fix(auth): include DbGroups when getting temp credentials from boto

Author: Brooke-white

redshift_connector/__init__.py

@@ -107,7 +107,7 @@ def connect(
     listen_port: int = 7890,
     login_url: typing.Optional[str] = None,
     auto_create: bool = False,
-    db_groups: typing.Optional[typing.List[str]] = None,
+    db_groups: typing.List[str] = list(),
     force_lowercase: bool = False,
     allow_db_user_override: bool = False,
     log_level: int = 0,

redshift_connector/credentials_holder.py

@@ -42,7 +42,7 @@ def __init__(self: "CredentialsHolder.IamMetadata") -> None:
             self.db_user: typing.Optional[str] = None
             self.saml_db_user: typing.Optional[str] = None
             self.profile_db_user: typing.Optional[str] = None
-            self.db_groups: typing.Optional[str] = None
+            self.db_groups: typing.List[str] = list()
             self.allow_db_user_override: bool = False
             self.force_lowercase: bool = False
 
@@ -73,10 +73,10 @@ def get_profile_db_user(self: "CredentialsHolder.IamMetadata") -> typing.Optiona
         def set_profile_db_user(self: "CredentialsHolder.IamMetadata", profile_db_user: str) -> None:
             self.profile_db_user = profile_db_user
 
-        def get_db_groups(self: "CredentialsHolder.IamMetadata") -> typing.Optional[str]:
+        def get_db_groups(self: "CredentialsHolder.IamMetadata") -> typing.List[str]:
             return self.db_groups
 
-        def set_db_groups(self: "CredentialsHolder.IamMetadata", db_groups: str) -> None:
+        def set_db_groups(self: "CredentialsHolder.IamMetadata", db_groups: typing.List[str]) -> None:
             self.db_groups = db_groups
 
         def get_allow_db_user_override(self: "CredentialsHolder.IamMetadata") -> bool:

redshift_connector/iam_helper.py

@@ -62,7 +62,7 @@ def set_iam_properties(
     listen_port: int,
     login_url: typing.Optional[str],
     auto_create: bool,
-    db_groups: typing.Optional[typing.List[str]],
+    db_groups: typing.List[str],
     force_lowercase: bool,
     allow_db_user_override: bool,
 ) -> None:
@@ -190,7 +190,7 @@ def set_iam_credentials(info: RedshiftProperty) -> None:
         db_user: typing.Optional[str] = metadata.get_db_user()
         saml_db_user: typing.Optional[str] = metadata.get_saml_db_user()
         profile_db_user: typing.Optional[str] = metadata.get_profile_db_user()
-        db_groups: typing.Optional[str] = metadata.get_db_groups()
+        db_groups: typing.List[str] = metadata.get_db_groups()
         force_lowercase: bool = metadata.get_force_lowercase()
         allow_db_user_override: bool = metadata.get_allow_db_user_override()
         if auto_create is True:
@@ -214,9 +214,8 @@ def set_iam_credentials(info: RedshiftProperty) -> None:
             if saml_db_user is not None:
                 info.db_user = saml_db_user
 
-        if (info.db_groups is None) and (db_groups is not None):
-            tmp: typing.List[str] = db_groups.split(",")
-            info.db_groups = [group.lower() for group in tmp]
+        if (len(info.db_groups) == 0) and (len(db_groups) > 0):
+            info.db_groups = db_groups
 
     set_cluster_credentials(provider, info)
 
@@ -240,6 +239,7 @@ def set_cluster_credentials(cred_provider: SamlCredentialsProvider, info: Redshi
         cred: dict = client.get_cluster_credentials(
             DbUser=info.db_user,
             DbName=info.db_name,
+            DbGroups=info.db_groups,
             ClusterIdentifier=info.cluster_identifier,
             AutoCreate=info.auto_create,
         )

redshift_connector/plugin/saml_credentials_provider.py

@@ -26,7 +26,7 @@ def __init__(self: "SamlCredentialsProvider") -> None:
         self.preferred_role: typing.Optional[str] = None
         self.sslInsecure: typing.Optional[bool] = None
         self.db_user: typing.Optional[str] = None
-        self.db_groups: typing.Optional[typing.List[str]] = None
+        self.db_groups: typing.List[str] = list()
         self.force_lowercase: typing.Optional[bool] = None
         self.auto_create: typing.Optional[bool] = None
         self.region: typing.Optional[str] = None
@@ -212,8 +212,7 @@ def read_metadata(self: "SamlCredentialsProvider", doc: bytes) -> CredentialsHol
                 elif name == "https://redshift.amazon.com/SAML/Attributes/AutoCreate":
                     metadata.set_auto_create(value)
                 elif name == "https://redshift.amazon.com/SAML/Attributes/DbGroups":
-                    groups = ",".join([value.contents[0] for value in values])
-                    metadata.set_db_groups(groups)
+                    metadata.set_db_groups([value.contents[0].lower() for value in values])
                 elif name == "https://redshift.amazon.com/SAML/Attributes/ForceLowercase":
                     metadata.set_force_lowercase(value)
 

redshift_connector/redshift_property.py

@@ -27,7 +27,7 @@ class RedshiftProperty:
     credentials_provider: typing.Optional[str] = None
     # A comma-separated list of existing database group names that the DbUser joins for the current session.
     # If not specified, defaults to PUBLIC.
-    db_groups: typing.Optional[typing.List[str]] = None
+    db_groups: typing.List[str] = list()
     # Forces the database group names to be lower case.
     force_lowercase: bool = False
     # This option specifies whether the driver uses the DbUser value from the SAML assertion