add plugin for DSQL auth tokens

Author: danielfrankcom

wrapper/build.gradle.kts

@@ -37,6 +37,7 @@ dependencies {
     compileOnly("software.amazon.awssdk:rds:2.31.78")
     compileOnly("software.amazon.awssdk:auth:2.31.45") // Required for IAM (light implementation)
     compileOnly("software.amazon.awssdk:http-client-spi:2.31.60") // Required for IAM (light implementation)
+    compileOnly("software.amazon.awssdk:dsql:2.31.78")
     compileOnly("software.amazon.awssdk:sts:2.31.78")
     compileOnly("com.zaxxer:HikariCP:4.0.3") // Version 4.+ is compatible with Java 8
     compileOnly("com.mchange:c3p0:0.11.0")
@@ -73,6 +74,7 @@ dependencies {
     testImplementation("software.amazon.awssdk:rds:2.31.78")
     testImplementation("software.amazon.awssdk:auth:2.31.45") // Required for IAM (light implementation)
     testImplementation("software.amazon.awssdk:http-client-spi:2.31.60") // Required for IAM (light implementation)
+    testImplementation("software.amazon.awssdk:dsql:2.31.78")
     testImplementation("software.amazon.awssdk:ec2:2.31.78")
     testImplementation("software.amazon.awssdk:secretsmanager:2.31.12")
     testImplementation("software.amazon.awssdk:sts:2.31.78")

wrapper/src/main/java/software/amazon/jdbc/ConnectionPluginChainBuilder.java

@@ -45,6 +45,7 @@
 import software.amazon.jdbc.plugin.failover.FailoverConnectionPluginFactory;
 import software.amazon.jdbc.plugin.federatedauth.FederatedAuthPluginFactory;
 import software.amazon.jdbc.plugin.federatedauth.OktaAuthPluginFactory;
+import software.amazon.jdbc.plugin.iam.DsqlIamConnectionPluginFactory;
 import software.amazon.jdbc.plugin.iam.IamAuthConnectionPluginFactory;
 import software.amazon.jdbc.plugin.limitless.LimitlessConnectionPluginFactory;
 import software.amazon.jdbc.plugin.readwritesplitting.ReadWriteSplittingPluginFactory;
@@ -75,6 +76,7 @@ public class ConnectionPluginChainBuilder {
           put("failover", new FailoverConnectionPluginFactory());
           put("failover2", new software.amazon.jdbc.plugin.failover2.FailoverConnectionPluginFactory());
           put("iam", new IamAuthConnectionPluginFactory());
+          put("dsql", new DsqlIamConnectionPluginFactory());
           put("awsSecretsManager", new AwsSecretsManagerConnectionPluginFactory());
           put("federatedAuth", new FederatedAuthPluginFactory());
           put("okta", new OktaAuthPluginFactory());
@@ -114,6 +116,7 @@ public class ConnectionPluginChainBuilder {
           put(FastestResponseStrategyPluginFactory.class, 900);
           put(LimitlessConnectionPluginFactory.class, 950);
           put(IamAuthConnectionPluginFactory.class, 1000);
+          put(DsqlIamConnectionPluginFactory.class, 1001);
           put(AwsSecretsManagerConnectionPluginFactory.class, 1100);
           put(FederatedAuthPluginFactory.class, 1200);
           put(LogQueryConnectionPluginFactory.class, 1300);

wrapper/src/main/java/software/amazon/jdbc/plugin/iam/DsqlIamConnectionPluginFactory.java

@@ -0,0 +1,33 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package software.amazon.jdbc.plugin.iam;
+
+import java.util.Properties;
+import org.checkerframework.checker.nullness.qual.NonNull;
+import software.amazon.jdbc.ConnectionPlugin;
+import software.amazon.jdbc.ConnectionPluginFactory;
+import software.amazon.jdbc.PluginService;
+
+/**
+ * Provides {@link ConnectionPlugin} instances which can be used to connect to Amazon Aurora DSQL.
+ */
+public class DsqlIamConnectionPluginFactory implements ConnectionPluginFactory {
+    @Override
+    public ConnectionPlugin getInstance(@NonNull final PluginService pluginService, @NonNull final Properties props) {
+        return new IamAuthConnectionPlugin(pluginService, new DsqlTokenUtility());
+    }
+}

wrapper/src/main/java/software/amazon/jdbc/plugin/iam/DsqlTokenUtility.java

@@ -0,0 +1,61 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package software.amazon.jdbc.plugin.iam;
+
+import org.checkerframework.checker.nullness.qual.NonNull;
+import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
+import software.amazon.awssdk.regions.Region;
+import software.amazon.awssdk.services.dsql.DsqlUtilities;
+
+/**
+ * Represents an {@link IamTokenUtility} which provides auth tokens for connecting to Amazon Aurora DSQL.
+ */
+public class DsqlTokenUtility implements IamTokenUtility {
+
+  private DsqlUtilities utilities = null;
+
+  public DsqlTokenUtility() { }
+
+  // For testing only
+  DsqlTokenUtility(@NonNull final DsqlUtilities utilities) {
+    this.utilities = utilities;
+  }
+
+  @Override
+  public String generateAuthenticationToken(
+      @NonNull final AwsCredentialsProvider credentialsProvider,
+      @NonNull final Region region,
+      @NonNull final String hostname,
+      final int port,
+      @NonNull final String username) {
+    if (this.utilities == null) {
+      this.utilities = DsqlUtilities.builder()
+          .credentialsProvider(credentialsProvider)
+          .region(region)
+          .build();
+    }
+    if (username.equals("admin")) {
+      return this.utilities.generateDbConnectAdminAuthToken((builder) ->
+          builder.hostname(hostname).region(region)
+      );
+    } else {
+      return this.utilities.generateDbConnectAuthToken((builder) ->
+          builder.hostname(hostname).region(region)
+      );
+    }
+  }
+}

wrapper/src/test/java/software/amazon/jdbc/plugin/iam/DsqlIamConnectionPluginTest.java

@@ -0,0 +1,142 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package software.amazon.jdbc.plugin.iam;
+
+import static org.junit.jupiter.api.Assertions.*;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.*;
+import static software.amazon.jdbc.plugin.iam.DsqlTokenUtilityTest.*;
+
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.util.List;
+import java.util.Properties;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.MockitoAnnotations;
+import software.amazon.awssdk.regions.Region;
+import software.amazon.jdbc.*;
+import software.amazon.jdbc.dialect.Dialect;
+import software.amazon.jdbc.hostavailability.SimpleHostAvailabilityStrategy;
+import software.amazon.jdbc.plugin.TokenInfo;
+import software.amazon.jdbc.util.IamAuthUtils;
+import software.amazon.jdbc.util.telemetry.TelemetryContext;
+import software.amazon.jdbc.util.telemetry.TelemetryFactory;
+import software.amazon.jdbc.util.telemetry.TelemetryTraceLevel;
+
+class DsqlIamConnectionPluginTest {
+
+  private static final Region TEST_REGION = Region.US_EAST_1;
+  private static final String TEST_HOSTNAME = String.format("foo0bar1baz2quux3quuux4.dsql.%s.on.aws", TEST_REGION);
+  private static final int TEST_PORT = 5432;
+
+  private static final String DRIVER_PROTOCOL = "jdbc:postgresql:";
+  private static final HostSpec HOST_SPEC = new HostSpecBuilder(new SimpleHostAvailabilityStrategy())
+      .host(TEST_HOSTNAME).port(TEST_PORT).build();
+
+  private static final String DEFAULT_USERNAME = "admin";
+
+  private final Properties props = new Properties();
+
+  private AutoCloseable cleanMocksCallback;
+  @Mock private Connection mockConnection;
+  @Mock private PluginService mockPluginService;
+  @Mock private Dialect mockDialect;
+  @Mock private TelemetryFactory mockTelemetryFactory;
+  @Mock private TelemetryContext mockTelemetryContext;
+  @Mock private JdbcCallable<Connection, SQLException> mockLambda;
+  @Mock private ConnectionProvider mockConnectionProvider;
+  @Mock private PluginManagerService mockPluginManagerService;
+
+  @BeforeEach
+  public void init() {
+    cleanMocksCallback = MockitoAnnotations.openMocks(this);
+
+    IamAuthConnectionPlugin.clearCache();
+
+    props.setProperty(PropertyDefinition.USER.name, DEFAULT_USERNAME);
+    props.setProperty("iamRegion", Region.US_EAST_1.toString());
+    props.setProperty(PropertyDefinition.PLUGINS.name, "dsql");
+
+    doReturn(mockDialect).when(mockPluginService).getDialect();
+    doReturn(TEST_PORT).when(mockDialect).getDefaultPort();
+    doReturn(mockTelemetryFactory).when(mockPluginService).getTelemetryFactory();
+    doReturn(mockTelemetryContext).when(mockTelemetryFactory)
+        .openTelemetryContext(anyString(), eq(TelemetryTraceLevel.NESTED));
+  }
+
+  @AfterEach
+  public void cleanup() throws Exception {
+    cleanMocksCallback.close();
+  }
+
+  @SuppressWarnings("resource") // Prevent Mockito warning when mocking closeable return type.
+  private void assertPluginProvidesDsqlTokens(final ConnectionPlugin plugin, final String username) throws SQLException {
+    Mockito.doReturn(mockConnection).when(mockLambda).call();
+
+    plugin
+        .connect(DRIVER_PROTOCOL, HOST_SPEC, props, true, mockLambda)
+        .close();
+
+    final String cacheKey = IamAuthUtils.getCacheKey(
+        username,
+        TEST_HOSTNAME,
+        TEST_PORT,
+        TEST_REGION);
+
+    final TokenInfo info = IamAuthCacheHolder.tokenCache.get(cacheKey);
+    final String token = info.getToken();
+
+    assertTokenContainsProperties(token, TEST_HOSTNAME, username);
+  }
+
+  @Test
+  public void testDsqlPluginRegistration() throws SQLException {
+    ConnectionPluginChainBuilder builder = new ConnectionPluginChainBuilder();
+
+    final List<ConnectionPlugin> result = builder.getPlugins(
+        mockPluginService,
+        mockConnectionProvider,
+        null,
+        mockPluginManagerService,
+        props,
+        null);
+
+    // 2 because default plugin is always included.
+    assertEquals(2, result.size());
+    final ConnectionPlugin plugin = result.get(0);
+
+    assertInstanceOf(IamAuthConnectionPlugin.class, plugin);
+    assertPluginProvidesDsqlTokens(plugin, DEFAULT_USERNAME);
+  }
+
+  @ParameterizedTest
+  @ValueSource(strings = {REGULAR_USER, ADMIN_USER})
+  public void testDsqlTokenGeneratedBasedOnUser(final String username) throws SQLException {
+    props.setProperty(PropertyDefinition.USER.name, username);
+
+    final DsqlIamConnectionPluginFactory factory = new DsqlIamConnectionPluginFactory();
+    final ConnectionPlugin plugin = factory.getInstance(mockPluginService, props);
+    assertPluginProvidesDsqlTokens(plugin, username);
+  }
+}