allow the CredentialsProvider to indiciate if cleartext tokens are re…

…quired
authzed · Apr 19, 2024 · 2a1aa40 · 2a1aa40
1 parent 36f968d
commit 2a1aa40
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 6 deletions.
diff --git a/internal/datastore/mysql/common/credentials.go b/internal/datastore/mysql/common/credentials.go
@@ -17,12 +17,14 @@ func MaybeAddCredentialsProviderHook(dbConfig *mysql.Config, credentialsProvider
 
 	log.Debug().Str("name", credentialsProvider.Name()).Msg("using credentials provider")
 
-	// we must transmit the token over the connection, and not a hash
-	dbConfig.AllowCleartextPasswords = true
-
-	// log a warning if we don't detect TLS to be enabled
-	if dbConfig.TLSConfig == "false" || dbConfig.TLS == nil {
-		log.Warn().Msg("Tokens originating from credential provider are sent in cleartext. We recommend enabling TLS for the connection.")
+	if credentialsProvider.IsCleartextToken() {
+		// we must transmit the token over the connection, and not a hash
+		dbConfig.AllowCleartextPasswords = true
+
+		// log a warning if we don't detect TLS to be enabled
+		if dbConfig.TLSConfig == "false" || dbConfig.TLS == nil {
+			log.Warn().Msg("Tokens originating from credential provider are sent in cleartext. We recommend enabling TLS for the connection.")
+		}
 	}
 
 	// add a before connect callback to trigger the token retrieval from the credentials provider

diff --git a/pkg/datastore/credentials.go b/pkg/datastore/credentials.go
@@ -18,6 +18,10 @@ import (
 type CredentialsProvider interface {
 	// Name returns the name of the provider
 	Name() string
+	// IsCleartextToken returns true the tokens should be sent to the datastore in cleartext, or false otherwise.
+	// This may be used to configure the datastore options to avoid sending a hash of the token instead of its value.
+	// Note that it is always recommended that communication channel be encrypted.
+	IsCleartextToken() bool
 	// Get returns the username and password to use when connecting to the underlying datastore
 	Get(ctx context.Context, dbEndpoint string, dbUser string) (string, string, error)
 }
@@ -74,6 +78,10 @@ func (d awsIamCredentialsProvider) Name() string {
 	return AWSIAMCredentialProvider
 }
 
+func (d awsIamCredentialsProvider) IsCleartextToken() bool {
+	return true
+}
+
 func (d awsIamCredentialsProvider) Get(ctx context.Context, dbEndpoint string, dbUser string) (string, string, error) {
 	authToken, err := rdsauth.BuildAuthToken(ctx, dbEndpoint, d.awsSdkConfig.Region, dbUser, d.awsSdkConfig.Credentials)
 	if err != nil {

diff --git a/pkg/datastore/credentials_test.go b/pkg/datastore/credentials_test.go
@@ -31,6 +31,8 @@ func TestAWSIAMCredentialsProvider(t *testing.T) {
 	require.NotNil(t, credentialsProvider)
 	require.NoError(t, err)
 
+	require.True(t, credentialsProvider.IsCleartextToken(), "AWS IAM tokens should be communicated in cleartext")
+
 	username, password, err := credentialsProvider.Get(context.Background(), "some-hostname:5432", "some-user")
 	require.NoError(t, err)
 	require.Equal(t, "some-user", username)