AWS IAM auth for PostgreSQL

plugins/dbgate-plugin-postgres/src/backend/drivers.js

@@ -13,6 +13,8 @@ const {
   extractErrorLogData,
 } = global.DBGATE_PACKAGES['dbgate-tools'];
 
+let authProxy;
+
 const logger = getLogger('postreDriver');
 
 pg.types.setTypeParser(1082, 'text', val => val); // date
@@ -40,22 +42,27 @@ const drivers = driverBases.map(driverBase => ({
   ...driverBase,
   analyserClass: Analyser,
 
-  async connect({
-    engine,
-    server,
-    port,
-    user,
-    password,
-    database,
-    databaseUrl,
-    useDatabaseUrl,
-    ssl,
-    isReadOnly,
-    authType,
-    socketPath,
-  }) {
+  async connect(props) {
+    const {
+      engine,
+      server,
+      port,
+      user,
+      password,
+      database,
+      databaseUrl,
+      useDatabaseUrl,
+      ssl,
+      isReadOnly,
+      authType,
+      socketPath,
+    } = props;
     let options = null;
 
+    if (authType == 'awsIam') {
+      awsIamToken = await authProxy.getAwsIamToken(props);
+    }
+
     if (engine == 'redshift@dbgate-plugin-postgres') {
       let url = databaseUrl;
       if (url && url.startsWith('jdbc:redshift://')) {
@@ -82,9 +89,9 @@ const drivers = driverBases.map(driverBase => ({
             host: authType == 'socket' ? socketPath || driverBase.defaultSocketPath : server,
             port: authType == 'socket' ? null : port,
             user,
-            password,
+            password: awsIamToken || password,
             database: extractDbNameFromComposite(database) || 'postgres',
-            ssl,
+            ssl: authType == 'awsIam' ? ssl || { rejectUnauthorized: false } : ssl,
             application_name: 'DbGate',
           };
     }
@@ -276,7 +283,7 @@ const drivers = driverBases.map(driverBase => ({
   },
 
   getAuthTypes() {
-    return [
+    const res = [
       {
         title: 'Host and port',
         name: 'hostPort',
@@ -286,6 +293,13 @@ const drivers = driverBases.map(driverBase => ({
         name: 'socket',
       },
     ];
+    if (authProxy.supportsAwsIam()) {
+      res.push({
+        title: 'AWS IAM',
+        name: 'awsIam',
+      });
+    }
+    return res;
   },
 
   async listSchemas(dbhan) {
@@ -313,4 +327,8 @@ const drivers = driverBases.map(driverBase => ({
   },
 }));
 
+drivers.initialize = dbgateEnv => {
+  authProxy = dbgateEnv.authProxy;
+};
+
 module.exports = drivers;

plugins/dbgate-plugin-postgres/src/backend/index.js

@@ -3,4 +3,7 @@ const drivers = require('./drivers');
 module.exports = {
   packageName: 'dbgate-plugin-postgres',
   drivers,
+  initialize(dbgateEnv) {
+    drivers.initialize(dbgateEnv);
+  },
 };

plugins/dbgate-plugin-postgres/src/frontend/drivers.js

@@ -135,24 +135,31 @@ const postgresDriverBase = {
   databaseUrlPlaceholder: 'e.g. postgresql://user:password@localhost:5432/default_database',
 
   showConnectionField: (field, values) => {
-    if (field == 'useDatabaseUrl') return true;
-    if (values.useDatabaseUrl) {
-      return ['databaseUrl', 'isReadOnly'].includes(field);
+    const allowedFields = ['useDatabaseUrl', 'authType', 'user', 'isReadOnly', 'useSeparateSchemas'];
+
+    if (values.authType == 'awsIam') {
+      allowedFields.push('awsRegion', 'secretAccessKey', 'accessKeyId');
     }
 
-    return (
-      [
-        'authType',
-        'user',
-        'password',
-        'defaultDatabase',
-        'singleDatabase',
-        'isReadOnly',
-        'useSeparateSchemas',
-      ].includes(field) ||
-      (values.authType == 'socket' && ['socketPath'].includes(field)) ||
-      (values.authType != 'socket' && ['server', 'port'].includes(field))
-    );
+    if (values.authType == 'socket') {
+      allowedFields.push('socketPath');
+    } else {
+      if (values.useDatabaseUrl) {
+        allowedFields.push('databaseUrl');
+      } else {
+        allowedFields.push('server', 'port');
+      }
+    }
+
+    if (values.authType != 'awsIam' && values.authType != 'socket') {
+      allowedFields.push('password');
+    }
+
+    if (!values.useDatabaseUrl) {
+      allowedFields.push('defaultDatabase', 'singleDatabase');
+    }
+
+    return allowedFields.includes(field);
   },
 
   beforeConnectionSave: connection => {
@@ -162,6 +169,7 @@ const postgresDriverBase = {
       return {
         ...connection,
         singleDatabase: !!m,
+
         defaultDatabase: m ? m[1] : null,
       };
     }