feat(auth): support IAM credential authentication

Brooke-white · Brooke-white · commit 6af422501124 · 2021-01-25T09:14:04.000-08:00
diff --git a/redshift_connector/__init__.py b/redshift_connector/__init__.py
@@ -94,6 +94,10 @@ def connect(
     app_name: str = "amazon_aws_redshift",
     preferred_role: typing.Optional[str] = None,
     principal_arn: typing.Optional[str] = None,
+    access_key_id: typing.Optional[str] = None,
+    secret_access_key: typing.Optional[str] = None,
+    session_token: typing.Optional[str] = None,
+    profile: typing.Optional[str] = None,
     credentials_provider: typing.Optional[str] = None,
     region: typing.Optional[str] = None,
     cluster_identifier: typing.Optional[str] = None,
@@ -137,6 +141,10 @@ def connect(
         app_name=app_name,
         preferred_role=preferred_role,
         principal_arn=principal_arn,
+        access_key_id=access_key_id,
+        secret_access_key=secret_access_key,
+        session_token=session_token,
+        profile=profile,
         credentials_provider=credentials_provider,
         region=region,
         cluster_identifier=cluster_identifier,
diff --git a/redshift_connector/auth/__init__.py b/redshift_connector/auth/__init__.py
@@ -0,0 +1 @@
+from .aws_credentials_provider import AWSCredentialsProvider
diff --git a/redshift_connector/auth/aws_credentials_provider.py b/redshift_connector/auth/aws_credentials_provider.py
@@ -0,0 +1,114 @@
+import logging
+import typing
+
+from redshift_connector.credentials_holder import (
+    ABCCredentialsHolder,
+    AWSDirectCredentialsHolder,
+    AWSProfileCredentialsHolder,
+)
+from redshift_connector.error import InterfaceError
+
+_logger: logging.Logger = logging.getLogger(__name__)
+
+if typing.TYPE_CHECKING:
+    import boto3  # type: ignore
+
+    from redshift_connector.redshift_property import RedshiftProperty
+
+
+class AWSCredentialsProvider:
+    """
+    A credential provider class for AWS credentials specified via :func:`~redshift_connector.connect` using `profile` or AWS access keys.
+    """
+
+    def __init__(self: "AWSCredentialsProvider") -> None:
+        self.cache: typing.Dict[int, typing.Union[AWSDirectCredentialsHolder, AWSProfileCredentialsHolder]] = {}
+
+        self.access_key_id: typing.Optional[str] = None
+        self.secret_access_key: typing.Optional[str] = None
+        self.session_token: typing.Optional[str] = None
+        self.profile: typing.Optional["boto3.Session"] = None
+
+    def get_cache_key(self: "AWSCredentialsProvider") -> int:
+        """
+        Creates a cache key using the hash of either the end-user provided AWS credential information.
+
+        Returns
+        -------
+        An `int` hash representation of the non-secret portion of credential information: `int`
+        """
+        if self.profile:
+            return hash(self.profile)
+        else:
+            return hash(self.access_key_id)
+
+    def get_credentials(
+        self: "AWSCredentialsProvider",
+    ) -> typing.Union[AWSDirectCredentialsHolder, AWSProfileCredentialsHolder]:
+        """
+        Retrieves a :class`ABCCredentialsHolder` from cache or builds one.
+
+        Returns
+        -------
+        An `AWSCredentialsHolder` object containing end-user specified AWS credential information: :class`ABCAWSCredentialsHolder`
+        """
+        key: int = self.get_cache_key()
+        if key not in self.cache:
+            try:
+                self.refresh()
+            except Exception as e:
+                _logger.error("refresh failed: {}".format(str(e)))
+                raise InterfaceError(e)
+
+        credentials: typing.Union[AWSDirectCredentialsHolder, AWSProfileCredentialsHolder] = self.cache[key]
+
+        if credentials is None:
+            raise InterfaceError("Unable to load AWS credentials")
+
+        return credentials
+
+    def add_parameter(self: "AWSCredentialsProvider", info: "RedshiftProperty") -> None:
+        """
+        Defines instance variables used for creating a :class`ABCCredentialsHolder` object and associated :class:`boto3.Session`
+
+        Parameters
+        ----------
+        info : :class:`RedshiftProperty`
+            The :class:`RedshiftProperty` object created using end-user specified values passed to :func:`~redshift_connector.connect`
+        """
+        self.access_key_id = info.access_key_id
+        self.secret_access_key = info.secret_access_key
+        self.session_token = info.session_token
+        self.profile = info.profile
+
+    def refresh(self: "AWSCredentialsProvider") -> None:
+        """
+        Establishes a :class:`boto3.Session` using end-user specified AWS credential information
+        """
+        import boto3  # type: ignore
+
+        args: typing.Dict[str, str] = {}
+
+        if self.profile is not None:
+            args["profile_name"] = self.profile
+        elif self.access_key_id is not None:
+            args["aws_access_key_id"] = self.access_key_id
+            args["aws_secret_access_key"] = typing.cast(str, self.secret_access_key)
+            if self.session_token is not None:
+                args["aws_session_token"] = self.session_token
+
+        session: boto3.Session = boto3.Session(**args)
+        credentials: typing.Optional[typing.Union[AWSProfileCredentialsHolder, AWSDirectCredentialsHolder]] = None
+
+        if self.profile is not None:
+            credentials = AWSProfileCredentialsHolder(profile=self.profile, session=session)
+        else:
+            credentials = AWSDirectCredentialsHolder(
+                access_key_id=typing.cast(str, self.access_key_id),
+                secret_access_key=typing.cast(str, self.secret_access_key),
+                session_token=self.session_token,
+                session=session,
+            )
+
+        key = self.get_cache_key()
+        self.cache[key] = credentials
diff --git a/redshift_connector/credentials_holder.py b/redshift_connector/credentials_holder.py
@@ -1,10 +1,105 @@
 import datetime
 import typing
+from abc import ABC, abstractmethod
 
+if typing.TYPE_CHECKING:
+    import boto3  # type: ignore
+
+
+class ABCCredentialsHolder(ABC):
+    """
+    Abstract base class used to store credentials for establishing a connection to an Amazon Redshift cluster.
+    """
+
+    @abstractmethod
+    def get_session_credentials(self: "ABCCredentialsHolder"):
+        """
+        A dictionary mapping end-user specified AWS credential value to :func:`boto3.client` parameters.
+
+        Returns
+        _______
+        A dictionary mapping parameter names to end-user specified values: `typing.Dict[str,str]`
+        """
+        pass
+
+    @property
+    def has_associated_session(self: "ABCCredentialsHolder") -> bool:
+        """
+         A boolean value indicating if the current class stores AWS credentials in a :class:`boto3.Session`.
+
+         Returns
+         -------
+        `True` if the current class provides a :class:`boto3.Session` object, otherwise `False` : `bool`
+        """
+        return False
+
+
+class ABCAWSCredentialsHolder(ABC):
+    """
+    Abstract base class used to store AWS credentials provided by user.
+    """
+
+    def __init__(self: "ABCAWSCredentialsHolder", session: "boto3.Session"):
+        self.boto_session = session
+
+    @property
+    def has_associated_session(self: "ABCAWSCredentialsHolder") -> bool:
+        return True
+
+    def get_boto_session(self: "ABCAWSCredentialsHolder") -> "boto3.Session":
+        """
+        The :class:`boto3.Session` created using the end-user's AWS Credentials.
+        Returns
+        -------
+        A boto3 session created with the end-user's AWS Credentials: :class:`boto3.Session`
+        """
+        return self.boto_session
+
+
+class AWSDirectCredentialsHolder(ABCAWSCredentialsHolder):
+    """
+    Credential class used to store AWS credentials provided in :func:`~redshift_connector.connect`.
+    """
+
+    def __init__(
+        self, access_key_id: str, secret_access_key: str, session_token: typing.Optional[str], session: "boto3.Session"
+    ):
+        super().__init__(session)
+        self.access_key_id: str = access_key_id
+        self.secret_access_key: str = secret_access_key
+        self.session_token: typing.Optional[str] = session_token
+        self._session: "boto3.Session" = session
+
+    def get_session_credentials(self: "AWSDirectCredentialsHolder") -> typing.Dict[str, str]:
+        creds: typing.Dict[str, str] = {
+            "aws_access_key_id": self.access_key_id,
+            "aws_secret_access_key": self.secret_access_key,
+        }
+
+        if self.session_token is not None:
+            creds["aws_session_token"] = self.session_token
+
+        return creds
+
+
+class AWSProfileCredentialsHolder(ABCAWSCredentialsHolder):
+    """
+    Credential class used to store AWS Credentials provided in environment IAM credentials.
+    """
+
+    def __init__(self, profile: str, session: "boto3.Session"):
+        super().__init__(session)
+        self.profile = profile
+
+    def get_session_credentials(self: "AWSProfileCredentialsHolder") -> typing.Dict[str, str]:
+        return {"profile": self.profile}
+
+
+class CredentialsHolder(ABCCredentialsHolder):
+    """
+    credentials class used to store credentials and metadata from SAML assertion.
+    """
 
-# credentials class used to store credentials
-# and metadata from SAML assertion
-class CredentialsHolder:
     def __init__(self: "CredentialsHolder", credentials: typing.Dict[str, typing.Any]) -> None:
         self.metadata: "CredentialsHolder.IamMetadata" = CredentialsHolder.IamMetadata()
         self.credentials: typing.Dict[str, typing.Any] = credentials
@@ -28,15 +123,25 @@ def get_aws_secret_key(self: "CredentialsHolder") -> str:
     def get_session_token(self: "CredentialsHolder") -> str:
         return typing.cast(str, self.credentials["SessionToken"])
 
+    def get_session_credentials(self: "CredentialsHolder") -> typing.Dict[str, str]:
+        return {
+            "aws_access_key_id": self.get_aws_access_key_id(),
+            "aws_secret_access_key": self.get_aws_secret_key(),
+            "aws_session_token": self.get_session_token(),
+        }
+
     # The date on which the current credentials expire.
     def get_expiration(self: "CredentialsHolder") -> datetime.datetime:
         return self.expiration
 
     def is_expired(self: "CredentialsHolder") -> bool:
         return datetime.datetime.now() > self.expiration.replace(tzinfo=None)
 
-    # metadata used to store information from SAML assertion
     class IamMetadata:
+        """
+        Metadata used to store information from SAML assertion
+        """
+
         def __init__(self: "CredentialsHolder.IamMetadata") -> None:
             self.auto_create: bool = False
             self.db_user: typing.Optional[str] = None
diff --git a/redshift_connector/iam_helper.py b/redshift_connector/iam_helper.py
diff --git a/redshift_connector/redshift_property.py b/redshift_connector/redshift_property.py

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+from .aws_credentials_provider import AWSCredentialsProvider`