Class: OCI::Auth::UrlBasedCertificateRetriever

Inherits:

Object

• Object
• OCI::Auth::UrlBasedCertificateRetriever

Defined in:

lib/oci/auth/url_based_certificate_retriever.rb

Overview

A certificate retriever which reads PEM-format strings from URLs.

Instance Method Summary

• #certificate ⇒ OpenSSL::X509::Certificate

  PEM-formatted string into a OpenSSL::X509::Certificate.

• #certificate_pem ⇒ String

  The certificate as a PEM formatted string.

• #initialize(certificate_url, private_key_url: nil, private_key_passphrase: nil) ⇒ UrlBasedCertificateRetriever constructor

  Creates a new UrlBasedCertificateRetriever.

• #private_key ⇒ OpenSSL::PKey::RSA

  The private key.

• #private_key_pem ⇒ String

  The private key as a PEM-formatted string.

• #refresh ⇒ Object

  rubocop:disable Metrics/CyclomaticComplexity.

• #request_metadata(url) ⇒ Object

  rubocop:enable Metrics/CyclomaticComplexity.

Constructor Details

#initialize(certificate_url, private_key_url: nil, private_key_passphrase: nil) ⇒ UrlBasedCertificateRetriever

Creates a new UrlBasedCertificateRetriever

Parameters:

• certificate_url (String) —

  The URL from which to retrieve a certificate. It is assumed that what we retrieve is the PEM-formatted string for the certificate

• private_key_url (String) (defaults to: nil) —

  The URL from which to retrieve the private key corresponding to certificate_url (if any). It is assumed that what we retrieve is the PEM-formatted string for

• private_key_passphrase (String) (defaults to: nil) —

  The passphrase of the private key (if any)

# File 'lib/oci/auth/url_based_certificate_retriever.rb', line 19

def initialize(certificate_url, private_key_url: nil, private_key_passphrase: nil)
  raise 'A certificate_url must be supplied' unless certificate_url

  @certificate_url = certificate_url
  @private_key_url = private_key_url
  @private_key_passphrase = private_key_passphrase

  @certificate_pem = nil
  @private_key_pem = nil
  @private_key = nil

  @refresh_lock = Mutex.new

  uri = URI(certificate_url)
  @certificate_retrieve_http_client = Net::HTTP.new(uri.hostname, uri.port)

  if !@private_key_url.nil? && !@private_key_url.strip.empty?
    uri = URI(private_key_url.strip)
    @private_key_retrieve_http_client = Net::HTTP.new(uri.hostname, uri.port)
  else
    @private_key_retrieve_http_client = nil
  end

  refresh
end

Instance Method Details

#certificate ⇒ OpenSSL::X509::Certificate

PEM-formatted string into a OpenSSL::X509::Certificate

Returns:

• (OpenSSL::X509::Certificate) —

  The certificate as an OpenSSL::X509::Certificate. This converts the

# File 'lib/oci/auth/url_based_certificate_retriever.rb', line 56

def certificate
  cert_pem = certificate_pem
  OpenSSL::X509::Certificate.new(cert_pem)
end

#certificate_pem ⇒ String

Returns The certificate as a PEM formatted string.

Returns:

• (String) —

  The certificate as a PEM formatted string

# File 'lib/oci/auth/url_based_certificate_retriever.rb', line 46

def certificate_pem
  @refresh_lock.lock
  pem = @certificate_pem
  @refresh_lock.unlock

  pem
end

#private_key ⇒ OpenSSL::PKey::RSA

Returns The private key.

Returns:

• (OpenSSL::PKey::RSA) —

  The private key

# File 'lib/oci/auth/url_based_certificate_retriever.rb', line 71

def private_key
  @refresh_lock.lock
  key = @private_key
  @refresh_lock.unlock

  key
end

#private_key_pem ⇒ String

Returns The private key as a PEM-formatted string.

Returns:

• (String) —

  The private key as a PEM-formatted string

# File 'lib/oci/auth/url_based_certificate_retriever.rb', line 62

def private_key_pem
  @refresh_lock.lock
  pem = @private_key_pem
  @refresh_lock.unlock

  pem
end

#refresh ⇒ Object

rubocop:disable Metrics/CyclomaticComplexity

# File 'lib/oci/auth/url_based_certificate_retriever.rb', line 80

def refresh
  @refresh_lock.lock
  OCI::Retry.make_retrying_call(OCI::Auth::Util.default_imds_retry_policy, call_name: 'x509') do
    OCI::Auth::Util.circuit.run do
      response = request_metadata(@certificate_url)
      raise OCI::Errors::NetworkError.new(response.body, response.code) unless response.is_a?(Net::HTTPSuccess)

      @certificate_pem = response.body
    end
  end

  if @private_key_retrieve_http_client
    OCI::Retry.make_retrying_call(OCI::Auth::Util.default_imds_retry_policy, call_name: 'x509') do
      OCI::Auth::Util.circuit.run do
        response = request_metadata(@private_key_url)
        raise OCI::Errors::NetworkError.new(response.body, response.code) unless response.is_a?(Net::HTTPSuccess)

        @private_key_pem = response.body
        @private_key = OpenSSL::PKey::RSA.new(@private_key_pem, @private_key_passphrase || SecureRandom.uuid)
      end
    end
  end
ensure
  @refresh_lock.unlock if @refresh_lock.locked? && @refresh_lock.owned?
end

#request_metadata(url) ⇒ Object

rubocop:enable Metrics/CyclomaticComplexity

# File 'lib/oci/auth/url_based_certificate_retriever.rb', line 108

def request_metadata(url)
  uri = URI(url)
  Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == 'https') do |http|
    response = http.request(OCI::Auth::Util.get_metadata_request(url, 'get'))
    return response
  end
rescue StandardError => e
  pp "Request to #{url} failed: #{e.class} - #{e.message}"
  raise
end