feat: add auth token generators for RDS and DSQL (#1495)

lauzadis · web-flow · commit 580f5ab6988f · 2025-01-16T16:45:56.000-05:00
diff --git a/.changes/a2520ae2-1cba-49b1-b720-10b70e52f9e0.json b/.changes/a2520ae2-1cba-49b1-b720-10b70e52f9e0.json
@@ -0,0 +1,5 @@
+{
+    "id": "a2520ae2-1cba-49b1-b720-10b70e52f9e0",
+    "type": "feature",
+    "description": "Add auth token generator for RDS and DSQL"
+}
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
@@ -42,7 +42,7 @@ jobs:
           ./gradlew -Ptest.java.version=${{ matrix.java-version }} jvmTest --stacktrace
       - name: Save Test Reports
         if: failure()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: test-reports
           path: '**/build/reports'
@@ -80,7 +80,7 @@ jobs:
           ./gradlew testAllProtocols
       - name: Save Test Reports
         if: failure()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: test-reports
           path: '**/build/reports'
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -4,16 +4,16 @@ ksp-version = "2.1.0-1.0.29" # Keep in sync with kotlin-version
 
 dokka-version = "1.9.10"
 
-aws-kotlin-repo-tools-version = "0.4.17"
+aws-kotlin-repo-tools-version = "0.4.18"
 
 # libs
 coroutines-version = "1.9.0"
 atomicfu-version = "0.25.0"
 binary-compatibility-validator-version = "0.16.3"
 
 # smithy-kotlin codegen and runtime are versioned separately
-smithy-kotlin-runtime-version = "1.4.0"
-smithy-kotlin-codegen-version = "0.34.0"
+smithy-kotlin-runtime-version = "1.4.1"
+smithy-kotlin-codegen-version = "0.34.1"
 
 # codegen
 smithy-version = "1.53.0"
diff --git a/services/dsql/common/src/aws/sdk/kotlin/services/dsql/DsqlAuthTokenGenerator.kt b/services/dsql/common/src/aws/sdk/kotlin/services/dsql/DsqlAuthTokenGenerator.kt
@@ -0,0 +1,57 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package aws.sdk.kotlin.services.dsql
+
+import aws.sdk.kotlin.runtime.auth.credentials.DefaultChainCredentialsProvider
+import aws.smithy.kotlin.runtime.auth.awscredentials.CredentialsProvider
+import aws.smithy.kotlin.runtime.auth.awssigning.AuthTokenGenerator
+import aws.smithy.kotlin.runtime.auth.awssigning.AwsSigner
+import aws.smithy.kotlin.runtime.auth.awssigning.DefaultAwsSigner
+import aws.smithy.kotlin.runtime.net.url.Url
+import aws.smithy.kotlin.runtime.time.Clock
+import kotlin.time.Duration
+import kotlin.time.Duration.Companion.seconds
+
+/**
+ * Generates an IAM authentication token for use with DSQL databases
+ * @param credentialsProvider The [CredentialsProvider] which will provide credentials to use when generating the auth token, defaults to [DefaultChainCredentialsProvider]
+ * @param signer The [AwsSigner] implementation to use when creating the authentication token, defaults to [DefaultAwsSigner]
+ * @param clock The [Clock] implementation to use
+ */
+public class DsqlAuthTokenGenerator(
+    public val credentialsProvider: CredentialsProvider = DefaultChainCredentialsProvider(),
+    public val signer: AwsSigner = DefaultAwsSigner,
+    public val clock: Clock = Clock.System,
+) {
+    private val generator = AuthTokenGenerator("dsql", credentialsProvider, signer, clock)
+
+    /**
+     * Generates an auth token for the DbConnect action.
+     * @param endpoint the endpoint of the database
+     * @param region the region of the database
+     * @param expiration how long the auth token should be valid for. Defaults to 900.seconds
+     */
+    public suspend fun generateDbConnectAuthToken(endpoint: Url, region: String, expiration: Duration = 900.seconds): String {
+        val dbConnectEndpoint = endpoint.toBuilder().apply {
+            parameters.decodedParameters.put("Action", "DbConnect")
+        }.build()
+
+        return generator.generateAuthToken(dbConnectEndpoint, region, expiration)
+    }
+
+    /**
+     * Generates an auth token for the DbConnectAdmin action.
+     * @param endpoint the endpoint of the database
+     * @param region the region of the database
+     * @param expiration how long the auth token should be valid for. Defaults to 900.seconds
+     */
+    public suspend fun generateDbConnectAdminAuthToken(endpoint: Url, region: String, expiration: Duration = 900.seconds): String {
+        val dbConnectAdminEndpoint = endpoint.toBuilder().apply {
+            parameters.decodedParameters.put("Action", "DbConnectAdmin")
+        }.build()
+
+        return generator.generateAuthToken(dbConnectAdminEndpoint, region, expiration)
+    }
+}
diff --git a/services/dsql/common/test/aws/sdk/kotlin/services/dsql/DsqlAuthTokenGeneratorTest.kt b/services/dsql/common/test/aws/sdk/kotlin/services/dsql/DsqlAuthTokenGeneratorTest.kt
@@ -0,0 +1,80 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package aws.sdk.kotlin.services.dsql
+
+import aws.sdk.kotlin.runtime.auth.credentials.StaticCredentialsProvider
+import aws.smithy.kotlin.runtime.auth.awscredentials.Credentials
+import aws.smithy.kotlin.runtime.net.Host
+import aws.smithy.kotlin.runtime.net.url.Url
+import aws.smithy.kotlin.runtime.time.Instant
+import aws.smithy.kotlin.runtime.time.ManualClock
+import kotlinx.coroutines.test.runTest
+import kotlin.test.Test
+import kotlin.test.assertContains
+import kotlin.test.assertEquals
+import kotlin.test.assertFalse
+import kotlin.time.Duration.Companion.seconds
+
+class DsqlAuthTokenGeneratorTest {
+    @Test
+    fun testGenerateDbConnectAuthToken() = runTest {
+        val clock = ManualClock(Instant.fromEpochSeconds(1724716800))
+
+        val credentials = Credentials("akid", "secret")
+        val credentialsProvider = StaticCredentialsProvider(credentials)
+
+        val token = DsqlAuthTokenGenerator(credentialsProvider, clock = clock)
+            .generateDbConnectAuthToken(
+                endpoint = Url { host = Host.parse("peccy.dsql.us-east-1.on.aws") },
+                region = "us-east-1",
+                expiration = 450.seconds,
+            )
+
+        // Token should have a parameter Action=DbConnect
+        assertContains(token, "peccy.dsql.us-east-1.on.aws?Action=DbConnect")
+        assertContains(token, "X-Amz-Credential=akid%2F20240827%2Fus-east-1%2Fdsql%2Faws4_request")
+        assertContains(token, "X-Amz-Expires=450")
+        assertContains(token, "X-Amz-SignedHeaders=host")
+
+        // Token should not contain a scheme
+        listOf("http://", "https://").forEach {
+            assertFalse(token.contains(it))
+        }
+
+        val urlToken = Url.parse("https://$token")
+        val xAmzDate = urlToken.parameters.decodedParameters.getValue("X-Amz-Date").single()
+        assertEquals(clock.now(), Instant.fromIso8601(xAmzDate))
+    }
+
+    @Test
+    fun testGenerateDbConnectAuthAdminToken() = runTest {
+        val clock = ManualClock(Instant.fromEpochSeconds(1724716800))
+
+        val credentials = Credentials("akid", "secret")
+        val credentialsProvider = StaticCredentialsProvider(credentials)
+
+        val token = DsqlAuthTokenGenerator(credentialsProvider, clock = clock)
+            .generateDbConnectAdminAuthToken(
+                endpoint = Url { host = Host.parse("peccy.dsql.us-east-1.on.aws") },
+                region = "us-east-1",
+                expiration = 450.seconds,
+            )
+
+        // Token should have a parameter Action=DbConnectAdmin
+        assertContains(token, "peccy.dsql.us-east-1.on.aws?Action=DbConnectAdmin")
+        assertContains(token, "X-Amz-Credential=akid%2F20240827%2Fus-east-1%2Fdsql%2Faws4_request")
+        assertContains(token, "X-Amz-Expires=450")
+        assertContains(token, "X-Amz-SignedHeaders=host")
+
+        // Token should not contain a scheme
+        listOf("http://", "https://").forEach {
+            assertFalse(token.contains(it))
+        }
+
+        val urlToken = Url.parse("https://$token")
+        val xAmzDate = urlToken.parameters.decodedParameters.getValue("X-Amz-Date").single()
+        assertEquals(clock.now(), Instant.fromIso8601(xAmzDate))
+    }
+}
diff --git a/services/rds/common/src/aws/sdk/kotlin/services/rds/RdsAuthTokenGenerator.kt b/services/rds/common/src/aws/sdk/kotlin/services/rds/RdsAuthTokenGenerator.kt
@@ -0,0 +1,48 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package aws.sdk.kotlin.services.rds
+
+import aws.sdk.kotlin.runtime.auth.credentials.DefaultChainCredentialsProvider
+import aws.smithy.kotlin.runtime.auth.awscredentials.CredentialsProvider
+import aws.smithy.kotlin.runtime.auth.awssigning.AuthTokenGenerator
+import aws.smithy.kotlin.runtime.auth.awssigning.AwsSigner
+import aws.smithy.kotlin.runtime.auth.awssigning.DefaultAwsSigner
+import aws.smithy.kotlin.runtime.net.url.Url
+import aws.smithy.kotlin.runtime.time.Clock
+import kotlin.apply
+import kotlin.time.Duration
+import kotlin.time.Duration.Companion.seconds
+
+/**
+ * Generates an IAM authentication token for use with RDS databases
+ * @param credentialsProvider The [CredentialsProvider] which will provide credentials to use when generating the auth token, defaults to [DefaultChainCredentialsProvider]
+ * @param signer The [AwsSigner] implementation to use when creating the authentication token, defaults to [DefaultAwsSigner]
+ * @param clock The [Clock] implementation to use
+ */
+public class RdsAuthTokenGenerator(
+    public val credentialsProvider: CredentialsProvider = DefaultChainCredentialsProvider(),
+    public val signer: AwsSigner = DefaultAwsSigner,
+    public val clock: Clock = Clock.System,
+) {
+    private val generator = AuthTokenGenerator("rds-db", credentialsProvider, signer, clock)
+
+    /**
+     * Generates an auth token for the `connect` action.
+     * @param endpoint the endpoint of the database
+     * @param region the region of the database
+     * @param username the username to authenticate with
+     * @param expiration how long the auth token should be valid for. Defaults to 900.seconds
+     */
+    public suspend fun generateAuthToken(endpoint: Url, region: String, username: String, expiration: Duration = 900.seconds): String {
+        val endpoint = endpoint.toBuilder().apply {
+            parameters.decodedParameters.apply {
+                put("Action", "connect")
+                put("DBUser", username)
+            }
+        }.build()
+
+        return generator.generateAuthToken(endpoint, region, expiration)
+    }
+}
diff --git a/services/rds/common/test/RdsAuthTokenGeneratorTest.kt b/services/rds/common/test/RdsAuthTokenGeneratorTest.kt
@@ -0,0 +1,55 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package aws.sdk.kotlin.services.rds
+
+import aws.sdk.kotlin.runtime.auth.credentials.StaticCredentialsProvider
+import aws.smithy.kotlin.runtime.auth.awscredentials.Credentials
+import aws.smithy.kotlin.runtime.net.Host
+import aws.smithy.kotlin.runtime.net.url.Url
+import aws.smithy.kotlin.runtime.time.Instant
+import aws.smithy.kotlin.runtime.time.ManualClock
+import kotlinx.coroutines.test.runTest
+import kotlin.test.Test
+import kotlin.test.assertContains
+import kotlin.test.assertEquals
+import kotlin.test.assertFalse
+import kotlin.time.Duration.Companion.seconds
+
+class RdsAuthTokenGeneratorTest {
+    @Test
+    fun testGenerateAuthToken() = runTest {
+        val clock = ManualClock(Instant.fromEpochSeconds(1724716800))
+
+        val credentials = Credentials("akid", "secret")
+        val credentialsProvider = StaticCredentialsProvider(credentials)
+
+        val generator = RdsAuthTokenGenerator(credentialsProvider, clock = clock)
+
+        val token = generator.generateAuthToken(
+            endpoint = Url {
+                host = Host.parse("prod-instance.us-east-1.rds.amazonaws.com")
+                port = 3306
+            },
+            region = "us-east-1",
+            username = "peccy",
+            expiration = 450.seconds,
+        )
+
+        // Token should have a parameter Action=connect, DBUser=peccy
+        assertContains(token, "prod-instance.us-east-1.rds.amazonaws.com:3306?Action=connect&DBUser=peccy")
+        assertContains(token, "X-Amz-Credential=akid%2F20240827%2Fus-east-1%2Frds-db%2Faws4_request")
+        assertContains(token, "X-Amz-Expires=450")
+        assertContains(token, "X-Amz-SignedHeaders=host")
+
+        // Token should not contain a scheme
+        listOf("http://", "https://").forEach {
+            assertFalse(token.contains(it))
+        }
+
+        val urlToken = Url.parse("https://$token")
+        val xAmzDate = urlToken.parameters.decodedParameters.getValue("X-Amz-Date").single()
+        assertEquals(clock.now(), Instant.fromIso8601(xAmzDate))
+    }
+}
