Merge pull request supabase#214 from supabase/j0/add_cognito_wrapper

feat: add cognito wrapper
dymium-io · Jan 25, 2024 · 95239dd · 95239dd
2 parents 42f5095 + 4c5d8f0
commit 95239dd
Show file tree

Hide file tree

Showing 18 changed files with 1,031 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -17,6 +17,7 @@
 | [Auth0](./wrappers/src/fdw/auth0_fdw)           | A FDW for [Auth0](https://auth0.com/)                          | ✅   | ❌     |
 | [SQL Server](./wrappers/src/fdw/mssql_fdw)      | A FDW for [Microsoft SQL Server](https://www.microsoft.com/en-au/sql-server/) | ✅   | ❌     |
 | [Redis](./wrappers/src/fdw/redis_fdw)           | A FDW for [Redis](https://redis.io/) | ✅   | ❌     |
+| [AWS Cognito](./wrappers/src/fdw/cognito_fdw) | A FDW for [AWS Cognito](https://aws.amazon.com/cognito/) | ✅   | ❌     |
 
 ## Features
 

diff --git a/docs/cognito.md b/docs/cognito.md
@@ -0,0 +1,119 @@
+[AWS Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html) is an identity platform for web and mobile apps. 
+
+The Cognito wrapper allows you to read data from your Cognito Userpool within your Postgres database.
+
+## Preparation
+
+Before you get started, make sure the `wrappers` extension is installed on your database:
+
+```sql
+create extension if not exists wrappers with schema extensions;
+```
+
+and then create the foreign data wrapper:
+
+```sql
+create foreign data wrapper cognito_wrapper
+  handler cognito_fdw_handler
+  validator cognito_fdw_validator;
+```
+
+### Secure your credentials (optional)
+
+By default, Postgres stores FDW credentials inide `pg_catalog.pg_foreign_server` in plain text. Anyone with access to this table will be able to view these credentials. Wrappers are designed to work with [Vault](https://supabase.com/docs/guides/database/vault), which provides an additional level of security for storing credentials. We recommend using Vault to store your credentials.
+
+```sql
+insert into vault.secrets (name, secret)
+values (
+  'cognito_secret_access_key',
+  '<secret access key>'
+)
+returning key_id;
+```
+
+### Connecting to Cognito
+
+We need to provide Postgres with the credentials to connect to Cognito, and any additional options. We can do this using the `create server` command:
+
+=== "With Vault"
+
+    ```sql
+    create server cognito_server
+      foreign data wrapper cognito_wrapper
+      options (
+        aws_access_key_id '<your_access_key>',
+        api_key_id '<your_secret_key_id_in_vault>',
+        region '<your_aws_region>',
+        user_pool_id '<your_user_pool_id>'
+      );
+    ```
+
+=== "Without Vault"
+
+    ```sql
+    create server cognito_server
+      foreign data wrapper cognito_wrapper
+      options (
+        aws_access_key_id '<your_access_key>',
+        aws_secret_access_key '<your_secret_key>',
+        region '<your_aws_region>',
+        user_pool_id '<your_user_pool_id>'
+      );
+    ```
+
+## Creating Foreign Tables
+
+The Cognito Wrapper supports data reads from Cognito's [User Records](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) endpoint (_read only_).
+
+| Cognito  | Select | Insert | Update | Delete | Truncate |
+| -------- | :----: | :----: | :----: | :----: | :------: |
+| Records  |   ✅   |   ❌   |   ❌   |   ❌   |    ❌    |
+
+For example:
+
+```sql
+create foreign table cognito (
+    email text,
+    username text
+)
+server cognito_server
+options (
+    object 'users'
+);
+```
+
+### Foreign table options
+
+The full list of foreign table options are below:
+
+- `object`: type of object we are querying. For now, only `users` is supported
+
+
+## Query Pushdown Support
+
+This FDW doesn't support query pushdown.
+
+## Examples
+
+Some examples on how to use Cognito foreign tables.
+
+### Basic example
+
+This will create a "foreign table" inside your Postgres database called `cognito_table`:
+
+```sql
+create foreign table cognito_table (
+  email text,
+  username text
+)
+server cognito_server
+options (
+   object 'users'
+);
+```
+
+You can now fetch your Cognito data from within your Postgres database:
+
+```sql
+select * from cognito_table;
+```
diff --git a/mkdocs.yaml b/mkdocs.yaml
@@ -11,6 +11,7 @@ nav:
     - Wrappers:
       - Airtable: 'airtable.md'
       - Auth0: 'auth0.md'
+      - AWS Cognito: 'cognito.md'
       - BigQuery: 'bigquery.md'
       - ClickHouse: 'clickhouse.md'
       - Firebase: 'firebase.md'

diff --git a/wrappers/.ci/docker-compose.yaml b/wrappers/.ci/docker-compose.yaml
@@ -38,7 +38,17 @@ services:
       interval: 10s
       timeout: 5s
       retries: 20
-
+  cognito:
+    image: jagregory/cognito-local
+    ports:
+      - "9229:9229"
+    volumes:
+      - ../dockerfiles/cognito/.cognito:/app/.cognito
+    healthcheck:
+      test: curl --fail http://0.0.0.0:9229/ || exit 1
+      interval: 11s
+      timeout: 6s
+      retries: 3
   stripe:
     image: stripe/stripe-mock:v0.144.0
     container_name: stripe-mock

diff --git a/wrappers/Cargo.lock b/wrappers/Cargo.lock
diff --git a/wrappers/Cargo.toml b/wrappers/Cargo.toml
@@ -73,6 +73,20 @@ airtable_fdw = [
     "url",
     "thiserror",
 ]
+cognito_fdw = [
+    "aws-sdk-cognitoidentityprovider",
+    "aws-config",
+    "reqwest",
+    "reqwest-middleware",
+    "reqwest-retry",
+    "http",
+    "serde_json",
+    "tokio",
+    "serde",
+    "url",
+    "thiserror",
+    "chrono",
+]
 logflare_fdw = [
     "http",
     "reqwest",
@@ -116,6 +130,7 @@ all_fdws = [
     "auth0_fdw",
     "mssql_fdw",
     "redis_fdw",
+    "cognito_fdw",
 ]
 
 [dependencies]
@@ -130,6 +145,7 @@ clickhouse-rs = { git = "https://github.com/suharev7/clickhouse-rs", rev = "ecf2
 chrono = { version = "0.4", optional = true }
 chrono-tz = { version = "0.6", optional = true }
 
+
 # for bigquery_fdw, firebase_fdw, airtable_fdw and etc.
 gcp-bigquery-client = { version = "0.17.0", optional = true }
 serde = { version = "1", optional = true }
@@ -154,6 +170,11 @@ aws-config = { version = "1.1.1", optional = true }
 aws-sdk-s3 = { version = "1.11.0", optional = true }
 aws-smithy-http = { version = "0.60.1", optional = true }
 aws-smithy-runtime-api = { version = "1.1.1", optional = true }
+
+# for cognito fdw
+aws-sdk-cognitoidentityprovider = {version ="1.10.0", optional = true}
+
+
 csv = { version = "1.2", optional = true }
 tokio = { version = "1", features = ["full"], optional = true }
 tokio-util = { version = "0.7", features = ["full"], optional = true }

diff --git a/wrappers/README.md b/wrappers/README.md
@@ -11,6 +11,7 @@ This is a collection of FDWs built by [Supabase](https://www.supabase.com). We c
 - [S3](./src/fdw/s3_fdw): A FDW for [AWS S3](https://aws.amazon.com/s3/). Currently read-only.
 - [Logflare](./src/fdw/logflare_fdw): A FDW for [Logflare](https://logflare.app/) which supports data read only.
 - [Auth0](./src/fdw/auth0_fdw): A FDW for [Auth0](https://auth0.com/).
+- [Cognito](./src/fdw/cognito_fdw): A FDW for [AWS Cogntio](https://aws.amazon.com/pm/cognito/).
 - [SQL Server](./src/fdw/mssql_fdw): A FDW for [Microsoft SQL Server](https://www.microsoft.com/en-au/sql-server/) which supports data read only.
 - [Redis](./src/fdw/redis_fdw): A FDW for [Redis](https://redis.io/) which supports data read only.
 
diff --git a/wrappers/dockerfiles/cognito/.cognito/config.json b/wrappers/dockerfiles/cognito/.cognito/config.json
@@ -0,0 +1 @@
+{}
diff --git a/wrappers/dockerfiles/cognito/.cognito/db/clients.json b/wrappers/dockerfiles/cognito/.cognito/db/clients.json
@@ -0,0 +1,3 @@
+{
+  "Clients": {}
+}