Add Utilities for RDS IAM Authentication (#1230)

skmcgrail · web-flow · commit 26a0c16a2ce8 · 2021-04-20T16:58:49.000-07:00
diff --git a/feature/rds/auth/connect.go b/feature/rds/auth/connect.go
@@ -0,0 +1,96 @@
+package auth
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/aws/signer/v4"
+)
+
+const (
+	signingID        = "rds-db"
+	emptyPayloadHash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
+)
+
+// BuildAuthTokenOptions is the optional set of configuration properties for BuildAuthToken
+type BuildAuthTokenOptions struct{}
+
+// BuildAuthToken will return an authorization token used as the password for a DB
+// connection.
+//
+// * endpoint - Endpoint consists of the port needed to connect to the DB. <host>:<port>
+// * region - Region is the location of where the DB is
+// * dbUser - User account within the database to sign in with
+// * creds - Credentials to be signed with
+//
+// The following example shows how to use BuildAuthToken to create an authentication
+// token for connecting to a MySQL database in RDS.
+//
+//   authToken, err := BuildAuthToken(dbEndpoint, awsRegion, dbUser, awsCreds)
+//
+//   // Create the MySQL DNS string for the DB connection
+//   // user:password@protocol(endpoint)/dbname?<params>
+//   connectStr = fmt.Sprintf("%s:%s@tcp(%s)/%s?allowCleartextPasswords=true&tls=rds",
+//      dbUser, authToken, dbEndpoint, dbName,
+//   )
+//
+//   // Use db to perform SQL operations on database
+//   db, err := sql.Open("mysql", connectStr)
+//
+// See http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html
+// for more information on using IAM database authentication with RDS.
+func BuildAuthToken(ctx context.Context, endpoint, region, dbUser string, creds aws.CredentialsProvider, optFns ...func(options *BuildAuthTokenOptions)) (string, error) {
+	o := BuildAuthTokenOptions{}
+
+	for _, fn := range optFns {
+		fn(&o)
+	}
+
+	if creds == nil {
+		return "", fmt.Errorf("credetials provider must not ne nil")
+	}
+
+	// the scheme is arbitrary and is only needed because validation of the URL requires one.
+	if !(strings.HasPrefix(endpoint, "http://") || strings.HasPrefix(endpoint, "https://")) {
+		endpoint = "https://" + endpoint
+	}
+
+	req, err := http.NewRequest("GET", endpoint, nil)
+	if err != nil {
+		return "", err
+	}
+	values := req.URL.Query()
+	values.Set("Action", "connect")
+	values.Set("DBUser", dbUser)
+	req.URL.RawQuery = values.Encode()
+
+	signer := v4.NewSigner()
+
+	credentials, err := creds.Retrieve(ctx)
+	if err != nil {
+		return "", err
+	}
+
+	// Expire Time: 15 minute
+	query := req.URL.Query()
+	query.Set("X-Amz-Expires", "900")
+	req.URL.RawQuery = query.Encode()
+
+	signedURI, _, err := signer.PresignHTTP(ctx, credentials, req, emptyPayloadHash, signingID, region, time.Now().UTC())
+	if err != nil {
+		return "", err
+	}
+
+	url := signedURI
+	if strings.HasPrefix(url, "http://") {
+		url = url[len("http://"):]
+	} else if strings.HasPrefix(url, "https://") {
+		url = url[len("https://"):]
+	}
+
+	return url, nil
+}
diff --git a/feature/rds/auth/connect_test.go b/feature/rds/auth/connect_test.go
@@ -0,0 +1,55 @@
+package auth_test
+
+import (
+	"context"
+	"regexp"
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/feature/rds/auth"
+)
+
+func TestBuildAuthToken(t *testing.T) {
+	cases := []struct {
+		endpoint      string
+		region        string
+		user          string
+		expectedRegex string
+	}{
+		{
+			"https://prod-instance.us-east-1.rds.amazonaws.com:3306",
+			"us-west-2",
+			"mysqlUser",
+			`^prod-instance\.us-east-1\.rds\.amazonaws\.com:3306\?Action=connect.*?DBUser=mysqlUser.*`,
+		},
+		{
+			"prod-instance.us-east-1.rds.amazonaws.com:3306",
+			"us-west-2",
+			"mysqlUser",
+			`^prod-instance\.us-east-1\.rds\.amazonaws\.com:3306\?Action=connect.*?DBUser=mysqlUser.*`,
+		},
+	}
+
+	for _, c := range cases {
+		creds := &staticCredentials{AccessKey: "AKID", SecretKey: "SECRET", Session: "SESSION"}
+		url, err := auth.BuildAuthToken(context.Background(), c.endpoint, c.region, c.user, creds)
+		if err != nil {
+			t.Errorf("expect no error, got %v", err)
+		}
+		if re, a := regexp.MustCompile(c.expectedRegex), url; !re.MatchString(a) {
+			t.Errorf("expect %s to match %s", re, a)
+		}
+	}
+}
+
+type staticCredentials struct {
+	AccessKey, SecretKey, Session string
+}
+
+func (s *staticCredentials) Retrieve(ctx context.Context) (aws.Credentials, error) {
+	return aws.Credentials{
+		AccessKeyID:     s.AccessKey,
+		SecretAccessKey: s.SecretKey,
+		SessionToken:    s.Session,
+	}, nil
+}
diff --git a/feature/rds/auth/doc.go b/feature/rds/auth/doc.go
@@ -0,0 +1,8 @@
+// Package auth is used to generate authentication tokens used to
+// connect to a given Amazon Relational Database Service (RDS) database.
+//
+// Before using the authentication please visit the docs here to ensure
+// the database has the proper policies to allow for IAM token authentication.
+// https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html#UsingWithRDS.IAMDBAuth.Availability
+// https://aws.github.io/aws-sdk-go-v2/docs/sdk-utilities/rds
+package auth
diff --git a/feature/rds/auth/go.mod b/feature/rds/auth/go.mod
@@ -0,0 +1,7 @@
+module github.com/aws/aws-sdk-go-v2/feature/rds/auth
+
+go 1.15
+
+require github.com/aws/aws-sdk-go-v2 v1.3.3
+
+replace github.com/aws/aws-sdk-go-v2 => ../../../
diff --git a/feature/rds/auth/go.sum b/feature/rds/auth/go.sum
@@ -0,0 +1,15 @@
+github.com/aws/aws-sdk-go-v2 v1.3.3 h1:BKKakJ9v28yopLRF6bg6FAMbVKmcXuZe+r688XMsxtk=
+github.com/aws/aws-sdk-go-v2 v1.3.3/go.mod h1:7OaACgj2SX3XGWnrIjGlJM22h6yD6MEWKvm7levnnM8=
+github.com/aws/smithy-go v1.3.1 h1:xJFO4pK0y9J8fCl34uGsSJX5KNnGbdARDlA5BPhXnwE=
+github.com/aws/smithy-go v1.3.1/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M=
+github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
