feat: add AWS credential provider support & more detailed schema for DBs

Author: kriswest

config.schema.json

@@ -192,17 +192,20 @@
                 "additionalProperties": false,
                 "properties": {
                   "text": {
-                    "type": "string"
+                    "type": "string",
+                    "description": "Tooltip text"
                   },
                   "links": {
                     "type": "array",
+                    "description": "An array of links to display under the tooltip text, providing additional context about the question",
                     "items": {
                       "type": "object",
                       "additionalProperties": false,
                       "properties": {
-                        "text": { "type": "string" },
-                        "url": { "type": "string", "format": "url" }
-                      }
+                        "text": { "type": "string", "description": "Link text" },
+                        "url": { "type": "string", "format": "url", "description": "Link URL" }
+                      },
+                      "required": ["text", "url"]
                     }
                   }
                 },
@@ -377,15 +380,56 @@
       "required": ["project", "name", "url"]
     },
     "database": {
-      "type": "object",
-      "properties": {
-        "type": { "type": "string" },
-        "enabled": { "type": "boolean" },
-        "connectionString": { "type": "string" },
-        "options": { "type": "object" },
-        "params": { "type": "object" }
-      },
-      "required": ["type", "enabled"]
+      "description": "Configuration entry for a database",
+      "oneOf": [
+        {
+          "type": "object",
+          "name": "MongoDB Config",
+          "description": "Connection properties for mongoDB. Options may be passed in either the connection string or broken out in the options object",
+          "properties": {
+            "type": { "type": "string", "const": "mongo" },
+            "enabled": { "type": "boolean" },
+            "connectionString": {
+              "type": "string",
+              "description": "mongoDB Client connection string, see https://www.mongodb.com/docs/manual/reference/connection-string/"
+            },
+            "options": {
+              "type": "object",
+              "description": "mongoDB Client connection options. Please note that only custom options are described here, see https://www.mongodb.com/docs/drivers/node/current/connect/connection-options/ for all config options.",
+              "properties": {
+                "authMechanismProperties": {
+                  "type": "object",
+                  "properties": {
+                    "AWS_CREDENTIAL_PROVIDER": {
+                      "type": "boolean",
+                      "description": "If set to true fromNodeProviderChain() from @aws-sdk/credential-providers is passed as the AWS_CREDENTIAL_PROVIDER"
+                    }
+                  },
+                  "additionalProperties": true
+                }
+              },
+              "required": [],
+              "additionalProperties": true
+            }
+          },
+          "required": ["type", "enabled", "connectionString"]
+        },
+        {
+          "type": "object",
+          "name": "File-based DB Config",
+          "description": "Connection properties for an neDB file-based database",
+          "properties": {
+            "type": { "type": "string", "const": "fs" },
+            "enabled": { "type": "boolean" },
+            "params": {
+              "type": "object",
+              "description": "Legacy config property not currently used",
+              "deprecated": true
+            }
+          },
+          "required": ["type", "enabled"]
+        }
+      ]
     },
     "authenticationElement": {
       "type": "object",

package.json

@@ -81,6 +81,7 @@
     "url": "https://github.com/finos/git-proxy"
   },
   "dependencies": {
+    "@aws-sdk/credential-providers": "^3.940.0",
     "@material-ui/core": "^4.12.4",
     "@material-ui/icons": "4.11.3",
     "@primer/octicons-react": "^19.21.0",

src/config/generated/config.ts

@@ -157,7 +157,7 @@ export interface Ls {
  */
 export interface AuthenticationElement {
   enabled: boolean;
-  type: Type;
+  type: AuthenticationElementType;
   /**
    * Additional Active Directory configuration supporting LDAP connection which can be used to
    * confirm group membership. For the full set of available options see the activedirectory 2
@@ -251,7 +251,7 @@ export interface OidcConfig {
   [property: string]: any;
 }
 
-export enum Type {
+export enum AuthenticationElementType {
   ActiveDirectory = 'ActiveDirectory',
   Jwt = 'jwt',
   Local = 'local',
@@ -286,13 +286,26 @@ export interface Question {
  * and used to provide additional guidance to the reviewer.
  */
 export interface QuestionTooltip {
+  /**
+   * An array of links to display under the tooltip text, providing additional context about
+   * the question
+   */
   links?: Link[];
+  /**
+   * Tooltip text
+   */
   text: string;
 }
 
 export interface Link {
-  text?: string;
-  url?: string;
+  /**
+   * Link text
+   */
+  text: string;
+  /**
+   * Link URL
+   */
+  url: string;
 }
 
 export interface AuthorisedRepo {
@@ -458,15 +471,59 @@ export interface RateLimit {
   windowMs: number;
 }
 
+/**
+ * Configuration entry for a database
+ *
+ * Connection properties for mongoDB. Options may be passed in either the connection string
+ * or broken out in the options object
+ *
+ * Connection properties for an neDB file-based database
+ */
 export interface Database {
+  /**
+   * mongoDB Client connection string, see
+   * https://www.mongodb.com/docs/manual/reference/connection-string/
+   */
   connectionString?: string;
   enabled: boolean;
-  options?: { [key: string]: any };
+  /**
+   * mongoDB Client connection options. Please note that only custom options are described
+   * here, see https://www.mongodb.com/docs/drivers/node/current/connect/connection-options/
+   * for all config options.
+   */
+  options?: Options;
+  type: DatabaseType;
+  /**
+   * Legacy config property not currently used
+   */
   params?: { [key: string]: any };
-  type: string;
   [property: string]: any;
 }
 
+/**
+ * mongoDB Client connection options. Please note that only custom options are described
+ * here, see https://www.mongodb.com/docs/drivers/node/current/connect/connection-options/
+ * for all config options.
+ */
+export interface Options {
+  authMechanismProperties?: AuthMechanismProperties;
+  [property: string]: any;
+}
+
+export interface AuthMechanismProperties {
+  /**
+   * If set to true fromNodeProviderChain() from @aws-sdk/credential-providers is passed as
+   * the AWS_CREDENTIAL_PROVIDER
+   */
+  AWS_CREDENTIAL_PROVIDER?: boolean;
+  [property: string]: any;
+}
+
+export enum DatabaseType {
+  FS = 'fs',
+  Mongo = 'mongo',
+}
+
 /**
  * Toggle the generation of temporary password for git-proxy admin user
  */
@@ -747,7 +804,7 @@ const typeMap: any = {
   AuthenticationElement: o(
     [
       { json: 'enabled', js: 'enabled', typ: true },
-      { json: 'type', js: 'type', typ: r('Type') },
+      { json: 'type', js: 'type', typ: r('AuthenticationElementType') },
       { json: 'adConfig', js: 'adConfig', typ: u(undefined, r('AdConfig')) },
       { json: 'adminGroup', js: 'adminGroup', typ: u(undefined, '') },
       { json: 'domain', js: 'domain', typ: u(undefined, '') },
@@ -807,8 +864,8 @@ const typeMap: any = {
   ),
   Link: o(
     [
-      { json: 'text', js: 'text', typ: u(undefined, '') },
-      { json: 'url', js: 'url', typ: u(undefined, '') },
+      { json: 'text', js: 'text', typ: '' },
+      { json: 'url', js: 'url', typ: '' },
     ],
     false,
   ),
@@ -875,12 +932,26 @@ const typeMap: any = {
     [
       { json: 'connectionString', js: 'connectionString', typ: u(undefined, '') },
       { json: 'enabled', js: 'enabled', typ: true },
-      { json: 'options', js: 'options', typ: u(undefined, m('any')) },
+      { json: 'options', js: 'options', typ: u(undefined, r('Options')) },
+      { json: 'type', js: 'type', typ: r('DatabaseType') },
       { json: 'params', js: 'params', typ: u(undefined, m('any')) },
-      { json: 'type', js: 'type', typ: '' },
     ],
     'any',
   ),
+  Options: o(
+    [
+      {
+        json: 'authMechanismProperties',
+        js: 'authMechanismProperties',
+        typ: u(undefined, r('AuthMechanismProperties')),
+      },
+    ],
+    'any',
+  ),
+  AuthMechanismProperties: o(
+    [{ json: 'AWS_CREDENTIAL_PROVIDER', js: 'AWS_CREDENTIAL_PROVIDER', typ: u(undefined, true) }],
+    'any',
+  ),
   TempPassword: o(
     [
       { json: 'emailConfig', js: 'emailConfig', typ: u(undefined, m('any')) },
@@ -911,5 +982,6 @@ const typeMap: any = {
     ],
     'any',
   ),
-  Type: ['ActiveDirectory', 'jwt', 'local', 'openidconnect'],
+  AuthenticationElementType: ['ActiveDirectory', 'jwt', 'local', 'openidconnect'],
+  DatabaseType: ['fs', 'mongo'],
 };

src/db/mongo/helper.ts

@@ -1,6 +1,7 @@
 import { MongoClient, Db, Collection, Filter, Document, FindOptions } from 'mongodb';
 import { getDatabase } from '../../config';
 import MongoDBStore from 'connect-mongo';
+import { fromNodeProviderChain } from '@aws-sdk/credential-providers';
 
 let _db: Db | null = null;
 
@@ -15,6 +16,11 @@ export const connect = async (collectionName: string): Promise<Collection> => {
       throw new Error('MongoDB connection string is not provided');
     }
 
+    if (options?.authMechanismProperties?.AWS_CREDENTIAL_PROVIDER) {
+      // we break from the config types here as we're providing a function to the mongoDB client
+      (options.authMechanismProperties.AWS_CREDENTIAL_PROVIDER as any) = fromNodeProviderChain();
+    }
+
     const client = new MongoClient(connectionString, options);
     await client.connect();
     _db = client.db();

src/service/passport/jwtAuthHandler.ts

@@ -1,14 +1,19 @@
 import { assignRoles, validateJwt } from './jwtUtils';
 import type { Request, Response, NextFunction } from 'express';
 import { getAPIAuthMethods } from '../../config';
-import { AuthenticationElement, JwtConfig, RoleMapping, Type } from '../../config/generated/config';
+import {
+  AuthenticationElement,
+  JwtConfig,
+  RoleMapping,
+  AuthenticationElementType,
+} from '../../config/generated/config';
 
 export const type = 'jwt';
 
 export const jwtAuthHandler = (overrideConfig: JwtConfig | null = null) => {
   return async (req: Request, res: Response, next: NextFunction): Promise<void> => {
     const apiAuthMethods: AuthenticationElement[] = overrideConfig
-      ? [{ type: 'jwt' as Type, enabled: true, jwtConfig: overrideConfig }]
+      ? [{ type: 'jwt' as AuthenticationElementType, enabled: true, jwtConfig: overrideConfig }]
       : getAPIAuthMethods();
 
     const jwtAuthMethod = apiAuthMethods.find((method) => method.type.toLowerCase() === type);