v0.3.0 Changes (#4)

* Refactor of auth mechanisms
* Refactor of package structure

.gitignore

@@ -1,15 +1,15 @@
-# Binaries for programs and plugins
-*.exe
-*.exe~
-*.dll
-*.so
-*.dylib
-
-# Test binary, built with `go test -c`
-*.test
-
-# Output of the go coverage tool, specifically when used with LiteIDE
-*.out
-
-# Dependency directories (remove the comment below to include it)
-# vendor/
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Dependency directories (remove the comment below to include it)
+# vendor/

LICENSE

@@ -1,21 +1,21 @@
-MIT License
-
-Copyright (c) 2022 Invicton Labs (https://invictonlabs.com)
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+MIT License
+
+Copyright (c) 2022 Invicton Labs (https://invictonlabs.com)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -1,18 +1,18 @@
-# GORM Dynamic Authentication
-
-This package implements easy-to-use dynamic authentication for GORM connections. This is useful when using any kind of authentication mechanism where credentials may change between when the GORM handle is initially created and when new connections may open. Examples could include username/password credentials that are rotated frequently, or IAM authentication with AWS RDS.
-
-
-## Database Support
-
-This package supports MySQL, and theoretically supports PostgreSQL as well, although that has not yet been tested. It is built in a modular fashion that supports the implementation of additional databases as well. See the `connectors` and `dialectors` submodules.
-
-
-## Examples
-
-We have provided examples for the following use cases:
-
-- [Generic username/password MySQL](https://github.com/Invicton-Labs/gorm-auth/blob/main/examples/aws-rds-mysql-password-auth.go)
-- [AWS RDS IAM authentication for MySQL](https://github.com/Invicton-Labs/gorm-auth/blob/main/examples/aws-rds-mysql-iam-auth.go).
-
-For more custom implementations (multiple sources, multiple replicas, etc.), see the internal workings of the functions used in the examples.
+# GORM Dynamic Authentication
+
+This package implements easy-to-use dynamic authentication for GORM connections. This is useful when using any kind of authentication mechanism where credentials may change between when the GORM handle is initially created and when new connections may open. Examples could include username/password credentials that are rotated frequently, or IAM authentication with AWS RDS.
+
+
+## Database Support
+
+This package supports MySQL, and theoretically supports PostgreSQL as well, although that has not yet been tested. It is built in a modular fashion that supports the implementation of additional databases as well. See the `connectors` and `dialectors` submodules.
+
+
+## Examples
+
+We have provided examples for the following use cases:
+
+- [Generic username/password MySQL](https://github.com/Invicton-Labs/gorm-auth/blob/main/examples/aws-rds-mysql-password-auth.go)
+- [AWS RDS IAM authentication for MySQL](https://github.com/Invicton-Labs/gorm-auth/blob/main/examples/aws-rds-mysql-iam-auth.go).
+
+For more custom implementations (multiple sources, multiple replicas, etc.), see the internal workings of the functions used in the examples.

authenticators/authenticators.go

@@ -0,0 +1,18 @@
+package authenticators
+
+import (
+	"context"
+
+	"github.com/Invicton-Labs/go-stackerr"
+	"github.com/Invicton-Labs/gorm-auth/dialectors"
+	"github.com/go-sql-driver/mysql"
+)
+
+type AuthenticationSettings interface {
+	// UpdateConfigWithAuth adds authentication parameters
+	// to an existing mysql.Config struct.
+	UpdateConfigWithAuth(ctx context.Context, config mysql.Config) (*mysql.Config, stackerr.Error)
+	// UpdateDialectorSettings updates the dialector settings with
+	// override values required by this authentication method
+	UpdateDialectorSettings(dialectors.MysqlDialectorInput) (dialectors.MysqlDialectorInput, stackerr.Error)
+}

authenticators/aws-iam.go

@@ -0,0 +1,93 @@
+package authenticators
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+
+	"github.com/Invicton-Labs/go-stackerr"
+	"github.com/Invicton-Labs/gorm-auth/dialectors"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	awsconfig "github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/feature/rds/auth"
+	"github.com/go-sql-driver/mysql"
+)
+
+var (
+	rdsHostRegionRegexp       *regexp.Regexp = regexp.MustCompile(`^[^.]+\.[^.]+\.([a-z]+-[a-z]+-[0-9]+)\.rds\.amazonaws\.com$`)
+	rdsHostRegionRegexpReader *regexp.Regexp = regexp.MustCompile(`^reader\.endpoint\.proxy-[^.]+\.([a-z]+-[a-z]+-[0-9]+)\.rds\.amazonaws\.com$`)
+)
+
+type MysqlConnectionParametersAwsIam struct {
+	// The host of the primary cluster
+	Host string `json:"host"`
+	// The port to connect to the primary cluster
+	Port int `json:"port"`
+	// The name of the database to connect to
+	Schema string `json:"database"`
+	// The username to connect with
+	Username string `json:"username"`
+	// This is the region that the database is in, not
+	// that we're connecting from. If this field is not
+	// provideed, the connection function will attempt to
+	// parse the region from the host name.
+	Region string `json:"region"`
+	// The AWS config to use for authentication/credentials
+	AwsCredentials aws.CredentialsProvider
+}
+
+func (params *MysqlConnectionParametersAwsIam) UpdateDialectorSettings(dialectorInput dialectors.MysqlDialectorInput) (dialectors.MysqlDialectorInput, stackerr.Error) {
+	// IAM auth rotates tokens frequently, so a new token should be used each time
+	dialectorInput.ShouldReconfigureCallback = nil
+	return dialectorInput, nil
+}
+
+func (params *MysqlConnectionParametersAwsIam) UpdateConfigWithAuth(ctx context.Context, config mysql.Config) (*mysql.Config, stackerr.Error) {
+	if params.Region == "" {
+		// If no region was specified, try to extract it from the hostname
+		regionMatches := rdsHostRegionRegexp.FindStringSubmatch(params.Host)
+		if len(regionMatches) == 0 {
+			regionMatches = rdsHostRegionRegexpReader.FindStringSubmatch(params.Host)
+		}
+		if len(regionMatches) > 1 {
+			params.Region = regionMatches[1]
+		}
+	}
+	if params.Region == "" {
+		return &config, stackerr.Errorf("no database region was provided, and it could not be determined from the host name (%s)", params.Host)
+	}
+
+	// If no credential source is provided, use the default AWS config
+	// from environment variables.
+	if params.AwsCredentials == nil {
+		defaultAwsConfig, err := awsconfig.LoadDefaultConfig(ctx)
+		if err != nil {
+			return nil, stackerr.Wrap(err)
+		}
+		params.AwsCredentials = defaultAwsConfig.Credentials
+	}
+
+	addr := fmt.Sprintf("%s:%d", params.Host, params.Port)
+	authenticationToken, err := auth.BuildAuthToken(
+		ctx,
+		addr,
+		params.Region,
+		params.Username,
+		params.AwsCredentials,
+	)
+	if err != nil {
+		return nil, stackerr.Wrap(err)
+	}
+
+	config.User = params.Username
+	config.Passwd = authenticationToken
+	config.Addr = addr
+	config.DBName = params.Schema
+
+	// IAM requires clear text authentication
+	config.AllowCleartextPasswords = true
+	// IAM requires native password authentication
+	config.AllowNativePasswords = true
+
+	return &config, nil
+}

authenticators/password.go

@@ -0,0 +1,45 @@
+package authenticators
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/Invicton-Labs/go-stackerr"
+	"github.com/Invicton-Labs/gorm-auth/dialectors"
+	"github.com/go-sql-driver/mysql"
+)
+
+type PasswordCredentials struct {
+	// The username to connect to the database with
+	Username string `json:"username"`
+	// The password to connect to the database with
+	Password string `json:"password"`
+}
+
+type MysqlConnectionParametersPassword struct {
+	// The host of the primary cluster
+	Host string `json:"host"`
+	// The port to connect to the primary cluster
+	Port int `json:"port"`
+	// The name of the database to connect to
+	Schema string `json:"database"`
+	// A function for dynamically retrieving the username/password
+	GetCredentials func(ctx context.Context) (PasswordCredentials, stackerr.Error)
+}
+
+func (params *MysqlConnectionParametersPassword) UpdateDialectorSettings(dialectorInput dialectors.MysqlDialectorInput) (dialectors.MysqlDialectorInput, stackerr.Error) {
+	return dialectorInput, nil
+}
+
+func (params *MysqlConnectionParametersPassword) UpdateConfigWithAuth(ctx context.Context, config mysql.Config) (*mysql.Config, stackerr.Error) {
+	// Get the credentials
+	creds, err := params.GetCredentials(ctx)
+	if err != nil {
+		return &config, err
+	}
+	config.Addr = fmt.Sprintf("%s:%d", params.Host, params.Port)
+	config.DBName = params.Schema
+	config.User = creds.Username
+	config.Passwd = creds.Password
+	return &config, nil
+}