fix crossplane-contrib#106 add ability to set auth_plugin for mysql users

cten · cten · commit b582eb9b0e25 · 2024-06-17T23:24:29.000-05:00
diff --git a/apis/mysql/v1alpha1/user_types.go b/apis/mysql/v1alpha1/user_types.go
@@ -49,6 +49,11 @@ type UserParameters struct {
 	// BinLog defines whether the create, delete, update operations of this user are propagated to replicas. Defaults to true
 	// +optional
 	BinLog *bool `json:"binlog,omitempty" default:"true"`
+
+	// AuthPlugin defines the MySQL auth plugin (ie. AWSAuthenticationPlugin for AWS IAM authentication when using AWS RDS )
+	// See https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html
+	// +optional
+	AuthPlugin string `json:"authPlugin,omitempty" default:"mysql_native_password"`
 }
 
 // ResourceOptions define the account specific resource limits.
diff --git a/examples/mysql/user.yaml b/examples/mysql/user.yaml
@@ -4,6 +4,7 @@ metadata:
   name: example-user
 spec:
   forProvider:
+    authPlugin: AWSAuthenticationPlugin
     passwordSecretRef:
       name: example-pw
       namespace: default
diff --git a/package/crds/mysql.sql.crossplane.io_users.yaml b/package/crds/mysql.sql.crossplane.io_users.yaml
@@ -71,6 +71,10 @@ spec:
                 description: UserParameters define the desired state of a MySQL user
                   instance.
                 properties:
+                  authPlugin:
+                    description: AuthPlugin defines the authentication plugin to be used.
+                      Meant to add support for AWS IAM DB authentication (ie. AWSAuthenticationPlugin)
+                    type: string
                   binlog:
                     description: BinLog defines whether the create, delete, update
                       operations of this user are propagated to replicas. Defaults
diff --git a/pkg/controller/mysql/user/reconciler.go b/pkg/controller/mysql/user/reconciler.go
@@ -54,6 +54,7 @@ const (
 	errUpdateUser              = "cannot update user"
 	errGetPasswordSecretFailed = "cannot get password secret"
 	errCompareResourceOptions  = "cannot compare desired and observed resource options"
+	errAuthPluginNotSupported  = "auth plugin not supported"
 
 	maxConcurrency = 5
 )
@@ -238,21 +239,41 @@ func (c *external) Create(ctx context.Context, mg resource.Managed) (managed.Ext
 	cr.SetConditions(xpv1.Creating())
 
 	username, host := mysql.SplitUserHost(meta.GetExternalName(cr))
-	pw, _, err := c.getPassword(ctx, cr)
-	if err != nil {
-		return managed.ExternalCreation{}, err
+
+	var auth string
+
+	ro := resourceOptionsToClauses(cr.Spec.ForProvider.ResourceOptions)
+	binlog := cr.Spec.ForProvider.BinLog
+
+	var authplugin string 
+	if cr.Spec.ForProvider.AuthPlugin != "" {
+		authplugin = cr.Spec.ForProvider.AuthPlugin
+	} else {
+		authplugin = "mysql_native_password"
 	}
+	var pw string
 
-	if pw == "" {
-		pw, err = password.Generate()
+	if authplugin == "mysql_native_password" {
+		var err error
+		pw, _, err = c.getPassword(ctx, cr)
 		if err != nil {
 			return managed.ExternalCreation{}, err
 		}
+
+		if pw == "" {
+			pw, err = password.Generate()
+			if err != nil {
+				return managed.ExternalCreation{}, err
+			}
+		}
+		auth = fmt.Sprintf("%s BY %s", authplugin, mysql.QuoteValue(pw))
+	} else if authplugin == "AWSAuthenticationPlugin" {
+		auth = fmt.Sprintf("%s AS %s", authplugin, mysql.QuoteValue("RDS"))
+	} else {
+		return managed.ExternalCreation{},  errors.New(errAuthPluginNotSupported)
 	}
 
-	ro := resourceOptionsToClauses(cr.Spec.ForProvider.ResourceOptions)
-	binlog := cr.Spec.ForProvider.BinLog
-	if err := c.executeCreateUserQuery(ctx, username, host, ro, pw, binlog); err != nil {
+	if err := c.executeCreateUserQuery(ctx, username, host, ro, auth, binlog); err != nil {
 		return managed.ExternalCreation{}, err
 	}
 
@@ -265,19 +286,20 @@ func (c *external) Create(ctx context.Context, mg resource.Managed) (managed.Ext
 	}, nil
 }
 
-func (c *external) executeCreateUserQuery(ctx context.Context, username string, host string, resourceOptionsClauses []string, pw string, binlog *bool) error {
+func (c *external) executeCreateUserQuery(ctx context.Context, username string, host string, resourceOptionsClauses []string, auth string, binlog *bool) error {
 	resourceOptions := ""
 	if len(resourceOptionsClauses) != 0 {
 		resourceOptions = fmt.Sprintf(" WITH %s", strings.Join(resourceOptionsClauses, " "))
 	}
 
 	query := fmt.Sprintf(
-		"CREATE USER %s@%s IDENTIFIED BY %s%s",
+		"CREATE USER %s@%s IDENTIFIED WITH %s%s",
 		mysql.QuoteValue(username),
 		mysql.QuoteValue(host),
-		mysql.QuoteValue(pw),
+		auth,
 		resourceOptions,
 	)
+	fmt.Println(query)
 
 	if err := mysql.ExecWithBinlogAndFlush(ctx, c.db, mysql.ExecQuery{Query: query, ErrorValue: errCreateUser}, mysql.ExecOptions{Binlog: binlog}); err != nil {
 		return err
diff --git a/pkg/controller/mysql/user/reconciler_test.go b/pkg/controller/mysql/user/reconciler_test.go
@@ -501,6 +501,39 @@ func TestCreate(t *testing.T) {
 				},
 			},
 		},
+		"UserWithAuthPluign": {
+			reason: "The username must be split if it contains a host",
+			fields: fields{
+				db: &mockDB{
+					MockExec: func(ctx context.Context, q xsql.Query) error { return nil },
+				},
+			},
+			args: args{
+				mg: &v1alpha1.User{
+					ObjectMeta: v1.ObjectMeta{
+						Annotations: map[string]string{
+							meta.AnnotationKeyExternalName: "example",
+						},
+					},
+					Spec: v1alpha1.UserSpec{
+						ForProvider: v1alpha1.UserParameters{
+							AuthPlugin: "AWSAuthenticationPlugin",
+						},
+					},
+				},
+			},
+			want: want{
+				err: nil,
+				c: managed.ExternalCreation{
+					ConnectionDetails: managed.ConnectionDetails{
+						xpv1.ResourceCredentialsSecretUserKey:     []byte("example"),
+						xpv1.ResourceCredentialsSecretPasswordKey: []byte(""),
+						xpv1.ResourceCredentialsSecretEndpointKey: []byte("localhost"),
+						xpv1.ResourceCredentialsSecretPortKey:     []byte("3306"),
+					},
+				},
+			},
+		},
 	}
 
 	for name, tc := range cases {
