BACK-560: Support AWS token based authentication (#1)

* BACK-560: Support AWS token based authentication * BACK-560: Add separate release workflow
rainbow-me · Mar 29, 2023 · d4e238c · d4e238c
1 parent 75ad487
commit d4e238c
Show file tree

Hide file tree

Showing 5 changed files with 837 additions and 2 deletions.
diff --git a/.github/workflows/rainbow-release.yml b/.github/workflows/rainbow-release.yml
@@ -0,0 +1,82 @@
+name: Release (rainbow)
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+env:
+  GHCR_IMAGE: ghcr.io/${{ github.repository }}
+
+jobs:
+  create-release:
+    name: Create Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Create release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh release create "$GITHUB_REF_NAME" --notes "Directus $GITHUB_REF_NAME"
+
+  build-images:
+    name: Build Images
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Cache Docker layers
+        uses: actions/cache@v3
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+
+      - name: Extract metadata for Docker image
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ${{ env.GHCR_IMAGE }}
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+
+      - name: Login to GHCR
+        uses: docker/login-action@v2
+        if: env.GHCR_IMAGE
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          file: ./Dockerfile
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+          push: true
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new
+
+      # Temp fix:
+      # https://github.com/docker/build-push-action/issues/252
+      # https://github.com/moby/buildkit/issues/1896
+      - name: Move cache
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
diff --git a/Dockerfile b/Dockerfile
@@ -28,6 +28,10 @@ RUN cd pruned \
 	&& rm -r *.tgz package \
 	&& mkdir database extensions uploads
 
+# Certs needed to verify RDS endpoints
+RUN apk update && apk add ca-certificates
+RUN wget https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem -P /usr/local/share/ca-certificates -O /usr/local/share/ca-certificates/aws-rds-global-bundle.crt && update-ca-certificates
+
 ####################################################################################################
 ## Create Production Image
 
@@ -45,6 +49,7 @@ ENV NODE_ENV="production"
 ENV NPM_CONFIG_UPDATE_NOTIFIER="false"
 
 COPY --from=pruned --chown=node:node /workspace/pruned .
+COPY --from=pruned /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 
 VOLUME /directus/database
 VOLUME /directus/extensions

diff --git a/api/package.json b/api/package.json
@@ -75,6 +75,7 @@
 	"dependencies": {
 		"@authenio/samlify-node-xmllint": "2.0.0",
 		"@aws-sdk/client-ses": "3.292.0",
+		"@aws-sdk/rds-signer": "v3.300.0",
 		"@directus/app": "workspace:*",
 		"@directus/extensions-sdk": "workspace:*",
 		"@directus/format-title": "9.15.0",

diff --git a/api/src/database/index.ts b/api/src/database/index.ts
@@ -11,6 +11,8 @@ import type { DatabaseClient } from '../types';
 import { getConfigFromEnv } from '../utils/get-config-from-env';
 import { validateEnv } from '../utils/validate-env';
 import { getHelpers } from './helpers';
+import { Signer } from '@aws-sdk/rds-signer';
+import fs from "fs";
 
 let database: Knex | null = null;
 let inspector: ReturnType<typeof SchemaInspector> | null = null;
@@ -68,7 +70,32 @@ export default function getDatabase(): Knex {
 		client,
 		version,
 		searchPath,
-		connection: connectionString || connectionConfig,
+		// HACK: Support IAM RDS authentication for Postgres
+		// This is the only reason we forked directus
+		connection: async () => {
+			const signer = new Signer({
+				hostname: connectionConfig['host'] as string,
+				port: parseInt(connectionConfig['port'] as string, 10),
+				username: connectionConfig['user'] as string,
+				region: connectionConfig['region'] as string,
+			});
+
+			const token = await signer.getAuthToken();
+			const tokenExpiration = Date.now() + 10 * 60 * 1000;
+
+			const dbConfig = {
+				...connectionConfig,
+				password: token,
+				ssl: {
+					ca: fs.readFileSync('/etc/ssl/certs/ca-certificates.crt').toString(),
+				},
+				expirationChecker: () => {
+					return tokenExpiration <= Date.now();
+				},
+			};
+
+			return dbConfig;
+		},
 		log: {
 			warn: (msg) => {
 				// Ignore warnings about returning not being supported in some DBs
@@ -87,6 +114,8 @@ export default function getDatabase(): Knex {
 		pool: poolConfig,
 	};
 
+	logger.info(`Using following db config: ${JSON.stringify(knexConfig)}`);
+
 	if (client === 'sqlite3') {
 		knexConfig.useNullAsDefault = true;