feat: IAM auth token generator for RDS (#1851)

sichanyoo · Sichan Yoo · web-flow · commit bd2b0455b920 · 2024-12-30T09:49:50.000-08:00
* Add AuthTokenGenerator

* Move AuthTokenGenerator to Customizations/RDS/

* Add documentation comments to AuthTokenGenerator

* Add codegen for wrapper class to expose AuthTokenGenerator via AWSRDS module instead of AWSClientRuntime module.

* Include generated AuthTokenGenerator wrapper class for reference to reviewers

* Swiftlint; sort imports

* Ktlint; add newline at end of file

---------

Co-authored-by: Sichan Yoo &lt;chanyoo@amazon.com&gt;
diff --git a/Sources/Core/AWSClientRuntime/Sources/AWSClientRuntime/Customizations/RDS/AuthTokenGenerator.swift b/Sources/Core/AWSClientRuntime/Sources/AWSClientRuntime/Customizations/RDS/AuthTokenGenerator.swift
@@ -0,0 +1,100 @@
+//
+// Copyright Amazon.com Inc. or its affiliates.
+// All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+import AwsCommonRuntimeKit
+import class AWSSDKHTTPAuth.AWSSigV4Signer
+import ClientRuntime
+import Smithy
+import SmithyHTTPAPI
+import SmithyHTTPAuth
+import SmithyHTTPAuthAPI
+import SmithyIdentity
+import struct Foundation.Date
+import struct Foundation.TimeInterval
+
+/// A utility class with a single utility method that generates IAM authentication token used for connecting to RDS.
+@_spi(AuthTokenGenerator)
+public class AuthTokenGenerator {
+    public var awsCredentialIdentity: AWSCredentialIdentity
+
+    /// The initializer that takes in AWSCredentialIdentity struct to use to generate the IAM authentication token.
+    public init(awsCredentialIdentity: AWSCredentialIdentity) {
+        self.awsCredentialIdentity = awsCredentialIdentity
+    }
+
+    /// The initializer that takes in a specific AWSCredentialIdentityResolver, used to resolve the AWSCredentialIdentity used to generate the IAM authentication token.
+    public init(awsCredentialIdentityResolver: any AWSCredentialIdentityResolver) async  throws {
+        self.awsCredentialIdentity = try await awsCredentialIdentityResolver.getIdentity()
+    }
+
+    /// Updates the AWS credentials used to generate the IAM auth token.
+    public func updateCredentials(newAWSCredentialIdentity: AWSCredentialIdentity) {
+        self.awsCredentialIdentity = newAWSCredentialIdentity
+    }
+
+    /// Updates the AWS credentials used to generate the IAM auth token by resolving credentials from passed in resolver.
+    public func updateCredentials(awsCredentialIdentityResolver: any AWSCredentialIdentityResolver) async throws {
+        self.awsCredentialIdentity = try await awsCredentialIdentityResolver.getIdentity()
+    }
+
+    /// Generates authenetication token using given inputs to the method and credential identity instance variable.
+    ///
+    /// - Parameters:
+    ///   - endpoint: The endpoint of the RDS instance. E.g., `rdsmysql.123456789012.us-west-2.rds.amazonaws.com`
+    ///   - port: The port of the RDS instance to connect to. E.g., `3306`
+    ///   - region: The region that RDS instance is located in. E.g., `us-west-2`
+    ///   - username: The username of the RDS database user. E.g., `admin`
+    ///   - expiration: The expiration for the token in seconds. Default is 900 seconds (15 minutes).
+    public func generateAuthToken(
+        endpoint: String,
+        port: Int16,
+        region: String,
+        username: String,
+        expiration: TimeInterval = 900
+    ) async throws -> String {
+        CommonRuntimeKit.initialize()
+        let requestBuilder = HTTPRequestBuilder()
+        requestBuilder.withHost(endpoint)
+        requestBuilder.withPort(port)
+
+        // Add the Host header and the required query items for the desired presigned URL.
+        requestBuilder.withHeader(name: "Host", value: "\(endpoint):\(port)")
+        requestBuilder.withQueryItem(URIQueryItem(name: "Action", value: "connect"))
+        requestBuilder.withQueryItem(URIQueryItem(name: "DBUser", value: username))
+
+        let signingConfig = AWSSigningConfig(
+            credentials: self.awsCredentialIdentity,
+            expiration: expiration,
+            signedBodyValue: .empty,
+            flags: SigningFlags(
+                useDoubleURIEncode: true,
+                shouldNormalizeURIPath: true,
+                omitSessionToken: false
+            ),
+            date: Date(),
+            service: "rds-db",
+            region: region,
+            signatureType: .requestQueryParams,
+            signingAlgorithm: .sigv4
+        )
+
+        let signedRequest = await AWSSigV4Signer().sigV4SignedRequest(
+            requestBuilder: requestBuilder,
+            signingConfig: signingConfig
+        )
+
+        guard let presignedURL = signedRequest?.destination.url else {
+            throw ClientError.authError("Failed to generate auth token for RDS.")
+        }
+
+        // Remove https:// from the presigned URL to get final value for RDS auth token.
+        let startIndex = presignedURL.absoluteString.index(presignedURL.absoluteString.startIndex, offsetBy: 8)
+        let rdsAuthToken = String(presignedURL.absoluteString[startIndex...])
+
+        return rdsAuthToken
+    }
+}
diff --git a/Sources/Services/AWSRDS/Sources/AWSRDS/AuthTokenGenerator.swift b/Sources/Services/AWSRDS/Sources/AWSRDS/AuthTokenGenerator.swift
@@ -0,0 +1,63 @@
+//
+// Copyright Amazon.com Inc. or its affiliates.
+// All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+// Code generated by smithy-swift-codegen. DO NOT EDIT!
+
+
+
+@_spi(AuthTokenGenerator) import class AWSClientRuntime.AuthTokenGenerator
+import SmithyIdentity
+import struct Foundation.TimeInterval
+
+/// A utility class with a single utility method that generates IAM authentication token used for connecting to RDS.
+public class AuthTokenGenerator {
+    private let generator: AWSClientRuntime.AuthTokenGenerator
+
+    /// The initializer that takes in AWSCredentialIdentity struct to use to generate the IAM authentication token.
+    public init(awsCredentialIdentity: AWSCredentialIdentity) {
+        self.generator = AWSClientRuntime.AuthTokenGenerator(awsCredentialIdentity: awsCredentialIdentity)
+    }
+
+    /// The initializer that takes in a specific AWSCredentialIdentityResolver, used to resolve the AWSCredentialIdentity used to generate the IAM authentication token.
+    public init(awsCredentialIdentityResolver: any AWSCredentialIdentityResolver) async throws {
+        self.generator = try await AWSClientRuntime.AuthTokenGenerator(awsCredentialIdentityResolver: awsCredentialIdentityResolver)
+    }
+
+    /// Updates the AWS credentials used to generate the IAM auth token.
+    public func updateCredentials(newAWSCredentialIdentity: AWSCredentialIdentity) {
+        generator.updateCredentials(newAWSCredentialIdentity: newAWSCredentialIdentity)
+    }
+
+    /// Updates the AWS credentials used to generate the IAM auth token by resolving credentials from passed in resolver.
+    public func updateCredentials(awsCredentialIdentityResolver: any AWSCredentialIdentityResolver) async throws {
+        try await generator.updateCredentials(awsCredentialIdentityResolver: awsCredentialIdentityResolver)
+    }
+
+    /// Generates authenetication token using given inputs to the method and credential identity instance variable.
+    ///
+    /// - Parameters:
+    ///   - endpoint: The endpoint of the RDS instance. E.g., `rdsmysql.123456789012.us-west-2.rds.amazonaws.com`
+    ///   - port: The port of the RDS instance to connect to. E.g., `3306`
+    ///   - region: The region that RDS instance is located in. E.g., `us-west-2`
+    ///   - username: The username of the RDS database user. E.g., `admin`
+    ///   - expiration: The expiration for the token in seconds. Default is 900 seconds (15 minutes).
+    public func generateAuthToken(
+        endpoint: String,
+        port: Int16,
+        region: String,
+        username: String,
+        expiration: TimeInterval = 900
+    ) async throws -> String {
+        return try await generator.generateAuthToken(
+            endpoint: endpoint,
+            port: port,
+            region: region,
+            username: username,
+            expiration: expiration
+        )
+    }
+}
diff --git a/codegen/smithy-aws-swift-codegen/src/main/kotlin/software/amazon/smithy/aws/swift/codegen/customization/rds/AuthTokenGeneratorIntegration.kt b/codegen/smithy-aws-swift-codegen/src/main/kotlin/software/amazon/smithy/aws/swift/codegen/customization/rds/AuthTokenGeneratorIntegration.kt
@@ -0,0 +1,84 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package software.amazon.smithy.aws.swift.codegen.customization.rds
+
+import software.amazon.smithy.aws.swift.codegen.sdkId
+import software.amazon.smithy.model.Model
+import software.amazon.smithy.model.shapes.ServiceShape
+import software.amazon.smithy.swift.codegen.SwiftDelegator
+import software.amazon.smithy.swift.codegen.SwiftSettings
+import software.amazon.smithy.swift.codegen.core.SwiftCodegenContext
+import software.amazon.smithy.swift.codegen.integration.ProtocolGenerator
+import software.amazon.smithy.swift.codegen.integration.SwiftIntegration
+import software.amazon.smithy.swift.codegen.model.expectShape
+
+class AuthTokenGeneratorIntegration : SwiftIntegration {
+    override fun enabledForService(model: Model, settings: SwiftSettings): Boolean =
+        model.expectShape<ServiceShape>(settings.service).sdkId == "RDS"
+
+    override fun writeAdditionalFiles(
+        ctx: SwiftCodegenContext,
+        protocolGenerationContext: ProtocolGenerator.GenerationContext,
+        delegator: SwiftDelegator
+    ) {
+        delegator.useFileWriter("Sources/${ctx.settings.moduleName}/AuthTokenGenerator.swift") { writer ->
+            val authTokenGeneratorWrapperClass = """
+            @_spi(AuthTokenGenerator) import class AWSClientRuntime.AuthTokenGenerator
+            import SmithyIdentity
+            import struct Foundation.TimeInterval
+
+            /// A utility class with a single utility method that generates IAM authentication token used for connecting to RDS.
+            public class AuthTokenGenerator {
+                private let generator: AWSClientRuntime.AuthTokenGenerator
+
+                /// The initializer that takes in AWSCredentialIdentity struct to use to generate the IAM authentication token.
+                public init(awsCredentialIdentity: AWSCredentialIdentity) {
+                    self.generator = AWSClientRuntime.AuthTokenGenerator(awsCredentialIdentity: awsCredentialIdentity)
+                }
+
+                /// The initializer that takes in a specific AWSCredentialIdentityResolver, used to resolve the AWSCredentialIdentity used to generate the IAM authentication token.
+                public init(awsCredentialIdentityResolver: any AWSCredentialIdentityResolver) async throws {
+                    self.generator = try await AWSClientRuntime.AuthTokenGenerator(awsCredentialIdentityResolver: awsCredentialIdentityResolver)
+                }
+
+                /// Updates the AWS credentials used to generate the IAM auth token.
+                public func updateCredentials(newAWSCredentialIdentity: AWSCredentialIdentity) {
+                    generator.updateCredentials(newAWSCredentialIdentity: newAWSCredentialIdentity)
+                }
+
+                /// Updates the AWS credentials used to generate the IAM auth token by resolving credentials from passed in resolver.
+                public func updateCredentials(awsCredentialIdentityResolver: any AWSCredentialIdentityResolver) async throws {
+                    try await generator.updateCredentials(awsCredentialIdentityResolver: awsCredentialIdentityResolver)
+                }
+
+                /// Generates authenetication token using given inputs to the method and credential identity instance variable.
+                ///
+                /// - Parameters:
+                ///   - endpoint: The endpoint of the RDS instance. E.g., `rdsmysql.123456789012.us-west-2.rds.amazonaws.com`
+                ///   - port: The port of the RDS instance to connect to. E.g., `3306`
+                ///   - region: The region that RDS instance is located in. E.g., `us-west-2`
+                ///   - username: The username of the RDS database user. E.g., `admin`
+                ///   - expiration: The expiration for the token in seconds. Default is 900 seconds (15 minutes).
+                public func generateAuthToken(
+                    endpoint: String,
+                    port: Int16,
+                    region: String,
+                    username: String,
+                    expiration: TimeInterval = 900
+                ) async throws -> String {
+                    return try await generator.generateAuthToken(
+                        endpoint: endpoint,
+                        port: port,
+                        region: region,
+                        username: username,
+                        expiration: expiration
+                    )
+                }
+            }
+            """.trimIndent()
+            writer.write(authTokenGeneratorWrapperClass)
+        }
+    }
+}
diff --git a/codegen/smithy-aws-swift-codegen/src/main/resources/META-INF/services/software.amazon.smithy.swift.codegen.integration.SwiftIntegration b/codegen/smithy-aws-swift-codegen/src/main/resources/META-INF/services/software.amazon.smithy.swift.codegen.integration.SwiftIntegration
@@ -26,3 +26,4 @@ software.amazon.smithy.aws.swift.codegen.AWSClientConfigurationIntegration
 software.amazon.smithy.swift.codegen.swiftintegrations.InitialRequestIntegration
 software.amazon.smithy.aws.swift.codegen.swiftintegrations.RegistryConfigIntegration
 software.amazon.smithy.aws.swift.codegen.swiftintegrations.AmzSdkRetryHeadersIntegration
+software.amazon.smithy.aws.swift.codegen.customization.rds.AuthTokenGeneratorIntegration
