Add DatabaseAuthenticationConfig and other changes for improved passwordless db configuration (#40)

Author: chad-cwc

.changes/unreleased/ENHANCEMENTS-20231011-122738.yaml

@@ -0,0 +1,6 @@
+kind: ENHANCEMENTS
+body: 'targets/database: Add new field DatabaseAuthenticationConfig and deprecate
+  SplitCert and DatabaseType'
+time: 2023-10-11T12:27:38.297052484-05:00
+custom:
+  Issues: "40"

.changes/unreleased/FEATURES-20231006-135721.yaml

@@ -0,0 +1,5 @@
+kind: FEATURES
+body: 'targets/database: Add support for GET list of database authentication configs'
+time: 2023-10-06T13:57:21.309141752-05:00
+custom:
+  Issues: "40"

bastionzero/service/connections/connections.go

@@ -122,7 +122,10 @@ type CreateUniversalConnectionResponse struct {
 	AgentVersion          string                `json:"agentVersion"`
 	ConnectionAuthDetails ConnectionAuthDetails `json:"connectionAuthDetails"`
 	SshScpOnly            bool                  `json:"sshScpOnly"`
-	SplitCert             bool                  `json:"splitCert"`
+	// Deprecated: SplitCert exists for historical compatibility and should not be used.
+	// Use IsPasswordless instead.
+	SplitCert      bool `json:"splitCert"`
+	IsPasswordless bool `json:"isPasswordless"`
 }
 
 // ConnectionAuthDetails contains details needed to connect to a connection node

bastionzero/service/targets/database.go

@@ -6,6 +6,7 @@ import (
 	"net/http"
 
 	"github.com/bastionzero/bastionzero-sdk-go/bastionzero/service/policies"
+	"github.com/bastionzero/bastionzero-sdk-go/bastionzero/service/targets/dbauthconfig"
 	"github.com/bastionzero/bastionzero-sdk-go/bastionzero/types/targettype"
 	"github.com/bastionzero/bastionzero-sdk-go/internal/client"
 )
@@ -17,16 +18,26 @@ const (
 
 // CreateDatabaseTargetRequest is used to create a new Database target
 type CreateDatabaseTargetRequest struct {
-	TargetName      string `json:"targetName"`
-	ProxyTargetID   string `json:"proxyTargetId"`
-	RemoteHost      string `json:"remoteHost"`
-	RemotePort      Port   `json:"remotePort"`
-	LocalPort       *Port  `json:"localPort,omitempty"`
-	LocalHost       string `json:"localHost,omitempty"`
-	IsSplitCert     bool   `json:"splitCert,omitempty"`
-	DatabaseType    string `json:"databaseType,omitempty"`
-	EnvironmentID   string `json:"environmentId,omitempty"`
-	EnvironmentName string `json:"environmentName,omitempty"`
+	TargetName    string `json:"targetName"`
+	ProxyTargetID string `json:"proxyTargetId"`
+	RemoteHost    string `json:"remoteHost"`
+	// TODO: To match REST API, change to: RemotePort *Port  `json:"remotePort,omitempty"`
+	// and update the comment below in a batched breaking changes release
+
+	// RemotePort is required for all databases; however, for GCP-hosted databases, the
+	// value specified for Port.Value will be ignored when connecting to the database.
+	RemotePort Port   `json:"remotePort"`
+	LocalPort  *Port  `json:"localPort,omitempty"`
+	LocalHost  string `json:"localHost,omitempty"`
+	// Deprecated: IsSplitCert exists for historical compatibility and should not be used.
+	// Set AuthenticationType in DatabaseAuthenticationConfig appropriately instead.
+	IsSplitCert bool `json:"splitCert,omitempty"`
+	// Deprecated: DatabaseType exists for historical compatibility and should not be used.
+	// Set Database in DatabaseAuthenticationConfig appropriately instead.
+	DatabaseType                 string                                     `json:"databaseType,omitempty"`
+	EnvironmentID                string                                     `json:"environmentId,omitempty"`
+	EnvironmentName              string                                     `json:"environmentName,omitempty"`
+	DatabaseAuthenticationConfig *dbauthconfig.DatabaseAuthenticationConfig `json:"databaseAuthenticationConfig,omitempty"`
 }
 
 // CreateDatabaseTargetResponse is the response returned if a Database target is
@@ -43,9 +54,14 @@ type ModifyDatabaseTargetRequest struct {
 	RemotePort    *Port   `json:"remotePort,omitempty"`
 	LocalPort     *Port   `json:"localPort,omitempty"`
 	LocalHost     *string `json:"localHost,omitempty"`
-	IsSplitCert   *bool   `json:"splitCert,omitempty"`
-	DatabaseType  *string `json:"databaseType,omitempty"`
-	EnvironmentID *string `json:"environmentId,omitempty"`
+	// Deprecated: IsSplitCert exists for historical compatibility and should not be used.
+	// Set AuthenticationType in DatabaseAuthenticationConfig appropriately instead.
+	IsSplitCert *bool `json:"splitCert,omitempty"`
+	// Deprecated: DatabaseType exists for historical compatibility and should not be used.
+	// Set Database in DatabaseAuthenticationConfig appropriately instead.
+	DatabaseType                 *string                                    `json:"databaseType,omitempty"`
+	EnvironmentID                *string                                    `json:"environmentId,omitempty"`
+	DatabaseAuthenticationConfig *dbauthconfig.DatabaseAuthenticationConfig `json:"databaseAuthenticationConfig,omitempty"`
 }
 
 // ListDatabaseTargetsOptions specifies the optional parameters when querying
@@ -81,9 +97,14 @@ type ListSplitCertDatabaseTypesResponse struct {
 type DatabaseTarget struct {
 	VirtualTarget
 
-	IsSplitCert        bool                  `json:"splitCert"`
-	DatabaseType       *string               `json:"databaseType"`
-	AllowedTargetUsers []policies.TargetUser `json:"allowedTargetUsers"`
+	// Deprecated: IsSplitCert exists for historical compatibility and should not be used.
+	// Set AuthenticationType in DatabaseAuthenticationConfig appropriately instead.
+	IsSplitCert bool `json:"splitCert"`
+	// Deprecated: DatabaseType exists for historical compatibility and should not be used.
+	// Set Database in DatabaseAuthenticationConfig appropriately instead.
+	DatabaseType                 *string                                   `json:"databaseType"`
+	AllowedTargetUsers           []policies.TargetUser                     `json:"allowedTargetUsers"`
+	DatabaseAuthenticationConfig dbauthconfig.DatabaseAuthenticationConfig `json:"databaseAuthenticationConfig"`
 }
 
 // ListDatabaseTargets lists all Database targets.
@@ -215,6 +236,7 @@ func (s *TargetsService) ModifyDatabaseTarget(ctx context.Context, targetID stri
 // ListSplitCertDatabaseTypes lists all Database types for which SplitCert
 // access is supported.
 //
+// Deprecated: Use ListDatabaseAuthenticationConfigs
 // BastionZero API docs: https://cloud.bastionzero.com/api/#get-/api/v2/targets/database/supported-databases
 func (s *TargetsService) ListSplitCertDatabaseTypes(ctx context.Context) (*ListSplitCertDatabaseTypesResponse, *http.Response, error) {
 	u := databaseBasePath + "/supported-databases"
@@ -232,6 +254,25 @@ func (s *TargetsService) ListSplitCertDatabaseTypes(ctx context.Context) (*ListS
 	return listResp, resp, nil
 }
 
+// ListDatabaseAuthenticationConfigs lists all database authentication configurations supported by BasionZero.
+//
+// BastionZero API docs: https://cloud.bastionzero.com/api/#get-/api/v2/targets/database/supported-database-configs
+func (s *TargetsService) ListDatabaseAuthenticationConfigs(ctx context.Context) ([]dbauthconfig.DatabaseAuthenticationConfig, *http.Response, error) {
+	u := databaseBasePath + "/supported-database-configs"
+	req, err := s.Client.NewRequest(ctx, http.MethodGet, u, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	dbAuthConfigList := new([]dbauthconfig.DatabaseAuthenticationConfig)
+	resp, err := s.Client.Do(req, dbAuthConfigList)
+	if err != nil {
+		return nil, resp, err
+	}
+
+	return *dbAuthConfigList, resp, nil
+}
+
 // Ensure DatabaseTarget implementation satisfies the expected interfaces.
 var (
 	// DatabaseTarget implements VirtualTargetInterface

bastionzero/service/targets/dbauthconfig/authenticationtype.go

@@ -0,0 +1,8 @@
+package dbauthconfig
+
+// These constants represent the supported values for the AuthenticationType field in DatabaseAuthenticationConfig.
+const (
+	Default                 string = "Default"
+	SplitCert               string = "SplitCert"
+	ServiceAccountInjection string = "ServiceAccountInjection"
+)

bastionzero/service/targets/dbauthconfig/cloudserviceprovider.go

@@ -0,0 +1,7 @@
+package dbauthconfig
+
+// These constants represent the supported values for the CloudServiceProvider field in DatabaseAuthenticationConfig.
+const (
+	AWS string = "AWS"
+	GCP string = "GCP"
+)

bastionzero/service/targets/dbauthconfig/database.go

@@ -0,0 +1,10 @@
+package dbauthconfig
+
+// These constants represent the supported values for the Database field in DatabaseAuthenticationConfig.
+const (
+	CockroachDB        string = "CockroachDB"
+	MicrosoftSQLServer string = "MicrosoftSQLServer"
+	MongoDB            string = "MongoDB"
+	MySQL              string = "MySQL"
+	Postgres           string = "Postgres"
+)

bastionzero/service/targets/dbauthconfig/dbauthconfig.go

@@ -0,0 +1,13 @@
+package dbauthconfig
+
+// DatabaseAuthenticationConfig defines a database authentication configuration supported
+// by BastionZero. When using a non-null DatabaseAuthenticationConfig in a request, it
+// is recommended that the supported configurations are retrieved from a GET request to
+// /api/v2/targets/database/supported-database-configs and then one of the returned
+// configurations is used in any subsequent create or update request as needed.
+type DatabaseAuthenticationConfig struct {
+	AuthenticationType   *string `json:"authenticationType,omitempty"`
+	CloudServiceProvider *string `json:"cloudServiceProvider,omitempty"`
+	Database             *string `json:"database,omitempty"`
+	Label                *string `json:"label,omitempty"`
+}

bastionzero/service/targets_disambiguated/database_target.go

@@ -3,19 +3,19 @@ package targets_disambiguated
 import (
 	"github.com/bastionzero/bastionzero-sdk-go/bastionzero/service/connections"
 	"github.com/bastionzero/bastionzero-sdk-go/bastionzero/service/policies"
+	"github.com/bastionzero/bastionzero-sdk-go/bastionzero/service/targets/dbauthconfig"
 )
 
 type DatabaseTarget struct {
 	Target
 
-	ProxyAgentId       string                     `json:"proxyAgentId"`
-	ProxyAgentName     string                     `json:"proxyAgentName"`
-	RemoteHost         string                     `json:"remoteHost"`
-	RemotePort         Port                       `json:"remotePort"`
-	LocalHost          string                     `json:"localHost"`
-	LocalPort          *Port                      `json:"localPort"`
-	SplitCert          bool                       `json:"splitCert"`
-	DatabaseType       string                     `json:"databaseType"`
-	AllowedTargetUsers []policies.TargetUser      `json:"allowedTargetUsers"`
-	Connections        []connections.DbConnection `json:"connections"`
+	ProxyAgentId                 string                                    `json:"proxyAgentId"`
+	ProxyAgentName               string                                    `json:"proxyAgentName"`
+	RemoteHost                   string                                    `json:"remoteHost"`
+	RemotePort                   Port                                      `json:"remotePort"`
+	LocalHost                    string                                    `json:"localHost"`
+	LocalPort                    *Port                                     `json:"localPort"`
+	AllowedTargetUsers           []policies.TargetUser                     `json:"allowedTargetUsers"`
+	Connections                  []connections.DbConnection                `json:"connections"`
+	DatabaseAuthenticationConfig dbauthconfig.DatabaseAuthenticationConfig `json:"databaseAuthenticationConfig"`
 }