oci-common 2.70.1 → 2.70.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/index.d.ts +2 -1
- package/index.js +3 -1
- package/index.js.map +1 -1
- package/lib/auth/X509-federation-client-for-oke-workload-identity.d.ts +38 -0
- package/lib/auth/X509-federation-client-for-oke-workload-identity.js +175 -0
- package/lib/auth/X509-federation-client-for-oke-workload-identity.js.map +1 -0
- package/lib/auth/helpers/load-from-file.d.ts +5 -0
- package/lib/auth/helpers/load-from-file.js +19 -0
- package/lib/auth/helpers/load-from-file.js.map +1 -0
- package/lib/auth/oke-workload-identity-authentication-details-provider.d.ts +56 -0
- package/lib/auth/oke-workload-identity-authentication-details-provider.js +139 -0
- package/lib/auth/oke-workload-identity-authentication-details-provider.js.map +1 -0
- package/lib/auth/url-based-x509-certificate-supplier.d.ts +3 -0
- package/lib/auth/url-based-x509-certificate-supplier.js +7 -3
- package/lib/auth/url-based-x509-certificate-supplier.js.map +1 -1
- package/package.json +4 -2
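--- a/package/index.d.ts
+++ b/package/index.d.ts
@@ -22,6 +22,7 @@ import { RequireOnlyOne, AuthParams } from "./lib/types";
 import { HttpRequest } from "./lib/http-request";
 import InstancePrincipalsAuthenticationDetailsProviderBuilder from "./lib/auth/instance-principals-authentication-detail-provider";
 import ResourcePrincipalAuthenticationDetailsProvider from "./lib/auth/resource-principal-authentication-details-provider";
+import OkeWorkloadIdentityAuthenticationDetailsProvider from "./lib/auth/oke-workload-identity-authentication-details-provider";
 import { BaseRequest } from "./lib/base-request";
 import { ClientConfiguration } from "./lib/client-configuration";
 import { paginateRecords, genericPaginateRecords, paginatedRecordsWithLimit, paginateResponses, genericPaginateResponses, paginatedResponsesWithLimit } from "./lib/paginators";
@@ -48,4 +49,4 @@ export import convertStringToType = helper.convertStringToType;
 export import ObjectSerializer = serializer.ObjectSerializer;
 export import byteLength = helper.byteLength;
 export import Range = range.Range;
-export { Region, Realm, EndpointBuilder, DelayStrategy, TerminationStrategy, ExponentialBackoffDelayStrategy, MaxTimeTerminationStrategy, genericWaiter, genericTerminalConditionWaiter, WaiterConfiguration, RequireOnlyOne, AuthParams, paginateRecords, paginatedResponsesWithLimit, paginatedRecordsWithLimit, genericPaginateRecords, paginateResponses, genericPaginateResponses, Method, composeRequest, Params, composeResponse, HttpRequest, ConfigFileAuthenticationDetailsProvider, SessionAuthDetailProvider, ConfigFileReader, InstancePrincipalsAuthenticationDetailsProviderBuilder, ResourcePrincipalAuthenticationDetailsProvider, LOG, GenericRetrier, FixedTimeDelayStrategy, MaxAttemptsTerminationStrategy, RetryConfiguration, NoRetryConfigurationDetails, OciSdkDefaultRetryConfiguration, BaseRequest, ClientConfiguration, Constants, CircuitBreaker, getChunk, utils };
+export { Region, Realm, EndpointBuilder, DelayStrategy, TerminationStrategy, ExponentialBackoffDelayStrategy, MaxTimeTerminationStrategy, genericWaiter, genericTerminalConditionWaiter, WaiterConfiguration, RequireOnlyOne, AuthParams, paginateRecords, paginatedResponsesWithLimit, paginatedRecordsWithLimit, genericPaginateRecords, paginateResponses, genericPaginateResponses, Method, composeRequest, Params, composeResponse, HttpRequest, ConfigFileAuthenticationDetailsProvider, SessionAuthDetailProvider, ConfigFileReader, InstancePrincipalsAuthenticationDetailsProviderBuilder, ResourcePrincipalAuthenticationDetailsProvider, LOG, GenericRetrier, FixedTimeDelayStrategy, MaxAttemptsTerminationStrategy, RetryConfiguration, NoRetryConfigurationDetails, OciSdkDefaultRetryConfiguration, BaseRequest, ClientConfiguration, Constants, CircuitBreaker, getChunk, utils, OkeWorkloadIdentityAuthenticationDetailsProvider };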
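--- a/package/index.js
+++ b/package/index.js
@@ -26,7 +26,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.utils = exports.getChunk = exports.CircuitBreaker = exports.Constants = exports.OciSdkDefaultRetryConfiguration = exports.NoRetryConfigurationDetails = exports.MaxAttemptsTerminationStrategy = exports.FixedTimeDelayStrategy = exports.GenericRetrier = exports.LOG = exports.ResourcePrincipalAuthenticationDetailsProvider = exports.InstancePrincipalsAuthenticationDetailsProviderBuilder = exports.ConfigFileReader = exports.SessionAuthDetailProvider = exports.ConfigFileAuthenticationDetailsProvider = exports.composeResponse = exports.composeRequest = exports.genericPaginateResponses = exports.paginateResponses = exports.genericPaginateRecords = exports.paginatedRecordsWithLimit = exports.paginatedResponsesWithLimit = exports.paginateRecords = exports.genericTerminalConditionWaiter = exports.genericWaiter = exports.MaxTimeTerminationStrategy = exports.ExponentialBackoffDelayStrategy = exports.EndpointBuilder = exports.Realm = exports.Region = exports.Range = exports.byteLength = exports.ObjectSerializer = exports.convertStringToType = exports.handleErrorBody = exports.mapContainer = exports.handleErrorResponse = exports.getStringFromResponseBody = exports.DefaultRequestSigner = exports.OciError = exports.FetchHttpClient = exports.isRegionProvider = exports.SimpleAuthenticationDetailsProvider = void 0;
+exports.OkeWorkloadIdentityAuthenticationDetailsProvider = exports.utils = exports.getChunk = exports.CircuitBreaker = exports.Constants = exports.OciSdkDefaultRetryConfiguration = exports.NoRetryConfigurationDetails = exports.MaxAttemptsTerminationStrategy = exports.FixedTimeDelayStrategy = exports.GenericRetrier = exports.LOG = exports.ResourcePrincipalAuthenticationDetailsProvider = exports.InstancePrincipalsAuthenticationDetailsProviderBuilder = exports.ConfigFileReader = exports.SessionAuthDetailProvider = exports.ConfigFileAuthenticationDetailsProvider = exports.composeResponse = exports.composeRequest = exports.genericPaginateResponses = exports.paginateResponses = exports.genericPaginateRecords = exports.paginatedRecordsWithLimit = exports.paginatedResponsesWithLimit = exports.paginateRecords = exports.genericTerminalConditionWaiter = exports.genericWaiter = exports.MaxTimeTerminationStrategy = exports.ExponentialBackoffDelayStrategy = exports.EndpointBuilder = exports.Realm = exports.Region = exports.Range = exports.byteLength = exports.ObjectSerializer = exports.convertStringToType = exports.handleErrorBody = exports.mapContainer = exports.handleErrorResponse = exports.getStringFromResponseBody = exports.DefaultRequestSigner = exports.OciError = exports.FetchHttpClient = exports.isRegionProvider = exports.SimpleAuthenticationDetailsProvider = void 0;
 const auth = __importStar(require("./lib/auth/auth"));
 const error = __importStar(require("./lib/error"));
 const signer = __importStar(require("./lib/signer"));
@@ -63,6 +63,8 @@ const instance_principals_authentication_detail_provider_1 = __importDefault(req
 exports.InstancePrincipalsAuthenticationDetailsProviderBuilder = instance_principals_authentication_detail_provider_1.default;
 const resource_principal_authentication_details_provider_1 = __importDefault(require("./lib/auth/resource-principal-authentication-details-provider"));
 exports.ResourcePrincipalAuthenticationDetailsProvider = resource_principal_authentication_details_provider_1.default;
+const oke_workload_identity_authentication_details_provider_1 = __importDefault(require("./lib/auth/oke-workload-identity-authentication-details-provider"));
+exports.OkeWorkloadIdentityAuthenticationDetailsProvider = oke_workload_identity_authentication_details_provider_1.default;
 const paginators_1 = require("./lib/paginators");
 Object.defineProperty(exports, "paginateRecords", { enumerable: true, get: function () { return paginators_1.paginateRecords; } });
 Object.defineProperty(exports, "genericPaginateRecords", { enumerable: true, get: function () { return paginators_1.genericPaginateRecords; } });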
package/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../index.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,sDAAwC;AACxC,mDAAqC;AACrC,qDAAuC;AACvC,qDAAuC;AACvC,iDAAmC;AACnC,oEAAsD;AACtD,mDAAqC;AACrC,mDAAqC;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../index.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,sDAAwC;AACxC,mDAAqC;AACrC,qDAAuC;AACvC,qDAAuC;AACvC,iDAAmC;AACnC,oEAAsD;AACtD,mDAAqC;AACrC,mDAAqC;AA8GnC,sBAAK;AA7GP,yCAAsC;AAqEpC,uFArEO,eAAM,OAqEP;AApER,uCAAoC;AAqElC,sFArEO,aAAK,OAqEP;AApEP,6DAAyD;AAqEvD,gGArEO,kCAAe,OAqEP;AApEjB,mCAAgC;AA8F9B,oFA9FO,SAAG,OA8FP;AA7FL,gEAAwC;AAsGtC,oBAtGK,mBAAS,CAsGL;AArGX,4EAAmD;AAsGjD,yBAtGK,yBAAc,CAsGL;AApGhB,yCAUsB;AAyDpB,gHAhEA,wCAA+B,OAgEA;AAC/B,2GAhEA,mCAA0B,OAgEA;AAC1B,8FAhEA,sBAAa,OAgEA;AACb,+GAhEA,uCAA8B,OAgEA;AAuB9B,+GArFA,uCAA8B,OAqFA;AAD9B,uGAnFA,+BAAsB,OAmFA;AAjFxB,2CAKuB;AA2ErB,+FA/EA,wBAAc,OA+EA;AAId,4GAjFA,qCAA2B,OAiFA;AAC3B,gHAjFA,yCAA+B,OAiFA;AA7EjC,uJAAmI;AAqEjI,iEArEK,4DAAsD,CAqEL;AApExD,uJAA2H;AAqEzH,yDArEK,4DAA8C,CAqEL;AApEhD,6JAAgI;AAkF9H,2DAlFK,+DAAgD,CAkFL;AA/ElD,iDAO0B;AA2CxB,gGAjDA,4BAAe,OAiDA;AAGf,uGAnDA,mCAAsB,OAmDA;AADtB,0GAjDA,sCAAyB,OAiDA;AAEzB,kGAlDA,8BAAiB,OAkDA;AACjB,yGAlDA,qCAAwB,OAkDA;AAJxB,4GA7CA,wCAA2B,OA6CA;AA1C7B,kEAAsF;AAoDpF,wHApDO,0DAAuC,OAoDP;AAnDzC,4FAAqF;AAoDnF,0GApDO,yDAAyB,OAoDP;AAnD3B,4DAAqC;AAkEnC,mBAlEK,iBAAQ,CAkEL;AAjEV,iEAA4D;AAmD1D,iGAnDO,qCAAgB,OAmDP;AAlDlB,+DAAyE;AA4CvE,+FA5Ce,kCAAc,OA4Cf;AA3ChB,iEAA2D;AA6CzD,gGA7CO,oCAAe,OA6CP;AA3CH,QAAA,mCAAmC,GAAG,IAAI,CAAC,mCAAmC,CAAC;AAE/E,QAAA,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,CAAC;AAGzC,QAAA,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC;AAEvC,QAAA,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAC;AAG1B,QAAA,oBAAoB,GAAG,MAAM,CAAC,oBAAoB,CAAC;AAEnD,QAAA,yBAAyB,GAAG,MAAM,CAAC,yBAAyB,CAAC;AAC7D,QAAA,mBAAmB,GAAG,MAAM,CAAC,mBAAmB,CAAC;AACjD,QAAA,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC;AACnC,QAAA,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;AACzC,QAAA,mBAAmB,GAAG,MAAM,CAAC,mBAAmB,CAAC;AACjD,QAAA,gBAAgB,GAAG,UAAU,CAAC,gBAAgB,CAAC;AAC/C,QAAA,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC;AAE/B,QAAA,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC"}
|
|
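--- /dev/null
+++ b/package/lib/auth/X509-federation-client-for-oke-workload-identity.d.ts
@@ -0,0 +1,38 @@
+/**
+* Copyright (c) 2020, 2021 Oracle and/or its affiliates. All rights reserved.
+* This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
+*/
+import FederationClient from "./models/federation-client";
+import SessionKeySupplier from "./models/session-key-supplier";
+import SecurityTokenAdapter from "./security-token-adapter";
+export default class X509FederationClientForOkeWorkloadIdentity implements FederationClient {
+private proxymuxEndpoint;
+private kubernetesServiceAccountToken;
+private kubernetesServiceAccountCert;
+private sessionKeySupplier;
+securityTokenAdapter: SecurityTokenAdapter;
+private retry;
+constructor(proxymuxEndpoint: string, kubernetesServiceAccountToken: string, kubernetesServiceAccountCert: string, sessionKeySupplier: SessionKeySupplier);
+/**
+* Gets a security token. If there is already a valid token cached, it will be returned. Else this will make a call
+* to the OKE Proxymux service to get a new token, using the provided suppliers.
+*
+* This method is thread-safe.
+* @return the security token
+* @throws OciError If there is any issue with getting a token from the OKE Proxymux server
+*/
+getSecurityToken(): Promise<string>;
+/**
+* Return a claim embedded in the security token
+* @param key the name of the claim
+* @return the value of the claim or null if unable to find
+*/
+getStringClaim(key: string): Promise<string | null>;
+refreshAndGetSecurityToken(): Promise<string>;
+private refreshAndGetSecurityTokenInner;
+/**
+* Gets a security token from the OKE Proxymux service
+* @return the security token, which is basically a JWT token string
+*/
+private getSecurityTokenFromServer;
+}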
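Review bot: The `This method is thread-safe.` sentence on getSecurityToken() is not backed by the declared state: the class carries a mutable `securityTokenAdapter` and a `retry` counter, and the implementation in this same diff (refreshAndGetSecurityTokenInner) appears to do no coalescing, so two callers that both observe an expired token will each call refreshKeys() and each POST to Proxymux. The `@throws OciError` line also looks inaccurate, since every failure path in the implementation throws a plain `Error`. Suggest replacing the sentence with `* Concurrent callers that observe an expired token each refresh the session key pair and call Proxymux; serialize calls if a single refresh is required.` and changing the tag to `@throws Error If there is any issue with getting a token from the OKE Proxymux server`.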
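--- /dev/null
+++ b/package/lib/auth/X509-federation-client-for-oke-workload-identity.js
@@ -0,0 +1,175 @@
+"use strict";
+/**
+* Copyright (c) 2020, 2021 Oracle and/or its affiliates. All rights reserved.
+* This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
+*/
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+return new (P || (P = Promise))(function (resolve, reject) {
+function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+step((generator = generator.apply(thisArg, _arguments || [])).next());
+});
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const tls_1 = require("tls");
+const https_1 = require("https");
+const security_token_adapter_1 = __importDefault(require("./security-token-adapter"));
+const auth_utils_1 = __importDefault(require("./helpers/auth-utils"));
+const http_1 = require("../http");
+/**
+* This class gets a security token from the OKE Proxymux service by authenticating the request with the kubernetes service account,
+* passing along a temporary public key that is bounded to the service account.
+*/
+const OKE_WORKLOAD_IDENTITY_GENERIC_ERROR = "Failed to get a RPST token from Proxymux. See https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.htm for more info.";
+class X509FederationClientForOkeWorkloadIdentity {
+constructor(proxymuxEndpoint, kubernetesServiceAccountToken, kubernetesServiceAccountCert, sessionKeySupplier) {
+this.proxymuxEndpoint = proxymuxEndpoint;
+this.kubernetesServiceAccountToken = kubernetesServiceAccountToken;
+this.kubernetesServiceAccountCert = kubernetesServiceAccountCert;
+this.sessionKeySupplier = sessionKeySupplier;
+this.retry = 0;
+this.securityTokenAdapter = new security_token_adapter_1.default("", this.sessionKeySupplier);
+}
+/**
+* Gets a security token. If there is already a valid token cached, it will be returned. Else this will make a call
+* to the OKE Proxymux service to get a new token, using the provided suppliers.
+*
+* This method is thread-safe.
+* @return the security token
+* @throws OciError If there is any issue with getting a token from the OKE Proxymux server
+*/
+getSecurityToken() {
+return __awaiter(this, void 0, void 0, function* () {
+if (this.securityTokenAdapter.isValid()) {
+return this.securityTokenAdapter.getSecurityToken();
+}
+return yield this.refreshAndGetSecurityTokenInner(true);
+});
+}
+/**
+* Return a claim embedded in the security token
+* @param key the name of the claim
+* @return the value of the claim or null if unable to find
+*/
+getStringClaim(key) {
+return __awaiter(this, void 0, void 0, function* () {
+yield this.refreshAndGetSecurityTokenInner(true);
+return this.securityTokenAdapter.getStringClaim(key);
+});
+}
+refreshAndGetSecurityToken() {
+return __awaiter(this, void 0, void 0, function* () {
+return yield this.refreshAndGetSecurityTokenInner(false);
+});
+}
+refreshAndGetSecurityTokenInner(doFinalTokenValidityCheck) {
+return __awaiter(this, void 0, void 0, function* () {
+// Check again to see if the JWT is still invalid, unless we want to skip that check
+if (!doFinalTokenValidityCheck || !this.securityTokenAdapter.isValid()) {
+this.sessionKeySupplier.refreshKeys();
+this.securityTokenAdapter = yield this.getSecurityTokenFromServer();
+return this.securityTokenAdapter.getSecurityToken();
+}
+return this.securityTokenAdapter.getSecurityToken();
+});
+}
+/**
+* Gets a security token from the OKE Proxymux service
+* @return the security token, which is basically a JWT token string
+*/
+getSecurityTokenFromServer() {
+return __awaiter(this, void 0, void 0, function* () {
+const keyPair = this.sessionKeySupplier.getKeyPair();
+if (!keyPair) {
+throw Error("keyPair for session was not provided");
+}
+const publicKey = keyPair.getPublic();
+if (!publicKey) {
+throw Error("Public key is not present");
+}
+try {
+// Create request body and call auth service.
+const url = this.proxymuxEndpoint;
+const requestPayload = {
+podKey: auth_utils_1.default.sanitizeCertificateString(publicKey)
+};
+let jsonPayload = JSON.stringify(requestPayload);
+jsonPayload = jsonPayload.replace(/\\n/g, "");
+const requestObj = {
+uri: url,
+body: jsonPayload,
+method: "POST",
+headers: new Headers({
+"Authorization": `Bearer ${this.kubernetesServiceAccountToken}`,
+"Content-Type": "application/json"
+})
+};
+const httpOptions = {};
+httpOptions.agent = new https_1.Agent({
+ca: [...tls_1.rootCertificates, this.kubernetesServiceAccountCert]
+});
+const httpClient = new http_1.FetchHttpClient(null, null, httpOptions);
+// Call OKE Proxymux Service to get a base64 encoded JSON object which contains the auth token
+const response = yield httpClient.send(requestObj);
+//TODO: Implement retry here
+// retry here
+if (response.status !== 200) {
+if (this.retry < 3) {
+this.retry += 1;
+return yield this.getSecurityTokenFromServer();
+}
+else {
+throw Error(`Failed to call Proxymux for RPST token. Status: ${response.status}. ${OKE_WORKLOAD_IDENTITY_GENERIC_ERROR}`);
+}
+}
+this.retry = 0;
+// The response is a base64 blob of a json object, we need to decode and parse it
+let responseBody;
+try {
+responseBody = yield response.text();
+}
+catch (e) {
+throw Error(`Failed to read response body from Proxymux. ${OKE_WORKLOAD_IDENTITY_GENERIC_ERROR}`);
+}
+let decodedBodyStr;
+try {
+decodedBodyStr = Buffer.from(responseBody, "base64").toString("utf8");
+}
+catch (e) {
+throw Error(`Invalid JSON response received from Proxymux. ${OKE_WORKLOAD_IDENTITY_GENERIC_ERROR}`);
+}
+let parsedBody;
+try {
+parsedBody = JSON.parse(decodedBodyStr);
+}
+catch (e) {
+throw Error(`Invalid JSON response received from Proxymux. ${OKE_WORKLOAD_IDENTITY_GENERIC_ERROR}`);
+}
+if (!parsedBody) {
+throw Error(`Invalid (undefined) RPST token received from Proxymux. ${OKE_WORKLOAD_IDENTITY_GENERIC_ERROR}`);
+}
+if (typeof parsedBody.token !== "string") {
+throw Error(`Invalid (string) RPST token received from Proxymux. ${OKE_WORKLOAD_IDENTITY_GENERIC_ERROR}`);
+}
+const token = parsedBody.token;
+if (!token || token.length === 0) {
+throw Error(`Invalid (empty) RPST token received from Proxymux. ${OKE_WORKLOAD_IDENTITY_GENERIC_ERROR}`);
+}
+if (token.length < 3) {
+throw Error(`Invalid RPST token received from Proxymux. ${OKE_WORKLOAD_IDENTITY_GENERIC_ERROR}`);
+}
+return new security_token_adapter_1.default(token.slice(3), this.sessionKeySupplier);
+}
+catch (e) {
+throw Error(`Failed to call Proxymux, error: ${e}. ${OKE_WORKLOAD_IDENTITY_GENERIC_ERROR}`);
+}
+});
+}
+}
+exports.default = X509FederationClientForOkeWorkloadIdentity;
+//# sourceMappingURL=X509-federation-client-for-oke-workload-identity.js.map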
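Review bot: The retry counter in getSecurityTokenFromServer() is instance state that is only reset on the success path: after the `if (this.retry < 3)` branch has been exhausted and the `else` throws, `this.retry` stays at 3, so every later refresh from this client throws on its first non-200 response without retrying, and concurrent refreshes share the same counter. The recursive call `return yield this.getSecurityTokenFromServer();` also runs inside the outer `try`, so the final throw is re-wrapped by the trailing `catch (e)` once per nesting level, and there is no delay between attempts against Proxymux. A bounded loop with a local attempt counter keeps the same four-attempt budget (one call plus three retries), removes the need for the `retry` field (also declared in the .d.ts) and leaves the `//TODO: Implement retry here` comment resolved.

```javascript
getSecurityTokenFromServer() {
    return __awaiter(this, void 0, void 0, function* () {
        // … unchanged: key pair / public key checks, request payload, agent and FetchHttpClient setup …
        // Call OKE Proxymux Service to get a base64 encoded JSON object which contains the auth token.
        // Four attempts in total (one call plus three retries), tracked locally so a failed
        // refresh does not poison later refreshes or concurrent callers.
        let response;
        for (let attempt = 1; ; attempt++) {
            response = yield httpClient.send(requestObj);
            if (response.status === 200) {
                break;
            }
            if (attempt >= 4) {
                throw Error(`Failed to call Proxymux for RPST token. Status: ${response.status}. ${OKE_WORKLOAD_IDENTITY_GENERIC_ERROR}`);
            }
        }
        // … unchanged: body read, base64/JSON decode, token validation, return …
    });
}
```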
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"X509-federation-client-for-oke-workload-identity.js","sourceRoot":"","sources":["../../../../../lib/auth/X509-federation-client-for-oke-workload-identity.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;AAEH,6BAAuC;AACvC,iCAA4C;AAG5C,sFAA4D;AAC5D,sEAA6C;AAE7C,kCAA0C;AAE1C;;;GAGG;AAEH,MAAM,mCAAmC,GACvC,oKAAoK,CAAC;AAEvK,MAAqB,0CAA0C;IAI7D,YACU,gBAAwB,EACxB,6BAAqC,EACrC,4BAAoC,EACpC,kBAAsC;QAHtC,qBAAgB,GAAhB,gBAAgB,CAAQ;QACxB,kCAA6B,GAA7B,6BAA6B,CAAQ;QACrC,iCAA4B,GAA5B,4BAA4B,CAAQ;QACpC,uBAAkB,GAAlB,kBAAkB,CAAoB;QANxC,UAAK,GAAG,CAAC,CAAC;QAQhB,IAAI,CAAC,oBAAoB,GAAG,IAAI,gCAAoB,CAAC,EAAE,EAAE,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACpF,CAAC;IAED;;;;;;;OAOG;IACG,gBAAgB;;YACpB,IAAI,IAAI,CAAC,oBAAoB,CAAC,OAAO,EAAE,EAAE;gBACvC,OAAO,IAAI,CAAC,oBAAoB,CAAC,gBAAgB,EAAE,CAAC;aACrD;YACD,OAAO,MAAM,IAAI,CAAC,+BAA+B,CAAC,IAAI,CAAC,CAAC;QAC1D,CAAC;KAAA;IAED;;;;OAIG;IACG,cAAc,CAAC,GAAW;;YAC9B,MAAM,IAAI,CAAC,+BAA+B,CAAC,IAAI,CAAC,CAAC;YACjD,OAAO,IAAI,CAAC,oBAAoB,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QACvD,CAAC;KAAA;IAEK,0BAA0B;;YAC9B,OAAO,MAAM,IAAI,CAAC,+BAA+B,CAAC,KAAK,CAAC,CAAC;QAC3D,CAAC;KAAA;IAEa,+BAA+B,CAC3C,yBAAkC;;YAElC,oFAAoF;YACpF,IAAI,CAAC,yBAAyB,IAAI,CAAC,IAAI,CAAC,oBAAoB,CAAC,OAAO,EAAE,EAAE;gBACtE,IAAI,CAAC,kBAAkB,CAAC,WAAW,EAAE,CAAC;gBAEtC,IAAI,CAAC,oBAAoB,GAAG,MAAM,IAAI,CAAC,0BAA0B,EAAE,CAAC;gBAEpE,OAAO,IAAI,CAAC,oBAAoB,CAAC,gBAAgB,EAAE,CAAC;aACrD;YACD,OAAO,IAAI,CAAC,oBAAoB,CAAC,gBAAgB,EAAE,CAAC;QACtD,CAAC;KAAA;IAED;;;OAGG;IACW,0BAA0B;;YACtC,MAAM,OAAO,GAAG,IAAI,CAAC,kBAAkB,CAAC,UAAU,EAAE,CAAC;YACrD,IAAI,CAAC,OAAO,EAAE;gBACZ,MAAM,KAAK,CAAC,sCAAsC,CAAC,CAAC;aACrD;YACD,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;YACtC,IAAI,CAAC,SAAS,EAAE;gBACd,MAAM,KAAK,CAAC,2BAA2B,CAAC,CAAC;aAC1C;YAED,IAAI;gBACF,6CAA6C;gBAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,gBAAgB,CAAC;gBAClC,MAAM,cAAc,GAAG;oBACrB,MAAM,EAAE,oBAAS,CAAC,yBAAyB,CAAC,SAAS,CAAC;iBACvD,CAAC;gBAEF,IAAI,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;gBACjD,WAAW,GAAG,WAAW,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;gBAE9C,MAAM,UAAU,GAAgB;oBA
C9B,GAAG,EAAE,GAAG;oBACR,IAAI,EAAE,WAAW;oBACjB,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,IAAI,OAAO,CAAC;wBACnB,eAAe,EAAE,UAAU,IAAI,CAAC,6BAA6B,EAAE;wBAC/D,cAAc,EAAE,kBAAkB;qBACnC,CAAC;iBACH,CAAC;gBAEF,MAAM,WAAW,GAAuC,EAAE,CAAC;gBAC3D,WAAW,CAAC,KAAK,GAAG,IAAI,aAAU,CAAC;oBACjC,EAAE,EAAE,CAAC,GAAG,sBAAgB,EAAE,IAAI,CAAC,4BAA4B,CAAC;iBAC7D,CAAC,CAAC;gBAEH,MAAM,UAAU,GAAG,IAAI,sBAAe,CAAC,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,CAAC;gBAEhE,8FAA8F;gBAC9F,MAAM,QAAQ,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;gBACnD,4BAA4B;gBAC5B,aAAa;gBACb,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;oBAC3B,IAAI,IAAI,CAAC,KAAK,GAAG,CAAC,EAAE;wBAClB,IAAI,CAAC,KAAK,IAAI,CAAC,CAAC;wBAChB,OAAO,MAAM,IAAI,CAAC,0BAA0B,EAAE,CAAC;qBAChD;yBAAM;wBACL,MAAM,KAAK,CACT,mDAAmD,QAAQ,CAAC,MAAM,KAAK,mCAAmC,EAAE,CAC7G,CAAC;qBACH;iBACF;gBACD,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC;gBAEf,iFAAiF;gBACjF,IAAI,YAAY,CAAC;gBACjB,IAAI;oBACF,YAAY,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;iBACtC;gBAAC,OAAO,CAAC,EAAE;oBACV,MAAM,KAAK,CACT,+CAA+C,mCAAmC,EAAE,CACrF,CAAC;iBACH;gBAED,IAAI,cAAc,CAAC;gBACnB,IAAI;oBACF,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;iBACvE;gBAAC,OAAO,CAAC,EAAE;oBACV,MAAM,KAAK,CACT,iDAAiD,mCAAmC,EAAE,CACvF,CAAC;iBACH;gBAED,IAAI,UAAU,CAAC;gBACf,IAAI;oBACF,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;iBACzC;gBAAC,OAAO,CAAC,EAAE;oBACV,MAAM,KAAK,CACT,iDAAiD,mCAAmC,EAAE,CACvF,CAAC;iBACH;gBACD,IAAI,CAAC,UAAU,EAAE;oBACf,MAAM,KAAK,CACT,0DAA0D,mCAAmC,EAAE,CAChG,CAAC;iBACH;gBACD,IAAI,OAAO,UAAU,CAAC,KAAK,KAAK,QAAQ,EAAE;oBACxC,MAAM,KAAK,CACT,uDAAuD,mCAAmC,EAAE,CAC7F,CAAC;iBACH;gBAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC;gBAC/B,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE;oBAChC,MAAM,KAAK,CACT,sDAAsD,mCAAmC,EAAE,CAC5F,CAAC;iBACH;gBACD,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE;oBACpB,MAAM,KAAK,CACT,8CAA8C,mCAAmC,EAAE,CACpF,CAAC;iBACH;gBAED,OAAO,IAAI,gCAAoB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,kBAAkB,CAAC,CAAC;aAC1E;YAAC,OAAO,CAAC,EAAE;gBACV,MAAM,KAAK,CAAC,mCAAmC,CAAC,KAAK,mCAAmC,EAAE,CAAC,CAAC;aAC7F;QACH,CAAC;KAAA;CACF;
AAxKD,6DAwKC"}
|
|
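--- /dev/null
+++ b/package/lib/auth/helpers/load-from-file.d.ts
@@ -0,0 +1,5 @@
+/**
+* Copyright (c) 2020, 2021 Oracle and/or its affiliates. All rights reserved.
+* This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
+*/
+export declare function loadFromFile(filePath: string): string;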
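Review bot: The exported `loadFromFile` declaration has no doc comment, and nothing in the signature tells a caller that the read is synchronous or what happens on failure; the implementation in this same diff uses readFileSync with "utf8" and throws on any read error. Suggest adding above the declaration: `/** Reads filePath synchronously as UTF-8 and returns its contents. @throws Error if the file cannot be read. */`.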
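--- /dev/null
+++ b/package/lib/auth/helpers/load-from-file.js
@@ -0,0 +1,19 @@
+"use strict";
+/**
+* Copyright (c) 2020, 2021 Oracle and/or its affiliates. All rights reserved.
+* This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
+*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadFromFile = void 0;
+const fs_1 = require("fs");
+function loadFromFile(filePath) {
+try {
+const fileContent = fs_1.readFileSync(filePath, "utf8");
+return fileContent;
+}
+catch (e) {
+throw Error(`Failed to read file contents, error: ${e}`);
+}
+}
+exports.loadFromFile = loadFromFile;
+//# sourceMappingURL=load-from-file.js.map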
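Review bot: The `catch (e)` in loadFromFile drops the original error object, so callers loading the service-account token or CA certificate cannot distinguish a missing file from a permission error (`code` and the stack are gone, only the stringified message survives). If the supported Node range includes 16.9+, `throw new Error(\`Failed to read file contents, error: ${e}\`, { cause: e });` preserves the original; otherwise attach it explicitly before rethrowing. The `try` around a single `readFileSync` plus a temporary `fileContent` could also collapse to `return fs_1.readFileSync(filePath, "utf8");` inside the `try`.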
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"load-from-file.js","sourceRoot":"","sources":["../../../../../../lib/auth/helpers/load-from-file.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAEH,2BAAkC;AAElC,SAAgB,YAAY,CAAC,QAAgB;IAC3C,IAAI;QACF,MAAM,WAAW,GAAG,iBAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAEnD,OAAO,WAAW,CAAC;KACpB;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,KAAK,CAAC,wCAAwC,CAAC,EAAE,CAAC,CAAC;KAC1D;AACH,CAAC;AARD,oCAQC"}
|
|
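--- /dev/null
+++ b/package/lib/auth/oke-workload-identity-authentication-details-provider.d.ts
@@ -0,0 +1,56 @@
+/**
+* Copyright (c) 2020, 2021 Oracle and/or its affiliates. All rights reserved.
+* This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
+*/
+import FederationClient from "./models/federation-client";
+import RefreshableOnNotAuthenticatedProvider from "./models/refreshable-on-not-authenticaticated-provider";
+import AbstractRequestingAuthenticationDetailsProvider from "./abstract-requesting-authentication-detail-provider";
+import SessionKeySupplier from "./models/session-key-supplier";
+export default class OkeWorkloadIdentityAuthenticationDetailsProvider extends AbstractRequestingAuthenticationDetailsProvider implements RefreshableOnNotAuthenticatedProvider<String> {
+protected federationClient: FederationClient;
+protected sessionKeySupplier: SessionKeySupplier;
+static KUBERNETES_SERVICE_HOST_ENV_VAR_NAME: string;
+static KUBERNETES_SERVICE_PORT_PROXYMUX_ENV_VAR_NAME: string;
+static DEFAULT_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH: string;
+static DEFAULT_DEFAULT_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH: string;
+protected _sessionKeySupplier: SessionKeySupplier;
+protected _federationClient: FederationClient;
+constructor(federationClient: FederationClient, sessionKeySupplier: SessionKeySupplier);
+static ClaimKeys: {
+new (): {};
+/**
+* COMPARTMENT_ID is the claim name that the RPST holds for the resource compartment.
+* This can be passed to {@link #getStringClaim} to retrieve the resource's compartment OCID.
+*/
+COMPARTMENT_ID_CLAIM_KEY: string;
+/**
+* TENANT_ID_CLAIM_KEY is the claim name that the RPST holds for the resource tenancy.
+* This can be passed to {@link #getStringClaim} to retrieve the resource's tenancy OCID.
+*/
+TENANT_ID_CLAIM_KEY: string;
+};
+static builder(customKubernetesServiceAccountCertPath: string, customKubernetesServiceAccountTokenPath: string): OkeWorkloadIdentityAuthenticationDetailsProvider;
+/**
+* Session tokens carry JWT-like claims. Permit the retrieval of the value of those
+* claims from the token.
+* At the least, the token should carry claims for {@link ClaimKeys#COMPARTMENT_ID_CLAIM_KEY} and {@link ClaimKeys#TENANT_ID_CLAIM_KEY}
+* @param key the name of a claim in the session token
+* @return the claim value.
+*/
+getStringClaim(key: string): Promise<string | null>;
+/**
+* Refreshes the authentication data used by the provider
+* @return the refreshed authentication data
+*/
+refresh(): Promise<string>;
+/**
+* Builder for OkeWorkloadIdentityAuthenticationDetailsProvider
+*/
+static OkeWorkloadIdentityAuthenticationDetailsProviderBuilder: {
+new (customKubernetesServiceAccountCertPath?: string | undefined, customKubernetesServiceAccountTokenPath?: string | undefined): {
+kubernetesServiceAccountCertPath: string;
+kubernetesServiceAccountTokenPath: string;
+build(): OkeWorkloadIdentityAuthenticationDetailsProvider;
+};
+};
+}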
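Review bot: The public surface of this declaration is inconsistent with itself: `static builder(customKubernetesServiceAccountCertPath: string, customKubernetesServiceAccountTokenPath: string)` requires both paths, while the nested Builder constructor takes them as `?: string | undefined`, so a consumer who wants the default paths must pass `undefined` explicitly through `builder(...)`. The class also declares both `federationClient`/`sessionKeySupplier` and `_federationClient`/`_sessionKeySupplier` as protected fields, which looks like duplicated state, and `DEFAULT_DEFAULT_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH` reads like a naming slip (presumably the token-path default, but the implementation is not fully visible here, so confirm against the .ts source). Two smaller points: `implements RefreshableOnNotAuthenticatedProvider<String>` uses the `String` wrapper type where `string` is intended, and the static env-var/path constants have no doc comments stating what they hold; suggest `static builder(customKubernetesServiceAccountCertPath?: string, customKubernetesServiceAccountTokenPath?: string): OkeWorkloadIdentityAuthenticationDetailsProvider;` and `implements RefreshableOnNotAuthenticatedProvider<string>`.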
@@ -0,0 +1,139 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Copyright (c) 2020, 2021 Oracle and/or its affiliates. All rights reserved.
|
|
4
|
+
* This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
|
|
5
|
+
*/
|
|
6
|
+
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
|
|
7
|
+
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
|
|
8
|
+
return new (P || (P = Promise))(function (resolve, reject) {
|
|
9
|
+
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
|
|
10
|
+
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
|
|
11
|
+
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
|
|
12
|
+
step((generator = generator.apply(thisArg, _arguments || [])).next());
|
|
13
|
+
});
|
|
14
|
+
};
|
|
15
|
+
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
16
|
+
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
17
|
+
};
|
|
18
|
+
var _a;
|
|
19
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
20
|
+
/**
|
|
21
|
+
* This constructs a default implementation of the {@link OkeWorkloadIdentityAuthenticationDetailsProvider}, constructed
|
|
22
|
+
* in accordance with the following environment variable settings:
|
|
23
|
+
* <ul>
|
|
24
|
+
*
|
|
25
|
+
* <li>{@code KUBERNETES_SERVICE_HOST}:
|
|
26
|
+
* <p>This environment variable represents the Kubernetes service host.</p>
|
|
27
|
+
* </li>
|
|
28
|
+
*
|
|
29
|
+
* <li>{@code KUBERNETES_SERVICE_PORT_PROXYMUX}:
|
|
30
|
+
* <p>This environment variable represents the Kubernetes service port for proxymux.</p>
|
|
31
|
+
* </li>
|
|
32
|
+
*
|
|
33
|
+
* </ul>
|
|
34
|
+
*/
|
|
35
|
+
const load_from_file_1 = require("./helpers/load-from-file");
|
|
36
|
+
const abstract_requesting_authentication_detail_provider_1 = __importDefault(require("./abstract-requesting-authentication-detail-provider"));
|
|
37
|
+
const X509_federation_client_for_oke_workload_identity_1 = __importDefault(require("./X509-federation-client-for-oke-workload-identity"));
|
|
38
|
+
const session_key_supplier_1 = __importDefault(require("./session-key-supplier"));
|
|
39
|
+
const OKE_WORKLOAD_IDENTITY_DEBUG_INFORMATION_LOG = "OKE workload identity can only be used in Enhanced OKE clusters. See https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.htm for more info.";
|
|
40
|
+
class OkeWorkloadIdentityAuthenticationDetailsProvider extends abstract_requesting_authentication_detail_provider_1.default {
|
|
41
|
+
constructor(federationClient, sessionKeySupplier) {
|
|
42
|
+
super(federationClient, sessionKeySupplier);
|
|
43
|
+
this.federationClient = federationClient;
|
|
44
|
+
this.sessionKeySupplier = sessionKeySupplier;
|
|
45
|
+
}
|
|
46
|
+
// Builder method to create OkeWorkloadIdentityAuthenticationDetailsProviderBuilder which will build
|
|
47
|
+
// OkeWorkloadIdentityAuthenticationDetailsProvider
|
|
48
|
+
static builder(customKubernetesServiceAccountCertPath, customKubernetesServiceAccountTokenPath) {
|
|
49
|
+
return new OkeWorkloadIdentityAuthenticationDetailsProvider.OkeWorkloadIdentityAuthenticationDetailsProviderBuilder(customKubernetesServiceAccountCertPath, customKubernetesServiceAccountTokenPath).build();
|
|
50
|
+
}
|
|
51
|
+
/**
|
|
52
|
+
* Session tokens carry JWT-like claims. Permit the retrieval of the value of those
|
|
53
|
+
* claims from the token.
|
|
54
|
+
* At the least, the token should carry claims for {@link ClaimKeys#COMPARTMENT_ID_CLAIM_KEY} and {@link ClaimKeys#TENANT_ID_CLAIM_KEY}
|
|
55
|
+
* @param key the name of a claim in the session token
|
|
56
|
+
* @return the claim value.
|
|
57
|
+
*/
|
|
58
|
+
getStringClaim(key) {
|
|
59
|
+
return __awaiter(this, void 0, void 0, function* () {
|
|
60
|
+
return yield this.federationClient.getStringClaim(key);
|
|
61
|
+
});
|
|
62
|
+
}
|
|
63
|
+
/**
|
|
64
|
+
* Refreshes the authentication data used by the provider
|
|
65
|
+
* @return the refreshed authentication data
|
|
66
|
+
*/
|
|
67
|
+
refresh() {
|
|
68
|
+
return __awaiter(this, void 0, void 0, function* () {
|
|
69
|
+
return yield this.federationClient.refreshAndGetSecurityToken();
|
|
70
|
+
});
|
|
71
|
+
}
|
|
72
|
+
}
|
|
73
|
+
exports.default = OkeWorkloadIdentityAuthenticationDetailsProvider;
|
|
74
|
+
OkeWorkloadIdentityAuthenticationDetailsProvider.KUBERNETES_SERVICE_HOST_ENV_VAR_NAME = "KUBERNETES_SERVICE_HOST";
|
|
75
|
+
OkeWorkloadIdentityAuthenticationDetailsProvider.KUBERNETES_SERVICE_PORT_PROXYMUX_ENV_VAR_NAME = "KUBERNETES_SERVICE_PORT_PROXYMUX";
|
|
76
|
+
OkeWorkloadIdentityAuthenticationDetailsProvider.DEFAULT_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt";
|
|
77
|
+
OkeWorkloadIdentityAuthenticationDetailsProvider.DEFAULT_DEFAULT_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token";
|
|
78
|
+
OkeWorkloadIdentityAuthenticationDetailsProvider.ClaimKeys = (_a = class ClaimsKey {
|
|
79
|
+
},
|
|
80
|
+
/**
|
|
81
|
+
* COMPARTMENT_ID is the claim name that the RPST holds for the resource compartment.
|
|
82
|
+
* This can be passed to {@link #getStringClaim} to retrieve the resource's compartment OCID.
|
|
83
|
+
*/
|
|
84
|
+
_a.COMPARTMENT_ID_CLAIM_KEY = "res_compartment",
|
|
85
|
+
/**
|
|
86
|
+
* TENANT_ID_CLAIM_KEY is the claim name that the RPST holds for the resource tenancy.
|
|
87
|
+
* This can be passed to {@link #getStringClaim} to retrieve the resource's tenancy OCID.
|
|
88
|
+
*/
|
|
89
|
+
_a.TENANT_ID_CLAIM_KEY = "res_tenant",
|
|
90
|
+
_a);
|
|
91
|
+
/**
|
|
92
|
+
* Builder for OkeWorkloadIdentityAuthenticationDetailsProvider
|
|
93
|
+
*/
|
|
94
|
+
OkeWorkloadIdentityAuthenticationDetailsProvider.OkeWorkloadIdentityAuthenticationDetailsProviderBuilder = class OkeWorkloadIdentityAuthenticationDetailsProviderBuilder {
|
|
95
|
+
constructor(customKubernetesServiceAccountCertPath, customKubernetesServiceAccountTokenPath) {
|
|
96
|
+
this.kubernetesServiceAccountCertPath =
|
|
97
|
+
customKubernetesServiceAccountCertPath ||
|
|
98
|
+
OkeWorkloadIdentityAuthenticationDetailsProvider.DEFAULT_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH;
|
|
99
|
+
this.kubernetesServiceAccountTokenPath =
|
|
100
|
+
customKubernetesServiceAccountTokenPath ||
|
|
101
|
+
OkeWorkloadIdentityAuthenticationDetailsProvider.DEFAULT_DEFAULT_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH;
|
|
102
|
+
}
|
|
103
|
+
build() {
|
|
104
|
+
let federationClient;
|
|
105
|
+
let sessionKeySupplier;
|
|
106
|
+
const kubernetesServiceHost = process.env[OkeWorkloadIdentityAuthenticationDetailsProvider.KUBERNETES_SERVICE_HOST_ENV_VAR_NAME];
|
|
107
|
+
if (!kubernetesServiceHost) {
|
|
108
|
+
throw Error(`${OkeWorkloadIdentityAuthenticationDetailsProvider.KUBERNETES_SERVICE_HOST_ENV_VAR_NAME} environment variable is missing. ` +
|
|
109
|
+
OKE_WORKLOAD_IDENTITY_DEBUG_INFORMATION_LOG);
|
|
110
|
+
}
|
|
111
|
+
const kubernetesServiceProxymuxPort = process.env[OkeWorkloadIdentityAuthenticationDetailsProvider
|
|
112
|
+
.KUBERNETES_SERVICE_PORT_PROXYMUX_ENV_VAR_NAME];
|
|
113
|
+
if (!kubernetesServiceProxymuxPort) {
|
|
114
|
+
throw Error(`${OkeWorkloadIdentityAuthenticationDetailsProvider.KUBERNETES_SERVICE_PORT_PROXYMUX_ENV_VAR_NAME} environment variable is missing. ` +
|
|
115
|
+
OKE_WORKLOAD_IDENTITY_DEBUG_INFORMATION_LOG);
|
|
116
|
+
}
|
|
117
|
+
let kubernetesServiceAccountCert;
|
|
118
|
+
try {
|
|
119
|
+
kubernetesServiceAccountCert = load_from_file_1.loadFromFile(this.kubernetesServiceAccountCertPath);
|
|
120
|
+
}
|
|
121
|
+
catch (e) {
|
|
122
|
+
throw Error(`Failed to read ${this.kubernetesServiceAccountCertPath}. ` +
|
|
123
|
+
OKE_WORKLOAD_IDENTITY_DEBUG_INFORMATION_LOG);
|
|
124
|
+
}
|
|
125
|
+
let kubernetesServiceAccountToken;
|
|
126
|
+
try {
|
|
127
|
+
kubernetesServiceAccountToken = load_from_file_1.loadFromFile(this.kubernetesServiceAccountTokenPath);
|
|
128
|
+
}
|
|
129
|
+
catch (e) {
|
|
130
|
+
throw Error(`Failed to read ${this.kubernetesServiceAccountTokenPath}. ` +
|
|
131
|
+
OKE_WORKLOAD_IDENTITY_DEBUG_INFORMATION_LOG);
|
|
132
|
+
}
|
|
133
|
+
// Initialize everything
|
|
134
|
+
sessionKeySupplier = new session_key_supplier_1.default();
|
|
135
|
+
federationClient = new X509_federation_client_for_oke_workload_identity_1.default(`https://${kubernetesServiceHost}:${kubernetesServiceProxymuxPort}/resourcePrincipalSessionTokens`, kubernetesServiceAccountToken, kubernetesServiceAccountCert, sessionKeySupplier);
|
|
136
|
+
return new OkeWorkloadIdentityAuthenticationDetailsProvider(federationClient, sessionKeySupplier);
|
|
137
|
+
}
|
|
138
|
+
};
|
|
139
|
+
//# sourceMappingURL=oke-workload-identity-authentication-details-provider.js.map
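Review bot: `DEFAULT_DEFAULT_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH` (new-file line 77) actually holds the service-account *token* path and is what the builder uses as the token default, so the name misdescribes a credential file; since it is already a public static, add a correctly named alias rather than renaming, `OkeWorkloadIdentityAuthenticationDetailsProvider.DEFAULT_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH = OkeWorkloadIdentityAuthenticationDetailsProvider.DEFAULT_DEFAULT_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH;` and read that one in the builder constructor. The two `catch (e)` blocks in `build()` discard `e`, so an operator cannot distinguish a missing file from a permission error; carry it along, e.g. `throw Error(\`Failed to read ${this.kubernetesServiceAccountTokenPath}: ${e}. \` + OKE_WORKLOAD_IDENTITY_DEBUG_INFORMATION_LOG);`. The token is read once in `build()` and handed to the federation client by value; if that client does not re-read the file on `refreshAndGetSecurityToken()`, a kubelet-rotated projected token will go stale and every request will start failing at its expiry, which is worth confirming in X509-federation-client-for-oke-workload-identity.js (not in this hunk). The endpoint URL on line 135 is also malformed when `KUBERNETES_SERVICE_HOST` is an IPv6 literal; bracket it first, `const host = kubernetesServiceHost.includes(":") ? \`[${kubernetesServiceHost}]\` : kubernetesServiceHost;`.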
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oke-workload-identity-authentication-details-provider.js","sourceRoot":"","sources":["../../../../../lib/auth/oke-workload-identity-authentication-details-provider.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;AAEH;;;;;;;;;;;;;;GAcG;AAEH,6DAAwD;AAGxD,8IAAmH;AAEnH,0IAA4G;AAC5G,kFAA4D;AAE5D,MAAM,2CAA2C,GAC/C,2LAA2L,CAAC;AAE9L,MAAqB,gDACnB,SAAQ,4DAA+C;IAevD,YACY,gBAAkC,EAClC,kBAAsC;QAEhD,KAAK,CAAC,gBAAgB,EAAE,kBAAkB,CAAC,CAAC;QAHlC,qBAAgB,GAAhB,gBAAgB,CAAkB;QAClC,uBAAkB,GAAlB,kBAAkB,CAAoB;IAGlD,CAAC;IAgBD,oGAAoG;IACpG,mDAAmD;IAC5C,MAAM,CAAC,OAAO,CACnB,sCAA8C,EAC9C,uCAA+C;QAE/C,OAAO,IAAI,gDAAgD,CAAC,uDAAuD,CACjH,sCAAsC,EACtC,uCAAuC,CACxC,CAAC,KAAK,EAAE,CAAC;IACZ,CAAC;IAED;;;;;;OAMG;IACU,cAAc,CAAC,GAAW;;YACrC,OAAO,MAAM,IAAI,CAAC,gBAAgB,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QACzD,CAAC;KAAA;IAED;;;OAGG;IACG,OAAO;;YACX,OAAO,MAAM,IAAI,CAAC,gBAAgB,CAAC,0BAA0B,EAAE,CAAC;QAClE,CAAC;KAAA;;AAlEH,mEAqJC;AAlJQ,qFAAoC,GAAG,yBAAyB,CAAC;AACjE,8FAA6C,GAAG,kCAAkC,CAAC;AACnF,6FAA4C,GACjD,sDAAsD,CAAC;AAClD,qGAAoD,GACzD,qDAAqD,CAAC;AAe1C,0DAAS,SAAG,MAAM,SAAS;KAYxC;IAXC;;;OAGG;IACW,2BAAwB,GAAG,iBAAkB;IAE3D;;;OAGG;IACW,sBAAmB,GAAG,YAAa;QACjD;AAiCF;;GAEG;AACW,wGAAuD,GAAG,MAAM,uDAAuD;IAInI,YACE,sCAA+C,EAC/C,uCAAgD;QAEhD,IAAI,CAAC,gCAAgC;YACnC,sCAAsC;gBACtC,gDAAgD,CAAC,4CAA4C,CAAC;QAChG,IAAI,CAAC,iCAAiC;YACpC,uCAAuC;gBACvC,gDAAgD,CAAC,oDAAoD,CAAC;IAC1G,CAAC;IAEM,KAAK;QACV,IAAI,gBAAkC,CAAC;QACvC,IAAI,kBAAsC,CAAC;QAE3C,MAAM,qBAAqB,GACzB,OAAO,CAAC,GAAG,CACT,gDAAgD,CAAC,oCAAoC,CACtF,CAAC;QACJ,IAAI,CAAC,qBAAqB,EAAE;YAC1B,MAAM,KAAK,CACT,GAAG,gDAAgD,CAAC,oCAAoC,oCAAoC;gBAC1H,2CAA2C,CAC9C,CAAC;SACH;QAED,MAAM,6BAA6B,GACjC,OAAO,CAAC,GAAG,CACT,gDAAgD;aAC7C,6CAA6C,CACjD,CAAC;QACJ,IAAI,CAAC,6BAA6B,EAAE;YAClC,MAAM,KAAK,CACT,GAAG,gDAAgD,CAAC,6CAA6C,oCAAoC;gBACnI,2CAA2C,CAC9C,CAAC;SACH;QAED,IAAI,4BAA4B,CAAC;QACjC,IAAI;YACF,4BAA4B,GAAG,6BAAY,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;SACpF;QAAC,OAAO,CAAC,EAAE;YACV,MAAM,KAAK,CACT,kBAAkB,IAAI,CAAC,gCAAgC,IAAI;gBACzD,2CAA2C,CAC9C,CAAC;SACH;QAED,IAAI,6BA
A6B,CAAC;QAClC,IAAI;YACF,6BAA6B,GAAG,6BAAY,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;SACtF;QAAC,OAAO,CAAC,EAAE;YACV,MAAM,KAAK,CACT,kBAAkB,IAAI,CAAC,iCAAiC,IAAI;gBAC1D,2CAA2C,CAC9C,CAAC;SACH;QAED,wBAAwB;QACxB,kBAAkB,GAAG,IAAI,8BAAsB,EAAE,CAAC;QAClD,gBAAgB,GAAG,IAAI,0DAA0C,CAC/D,WAAW,qBAAqB,IAAI,6BAA6B,iCAAiC,EAClG,6BAA6B,EAC7B,4BAA4B,EAC5B,kBAAkB,CACnB,CAAC;QAEF,OAAO,IAAI,gDAAgD,CACzD,gBAAgB,EAChB,kBAAkB,CACnB,CAAC;IACJ,CAAC;CACF,CAAC"}
|
|
@@ -7,6 +7,7 @@ import X509CertificateSupplier from "./models/X509-certificate-supplier";
|
|
|
7
7
|
import CertificateAndPrivateKeyPair from "./certificate-and-privatekey-pair";
|
|
8
8
|
import Refreshable from "./models/refreshable";
|
|
9
9
|
import CircuitBreaker from "../circuit-breaker";
|
|
10
|
+
import { Response } from "node-fetch";
|
|
10
11
|
/**
|
|
11
12
|
* A class that retrieves certificate based on metadata service url
|
|
12
13
|
*/
|
|
@@ -35,6 +36,8 @@ export declare class ResourceDetails {
|
|
|
35
36
|
private headers;
|
|
36
37
|
private circuitBreaker;
|
|
37
38
|
constructor(url: string, headers: Headers, circuitBreaker: CircuitBreaker);
|
|
39
|
+
private METADATA_AUTH_HEADERS;
|
|
40
|
+
private AUTHORIZATION;
|
|
38
41
|
send(): Promise<Response>;
|
|
39
42
|
getUrl(): string;
|
|
40
43
|
}
|
|
@@ -21,6 +21,7 @@ const sshpk_1 = require("sshpk");
|
|
|
21
21
|
const http_1 = require("../http");
|
|
22
22
|
const certificate_and_privatekey_pair_1 = __importDefault(require("./certificate-and-privatekey-pair"));
|
|
23
23
|
const helper_1 = require("../helper");
|
|
24
|
+
const node_fetch_1 = __importDefault(require("node-fetch"));
|
|
24
25
|
/**
|
|
25
26
|
* A class that retrieves certificate based on metadata service url
|
|
26
27
|
*/
|
|
@@ -89,14 +90,17 @@ class ResourceDetails {
|
|
|
89
90
|
this.url = url;
|
|
90
91
|
this.headers = headers;
|
|
91
92
|
this.circuitBreaker = circuitBreaker;
|
|
93
|
+
this.METADATA_AUTH_HEADERS = "Bearer Oracle";
|
|
94
|
+
this.AUTHORIZATION = "Authorization";
|
|
92
95
|
}
|
|
93
96
|
send() {
|
|
94
97
|
return __awaiter(this, void 0, void 0, function* () {
|
|
95
98
|
const httpClient = new http_1.FetchHttpClient(null, this.circuitBreaker);
|
|
96
|
-
const
|
|
97
|
-
|
|
99
|
+
const metaDataHeaders = {};
|
|
100
|
+
metaDataHeaders[this.AUTHORIZATION] = this.METADATA_AUTH_HEADERS;
|
|
101
|
+
const response = yield node_fetch_1.default(this.url, {
|
|
98
102
|
method: "GET",
|
|
99
|
-
headers:
|
|
103
|
+
headers: metaDataHeaders
|
|
100
104
|
});
|
|
101
105
|
return response;
|
|
102
106
|
});
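Review bot: `send()` now calls `node_fetch_1.default(this.url, …)` directly while `httpClient` (the `FetchHttpClient` built with `this.circuitBreaker` on line 98) is left unused, so unless that constructor has side effects the circuit breaker no longer guards the metadata call; either route the request through `httpClient` or drop the dead construction. `this.headers` is still assigned in the constructor but the request carries only the `Authorization` header, so any caller-supplied headers are silently dropped — if that is intended, a comment such as `// Only the IMDS v2 Authorization header is sent; caller headers are not forwarded.` would save the next reader a search. `METADATA_AUTH_HEADERS` and `AUTHORIZATION` are fixed strings assigned per instance; module-level `const`s would state that they are not configuration. This hunk also makes `node-fetch` a runtime require, but the package.json change in this diff adds `"node-fetch": "2.6.5"` to the block that holds `@types/node-fetch` and `webpack-cli`, which looks like devDependencies; confirm it is also listed under `dependencies` or consumers will fail at load.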
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"url-based-x509-certificate-supplier.js","sourceRoot":"","sources":["../../../../../lib/auth/url-based-x509-certificate-supplier.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA;;;GAGG;AACH,iCAAmF;AACnF,kCAA0C;AAE1C,wGAA6E;AAE7E,sCAAsD;
|
|
1
|
+
{"version":3,"file":"url-based-x509-certificate-supplier.js","sourceRoot":"","sources":["../../../../../lib/auth/url-based-x509-certificate-supplier.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA;;;GAGG;AACH,iCAAmF;AACnF,kCAA0C;AAE1C,wGAA6E;AAE7E,sCAAsD;AAEtD,4DAA6C;AAE7C;;GAEG;AAEH,MAAa,+BAA+B;IAE1C,YACU,kBAAmC,EACnC,iBAAyC,EACzC,8BAA6C;QAF7C,uBAAkB,GAAlB,kBAAkB,CAAiB;QACnC,sBAAiB,GAAjB,iBAAiB,CAAwB;QACzC,mCAA8B,GAA9B,8BAA8B,CAAe;IACpD,CAAC;IAEJ;;;OAGG;IACH,SAAS;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;OAGG;IACG,OAAO;;YACX,MAAM,WAAW,GAAgB,MAAM,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;YACxF,MAAM,UAAU,GAAsB,MAAM,IAAI,CAAC,cAAc,CAC7D,IAAI,CAAC,iBAAiB,EACtB,IAAI,CAAC,8BAA8B,CACpC,CAAC;YACF,IAAI,CAAC,qBAAqB,GAAG,IAAI,yCAA4B,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;YACvF,OAAO,IAAI,CAAC;QACd,CAAC;KAAA;IAEK,kBAAkB,CAAC,kBAAmC;;YAC1D,MAAM,iBAAiB,GAAG,MAAM,kBAAkB,CAAC,IAAI,EAAE,CAAC;YAC1D,sDAAsD;YACtD,MAAM,iBAAiB,GAAG,MAAM,kCAAyB,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC;YAClF,MAAM,WAAW,GAAG,wBAAgB,CAAC,iBAAiB,EAAE,KAAK,CAAC,CAAC;YAC/D,OAAO,WAAW,CAAC;QACrB,CAAC;KAAA;IAEK,cAAc,CAClB,yBAAiD,EACjD,oBAAmC;;YAEnC,IAAI,OAAO,GAAG,EAAE,CAAC;YACjB,IAAI,CAAC,yBAAyB,IAAI,CAAC,yBAAyB,CAAC,MAAM,EAAE,EAAE;gBACrE,OAAO,IAAI,CAAC;aACb;YACD,IAAI,oBAAoB,EAAE;gBACxB,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,oBAAoB,EAAE,CAAC,CAAC;aAC9D;YACD,IAAI;gBACF,MAAM,gBAAgB,GAAG,MAAM,yBAAyB,CAAC,IAAI,EAAE,CAAC;gBAChE,gDAAgD;gBAChD,MAAM,gBAAgB,GAAG,MAAM,kCAAyB,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;gBAChF,MAAM,UAAU,GAAG,uBAAe,CAAC,gBAAgB,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;gBACtE,OAAO,UAAU,CAAC;aACnB;YAAC,OAAO,CAAC,EAAE;gBACV,MAAM,KAAK,CAAC,0CAA0C,CAAC,EAAE,CAAC,CAAC;aAC5D;QACH,CAAC;KAAA;IAED,wBAAwB;QACtB,OAAO,IAAI,CAAC,qBAAqB,CAAC;IACpC,CAAC;CACF;AA/DD,0EA+DC;AAED,MAAa,eAAe;IAC1B,YACU,GAAW,EACX,OAAgB,EAChB,cAA8B;QAF9B,QAAG,GAAH,GAAG,CAAQ;QACX,YAAO,GAAP,OAAO,CAAS;QAChB,mBAAc,GAAd,cAAc,CAAgB;QAEhC,0BAAqB,GAAG,eAAe,CAAC;QACxC,kBAAa,GAAG,eAAe,CAAC;IAFrC,CAAC;IAIE,IAAI;;YACR,MAAM,UAAU,GAAG,IAAI,sBAAe,CAAC,IAAI,EAAE,IAAI,CAAC,cAAc,CAAC,C
AAC;YAClE,MAAM,eAAe,GAAQ,EAAE,CAAC;YAChC,eAAe,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC,qBAAqB,CAAC;YACjE,MAAM,QAAQ,GAAG,MAAM,oBAAK,CAAC,IAAI,CAAC,GAAG,EAAE;gBACrC,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,eAAe;aACzB,CAAC,CAAC;YACH,OAAO,QAAQ,CAAC;QAClB,CAAC;KAAA;IAED,MAAM;QACJ,OAAO,IAAI,CAAC,GAAG,CAAC;IAClB,CAAC;CACF;AAvBD,0CAuBC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "oci-common",
|
|
3
|
-
"version": "2.70.
|
|
3
|
+
"version": "2.70.3",
|
|
4
4
|
"description": "OCI Common module for NodeJS",
|
|
5
5
|
"repository": {
|
|
6
6
|
"type": "git",
|
|
@@ -33,6 +33,7 @@
|
|
|
33
33
|
"@types/chai": "4.1.7",
|
|
34
34
|
"@types/node": "14.14.43",
|
|
35
35
|
"@types/mocha": "5.2.5",
|
|
36
|
+
"@types/node-fetch": "2.6.5",
|
|
36
37
|
"awesome-typescript-loader": "3.1.3",
|
|
37
38
|
"chai": "^4.2.0",
|
|
38
39
|
"mocha": "^5.2.0",
|
|
@@ -40,7 +41,8 @@
|
|
|
40
41
|
"ts-node": "^8.0.2",
|
|
41
42
|
"typescript": "4.1.3",
|
|
42
43
|
"webpack": "4.0.0",
|
|
43
|
-
"webpack-cli": "^3.3.0"
|
|
44
|
+
"webpack-cli": "^3.3.0",
|
|
45
|
+
"node-fetch": "2.6.5"
|
|
44
46
|
},
|
|
45
47
|
"publishConfig": {
|
|
46
48
|
"registry": "https://registry.npmjs.org"
|