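package common

import (
	"context"

	"github.com/go-sql-driver/mysql"

	log "github.com/authzed/spicedb/internal/logging"
	"github.com/authzed/spicedb/pkg/datastore"
)

// MaybeAddCredentialsProviderHook registers a BeforeConnect hook on dbConfig
// that fetches the connection's user and password from credentialsProvider
// before each new connection is established. It is a no-op when
// credentialsProvider is nil.
//
// When the provider issues cleartext tokens, AllowCleartextPasswords is
// enabled on dbConfig so the token itself (not a hash) is transmitted, and a
// warning is logged when the connection is not guaranteed to be protected by
// TLS: either TLS is not configured at all, or it is configured with fallback
// to plaintext permitted.
//
// It returns the error from dbConfig.Apply, if any. An error returned by
// credentialsProvider.Get inside the hook is handed back to the driver and
// surfaces as a connection error at connect time.
func MaybeAddCredentialsProviderHook(dbConfig *mysql.Config, credentialsProvider datastore.CredentialsProvider) error {
	if credentialsProvider == nil {
		// Nothing to wire up without a provider.
		return nil
	}

	log.Debug().Str("name", credentialsProvider.Name()).Msg("using credentials provider")

	if credentialsProvider.IsCleartextToken() {
		// The token must be transmitted as-is over the connection, not as a
		// hash, so the cleartext-password auth plugin has to be permitted.
		dbConfig.AllowCleartextPasswords = true

		// NOTE(review): this assumes dbConfig has already been normalized
		// (e.g. produced by mysql.ParseDSN), which resolves TLSConfig into TLS
		// and AllowFallbackToPlaintext; on an un-normalized config the nil
		// check below can warn spuriously.
		switch {
		case dbConfig.TLSConfig == "false" || dbConfig.TLS == nil:
			log.Warn().Msg("Tokens originating from credential provider are sent in cleartext. We recommend enabling TLS for the connection.")
		case dbConfig.AllowFallbackToPlaintext:
			// TLS being configured does not by itself guarantee the token is
			// protected: with fallback enabled (for example TLSConfig
			// "preferred") the driver may downgrade to plaintext when the
			// server does not offer TLS.
			log.Warn().Msg("Tokens originating from credential provider may be sent in cleartext because the connection allows fallback to plaintext. We recommend requiring TLS for the connection.")
		}
	}

	// Ask the provider for the effective user and password right before each
	// connection attempt. The current config.User is passed in so the
	// provider can map it to the credentials it hands out.
	return dbConfig.Apply(mysql.BeforeConnect(func(ctx context.Context, config *mysql.Config) error {
		var err error
		config.User, config.Passwd, err = credentialsProvider.Get(ctx, config.Addr, config.User)
		return err
	}))
}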