Class: JwtAuthCognito::SSMService

Inherits:

Object

• Object
• JwtAuthCognito::SSMService

Defined in:

lib/jwt_auth_cognito/ssm_service.rb

Class Attribute Summary

• .certificate_cache ⇒ Object

  Returns the value of attribute certificate_cache.

• .client ⇒ Object

  Returns the value of attribute client.

Class Method Summary

• .cache_stats ⇒ Object

  Gets cache stats.

• .clear_cache ⇒ Object

  Clears the certificate cache.

• .get_ca_certificate(cert_path, cert_name) ⇒ Object

  Gets a certificate from AWS Parameter Store (compatible with auth-service) Uses the same path pattern: /$cert_path/$cert_name.

• .get_client ⇒ Object

  Initialize the SSM client with comprehensive AWS configuration.

• .get_parameter(parameter_name, with_decryption = true) ⇒ Object

  Gets a parameter from AWS Parameter Store.

Class Attribute Details

.certificate_cache ⇒ Object

Returns the value of attribute certificate_cache.

# File 'lib/jwt_auth_cognito/ssm_service.rb', line 11

def certificate_cache
  @certificate_cache
end

.client ⇒ Object

Returns the value of attribute client.

# File 'lib/jwt_auth_cognito/ssm_service.rb', line 11

def client
  @client
end

Class Method Details

.cache_stats ⇒ Object

Gets cache stats

# File 'lib/jwt_auth_cognito/ssm_service.rb', line 123

def self.cache_stats
  {
    size: @certificate_cache.size,
    keys: @certificate_cache.keys
  }
end

.clear_cache ⇒ Object

Clears the certificate cache

# File 'lib/jwt_auth_cognito/ssm_service.rb', line 118

def self.clear_cache
  @certificate_cache.clear
end

.get_ca_certificate(cert_path, cert_name) ⇒ Object

Gets a certificate from AWS Parameter Store (compatible with auth-service) Uses the same path pattern: /$cert_path/$cert_name

# File 'lib/jwt_auth_cognito/ssm_service.rb', line 47

def self.get_ca_certificate(cert_path, cert_name)
  full_path = "/#{cert_path}/#{cert_name}"

  # Check cache first
  if @certificate_cache.key?(full_path)
    puts '📋 Using cached certificate from SSM'
    return @certificate_cache[full_path]
  end

  begin
    region = ENV['AWS_REGION'] || ENV['AWS_DEFAULT_REGION'] || 'us-east-1'
    has_credentials = !(ENV.fetch('AWS_ACCESS_KEY_ID', nil) && ENV.fetch('AWS_SECRET_ACCESS_KEY', nil)).nil?

    puts "📡 Getting certificate from Parameter Store: #{full_path}"
    puts "🌍 AWS Region: #{region}"
    puts "🔑 Credentials configured: #{has_credentials ? 'Yes' : 'No (using IAM role/profile)'}"

    client = get_client
    response = client.get_parameter({
                                      name: full_path,
                                      with_decryption: true
                                    })

    raise ConfigurationError, "Certificate parameter not found or invalid: #{full_path}" unless response.parameter&.value

    # Cache the certificate
    @certificate_cache[full_path] = response.parameter.value
    puts '✅ Certificate obtained from SSM and cached'

    response.parameter.value
  rescue Aws::SSM::Errors::ParameterNotFound
    raise ConfigurationError, "Certificate parameter not found: #{full_path}"
  rescue Aws::SSM::Errors::ServiceError => e
    puts "❌ Error getting certificate from SSM (#{full_path}): #{e.message}"
    raise ConfigurationError, "Error accessing SSM: #{e.message}"
  rescue StandardError => e
    puts "❌ Error getting certificate from SSM (#{full_path}): #{e.message}"
    raise e
  end
end

.get_client ⇒ Object

Initialize the SSM client with comprehensive AWS configuration

# File 'lib/jwt_auth_cognito/ssm_service.rb', line 18

def self.get_client
  @client ||= begin
    require 'aws-sdk-ssm'

    client_config = {
      region: ENV['AWS_REGION'] || ENV['AWS_DEFAULT_REGION'] || 'us-east-1'
    }

    # Add credentials if provided
    if ENV['AWS_ACCESS_KEY_ID'] && ENV['AWS_SECRET_ACCESS_KEY']
      client_config[:credentials] = Aws::Credentials.new(
        ENV['AWS_ACCESS_KEY_ID'],
        ENV['AWS_SECRET_ACCESS_KEY'],
        ENV.fetch('AWS_SESSION_TOKEN', nil)
      )
    end

    # Add endpoint if provided (for custom endpoints)
    client_config[:endpoint] = ENV['AWS_SSM_ENDPOINT'] if ENV['AWS_SSM_ENDPOINT']

    Aws::SSM::Client.new(client_config)
  end
rescue LoadError
  raise ConfigurationError,
        "aws-sdk-ssm gem is required for SSM functionality. Add 'gem \"aws-sdk-ssm\"' to your Gemfile"
end

.get_parameter(parameter_name, with_decryption = true) ⇒ Object

Gets a parameter from AWS Parameter Store

# File 'lib/jwt_auth_cognito/ssm_service.rb', line 89

def self.get_parameter(parameter_name, with_decryption = true)
  # Check cache first
  return @certificate_cache[parameter_name] if @certificate_cache.key?(parameter_name)

  begin
    client = get_client
    response = client.get_parameter({
                                      name: parameter_name,
                                      with_decryption: with_decryption
                                    })

    raise ConfigurationError, "Parameter not found or invalid: #{parameter_name}" unless response.parameter&.value

    # Cache the parameter
    @certificate_cache[parameter_name] = response.parameter.value

    response.parameter.value
  rescue Aws::SSM::Errors::ParameterNotFound
    raise ConfigurationError, "Parameter not found: #{parameter_name}"
  rescue Aws::SSM::Errors::ServiceError => e
    puts "❌ Error getting parameter from SSM (#{parameter_name}): #{e.message}"
    raise ConfigurationError, "Error accessing SSM: #{e.message}"
  rescue StandardError => e
    puts "❌ Error getting parameter from SSM (#{parameter_name}): #{e.message}"
    raise e
  end
end