Add support for OKE workload identity authentication in the cloud service

Author: gmfeinberg

.gitignore

@@ -2,3 +2,4 @@ target
 *.versionsBackup
 *.diff
 Fortify*
+logging.properties

CHANGELOG.md

@@ -7,6 +7,10 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/).
 ### Added
 - Cloud only: added new OCI regions (TYO, AHU, DAC, DOH, IZQ)
 - Cloud only: added use of ETag in AddReplicaRequest and DropReplicaRequest
+- Cloud only: added OKE workload identity authentication support
+ - SignatureProvider.createWithOkeWorkloadIdentity()
+ - SignatureProvider.createWithOkeWorkloadIdentity(String serviceAccountToken, Logger logger)
+ - SignatureProvider.createWithOkeWorkloadIdentity(File serviceAccountTokenFile, Logger logger)
 
 ### Fixed
 - Changed handle close to not use the Netty "quiet period" when shutting down

README.md

@@ -243,14 +243,15 @@ public class Quickstart {
     private String endpoint;
     private String service;
 
-    /* required for Instance/Resource Principal auth */
+    /* required for Instance/Resource Principal auth and OKE workload identity */
     private String compartment = null; // an OCID
 
     /* alternative cloud authorization mechanisms */
     private final static boolean useUserPrincipal = true;
     private final static boolean useInstancePrincipal = false;
     private final static boolean useResourcePrincipal = false;
     private final static boolean useSessionToken = false;
+    private final static boolean useOkeWorkloadIdentity = false;
 
     private Quickstart(String[] args) {
         /*
@@ -350,6 +351,9 @@ public class Quickstart {
                     } else if (useResourcePrincipal) {
                         authProvider =
                             SignatureProvider.createWithResourcePrincipal();
+                    } else if (useOkeWorkloadIdentity) {
+                        authProvider =
+                            SignatureProvider.createWithOkeWorkloadIdentity();
                     } else {
                         throw new IllegalArgumentException(
                             "Authorization method is required");

driver/src/main/java/oracle/nosql/driver/httpclient/HttpClient.java

@@ -111,6 +111,9 @@ public class HttpClient {
     private final SslContext sslCtx;
     private final int handshakeTimeoutMs;
 
+    /* Enable endpoint identification by default if using SSL */
+    private boolean enableEndpointIdentification = true;
+
     private final Logger logger;
 
     /*
@@ -282,6 +285,14 @@ SslContext getSslContext() {
         return sslCtx;
     }
 
+    public boolean isEndpointIdentificationEnabled() {
+        return enableEndpointIdentification;
+    }
+
+    public void disableEndpointIdentification() {
+        this.enableEndpointIdentification = false;
+    }
+
     public int getPort() {
         return port;
     }

driver/src/main/java/oracle/nosql/driver/httpclient/HttpClientChannelPoolHandler.java

@@ -72,10 +72,13 @@ public void channelCreated(Channel ch) {
             /* Enable hostname verification */
             final SslHandler sslHandler = client.getSslContext().newHandler(
                 ch.alloc(), client.getHost(), client.getPort());
-            final SSLEngine sslEngine = sslHandler.engine();
-            final SSLParameters sslParameters = sslEngine.getSSLParameters();
-            sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
-            sslEngine.setSSLParameters(sslParameters);
+
+            if (client.isEndpointIdentificationEnabled()) {
+                final SSLEngine sslEngine = sslHandler.engine();
+                final SSLParameters sslParameters = sslEngine.getSSLParameters();
+                sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
+                sslEngine.setSSLParameters(sslParameters);
+            }
             sslHandler.setHandshakeTimeoutMillis(client.getHandshakeTimeoutMs());
 
             p.addLast(sslHandler);

driver/src/main/java/oracle/nosql/driver/iam/FederationRequestHelper.java

@@ -69,7 +69,7 @@ static String getSecurityToken(HttpClient client,
                     response.getOutput()));
         }
         logTrace(logger, "Federation response " + response.getOutput());
-        return parseResponse(response.getOutput());
+        return parseTokenResponse(response.getOutput());
     }
 
     /*
@@ -168,30 +168,4 @@ private static String keyId(String tenantId, X509CertificateKeyPair pair) {
         return String.format("%s/fed-x509-sha256/%s",
                              tenantId, Utils.getFingerPrint(pair));
     }
-
-    /*
-     * Response:
-     * { "token": "...."}
-     */
-    private static String parseResponse(String response) {
-        try {
-            JsonParser parser = createParser(response);
-            if (parser.getCurrentToken() == null) {
-                parser.nextToken();
-            }
-            while (parser.getCurrentToken() != null) {
-                String field = findField(response, parser, "token");
-                if (field != null) {
-                    parser.nextToken();
-                    return parser.getText();
-                }
-            }
-            throw new IllegalStateException(
-                "Unable to find security token in " + response);
-        } catch (IOException ioe) {
-            throw new IllegalStateException(
-                "Error parsing security token " + response +
-                " " + ioe.getMessage());
-        }
-    }
 }

driver/src/main/java/oracle/nosql/driver/iam/InstanceMetadataHelper.java

@@ -0,0 +1,154 @@
+/*-
+ * Copyright (c) 2011, 2024 Oracle and/or its affiliates. All rights reserved.
+ *
+ * Licensed under the Universal Permissive License v 1.0 as shown at
+ *  https://oss.oracle.com/licenses/upl/
+ */
+
+package oracle.nosql.driver.iam;
+
+import static oracle.nosql.driver.iam.Utils.*;
+import static oracle.nosql.driver.util.HttpConstants.APPLICATION_JSON;
+import static oracle.nosql.driver.util.HttpConstants.AUTHORIZATION;
+import static oracle.nosql.driver.util.HttpConstants.CONTENT_TYPE;
+
+import java.io.IOException;
+import java.util.logging.Logger;
+
+import oracle.nosql.driver.httpclient.HttpClient;
+import oracle.nosql.driver.util.HttpRequestUtil;
+
+import com.fasterxml.jackson.core.JsonFactory;
+import com.fasterxml.jackson.core.JsonParser;
+import io.netty.handler.codec.http.DefaultHttpHeaders;
+import io.netty.handler.codec.http.HttpHeaders;
+
+/**
+ * @hidden
+ * Internal use only
+ * <p>
+ * Helper class to fetch instance metadata from metadata service URL.
+ */
+class InstanceMetadataHelper {
+    private static final JsonFactory factory = new JsonFactory();
+
+    /* Instance metadata service base URL */
+    private static final String METADATA_SERVICE_BASE_URL =
+        "http://169.254.169.254/opc/v2/";
+    private static final String FALLBACK_METADATA_SERVICE_URL =
+        "http://169.254.169.254/opc/v1/";
+
+    /* The authorization header need to send to metadata service since V2 */
+    static final String AUTHORIZATION_HEADER_VALUE = "Bearer Oracle";
+    private static final String METADATA_SERVICE_HOST =
+        "169.254.169.254";
+
+    static String getInstanceMetadaURL(String baseMetadataURL) {
+        return baseMetadataURL + "instance/";
+    }
+
+    /**
+     * Fetch the instance metadata.
+     *
+     * @param timeout request timeout
+     * @param logger logger
+     */
+    static InstanceMetadata fetchMetadata(int timeout, Logger logger) {
+        String baseMetadataURL = METADATA_SERVICE_BASE_URL;
+        String instanceMDURL = getInstanceMetadaURL(baseMetadataURL);
+        logTrace(logger, "Fetch instance metadata using " + instanceMDURL);
+        HttpClient client = null;
+        try {
+            client = HttpClient.createMinimalClient(METADATA_SERVICE_HOST,
+                80,
+                null,
+                0,
+                "InstanceMDClient",
+                logger);
+
+            HttpRequestUtil.HttpResponse response = HttpRequestUtil.doGetRequest
+                (client, instanceMDURL, headers(), timeout, logger);
+
+            int status = response.getStatusCode();
+            if (status == 404) {
+                logTrace(logger, "Falling back to v1 metadata URL, " +
+                    "resource not found from v2");
+                baseMetadataURL = FALLBACK_METADATA_SERVICE_URL;
+                instanceMDURL = getInstanceMetadaURL(baseMetadataURL);
+                response = HttpRequestUtil.doGetRequest
+                    (client, instanceMDURL, headers(), timeout, logger);
+                if (response.getStatusCode() != 200) {
+                    throw new IllegalStateException(
+                        String.format("Unable to get federation URL from" +
+                                "instance metadata " + METADATA_SERVICE_BASE_URL +
+                                " or fallback to " + FALLBACK_METADATA_SERVICE_URL +
+                                ", status code: %d, output: %s",
+                            response.getOutput()));
+                }
+            } else if (status != 200) {
+                throw new IllegalStateException(
+                    String.format("Unable to get federation URL from" +
+                            "instance metadata " + METADATA_SERVICE_BASE_URL +
+                            ", status code: %d, output: %s",
+                        response.getStatusCode(),
+                        response.getOutput()));
+            }
+
+            logTrace(logger, "Instance metadata " + response.getOutput());
+            String insRegion = findRegion(response.getOutput());
+            logTrace(logger, "Instance region " + insRegion);
+            return new InstanceMetadata(insRegion, baseMetadataURL);
+        } finally {
+            if (client != null) {
+                client.shutdown();
+            }
+        }
+    }
+
+    private static HttpHeaders headers() {
+        return new DefaultHttpHeaders()
+            .set(CONTENT_TYPE, APPLICATION_JSON)
+            .set(AUTHORIZATION, AUTHORIZATION_HEADER_VALUE);
+    }
+
+    private static String findRegion(String response) {
+        try {
+            JsonParser parser = factory.createParser(response);
+            if (parser.getCurrentToken() == null) {
+                parser.nextToken();
+            }
+            while (parser.getCurrentToken() != null) {
+                String field = findField(
+                    response, parser, "canonicalRegionName");
+                if (field != null) {
+                    parser.nextToken();
+                    return parser.getText();
+                }
+            }
+            throw new IllegalStateException(
+                "Unable to find region in instance metadata " + response);
+        } catch (IOException ioe) {
+            throw new IllegalStateException(
+                "Error parsing instance metadata in response " +
+                    response+ " " + ioe.getMessage());
+        }
+    }
+
+    static class InstanceMetadata {
+        private String region;
+        private String baseMetadataURL;
+
+        InstanceMetadata(String region, String baseMetadataURL) {
+            this.region = region;
+            this.baseMetadataURL = baseMetadataURL;
+        }
+
+        String getRegion() {
+            return region;
+        }
+
+        String getBaseURL() {
+            return baseMetadataURL;
+        }
+    }
+}