Release 2019 08 27 (#185)

Releasing version v8.0.0

Author: jasonyin

CHANGELOG.md

@@ -4,6 +4,39 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 
+## 8.0.0 - 2019-08-27
+### Added
+- Support for the Sao Paulo (GRU) region
+- Support for dedicated virtual machine hosts in the Compute service
+- Support for resource groups in metrics and alarms in the Monitoring service
+- Support for resource principle auth. Example can be found on [Github](https://github.com/oracle/oci-go-sdk/tree/master/example/example_resource_principal_function/README.md)
+
+### Breaking changes
+- Breaking changes were made for following enum values
+    - Before
+    ```golang
+    autoscaling.ActionTypeEnum.ActionTypeBy
+    keymanagement.CreateVaultDetailsVaultTypeEnum.CreateVaultDetailsVaultTypePrivate
+    keymanagement.VaultSummaryVaultTypeEnum.VaultSummaryVaultTypePrivate
+    keymanagement.VaultVaultTypeEnum.VaultVaultTypePrivate
+    objectstorage.WorkRequestSummaryOperationTypeEnum.WorkRequestSummaryOperationTypeObject
+    objectstorage.WorkRequestOperationTypeEnum.WorkRequestOperationTypeObject
+    resourcemanager.LogEntryTypeEnum.LogEntryTypeConsole
+    resourcemanager.WorkRequestOperationTypeEnum.WorkRequestOperationTypeCompartment
+    ```
+
+    - After
+    ```golang
+    autoscaling.ActionTypeEnum.ActionTypeChangeCountBy
+    keymanagement.CreateVaultDetailsVaultTypeEnum.CreateVaultDetailsVaultTypeVirtualPrivate
+    keymanagement.VaultSummaryVaultTypeEnum.VaultSummaryVaultTypeVirtualPrivate
+    keymanagement.VaultVaultTypeEnum.VaultVaultTypeVirtualPrivate
+    objectstorage.WorkRequestSummaryOperationTypeEnum.WorkRequestSummaryOperationTypeCopyObject
+    objectstorage.WorkRequestOperationTypeEnum.WorkRequestOperationTypeCopyObject
+    resourcemanager.LogEntryTypeEnum.LogEntryTypeTerraformConsole
+    resourcemanager.WorkRequestOperationTypeEnum.WorkRequestOperationTypeChangeStackCompartment
+    ```
+
 ## 7.1.0 - 2019-08-20
 ### Added
 - Support for the Limits service

autoscaling/action.go

@@ -33,11 +33,11 @@ type ActionTypeEnum string
 
 // Set of constants representing the allowable values for ActionTypeEnum
 const (
-	ActionTypeBy ActionTypeEnum = "CHANGE_COUNT_BY"
+	ActionTypeChangeCountBy ActionTypeEnum = "CHANGE_COUNT_BY"
 )
 
 var mappingActionType = map[string]ActionTypeEnum{
-	"CHANGE_COUNT_BY": ActionTypeBy,
+	"CHANGE_COUNT_BY": ActionTypeChangeCountBy,
 }
 
 // GetActionTypeEnumValues Enumerates the set of values for ActionTypeEnum

common/auth/federation_client.go

@@ -9,8 +9,10 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"github.com/oracle/oci-go-sdk/common"
+	"io/ioutil"
 	"net/http"
 	"os"
 	"strings"
@@ -21,10 +23,113 @@ import (
 // federationClient is a client to retrieve the security token for an instance principal necessary to sign a request.
 // It also provides the private key whose corresponding public key is used to retrieve the security token.
 type federationClient interface {
+	ClaimHolder
 	PrivateKey() (*rsa.PrivateKey, error)
 	SecurityToken() (string, error)
 }
 
+// ClaimHolder is implemented by any token interface that provides access to the security claims embedded in the token.
+type ClaimHolder interface {
+	GetClaim(key string) (interface{}, error)
+}
+
+type genericFederationClient struct {
+	SessionKeySupplier   sessionKeySupplier
+	RefreshSecurityToken func() (securityToken, error)
+
+	securityToken securityToken
+	mux           sync.Mutex
+}
+
+var _ federationClient = &genericFederationClient{}
+
+func (c *genericFederationClient) PrivateKey() (*rsa.PrivateKey, error) {
+	c.mux.Lock()
+	defer c.mux.Unlock()
+
+	if err := c.renewKeyAndSecurityTokenIfNotValid(); err != nil {
+		return nil, err
+	}
+	return c.SessionKeySupplier.PrivateKey(), nil
+}
+
+func (c *genericFederationClient) SecurityToken() (token string, err error) {
+	c.mux.Lock()
+	defer c.mux.Unlock()
+
+	if err = c.renewKeyAndSecurityTokenIfNotValid(); err != nil {
+		return "", err
+	}
+	return c.securityToken.String(), nil
+}
+
+func (c *genericFederationClient) renewKeyAndSecurityTokenIfNotValid() (err error) {
+	if c.securityToken == nil || !c.securityToken.Valid() {
+		if err = c.renewKeyAndSecurityToken(); err != nil {
+			return fmt.Errorf("failed to renew security token: %s", err.Error())
+		}
+	}
+	return nil
+}
+
+func (c *genericFederationClient) renewKeyAndSecurityToken() (err error) {
+	common.Logf("Renewing keys for file based security token at: %v\n", time.Now().Format("15:04:05.000"))
+	if err = c.SessionKeySupplier.Refresh(); err != nil {
+		return fmt.Errorf("failed to refresh session key: %s", err.Error())
+	}
+
+	common.Logf("Renewing security token at: %v\n", time.Now().Format("15:04:05.000"))
+	if c.securityToken, err = c.RefreshSecurityToken(); err != nil {
+		return fmt.Errorf("failed to refresh security token key: %s", err.Error())
+	}
+	common.Logf("Security token renewed at: %v\n", time.Now().Format("15:04:05.000"))
+	return nil
+}
+
+func (c *genericFederationClient) GetClaim(key string) (interface{}, error) {
+	c.mux.Lock()
+	defer c.mux.Unlock()
+
+	if err := c.renewKeyAndSecurityTokenIfNotValid(); err != nil {
+		return nil, err
+	}
+	return c.securityToken.GetClaim(key)
+}
+
+func newFileBasedFederationClient(securityTokenPath string, supplier sessionKeySupplier) (*genericFederationClient, error) {
+	return &genericFederationClient{
+		SessionKeySupplier: supplier,
+		RefreshSecurityToken: func() (token securityToken, err error) {
+			var content []byte
+			if content, err = ioutil.ReadFile(securityTokenPath); err != nil {
+				return nil, fmt.Errorf("failed to read security token from :%s. Due to: %s", securityTokenPath, err.Error())
+			}
+
+			var newToken securityToken
+			if newToken, err = newInstancePrincipalToken(string(content)); err != nil {
+				return nil, fmt.Errorf("failed to read security token from :%s. Due to: %s", securityTokenPath, err.Error())
+			}
+
+			return newToken, nil
+		},
+	}, nil
+}
+
+func newStaticFederationClient(sessionToken string, supplier sessionKeySupplier) (*genericFederationClient, error) {
+	var newToken securityToken
+	var err error
+	if newToken, err = newInstancePrincipalToken(string(sessionToken)); err != nil {
+		return nil, fmt.Errorf("failed to read security token. Due to: %s", err.Error())
+	}
+
+	return &genericFederationClient{
+		SessionKeySupplier: supplier,
+		RefreshSecurityToken: func() (token securityToken, err error) {
+			return newToken, nil
+		},
+	}, nil
+}
+
 // x509FederationClient retrieves a security token from Auth service.
 type x509FederationClient struct {
 	tenancyID                         string
@@ -197,6 +302,16 @@ func (c *x509FederationClient) getSecurityToken() (securityToken, error) {
 	return newInstancePrincipalToken(response.Token.Token)
 }
 
+func (c *x509FederationClient) GetClaim(key string) (interface{}, error) {
+	c.mux.Lock()
+	defer c.mux.Unlock()
+
+	if err := c.renewSecurityTokenIfNotValid(); err != nil {
+		return nil, err
+	}
+	return c.securityToken.GetClaim(key)
+}
+
 type x509FederationRequest struct {
 	X509FederationDetails `contributesTo:"body"`
 }
@@ -249,6 +364,103 @@ type sessionKeySupplier interface {
 	PublicKeyPemRaw() []byte
 }
 
+//genericKeySupplier implements sessionKeySupplier and provides an arbitrary refresh mechanism
+type genericKeySupplier struct {
+	RefreshFn func() (*rsa.PrivateKey, []byte, error)
+
+	privateKey      *rsa.PrivateKey
+	publicKeyPemRaw []byte
+}
+
+func (s genericKeySupplier) PrivateKey() *rsa.PrivateKey {
+	if s.privateKey == nil {
+		return nil
+	}
+
+	c := *s.privateKey
+	return &c
+}
+
+func (s genericKeySupplier) PublicKeyPemRaw() []byte {
+	if s.publicKeyPemRaw == nil {
+		return nil
+	}
+
+	c := make([]byte, len(s.publicKeyPemRaw))
+	copy(c, s.publicKeyPemRaw)
+	return c
+}
+
+func (s *genericKeySupplier) Refresh() (err error) {
+	privateKey, publicPem, err := s.RefreshFn()
+	if err != nil {
+		return err
+	}
+
+	s.privateKey = privateKey
+	s.publicKeyPemRaw = publicPem
+	return nil
+}
+
+// create a sessionKeySupplier that reads keys from file every time it refreshes
+func newFileBasedKeySessionSupplier(privateKeyPemPath string, passphrasePath *string) (*genericKeySupplier, error) {
+	return &genericKeySupplier{
+		RefreshFn: func() (*rsa.PrivateKey, []byte, error) {
+			var err error
+			var passContent []byte
+			if passphrasePath != nil {
+				if passContent, err = ioutil.ReadFile(*passphrasePath); err != nil {
+					return nil, nil, fmt.Errorf("can not read passphrase from file: %s, due to %s", *passphrasePath, err.Error())
+				}
+			}
+
+			var keyPemContent []byte
+			if keyPemContent, err = ioutil.ReadFile(privateKeyPemPath); err != nil {
+				return nil, nil, fmt.Errorf("can not read private privateKey pem from file: %s, due to %s", privateKeyPemPath, err.Error())
+			}
+
+			var privateKey *rsa.PrivateKey
+			if privateKey, err = common.PrivateKeyFromBytesWithPassword(keyPemContent, passContent); err != nil {
+				return nil, nil, fmt.Errorf("can not create private privateKey from contents of: %s, due to: %s", privateKeyPemPath, err.Error())
+			}
+
+			var publicKeyAsnBytes []byte
+			if publicKeyAsnBytes, err = x509.MarshalPKIXPublicKey(privateKey.Public()); err != nil {
+				return nil, nil, fmt.Errorf("failed to marshal the public part of the new keypair: %s", err.Error())
+			}
+			publicKeyPemRaw := pem.EncodeToMemory(&pem.Block{
+				Type:  "PUBLIC KEY",
+				Bytes: publicKeyAsnBytes,
+			})
+			return privateKey, publicKeyPemRaw, nil
+		},
+	}, nil
+}
+
+func newStaticKeySessionSupplier(privateKeyPemContent, passphrase []byte) (*genericKeySupplier, error) {
+	var err error
+	var privateKey *rsa.PrivateKey
+
+	if privateKey, err = common.PrivateKeyFromBytesWithPassword(privateKeyPemContent, passphrase); err != nil {
+		return nil, fmt.Errorf("can not create private privateKey, due to: %s", err.Error())
+	}
+
+	var publicKeyAsnBytes []byte
+	if publicKeyAsnBytes, err = x509.MarshalPKIXPublicKey(privateKey.Public()); err != nil {
+		return nil, fmt.Errorf("failed to marshal the public part of the new keypair: %s", err.Error())
+	}
+	publicKeyPemRaw := pem.EncodeToMemory(&pem.Block{
+		Type:  "PUBLIC KEY",
+		Bytes: publicKeyAsnBytes,
+	})
+
+	return &genericKeySupplier{
+		RefreshFn: func() (key *rsa.PrivateKey, bytes []byte, err error) {
+			return privateKey, publicKeyPemRaw, nil
+		},
+	}, nil
+}
+
 // inMemorySessionKeySupplier implements sessionKeySupplier to vend an RSA keypair.
 // Refresh() generates a new RSA keypair with a random source, and keeps it in memory.
 //
@@ -311,6 +523,8 @@ func (s *inMemorySessionKeySupplier) PublicKeyPemRaw() []byte {
 type securityToken interface {
 	fmt.Stringer
 	Valid() bool
+
+	ClaimHolder
 }
 
 type instancePrincipalToken struct {
@@ -333,3 +547,15 @@ func (t *instancePrincipalToken) String() string {
 func (t *instancePrincipalToken) Valid() bool {
 	return !t.jwtToken.expired()
 }
+
+var (
+	// ErrNoSuchClaim is returned when a token does not hold the claim sought
+	ErrNoSuchClaim = errors.New("no such claim")
+)
+
+func (t *instancePrincipalToken) GetClaim(key string) (interface{}, error) {
+	if value, ok := t.jwtToken.payload[key]; ok {
+		return value, nil
+	}
+	return nil, ErrNoSuchClaim
+}

common/auth/federation_client_test.go

@@ -559,3 +559,8 @@ func (m *mockSecurityToken) Valid() bool {
 	args := m.Called()
 	return args.Bool(0)
 }
+
+func (m *mockSecurityToken) GetClaim(key string) (interface{}, error) {
+	args := m.Called(key)
+	return args.Get(0), args.Error(1)
+}

common/auth/instance_principal_key_provider_test.go

@@ -118,3 +118,8 @@ func (m *mockFederationClient) SecurityToken() (string, error) {
 	args := m.Called()
 	return args.String(0), args.Error(1)
 }
+
+func (m *mockFederationClient) GetClaim(key string) (interface{}, error) {
+	args := m.Called(key)
+	return args.Get(0), args.Error(1)
+}