Merge pull request #571 from aws/add-global-cert

Add global-bundle.pem to default cert list and Implement Dynamic .taco Filename Handling

.github/workflows/gradle.yml

@@ -196,7 +196,7 @@ jobs:
           MINOR_VERSION=$(grep "MINOR_VERSION" ${file} | cut -d'=' -f2)
           PATCH_VERSION=$(grep "PATCH_VERSION" ${file} | cut -d'=' -f2)
           echo "version=$MAJOR_VERSION.$MINOR_VERSION.$PATCH_VERSION" >> $GITHUB_ENV
-          mv  tableau-connector/target/documentdbjdbc.taco tableau-connector/target/documentdbjdbc-$MAJOR_VERSION.$MINOR_VERSION.$PATCH_VERSION.taco
+          mv  tableau-connector/target/*.taco tableau-connector/target/documentdbjdbc-$MAJOR_VERSION.$MINOR_VERSION.$PATCH_VERSION.taco
 
       - name: "Configure AWS credentials"
         if: ${{env.SIGNING_ENABLED == 'true'}}

src/main/java/software/amazon/documentdb/jdbc/DocumentDbConnectionProperties.java

@@ -68,7 +68,7 @@ public class DocumentDbConnectionProperties extends Properties {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(DocumentDbConnectionProperties.class.getName());
     private static final Pattern WHITE_SPACE_PATTERN = Pattern.compile("^\\s*$");
-    private static final String ROOT_2019_PEM_RESOURCE_FILE_NAME = "/rds-ca-2019-root.pem";
+    private static final String GLOBAL_BUNDLE_PEM_RESOURCE_FILE_NAME = "/global-bundle.pem";
     private static final String ROOT_2021_PEM_RESOURCE_FILE_NAME = "/rds-prod-root-ca-2021.pem";
     public static final String HOME_PATH_PREFIX_REG_EXPR = "^~[/\\\\].*$";
     public static final int FETCH_SIZE_DEFAULT = 2000;
@@ -1431,9 +1431,9 @@ void appendEmbeddedAndOptionalCaCertificates(final List<Certificate> caCertifica
             }
         }
         // Load embedded CA root certificates.
-        try (InputStream pem2019ResourceAsStream = getClass().getResourceAsStream(ROOT_2019_PEM_RESOURCE_FILE_NAME);
+        try (InputStream globalBundleResourceAsStream = getClass().getResourceAsStream(GLOBAL_BUNDLE_PEM_RESOURCE_FILE_NAME);
              InputStream pem2021ResourceAsStream = getClass().getResourceAsStream(ROOT_2021_PEM_RESOURCE_FILE_NAME)) {
-            caCertificates.addAll(CertificateUtils.loadCertificate(pem2019ResourceAsStream));
+            caCertificates.addAll(CertificateUtils.loadCertificate(globalBundleResourceAsStream));
             caCertificates.addAll(CertificateUtils.loadCertificate(pem2021ResourceAsStream));
         }
     }

src/markdown/setup/setup.md

@@ -36,12 +36,12 @@ If you are connecting to a TLS-enabled cluster, you may want to specify the Amaz
 on your connection string. By default, an Amazon RDS Certificate Authority root certificate has been embedded in the 
 JDBC driver JAR file which should work when connecting to Amazon DocumentDB clusters using SSL/TLS encryption. However, 
 if you want to provide a new Amazon RDS Certificate Authority root certificate, follow the directions below:
-1. [Download the root CA certificate](https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem)
+1. [Download the root CA certificate](https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem)
 2. It is recommended to relocate the file to your user's home directory: `$HOME` for Windows or `~` for MacOS/Linux.
 3. Add the `tlsCAFile` option to your [JDBC connection string](connection-string.md). For example: 
 
     ~~~
-    jdbc:documentdb://localhost:27017/<database-name>?tlsAllowInvalidHostnames=true&tlsCAFile=rds-ca-2019-root.pem
+    jdbc:documentdb://localhost:27017/<database-name>?tlsAllowInvalidHostnames=true&tlsCAFile=global-bundle.pem
     ~~~
 
 To determine whether your cluster is TLS-enabled, you can 

src/markdown/support/troubleshooting-guide.md

@@ -119,8 +119,8 @@ The online security resources may give a pointer how to fix this.
    See [Specifying the Amazon RDS Certificate Authority Certificate File](../setup/setup.md#specifying-the-amazon-rds-certificate-authority-certificate-file). 
 1. Copy the file to your home directory.
 1. Provide the root certificate file name in the connection. 
-   - Tableau: *TLS Certificate Authority File (Optional)* : `~/rds-ca-2019-root.pem`
-   - DbVisualizer: `jdbc:documentdb://localhost:27017/test?tls=true&tlsAllowInvalidHostnames=true&tlsCAFile=~/rds-ca-2019-root.pem`
+   - Tableau: *TLS Certificate Authority File (Optional)* : `~/global-bundle.pem`
+   - DbVisualizer: `jdbc:documentdb://localhost:27017/test?tls=true&tlsAllowInvalidHostnames=true&tlsCAFile=~/global-bundle.pem`
 
 ### Invalid hostname 
 #### What to look for: 

src/test/java/software/amazon/documentdb/jdbc/DocumentDbConnectionPropertiesTest.java

@@ -65,7 +65,7 @@ public void testValidProperties() {
         properties.setTlsAllowInvalidHostnames("true");
         properties.setTlsEnabled("true");
         properties.setRetryReadsEnabled("true");
-        properties.setTlsCAFilePath("src/main/resources/rds-ca-2019-root.pem");
+        properties.setTlsCAFilePath("src/main/resources/global-bundle.pem");
         properties.setSshUser("SSHUSER");
         properties.setSshHostname("SSHHOST");
         properties.setSshPrivateKeyFile("~/.ssh/test-file-name.pem");
@@ -89,7 +89,7 @@ public void testValidProperties() {
         Assertions.assertTrue(properties.getTlsEnabled());
         Assertions.assertTrue(properties.getTlsAllowInvalidHostnames());
         Assertions.assertTrue(properties.getRetryReadsEnabled());
-        Assertions.assertEquals("src/main/resources/rds-ca-2019-root.pem",
+        Assertions.assertEquals("src/main/resources/global-bundle.pem",
                 properties.getTlsCAFilePath());
         Assertions.assertEquals("SSHUSER", properties.getSshUser());
         Assertions.assertEquals("SSHHOST", properties.getSshHostname());
@@ -109,7 +109,7 @@ public void testValidProperties() {
                         + "&scanLimit=100"
                         + "&replicaSet=rs0"
                         + "&tlsAllowInvalidHostnames=true"
-                        + "&tlsCAFile=src%2Fmain%2Fresources%2Frds-ca-2019-root.pem"
+                        + "&tlsCAFile=src%2Fmain%2Fresources%2Fglobal-bundle.pem"
                         + "&sshUser=SSHUSER"
                         + "&sshHost=SSHHOST"
                         + "&sshPrivateKeyFile=%7E%2F.ssh%2Ftest-file-name.pem"
@@ -241,7 +241,7 @@ public void testSetPropertiesFromConnectionString() throws SQLException {
                 "&" + DocumentDbConnectionProperty.REPLICA_SET.getName() + "=" + "rs0" +
                 "&" + DocumentDbConnectionProperty.TLS_ENABLED.getName() + "=" + "true" +
                 "&" + DocumentDbConnectionProperty.TLS_ALLOW_INVALID_HOSTNAMES.getName() + "=" + "true" +
-                "&" + DocumentDbConnectionProperty.TLS_CA_FILE.getName() + "=" + "~/rds-ca-2019-root.pem" +
+                "&" + DocumentDbConnectionProperty.TLS_CA_FILE.getName() + "=" + "~/global-bundle.pem" +
                 "&" + DocumentDbConnectionProperty.LOGIN_TIMEOUT_SEC.getName() + "=" + "4" +
                 "&" + DocumentDbConnectionProperty.RETRY_READS_ENABLED.getName() + "=" + "true" +
                 "&" + DocumentDbConnectionProperty.METADATA_SCAN_METHOD.getName() + "=" + "random" +
@@ -419,11 +419,11 @@ void testAppendEmbeddedAndOptionalCaCertificates() throws SQLException, IOExcept
                 .getPropertiesFromConnectionString(info, connectionString, DOCUMENT_DB_SCHEME);
         final List<Certificate> caCertificates = new ArrayList<>();
         properties.appendEmbeddedAndOptionalCaCertificates(caCertificates);
-        Assertions.assertEquals(2, caCertificates.size());
+        Assertions.assertEquals(122, caCertificates.size());
         caCertificates.clear();
-        properties.setTlsCAFilePath("src/main/resources/rds-ca-2019-root.pem");
+        properties.setTlsCAFilePath("src/main/resources/global-bundle.pem");
         properties.appendEmbeddedAndOptionalCaCertificates(caCertificates);
-        Assertions.assertEquals(3, caCertificates.size());
+        Assertions.assertEquals(243, caCertificates.size());
         caCertificates.clear();
         properties.setTlsCAFilePath("invalid-path.pem");
         Assertions.assertThrows(SQLException.class,
@@ -447,7 +447,7 @@ void testBuildSshConnectionProperties() throws SQLException {
         properties.setTlsAllowInvalidHostnames("true");
         properties.setTlsEnabled("true");
         properties.setRetryReadsEnabled("true");
-        properties.setTlsCAFilePath("src/main/resources/rds-ca-2019-root.pem");
+        properties.setTlsCAFilePath("src/main/resources/global-bundle.pem");
         properties.setSshUser("SSHUSER");
         properties.setSshHostname("SSHHOST");
         properties.setSshPrivateKeyFile("~/.ssh/test-file-name.pem");

tableau-connector/Dockerfile

@@ -4,9 +4,11 @@ WORKDIR /tableau-connector
 ADD ./src .
 WORKDIR /tableau-sdk
 RUN git clone https://github.com/tableau/connector-plugin-sdk.git &&\
-    cd ./connector-plugin-sdk/connector-packager &&\
+    cd ./connector-plugin-sdk &&\
+    git checkout tags/tdvt-2.13.7 &&\
+    cd connector-packager &&\
     python3 -m venv .venv &&\
     source ./.venv/bin/activate &&\
     python3 setup.py install &&\
     python3 -m connector_packager.package /tableau-connector
-ENTRYPOINT ["bash"]
+ENTRYPOINT ["bash"]

tableau-connector/build.sh

@@ -12,20 +12,49 @@ echo "CURRENT_FOLDER=${CURRENT_FOLDER}"
 TARGET_FOLDER="$CURRENT_FOLDER"/target
 echo TARGET_FOLDER=${TARGET_FOLDER}
 mkdir -p $TARGET_FOLDER
-
+echo "Created directory at: $TARGET_FOLDER"
 echo "Building Docker Image"
 docker build -t taco-builder $CURRENT_FOLDER
 
 echo "Assembling Tableau Connector"
 docker run -d -it --name=taco-builder --mount type=bind,source=$TARGET_FOLDER,target=/output taco-builder
-echo "Copying Tableau Connector"
-docker exec taco-builder sh -c "cp /tableau-sdk/connector-plugin-sdk/connector-packager/packaged-connector/documentdbjdbc.taco  /output"
+if [ $? -ne 0 ]; then
+    echo "Failed to run Docker container."
+    exit 1
+fi
+
+# Dynamically find the taco file to copy. Only one .taco file exists.
+echo "Copying Tableau Connector to output directory"
+docker exec taco-builder sh -c 'cp /tableau-sdk/connector-plugin-sdk/connector-packager/packaged-connector/*.taco /output/'
+if [ $? -ne 0 ]; then
+    echo "Failed to copy .taco file to /output directory."
+    exit 1
+fi
+
+# Verify the Tableau Connector in the output directory
 echo "Verifying Tableau Connector"
 docker exec taco-builder sh -c "ls -l /output"
 docker exec taco-builder pwd
-echo "Extracting Tableau Connector"
-docker cp taco-builder:/output/documentdbjdbc.taco $TARGET_FOLDER
+echo "Extracting Tableau Connector to $TARGET_FOLDER"
+TACO_FILE_NAME=$(docker exec taco-builder sh -c "ls /output/*.taco")
+docker cp "taco-builder:$TACO_FILE_NAME" "$TARGET_FOLDER"
+if [ $? -ne 0 ]; then
+    echo "Failed to copy .taco file from Docker container to target folder."
+    exit 1
+fi
+echo "Connector extracted to $TARGET_FOLDER/"
 echo "Checking Resulting TACO FILE in $TARGET_FOLDER"
 ls -l $TARGET_FOLDER
+if [ $? -ne 0 ]; then
+    echo "Failed to list contents of $TARGET_FOLDER."
+    exit 1
+fi
+# Stop and remove Docker container
+echo "Stopping and removing Docker container"
 docker stop taco-builder
 docker rm taco-builder
+if [ $? -ne 0 ]; then
+    echo "Failed to stop or remove Docker container."
+    exit 1
+fi
+echo "Build process completed successfully."