Allow registering custom CredentialProviders for per-conn passwords

[KJTsanaktsidis]

Sorry - this is the second copy of this PR, because go modules is apparently very unhappy about the use of branches with slashes in them...

Description

When using a temporary credential system for MySQL, for example IAM database authenticaiton on AWS or the Database secret backend for Hashicorp Vault, it may not be the case that the same username and password be used for opening every connection in a sql.DB.

This PR adds funcionality whereby the caller can, instead of specifying cfg.User and cfg.Passwd (or in the DSN as user:pass@...), specify a credentialProvider= argument which refers to a callback registered with RegisterCredentialProvider.

When a new connection is to be opened, if the CredentialProvider callback is specified, that is called to obtain a username/password pair rather than using the values from the DSN.

We need this in order to use it with IAM database authentication for Aurora. With IAM database authentication, the "password" you use to connect is in fact a signed token generated with https://docs.aws.amazon.com/sdk-for-go/api/service/rds/rdsutils/#BuildAuthToken. However, the token is signed with an expiry of 15 minutes; so, if a sql.DB is constructed with such a token as the password, the database driver will fail to open any new connections after 15 minutes. By allowing a callback to be used to generate the password, we can re-sign it each time, so that it stays valid.

Although the AWS Aurora usecase only requires changing the password, I suspect some users of the database secrets engine in Hashicorp vault (https://www.vaultproject.io/docs/secrets/databases/mysql-maria.html) will find it useful to be able to change the username as well; Vault works by creating temporary users in the database, so when they expire, vault deletes the actual users out of MySQL and replaces it with one named differently. So this usecase would require being able to change the username in the callback as well as the password.

Anyway, keen to get some 👀 on this and see if people think this would be a useful addition to the library!

Checklist

• Code compiles correctly
• Created tests which fail without the change (if possible)
• All tests passing
• Extended the README / documentation, if necessary
• Added myself / the copyright holder to the AUTHORS file

[catkins]

small typo: "registerd" -> "registered"

[KJTsanaktsidis]

oops. Pushed a fix now.

[catkins]

For the purposes of documentation could it be useful to name the return values?

Suggested change

	type CredentialProviderFunc func() (string, string, error)
	type CredentialProviderFunc func() (user string, password string, err error)

[KJTsanaktsidis]

Agreed, this makes the purpose of the return values clearer, I have updated it.

[methane]

I don't like adding DSN option + registry.
Since we have Connector interface now, complex option which can not be representable as simple string can be implemented in Config obj, instead of adding registry.

[KJTsanaktsidis]

Oh I totally didn't realise that the Connector interface existed! That's definitely way cleaner. Is the best approach to just put the CredentialProvider callback directly on the config object, and delete all the registry + DSN stuff?

Second question - If I added a commit to this PR (or open a new PR?) to do add a tls.Config to the config object so that we could configure that without the registry too, would that get merged too? (there's already a private tls field, we could just make it public?)

[methane]

Is the best approach to just put the CredentialProvider callback directly on the config object, and delete all the registry + DSN stuff?

I don't consider about the best API design carefully yet.
But I think it should be like DB.SetMaxIdleConns(): No public field in Config object. Just add Setter.
And I don't like to add more registries. Please remove it.

Second question - If I added a commit to this PR (or open a new PR?) to do add a tls.Config to the config object so that we could configure that without the registry too, would that get merged too? (there's already a private tls field, we could just make it public?)

It should be separated PR. And it might be (*Config).SetTLSConfig(conf *tls.Config).
But again, I have not decided about design of new APIs yet.
I don't expect we can merge any new feature in this year.

[KJTsanaktsidis]

@methane I pushed a commit to get rid of the registry and put the CredentialProvider callback on the Config object as a field.

I had a look at doing what you suggested with a setter instead. However, since all of the other config options are on the config struct as plain fields, and since the config struct is just passed into NewConnector and then not used by the client anymore, it seemed to make more sense to continue with the field thing rather than making a special kind of interface for just one option.

Thinking about this a bit more, a good API for making a Config object using the builder pattern or something like that might be a good idea? However, I think if we implement such an API, it should probably cover all options, not just new ones that get added - e.g. something like

connector, _ := mysql.NewConnector(mysql.NewConfig().
    WithAddress("localhost:3600").
    WithCredentials("username", "password"). // this for creds...
    WithCredentialFunc(callback). // or this (pick one)
    AllowPlainTextPasswords().
    .Config(),
)

What do you think? I'm happy to put together a builder like this for all the fields if that's something you're interested in.

[KJTsanaktsidis]

(I broke my test that I added to driver_test.go, I need to work out the collation thing) figured it out and pushed a fix.

[methane]

@KJTsanaktsidis I still feel this proposal is ugly. If we accept this, why not dynamic Hostname and Port? or SSL Cert?

Please look #1045 for my counter proposal. You can modify any config value dynamically.

[shogo82148]

+1 to #1045
I've implemented IAM database authentication driver on AWS https://github.com/shogo82148/rdsmysql

---

If anything, I want to overwrite TLS configure of existing *mysql.Config.
I need to write mysql.ParseDSN(config.FormatDSN()) to do it now.
https://github.com/shogo82148/rdsmysql/blob/4de22cc423bcf88585a8f3f7f07618500bfae29b/connector.go#L53

[KJTsanaktsidis]

Oh, that makes... a ton of sense. I didn't realise it would be OK to use driver.Conn instances from multiple mysql.Connector instances.

I'm on holiday at the moment, but when I get back I'll swap our app over to use an approach like #1045 (unless @catkins beats me to the punch :) ).

Thanks a lot for your help! I'll go ahead and close this PR.

[dolmen]

@KJTsanaktsidis You also have the option of writing an alternate database/sql.Driver that wraps this one and does what you want on Connect.

See mine as a reference: it wraps the MySQL driver to load creadentials from the ~/.mylogin.cnf.
See my packages:

• github.com/dolmen-go/mylogin-driver
• github.com/dolmen-go/mylogin-driver/register