Navigation Menu

Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

InstancePrincipalsSecurityTokenSigner doesn't work without explicit federation endpoint #29

Closed
nirvdrum opened this issue Feb 21, 2019 · 2 comments
Closed

InstancePrincipalsSecurityTokenSigner doesn't work without explicit federation endpoint #29

nirvdrum opened this issue Feb 21, 2019 · 2 comments

Comments

@nirvdrum
Copy link

The documentation and code samples both say that the federation_endpoint argument to the InstancePrincipalsSecurityTokenSigner constructor is optional. However, there's a logic error in the constructor's implementation that requires the federation endpoint to be supplied, otherwise it will default to a value of nil and will result in an ArgumentError in creating a URI from the federation client:

irb(main):001:0> instance_principals_signer = OCI::Auth::Signers::InstancePrincipalsSecurityTokenSigner.new
ArgumentError: bad argument (expected URI object or URI string)
	from /opt/graalvm/jre/languages/ruby/lib/mri/uri/common.rb:739:in `URI'
	from /opt/graalvm/jre/languages/ruby/lib/ruby/gems/2.4.0/gems/oci-2.3.5/lib/oci/auth/federation_client.rb:40:in `initialize'
	from /opt/graalvm/jre/languages/ruby/lib/ruby/gems/2.4.0/gems/oci-2.3.5/lib/oci/auth/signers/instance_principals_security_token_signer.rb:77:in `new'
	from /opt/graalvm/jre/languages/ruby/lib/ruby/gems/2.4.0/gems/oci-2.3.5/lib/oci/auth/signers/instance_principals_security_token_signer.rb:77:in `initialize'
	from (irb):2:in `new'
	from (irb):2
	from /opt/graalvm/jre/languages/ruby/bin/irb:29:in `<main>'

The issue is in the following block used to conditionally assign the federation endpoint value:

@federation_endpoint = if defined?(federation_endpoint)
                          federation_endpoint
                       else
                          "#{OCI::Regions.get_service_endpoint(@region, :Auth)}/v1/x509"
                       end

Since federation_endpoint is a keyword argument with a default value, it is always defined. defined?(federation_endpoint) => local-variable. The simple fix is to change the predicate to if federetion_endpoint. It's not clear if the code was implemented in this way to support an end user explicitly passing a false-y value. However, if a user does explicitly do that, the code is still going to error out several layers removed from where the error occurs.

On a side note, the published docs for the federation_endpoint value is truncated because the yard doc comment wraps. I don't know off-hand if there's a way to wrap it and generate properly or if you'd just need to accept wider-than-you-want comments for fields like this.
@andy-miles
Copy link
Contributor

Thanks for the investigation and pointing out the bug. I'll review and address the issues you cited.

@andy-miles
Copy link
Contributor

Fixes for instance principals are included with the 2.5.1 release. It's also available via RubyGems.

Please update your oci gem and verify that it addresses your issues.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@nirvdrum @andy-miles