diff --git a/.changelog/1733238900.md b/.changelog/1733238900.md new file mode 100644 index 0000000000..46630326b1 --- /dev/null +++ b/.changelog/1733238900.md @@ -0,0 +1,30 @@ +--- +applies_to: ["aws-sdk-rust"] +authors: ["Velfi"] +references: [] +breaking: false +new_feature: true +bug_fix: false +--- + +Add auth token generator for Amazon Aurora DSQL. + +```rust +use aws_sdk_dsql::auth_token::{AuthTokenGenerator, Config}; + +#[tokio::main] +async fn main() { + let cfg = aws_config::load_defaults(BehaviorVersion::latest()).await; + let generator = AuthTokenGenerator::new( + Config::builder() + .hostname("peccy.dsql.us-east-1.on.aws") + .build() + .expect("cfg is valid"), + ); + let token = generator.auth_token(&cfg).await.unwrap(); + println!("{token}"); +} +``` + +The resulting token can then be used as a password when connecting to the +database server. diff --git a/aws/rust-runtime/aws-config/Cargo.lock b/aws/rust-runtime/aws-config/Cargo.lock index 7379084a85..fb89c36ad0 100644 --- a/aws/rust-runtime/aws-config/Cargo.lock +++ b/aws/rust-runtime/aws-config/Cargo.lock @@ -89,7 +89,7 @@ dependencies = [ [[package]] name = "aws-runtime" -version = "1.4.4" +version = "1.5.0" dependencies = [ "aws-credential-types", "aws-sigv4", @@ -221,7 +221,7 @@ dependencies = [ [[package]] name = "aws-smithy-json" -version = "0.60.7" +version = "0.61.1" dependencies = [ "aws-smithy-types", ] diff --git a/aws/rust-runtime/aws-inlineable/src/dsql_auth_token.rs b/aws/rust-runtime/aws-inlineable/src/dsql_auth_token.rs new file mode 100644 index 0000000000..8d8dc766d5 --- /dev/null +++ b/aws/rust-runtime/aws-inlineable/src/dsql_auth_token.rs @@ -0,0 +1,304 @@ +/* + * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. + * SPDX-License-Identifier: Apache-2.0 + */ + +//! Code related to creating signed URLs for logging in to DSQL. + +use aws_credential_types::provider::{ProvideCredentials, SharedCredentialsProvider}; +use aws_sigv4::http_request; +use aws_sigv4::http_request::{SignableBody, SignableRequest, SigningSettings}; +use aws_sigv4::sign::v4; +use aws_smithy_runtime_api::box_error::BoxError; +use aws_smithy_runtime_api::client::identity::Identity; +use aws_types::region::Region; +use std::fmt; +use std::fmt::Debug; +use std::time::Duration; + +const ACTION: &str = "DbConnect"; +const ACTION_ADMIN: &str = "DbConnectAdmin"; +const SERVICE: &str = "dsql"; + +/// A signer that generates an auth token for a database. +/// +/// ## Example +/// +/// ```ignore +/// use crate::auth_token::{AuthTokenGenerator, Config}; +/// +/// #[tokio::main] +/// async fn main() { +/// let cfg = aws_config::load_defaults(BehaviorVersion::latest()).await; +/// let generator = AuthTokenGenerator::new( +/// Config::builder() +/// .hostname("peccy.dsql.us-east-1.on.aws") +/// .build() +/// .expect("cfg is valid"), +/// ); +/// let token = generator.auth_token(&cfg).await.unwrap(); +/// println!("{token}"); +/// } +/// ``` +#[derive(Debug)] +pub struct AuthTokenGenerator { + config: Config, +} + +/// An auth token usable as a password for a DSQL database. +/// +/// This struct can be converted into a `&str` by calling `as_str` +/// or converted into a `String` by calling `to_string()`. +#[derive(Clone, Debug, PartialEq, Eq)] +pub struct AuthToken { + inner: String, +} + +impl AuthToken { + /// Return the auth token as a `&str`. + #[must_use] + pub fn as_str(&self) -> &str { + &self.inner + } +} + +impl fmt::Display for AuthToken { + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + write!(f, "{}", self.inner) + } +} + +impl AuthTokenGenerator { + /// Given a `Config`, create a new DSQL database login URL signer. + pub fn new(config: Config) -> Self { + Self { config } + } + + /// Return a signed URL usable as an auth token. + pub async fn db_connect_auth_token( + &self, + config: &aws_types::sdk_config::SdkConfig, + ) -> Result { + self.inner(config, ACTION).await + } + + /// Return a signed URL usable as an admin auth token. + pub async fn db_connect_admin_auth_token( + &self, + config: &aws_types::sdk_config::SdkConfig, + ) -> Result { + self.inner(config, ACTION_ADMIN).await + } + + async fn inner( + &self, + config: &aws_types::sdk_config::SdkConfig, + action: &str, + ) -> Result { + let credentials = self + .config + .credentials() + .or(config.credentials_provider()) + .ok_or("credentials are required to create a signed URL for DSQL")? + .provide_credentials() + .await?; + let identity: Identity = credentials.into(); + let region = self + .config + .region() + .or(config.region()) + .ok_or("a region is required")?; + let time = config.time_source().ok_or("a time source is required")?; + + let mut signing_settings = SigningSettings::default(); + signing_settings.expires_in = + Some(Duration::from_secs(self.config.expires_in().unwrap_or(900))); + signing_settings.signature_location = http_request::SignatureLocation::QueryParams; + + let signing_params = v4::SigningParams::builder() + .identity(&identity) + .region(region.as_ref()) + .name(SERVICE) + .time(time.now()) + .settings(signing_settings) + .build()?; + + let url = format!("https://{}/?Action={}", self.config.hostname(), action); + let signable_request = + SignableRequest::new("GET", &url, std::iter::empty(), SignableBody::Bytes(&[])) + .expect("signable request"); + + let (signing_instructions, _signature) = + http_request::sign(signable_request, &signing_params.into())?.into_parts(); + + let mut url = url::Url::parse(&url).unwrap(); + for (name, value) in signing_instructions.params() { + url.query_pairs_mut().append_pair(name, value); + } + let inner = url.to_string().split_off("https://".len()); + + Ok(AuthToken { inner }) + } +} + +/// Configuration for a DSQL auth URL signer. +#[derive(Debug, Clone)] +pub struct Config { + /// The AWS credentials to sign requests with. + /// + /// Uses the default credential provider chain if not specified. + credentials: Option, + + /// The hostname of the database to connect to. + hostname: String, + + /// The region the database is located in. Uses the region inferred from the runtime if omitted. + region: Option, + + /// The number of seconds the signed URL should be valid for. + expires_in: Option, +} + +impl Config { + /// Create a new `SignerConfigBuilder`. + pub fn builder() -> ConfigBuilder { + ConfigBuilder::default() + } + + /// The AWS credentials to sign requests with. + pub fn credentials(&self) -> Option { + self.credentials.clone() + } + + /// The hostname of the database to connect to. + pub fn hostname(&self) -> &str { + &self.hostname + } + + /// The region to sign requests with. + pub fn region(&self) -> Option<&Region> { + self.region.as_ref() + } + + /// The number of seconds the signed URL should be valid for. + pub fn expires_in(&self) -> Option { + self.expires_in + } +} + +/// A builder for [`Config`]s. +#[derive(Debug, Default)] +pub struct ConfigBuilder { + /// The AWS credentials to create the auth token with. + /// + /// Uses the default credential provider chain if not specified. + credentials: Option, + + /// The hostname of the database to connect to. + hostname: Option, + + /// The region the database is located in. Uses the region inferred from the runtime if omitted. + region: Option, + + /// The number of seconds the auth token should be valid for. + expires_in: Option, +} + +impl ConfigBuilder { + /// The AWS credentials to create the auth token with. + /// + /// Uses the default credential provider chain if not specified. + pub fn credentials(mut self, credentials: impl ProvideCredentials + 'static) -> Self { + self.credentials = Some(SharedCredentialsProvider::new(credentials)); + self + } + + /// The hostname of the database to connect to. + pub fn hostname(mut self, hostname: impl Into) -> Self { + self.hostname = Some(hostname.into()); + self + } + + /// The region the database is located in. + pub fn region(mut self, region: Region) -> Self { + self.region = Some(region); + self + } + + /// The number of seconds the signed URL should be valid for. + /// + /// Maxes out at 900 seconds. + pub fn expires_in(mut self, expires_in: u64) -> Self { + self.expires_in = Some(expires_in); + self + } + + /// Consume this builder, returning an error if required fields are missing. + /// Otherwise, return a new `SignerConfig`. + pub fn build(self) -> Result { + Ok(Config { + credentials: self.credentials, + hostname: self.hostname.ok_or("A hostname is required")?, + region: self.region, + expires_in: self.expires_in, + }) + } +} + +#[cfg(test)] +mod test { + use super::{AuthTokenGenerator, Config}; + use aws_credential_types::provider::SharedCredentialsProvider; + use aws_credential_types::Credentials; + use aws_smithy_async::test_util::ManualTimeSource; + use aws_types::region::Region; + use aws_types::SdkConfig; + use std::time::{Duration, UNIX_EPOCH}; + + #[tokio::test] + async fn signing_works() { + let time_source = ManualTimeSource::new(UNIX_EPOCH + Duration::from_secs(1724716800)); + let sdk_config = SdkConfig::builder() + .credentials_provider(SharedCredentialsProvider::new(Credentials::new( + "akid", "secret", None, None, "test", + ))) + .time_source(time_source) + .build(); + let signer = AuthTokenGenerator::new( + Config::builder() + .hostname("peccy.dsql.us-east-1.on.aws") + .region(Region::new("us-east-1")) + .expires_in(450) + .build() + .unwrap(), + ); + + let signed_url = signer.db_connect_auth_token(&sdk_config).await.unwrap(); + assert_eq!(signed_url.as_str(), "peccy.dsql.us-east-1.on.aws/?Action=DbConnect&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=akid%2F20240827%2Fus-east-1%2Fdsql%2Faws4_request&X-Amz-Date=20240827T000000Z&X-Amz-Expires=450&X-Amz-SignedHeaders=host&X-Amz-Signature=f5f2ad764ca5df44045d4ab6ccecba0eef941b0007e5765885a0b6ed3702a3f8"); + } + + #[tokio::test] + async fn signing_works_admin() { + let time_source = ManualTimeSource::new(UNIX_EPOCH + Duration::from_secs(1724716800)); + let sdk_config = SdkConfig::builder() + .credentials_provider(SharedCredentialsProvider::new(Credentials::new( + "akid", "secret", None, None, "test", + ))) + .time_source(time_source) + .build(); + let signer = AuthTokenGenerator::new( + Config::builder() + .hostname("peccy.dsql.us-east-1.on.aws") + .region(Region::new("us-east-1")) + .expires_in(450) + .build() + .unwrap(), + ); + + let signed_url = signer + .db_connect_admin_auth_token(&sdk_config) + .await + .unwrap(); + assert_eq!(signed_url.as_str(), "peccy.dsql.us-east-1.on.aws/?Action=DbConnectAdmin&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=akid%2F20240827%2Fus-east-1%2Fdsql%2Faws4_request&X-Amz-Date=20240827T000000Z&X-Amz-Expires=450&X-Amz-SignedHeaders=host&X-Amz-Signature=267cf8d04d84444f7a62d5bdb40c44bfc6cb13dd6c64fa7f772df6bbaa90fff1"); + } +} diff --git a/aws/rust-runtime/aws-inlineable/src/lib.rs b/aws/rust-runtime/aws-inlineable/src/lib.rs index 3a07c16b56..88916c06c4 100644 --- a/aws/rust-runtime/aws-inlineable/src/lib.rs +++ b/aws/rust-runtime/aws-inlineable/src/lib.rs @@ -66,4 +66,5 @@ pub mod s3_expires_interceptor; #[derive(Debug)] pub struct Client; +pub mod dsql_auth_token; pub mod rds_auth_token; diff --git a/aws/sdk-codegen/src/main/kotlin/software/amazon/smithy/rustsdk/AwsCodegenDecorator.kt b/aws/sdk-codegen/src/main/kotlin/software/amazon/smithy/rustsdk/AwsCodegenDecorator.kt index afa1afe607..5f232826e6 100644 --- a/aws/sdk-codegen/src/main/kotlin/software/amazon/smithy/rustsdk/AwsCodegenDecorator.kt +++ b/aws/sdk-codegen/src/main/kotlin/software/amazon/smithy/rustsdk/AwsCodegenDecorator.kt @@ -15,6 +15,7 @@ import software.amazon.smithy.rustsdk.customize.RemoveDefaultsDecorator import software.amazon.smithy.rustsdk.customize.apigateway.ApiGatewayDecorator import software.amazon.smithy.rustsdk.customize.applyDecorators import software.amazon.smithy.rustsdk.customize.applyExceptFor +import software.amazon.smithy.rustsdk.customize.dsql.DsqlDecorator import software.amazon.smithy.rustsdk.customize.ec2.Ec2Decorator import software.amazon.smithy.rustsdk.customize.glacier.GlacierDecorator import software.amazon.smithy.rustsdk.customize.lambda.LambdaDecorator @@ -75,6 +76,7 @@ val DECORATORS: List = RetryClassifierDecorator().applyExceptFor("com.amazonaws.s3#AmazonS3"), // Service specific decorators ApiGatewayDecorator().onlyApplyTo("com.amazonaws.apigateway#BackplaneControlService"), + DsqlDecorator().onlyApplyTo("com.amazonaws.dsql#AxdbFrontend"), Ec2Decorator().onlyApplyTo("com.amazonaws.ec2#AmazonEC2"), GlacierDecorator().onlyApplyTo("com.amazonaws.glacier#Glacier"), LambdaDecorator().onlyApplyTo("com.amazonaws.lambda#AWSGirApiService"), diff --git a/aws/sdk-codegen/src/main/kotlin/software/amazon/smithy/rustsdk/customize/dsql/DsqlDecorator.kt b/aws/sdk-codegen/src/main/kotlin/software/amazon/smithy/rustsdk/customize/dsql/DsqlDecorator.kt new file mode 100644 index 0000000000..998ae3bd17 --- /dev/null +++ b/aws/sdk-codegen/src/main/kotlin/software/amazon/smithy/rustsdk/customize/dsql/DsqlDecorator.kt @@ -0,0 +1,45 @@ +/* + * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. + * SPDX-License-Identifier: Apache-2.0 + */ +package software.amazon.smithy.rustsdk.customize.dsql + +import software.amazon.smithy.rust.codegen.client.smithy.ClientCodegenContext +import software.amazon.smithy.rust.codegen.client.smithy.customize.ClientCodegenDecorator +import software.amazon.smithy.rust.codegen.core.rustlang.CargoDependency +import software.amazon.smithy.rust.codegen.core.rustlang.Visibility +import software.amazon.smithy.rust.codegen.core.rustlang.rust +import software.amazon.smithy.rust.codegen.core.smithy.RuntimeType +import software.amazon.smithy.rust.codegen.core.smithy.RustCrate +import software.amazon.smithy.rustsdk.AwsCargoDependency +import software.amazon.smithy.rustsdk.InlineAwsDependency + +class DsqlDecorator : ClientCodegenDecorator { + override val name: String = "DSQL" + override val order: Byte = 0 + + override fun extras( + codegenContext: ClientCodegenContext, + rustCrate: RustCrate, + ) { + val rc = codegenContext.runtimeConfig + + rustCrate.lib { + // We should have a better way of including an inline dependency. + rust( + "// include #T;", + RuntimeType.forInlineDependency( + InlineAwsDependency.forRustFileAs( + "dsql_auth_token", + "auth_token", + Visibility.PUBLIC, + AwsCargoDependency.awsSigv4(rc), + CargoDependency.smithyRuntimeApiClient(rc), + CargoDependency.smithyAsync(rc).toDevDependency().withFeature("test-util"), + CargoDependency.Url, + ), + ), + ) + } + } +} diff --git a/codegen-server-test/build.gradle.kts b/codegen-server-test/build.gradle.kts index 808d476058..5d9464b3a4 100644 --- a/codegen-server-test/build.gradle.kts +++ b/codegen-server-test/build.gradle.kts @@ -21,6 +21,8 @@ val properties = PropertyRetriever(rootProject, project) val pluginName = "rust-server-codegen" val workingDirUnderBuildDir = "smithyprojections/codegen-server-test/" +val checkedInSmithyRuntimeLockfile = rootProject.projectDir.resolve("rust-runtime/Cargo.lock") + dependencies { implementation(project(":codegen-server")) implementation("software.amazon.smithy:smithy-aws-protocol-tests:$smithyVersion") @@ -104,9 +106,10 @@ val allCodegenTests = "../codegen-core/common-test-models".let { commonModels -> project.registerGenerateSmithyBuildTask(rootProject, pluginName, allCodegenTests) project.registerGenerateCargoWorkspaceTask(rootProject, pluginName, allCodegenTests, workingDirUnderBuildDir) project.registerGenerateCargoConfigTomlTask(layout.buildDirectory.dir(workingDirUnderBuildDir).get().asFile) +project.registerCopyCheckedInCargoLockfileTask(checkedInSmithyRuntimeLockfile, layout.buildDirectory.dir(workingDirUnderBuildDir).get().asFile) tasks["smithyBuild"].dependsOn("generateSmithyBuild") -tasks["assemble"].finalizedBy("generateCargoWorkspace", "generateCargoConfigToml") +tasks["assemble"].finalizedBy("generateCargoWorkspace", "copyCheckedInCargoLockfile", "generateCargoConfigToml") project.registerModifyMtimeTask() project.registerCargoCommandsTasks(layout.buildDirectory.dir(workingDirUnderBuildDir).get().asFile) diff --git a/rust-runtime/Cargo.lock b/rust-runtime/Cargo.lock index a1c8a25ded..1c4c428db5 100644 --- a/rust-runtime/Cargo.lock +++ b/rust-runtime/Cargo.lock @@ -219,7 +219,7 @@ dependencies = [ "aws-smithy-checksums 0.60.13 (registry+https://github.com/rust-lang/crates.io-index)", "aws-smithy-eventstream 0.60.5 (registry+https://github.com/rust-lang/crates.io-index)", "aws-smithy-http 0.60.11 (registry+https://github.com/rust-lang/crates.io-index)", - "aws-smithy-json 0.60.7 (registry+https://github.com/rust-lang/crates.io-index)", + "aws-smithy-json 0.60.7", "aws-smithy-runtime 1.7.3", "aws-smithy-runtime-api 1.7.3 (registry+https://github.com/rust-lang/crates.io-index)", "aws-smithy-types 1.2.9 (registry+https://github.com/rust-lang/crates.io-index)", @@ -468,7 +468,7 @@ version = "0.63.3" dependencies = [ "aws-smithy-cbor", "aws-smithy-http 0.60.11", - "aws-smithy-json 0.60.7", + "aws-smithy-json 0.61.1", "aws-smithy-runtime-api 1.7.3", "aws-smithy-types 1.2.9", "aws-smithy-xml 0.60.9", @@ -499,7 +499,7 @@ version = "0.63.2" dependencies = [ "aws-smithy-http 0.60.11", "aws-smithy-http-server", - "aws-smithy-json 0.60.7", + "aws-smithy-json 0.61.1", "aws-smithy-types 1.2.9", "aws-smithy-xml 0.60.9", "bytes", @@ -539,19 +539,19 @@ version = "0.60.3" [[package]] name = "aws-smithy-json" version = "0.60.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4683df9469ef09468dad3473d129960119a0d3593617542b7d52086c8486f2d6" dependencies = [ - "aws-smithy-types 1.2.9", - "proptest", - "serde_json", + "aws-smithy-types 1.2.9 (registry+https://github.com/rust-lang/crates.io-index)", ] [[package]] name = "aws-smithy-json" -version = "0.60.7" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4683df9469ef09468dad3473d129960119a0d3593617542b7d52086c8486f2d6" +version = "0.61.1" dependencies = [ - "aws-smithy-types 1.2.9 (registry+https://github.com/rust-lang/crates.io-index)", + "aws-smithy-types 1.2.9", + "proptest", + "serde_json", ] [[package]] @@ -1988,7 +1988,7 @@ dependencies = [ "aws-smithy-cbor", "aws-smithy-compression", "aws-smithy-http 0.60.11", - "aws-smithy-json 0.60.7", + "aws-smithy-json 0.61.1", "aws-smithy-runtime 1.7.4", "aws-smithy-runtime-api 1.7.3", "aws-smithy-types 1.2.9",