diff --git a/.changelog/96240bbb6b5341a0a5e40055b0222be0.json b/.changelog/96240bbb6b5341a0a5e40055b0222be0.json new file mode 100644 index 00000000000..be1dc2a7ade --- /dev/null +++ b/.changelog/96240bbb6b5341a0a5e40055b0222be0.json @@ -0,0 +1,8 @@ +{ + "id": "96240bbb-6b53-41a0-a5e4-0055b0222be0", + "type": "release", + "description": "Add Aurora DSQL Auth Token Generator", + "modules": [ + "feature/dsql/auth" + ] +} \ No newline at end of file diff --git a/feature/dsql/auth/LICENSE.txt b/feature/dsql/auth/LICENSE.txt new file mode 100644 index 00000000000..d6456956733 --- /dev/null +++ b/feature/dsql/auth/LICENSE.txt @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/feature/dsql/auth/auth_token_generator.go b/feature/dsql/auth/auth_token_generator.go new file mode 100644 index 00000000000..65709efca6f --- /dev/null +++ b/feature/dsql/auth/auth_token_generator.go @@ -0,0 +1,121 @@ +package auth + +import ( + "context" + "fmt" + "net/http" + "net/url" + "strconv" + "strings" + "time" + + "github.com/aws/aws-sdk-go-v2/aws" + v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4" + "github.com/aws/aws-sdk-go-v2/internal/sdk" +) + +const ( + vendorCode = "dsql" + emptyPayloadHash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" + userAction = "DbConnect" + adminUserAction = "DbConnectAdmin" +) + +// TokenOptions is the optional set of configuration properties for AuthToken +type TokenOptions struct { + ExpiresIn time.Duration +} + +// GenerateDbConnectAuthToken generates an authentication token for IAM authentication to a DSQL database +// +// This is the regular user variant, see [GenerateDBConnectAdminAuthToken] for the admin variant +// +// * endpoint - Endpoint is the hostname to connect to the database +// * region - Region is where the database is located +// * creds - Credentials to use when signing the token +func GenerateDbConnectAuthToken(ctx context.Context, endpoint, region string, creds aws.CredentialsProvider, optFns ...func(options *TokenOptions)) (string, error) { + values := url.Values{ + "Action": []string{userAction}, + } + return generateAuthToken(ctx, endpoint, region, values, vendorCode, creds, optFns...) +} + +// GenerateDBConnectAdminAuthToken Generates an admin authentication token for IAM authentication to a DSQL database. +// +// This is the admin user variant, see [GenerateDbConnectAuthToken] for the regular user variant +// +// * endpoint - Endpoint is the hostname to connect to the database +// * region - Region is where the database is located +// * creds - Credentials to use when signing the token +func GenerateDBConnectAdminAuthToken(ctx context.Context, endpoint, region string, creds aws.CredentialsProvider, optFns ...func(options *TokenOptions)) (string, error) { + values := url.Values{ + "Action": []string{adminUserAction}, + } + return generateAuthToken(ctx, endpoint, region, values, vendorCode, creds, optFns...) +} + +// All generate token functions are presigned URLs behind the scenes with the scheme stripped. +// This function abstracts generating this for all use cases +func generateAuthToken(ctx context.Context, endpoint, region string, values url.Values, signingID string, creds aws.CredentialsProvider, optFns ...func(options *TokenOptions)) (string, error) { + if len(region) == 0 { + return "", fmt.Errorf("region is required") + } + if len(endpoint) == 0 { + return "", fmt.Errorf("endpoint is required") + } + + o := TokenOptions{} + + for _, fn := range optFns { + fn(&o) + } + + if o.ExpiresIn == 0 { + o.ExpiresIn = 15 * time.Minute + } + + if creds == nil { + return "", fmt.Errorf("credetials provider must not ne nil") + } + + // the scheme is arbitrary and is only needed because validation of the URL requires one. + if !(strings.HasPrefix(endpoint, "http://") || strings.HasPrefix(endpoint, "https://")) { + endpoint = "https://" + endpoint + } + + req, err := http.NewRequest("GET", endpoint, nil) + if err != nil { + return "", err + } + req.URL.RawQuery = values.Encode() + signer := v4.NewSigner() + + credentials, err := creds.Retrieve(ctx) + if err != nil { + return "", err + } + + expires := o.ExpiresIn + // if credentials expire before expiresIn, set that as the expiration time + if credentials.CanExpire && !credentials.Expires.IsZero() { + credsExpireIn := credentials.Expires.Sub(sdk.NowTime()) + expires = min(o.ExpiresIn, credsExpireIn) + } + query := req.URL.Query() + query.Set("X-Amz-Expires", strconv.Itoa(int(expires.Seconds()))) + req.URL.RawQuery = query.Encode() + + signedURI, _, err := signer.PresignHTTP(ctx, credentials, req, emptyPayloadHash, signingID, region, sdk.NowTime().UTC()) + if err != nil { + return "", err + } + + url := signedURI + if strings.HasPrefix(url, "http://") { + url = url[len("http://"):] + } else if strings.HasPrefix(url, "https://") { + url = url[len("https://"):] + } + + return url, nil +} diff --git a/feature/dsql/auth/auth_token_generator_test.go b/feature/dsql/auth/auth_token_generator_test.go new file mode 100644 index 00000000000..32ea9d7b240 --- /dev/null +++ b/feature/dsql/auth/auth_token_generator_test.go @@ -0,0 +1,159 @@ +package auth + +import ( + "context" + "net/url" + "strings" + "testing" + "time" + + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/internal/sdk" +) + +type dbTokenTestCase struct { + endpoint string + region string + expires time.Duration + credsExpireIn time.Duration + expectedHost string + expectedQueryParams []string + expectedError string +} + +type tokenGenFunc func(ctx context.Context, endpoint, region string, creds aws.CredentialsProvider, optFns ...func(options *TokenOptions)) (string, error) + +func TestGenerateDbConnectAuthToken(t *testing.T) { + cases := map[string]dbTokenTestCase{ + "no region": { + endpoint: "https://oo0bar1baz2quux3quuux4.dsql.us-east-1.on.aws", + expectedError: "no region", + }, + "no endpoint": { + region: "us-west-2", + expectedError: "endpoint is required", + }, + "endpoint with scheme": { + endpoint: "https://oo0bar1baz2quux3quuux4.dsql.us-east-1.on.aws", + region: "us-east-1", + expectedHost: "oo0bar1baz2quux3quuux4.dsql.us-east-1.on.aws", + expectedQueryParams: []string{"Action=DbConnect"}, + }, + "endpoint without scheme": { + endpoint: "oo0bar1baz2quux3quuux4.dsql.us-east-1.on.aws", + region: "us-east-1", + expectedHost: "oo0bar1baz2quux3quuux4.dsql.us-east-1.on.aws", + expectedQueryParams: []string{"Action=DbConnect"}, + }, + "endpoint with region and expires": { + endpoint: "peccy.dsql.us-east-1.on.aws", + region: "us-east-1", + expires: time.Second * 450, + expectedHost: "peccy.dsql.us-east-1.on.aws", + expectedQueryParams: []string{ + "Action=DbConnect", + "X-Amz-Algorithm=AWS4-HMAC-SHA256", + "X-Amz-Credential=akid/20240827/us-east-1/dsql/aws4_request", + "X-Amz-Date=20240827T000000Z", + "X-Amz-Expires=450"}, + }, + "pick credential expires when less than expires": { + endpoint: "peccy.dsql.us-east-1.on.aws", + region: "us-east-1", + credsExpireIn: time.Second * 100, + expires: time.Second * 450, + expectedHost: "peccy.dsql.us-east-1.on.aws", + expectedQueryParams: []string{ + "Action=DbConnect", + "X-Amz-Algorithm=AWS4-HMAC-SHA256", + "X-Amz-Credential=akid/20240827/us-east-1/dsql/aws4_request", + "X-Amz-Date=20240827T000000Z", + "X-Amz-Expires=100"}, + }, + } + + for _, c := range cases { + creds := &staticCredentials{AccessKey: "akid", SecretKey: "secret", expiresIn: c.credsExpireIn} + defer withTempGlobalTime(time.Date(2024, time.August, 27, 0, 0, 0, 0, time.UTC))() + optFns := func(options *TokenOptions) {} + if c.expires != 0 { + optFns = func(options *TokenOptions) { + options.ExpiresIn = c.expires + } + } + verifyTestCase(GenerateDbConnectAuthToken, c, creds, optFns, t) + + // Update the test case to use Admin variant + updated := []string{} + for _, part := range c.expectedQueryParams { + if part == "Action=DbConnect" { + part = "Action=DbConnectAdmin" + } + updated = append(updated, part) + } + c.expectedQueryParams = updated + + verifyTestCase(GenerateDBConnectAdminAuthToken, c, creds, optFns, t) + } +} + +func verifyTestCase(f tokenGenFunc, c dbTokenTestCase, creds aws.CredentialsProvider, optFns func(options *TokenOptions), t *testing.T) { + token, err := f(context.Background(), c.endpoint, c.region, creds, optFns) + isErrorExpected := len(c.expectedError) > 0 + if err != nil && !isErrorExpected { + t.Fatalf("expect no err, got: %v", err) + } else if err == nil && isErrorExpected { + t.Fatalf("Expected error %v got none", c.expectedError) + } + // adding a scheme so we can parse it back as a URL. This is because comparing + // just direct string comparison was failing since "Action=DbConnect" is a substring or + // "Action=DBConnectAdmin" + parsed, err := url.Parse("http://" + token) + if err != nil { + t.Fatalf("Couldn't parse the token %v to URL after adding a scheme, got: %v", token, err) + } + if parsed.Host != c.expectedHost { + t.Errorf("expect host %v, got %v", c.expectedHost, parsed.Host) + } + + q := parsed.Query() + queryValuePair := map[string]any{} + for k, v := range q { + pair := k + "=" + v[0] + queryValuePair[pair] = struct{}{} + } + + for _, part := range c.expectedQueryParams { + if _, ok := queryValuePair[part]; !ok { + t.Errorf("expect part %s to be present at token %s", part, token) + } + } + if token != "" && c.expires == 0 { + if !strings.Contains(token, "X-Amz-Expires=900") { + t.Errorf("expect token to contain default X-Amz-Expires value of 900, got %v", token) + } + } +} + +type staticCredentials struct { + AccessKey, SecretKey, Session string + expiresIn time.Duration +} + +func (s *staticCredentials) Retrieve(ctx context.Context) (aws.Credentials, error) { + c := aws.Credentials{ + AccessKeyID: s.AccessKey, + SecretAccessKey: s.SecretKey, + SessionToken: s.Session, + } + if s.expiresIn != 0 { + c.CanExpire = true + c.Expires = sdk.NowTime().Add(s.expiresIn) + } + return c, nil +} + +func withTempGlobalTime(t time.Time) func() { + sdk.NowTime = func() time.Time { return t } + return func() { sdk.NowTime = time.Now } +} diff --git a/feature/dsql/auth/doc.go b/feature/dsql/auth/doc.go new file mode 100644 index 00000000000..35599b6e684 --- /dev/null +++ b/feature/dsql/auth/doc.go @@ -0,0 +1,9 @@ +// Package auth is used to generate authentication tokens for Amazon Aurora DSQL. +// +// These tokens use IAM policies to generate a token that will be used to connect +// to a database. +// +// You can see more details about it at the [official docs] +// +// [official docs]: https://docs.aws.amazon.com/aurora-dsql/latest/userguide/SECTION_authentication-token.html +package auth diff --git a/feature/dsql/auth/go.mod b/feature/dsql/auth/go.mod new file mode 100644 index 00000000000..319166bc66e --- /dev/null +++ b/feature/dsql/auth/go.mod @@ -0,0 +1,9 @@ +module github.com/aws/aws-sdk-go-v2/feature/dsql/auth + +go 1.21 + +require github.com/aws/aws-sdk-go-v2 v1.32.6 + +require github.com/aws/smithy-go v1.22.1 // indirect + +replace github.com/aws/aws-sdk-go-v2 => ../../../ diff --git a/feature/dsql/auth/go.sum b/feature/dsql/auth/go.sum new file mode 100644 index 00000000000..bd2678891af --- /dev/null +++ b/feature/dsql/auth/go.sum @@ -0,0 +1,2 @@ +github.com/aws/smithy-go v1.22.1 h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro= +github.com/aws/smithy-go v1.22.1/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= diff --git a/feature/dsql/auth/go_module_metadata.go b/feature/dsql/auth/go_module_metadata.go new file mode 100644 index 00000000000..cb158fee64d --- /dev/null +++ b/feature/dsql/auth/go_module_metadata.go @@ -0,0 +1,6 @@ +// Code generated by internal/repotools/cmd/updatemodulemeta DO NOT EDIT. + +package auth + +// goModuleVersion is the tagged release for this module +const goModuleVersion = "tip"