pg-aws_rds_iam 0.6.2 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6ca9285880d14457835d0b91196653cf230f6d8a269945c65b40af0031653987
-  data.tar.gz: 1749a70b4736c35fa0a9fffff961b3d9101df73cdef9ecffc8fadad2f6401daf
+  metadata.gz: 033ab6c71e67b76950791800722751b6f00ac7403c0269f19a9b135875d17fec
+  data.tar.gz: c8e53189801821043e80c7a692c81b140ac29ad337c250434c8a00ec6f8b6464
 SHA512:
-  metadata.gz: 65188829a0c75e07b7c7809643999a0b9d65924437240909aed32e3b7e32f8f8289e6df699724e250b57401e2a0437cdd675eddf7cc29335278e09e7d446ec6a
-  data.tar.gz: 2818e00188696512b5dc89b513e9c2d8110af3d337ec9f0e4b229027c2f9f7d339770c91462bc7bb3a83afcd263cfec099d38c8d7736be870428358ad97492a3
+  metadata.gz: '097fcef5922b2485a79e26a608c546711bbcf7d6a4ee129db557b6324bb280cf06944f9008336e14c84699f99e440d7f2c300baa90b4e113b334c33fc8f58cf7'
+  data.tar.gz: 0ad4fa689960fc2e4f0587743033d842b6e2faf8248051877339f134cd77176ddc4379c60d7b5aec0befcd59d5c6ae7ccb169ed8500399a315846ce9743e5d1e

data/CHANGELOG.md

@@ -8,6 +8,19 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 No notable changes.
 
+## [0.8.0] - 2026-03-27
+
+### Changed
+* Test against Ruby 3.4 ([#697](https://github.com/haines/pg-aws_rds_iam/pull/697))
+* Test against Ruby 4.0 ([#779](https://github.com/haines/pg-aws_rds_iam/pull/779))
+* Require Ruby ≥ 3.2, Active Record ≥ 7.0, and PG ≥ 1.3 ([#726](https://github.com/haines/pg-aws_rds_iam/pull/726))
+* Test against Sequel ([#756](https://github.com/haines/pg-aws_rds_iam/pull/756))
+
+## [0.7.0] - 2024-12-04
+
+### Changed
+* Reuse tokens ([#690](https://github.com/haines/pg-aws_rds_iam/pull/690))
+
 ## [0.6.2] - 2024-11-12
 
 ### Changed
@@ -96,7 +109,9 @@ No notable changes.
 * A plugin for the [`pg` gem](https://rubygems.org/gems/pg) that adds support for [IAM authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html) when connecting to PostgreSQL databases hosted in Amazon RDS. ([#1](https://github.com/haines/pg-aws_rds_iam/pull/1))
 * ActiveRecord support. ([#3](https://github.com/haines/pg-aws_rds_iam/pull/3))
 
-[Unreleased]: https://github.com/haines/pg-aws_rds_iam/compare/v0.6.2...HEAD
+[Unreleased]: https://github.com/haines/pg-aws_rds_iam/compare/v0.8.0...HEAD
+[0.8.0]: https://github.com/haines/pg-aws_rds_iam/compare/v0.7.0...v0.8.0
+[0.7.0]: https://github.com/haines/pg-aws_rds_iam/compare/v0.6.2...v0.7.0
 [0.6.2]: https://github.com/haines/pg-aws_rds_iam/compare/v0.6.1...v0.6.2
 [0.6.1]: https://github.com/haines/pg-aws_rds_iam/compare/v0.6.0...v0.6.1
 [0.6.0]: https://github.com/haines/pg-aws_rds_iam/compare/v0.5.0...v0.6.0

data/README.md

@@ -99,6 +99,14 @@ You can set this parameter in
     aws_rds_iam_auth_token_generator: default
   ```
 
+* `driver_options`, if you're using Sequel:
+
+  ```ruby
+  Sequel.connect("postgresql://andrew@postgresql.example.com:5432/blog", driver_options: {
+    aws_rds_iam_auth_token_generator: "default"
+  })
+  ```
+
 If the default authentication token generator doesn't meet your needs, you can register an alternative with
 
 ```ruby
@@ -112,14 +120,26 @@ To use this alternative authentication token generator, set the `aws_rds_iam_aut
 The block you give to `add` must construct and return the authentication token generator, which can either be an instance of `PG::AWS_RDS_IAM::AuthTokenGenerator` or another object that returns a string token in response to `call(host:, port:, user:)`.
 The block will be called once, when the first token is generated, and the returned authentication token generator will be re-used to generate all future tokens.
 
+### 4. Set `sslmode` to `verify-full` (recommended)
+
+Although not required to use IAM authentication, to further improve security when connecting to your database, you should consider setting the `sslmode` connection parameter to `verify-full`.
+This ensures that your application is connecting to an RDS instance, preventing man-in-the-middle attacks.
+
+You'll need to [download the RDS certificate bundle from AWS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) and set the `sslrootcert` connection parameter to the path to the downloaded file.
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies.
 Then, run `bin/rake` to run the tests.
 You can also run `bin/console` for an interactive prompt that will allow you to experiment.
 
-To install this gem onto your local machine, run `bin/rake install`.
-To release a new version, update the version number in `version.rb`, and then run `bin/rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+To release a new version:
+
+1. Update the version number in [version.rb](lib/pg/aws_rds_iam/version.rb), and run `bundle install` to update [Gemfile.lock](Gemfile.lock).
+2. Update [CHANGELOG.md](CHANGELOG.md).
+3. Submit the changes as a pull request.
+4. Once merged, run `bin/rake release:tag` to tag the release and push the tag to GitHub.
+   The gem is published to [rubygems.org](https://rubygems.org/gems/pg-aws_rds_iam) using [trusted publishing](https://guides.rubygems.org/trusted-publishing/) via GitHub Actions.
 
 ## Contributing
 

data/lib/pg/aws_rds_iam/active_record_postgresql_database_tasks.rb

@@ -3,14 +3,15 @@
 module PG
   module AWS_RDS_IAM
     module ActiveRecordPostgreSQLDatabaseTasks
+      private
+
+      def psql_env
+        super.tap do |psql_env|
+          AuthTokenInjector.new.inject_into_psql_env! configuration_hash, psql_env
+        end
+      end
     end
 
     private_constant :ActiveRecordPostgreSQLDatabaseTasks
   end
 end
-
-if ActiveRecord::Tasks::PostgreSQLDatabaseTasks.private_instance_methods.include?(:psql_env)
-  require_relative "active_record_postgresql_database_tasks/psql_env"
-else
-  require_relative "active_record_postgresql_database_tasks/set_psql_env"
-end

data/lib/pg/aws_rds_iam/auth_token.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module PG
+  module AWS_RDS_IAM
+    class AuthToken
+      def initialize(token)
+        @token = token
+        @generated_at = now
+        @expiry = parse_expiry || 900
+      end
+
+      def valid?
+        (now - @generated_at) < (@expiry - 60)
+      end
+
+      def to_str
+        @token
+      end
+
+      private
+
+      def now
+        Process.clock_gettime(Process::CLOCK_MONOTONIC)
+      end
+
+      def parse_expiry
+        URI
+          .decode_www_form(URI.parse("https://#{@token}").query)
+          .lazy
+          .filter_map { |(key, value)| Integer(value, 10) if key.downcase == "x-amz-expires" }
+          .first
+      rescue StandardError
+        nil
+      end
+    end
+
+    private_constant :AuthToken
+  end
+end

data/lib/pg/aws_rds_iam/auth_token_generator.rb

@@ -13,16 +13,39 @@ module PG
       def initialize(credentials:, region:)
         @generator = Aws::RDS::AuthTokenGenerator.new(credentials:)
         @region = region
+        @mutex = Mutex.new
+        @cache = {}
       end
 
       # Generates an authentication token for connecting to an Amazon RDS instance.
+      # Generated tokens are cached and reused until 1 minute before they are due to expire.
       #
       # @param host [String] the host name of the RDS instance that you want to access
       # @param port [String] the port number used for connecting to your RDS instance
       # @param user [String] the database account that you want to access
       # @return [String] the generated authentication token
       def call(host:, port:, user:)
-        @generator.auth_token(region: @region, endpoint: "#{host}:#{port}", user_name: user)
+        endpoint = "#{host}:#{port}"
+        key = "#{user}@#{endpoint}"
+
+        token = cached_token(key)
+        return token if token
+
+        @mutex.synchronize do
+          token = cached_token(key)
+          break token if token
+
+          @generator.auth_token(region: @region, endpoint:, user_name: user).tap do |new_token|
+            @cache[key] = AuthToken.new(new_token)
+          end
+        end
+      end
+
+      private
+
+      def cached_token(key)
+        token = @cache[key]
+        token.to_str if token&.valid?
       end
     end
   end

data/lib/pg/aws_rds_iam/connection_info/parse_error.rb

@@ -3,7 +3,8 @@
 module PG
   module AWS_RDS_IAM
     module ConnectionInfo
-      ParseError = Class.new(StandardError)
+      class ParseError < StandardError
+      end
     end
   end
 end

data/lib/pg/aws_rds_iam/connection_info/uri.rb

@@ -5,14 +5,7 @@ module PG
     module ConnectionInfo
       class URI
         def self.match?(connection_string)
-          regexp =
-            if defined?(::URI::RFC2396_PARSER)
-              ::URI::RFC2396_PARSER.regexp[:ABS_URI_REF]
-            else
-              ::URI::ABS_URI_REF
-            end
-
-          /\A#{regexp}\z/.match?(connection_string)
+          /\A#{::URI::RFC2396_PARSER.regexp[:ABS_URI_REF]}\z/.match?(connection_string)
         end
 
         attr_reader :auth_token_generator_name

data/lib/pg/aws_rds_iam/version.rb

@@ -3,6 +3,6 @@
 module PG
   module AWS_RDS_IAM
     # The current version of the gem.
-    VERSION = "0.6.2"
+    VERSION = "0.8.0"
   end
 end

data/lib/pg/aws_rds_iam.rb

@@ -5,6 +5,7 @@ require "pg"
 require "strscan"
 require "uri"
 
+require_relative "aws_rds_iam/auth_token"
 require_relative "aws_rds_iam/auth_token_generator"
 require_relative "aws_rds_iam/auth_token_generator_registry"
 require_relative "aws_rds_iam/auth_token_injector"
@@ -41,7 +42,7 @@ module PG
       ActiveRecord::Tasks::PostgreSQLDatabaseTasks.prepend ActiveRecordPostgreSQLDatabaseTasks
     end
 
-    if defined?(Rails::DBConsole) && Rails::DBConsole.private_instance_methods.include?(:find_cmd_and_exec)
+    if defined?(Rails::DBConsole) && Rails::DBConsole.private_method_defined?(:find_cmd_and_exec)
       require_relative "aws_rds_iam/rails_dbconsole"
 
       Rails::DBConsole.prepend RailsDBConsole

data/pg-aws_rds_iam.gemspec

@@ -34,8 +34,8 @@ Gem::Specification.new do |spec|
 
   spec.require_paths = ["lib"]
 
-  spec.required_ruby_version = ">= 3.1"
+  spec.required_ruby_version = ">= 3.2"
 
   spec.add_dependency "aws-sdk-rds", "~> 1.0"
-  spec.add_dependency "pg", "~> 1.1"
+  spec.add_dependency "pg", "~> 1.3"
 end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: pg-aws_rds_iam
 version: !ruby/object:Gem::Version
-  version: 0.6.2
+  version: 0.8.0
 platform: ruby
 authors:
 - Andrew Haines
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-11-12 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-rds
@@ -30,14 +29,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.3'
 description: PG::AWS_RDS_IAM is a plugin for the pg gem that adds support for IAM
   authentication when connecting to PostgreSQL databases hosted in Amazon RDS.
 email:
@@ -53,8 +52,7 @@ files:
 - lib/pg/aws_rds_iam.rb
 - lib/pg/aws_rds_iam/active_record_postgresql_adapter.rb
 - lib/pg/aws_rds_iam/active_record_postgresql_database_tasks.rb
-- lib/pg/aws_rds_iam/active_record_postgresql_database_tasks/psql_env.rb
-- lib/pg/aws_rds_iam/active_record_postgresql_database_tasks/set_psql_env.rb
+- lib/pg/aws_rds_iam/auth_token.rb
 - lib/pg/aws_rds_iam/auth_token_generator.rb
 - lib/pg/aws_rds_iam/auth_token_generator_registry.rb
 - lib/pg/aws_rds_iam/auth_token_injector.rb
@@ -73,11 +71,10 @@ licenses:
 metadata:
   bug_tracker_uri: https://github.com/haines/pg-aws_rds_iam/issues
   changelog_uri: https://github.com/haines/pg-aws_rds_iam/blob/main/CHANGELOG.md
-  documentation_uri: https://rubydoc.info/gems/pg-aws_rds_iam/0.6.2
+  documentation_uri: https://rubydoc.info/gems/pg-aws_rds_iam/0.8.0
   homepage_uri: https://github.com/haines/pg-aws_rds_iam
   source_code_uri: https://github.com/haines/pg-aws_rds_iam
   rubygems_mfa_required: 'true'
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -85,15 +82,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '3.1'
+      version: '3.2'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.23
-signing_key:
+rubygems_version: 4.0.9
 specification_version: 4
 summary: IAM authentication for PostgreSQL on Amazon RDS
 test_files: []

data/lib/pg/aws_rds_iam/active_record_postgresql_database_tasks/psql_env.rb

@@ -1,15 +0,0 @@
-# frozen_string_literal: true
-
-module PG
-  module AWS_RDS_IAM
-    module ActiveRecordPostgreSQLDatabaseTasks
-      private
-
-      def psql_env
-        super.tap do |psql_env|
-          AuthTokenInjector.new.inject_into_psql_env! configuration_hash, psql_env
-        end
-      end
-    end
-  end
-end

data/lib/pg/aws_rds_iam/active_record_postgresql_database_tasks/set_psql_env.rb

@@ -1,14 +0,0 @@
-# frozen_string_literal: true
-
-module PG
-  module AWS_RDS_IAM
-    module ActiveRecordPostgreSQLDatabaseTasks
-      private
-
-      def set_psql_env
-        super
-        AuthTokenInjector.new.inject_into_psql_env! configuration_hash, ENV
-      end
-    end
-  end
-end