oci 2.0.5 → 2.0.6

data/lib/oci/auth/signers/security_token_signer.rb

@@ -0,0 +1,32 @@
+# Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved.
+
+require 'oci/base_signer'
+
+module OCI
+  module Auth
+    module Signers
+      # The base signer for signing requests where the API key is a token (e.g. instance principals, service-to-service auth) rather representing
+      # the details for a specific user.
+      class SecurityTokenSigner < OCI::BaseSigner
+        # Creates a new SecurityTokenSigner
+        #
+        # @param [Strong] security_token The token to use as the API key
+        # @param [OpenSSL::PKey::RSA] private_key The private key whose corresponding public key was provided when requesting the token
+        # @param [String] pass_phrase  The pass phrase for the public key, if any. Defaults to nil (no passphrase) if not provided
+        # @param [String] signing_strategy Whether this signer is used for Object Storage requests or not. Acceptable values are {OCI::BaseSigner::STANDARD} and {OCI::BaseSigner::OBJECT_STORAGE}. If not provided, defaults to {OCI::BaseSigner::STANDARD}
+        # @param [Array<String>] headers_to_sign_in_all_requests An array of headers which will be signed in each request. If not provided, defaults to {OCI::BaseSigner::GENERIC_HEADERS}
+        # @param [Array<String>] body_headers_to_sign An array of headers which should be signed on requests with bodies. If not provided, defaults to {OCI::BaseSigner::BODY_HEADERS}
+        def initialize(security_token, private_key, pass_phrase: nil, signing_strategy: OCI::BaseSigner::STANDARD, headers_to_sign_in_all_requests: OCI::BaseSigner::GENERIC_HEADERS, body_headers_to_sign: OCI::BaseSigner::BODY_HEADERS)
+          super(
+            "ST$#{security_token}", 
+            private_key, 
+            pass_phrase: pass_phrase, 
+            signing_strategy: signing_strategy, 
+            headers_to_sign_in_all_requests: headers_to_sign_in_all_requests,
+            body_headers_to_sign: body_headers_to_sign
+          )
+        end
+      end
+    end
+  end
+end

data/lib/oci/auth/signers/x509_federation_client_based_security_token_signer.rb

@@ -0,0 +1,70 @@
+# Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved.
+
+require 'oci/base_signer'
+require 'openssl'
+require 'securerandom'
+require 'thread'
+
+require_relative 'security_token_signer'
+
+module OCI
+  module Auth
+    module Signers
+      # A SecurityTokenSigner where the token and private key are sourced from a provided federation_client. The token is retrieved via 
+      # the client's security_token method, and the private key is retrieved by reading it from the session_key_supplier in the client.
+      class X509FederationClientBasedSecurityTokenSigner < OCI::Auth::Signers::SecurityTokenSigner
+        # Creates a new X509FederationClientBasedSecurityTokenSigner
+        #
+        # @param [<OCI::Auth::FederationClient>] federation_client The federation client to use to request a security token
+        # @param [String] signing_strategy Whether this signer is used for Object Storage requests or not. Acceptable values are {OCI::BaseSigner::STANDARD} and {OCI::BaseSigner::OBJECT_STORAGE}. If not provided, defaults to {OCI::BaseSigner::STANDARD}
+        # @param [Array<String>] headers_to_sign_in_all_requests An array of headers which will be signed in each request. If not provided, defaults to {OCI::BaseSigner::GENERIC_HEADERS}
+        # @param [Array<String>] body_headers_to_sign An array of headers which should be signed on requests with bodies. If not provided, defaults to {OCI::BaseSigner::BODY_HEADERS}
+        def initialize(federation_client, signing_strategy: OCI::BaseSigner::STANDARD, headers_to_sign_in_all_requests: OCI::BaseSigner::GENERIC_HEADERS, body_headers_to_sign: OCI::BaseSigner::BODY_HEADERS)
+          @federation_client = federation_client
+          @refresh_lock = Mutex.new
+
+          super(
+            federation_client.security_token,
+            federation_client.session_key_supplier.key_pair[:private_key],
+            signing_strategy: signing_strategy,
+            headers_to_sign_in_all_requests: headers_to_sign_in_all_requests,
+            body_headers_to_sign: body_headers_to_sign
+          )
+        end
+
+        # Refreshes the security token in the federation_client used by this class
+        # @return [String] The new security token
+        def refresh_security_token
+          @federation_client.security_token!
+        end
+
+        # Generates the correct signature and adds it to the
+        # headers that are passed in. Also injects any required
+        # headers that might be missing.
+        #
+        # @param [Symbol] method The HTTP method, such as :get or :post.
+        # @param [String] uri The URI, such as 'https://iaas.us-phoenix-1.oraclecloud.com/20160918/volumeAttachments/'
+        # @param [Hash] headers A hash of headers
+        # @param [String] body The request body
+        def sign(method, uri, headers, body)
+          reset_signer
+          super
+        end
+
+        private
+
+        def reset_signer
+          @refresh_lock.lock
+          @key_id = "ST$#{@federation_client.security_token}"
+          @private_key_content = @federation_client.session_key_supplier.key_pair[:private_key]
+          @private_key = OpenSSL::PKey::RSA.new(
+            @private_key_content,
+            @pass_phrase || SecureRandom.uuid
+          )
+        ensure
+          @refresh_lock.unlock if @refresh_lock.locked? && @refresh_lock.owned?
+        end
+      end
+    end
+  end
+end

data/lib/oci/auth/url_based_certificate_retriever.rb

@@ -0,0 +1,104 @@
+# Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved.
+
+require 'net/http'
+require 'openssl'
+require 'securerandom'
+require 'thread'
+require 'uri'
+
+module OCI
+  module Auth
+    # A certificate retriever which reads PEM-format strings from URLs.
+    class UrlBasedCertificateRetriever
+      # Creates a new UrlBasedCertificateRetriever
+      #
+      # @param [String] certificate_url The URL from which to retrieve a certificate. It is assumed that what we retrieve is the PEM-formatted string for the certificate
+      # @param [String] private_key_url The URL from which to retrieve the private key corresponding to certificate_url (if any). It is assumed that what we retrieve is the PEM-formatted string for
+      # @param [String] private_key_passphrase The passphrase of the private key (if any)
+      def initialize(certificate_url, private_key_url: nil, private_key_passphrase: nil)
+        raise 'A certificate_url must be supplied' unless certificate_url
+
+        @certificate_url = certificate_url
+        @private_key_url = private_key_url
+        @private_key_passphrase = private_key_passphrase
+
+        @certificate_pem = nil
+        @private_key_pem = nil
+        @private_key = nil
+
+        @refresh_lock = Mutex.new
+
+        uri = URI(certificate_url)
+        @certificate_retrieve_http_client = Net::HTTP.new(uri.hostname, uri.port)
+
+        if !@private_key_url.nil? && !@private_key_url.strip.empty?
+          uri = URI(private_key_url.strip)
+          @private_key_retrieve_http_client = Net::HTTP.new(uri.hostname, uri.port)
+        else
+          @private_key_retrieve_http_client = nil
+        end
+
+        refresh
+      end
+
+      # @return [String] The certificate as a PEM formatted string
+      def certificate_pem
+        @refresh_lock.lock
+        pem = @certificate_pem
+        @refresh_lock.unlock
+
+        pem
+      end
+
+      # @return [OpenSSL::X509::Certificate] The certificate as an {OpenSSL::X509::Certificate}. This converts the 
+      # PEM-formatted string into a {OpenSSL::X509::Certificate}
+      def certificate
+        cert_pem = certificate_pem
+        OpenSSL::X509::Certificate.new(cert_pem) 
+      end
+
+      # @return [String] The private key as a PEM-formatted string
+      def private_key_pem
+        @refresh_lock.lock
+        pem = @private_key_pem
+        @refresh_lock.unlock
+
+        pem
+      end
+
+      # @return [OpenSSL::PKey::RSA] The private key
+      def private_key
+        @refresh_lock.lock
+        key = @private_key
+        @refresh_lock.unlock
+
+        key
+      end
+
+      def refresh
+        @refresh_lock.lock
+        @certificate_retrieve_http_client.start do
+          @certificate_retrieve_http_client.request(Net::HTTP::Get.new(@certificate_url)) do |response|
+            @certificate_pem = response.body
+          end
+        end
+
+        if @private_key_retrieve_http_client
+          @private_key_retrieve_http_client.start do
+            @private_key_retrieve_http_client.request(Net::HTTP::Get.new(@private_key_url)) do |response|
+              @private_key_pem = response.body
+              @private_key = OpenSSL::PKey::RSA.new(
+                @private_key_pem,
+                @pass_phrase || SecureRandom.uuid
+              )
+            end
+          end
+        end
+
+        nil
+      ensure
+        @refresh_lock.unlock if @refresh_lock.locked? && @refresh_lock.owned?
+      end
+    end
+  end
+end

data/lib/oci/auth/util.rb

@@ -0,0 +1,33 @@
+# Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved.
+
+module OCI
+  module Auth
+    module Util
+      def self.get_tenancy_id_from_certificate(x509_certificate)
+        subject_array = x509_certificate.subject.to_a
+        subject_array.each do |subject_name|
+          # subject_name is actually a triple like:
+          #   ["OU", "<name>", "<number>"]
+          if subject_name[0] == 'OU' && subject_name[1].include?('opc-tenant:')
+            # 'opc-tenant:' is 11 character long, so we want to start at the index after that and to the end of the string (-1)
+            return subject_name[1][11..-1]
+          end
+        end
+
+        raise 'Certificate did not contain a tenancy in its subject'
+      end
+
+      def self.colon_separate_fingerprint(raw_fingerprint)
+        raw_fingerprint.gsub(/(.{2})(?=.)/, '\1:\2')
+      end
+
+      def self.sanitize_certificate_string(cert_string)
+        cert_string.gsub('-----BEGIN CERTIFICATE-----', '')
+          .gsub('-----END CERTIFICATE-----', '')
+          .gsub('-----BEGIN PUBLIC KEY-----', '')
+          .gsub('-----END PUBLIC KEY-----', '')
+          .gsub("\n", '')
+      end
+    end
+  end
+end

data/lib/oci/base_signer.rb

@@ -0,0 +1,154 @@
+# Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved.
+
+require 'base64'
+require 'digest'
+require 'openssl'
+require 'securerandom'
+require 'time'
+require 'uri'
+require 'cgi'
+
+module OCI
+
+  # The base class for other classes which are meant to generate a signature
+  class BaseSigner
+    # enum to define the signing strategy
+    SIGNING_STRATEGY_ENUM = [STANDARD = 'standard', OBJECT_STORAGE = 'object_storage']
+
+    # The Oracle Cloud Infrastructure API signature version
+    SIGNATURE_VERSION = "1"
+
+    GENERIC_HEADERS = [:"date", :"(request-target)", :"host"]
+    BODY_HEADERS = [:"content-length", :"content-type", :"x-content-sha256"]
+
+    # Creates a BaseSigner
+    #
+    # @param [String] api_key The API key needed when making calls. For token-based signing this should be ST$<token> but for calling as a user it will be tenancy/user/fingerprint
+    # @param [String] private_key_content The private key as a PEM-formatted string
+    # @param [String] pass_phrase Optional the pass phrase for the private key (if any)
+    # @param [SIGNING_STRATEGY_ENUM] signing_strategy Optional signing for standard service or object storage service
+    # @param [Array<String>] headers_to_sign_in_all_requests Optional headers which should be signed on each request 
+    # @param [Array<String>] body_headers_to_sign Optional headers which should be signed on requests with bodies
+    def initialize(api_key, private_key_content, pass_phrase:nil, signing_strategy:STANDARD, headers_to_sign_in_all_requests:GENERIC_HEADERS, body_headers_to_sign:BODY_HEADERS)
+      fail 'Missing required parameter api_key.' unless api_key
+      fail 'Missing required parameter private_key_content.' unless private_key_content
+
+      @key_id = api_key
+      @private_key_content = private_key_content
+      @pass_phrase = pass_phrase
+      @signing_strategy = signing_strategy
+
+      @headers_to_sign_all_requests = headers_to_sign_in_all_requests
+      @body_headers_to_sign = body_headers_to_sign  
+      @operation_header_mapping = {
+        options: [],
+        get: headers_to_sign_in_all_requests,
+        head: headers_to_sign_in_all_requests,
+        delete: headers_to_sign_in_all_requests,
+        put: headers_to_sign_in_all_requests + body_headers_to_sign,
+        post: headers_to_sign_in_all_requests + body_headers_to_sign,
+        patch: headers_to_sign_in_all_requests + body_headers_to_sign
+      }
+    end
+
+    # Generates the correct signature and adds it to the
+    # headers that are passed in. Also injects any required
+    # headers that might be missing.
+    #
+    # @param [Symbol] method The HTTP method, such as :get or :post.
+    # @param [String] uri The URI, such as 'https://iaas.us-phoenix-1.oraclecloud.com/20160918/volumeAttachments/'
+    # @param [Hash] headers A hash of headers
+    # @param [String] body The request body
+    def sign(method, uri, headers, body)
+      method = method.to_sym.downcase
+      uri = URI(uri)
+      path = uri.query.nil? ? uri.path : "#{uri.path}?#{uri.query}"
+      inject_missing_headers(method, headers, body, uri)
+      signature = compute_signature(headers, method, path)
+      unless signature.nil?
+        inject_authorization_header(headers, method, signature)
+      end
+    end
+
+    private
+
+    def inject_missing_headers(method, headers, body, uri)
+      headers["date"] ||= Time.now.utc.httpdate
+      headers["accept"] ||= "*/*"
+      headers["host"] ||= uri.host if @headers_to_sign_all_requests.include?(:"host")
+
+      # For object storage service's put method, we don't need to set content type
+      if method != :put || @signing_strategy != OBJECT_STORAGE
+        headers["content-type"] ||= "application/json"
+      else
+        headers[:'Content-Type'] ||= 'application/octet-stream'
+      end
+
+      if method == :put || method == :post
+        body ||= ''
+
+        # For object storage service's put method, we don't need to set content length and x-content sha256
+        if method != :put || @signing_strategy != OBJECT_STORAGE
+          headers["content-length"] ||= body.length.to_s
+          headers["x-content-sha256"] ||= Digest::SHA256.base64digest(body)
+        else
+          if body.respond_to?(:read) && body.respond_to?(:write)
+            headers['Content-Length'] ||= body.respond_to?('size') ? body.size : body.stat.size
+          else
+            headers['Content-Length'] ||= body.length.to_s
+          end
+        end
+      end
+    end
+
+    def inject_authorization_header(headers, method, signature)
+      if method == :put && @signing_strategy == OBJECT_STORAGE
+        header_mapping = @headers_to_sign_all_requests
+      else
+        header_mapping = @operation_header_mapping[method]
+      end
+
+      signed_headers = header_mapping.map(&:to_s).join(" ")
+      headers["authorization"] = [
+          %(Signature headers="#{signed_headers}"),
+          %(keyId="#{@key_id}"),
+          %(algorithm="rsa-sha256"),
+          %(signature="#{signature}"),
+          %(version="#{SIGNATURE_VERSION}")
+      ].join(",")
+    end
+
+    def compute_signature(headers, method, path)
+      if method == :put && @signing_strategy == OBJECT_STORAGE
+        header_mapping = @headers_to_sign_all_requests
+      else
+        header_mapping = @operation_header_mapping[method]
+      end
+
+      return if header_mapping.empty?
+      signing_string = header_mapping.map do |header|
+        if header == :"(request-target)"
+          "#{header}: #{method.downcase} #{path}"
+        else
+          "#{header}: #{headers[header.to_s]}"
+        end
+      end.join("\n")
+
+      signature = private_key.sign(OpenSSL::Digest::SHA256.new, signing_string.encode("ascii"))
+      Base64.strict_encode64(signature)
+    end
+
+    def private_key
+      # If a pass_phase was not provided and the key is in fact encrypted, then passing in
+      # nil for the passphrase here will show a user prompt and block until there is a response.
+      # Passing in an empty string will work for some versions of Ruby's openssl wrapper, but
+      # other versions will enforce the 4 character password minimum at this point. Passing in
+      # a dummy password that's greater than 4 characters avoids both problems, and will
+      # always succeed if the file is not encrypted.
+      @private_key ||= OpenSSL::PKey::RSA.new(
+        @private_key_content,
+        @pass_phrase || SecureRandom.uuid
+      )
+    end
+  end
+end

data/lib/oci/core/blockstorage_client.rb

@@ -28,15 +28,29 @@ module OCI
     # @param [Config] config A Config object.
     # @param [String] region A region used to determine the service endpoint. This will usually
     #   correspond to a value in {OCI::Regions::REGION_ENUM}, but may be an arbitrary string.
-    #
-    def initialize(config:nil, region:nil)
-      config ||= OCI.config
-      config.validate
+    # @param [OCI::BaseSigner] signer A signer implementation which can be used by this client. If this is not provided then
+    #   a signer will be constructed via the provided config. One use case of this parameter is instance principals authentication,
+    #   so that the instance principals signer can be provided to the client
+    def initialize(config:nil, region:nil, signer:nil)
+      # If the signer is an InstancePrincipalsSecurityTokenSigner and no config was supplied (which is valid for instance principals)
+      # then create a dummy config to pass to the ApiClient constructor. If customers wish to create a client which uses instance principals
+      # and has config (either populated programmatically or loaded from a file), they must construct that config themselves and then
+      # pass it to this constructor.
+      #
+      # If there is no signer (or the signer is not an instance principals signer) and no config was supplied, this is not valid
+      # so try and load the config from the default file.
+      config ||= OCI.config unless signer.is_a?(OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner)
+      config ||= OCI::Config.new if signer.is_a?(OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner)
+      config.validate unless signer.is_a?(OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner)
+
+      if signer.nil?
+        signer = Signer.new(config.user, config.fingerprint, config.tenancy, config.key_file, pass_phrase: config.pass_phrase, private_key_content: config.key_content, signing_strategy: Signer::STANDARD)
+      end
 
-      signer = Signer.new(config.user, config.fingerprint, config.tenancy, config.key_file, pass_phrase: config.pass_phrase, private_key_content: config.key_content, signing_strategy: Signer::STANDARD)
       @api_client = ApiClient.new(config, signer)
 
       region ||= config.region
+      region ||= signer.region if signer.respond_to?(:region)
       self.region = region
     end
 

data/lib/oci/core/compute_client.rb

@@ -28,15 +28,29 @@ module OCI
     # @param [Config] config A Config object.
     # @param [String] region A region used to determine the service endpoint. This will usually
     #   correspond to a value in {OCI::Regions::REGION_ENUM}, but may be an arbitrary string.
-    #
-    def initialize(config:nil, region:nil)
-      config ||= OCI.config
-      config.validate
+    # @param [OCI::BaseSigner] signer A signer implementation which can be used by this client. If this is not provided then
+    #   a signer will be constructed via the provided config. One use case of this parameter is instance principals authentication,
+    #   so that the instance principals signer can be provided to the client
+    def initialize(config:nil, region:nil, signer:nil)
+      # If the signer is an InstancePrincipalsSecurityTokenSigner and no config was supplied (which is valid for instance principals)
+      # then create a dummy config to pass to the ApiClient constructor. If customers wish to create a client which uses instance principals
+      # and has config (either populated programmatically or loaded from a file), they must construct that config themselves and then
+      # pass it to this constructor.
+      #
+      # If there is no signer (or the signer is not an instance principals signer) and no config was supplied, this is not valid
+      # so try and load the config from the default file.
+      config ||= OCI.config unless signer.is_a?(OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner)
+      config ||= OCI::Config.new if signer.is_a?(OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner)
+      config.validate unless signer.is_a?(OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner)
+
+      if signer.nil?
+        signer = Signer.new(config.user, config.fingerprint, config.tenancy, config.key_file, pass_phrase: config.pass_phrase, private_key_content: config.key_content, signing_strategy: Signer::STANDARD)
+      end
 
-      signer = Signer.new(config.user, config.fingerprint, config.tenancy, config.key_file, pass_phrase: config.pass_phrase, private_key_content: config.key_content, signing_strategy: Signer::STANDARD)
       @api_client = ApiClient.new(config, signer)
 
       region ||= config.region
+      region ||= signer.region if signer.respond_to?(:region)
       self.region = region
     end