enable fargate credentials

Signed-off-by: Tim Miller <[email protected]>

Author: els-tmiller

README.md

@@ -184,6 +184,20 @@ export IMMUDB_S3_ENDPOINT="https://${IMMUDB_S3_BUCKET_NAME}.s3.${IMMUDB_S3_LOCAT
 ./immudb
 ```
 
+If using Fargate, the credentials URL can be sourced automatically:
+
+```bash
+export IMMUDB_S3_STORAGE=true
+export IMMUDB_S3_ROLE_ENABLED=true
+export IMMUDB_S3_USE_FARGATE_CREDENTIALS=true
+export IMMUDB_S3_BUCKET_NAME=<BUCKET NAME>
+export IMMUDB_S3_LOCATION=<AWS S3 REGION>
+export IMMUDB_S3_PATH_PREFIX=testing-001
+export IMMUDB_S3_ENDPOINT="https://${IMMUDB_S3_BUCKET_NAME}.s3.${IMMUDB_S3_LOCATION}.amazonaws.com"
+
+./immudb
+```
+
 Optionally, you can specify the exact role immudb should be using with:
 
 ```bash

cmd/immudb/command/init.go

@@ -89,6 +89,7 @@ func (cl *Commandline) setupFlags(cmd *cobra.Command, options *server.Options) {
 	cmd.Flags().String("s3-path-prefix", "", "s3 path prefix (multiple immudb instances can share the same bucket if they have different prefixes)")
 	cmd.Flags().Bool("s3-external-identifier", false, "use the remote identifier if there is no local identifier")
 	cmd.Flags().String("s3-instance-metadata-url", "http://169.254.169.254", "s3 instance metadata url")
+	cmd.Flags().String("s3-use-fargate-credentials", "false", "use fargate credentials for s3 authentication: true/false")
 	cmd.Flags().Int("max-sessions", 100, "maximum number of simultaneously opened sessions")
 	cmd.Flags().Duration("max-session-inactivity-time", 3*time.Minute, "max session inactivity time is a duration after which an active session is declared inactive by the server. A session is kept active if server is still receiving requests from client (keep-alive or other methods)")
 	cmd.Flags().Duration("max-session-age-time", 0, "the current default value is infinity. max session age time is a duration after which session will be forcibly closed")

cmd/immudb/command/parse_options.go

@@ -106,6 +106,7 @@ func parseOptions() (options *server.Options, err error) {
 	s3PathPrefix := viper.GetString("s3-path-prefix")
 	s3ExternalIdentifier := viper.GetBool("s3-external-identifier")
 	s3MetadataURL := viper.GetString("s3-instance-metadata-url")
+	s3UseFargateCredentials := viper.GetBool("s3-use-fargate-credentials")
 
 	remoteStorageOptions := server.DefaultRemoteStorageOptions().
 		WithS3Storage(s3Storage).
@@ -118,7 +119,8 @@ func parseOptions() (options *server.Options, err error) {
 		WithS3Location(s3Location).
 		WithS3PathPrefix(s3PathPrefix).
 		WithS3ExternalIdentifier(s3ExternalIdentifier).
-		WithS3InstanceMetadataURL(s3MetadataURL)
+		WithS3InstanceMetadataURL(s3MetadataURL).
+		WithS3UseFargateCredentials(s3UseFargateCredentials)
 
 	sessionOptions := sessions.DefaultOptions().
 		WithMaxSessions(viper.GetInt("max-sessions")).

embedded/remotestorage/s3/s3.go

@@ -56,6 +56,8 @@ type Storage struct {
 
 	awsInstanceMetadataURL string
 	awsCredsRefreshPeriod  time.Duration
+
+	useFargateCredentials bool
 }
 
 var (
@@ -99,6 +101,7 @@ func Open(
 	location string,
 	prefix string,
 	awsInstanceMetadataURL string,
+	useFargateCredentials bool,
 ) (remotestorage.Storage, error) {
 
 	// Endpoint must always end with '/'
@@ -137,6 +140,7 @@ func Open(
 		},
 		awsInstanceMetadataURL: awsInstanceMetadataURL,
 		awsCredsRefreshPeriod:  time.Minute,
+		useFargateCredentials:     useFargateCredentials,
 	}
 
 	err := s3storage.getRoleCredentials()
@@ -807,6 +811,45 @@ func (s *Storage) getRoleCredentials() error {
 }
 
 func (s *Storage) requestCredentials() (string, string, string, error) {
+	if s.useFargateCredentials {
+		// Use Fargate credentials
+
+		const fargateMetadataEndpoint = "http://169.254.170.2"
+
+		fargateCredentialsRelativeURI := os.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
+		if fargateCredentialsRelativeURI == "" {
+			return "", "", "", errors.New("environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set or empty")
+		}
+		fargateCredentialsURL := fargateMetadataEndpoint + fargateCredentialsRelativeURI
+
+		fargateReq, err := http.NewRequest("GET", fargateCredentialsURL, nil)
+		if err != nil {
+			return "", "", "", errors.New("cannot form fargate credentials request")
+		}
+
+		fargateResp, err := http.DefaultClient.Do(fargateReq)
+		if err != nil {
+			return "", "", "", errors.New("cannot get fargate credentials")
+		}
+		defer fargateResp.Body.Close()
+
+		creds, err := io.ReadAll(fargateResp.Body)
+		if err != nil {
+			return "", "", "", errors.New("cannot read fargate credentials")
+		}
+
+		var credentials struct {
+			AccessKeyID     string `json:"AccessKeyId"`
+			SecretAccessKey string `json:"SecretAccessKey"`
+			SessionToken    string `json:"Token"`
+		}
+		if err := json.Unmarshal(creds, &credentials); err != nil {
+			return "", "", "", errors.New("cannot parse fargate credentials")
+		}
+
+		return credentials.AccessKeyID, credentials.SecretAccessKey, credentials.SessionToken, nil
+	}
+
 	tokenReq, err := http.NewRequest("PUT", fmt.Sprintf("%s%s",
 		s.awsInstanceMetadataURL,
 		"/latest/api/token",

embedded/remotestorage/s3/s3_test.go

@@ -41,6 +41,7 @@ func TestOpen(t *testing.T) {
 		"",
 		"prefix",
 		"",
+		false,
 	)
 	require.NoError(t, err)
 	require.NotNil(t, s)
@@ -90,6 +91,7 @@ func TestCornerCases(t *testing.T) {
 			"",
 			"",
 			"",
+			false,
 		)
 		require.ErrorIs(t, err, ErrInvalidArguments)
 		require.ErrorIs(t, err, ErrInvalidArgumentsBucketEmpty)
@@ -107,6 +109,7 @@ func TestCornerCases(t *testing.T) {
 			"",
 			"",
 			"",
+			false,
 		)
 		require.ErrorIs(t, err, ErrInvalidArguments)
 		require.ErrorIs(t, err, ErrInvalidArgumentsBucketSlash)
@@ -124,6 +127,7 @@ func TestCornerCases(t *testing.T) {
 			"",
 			"",
 			"",
+			false,
 		)
 		require.NoError(t, err)
 		require.Equal(t, "", s.(*Storage).prefix)
@@ -138,6 +142,7 @@ func TestCornerCases(t *testing.T) {
 			"",
 			"/test/",
 			"",
+			false,
 		)
 		require.NoError(t, err)
 		require.Equal(t, "test/", s.(*Storage).prefix)
@@ -152,6 +157,7 @@ func TestCornerCases(t *testing.T) {
 			"",
 			"/test",
 			"",
+			false,
 		)
 		require.NoError(t, err)
 		require.Equal(t, "test/", s.(*Storage).prefix)
@@ -168,6 +174,7 @@ func TestCornerCases(t *testing.T) {
 			"",
 			"",
 			"",
+			false,
 		)
 		require.NoError(t, err)
 		require.Equal(t, "s3(misconfigured)", s.String())
@@ -184,6 +191,7 @@ func TestCornerCases(t *testing.T) {
 			"",
 			"",
 			"",
+			false,
 		)
 		require.NoError(t, err)
 
@@ -211,6 +219,7 @@ func TestCornerCases(t *testing.T) {
 			"",
 			"",
 			"",
+			false,
 		)
 		require.NoError(t, err)
 
@@ -230,6 +239,7 @@ func TestCornerCases(t *testing.T) {
 			"",
 			"",
 			"",
+			false,
 		)
 		require.Error(t, err)
 		require.Nil(t, s)
@@ -246,6 +256,7 @@ func TestCornerCases(t *testing.T) {
 			"",
 			"",
 			"",
+			false,
 		)
 		require.NoError(t, err)
 
@@ -300,6 +311,7 @@ func TestSignatureV4(t *testing.T) {
 		"us-east-1",
 		"",
 		"",
+		false,
 	)
 	require.NoError(t, err)
 

embedded/remotestorage/s3/s3_with_minio_test.go

@@ -45,6 +45,7 @@ func TestS3WithServer(t *testing.T) {
 		"",
 		fmt.Sprintf("prefix_%x", randomBytes),
 		"",
+		false,
 	)
 	require.NoError(t, err)
 

embedded/sql/engine_test.go

@@ -3202,6 +3202,69 @@ func TestQuery(t *testing.T) {
 	})
 }
 
+func TestExtractFromTimestamp(t *testing.T) {
+	st, err := store.Open(t.TempDir(), store.DefaultOptions().WithMultiIndexing(true))
+	require.NoError(t, err)
+	defer closeStore(t, st)
+
+	engine, err := NewEngine(st, DefaultOptions().WithPrefix(sqlPrefix))
+	require.NoError(t, err)
+
+	t.Run("extract from constant expressions", func(t *testing.T) {
+		assertQueryShouldProduceResults(
+			t,
+			engine,
+			`SELECT
+			EXTRACT(YEAR FROM '2020-01-15'),
+			EXTRACT(MONTH FROM '2020-01-15'),
+			EXTRACT(DAY FROM '2020-01-15'::TIMESTAMP),
+			EXTRACT(HOUR FROM '2020-01-15 12:30:24'),
+			EXTRACT(MINUTE FROM '2020-01-15 12:30:24'),
+			EXTRACT(SECOND FROM '2020-01-15 12:30:24'::TIMESTAMP)
+		`,
+			`SELECT * FROM (
+			VALUES (2020, 01, 15, 12, 30, 24)
+		)`,
+		)
+	})
+
+	t.Run("extract from table", func(t *testing.T) {
+		_, _, err := engine.Exec(
+			context.Background(),
+			nil,
+			`CREATE TABLE events(ts TIMESTAMP PRIMARY KEY);
+
+			INSERT INTO events(ts) VALUES
+				('2021-07-04 14:45:30'::TIMESTAMP),
+				('1999-12-31 23:59:59'::TIMESTAMP);
+			`,
+			nil,
+		)
+		require.NoError(t, err)
+
+		assertQueryShouldProduceResults(
+			t,
+			engine,
+			`SELECT
+				EXTRACT(YEAR FROM ts),
+				EXTRACT(MONTH FROM ts),
+				EXTRACT(DAY FROM ts),
+				EXTRACT(HOUR FROM ts),
+				EXTRACT(MINUTE FROM ts),
+				EXTRACT(SECOND FROM ts)
+			FROM events
+			ORDER BY ts
+			`,
+			`SELECT * FROM (
+				VALUES
+					(1999, 12, 31, 23, 59, 59),
+					(2021, 07, 04, 14, 45, 30)
+			)`,
+		)
+	})
+
+}
+
 func TestJSON(t *testing.T) {
 	opts := store.DefaultOptions().WithMultiIndexing(true)
 	opts.WithIndexOptions(opts.IndexOpts.WithMaxActiveSnapshots(1))
@@ -9450,6 +9513,51 @@ func TestFunctions(t *testing.T) {
 	)
 	require.NoError(t, err)
 
+	t.Run("coalesce", func(t *testing.T) {
+		type testCase struct {
+			query          string
+			expectedValues string
+			err            error
+		}
+
+		cases := []testCase{
+			{
+				query:          "SELECT COALESCE (NULL)",
+				expectedValues: "NULL",
+			},
+			{
+				query:          "SELECT COALESCE (NULL, NULL)",
+				expectedValues: "NULL",
+			},
+			{
+				query:          "SELECT COALESCE(NULL, 1, 1.5, 3)",
+				expectedValues: "1",
+			},
+			{
+				query:          "SELECT COALESCE('one', 'two', 'three')",
+				expectedValues: "'one'",
+			},
+			{
+				query: "SELECT COALESCE(1, 'test')",
+				err:   ErrInvalidTypes,
+			},
+		}
+
+		for _, tc := range cases {
+			if tc.err != nil {
+				_, err := engine.queryAll(context.Background(), nil, tc.query, nil)
+				require.ErrorIs(t, err, tc.err)
+				continue
+			}
+
+			assertQueryShouldProduceResults(
+				t,
+				engine,
+				tc.query,
+				fmt.Sprintf("SELECT * FROM (VALUES (%s))", tc.expectedValues))
+		}
+	})
+
 	t.Run("timestamp functions", func(t *testing.T) {
 		_, err := engine.queryAll(context.Background(), nil, "SELECT NOW(1) FROM mytable", nil)
 		require.ErrorIs(t, err, ErrIllegalArguments)

embedded/sql/functions.go

@@ -25,6 +25,7 @@ import (
 )
 
 const (
+	CoalesceFnCall           string = "COALESCE"
 	LengthFnCall             string = "LENGTH"
 	SubstringFnCall          string = "SUBSTRING"
 	ConcatFnCall             string = "CONCAT"
@@ -47,6 +48,7 @@ const (
 )
 
 var builtinFunctions = map[string]Function{
+	CoalesceFnCall:           &CoalesceFn{},
 	LengthFnCall:             &LengthFn{},
 	SubstringFnCall:          &SubstringFn{},
 	ConcatFnCall:             &ConcatFn{},
@@ -67,6 +69,37 @@ type Function interface {
 	Apply(tx *SQLTx, params []TypedValue) (TypedValue, error)
 }
 
+type CoalesceFn struct{}
+
+func (f *CoalesceFn) InferType(cols map[string]ColDescriptor, params map[string]SQLValueType, implicitTable string) (SQLValueType, error) {
+	return AnyType, nil
+}
+
+func (f *CoalesceFn) RequiresType(t SQLValueType, cols map[string]ColDescriptor, params map[string]SQLValueType, implicitTable string) error {
+	return nil
+}
+
+func (f *CoalesceFn) Apply(tx *SQLTx, params []TypedValue) (TypedValue, error) {
+	t := AnyType
+
+	for _, p := range params {
+		if !p.IsNull() {
+			if t == AnyType {
+				t = p.Type()
+			} else if p.Type() != t && !(IsNumericType(t) && IsNumericType(p.Type())) {
+				return nil, fmt.Errorf("coalesce: %w", ErrInvalidTypes)
+			}
+		}
+	}
+
+	for _, p := range params {
+		if !p.IsNull() {
+			return p, nil
+		}
+	}
+	return NewNull(t), nil
+}
+
 // -------------------------------------
 // String Functions
 // -------------------------------------