hypercall_db_diesel/

rds_iam.rs

use std::sync::Arc;

use anyhow::{Context, Result};
use arc_swap::ArcSwap;
use tracing::{error, info};

/// Components parsed from a `DATABASE_URL` for IAM token injection.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ParsedDbUrl {
    pub hostname: String,
    pub port: u16,
    pub username: String,
    pub dbname: String,
    pub query_params: String,
}

impl ParsedDbUrl {
    pub fn parse(database_url: &str) -> Result<Self> {
        let parsed = url::Url::parse(database_url)
            .with_context(|| "DATABASE_URL is not a valid URL for RDS IAM parsing")?;

        let hostname = parsed
            .host_str()
            .context("DATABASE_URL missing host")?
            .to_string();
        let port = parsed.port().unwrap_or(5432);
        let username = if parsed.username().is_empty() {
            anyhow::bail!("DATABASE_URL missing username (required for RDS IAM)");
        } else {
            parsed.username().to_string()
        };
        let dbname = parsed.path().trim_start_matches('/').to_string();
        if dbname.is_empty() {
            anyhow::bail!("DATABASE_URL missing database name");
        }
        let query_params = parsed.query().map(|q| format!("?{q}")).unwrap_or_default();

        Ok(Self {
            hostname,
            port,
            username,
            dbname,
            query_params,
        })
    }

    /// Build a full database URL with the given token as password.
    pub fn url_with_token(&self, token: &str) -> Result<String> {
        // The IAM token contains URL-encoded chars (%2F, etc.) that must survive
        // libpq's single percent-decode pass intact. We percent-encode the token
        // ourselves so that after libpq decodes, the proxy receives the original
        // token byte-for-byte. url::Url::set_password would double-encode the
        // existing %XX sequences, corrupting them.
        let encoded = url::form_urlencoded::byte_serialize(token.as_bytes()).collect::<String>();
        Ok(format!(
            "postgres://{}:{}@{}:{}/{}{}",
            self.username, encoded, self.hostname, self.port, self.dbname, self.query_params,
        ))
    }
}

/// Trait for generating database auth tokens. Production uses AWS IAM,
/// tests can inject mock implementations.
#[async_trait::async_trait]
pub(crate) trait TokenGenerator: Send + Sync {
    async fn generate(&self, parsed: &ParsedDbUrl) -> Result<String>;
}

/// Production token generator using AWS RDS IAM auth tokens.
#[cfg(feature = "rds-iam")]
struct AwsTokenGenerator {
    aws_config: aws_config::SdkConfig,
}

#[cfg(feature = "rds-iam")]
#[async_trait::async_trait]
impl TokenGenerator for AwsTokenGenerator {
    async fn generate(&self, parsed: &ParsedDbUrl) -> Result<String> {
        let config = aws_sdk_rds::auth_token::Config::builder()
            .hostname(&parsed.hostname)
            .port(parsed.port as u64)
            .username(&parsed.username)
            .build()
            .map_err(|e| anyhow::anyhow!("failed to build IAM auth token config: {e}"))?;
        let token = aws_sdk_rds::auth_token::AuthTokenGenerator::new(config)
            .auth_token(&self.aws_config)
            .await
            .map_err(|e| anyhow::anyhow!("failed to generate RDS IAM auth token: {e}"))?;
        Ok(token.to_string())
    }
}

/// Refresh interval and retry delays (extracted as constants for test visibility).
pub(crate) const REFRESH_INTERVAL_SECS: u64 = 600;
pub(crate) const RETRY_DELAYS_SECS: [u64; 3] = [30, 60, 120];

/// Generates RDS IAM auth tokens and caches a ready-to-use database URL.
///
/// The cached URL is atomically swapped via `ArcSwap` so both sync (r2d2) and
/// async (deadpool) pools can read it lock-free. A background tokio task
/// refreshes the token well before the 15-minute AWS expiry.
pub struct RdsIamTokenProvider {
    pub(crate) parsed: ParsedDbUrl,
    pub(crate) cached_url: Arc<ArcSwap<String>>,
    generator: Box<dyn TokenGenerator>,
}

impl RdsIamTokenProvider {
    /// Initialize the provider: load AWS credentials, generate the first token,
    /// and return a ready provider. Call [`Self::spawn_refresh_task`] after to
    /// keep the token fresh.
    #[cfg(feature = "rds-iam")]
    pub async fn new(database_url: &str) -> Result<Arc<Self>> {
        let parsed = ParsedDbUrl::parse(database_url)?;
        let aws_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;

        let provider = Arc::new(Self {
            parsed,
            cached_url: Arc::new(ArcSwap::from_pointee(String::new())),
            generator: Box::new(AwsTokenGenerator { aws_config }),
        });

        provider
            .refresh()
            .await
            .context("failed to generate initial RDS IAM token")?;

        Ok(provider)
    }

    /// Create a provider with a custom token generator. Used for testing
    /// without AWS credentials. Does NOT call `refresh()` — caller must
    /// seed the URL via [`Self::store_url`] or call [`Self::refresh`].
    pub(crate) fn with_generator(
        parsed: ParsedDbUrl,
        generator: Box<dyn TokenGenerator>,
    ) -> Arc<Self> {
        Arc::new(Self {
            parsed,
            cached_url: Arc::new(ArcSwap::from_pointee(String::new())),
            generator,
        })
    }

    /// Return the current database URL with a valid IAM token as password.
    pub fn current_url(&self) -> Arc<String> {
        self.cached_url.load_full()
    }

    /// Atomically store a new URL (used by `refresh` and tests).
    pub fn store_url(&self, url: String) {
        self.cached_url.store(Arc::new(url));
    }

    /// Generate a fresh auth token and update the cached URL.
    pub async fn refresh(&self) -> Result<()> {
        let token = self.generator.generate(&self.parsed).await?;
        let url = self.parsed.url_with_token(&token)?;
        self.cached_url.store(Arc::new(url));
        info!(host = %self.parsed.hostname, "refreshed RDS IAM auth token");
        Ok(())
    }

    /// Spawn a background task that refreshes the token every 10 minutes.
    /// On failure, retries with exponential backoff (30s, 60s, 120s) before
    /// falling back to the normal 10-minute cadence.
    pub fn spawn_refresh_task(self: &Arc<Self>) -> tokio::task::JoinHandle<()> {
        let provider = Arc::clone(self);
        tokio::spawn(async move {
            let normal_interval = std::time::Duration::from_secs(REFRESH_INTERVAL_SECS);
            let retry_delays: Vec<std::time::Duration> = RETRY_DELAYS_SECS
                .iter()
                .map(|s| std::time::Duration::from_secs(*s))
                .collect();

            loop {
                tokio::time::sleep(normal_interval).await;
                if provider.refresh().await.is_ok() {
                    continue;
                }
                error!("RDS IAM token refresh failed, starting retry backoff");
                let mut recovered = false;
                for delay in &retry_delays {
                    tokio::time::sleep(*delay).await;
                    match provider.refresh().await {
                        Ok(()) => {
                            recovered = true;
                            break;
                        }
                        Err(e) => error!("RDS IAM retry failed: {e:#}"),
                    }
                }
                if !recovered {
                    error!("RDS IAM token refresh exhausted retries, resuming normal cadence");
                }
            }
        })
    }
}

/// Test support types for mocking token generation.
#[cfg(test)]
pub(crate) mod test_support {
    use super::*;
    use std::collections::VecDeque;
    use std::sync::Mutex;

    /// Mock token generator that returns pre-programmed results.
    pub(crate) struct MockTokenGenerator {
        pub(crate) results: Arc<Mutex<VecDeque<Result<String>>>>,
        pub(crate) call_count: Arc<std::sync::atomic::AtomicUsize>,
    }

    impl MockTokenGenerator {
        pub(crate) fn new(results: Vec<Result<String>>) -> Self {
            Self {
                results: Arc::new(Mutex::new(VecDeque::from(results))),
                call_count: Arc::new(std::sync::atomic::AtomicUsize::new(0)),
            }
        }
    }

    #[async_trait::async_trait]
    impl TokenGenerator for MockTokenGenerator {
        async fn generate(&self, _parsed: &ParsedDbUrl) -> Result<String> {
            self.call_count
                .fetch_add(1, std::sync::atomic::Ordering::SeqCst);
            self.results
                .lock()
                .unwrap()
                .pop_front()
                .unwrap_or_else(|| Err(anyhow::anyhow!("no more mock tokens")))
        }
    }
}

#[cfg(test)]
mod tests {
    use super::test_support::*;
    use super::*;
    use std::collections::VecDeque;
    use std::sync::Mutex;

    #[test]
    fn parse_full_url() {
        let parsed =
            ParsedDbUrl::parse("postgres://myuser:mypass@db.example.com:5432/mydb?sslmode=require")
                .unwrap();
        assert_eq!(parsed.hostname, "db.example.com");
        assert_eq!(parsed.port, 5432);
        assert_eq!(parsed.username, "myuser");
        assert_eq!(parsed.dbname, "mydb");
        assert_eq!(parsed.query_params, "?sslmode=require");
    }

    #[test]
    fn parse_default_port() {
        let parsed = ParsedDbUrl::parse("postgres://user@host/db").unwrap();
        assert_eq!(parsed.port, 5432);
    }

    #[test]
    fn parse_no_query_params() {
        let parsed = ParsedDbUrl::parse("postgres://user@host/db").unwrap();
        assert_eq!(parsed.query_params, "");
    }

    #[test]
    fn parse_multiple_query_params() {
        let parsed =
            ParsedDbUrl::parse("postgres://user@host/db?sslmode=require&connect_timeout=10")
                .unwrap();
        assert_eq!(parsed.query_params, "?sslmode=require&connect_timeout=10");
    }

    #[test]
    fn parse_missing_host_fails() {
        assert!(ParsedDbUrl::parse("postgres:///db").is_err());
    }

    #[test]
    fn parse_missing_username_fails() {
        assert!(ParsedDbUrl::parse("postgres://host/db").is_err());
    }

    #[test]
    fn parse_missing_dbname_fails() {
        assert!(ParsedDbUrl::parse("postgres://user@host/").is_err());
        assert!(ParsedDbUrl::parse("postgres://user@host").is_err());
    }

    #[test]
    fn parse_invalid_url_fails() {
        assert!(ParsedDbUrl::parse("not-a-url").is_err());
    }

    #[test]
    fn url_with_token_preserves_structure() {
        let parsed = ParsedDbUrl::parse("postgres://user@host:5432/db?sslmode=require").unwrap();
        let url = parsed.url_with_token("mytoken123").unwrap();
        assert!(url.starts_with("postgres://user:mytoken123@host:5432/db"));
        assert!(url.contains("sslmode=require"));

        let url2 = parsed.url_with_token("tok/en=val").unwrap();
        let reparsed = url::Url::parse(&url2).unwrap();
        assert_eq!(reparsed.host_str(), Some("host"));
        assert_eq!(reparsed.port(), Some(5432));
        assert_eq!(reparsed.path(), "/db");
        assert_eq!(reparsed.query(), Some("sslmode=require"));
    }

    #[test]
    fn url_with_token_round_trip() {
        let parsed = ParsedDbUrl::parse(
            "postgres://admin@mydb.cluster.us-east-1.rds.amazonaws.com:5432/hypercall?sslmode=require",
        )
        .unwrap();
        let url = parsed.url_with_token("simpletoken123").unwrap();
        let reparsed = url::Url::parse(&url).unwrap();
        assert_eq!(reparsed.username(), "admin");
        assert_eq!(reparsed.password(), Some("simpletoken123"));
        assert_eq!(
            reparsed.host_str(),
            Some("mydb.cluster.us-east-1.rds.amazonaws.com")
        );
        assert_eq!(reparsed.port(), Some(5432));
        assert_eq!(reparsed.path(), "/hypercall");
        assert_eq!(reparsed.query(), Some("sslmode=require"));
    }

    #[test]
    fn store_url_visible_via_current_url() {
        let parsed = ParsedDbUrl::parse("postgres://user@host/db").unwrap();
        let provider =
            RdsIamTokenProvider::with_generator(parsed, Box::new(MockTokenGenerator::new(vec![])));

        assert_eq!(provider.current_url().as_ref(), "");

        provider.store_url("postgres://user:token1@host/db".into());
        assert_eq!(
            provider.current_url().as_ref(),
            "postgres://user:token1@host/db"
        );

        provider.store_url("postgres://user:token2@host/db".into());
        assert_eq!(
            provider.current_url().as_ref(),
            "postgres://user:token2@host/db"
        );
    }

    #[tokio::test]
    async fn refresh_uses_generator_and_updates_url() {
        let parsed = ParsedDbUrl::parse("postgres://user@host:5432/db").unwrap();
        let provider = RdsIamTokenProvider::with_generator(
            parsed,
            Box::new(MockTokenGenerator::new(vec![
                Ok("first_token".into()),
                Ok("second_token".into()),
            ])),
        );

        provider.refresh().await.unwrap();
        let url1 = provider.current_url();
        assert!(url1.contains("first_token"), "url={url1}");

        provider.refresh().await.unwrap();
        let url2 = provider.current_url();
        assert!(url2.contains("second_token"), "url={url2}");
    }

    #[tokio::test]
    async fn refresh_failure_preserves_old_url() {
        let parsed = ParsedDbUrl::parse("postgres://user@host/db").unwrap();
        let provider = RdsIamTokenProvider::with_generator(
            parsed,
            Box::new(MockTokenGenerator::new(vec![
                Ok("good_token".into()),
                Err(anyhow::anyhow!("AWS timeout")),
            ])),
        );

        provider.refresh().await.unwrap();
        let good_url = provider.current_url().as_ref().clone();

        let err = provider.refresh().await;
        assert!(err.is_err());

        // Old URL preserved after failed refresh
        assert_eq!(provider.current_url().as_ref().clone(), good_url);
    }

    #[tokio::test(start_paused = true)]
    async fn refresh_task_runs_on_schedule() {
        let call_count = Arc::new(std::sync::atomic::AtomicUsize::new(0));
        let cc = call_count.clone();

        let parsed = ParsedDbUrl::parse("postgres://user@host/db").unwrap();
        let gen = MockTokenGenerator {
            results: Arc::new(Mutex::new(VecDeque::from(vec![
                Ok("t1".into()),
                Ok("t2".into()),
                Ok("t3".into()),
                Ok("t4".into()),
                Ok("t5".into()),
            ]))),
            call_count: cc,
        };
        let provider = RdsIamTokenProvider::with_generator(parsed, Box::new(gen));

        let handle = provider.spawn_refresh_task();
        // Let the spawned task start and register its first sleep
        tokio::task::yield_now().await;

        // No calls yet (first refresh happens after REFRESH_INTERVAL_SECS)
        assert_eq!(call_count.load(std::sync::atomic::Ordering::SeqCst), 0);

        // Advance past first interval
        tokio::time::advance(std::time::Duration::from_secs(REFRESH_INTERVAL_SECS + 1)).await;
        for _ in 0..10 {
            tokio::task::yield_now().await;
        }
        assert_eq!(call_count.load(std::sync::atomic::Ordering::SeqCst), 1);

        // Advance past second interval
        tokio::time::advance(std::time::Duration::from_secs(REFRESH_INTERVAL_SECS)).await;
        for _ in 0..10 {
            tokio::task::yield_now().await;
        }
        assert_eq!(call_count.load(std::sync::atomic::Ordering::SeqCst), 2);

        handle.abort();
    }

    #[tokio::test(start_paused = true)]
    async fn refresh_task_retries_on_failure() {
        let call_count = Arc::new(std::sync::atomic::AtomicUsize::new(0));
        let cc = call_count.clone();

        let parsed = ParsedDbUrl::parse("postgres://user@host/db").unwrap();
        let gen = MockTokenGenerator {
            results: Arc::new(Mutex::new(VecDeque::from(vec![
                // First scheduled refresh: fails
                Err(anyhow::anyhow!("fail")),
                // Retry 1 (30s): fails
                Err(anyhow::anyhow!("fail")),
                // Retry 2 (60s): succeeds
                Ok("recovered_token".into()),
            ]))),
            call_count: cc,
        };
        let provider = RdsIamTokenProvider::with_generator(parsed, Box::new(gen));

        let handle = provider.spawn_refresh_task();
        tokio::task::yield_now().await;

        // Advance past normal interval — triggers first (failing) refresh
        tokio::time::advance(std::time::Duration::from_secs(REFRESH_INTERVAL_SECS + 1)).await;
        for _ in 0..10 {
            tokio::task::yield_now().await;
        }
        assert_eq!(call_count.load(std::sync::atomic::Ordering::SeqCst), 1);

        // Advance 30s — first retry (also fails)
        tokio::time::advance(std::time::Duration::from_secs(31)).await;
        for _ in 0..10 {
            tokio::task::yield_now().await;
        }
        assert_eq!(call_count.load(std::sync::atomic::Ordering::SeqCst), 2);

        // Advance 60s — second retry (succeeds)
        tokio::time::advance(std::time::Duration::from_secs(61)).await;
        for _ in 0..10 {
            tokio::task::yield_now().await;
        }
        assert_eq!(call_count.load(std::sync::atomic::Ordering::SeqCst), 3);
        assert!(
            provider.current_url().contains("recovered_token"),
            "url={}",
            provider.current_url()
        );

        handle.abort();
    }

    #[tokio::test(start_paused = true)]
    async fn refresh_task_exhausts_retries_then_resumes_normal_cadence() {
        let call_count = Arc::new(std::sync::atomic::AtomicUsize::new(0));
        let cc = call_count.clone();

        let parsed = ParsedDbUrl::parse("postgres://user@host/db").unwrap();
        let gen = MockTokenGenerator {
            results: Arc::new(Mutex::new(VecDeque::from(vec![
                // Normal refresh: fail
                Err(anyhow::anyhow!("fail")),
                // Retry 1 (30s): fail
                Err(anyhow::anyhow!("fail")),
                // Retry 2 (60s): fail
                Err(anyhow::anyhow!("fail")),
                // Retry 3 (120s): fail — exhausted
                Err(anyhow::anyhow!("fail")),
                // Back to normal cadence (600s): succeeds
                Ok("finally".into()),
            ]))),
            call_count: cc,
        };
        let provider = RdsIamTokenProvider::with_generator(parsed, Box::new(gen));
        provider.store_url("postgres://user:initial@host/db".into());

        let handle = provider.spawn_refresh_task();
        tokio::task::yield_now().await;

        // Normal interval → fail
        tokio::time::advance(std::time::Duration::from_secs(REFRESH_INTERVAL_SECS + 1)).await;
        for _ in 0..10 {
            tokio::task::yield_now().await;
        }
        // Retry 1 (30s) → fail
        tokio::time::advance(std::time::Duration::from_secs(31)).await;
        for _ in 0..10 {
            tokio::task::yield_now().await;
        }
        // Retry 2 (60s) → fail
        tokio::time::advance(std::time::Duration::from_secs(61)).await;
        for _ in 0..10 {
            tokio::task::yield_now().await;
        }
        // Retry 3 (120s) → fail, exhausted
        tokio::time::advance(std::time::Duration::from_secs(121)).await;
        for _ in 0..10 {
            tokio::task::yield_now().await;
        }

        assert_eq!(call_count.load(std::sync::atomic::Ordering::SeqCst), 4);
        // Old URL still cached
        assert!(provider.current_url().contains("initial"));

        // Back to normal cadence → succeeds
        tokio::time::advance(std::time::Duration::from_secs(REFRESH_INTERVAL_SECS + 1)).await;
        for _ in 0..10 {
            tokio::task::yield_now().await;
        }

        assert_eq!(call_count.load(std::sync::atomic::Ordering::SeqCst), 5);
        assert!(
            provider.current_url().contains("finally"),
            "url={}",
            provider.current_url()
        );

        handle.abort();
    }
}