feat: signer using default creds #1
Conversation
| @@ -73,6 +73,9 @@ Metrics/ParameterLists: | |||
| Minitest/EmptyLineBeforeAssertionMethods: | |||
| Enabled: false | |||
|
|
|||
| Minitest/MultipleAssertions: | |||
There was a problem hiding this comment.
I split up credential tests into groups and moved creation of token into setup. Increased MultipleAssertions from default of 3 to 20. With the increase, could also just put all of the assertions back together.
|
|
||
| Naming/MethodParameterName: | ||
| AllowedNames: | ||
| - a |
There was a problem hiding this comment.
chose to add comparison helpers and needed to allow short names.
lib/aws/msk/iam/sasl/credentials.rb
Outdated
| module Sasl | ||
| module Signer | ||
| class Credentials | ||
| def load_default_credentials |
There was a problem hiding this comment.
put this here so that it could be stubbed with fake creds.
There was a problem hiding this comment.
It makes better sense to have the client created in the presigner module. You can use the stub responses feature of the client for testing:
stubbed_client = Aws::Kafka::Client.new(stub_responses: true)
which gives stubbed credentials. You can do something like:
expect(Aws::Kafka::Client).to receive(:new).and_return(stubbed_client)
lib/aws/msk/iam/sasl/credentials.rb
Outdated
| module Sasl | ||
| module Signer | ||
| class Credentials | ||
| def load_default_credentials |
There was a problem hiding this comment.
It makes better sense to have the client created in the presigner module. You can use the stub responses feature of the client for testing:
stubbed_client = Aws::Kafka::Client.new(stub_responses: true)
which gives stubbed credentials. You can do something like:
expect(Aws::Kafka::Client).to receive(:new).and_return(stubbed_client)
lib/aws/msk/iam/sasl/signer.rb
Outdated
| end | ||
|
|
||
| def endpoint_url | ||
| host = ENDPOINT_URL_TEMPLATE.gsub("{}", @region) |
There was a problem hiding this comment.
Instead of using the template here, use endpoint resolution pieces:
endpoint_params = Aws::Kafka::EndpointParameters.new(
region: region,
use_dual_stack: true/false # can be options
use_fips: true/false # can be options
)
endpoint = client.config.endpoint_provider.resolve_endpoint(endpoint_params)
lib/aws/msk/iam/sasl/signer.rb
Outdated
| def endpoint_url | ||
| host = ENDPOINT_URL_TEMPLATE.gsub("{}", @region) | ||
| query_params = { | ||
| Action: "kafka-cluster:Connect" |
There was a problem hiding this comment.
Is this the only query param ever supported for this to work?
There was a problem hiding this comment.
Yes. Once you connect, then MSK Cluster policy along with your IAM Policy governs what you can do in the cluster.
lib/aws/msk/iam/sasl/signer.rb
Outdated
| ENDPOINT_URL_TEMPLATE = "kafka.{}.amazonaws.com".freeze | ||
| DEFAULT_TOKEN_EXPIRY_SECONDS = 900 | ||
| ACTION_TYPE = "Action".freeze | ||
| ACTION_NAME = "kafka-cluster:Connect".freeze |
There was a problem hiding this comment.
Some of these aren't used
aws-msk-iam-sasl-signer.gemspec
Outdated
| spec.require_paths = ["lib"] | ||
|
|
||
| # Runtime dependencies | ||
| # spec.add_dependency "thor", "~> 1.2" |
There was a problem hiding this comment.
You'll want a dependency on aws-sdk-kafka.
Gemfile
Outdated
| @@ -1,11 +1,16 @@ | |||
| source "https://rubygems.org" | |||
| gemspec | |||
|
|
|||
| gem "aws-sdk-kafka", "~> 1.68" | |||
There was a problem hiding this comment.
Don't put this here since it will be read from gemspec above
Gemfile
Outdated
| gem "rake", "~> 13.0" | ||
| gem "rubocop", "1.60.2" | ||
| gem "rubocop-minitest", "0.34.5" | ||
| gem "rubocop-packaging", "0.5.2" | ||
| gem "rubocop-performance", "1.20.2" | ||
| gem "rubocop-rake", "0.6.0" | ||
| gem "simplecov", require: false, group: :test | ||
| gem "thor", "~> 1.3" |
There was a problem hiding this comment.
Don't put this here since it will be read from gemspec above
| sts.get_caller_identity.arn | ||
| ) | ||
|
|
||
| puts "Credentials Identity: #{caller_identity.to_h.to_json}" |
There was a problem hiding this comment.
I would avoid puts in the lib since it's not good practice with Rails apps. If we need to output something, we should look for Rails.logger to be defined, allow overriding it in a config, and have a default logger for non-Rails apps
bin/console
Outdated
| @@ -1,7 +1,7 @@ | |||
| #!/usr/bin/env ruby | |||
|
|
|||
| require "bundler/setup" | |||
| require "example" | |||
| require "aws/msk/iam/sasl/signer" | |||
There was a problem hiding this comment.
This needs to point to the flattened file now, right?
The msk iam sasl signer in Ruby, joining the family of msk iam sasl signers.
Waiting on OAuth support to be added to rdkafka-ruby