci/core/models/console_history.rb +19 -6
- data/lib/oci/core/models/cpe.rb +18 -3
- data/lib/oci/core/models/create_cpe_details.rb +5 -2
- data/lib/oci/core/models/create_cross_connect_details.rb +10 -3
- data/lib/oci/core/models/create_cross_connect_group_details.rb +3 -1
- data/lib/oci/core/models/create_dhcp_details.rb +9 -3
- data/lib/oci/core/models/create_drg_attachment_details.rb +5 -2
- data/lib/oci/core/models/create_drg_details.rb +3 -1
- data/lib/oci/core/models/create_image_details.rb +9 -1
- data/lib/oci/core/models/create_instance_console_connection_details.rb +9 -2
- data/lib/oci/core/models/create_internet_gateway_details.rb +8 -4
- data/lib/oci/core/models/create_ip_sec_connection_details.rb +9 -4
- data/lib/oci/core/models/create_local_peering_gateway_details.rb +5 -2
- data/lib/oci/core/models/create_private_ip_details.rb +7 -1
- data/lib/oci/core/models/create_route_table_details.rb +9 -3
- data/lib/oci/core/models/create_security_list_details.rb +11 -4
- data/lib/oci/core/models/create_subnet_details.rb +17 -5
- data/lib/oci/core/models/create_vcn_details.rb +8 -2
- data/lib/oci/core/models/create_virtual_circuit_details.rb +14 -2
- data/lib/oci/core/models/create_virtual_circuit_public_prefix_details.rb +2 -1
- data/lib/oci/core/models/create_vnic_details.rb +14 -3
- data/lib/oci/core/models/create_volume_backup_details.rb +5 -1
- data/lib/oci/core/models/create_volume_details.rb +11 -2
- data/lib/oci/core/models/cross_connect.rb +26 -0
- data/lib/oci/core/models/cross_connect_group.rb +19 -0
- data/lib/oci/core/models/cross_connect_location.rb +5 -2
- data/lib/oci/core/models/cross_connect_mapping.rb +31 -0
- data/lib/oci/core/models/cross_connect_port_speed_shape.rb +6 -2
- data/lib/oci/core/models/cross_connect_status.rb +6 -1
- data/lib/oci/core/models/delete_virtual_circuit_public_prefix_details.rb +2 -1
- data/lib/oci/core/models/dhcp_dns_option.rb +7 -1
- data/lib/oci/core/models/dhcp_option.rb +9 -1
- data/lib/oci/core/models/dhcp_options.rb +31 -6
- data/lib/oci/core/models/dhcp_search_domain_option.rb +5 -1
- data/lib/oci/core/models/drg.rb +18 -3
- data/lib/oci/core/models/drg_attachment.rb +15 -5
- data/lib/oci/core/models/egress_security_rule.rb +10 -3
- data/lib/oci/core/models/export_image_details.rb +13 -1
- data/lib/oci/core/models/export_image_via_object_storage_tuple_details.rb +3 -0
- data/lib/oci/core/models/export_image_via_object_storage_uri_details.rb +2 -1
- data/lib/oci/core/models/fast_connect_provider_service.rb +17 -6
- data/lib/oci/core/models/i_scsi_volume_attachment.rb +17 -3
- data/lib/oci/core/models/icmp_options.rb +11 -1
- data/lib/oci/core/models/image.rb +28 -7
- data/lib/oci/core/models/image_source_details.rb +4 -1
- data/lib/oci/core/models/image_source_via_object_storage_tuple_details.rb +7 -3
- data/lib/oci/core/models/image_source_via_object_storage_uri_details.rb +3 -1
- data/lib/oci/core/models/ingress_security_rule.rb +10 -3
- data/lib/oci/core/models/instance.rb +33 -7
- data/lib/oci/core/models/instance_console_connection.rb +15 -0
- data/lib/oci/core/models/instance_credentials.rb +5 -2
- data/lib/oci/core/models/instance_source_details.rb +3 -1
- data/lib/oci/core/models/instance_source_via_boot_volume_details.rb +2 -1
- data/lib/oci/core/models/instance_source_via_image_details.rb +2 -1
- data/lib/oci/core/models/internet_gateway.rb +20 -5
- data/lib/oci/core/models/ip_sec_connection.rb +23 -6
- data/lib/oci/core/models/ip_sec_connection_device_config.rb +7 -2
- data/lib/oci/core/models/ip_sec_connection_device_status.rb +7 -2
- data/lib/oci/core/models/launch_instance_details.rb +20 -3
- data/lib/oci/core/models/launch_options.rb +10 -4
- data/lib/oci/core/models/letter_of_authority.rb +10 -0
- data/lib/oci/core/models/local_peering_gateway.rb +29 -9
- data/lib/oci/core/models/port_range.rb +4 -2
- data/lib/oci/core/models/private_ip.rb +41 -1
- data/lib/oci/core/models/route_rule.rb +7 -2
- data/lib/oci/core/models/route_table.rb +22 -5
- data/lib/oci/core/models/security_list.rb +32 -8
- data/lib/oci/core/models/shape.rb +5 -1
- data/lib/oci/core/models/subnet.rb +38 -10
- data/lib/oci/core/models/tcp_options.rb +5 -0
- data/lib/oci/core/models/tunnel_config.rb +6 -2
- data/lib/oci/core/models/tunnel_status.rb +7 -1
- data/lib/oci/core/models/udp_options.rb +5 -0
- data/lib/oci/core/models/update_boot_volume_details.rb +1 -0
- data/lib/oci/core/models/update_console_history_details.rb +3 -0
- data/lib/oci/core/models/update_cpe_details.rb +1 -0
- data/lib/oci/core/models/update_cross_connect_details.rb +5 -1
- data/lib/oci/core/models/update_cross_connect_group_details.rb +1 -0
- data/lib/oci/core/models/update_dhcp_details.rb +4 -0
- data/lib/oci/core/models/update_drg_attachment_details.rb +1 -0
- data/lib/oci/core/models/update_drg_details.rb +1 -0
- data/lib/oci/core/models/update_image_details.rb +3 -0
- data/lib/oci/core/models/update_instance_details.rb +3 -0
- data/lib/oci/core/models/update_internet_gateway_details.rb +3 -1
- data/lib/oci/core/models/update_ip_sec_connection_details.rb +1 -0
- data/lib/oci/core/models/update_local_peering_gateway_details.rb +1 -0
- data/lib/oci/core/models/update_private_ip_details.rb +5 -0
- data/lib/oci/core/models/update_route_table_details.rb +4 -0
- data/lib/oci/core/models/update_security_list_details.rb +5 -0
- data/lib/oci/core/models/update_subnet_details.rb +3 -0
- data/lib/oci/core/models/update_vcn_details.rb +3 -0
- data/lib/oci/core/models/update_virtual_circuit_details.rb +7 -0
- data/lib/oci/core/models/update_vnic_details.rb +4 -1
- data/lib/oci/core/models/update_volume_backup_details.rb +3 -0
- data/lib/oci/core/models/update_volume_details.rb +3 -0
- data/lib/oci/core/models/vcn.rb +24 -4
- data/lib/oci/core/models/virtual_circuit.rb +41 -0
- data/lib/oci/core/models/virtual_circuit_bandwidth_shape.rb +5 -1
- data/lib/oci/core/models/virtual_circuit_public_prefix.rb +8 -2
- data/lib/oci/core/models/vnic.rb +38 -9
- data/lib/oci/core/models/vnic_attachment.rb +21 -7
- data/lib/oci/core/models/volume.rb +28 -8
- data/lib/oci/core/models/volume_attachment.rb +25 -8
- data/lib/oci/core/models/volume_backup.rb +26 -5
- data/lib/oci/core/models/volume_source_details.rb +3 -0
- data/lib/oci/core/models/volume_source_from_volume_backup_details.rb +3 -1
- data/lib/oci/core/models/volume_source_from_volume_details.rb +3 -1
- data/lib/oci/core/virtual_network_client.rb +19 -5
- data/lib/oci/database/database_client.rb +19 -5
- data/lib/oci/database/models/backup.rb +13 -0
- data/lib/oci/database/models/backup_summary.rb +13 -0
- data/lib/oci/database/models/create_backup_details.rb +4 -2
- data/lib/oci/database/models/create_data_guard_association_details.rb +18 -4
- data/lib/oci/database/models/create_data_guard_association_to_existing_db_system_details.rb +5 -0
- data/lib/oci/database/models/create_database_details.rb +9 -2
- data/lib/oci/database/models/create_database_from_backup_details.rb +6 -3
- data/lib/oci/database/models/create_db_home_details.rb +5 -1
- data/lib/oci/database/models/create_db_home_with_db_system_id_base.rb +5 -1
- data/lib/oci/database/models/create_db_home_with_db_system_id_details.rb +6 -1
- data/lib/oci/database/models/create_db_home_with_db_system_id_from_backup_details.rb +4 -0
- data/lib/oci/database/models/data_guard_association.rb +32 -7
- data/lib/oci/database/models/data_guard_association_summary.rb +32 -7
- data/lib/oci/database/models/database.rb +22 -5
- data/lib/oci/database/models/database_summary.rb +22 -5
- data/lib/oci/database/models/db_backup_config.rb +5 -1
- data/lib/oci/database/models/db_home.rb +22 -5
- data/lib/oci/database/models/db_home_summary.rb +22 -5
- data/lib/oci/database/models/db_node.rb +17 -5
- data/lib/oci/database/models/db_node_summary.rb +17 -5
- data/lib/oci/database/models/db_system.rb +56 -12
- data/lib/oci/database/models/db_system_shape_summary.rb +11 -2
- data/lib/oci/database/models/db_system_summary.rb +56 -12
- data/lib/oci/database/models/db_version_summary.rb +8 -2
- data/lib/oci/database/models/failover_data_guard_association_details.rb +4 -1
- data/lib/oci/database/models/launch_db_system_details.rb +27 -8
- data/lib/oci/database/models/patch.rb +18 -4
- data/lib/oci/database/models/patch_details.rb +6 -0
- data/lib/oci/database/models/patch_history_entry.rb +12 -4
- data/lib/oci/database/models/patch_history_entry_summary.rb +12 -4
- data/lib/oci/database/models/patch_summary.rb +18 -4
- data/lib/oci/database/models/reinstate_data_guard_association_details.rb +4 -1
- data/lib/oci/database/models/restore_database_details.rb +4 -1
- data/lib/oci/database/models/switchover_data_guard_association_details.rb +4 -1
- data/lib/oci/database/models/update_database_details.rb +1 -0
- data/lib/oci/database/models/update_db_home_details.rb +3 -0
- data/lib/oci/database/models/update_db_system_details.rb +6 -0
- data/lib/oci/identity/identity.rb +3 -0
- data/lib/oci/identity/identity_client.rb +290 -70
- data/lib/oci/identity/models/add_user_to_group_details.rb +4 -2
- data/lib/oci/identity/models/api_key.rb +18 -0
- data/lib/oci/identity/models/availability_domain.rb +6 -0
- data/lib/oci/identity/models/compartment.rb +38 -10
- data/lib/oci/identity/models/create_api_key_details.rb +2 -1
- data/lib/oci/identity/models/create_compartment_details.rb +14 -7
- data/lib/oci/identity/models/create_customer_secret_key_details.rb +2 -1
- data/lib/oci/identity/models/create_dynamic_group_details.rb +160 -0
- data/lib/oci/identity/models/create_group_details.rb +14 -7
- data/lib/oci/identity/models/create_identity_provider_details.rb +19 -9
- data/lib/oci/identity/models/create_idp_group_mapping_details.rb +4 -2
- data/lib/oci/identity/models/create_policy_details.rb +18 -9
- data/lib/oci/identity/models/create_region_subscription_details.rb +2 -1
- data/lib/oci/identity/models/create_saml2_identity_provider_details.rb +10 -2
- data/lib/oci/identity/models/create_swift_password_details.rb +2 -1
- data/lib/oci/identity/models/create_tag_details.rb +12 -6
- data/lib/oci/identity/models/create_tag_namespace_details.rb +14 -7
- data/lib/oci/identity/models/create_user_details.rb +14 -7
- data/lib/oci/identity/models/customer_secret_key.rb +16 -0
- data/lib/oci/identity/models/customer_secret_key_summary.rb +10 -0
- data/lib/oci/identity/models/dynamic_group.rb +239 -0
- data/lib/oci/identity/models/group.rb +35 -11
- data/lib/oci/identity/models/identity_provider.rb +36 -12
- data/lib/oci/identity/models/idp_group_mapping.rb +27 -7
- data/lib/oci/identity/models/policy.rb +38 -11
- data/lib/oci/identity/models/region.rb +10 -0
- data/lib/oci/identity/models/region_subscription.rb +16 -5
- data/lib/oci/identity/models/saml2_identity_provider.rb +20 -3
- data/lib/oci/identity/models/swift_password.rb +17 -1
- data/lib/oci/identity/models/tag.rb +30 -13
- data/lib/oci/identity/models/tag_namespace.rb +25 -11
- data/lib/oci/identity/models/tag_namespace_summary.rb +23 -10
- data/lib/oci/identity/models/tag_summary.rb +21 -8
- data/lib/oci/identity/models/tenancy.rb +21 -4
- data/lib/oci/identity/models/ui_password.rb +10 -0
- data/lib/oci/identity/models/update_compartment_details.rb +10 -4
- data/lib/oci/identity/models/update_customer_secret_key_details.rb +1 -0
- data/lib/oci/identity/models/update_dynamic_group_details.rb +134 -0
- data/lib/oci/identity/models/update_group_details.rb +9 -4
- data/lib/oci/identity/models/update_identity_provider_details.rb +12 -5
- data/lib/oci/identity/models/update_idp_group_mapping_details.rb +2 -0
- data/lib/oci/identity/models/update_policy_details.rb +12 -5
- data/lib/oci/identity/models/update_saml2_identity_provider_details.rb +5 -0
- data/lib/oci/identity/models/update_state_details.rb +2 -1
- data/lib/oci/identity/models/update_swift_password_details.rb +1 -0
- data/lib/oci/identity/models/update_tag_details.rb +15 -7
- data/lib/oci/identity/models/update_tag_namespace_details.rb +15 -7
- data/lib/oci/identity/models/update_user_details.rb +9 -4
- data/lib/oci/identity/models/user.rb +38 -11
- data/lib/oci/identity/models/user_group_membership.rb +16 -6
- data/lib/oci/load_balancer/load_balancer.rb +1 -0
- data/lib/oci/load_balancer/load_balancer_client.rb +24 -9
- data/lib/oci/load_balancer/models/backend.rb +20 -10
- data/lib/oci/load_balancer/models/backend_details.rb +12 -5
- data/lib/oci/load_balancer/models/backend_health.rb +6 -2
- data/lib/oci/load_balancer/models/backend_set.rb +14 -2
- data/lib/oci/load_balancer/models/backend_set_details.rb +11 -1
- data/lib/oci/load_balancer/models/backend_set_health.rb +15 -5
- data/lib/oci/load_balancer/models/certificate.rb +10 -3
- data/lib/oci/load_balancer/models/certificate_details.rb +10 -1
- data/lib/oci/load_balancer/models/connection_configuration.rb +157 -0
- data/lib/oci/load_balancer/models/create_backend_details.rb +15 -5
- data/lib/oci/load_balancer/models/create_backend_set_details.rb +13 -2
- data/lib/oci/load_balancer/models/create_certificate_details.rb +10 -1
- data/lib/oci/load_balancer/models/create_listener_details.rb +28 -5
- data/lib/oci/load_balancer/models/create_load_balancer_details.rb +14 -5
- data/lib/oci/load_balancer/models/health_check_result.rb +10 -4
- data/lib/oci/load_balancer/models/health_checker.rb +15 -4
- data/lib/oci/load_balancer/models/health_checker_details.rb +10 -1
- data/lib/oci/load_balancer/models/ip_address.rb +5 -2
- data/lib/oci/load_balancer/models/listener.rb +28 -5
- data/lib/oci/load_balancer/models/listener_details.rb +23 -4
- data/lib/oci/load_balancer/models/load_balancer.rb +30 -7
- data/lib/oci/load_balancer/models/load_balancer_health.rb +15 -5
- data/lib/oci/load_balancer/models/load_balancer_health_summary.rb +5 -2
- data/lib/oci/load_balancer/models/load_balancer_policy.rb +6 -1
- data/lib/oci/load_balancer/models/load_balancer_protocol.rb +3 -1
- data/lib/oci/load_balancer/models/load_balancer_shape.rb +8 -1
- data/lib/oci/load_balancer/models/session_persistence_configuration_details.rb +14 -2
- data/lib/oci/load_balancer/models/ssl_configuration.rb +11 -4
- data/lib/oci/load_balancer/models/ssl_configuration_details.rb +6 -2
- data/lib/oci/load_balancer/models/update_backend_details.rb +12 -7
- data/lib/oci/load_balancer/models/update_backend_set_details.rb +12 -1
- data/lib/oci/load_balancer/models/update_health_checker_details.rb +16 -7
- data/lib/oci/load_balancer/models/update_listener_details.rb +23 -4
- data/lib/oci/load_balancer/models/update_load_balancer_details.rb +3 -1
- data/lib/oci/load_balancer/models/work_request.rb +20 -6
- data/lib/oci/load_balancer/models/work_request_error.rb +5 -1
- data/lib/oci/object_storage/models/bucket.rb +27 -8
- data/lib/oci/object_storage/models/bucket_summary.rb +16 -6
- data/lib/oci/object_storage/models/commit_multipart_upload_details.rb +7 -1
- data/lib/oci/object_storage/models/commit_multipart_upload_part_details.rb +8 -2
- data/lib/oci/object_storage/models/create_bucket_details.rb +15 -4
- data/lib/oci/object_storage/models/create_multipart_upload_details.rb +10 -1
- data/lib/oci/object_storage/models/create_preauthenticated_request_details.rb +7 -3
- data/lib/oci/object_storage/models/list_objects.rb +8 -1
- data/lib/oci/object_storage/models/multipart_upload.rb +20 -5
- data/lib/oci/object_storage/models/multipart_upload_part_summary.rb +13 -4
- data/lib/oci/object_storage/models/namespace_metadata.rb +8 -3
- data/lib/oci/object_storage/models/object_summary.rb +9 -1
- data/lib/oci/object_storage/models/preauthenticated_request.rb +20 -6
- data/lib/oci/object_storage/models/preauthenticated_request_summary.rb +13 -5
- data/lib/oci/object_storage/models/rename_object_details.rb +11 -2
- data/lib/oci/object_storage/models/restore_objects_details.rb +2 -1
- data/lib/oci/object_storage/models/update_bucket_details.rb +13 -2
- data/lib/oci/object_storage/models/update_namespace_metadata_details.rb +5 -0
- data/lib/oci/object_storage/object_storage_client.rb +26 -12
- data/lib/oci/regions.rb +8 -1
- data/lib/oci/signer.rb +5 -124
- data/lib/oci/version.rb +1 -1
- metadata +31 -2
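--- a/data/lib/oci/auth/signers/security_token_signer.rb
+++ b/data/lib/oci/auth/signers/security_token_signer.rb
@@ -0,0 +1,32 @@
+# Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved.
+
+require 'oci/base_signer'
+
+module OCI
+module Auth
+module Signers
+# The base signer for signing requests where the API key is a token (e.g. instance principals, service-to-service auth) rather representing
+# the details for a specific user.
+class SecurityTokenSigner < OCI::BaseSigner
+# Creates a new SecurityTokenSigner
+#
+# @param [Strong] security_token The token to use as the API key
+# @param [OpenSSL::PKey::RSA] private_key The private key whose corresponding public key was provided when requesting the token
+# @param [String] pass_phrase The pass phrase for the public key, if any. Defaults to nil (no passphrase) if not provided
+# @param [String] signing_strategy Whether this signer is used for Object Storage requests or not. Acceptable values are {OCI::BaseSigner::STANDARD} and {OCI::BaseSigner::OBJECT_STORAGE}. If not provided, defaults to {OCI::BaseSigner::STANDARD}
+# @param [Array<String>] headers_to_sign_in_all_requests An array of headers which will be signed in each request. If not provided, defaults to {OCI::BaseSigner::GENERIC_HEADERS}
+# @param [Array<String>] body_headers_to_sign An array of headers which should be signed on requests with bodies. If not provided, defaults to {OCI::BaseSigner::BODY_HEADERS}
+def initialize(security_token, private_key, pass_phrase: nil, signing_strategy: OCI::BaseSigner::STANDARD, headers_to_sign_in_all_requests: OCI::BaseSigner::GENERIC_HEADERS, body_headers_to_sign: OCI::BaseSigner::BODY_HEADERS)
+super(
+"ST$#{security_token}",
+private_key,
+pass_phrase: pass_phrase,
+signing_strategy: signing_strategy,
+headers_to_sign_in_all_requests: headers_to_sign_in_all_requests,
+body_headers_to_sign: body_headers_to_sign
+)
+end
+end
+end
+end
+end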
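Review bot: The YARD documentation on `SecurityTokenSigner#initialize` is inconsistent with what the constructor passes on: `@param [Strong] security_token` is a typo for `@param [String] security_token`, and `pass_phrase` is described as "the pass phrase for the public key" although a pass phrase only ever protects the private key, so it should read `# @param [String] pass_phrase The pass phrase for the private key, if any. Defaults to nil (no passphrase) if not provided`. The `private_key` parameter is documented as `OpenSSL::PKey::RSA`, yet it is forwarded unchanged to `BaseSigner#initialize`, whose own documentation later in this diff calls the same argument `private_key_content`, "the private key as a PEM-formatted string"; one of the two descriptions is wrong, and since BaseSigner's parsing of that value is outside the visible hunks I cannot tell which from here. Whichever type BaseSigner actually accepts should be stated here, because callers constructing signers from this class's docs will otherwise pass the wrong object.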
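--- a/data/lib/oci/auth/signers/x509_federation_client_based_security_token_signer.rb
+++ b/data/lib/oci/auth/signers/x509_federation_client_based_security_token_signer.rb
@@ -0,0 +1,70 @@
+# Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved.
+
+require 'oci/base_signer'
+require 'openssl'
+require 'securerandom'
+require 'thread'
+
+require_relative 'security_token_signer'
+
+module OCI
+module Auth
+module Signers
+# A SecurityTokenSigner where the token and private key are sourced from a provided federation_client. The token is retrieved via
+# the client's security_token method, and the private key is retrieved by reading it from the session_key_supplier in the client.
+class X509FederationClientBasedSecurityTokenSigner < OCI::Auth::Signers::SecurityTokenSigner
+# Creates a new X509FederationClientBasedSecurityTokenSigner
+#
+# @param [<OCI::Auth::FederationClient>] federation_client The federation client to use to request a security token
+# @param [String] signing_strategy Whether this signer is used for Object Storage requests or not. Acceptable values are {OCI::BaseSigner::STANDARD} and {OCI::BaseSigner::OBJECT_STORAGE}. If not provided, defaults to {OCI::BaseSigner::STANDARD}
+# @param [Array<String>] headers_to_sign_in_all_requests An array of headers which will be signed in each request. If not provided, defaults to {OCI::BaseSigner::GENERIC_HEADERS}
+# @param [Array<String>] body_headers_to_sign An array of headers which should be signed on requests with bodies. If not provided, defaults to {OCI::BaseSigner::BODY_HEADERS}
+def initialize(federation_client, signing_strategy: OCI::BaseSigner::STANDARD, headers_to_sign_in_all_requests: OCI::BaseSigner::GENERIC_HEADERS, body_headers_to_sign: OCI::BaseSigner::BODY_HEADERS)
+@federation_client = federation_client
+@refresh_lock = Mutex.new
+
+super(
+federation_client.security_token,
+federation_client.session_key_supplier.key_pair[:private_key],
+signing_strategy: signing_strategy,
+headers_to_sign_in_all_requests: headers_to_sign_in_all_requests,
+body_headers_to_sign: body_headers_to_sign
+)
+end
+
+# Refreshes the security token in the federation_client used by this class
+# @return [String] The new security token
+def refresh_security_token
+@federation_client.security_token!
+end
+
+# Generates the correct signature and adds it to the
+# headers that are passed in. Also injects any required
+# headers that might be missing.
+#
+# @param [Symbol] method The HTTP method, such as :get or :post.
+# @param [String] uri The URI, such as 'https://iaas.us-phoenix-1.oraclecloud.com/20160918/volumeAttachments/'
+# @param [Hash] headers A hash of headers
+# @param [String] body The request body
+def sign(method, uri, headers, body)
+reset_signer
+super
+end
+
+private
+
+def reset_signer
+@refresh_lock.lock
+@key_id = "ST$#{@federation_client.security_token}"
+@private_key_content = @federation_client.session_key_supplier.key_pair[:private_key]
+@private_key = OpenSSL::PKey::RSA.new(
+@private_key_content,
+@pass_phrase || SecureRandom.uuid
+)
+ensure
+@refresh_lock.unlock if @refresh_lock.locked? && @refresh_lock.owned?
+end
+end
+end
+end
+end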
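Review bot: `reset_signer` (lines 56–66) hand-rolls `lock` plus an `ensure` that re-checks `locked? && owned?`, which is exactly what `Mutex#synchronize` already guarantees in fewer lines; the same pattern is repeated in `UrlBasedCertificateRetriever#refresh` in the next file. The lock also only covers the reassignment of `@key_id`, `@private_key_content` and `@private_key`, while `super` in `sign` reads them outside it, so if one instance is shared across threads a concurrent `reset_signer` can swap the key between another thread's reset and its signature computation; that is only a correctness problem if `security_token!` rotates the session key pair, which I cannot see from this hunk, but it is worth a comment on `sign` either way. Finally, the `@pass_phrase || SecureRandom.uuid` fallback reads as though the key were being encrypted with a random secret; presumably it just supplies a non-nil passphrase so OpenSSL does not fall back to an interactive prompt for an encrypted PEM, and a one-line comment saying so would spare the next reader that confusion.

```ruby
def reset_signer
  @refresh_lock.synchronize do
    @key_id = "ST$#{@federation_client.security_token}"
    @private_key_content = @federation_client.session_key_supplier.key_pair[:private_key]
    # A non-nil passphrase keeps OpenSSL from prompting on stdin for an encrypted PEM;
    # for an unencrypted key the value is ignored, so a throwaway UUID is sufficient.
    @private_key = OpenSSL::PKey::RSA.new(@private_key_content, @pass_phrase || SecureRandom.uuid)
  end
end
```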
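--- a/data/lib/oci/auth/url_based_certificate_retriever.rb
+++ b/data/lib/oci/auth/url_based_certificate_retriever.rb
@@ -0,0 +1,104 @@
+# Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved.
+
+require 'net/http'
+require 'openssl'
+require 'securerandom'
+require 'thread'
+require 'uri'
+
+module OCI
+module Auth
+# A certificate retriever which reads PEM-format strings from URLs.
+class UrlBasedCertificateRetriever
+# Creates a new UrlBasedCertificateRetriever
+#
+# @param [String] certificate_url The URL from which to retrieve a certificate. It is assumed that what we retrieve is the PEM-formatted string for the certificate
+# @param [String] private_key_url The URL from which to retrieve the private key corresponding to certificate_url (if any). It is assumed that what we retrieve is the PEM-formatted string for
+# @param [String] private_key_passphrase The passphrase of the private key (if any)
+def initialize(certificate_url, private_key_url: nil, private_key_passphrase: nil)
+raise 'A certificate_url must be supplied' unless certificate_url
+
+@certificate_url = certificate_url
+@private_key_url = private_key_url
+@private_key_passphrase = private_key_passphrase
+
+@certificate_pem = nil
+@private_key_pem = nil
+@private_key = nil
+
+@refresh_lock = Mutex.new
+
+uri = URI(certificate_url)
+@certificate_retrieve_http_client = Net::HTTP.new(uri.hostname, uri.port)
+
+if !@private_key_url.nil? && !@private_key_url.strip.empty?
+uri = URI(private_key_url.strip)
+@private_key_retrieve_http_client = Net::HTTP.new(uri.hostname, uri.port)
+else
+@private_key_retrieve_http_client = nil
+end
+
+refresh
+end
+
+# @return [String] The certificate as a PEM formatted string
+def certificate_pem
+@refresh_lock.lock
+pem = @certificate_pem
+@refresh_lock.unlock
+
+pem
+end
+
+# @return [OpenSSL::X509::Certificate] The certificate as an {OpenSSL::X509::Certificate}. This converts the
+# PEM-formatted string into a {OpenSSL::X509::Certificate}
+def certificate
+cert_pem = certificate_pem
+OpenSSL::X509::Certificate.new(cert_pem)
+end
+
+# @return [String] The private key as a PEM-formatted string
+def private_key_pem
+@refresh_lock.lock
+pem = @private_key_pem
+@refresh_lock.unlock
+
+pem
+end
+
+# @return [OpenSSL::PKey::RSA] The private key
+def private_key
+@refresh_lock.lock
+key = @private_key
+@refresh_lock.unlock
+
+key
+end
+
+def refresh
+@refresh_lock.lock
+@certificate_retrieve_http_client.start do
+@certificate_retrieve_http_client.request(Net::HTTP::Get.new(@certificate_url)) do |response|
+@certificate_pem = response.body
+end
+end
+
+if @private_key_retrieve_http_client
+@private_key_retrieve_http_client.start do
+@private_key_retrieve_http_client.request(Net::HTTP::Get.new(@private_key_url)) do |response|
+@private_key_pem = response.body
+@private_key = OpenSSL::PKey::RSA.new(
+@private_key_pem,
+@pass_phrase || SecureRandom.uuid
+)
+end
+end
+end
+
+nil
+ensure
+@refresh_lock.unlock if @refresh_lock.locked? && @refresh_lock.owned?
+end
+end
+end
+end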
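Review bot: `refresh` reads `@pass_phrase` on line 92, but `initialize` stores the caller's value as `@private_key_passphrase` on line 23, so `@pass_phrase` is always nil and an encrypted private key is always parsed with the random `SecureRandom.uuid` fallback and fails to load; the line should be `@private_key_passphrase || SecureRandom.uuid`. Neither request checks the response status: on a 404 or 5xx the error page body is stored as `@certificate_pem`/`@private_key_pem` and the failure only surfaces later as an opaque `OpenSSL::X509::CertificateError` from `certificate`, so `response.value` (which raises for non-2xx) before the assignment, `response.value; @certificate_pem = response.body`, would fail at the point of retrieval with the HTTP status attached. `Net::HTTP.new(uri.hostname, uri.port)` is never given `use_ssl`, so if an `https://` certificate_url is ever meant to be supported the request would go out in plaintext to the TLS port; if only plain-HTTP endpoints are intended, a comment on line 32 stating that would make the restriction explicit. The three readers and `refresh` would also be simpler and exception-safe with `@refresh_lock.synchronize { @certificate_pem }` in place of the manual `lock`/`unlock` pairs.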
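--- a/data/lib/oci/auth/util.rb
+++ b/data/lib/oci/auth/util.rb
@@ -0,0 +1,33 @@
+# Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved.
+
+module OCI
+module Auth
+module Util
+def self.get_tenancy_id_from_certificate(x509_certificate)
+subject_array = x509_certificate.subject.to_a
+subject_array.each do |subject_name|
+# subject_name is actually a triple like:
+# ["OU", "<name>", "<number>"]
+if subject_name[0] == 'OU' && subject_name[1].include?('opc-tenant:')
+# 'opc-tenant:' is 11 character long, so we want to start at the index after that and to the end of the string (-1)
+return subject_name[1][11..-1]
+end
+end
+
+raise 'Certificate did not contain a tenancy in its subject'
+end
+
+def self.colon_separate_fingerprint(raw_fingerprint)
+raw_fingerprint.gsub(/(.{2})(?=.)/, '\1:\2')
+end
+
+def self.sanitize_certificate_string(cert_string)
+cert_string.gsub('-----BEGIN CERTIFICATE-----', '')
+.gsub('-----END CERTIFICATE-----', '')
+.gsub('-----BEGIN PUBLIC KEY-----', '')
+.gsub('-----END PUBLIC KEY-----', '')
+.gsub("\n", '')
+end
+end
+end
+end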
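Review bot: `get_tenancy_id_from_certificate` tests `subject_name[1].include?('opc-tenant:')` on line 11 but then slices from a fixed offset with `[11..-1]` on line 13, so an OU value that merely contains the marker somewhere other than position 0 would be accepted and return a mangled tenancy id; the test should be `subject_name[1].start_with?('opc-tenant:')` so the offset and the predicate agree. The `.to_a` entries are `[name, value, type]` triples, so the comment `# ["OU", "<name>", "<number>"]` would be clearer as `# ["OU", "<value>", "<ASN.1 type number>"]`. In `colon_separate_fingerprint` the replacement `'\1:\2'` references a second capture group that the pattern `/(.{2})(?=.)/` does not define, so `\2` expands to the empty string; `'\1:'` is the equivalent and does not send the reader looking for a missing group. `sanitize_certificate_string` strips `"\n"` but not `"\r"`, so a PEM with CRLF line endings (e.g. one fetched from an HTTP endpoint) would keep its carriage returns; whether that matters depends on the consumer, which is not in this hunk, but `.gsub(/\r?\n/, '')` would make it insensitive to the line-ending style.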
@@ -0,0 +1,154 @@
|
|
1
|
+
# Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved.
|
2
|
+
|
3
|
+
require 'base64'
|
4
|
+
require 'digest'
|
5
|
+
require 'openssl'
|
6
|
+
require 'securerandom'
|
7
|
+
require 'time'
|
8
|
+
require 'uri'
|
9
|
+
require 'cgi'
|
10
|
+
|
11
|
+
module OCI
|
12
|
+
|
13
|
+
# The base class for other classes which are meant to generate a signature
|
14
|
+
class BaseSigner
|
15
|
+
# enum to define the signing strategy
|
16
|
+
SIGNING_STRATEGY_ENUM = [STANDARD = 'standard', OBJECT_STORAGE = 'object_storage']
|
17
|
+
|
18
|
+
# The Oracle Cloud Infrastructure API signature version
|
19
|
+
SIGNATURE_VERSION = "1"
|
20
|
+
|
21
|
+
GENERIC_HEADERS = [:"date", :"(request-target)", :"host"]
|
22
|
+
BODY_HEADERS = [:"content-length", :"content-type", :"x-content-sha256"]
|
23
|
+
|
24
|
+
# Creates a BaseSigner
|
25
|
+
#
|
26
|
+
# @param [String] api_key The API key needed when making calls. For token-based signing this should be ST$<token> but for calling as a user it will be tenancy/user/fingerprint
|
27
|
+
# @param [String] private_key_content The private key as a PEM-formatted string
|
28
|
+
# @param [String] pass_phrase Optional the pass phrase for the private key (if any)
|
29
|
+
# @param [SIGNING_STRATEGY_ENUM] signing_strategy Optional signing for standard service or object storage service
|
30
|
+
# @param [Array<String>] headers_to_sign_in_all_requests Optional headers which should be signed on each request
|
31
|
+
# @param [Array<String>] body_headers_to_sign Optional headers which should be signed on requests with bodies
|
32
|
+
def initialize(api_key, private_key_content, pass_phrase:nil, signing_strategy:STANDARD, headers_to_sign_in_all_requests:GENERIC_HEADERS, body_headers_to_sign:BODY_HEADERS)
|
33
|
+
fail 'Missing required parameter api_key.' unless api_key
|
34
|
+
fail 'Missing required parameter private_key_content.' unless private_key_content
|
35
|
+
|
36
|
+
@key_id = api_key
|
37
|
+
@private_key_content = private_key_content
|
38
|
+
@pass_phrase = pass_phrase
|
39
|
+
@signing_strategy = signing_strategy
|
40
|
+
|
41
|
+
@headers_to_sign_all_requests = headers_to_sign_in_all_requests
|
42
|
+
@body_headers_to_sign = body_headers_to_sign
|
43
|
+
@operation_header_mapping = {
|
44
|
+
options: [],
|
45
|
+
get: headers_to_sign_in_all_requests,
|
46
|
+
head: headers_to_sign_in_all_requests,
|
47
|
+
delete: headers_to_sign_in_all_requests,
|
48
|
+
put: headers_to_sign_in_all_requests + body_headers_to_sign,
|
49
|
+
post: headers_to_sign_in_all_requests + body_headers_to_sign,
|
50
|
+
patch: headers_to_sign_in_all_requests + body_headers_to_sign
|
51
|
+
}
|
52
|
+
end
|
53
|
+
|
54
|
+
# Generates the correct signature and adds it to the
|
55
|
+
# headers that are passed in. Also injects any required
|
56
|
+
# headers that might be missing.
|
57
|
+
#
|
58
|
+
# @param [Symbol] method The HTTP method, such as :get or :post.
|
59
|
+
# @param [String] uri The URI, such as 'https://iaas.us-phoenix-1.oraclecloud.com/20160918/volumeAttachments/'
|
60
|
+
# @param [Hash] headers A hash of headers
|
61
|
+
# @param [String] body The request body
|
62
|
+
def sign(method, uri, headers, body)
|
63
|
+
method = method.to_sym.downcase
|
64
|
+
uri = URI(uri)
|
65
|
+
path = uri.query.nil? ? uri.path : "#{uri.path}?#{uri.query}"
|
66
|
+
inject_missing_headers(method, headers, body, uri)
|
67
|
+
signature = compute_signature(headers, method, path)
|
68
|
+
unless signature.nil?
|
69
|
+
inject_authorization_header(headers, method, signature)
|
70
|
+
end
|
71
|
+
end
|
72
|
+
|
73
|
+
private
|
74
|
+
|
75
|
+
def inject_missing_headers(method, headers, body, uri)
|
76
|
+
headers["date"] ||= Time.now.utc.httpdate
|
77
|
+
headers["accept"] ||= "*/*"
|
78
|
+
headers["host"] ||= uri.host if @headers_to_sign_all_requests.include?(:"host")
|
79
|
+
|
80
|
+
# For object storage service's put method, we don't need to set content type
|
81
|
+
if method != :put || @signing_strategy != OBJECT_STORAGE
|
82
|
+
headers["content-type"] ||= "application/json"
|
83
|
+
else
|
84
|
+
headers[:'Content-Type'] ||= 'application/octet-stream'
|
85
|
+
end
|
86
|
+
|
87
|
+
if method == :put || method == :post
|
88
|
+
body ||= ''
|
89
|
+
|
90
|
+
# For object storage service's put method, we don't need to set content length and x-content sha256
|
91
|
+
if method != :put || @signing_strategy != OBJECT_STORAGE
|
92
|
+
headers["content-length"] ||= body.length.to_s
|
93
|
+
headers["x-content-sha256"] ||= Digest::SHA256.base64digest(body)
|
94
|
+
else
|
95
|
+
if body.respond_to?(:read) && body.respond_to?(:write)
|
96
|
+
headers['Content-Length'] ||= body.respond_to?('size') ? body.size : body.stat.size
|
97
|
+
else
|
98
|
+
headers['Content-Length'] ||= body.length.to_s
|
99
|
+
end
|
100
|
+
end
|
101
|
+
end
|
102
|
+
end
|
103
|
+
|
104
|
+
def inject_authorization_header(headers, method, signature)
|
105
|
+
if method == :put && @signing_strategy == OBJECT_STORAGE
|
106
|
+
header_mapping = @headers_to_sign_all_requests
|
107
|
+
else
|
108
|
+
header_mapping = @operation_header_mapping[method]
|
109
|
+
end
|
110
|
+
|
111
|
+
signed_headers = header_mapping.map(&:to_s).join(" ")
|
112
|
+
headers["authorization"] = [
|
113
|
+
%(Signature headers="#{signed_headers}"),
|
114
|
+
%(keyId="#{@key_id}"),
|
115
|
+
%(algorithm="rsa-sha256"),
|
116
|
+
%(signature="#{signature}"),
|
117
|
+
%(version="#{SIGNATURE_VERSION}")
|
118
|
+
].join(",")
|
119
|
+
end
|
120
|
+
|
121
|
+
def compute_signature(headers, method, path)
|
122
|
+
if method == :put && @signing_strategy == OBJECT_STORAGE
|
123
|
+
header_mapping = @headers_to_sign_all_requests
|
124
|
+
else
|
125
|
+
header_mapping = @operation_header_mapping[method]
|
126
|
+
end
|
127
|
+
|
128
|
+
return if header_mapping.empty?
|
129
|
+
signing_string = header_mapping.map do |header|
|
130
|
+
if header == :"(request-target)"
|
131
|
+
"#{header}: #{method.downcase} #{path}"
|
132
|
+
else
|
133
|
+
"#{header}: #{headers[header.to_s]}"
|
134
|
+
end
|
135
|
+
end.join("\n")
|
136
|
+
|
137
|
+
signature = private_key.sign(OpenSSL::Digest::SHA256.new, signing_string.encode("ascii"))
|
138
|
+
Base64.strict_encode64(signature)
|
139
|
+
end
|
140
|
+
|
141
|
+
def private_key
|
142
|
+
# If a pass_phase was not provided and the key is in fact encrypted, then passing in
|
143
|
+
# nil for the passphrase here will show a user prompt and block until there is a response.
|
144
|
+
# Passing in an empty string will work for some versions of Ruby's openssl wrapper, but
|
145
|
+
# other versions will enforce the 4 character password minimum at this point. Passing in
|
146
|
+
# a dummy password that's greater than 4 characters avoids both problems, and will
|
147
|
+
# always succeed if the file is not encrypted.
|
148
|
+
@private_key ||= OpenSSL::PKey::RSA.new(
|
149
|
+
@private_key_content,
|
150
|
+
@pass_phrase || SecureRandom.uuid
|
151
|
+
)
|
152
|
+
end
|
153
|
+
end
|
154
|
+
end
|
@@ -28,15 +28,29 @@ module OCI
|
|
28
28
|
# @param [Config] config A Config object.
|
29
29
|
# @param [String] region A region used to determine the service endpoint. This will usually
|
30
30
|
# correspond to a value in {OCI::Regions::REGION_ENUM}, but may be an arbitrary string.
|
31
|
-
#
|
32
|
-
|
33
|
-
|
34
|
-
|
31
|
+
# @param [OCI::BaseSigner] signer A signer implementation which can be used by this client. If this is not provided then
|
32
|
+
# a signer will be constructed via the provided config. One use case of this parameter is instance principals authentication,
|
33
|
+
# so that the instance principals signer can be provided to the client
|
34
|
+
def initialize(config:nil, region:nil, signer:nil)
|
35
|
+
# If the signer is an InstancePrincipalsSecurityTokenSigner and no config was supplied (which is valid for instance principals)
|
36
|
+
# then create a dummy config to pass to the ApiClient constructor. If customers wish to create a client which uses instance principals
|
37
|
+
# and has config (either populated programmatically or loaded from a file), they must construct that config themselves and then
|
38
|
+
# pass it to this constructor.
|
39
|
+
#
|
40
|
+
# If there is no signer (or the signer is not an instance principals signer) and no config was supplied, this is not valid
|
41
|
+
# so try and load the config from the default file.
|
42
|
+
config ||= OCI.config unless signer.is_a?(OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner)
|
43
|
+
config ||= OCI::Config.new if signer.is_a?(OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner)
|
44
|
+
config.validate unless signer.is_a?(OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner)
|
45
|
+
|
46
|
+
if signer.nil?
|
47
|
+
signer = Signer.new(config.user, config.fingerprint, config.tenancy, config.key_file, pass_phrase: config.pass_phrase, private_key_content: config.key_content, signing_strategy: Signer::STANDARD)
|
48
|
+
end
|
35
49
|
|
36
|
-
signer = Signer.new(config.user, config.fingerprint, config.tenancy, config.key_file, pass_phrase: config.pass_phrase, private_key_content: config.key_content, signing_strategy: Signer::STANDARD)
|
37
50
|
@api_client = ApiClient.new(config, signer)
|
38
51
|
|
39
52
|
region ||= config.region
|
53
|
+
region ||= signer.region if signer.respond_to?(:region)
|
40
54
|
self.region = region
|
41
55
|
end
|
42
56
|
|
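Review bot: The `is_a?(OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner)` test is evaluated three times in a row in the new `initialize` (negated, plain, negated again), which makes the config-selection rule hard to read and easy to invert when another signer type is added; the same lines appear in the next `@@ -28,15 +28,29 @@ module OCI` hunk below. Hoisting it into a local keeps the rule in one place: `instance_principals = signer.is_a?(OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner)`, `config ||= instance_principals ? OCI::Config.new : OCI.config`, `config.validate unless instance_principals`. Note also that a caller who passes any other `signer` without a `config` still has the default config file loaded and validated, so that path fails when no profile exists even though the supplied signer is what authenticates the request; if `ApiClient` only needs `config` for non-credential settings, a comment naming which ones (or validating only those) would make the requirement explicit — the `ApiClient` constructor is outside this hunk. Finally, `region` stays `nil` when neither the config nor the signer supplies one, and whether `self.region=` rejects that is decided outside the hunk.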
@@ -28,15 +28,29 @@ module OCI
|
|
28
28
|
# @param [Config] config A Config object.
|
29
29
|
# @param [String] region A region used to determine the service endpoint. This will usually
|
30
30
|
# correspond to a value in {OCI::Regions::REGION_ENUM}, but may be an arbitrary string.
|
31
|
-
#
|
32
|
-
|
33
|
-
|
34
|
-
|
31
|
+
# @param [OCI::BaseSigner] signer A signer implementation which can be used by this client. If this is not provided then
|
32
|
+
# a signer will be constructed via the provided config. One use case of this parameter is instance principals authentication,
|
33
|
+
# so that the instance principals signer can be provided to the client
|
34
|
+
def initialize(config:nil, region:nil, signer:nil)
|
35
|
+
# If the signer is an InstancePrincipalsSecurityTokenSigner and no config was supplied (which is valid for instance principals)
|
36
|
+
# then create a dummy config to pass to the ApiClient constructor. If customers wish to create a client which uses instance principals
|
37
|
+
# and has config (either populated programmatically or loaded from a file), they must construct that config themselves and then
|
38
|
+
# pass it to this constructor.
|
39
|
+
#
|
40
|
+
# If there is no signer (or the signer is not an instance principals signer) and no config was supplied, this is not valid
|
41
|
+
# so try and load the config from the default file.
|
42
|
+
config ||= OCI.config unless signer.is_a?(OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner)
|
43
|
+
config ||= OCI::Config.new if signer.is_a?(OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner)
|
44
|
+
config.validate unless signer.is_a?(OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner)
|
45
|
+
|
46
|
+
if signer.nil?
|
47
|
+
signer = Signer.new(config.user, config.fingerprint, config.tenancy, config.key_file, pass_phrase: config.pass_phrase, private_key_content: config.key_content, signing_strategy: Signer::STANDARD)
|
48
|
+
end
|
35
49
|
|
36
|
-
signer = Signer.new(config.user, config.fingerprint, config.tenancy, config.key_file, pass_phrase: config.pass_phrase, private_key_content: config.key_content, signing_strategy: Signer::STANDARD)
|
37
50
|
@api_client = ApiClient.new(config, signer)
|
38
51
|
|
39
52
|
region ||= config.region
|
53
|
+
region ||= signer.region if signer.respond_to?(:region)
|
40
54
|
self.region = region
|
41
55
|
end
|
42
56
|
|