From 61271962c5fecde524fefc2dea92d363b13ce0d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20Madrigal=20=F0=9F=90=A7?= <599908+Madrigal@users.noreply.github.com> Date: Mon, 9 Dec 2024 17:51:54 -0500 Subject: [PATCH 1/9] Add DSQL Auth Token Generator --- feature/dsql/token/auth_token_generator.go | 121 +++++++++++++ .../dsql/token/auth_token_generator_test.go | 165 ++++++++++++++++++ feature/dsql/token/go.mod | 9 + feature/dsql/token/go.sum | 2 + feature/dsql/token/go_module_metadata.go | 6 + 5 files changed, 303 insertions(+) create mode 100644 feature/dsql/token/auth_token_generator.go create mode 100644 feature/dsql/token/auth_token_generator_test.go create mode 100644 feature/dsql/token/go.mod create mode 100644 feature/dsql/token/go.sum create mode 100644 feature/dsql/token/go_module_metadata.go diff --git a/feature/dsql/token/auth_token_generator.go b/feature/dsql/token/auth_token_generator.go new file mode 100644 index 00000000000..c57b9eedead --- /dev/null +++ b/feature/dsql/token/auth_token_generator.go @@ -0,0 +1,121 @@ +package token + +import ( + "context" + "fmt" + "net/http" + "net/url" + "strconv" + "strings" + "time" + + "github.com/aws/aws-sdk-go-v2/aws" + v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4" + "github.com/aws/aws-sdk-go-v2/internal/sdk" +) + +const ( + rdsClusterTokenID = "dsql" + emptyPayloadHash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" + userAction = "DbConnect" + adminUserAction = "DbConnectAdmin" +) + +// AuthTokenOptions is the optional set of configuration properties for AuthToken +type AuthTokenOptions struct { + ExpiresIn time.Duration +} + +// GenerateDbConnectAuthToken generates an authentication token for IAM authentication to a DSQL database +// +// This is the regular user variant, see [GenerateDBConnectAdminAuthToken] for the admin variant +// +// * endpoint - Endpoint is the hostname and optional port to connect to the database +// * region - Region is where the database is located +// * creds - Credentials to use when signing the token +func GenerateDbConnectAuthToken(ctx context.Context, endpoint, region string, creds aws.CredentialsProvider, optFns ...func(options *AuthTokenOptions)) (string, error) { + values := url.Values{ + "Action": []string{userAction}, + } + return generateAuthToken(ctx, endpoint, region, values, rdsClusterTokenID, creds, optFns...) +} + +// GenerateDBConnectAdminAuthToken Generates an admin authentication token for IAM authentication to a DSQL database. +// +// This is the admin user variant, see [GenerateDbConnectAuthToken] for the regular user variant +// +// * endpoint - Endpoint is the hostname and optional port to connect to the database +// * region - Region is where the database is located +// * creds - Credentials to use when signing the token +func GenerateDBConnectAdminAuthToken(ctx context.Context, endpoint, region string, creds aws.CredentialsProvider, optFns ...func(options *AuthTokenOptions)) (string, error) { + values := url.Values{ + "Action": []string{adminUserAction}, + } + return generateAuthToken(ctx, endpoint, region, values, rdsClusterTokenID, creds, optFns...) +} + +// All generate token functions are presigned URLs behind the scenes with the scheme stripped. +// This function abstracts generating this for all use cases +func generateAuthToken(ctx context.Context, endpoint, region string, values url.Values, signingID string, creds aws.CredentialsProvider, optFns ...func(options *AuthTokenOptions)) (string, error) { + if len(region) == 0 { + return "", fmt.Errorf("region is required") + } + if len(endpoint) == 0 { + return "", fmt.Errorf("endpoint is required") + } + + o := AuthTokenOptions{} + + for _, fn := range optFns { + fn(&o) + } + + if o.ExpiresIn == 0 { + o.ExpiresIn = 15 * time.Minute + } + + if creds == nil { + return "", fmt.Errorf("credetials provider must not ne nil") + } + + // the scheme is arbitrary and is only needed because validation of the URL requires one. + if !(strings.HasPrefix(endpoint, "http://") || strings.HasPrefix(endpoint, "https://")) { + endpoint = "https://" + endpoint + } + + req, err := http.NewRequest("GET", endpoint, nil) + if err != nil { + return "", err + } + req.URL.RawQuery = values.Encode() + signer := v4.NewSigner() + + credentials, err := creds.Retrieve(ctx) + if err != nil { + return "", err + } + + expires := o.ExpiresIn + // if credentials expire before expiresIn, set that as the expiration time + if credentials.CanExpire && !credentials.Expires.IsZero() { + credsExpireIn := credentials.Expires.Sub(sdk.NowTime()) + expires = min(o.ExpiresIn, credsExpireIn) + } + query := req.URL.Query() + query.Set("X-Amz-Expires", strconv.Itoa(int(expires.Seconds()))) + req.URL.RawQuery = query.Encode() + + signedURI, _, err := signer.PresignHTTP(ctx, credentials, req, emptyPayloadHash, signingID, region, sdk.NowTime().UTC()) + if err != nil { + return "", err + } + + url := signedURI + if strings.HasPrefix(url, "http://") { + url = url[len("http://"):] + } else if strings.HasPrefix(url, "https://") { + url = url[len("https://"):] + } + + return url, nil +} diff --git a/feature/dsql/token/auth_token_generator_test.go b/feature/dsql/token/auth_token_generator_test.go new file mode 100644 index 00000000000..68bb6a458c8 --- /dev/null +++ b/feature/dsql/token/auth_token_generator_test.go @@ -0,0 +1,165 @@ +package token + +import ( + "context" + "net/url" + "strings" + "testing" + "time" + + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/internal/sdk" +) + +type dbTokenTestCase struct { + endpoint string + region string + expires time.Duration + credsExpireIn time.Duration + expectedHost string + expectedQueryParams []string + expectedError string +} + +type tokenGenFunc func(ctx context.Context, endpoint, region string, creds aws.CredentialsProvider, optFns ...func(options *AuthTokenOptions)) (string, error) + +func TestGenerateDbConnectAuthToken(t *testing.T) { + cases := map[string]dbTokenTestCase{ + "no region": { + endpoint: "https://prod-instance.us-east-1.rds.amazonaws.com:3306", + expectedError: "no region", + }, + "no endpoint": { + region: "us-west-2", + expectedError: "port", + }, + "endpoint with scheme": { + endpoint: "https://prod-instance.us-east-1.rds.amazonaws.com:3306", + region: "us-east-1", + expectedHost: "prod-instance.us-east-1.rds.amazonaws.com:3306", + expectedQueryParams: []string{"Action=DbConnect"}, + }, + "endpoint without scheme": { + endpoint: "prod-instance.us-east-1.rds.amazonaws.com:3306", + region: "us-east-1", + expectedHost: "prod-instance.us-east-1.rds.amazonaws.com:3306", + expectedQueryParams: []string{"Action=DbConnect"}, + }, + "endpoint without port": { + endpoint: "prod-instance.us-east-1.rds.amazonaws.com", + region: "us-east-1", + expectedHost: "prod-instance.us-east-1.rds.amazonaws.com", + expectedQueryParams: []string{"Action=DbConnect"}, + }, + "endpoint with region and expires": { + endpoint: "peccy.dsql.us-east-1.on.aws", + region: "us-east-1", + expires: time.Second * 450, + expectedHost: "peccy.dsql.us-east-1.on.aws", + expectedQueryParams: []string{ + "Action=DbConnect", + "X-Amz-Algorithm=AWS4-HMAC-SHA256", + "X-Amz-Credential=akid/20240827/us-east-1/dsql/aws4_request", + "X-Amz-Date=20240827T000000Z", + "X-Amz-Expires=450"}, + }, + "pick credential expires when less than expires": { + endpoint: "peccy.dsql.us-east-1.on.aws", + region: "us-east-1", + credsExpireIn: time.Second * 100, + expires: time.Second * 450, + expectedHost: "peccy.dsql.us-east-1.on.aws", + expectedQueryParams: []string{ + "Action=DbConnect", + "X-Amz-Algorithm=AWS4-HMAC-SHA256", + "X-Amz-Credential=akid/20240827/us-east-1/dsql/aws4_request", + "X-Amz-Date=20240827T000000Z", + "X-Amz-Expires=100"}, + }, + } + + for _, c := range cases { + creds := &staticCredentials{AccessKey: "akid", SecretKey: "secret", expiresIn: c.credsExpireIn} + defer withTempGlobalTime(time.Date(2024, time.August, 27, 0, 0, 0, 0, time.UTC))() + optFns := func(options *AuthTokenOptions) {} + if c.expires != 0 { + optFns = func(options *AuthTokenOptions) { + options.ExpiresIn = c.expires + } + } + verifyTestCase(GenerateDbConnectAuthToken, c, creds, optFns, t) + + // Update the test case to use Superuser variant + updated := []string{} + for _, part := range c.expectedQueryParams { + if part == "Action=DbConnect" { + part = "Action=DbConnectAdmin" + } + updated = append(updated, part) + } + c.expectedQueryParams = updated + + verifyTestCase(GenerateDBConnectAdminAuthToken, c, creds, optFns, t) + } +} + +func verifyTestCase(f tokenGenFunc, c dbTokenTestCase, creds aws.CredentialsProvider, optFns func(options *AuthTokenOptions), t *testing.T) { + token, err := f(context.Background(), c.endpoint, c.region, creds, optFns) + isErrorExpected := len(c.expectedError) > 0 + if err != nil && !isErrorExpected { + t.Fatalf("expect no err, got: %v", err) + } else if err == nil && isErrorExpected { + t.Fatalf("Expected error %v got none", c.expectedError) + } + // adding a scheme so we can parse it back as a URL. This is because comparing + // just direct string comparison was failing since "Action=DbConnect" is a substring or + // "Action=DBConnectSuperuser" + parsed, err := url.Parse("http://" + token) + if err != nil { + t.Fatalf("Couldn't parse the token %v to URL after adding a scheme, got: %v", token, err) + } + if parsed.Host != c.expectedHost { + t.Errorf("expect host %v, got %v", c.expectedHost, parsed.Host) + } + + q := parsed.Query() + queryValuePair := map[string]any{} + for k, v := range q { + pair := k + "=" + v[0] + queryValuePair[pair] = struct{}{} + } + + for _, part := range c.expectedQueryParams { + if _, ok := queryValuePair[part]; !ok { + t.Errorf("expect part %s to be present at token %s", part, token) + } + } + if token != "" && c.expires == 0 { + if !strings.Contains(token, "X-Amz-Expires=900") { + t.Errorf("expect token to contain default X-Amz-Expires value of 900, got %v", token) + } + } +} + +type staticCredentials struct { + AccessKey, SecretKey, Session string + expiresIn time.Duration +} + +func (s *staticCredentials) Retrieve(ctx context.Context) (aws.Credentials, error) { + c := aws.Credentials{ + AccessKeyID: s.AccessKey, + SecretAccessKey: s.SecretKey, + SessionToken: s.Session, + } + if s.expiresIn != 0 { + c.CanExpire = true + c.Expires = sdk.NowTime().Add(s.expiresIn) + } + return c, nil +} + +func withTempGlobalTime(t time.Time) func() { + sdk.NowTime = func() time.Time { return t } + return func() { sdk.NowTime = time.Now } +} diff --git a/feature/dsql/token/go.mod b/feature/dsql/token/go.mod new file mode 100644 index 00000000000..ab7c71faadd --- /dev/null +++ b/feature/dsql/token/go.mod @@ -0,0 +1,9 @@ +module github.com/aws/aws-sdk-go-v2/feature/dsql/token + +go 1.21 + +require github.com/aws/aws-sdk-go-v2 v1.32.6 + +require github.com/aws/smithy-go v1.22.1 // indirect + +replace github.com/aws/aws-sdk-go-v2 => ../../../ diff --git a/feature/dsql/token/go.sum b/feature/dsql/token/go.sum new file mode 100644 index 00000000000..bd2678891af --- /dev/null +++ b/feature/dsql/token/go.sum @@ -0,0 +1,2 @@ +github.com/aws/smithy-go v1.22.1 h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro= +github.com/aws/smithy-go v1.22.1/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= diff --git a/feature/dsql/token/go_module_metadata.go b/feature/dsql/token/go_module_metadata.go new file mode 100644 index 00000000000..f6d900e1974 --- /dev/null +++ b/feature/dsql/token/go_module_metadata.go @@ -0,0 +1,6 @@ +// Code generated by internal/repotools/cmd/updatemodulemeta DO NOT EDIT. + +package token + +// goModuleVersion is the tagged release for this module +const goModuleVersion = "1.0.0" From 8e142bbd0d16a5889b7afb4d9701d54b0c2d9b30 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20Madrigal=20=F0=9F=90=A7?= <599908+Madrigal@users.noreply.github.com> Date: Mon, 9 Dec 2024 17:52:13 -0500 Subject: [PATCH 2/9] Add license to DSQL Auth Token Generator --- feature/dsql/token/LICENSE.txt | 202 +++++++++++++++++++++++++++++++++ 1 file changed, 202 insertions(+) create mode 100644 feature/dsql/token/LICENSE.txt diff --git a/feature/dsql/token/LICENSE.txt b/feature/dsql/token/LICENSE.txt new file mode 100644 index 00000000000..d6456956733 --- /dev/null +++ b/feature/dsql/token/LICENSE.txt @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. From e7c3ba2c24cf738477904fee5bd0e3c972d42935 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20Madrigal=20=F0=9F=90=A7?= <599908+Madrigal@users.noreply.github.com> Date: Mon, 9 Dec 2024 17:52:34 -0500 Subject: [PATCH 3/9] Add package documentation to DSQL Auth Token Generator --- feature/dsql/token/doc.go | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 feature/dsql/token/doc.go diff --git a/feature/dsql/token/doc.go b/feature/dsql/token/doc.go new file mode 100644 index 00000000000..2b209f9eb31 --- /dev/null +++ b/feature/dsql/token/doc.go @@ -0,0 +1,9 @@ +// Package token is used to generate authentication tokens for Amazon Aurora DSQL. +// +// These tokens use IAM policies to generate a token that will be used to connect +// to a database. +// +// You can see more details about it at the [official docs] +// +// [official docs]: https://docs.aws.amazon.com/aurora-dsql/latest/userguide/SECTION_authentication-token.html +package token From 8c88437f9e6cc64e6492f1033c6193a46c0c7824 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20Madrigal=20=F0=9F=90=A7?= <599908+Madrigal@users.noreply.github.com> Date: Mon, 9 Dec 2024 18:05:13 -0500 Subject: [PATCH 4/9] Add changelog --- .changelog/96240bbb6b5341a0a5e40055b0222be0.json | 8 ++++++++ feature/dsql/token/CHANGELOG.md | 4 ++++ 2 files changed, 12 insertions(+) create mode 100644 .changelog/96240bbb6b5341a0a5e40055b0222be0.json create mode 100644 feature/dsql/token/CHANGELOG.md diff --git a/.changelog/96240bbb6b5341a0a5e40055b0222be0.json b/.changelog/96240bbb6b5341a0a5e40055b0222be0.json new file mode 100644 index 00000000000..0ba604b63ea --- /dev/null +++ b/.changelog/96240bbb6b5341a0a5e40055b0222be0.json @@ -0,0 +1,8 @@ +{ + "id": "96240bbb-6b53-41a0-a5e4-0055b0222be0", + "type": "release", + "description": "Add DSQL Auth Token Generator", + "modules": [ + "feature/dsql/token" + ] +} \ No newline at end of file diff --git a/feature/dsql/token/CHANGELOG.md b/feature/dsql/token/CHANGELOG.md new file mode 100644 index 00000000000..978b3f50463 --- /dev/null +++ b/feature/dsql/token/CHANGELOG.md @@ -0,0 +1,4 @@ +# v1.0.0 (2024-12-09) + +* **Release**: Add DSQL Auth Token Generator + From 11fd9ee3a52d6543435cb2c5cb524503ae22e73f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20Madrigal=20=F0=9F=90=A7?= <599908+Madrigal@users.noreply.github.com> Date: Mon, 9 Dec 2024 19:31:10 -0500 Subject: [PATCH 5/9] Address feedback from PR --- .../96240bbb6b5341a0a5e40055b0222be0.json | 2 +- feature/dsql/token/CHANGELOG.md | 2 +- feature/dsql/token/auth_token_generator.go | 12 +++++------ .../dsql/token/auth_token_generator_test.go | 20 +++++++++---------- 4 files changed, 18 insertions(+), 18 deletions(-) diff --git a/.changelog/96240bbb6b5341a0a5e40055b0222be0.json b/.changelog/96240bbb6b5341a0a5e40055b0222be0.json index 0ba604b63ea..e9652c3f9c1 100644 --- a/.changelog/96240bbb6b5341a0a5e40055b0222be0.json +++ b/.changelog/96240bbb6b5341a0a5e40055b0222be0.json @@ -1,7 +1,7 @@ { "id": "96240bbb-6b53-41a0-a5e4-0055b0222be0", "type": "release", - "description": "Add DSQL Auth Token Generator", + "description": "Add Aurora DSQL Auth Token Generator", "modules": [ "feature/dsql/token" ] diff --git a/feature/dsql/token/CHANGELOG.md b/feature/dsql/token/CHANGELOG.md index 978b3f50463..b75dce794cf 100644 --- a/feature/dsql/token/CHANGELOG.md +++ b/feature/dsql/token/CHANGELOG.md @@ -1,4 +1,4 @@ # v1.0.0 (2024-12-09) -* **Release**: Add DSQL Auth Token Generator +* **Release**: Add Aurora DSQL Auth Token Generator diff --git a/feature/dsql/token/auth_token_generator.go b/feature/dsql/token/auth_token_generator.go index c57b9eedead..1efba1fe608 100644 --- a/feature/dsql/token/auth_token_generator.go +++ b/feature/dsql/token/auth_token_generator.go @@ -15,8 +15,8 @@ import ( ) const ( - rdsClusterTokenID = "dsql" - emptyPayloadHash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" + vendorCode = "dsql" + emptyPayloadHash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" userAction = "DbConnect" adminUserAction = "DbConnectAdmin" ) @@ -30,28 +30,28 @@ type AuthTokenOptions struct { // // This is the regular user variant, see [GenerateDBConnectAdminAuthToken] for the admin variant // -// * endpoint - Endpoint is the hostname and optional port to connect to the database +// * endpoint - Endpoint is the hostname to connect to the database // * region - Region is where the database is located // * creds - Credentials to use when signing the token func GenerateDbConnectAuthToken(ctx context.Context, endpoint, region string, creds aws.CredentialsProvider, optFns ...func(options *AuthTokenOptions)) (string, error) { values := url.Values{ "Action": []string{userAction}, } - return generateAuthToken(ctx, endpoint, region, values, rdsClusterTokenID, creds, optFns...) + return generateAuthToken(ctx, endpoint, region, values, vendorCode, creds, optFns...) } // GenerateDBConnectAdminAuthToken Generates an admin authentication token for IAM authentication to a DSQL database. // // This is the admin user variant, see [GenerateDbConnectAuthToken] for the regular user variant // -// * endpoint - Endpoint is the hostname and optional port to connect to the database +// * endpoint - Endpoint is the hostname to connect to the database // * region - Region is where the database is located // * creds - Credentials to use when signing the token func GenerateDBConnectAdminAuthToken(ctx context.Context, endpoint, region string, creds aws.CredentialsProvider, optFns ...func(options *AuthTokenOptions)) (string, error) { values := url.Values{ "Action": []string{adminUserAction}, } - return generateAuthToken(ctx, endpoint, region, values, rdsClusterTokenID, creds, optFns...) + return generateAuthToken(ctx, endpoint, region, values, vendorCode, creds, optFns...) } // All generate token functions are presigned URLs behind the scenes with the scheme stripped. diff --git a/feature/dsql/token/auth_token_generator_test.go b/feature/dsql/token/auth_token_generator_test.go index 68bb6a458c8..77a442e53c8 100644 --- a/feature/dsql/token/auth_token_generator_test.go +++ b/feature/dsql/token/auth_token_generator_test.go @@ -26,29 +26,29 @@ type tokenGenFunc func(ctx context.Context, endpoint, region string, creds aws.C func TestGenerateDbConnectAuthToken(t *testing.T) { cases := map[string]dbTokenTestCase{ "no region": { - endpoint: "https://prod-instance.us-east-1.rds.amazonaws.com:3306", + endpoint: "https://oo0bar1baz2quux3quuux4.dsql.us-east-1.on.aws:3306", expectedError: "no region", }, "no endpoint": { region: "us-west-2", - expectedError: "port", + expectedError: "endpoint is required", }, "endpoint with scheme": { - endpoint: "https://prod-instance.us-east-1.rds.amazonaws.com:3306", + endpoint: "https://oo0bar1baz2quux3quuux4.dsql.us-east-1.on.aws:3306", region: "us-east-1", - expectedHost: "prod-instance.us-east-1.rds.amazonaws.com:3306", + expectedHost: "oo0bar1baz2quux3quuux4.dsql.us-east-1.on.aws:3306", expectedQueryParams: []string{"Action=DbConnect"}, }, "endpoint without scheme": { - endpoint: "prod-instance.us-east-1.rds.amazonaws.com:3306", + endpoint: "oo0bar1baz2quux3quuux4.dsql.us-east-1.on.aws:3306", region: "us-east-1", - expectedHost: "prod-instance.us-east-1.rds.amazonaws.com:3306", + expectedHost: "oo0bar1baz2quux3quuux4.dsql.us-east-1.on.aws:3306", expectedQueryParams: []string{"Action=DbConnect"}, }, "endpoint without port": { - endpoint: "prod-instance.us-east-1.rds.amazonaws.com", + endpoint: "oo0bar1baz2quux3quuux4.dsql.us-east-1.on.aws", region: "us-east-1", - expectedHost: "prod-instance.us-east-1.rds.amazonaws.com", + expectedHost: "oo0bar1baz2quux3quuux4.dsql.us-east-1.on.aws", expectedQueryParams: []string{"Action=DbConnect"}, }, "endpoint with region and expires": { @@ -89,7 +89,7 @@ func TestGenerateDbConnectAuthToken(t *testing.T) { } verifyTestCase(GenerateDbConnectAuthToken, c, creds, optFns, t) - // Update the test case to use Superuser variant + // Update the test case to use Admin variant updated := []string{} for _, part := range c.expectedQueryParams { if part == "Action=DbConnect" { @@ -113,7 +113,7 @@ func verifyTestCase(f tokenGenFunc, c dbTokenTestCase, creds aws.CredentialsProv } // adding a scheme so we can parse it back as a URL. This is because comparing // just direct string comparison was failing since "Action=DbConnect" is a substring or - // "Action=DBConnectSuperuser" + // "Action=DBConnectAdmin" parsed, err := url.Parse("http://" + token) if err != nil { t.Fatalf("Couldn't parse the token %v to URL after adding a scheme, got: %v", token, err) From 6b1878462618a1d740aaef67d767448003755d35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20Madrigal=20=F0=9F=90=A7?= <599908+Madrigal@users.noreply.github.com> Date: Mon, 9 Dec 2024 20:06:53 -0500 Subject: [PATCH 6/9] Rename feature/dsql/token to feature/dsql/auth --- feature/dsql/{token => auth}/CHANGELOG.md | 0 feature/dsql/{token => auth}/LICENSE.txt | 0 .../{token => auth}/auth_token_generator.go | 18 +++++++++--------- .../auth_token_generator_test.go | 10 +++++----- feature/dsql/{token => auth}/doc.go | 4 ++-- feature/dsql/{token => auth}/go.mod | 2 +- feature/dsql/{token => auth}/go.sum | 0 .../dsql/{token => auth}/go_module_metadata.go | 4 ++-- 8 files changed, 19 insertions(+), 19 deletions(-) rename feature/dsql/{token => auth}/CHANGELOG.md (100%) rename feature/dsql/{token => auth}/LICENSE.txt (100%) rename feature/dsql/{token => auth}/auth_token_generator.go (90%) rename feature/dsql/{token => auth}/auth_token_generator_test.go (94%) rename feature/dsql/{token => auth}/doc.go (74%) rename feature/dsql/{token => auth}/go.mod (74%) rename feature/dsql/{token => auth}/go.sum (100%) rename feature/dsql/{token => auth}/go_module_metadata.go (74%) diff --git a/feature/dsql/token/CHANGELOG.md b/feature/dsql/auth/CHANGELOG.md similarity index 100% rename from feature/dsql/token/CHANGELOG.md rename to feature/dsql/auth/CHANGELOG.md diff --git a/feature/dsql/token/LICENSE.txt b/feature/dsql/auth/LICENSE.txt similarity index 100% rename from feature/dsql/token/LICENSE.txt rename to feature/dsql/auth/LICENSE.txt diff --git a/feature/dsql/token/auth_token_generator.go b/feature/dsql/auth/auth_token_generator.go similarity index 90% rename from feature/dsql/token/auth_token_generator.go rename to feature/dsql/auth/auth_token_generator.go index 1efba1fe608..65709efca6f 100644 --- a/feature/dsql/token/auth_token_generator.go +++ b/feature/dsql/auth/auth_token_generator.go @@ -1,4 +1,4 @@ -package token +package auth import ( "context" @@ -17,12 +17,12 @@ import ( const ( vendorCode = "dsql" emptyPayloadHash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" - userAction = "DbConnect" - adminUserAction = "DbConnectAdmin" + userAction = "DbConnect" + adminUserAction = "DbConnectAdmin" ) -// AuthTokenOptions is the optional set of configuration properties for AuthToken -type AuthTokenOptions struct { +// TokenOptions is the optional set of configuration properties for AuthToken +type TokenOptions struct { ExpiresIn time.Duration } @@ -33,7 +33,7 @@ type AuthTokenOptions struct { // * endpoint - Endpoint is the hostname to connect to the database // * region - Region is where the database is located // * creds - Credentials to use when signing the token -func GenerateDbConnectAuthToken(ctx context.Context, endpoint, region string, creds aws.CredentialsProvider, optFns ...func(options *AuthTokenOptions)) (string, error) { +func GenerateDbConnectAuthToken(ctx context.Context, endpoint, region string, creds aws.CredentialsProvider, optFns ...func(options *TokenOptions)) (string, error) { values := url.Values{ "Action": []string{userAction}, } @@ -47,7 +47,7 @@ func GenerateDbConnectAuthToken(ctx context.Context, endpoint, region string, cr // * endpoint - Endpoint is the hostname to connect to the database // * region - Region is where the database is located // * creds - Credentials to use when signing the token -func GenerateDBConnectAdminAuthToken(ctx context.Context, endpoint, region string, creds aws.CredentialsProvider, optFns ...func(options *AuthTokenOptions)) (string, error) { +func GenerateDBConnectAdminAuthToken(ctx context.Context, endpoint, region string, creds aws.CredentialsProvider, optFns ...func(options *TokenOptions)) (string, error) { values := url.Values{ "Action": []string{adminUserAction}, } @@ -56,7 +56,7 @@ func GenerateDBConnectAdminAuthToken(ctx context.Context, endpoint, region strin // All generate token functions are presigned URLs behind the scenes with the scheme stripped. // This function abstracts generating this for all use cases -func generateAuthToken(ctx context.Context, endpoint, region string, values url.Values, signingID string, creds aws.CredentialsProvider, optFns ...func(options *AuthTokenOptions)) (string, error) { +func generateAuthToken(ctx context.Context, endpoint, region string, values url.Values, signingID string, creds aws.CredentialsProvider, optFns ...func(options *TokenOptions)) (string, error) { if len(region) == 0 { return "", fmt.Errorf("region is required") } @@ -64,7 +64,7 @@ func generateAuthToken(ctx context.Context, endpoint, region string, values url. return "", fmt.Errorf("endpoint is required") } - o := AuthTokenOptions{} + o := TokenOptions{} for _, fn := range optFns { fn(&o) diff --git a/feature/dsql/token/auth_token_generator_test.go b/feature/dsql/auth/auth_token_generator_test.go similarity index 94% rename from feature/dsql/token/auth_token_generator_test.go rename to feature/dsql/auth/auth_token_generator_test.go index 77a442e53c8..91db73890ac 100644 --- a/feature/dsql/token/auth_token_generator_test.go +++ b/feature/dsql/auth/auth_token_generator_test.go @@ -1,4 +1,4 @@ -package token +package auth import ( "context" @@ -21,7 +21,7 @@ type dbTokenTestCase struct { expectedError string } -type tokenGenFunc func(ctx context.Context, endpoint, region string, creds aws.CredentialsProvider, optFns ...func(options *AuthTokenOptions)) (string, error) +type tokenGenFunc func(ctx context.Context, endpoint, region string, creds aws.CredentialsProvider, optFns ...func(options *TokenOptions)) (string, error) func TestGenerateDbConnectAuthToken(t *testing.T) { cases := map[string]dbTokenTestCase{ @@ -81,9 +81,9 @@ func TestGenerateDbConnectAuthToken(t *testing.T) { for _, c := range cases { creds := &staticCredentials{AccessKey: "akid", SecretKey: "secret", expiresIn: c.credsExpireIn} defer withTempGlobalTime(time.Date(2024, time.August, 27, 0, 0, 0, 0, time.UTC))() - optFns := func(options *AuthTokenOptions) {} + optFns := func(options *TokenOptions) {} if c.expires != 0 { - optFns = func(options *AuthTokenOptions) { + optFns = func(options *TokenOptions) { options.ExpiresIn = c.expires } } @@ -103,7 +103,7 @@ func TestGenerateDbConnectAuthToken(t *testing.T) { } } -func verifyTestCase(f tokenGenFunc, c dbTokenTestCase, creds aws.CredentialsProvider, optFns func(options *AuthTokenOptions), t *testing.T) { +func verifyTestCase(f tokenGenFunc, c dbTokenTestCase, creds aws.CredentialsProvider, optFns func(options *TokenOptions), t *testing.T) { token, err := f(context.Background(), c.endpoint, c.region, creds, optFns) isErrorExpected := len(c.expectedError) > 0 if err != nil && !isErrorExpected { diff --git a/feature/dsql/token/doc.go b/feature/dsql/auth/doc.go similarity index 74% rename from feature/dsql/token/doc.go rename to feature/dsql/auth/doc.go index 2b209f9eb31..35599b6e684 100644 --- a/feature/dsql/token/doc.go +++ b/feature/dsql/auth/doc.go @@ -1,4 +1,4 @@ -// Package token is used to generate authentication tokens for Amazon Aurora DSQL. +// Package auth is used to generate authentication tokens for Amazon Aurora DSQL. // // These tokens use IAM policies to generate a token that will be used to connect // to a database. @@ -6,4 +6,4 @@ // You can see more details about it at the [official docs] // // [official docs]: https://docs.aws.amazon.com/aurora-dsql/latest/userguide/SECTION_authentication-token.html -package token +package auth diff --git a/feature/dsql/token/go.mod b/feature/dsql/auth/go.mod similarity index 74% rename from feature/dsql/token/go.mod rename to feature/dsql/auth/go.mod index ab7c71faadd..319166bc66e 100644 --- a/feature/dsql/token/go.mod +++ b/feature/dsql/auth/go.mod @@ -1,4 +1,4 @@ -module github.com/aws/aws-sdk-go-v2/feature/dsql/token +module github.com/aws/aws-sdk-go-v2/feature/dsql/auth go 1.21 diff --git a/feature/dsql/token/go.sum b/feature/dsql/auth/go.sum similarity index 100% rename from feature/dsql/token/go.sum rename to feature/dsql/auth/go.sum diff --git a/feature/dsql/token/go_module_metadata.go b/feature/dsql/auth/go_module_metadata.go similarity index 74% rename from feature/dsql/token/go_module_metadata.go rename to feature/dsql/auth/go_module_metadata.go index f6d900e1974..cb158fee64d 100644 --- a/feature/dsql/token/go_module_metadata.go +++ b/feature/dsql/auth/go_module_metadata.go @@ -1,6 +1,6 @@ // Code generated by internal/repotools/cmd/updatemodulemeta DO NOT EDIT. -package token +package auth // goModuleVersion is the tagged release for this module -const goModuleVersion = "1.0.0" +const goModuleVersion = "tip" From eae1ff653e4e53ccc79f0cbb0d3bbf9aee1330f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20Madrigal=20=F0=9F=90=A7?= <599908+Madrigal@users.noreply.github.com> Date: Tue, 10 Dec 2024 16:37:35 -0500 Subject: [PATCH 7/9] Remove port from tests since port is not actually used on DSQL token --- feature/dsql/auth/auth_token_generator_test.go | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/feature/dsql/auth/auth_token_generator_test.go b/feature/dsql/auth/auth_token_generator_test.go index 91db73890ac..32ea9d7b240 100644 --- a/feature/dsql/auth/auth_token_generator_test.go +++ b/feature/dsql/auth/auth_token_generator_test.go @@ -26,7 +26,7 @@ type tokenGenFunc func(ctx context.Context, endpoint, region string, creds aws.C func TestGenerateDbConnectAuthToken(t *testing.T) { cases := map[string]dbTokenTestCase{ "no region": { - endpoint: "https://oo0bar1baz2quux3quuux4.dsql.us-east-1.on.aws:3306", + endpoint: "https://oo0bar1baz2quux3quuux4.dsql.us-east-1.on.aws", expectedError: "no region", }, "no endpoint": { @@ -34,18 +34,12 @@ func TestGenerateDbConnectAuthToken(t *testing.T) { expectedError: "endpoint is required", }, "endpoint with scheme": { - endpoint: "https://oo0bar1baz2quux3quuux4.dsql.us-east-1.on.aws:3306", + endpoint: "https://oo0bar1baz2quux3quuux4.dsql.us-east-1.on.aws", region: "us-east-1", - expectedHost: "oo0bar1baz2quux3quuux4.dsql.us-east-1.on.aws:3306", + expectedHost: "oo0bar1baz2quux3quuux4.dsql.us-east-1.on.aws", expectedQueryParams: []string{"Action=DbConnect"}, }, "endpoint without scheme": { - endpoint: "oo0bar1baz2quux3quuux4.dsql.us-east-1.on.aws:3306", - region: "us-east-1", - expectedHost: "oo0bar1baz2quux3quuux4.dsql.us-east-1.on.aws:3306", - expectedQueryParams: []string{"Action=DbConnect"}, - }, - "endpoint without port": { endpoint: "oo0bar1baz2quux3quuux4.dsql.us-east-1.on.aws", region: "us-east-1", expectedHost: "oo0bar1baz2quux3quuux4.dsql.us-east-1.on.aws", From 08014e768e7e2eb3a7450891b29b1b103caa18e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20Madrigal=20=F0=9F=90=A7?= <599908+Madrigal@users.noreply.github.com> Date: Tue, 10 Dec 2024 16:37:51 -0500 Subject: [PATCH 8/9] Update changelog to point to the right module after refactor --- .changelog/96240bbb6b5341a0a5e40055b0222be0.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.changelog/96240bbb6b5341a0a5e40055b0222be0.json b/.changelog/96240bbb6b5341a0a5e40055b0222be0.json index e9652c3f9c1..be1dc2a7ade 100644 --- a/.changelog/96240bbb6b5341a0a5e40055b0222be0.json +++ b/.changelog/96240bbb6b5341a0a5e40055b0222be0.json @@ -3,6 +3,6 @@ "type": "release", "description": "Add Aurora DSQL Auth Token Generator", "modules": [ - "feature/dsql/token" + "feature/dsql/auth" ] } \ No newline at end of file From 4926adf21477d8a34a9a5c2a9368e286812c9924 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20Madrigal=20=F0=9F=90=A7?= <599908+Madrigal@users.noreply.github.com> Date: Fri, 13 Dec 2024 12:23:24 -0500 Subject: [PATCH 9/9] Remove generated changelog file on feature since it will be generated by make release --- feature/dsql/auth/CHANGELOG.md | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 feature/dsql/auth/CHANGELOG.md diff --git a/feature/dsql/auth/CHANGELOG.md b/feature/dsql/auth/CHANGELOG.md deleted file mode 100644 index b75dce794cf..00000000000 --- a/feature/dsql/auth/CHANGELOG.md +++ /dev/null @@ -1,4 +0,0 @@ -# v1.0.0 (2024-12-09) - -* **Release**: Add Aurora DSQL Auth Token Generator -