feat: FederatedAuthConnectionPlugin #741
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
aaronchung-bitquill
force-pushed
the
feature/federated-auth-plugin
branch
4 times, most recently
from
a2ac9cd
to
bc89e93
Compare
brunos-bq
reviewed
Nov 17, 2023
docs/using-the-jdbc-driver/using-plugins/UsingTheFederatedAuthPlugin.md
Outdated
Show resolved
Hide resolved
docs/using-the-jdbc-driver/using-plugins/UsingTheFederatedAuthPlugin.md
Outdated
Show resolved
Hide resolved
docs/using-the-jdbc-driver/using-plugins/UsingTheFederatedAuthPlugin.md
Outdated
Show resolved
Hide resolved
...rc/main/java/software/amazon/jdbc/plugin/federatedauth/CredentialsProviderGetterFactory.java
Outdated
Show resolved
Hide resolved
...r/src/main/java/software/amazon/jdbc/plugin/federatedauth/FederatedAuthConnectionPlugin.java
Outdated
Show resolved
Hide resolved
...r/src/main/java/software/amazon/jdbc/plugin/federatedauth/FederatedAuthConnectionPlugin.java
Outdated
Show resolved
Hide resolved
...r/src/main/java/software/amazon/jdbc/plugin/federatedauth/FederatedAuthConnectionPlugin.java
Outdated
Show resolved
Hide resolved
...r/src/main/java/software/amazon/jdbc/plugin/federatedauth/FederatedAuthConnectionPlugin.java
Outdated
Show resolved
Hide resolved
aaronchung-bitquill
force-pushed
the
feature/federated-auth-plugin
branch
from
bc89e93
to
84018c3
Compare
karenc-bq
changed the title
aaronchung-bitquill
force-pushed
the
feature/federated-auth-plugin
branch
9 times, most recently
from
a0c2a31
to
6b73c62
Compare
aaronchung-bitquill
force-pushed
the
feature/federated-auth-plugin
branch
5 times, most recently
from
2419f9e
to
15a5ba6
Compare
sergiyvamz
reviewed
Nov 23, 2023
.../src/main/java/software/amazon/jdbc/plugin/federatedauth/AdfsCredentialsProviderFactory.java
Outdated
Show resolved
Hide resolved
sergiyvamz
reviewed
Nov 23, 2023
.../src/main/java/software/amazon/jdbc/plugin/federatedauth/AdfsCredentialsProviderFactory.java
Outdated
Show resolved
Hide resolved
sergiyvamz
reviewed
Nov 23, 2023
...r/src/main/java/software/amazon/jdbc/plugin/federatedauth/FederatedAuthConnectionPlugin.java
Outdated
Show resolved
Hide resolved
sergiyvamz
reviewed
Nov 23, 2023
...r/src/main/java/software/amazon/jdbc/plugin/federatedauth/FederatedAuthConnectionPlugin.java
Outdated
Show resolved
Hide resolved
sergiyvamz
reviewed
Nov 23, 2023
.../src/main/java/software/amazon/jdbc/plugin/federatedauth/AdfsCredentialsProviderFactory.java
Outdated
Show resolved
Hide resolved
sergiyvamz
reviewed
Nov 23, 2023
...r/src/main/java/software/amazon/jdbc/plugin/federatedauth/FederatedAuthConnectionPlugin.java
Outdated
Show resolved
Hide resolved
sergiyvamz
reviewed
Nov 23, 2023
...r/src/main/java/software/amazon/jdbc/plugin/federatedauth/FederatedAuthConnectionPlugin.java
Outdated
Show resolved
Hide resolved
aaronchung-bitquill
force-pushed
the
feature/federated-auth-plugin
branch
from
d37c8be
to
6bcfc68
Compare
karenc-bq
reviewed
Dec 7, 2023
| @@ -92,7 +93,8 @@ public class ConnectionPluginChainBuilder { | |||
| put(HostMonitoringConnectionPluginFactory.class, 800); | |||
| put(IamAuthConnectionPluginFactory.class, 900); | |||
| put(AwsSecretsManagerConnectionPluginFactory.class, 1000); | |||
| put(LogQueryConnectionPluginFactory.class, 1100); | |||
| put(FederatedAuthPluginFactory.class, 1100); | |||
There was a problem hiding this comment.
What would happen if users provide both IAM and FederatedAuth in their plugin list? Should federated auth be put before IAM?
wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/HttpClientFactory.java
Outdated
Show resolved
Hide resolved
wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/HttpClientFactory.java
Outdated
Show resolved
Hide resolved
.../src/main/java/software/amazon/jdbc/plugin/federatedauth/AdfsCredentialsProviderFactory.java
Outdated
Show resolved
Hide resolved
.../src/main/java/software/amazon/jdbc/plugin/federatedauth/AdfsCredentialsProviderFactory.java
Outdated
Show resolved
Hide resolved
wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/FederatedAuthPluginFactory.java
Outdated
Show resolved
Hide resolved
wrapper/src/main/resources/aws_advanced_jdbc_wrapper_messages.properties
Outdated
Show resolved
Hide resolved
wrapper/src/main/resources/aws_advanced_jdbc_wrapper_messages.properties
Outdated
Show resolved
Hide resolved
| @@ -147,6 +157,17 @@ Failover.failedToUpdateCurrentHostspecAvailability=Failed to update current host | |||
| Failover.noOperationsAfterConnectionClosed=No operations allowed after connection closed. | |||
| Failover.invalidHostListProvider=Incorrect type of host list provider found, please ensure the correct host list provider is specified. The host list provider in use is: ''{0}'', the plugin is expected a cluster-aware host list provider such as the AuroraHostListProvider. | |||
|
|
|||
| # Federated Authentication Connection Plugin | |||
| FederatedAuthPlugin.generatedNewIamToken=Generated new IAM token = ''{0}'' | |||
There was a problem hiding this comment.
Why do we need two sets of the same messages for iam auth and federated auth plugin
wrapper/src/main/resources/aws_advanced_jdbc_wrapper_messages.properties
Outdated
Show resolved
Hide resolved
karenc-bq
reviewed
Dec 7, 2023
| } else if (html.startsWith("<", i)) { | ||
| sb.append('<'); | ||
| i += 4; | ||
| } else if (html.startsWith(">", i)) { |
There was a problem hiding this comment.
Can we use replaceAll to simplify this logic?
karenc-bq
reviewed
Dec 13, 2023
.../src/main/java/software/amazon/jdbc/plugin/federatedauth/AdfsCredentialsProviderFactory.java
Outdated
Show resolved
Hide resolved
joyc-bq
reviewed
Dec 13, 2023
|
|
||
| private String getSignInPageBody(final CloseableHttpClient httpClient, final String uri) throws IOException { | ||
| LOGGER.finest(Messages.get("AdfsCredentialsProviderFactory.signOnPageUrl", new Object[] {uri})); | ||
| validateURL(uri); |
There was a problem hiding this comment.
nit: other method names use "Url", so should be validateUrl()
karenc-bq
reviewed
Dec 13, 2023
.../src/main/java/software/amazon/jdbc/plugin/federatedauth/AdfsCredentialsProviderFactory.java
Outdated
Show resolved
Hide resolved
karenc-bq
reviewed
Dec 13, 2023
.../src/main/java/software/amazon/jdbc/plugin/federatedauth/AdfsCredentialsProviderFactory.java
Outdated
Show resolved
Hide resolved
karenc-bq
reviewed
Dec 13, 2023
.../src/main/java/software/amazon/jdbc/plugin/federatedauth/AdfsCredentialsProviderFactory.java
Outdated
Show resolved
Hide resolved
karenc-bq
reviewed
Dec 13, 2023
.../src/main/java/software/amazon/jdbc/plugin/federatedauth/AdfsCredentialsProviderFactory.java
Outdated
Show resolved
Hide resolved
joyc-bq
reviewed
Dec 13, 2023
wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/FederatedAuthPlugin.java
Outdated
Show resolved
Hide resolved
karenc-bq
reviewed
Dec 13, 2023
karenc-bq
reviewed
Dec 13, 2023
wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/FederatedAuthPlugin.java
Outdated
Show resolved
Hide resolved
aaronchung-bitquill
force-pushed
the
feature/federated-auth-plugin
branch
3 times, most recently
from
c3ef0ad
to
e13a560
Compare
karenc-bq
reviewed
Dec 13, 2023
Comment on lines
+269
to
+284
| final Optional<Region> regionOptional = Region.regions().stream() | ||
| .filter(r -> r.id().equalsIgnoreCase(rdsRegion)) | ||
| .findFirst(); | ||
|
|
||
| if (!regionOptional.isPresent()) { | ||
| final String exceptionMessage = Messages.get( | ||
| "AwsSdk.unsupportedRegion", | ||
| new Object[] {rdsRegion}); | ||
|
|
||
| LOGGER.fine(exceptionMessage); | ||
| throw new SQLException(exceptionMessage); | ||
| } | ||
|
|
||
| return regionOptional.get(); |
There was a problem hiding this comment.
Can we move this validation to RdsUtils? Duplicated code as the IAM plugin.
karenc-bq
reviewed
Dec 13, 2023
| } | ||
| } | ||
|
|
||
| private void updateAuthenticationToken(HostSpec hostSpec, Properties props, Region region, String cacheKey) |
There was a problem hiding this comment.
Can we move these IAM specific methods to IamAuthUtils to reduce duplicated code?
karenc-bq
reviewed
Dec 13, 2023
Comment on lines
107
to
109
| FederatedAuthPlugin plugin = | ||
| new FederatedAuthPlugin(mockPluginService, mockCredentialsProviderFactory); | ||
| FederatedAuthPlugin spyPlugin = Mockito.spy(plugin); |
There was a problem hiding this comment.
Suggested change
| FederatedAuthPlugin plugin = | |
| new FederatedAuthPlugin(mockPluginService, mockCredentialsProviderFactory); | |
| FederatedAuthPlugin spyPlugin = Mockito.spy(plugin); | |
| FederatedAuthPlugin spyPlugin = Mockito.spy(new FederatedAuthPlugin(mockPluginService, mockCredentialsProviderFactory)); |
karenc-bq
reviewed
Dec 13, 2023
| new FederatedAuthPlugin(mockPluginService, mockCredentialsProviderFactory); | ||
|
|
||
| String key = "us-east-2:pg.testdb.us-east-2.rds.amazonaws.com:" + DEFAULT_PORT + ":iamUser"; | ||
| TokenInfo tokenInfo = new TokenInfo( |
There was a problem hiding this comment.
can we make tokenInfo a private static final variable?
aaronchung-bitquill
force-pushed
the
feature/federated-auth-plugin
branch
3 times, most recently
from
ea01672
to
820dbef
Compare
aaronchung-bitquill
force-pushed
the
feature/federated-auth-plugin
branch
from
820dbef
to
02cdd53
Compare
joyc-bq
approved these changes
Dec 14, 2023
| @@ -14,6 +14,15 @@ | |||
| # limitations under the License. | |||
| # | |||
|
|
|||
| # ADFS Credentials Provider Getter | |||
| AdfsCredentialsProviderFactory.failedLogin=Failed login. Could not obtain SAML Assertion from ADFS SignOn Page POST response: \n''{0}'' | |||
| AdfsCredentialsProviderFactory.getSamlAssertionFailed=Failed to get Saml Assertion due to exception: ''{0}'' | |||
There was a problem hiding this comment.
Suggested change
| AdfsCredentialsProviderFactory.getSamlAssertionFailed=Failed to get Saml Assertion due to exception: ''{0}'' | |
| AdfsCredentialsProviderFactory.getSamlAssertionFailed=Failed to get SAML Assertion due to exception: ''{0}'' |
sergiyv-improving
added a commit
to Bit-Quill/aws-advanced-jdbc-wrapper
that referenced
this pull request
Jan 11, 2024
* Configuration Profiles (aws#711) Co-authored-by: sergiyvamz <[email protected]> * chore(deps): bump org.testcontainers:postgresql from 1.19.1 to 1.19.2 (aws#743) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump io.vertx:vertx-stack-depchain from 4.4.6 to 4.5.0 (aws#745) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump org.testcontainers:junit-jupiter from 1.19.1 to 1.19.2 (aws#747) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump io.opentelemetry:opentelemetry-api from 1.31.0 to 1.32.0 (aws#746) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump com.fasterxml.jackson.core:jackson-databind from 2.15.3 to 2.16.0 (aws#744) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Disable failing integration test for PG driver (aws#742) * Configuration Profiles documentation (aws#738) * feat: Autoregister a target driver (aws#748) * chore: reduce log level for intentionally ignored exceptions (aws#751) * chore(deps): bump org.testcontainers:mariadb from 1.19.1 to 1.19.3 (aws#756) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump software.amazon.awssdk:secretsmanager from 2.21.21 to 2.21.31 (aws#762) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump io.opentelemetry:opentelemetry-sdk from 1.31.0 to 1.32.0 (aws#758) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump org.testcontainers:postgresql from 1.19.2 to 1.19.3 (aws#757) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump org.testcontainers:junit-jupiter from 1.19.2 to 1.19.3 (aws#759) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat: node fastest response time strategy (aws#755) * chore: update changelog and versioning for version 2.3.1 (aws#754) * chore(deps): bump org.testcontainers:testcontainers from 1.19.1 to 1.19.3 (aws#771) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump org.mariadb.jdbc:mariadb-java-client from 3.3.0 to 3.3.1 (aws#767) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump org.apache.poi:poi-ooxml from 5.2.4 to 5.2.5 (aws#769) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump software.amazon.awssdk:secretsmanager from 2.21.31 to 2.21.38 (aws#772) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump software.amazon.awssdk:rds from 2.21.11 to 2.21.38 (aws#773) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump software.amazon.awssdk:rds from 2.21.38 to 2.21.42 (aws#776) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump org.postgresql:postgresql from 42.6.0 to 42.7.1 (aws#778) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump software.amazon.awssdk:secretsmanager from 2.21.38 to 2.21.43 (aws#781) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump io.opentelemetry:opentelemetry-exporter-otlp from 1.32.0 to 1.33.0 (aws#777) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: use existing entries to update the round robin cache (aws#739) * set hostId in HostSpec (aws#782) * docs: update HikariCP example to include configuring the datasource with a JDBC URL (aws#749) * Enhanced host monitoring plugin ver.2 (aws#764) * Fix: expose AuroraInitialConnectionStrategyPlugin with a plugin code (aws#784) * feat: FederatedAuthConnectionPlugin (aws#741) * chore: replace synchronized with locks in AwsCredentialsManager (aws#785) * docs: FederatedAuthPlugin (aws#787) Co-authored-by: Karen <[email protected]> * chore(deps): bump io.opentelemetry:opentelemetry-sdk-metrics from 1.32.0 to 1.33.0 (aws#792) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump software.amazon.awssdk:ec2 from 2.21.12 to 2.22.1 (aws#795) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump io.opentelemetry:opentelemetry-api from 1.32.0 to 1.33.0 (aws#794) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump org.junit.jupiter:junit-jupiter-params from 5.10.0 to 5.10.1 (aws#793) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Improve efm2 failure detection timing (aws#797) * chore: update versioning and changelog (aws#791) * fix: SqlMethodAnalyzer to handle empty SQL query and not throw IndexOutOfBoundsException (aws#798) * Add documentation for read/write splitting Spring limitations (aws#800) * Add example code for Read/Write Splitting sample (aws#765) * fix: restructuring try blocks in dialects for exception handling (aws#799) * chore(deps): bump software.amazon.awssdk:secretsmanager from 2.21.43 to 2.22.5 (aws#802) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump io.vertx:vertx-stack-depchain from 4.5.0 to 4.5.1 (aws#803) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump com.amazonaws:aws-xray-recorder-sdk-core from 2.14.0 to 2.15.0 (aws#804) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: add missing log message (aws#801) Co-authored-by: Bruno Paiva Lima da Silva <[email protected]> * fix: making a variable volatile in RdsHostListProvider (aws#806) * chore(deps): bump software.amazon.awssdk:ec2 from 2.22.1 to 2.22.9 (aws#808) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump io.opentelemetry:opentelemetry-sdk from 1.32.0 to 1.33.0 (aws#809) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump org.postgresql:postgresql from 42.6.0 to 42.7.1 (aws#810) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump tj-actions/changed-files from 37 to 41 in /.github/workflows (aws#811) * transfer session state during failover (aws#814) * feat: Session state transfer redesign (aws#821) * chore(deps): bump software.amazon.awssdk:rds from 2.21.42 to 2.22.13 (aws#822) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump software.amazon.awssdk:sts from 2.21.42 to 2.22.13 (aws#823) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump com.fasterxml.jackson.core:jackson-databind from 2.16.0 to 2.16.1 (aws#818) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump com.github.spotbugs from 5.2.+ to 6.0.6 (aws#820) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Improve Multi-AZ cluster detection (aws#824) --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: Bruno Paiva Lima da Silva <[email protected]> Co-authored-by: sergiyvamz <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: sergiyvamz <[email protected]> Co-authored-by: Karen <[email protected]> Co-authored-by: crystall-bitquill <[email protected]> Co-authored-by: aaronchung-bitquill <[email protected]> Co-authored-by: congoamz <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Description
Implement a new connection plugin for Federated Authentication. Currently, supports SAML authentication through ADFS. and authorization by assuming an AWS IAM role.
Additional Reviewers
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.