database/mssql: set default root rotation stmt for contained db (#29399)

* database/mssql: set default root rotation stmt for contained db * changelog * add rotate root test * fix test * update passwords to make mssql happy * create admin user * update contained user create query * remove test
2025-10-30 02:02:43 +00:00 · 2025-01-24 14:42:27 -06:00
parent 9d31bb8586
commit 04e75372fb
4 changed files with 44 additions and 10 deletions
--- a/plugins/database/mssql/mssql.go
+++ b/plugins/database/mssql/mssql.go
@@ -345,8 +345,11 @@ func (m *MSSQL) UpdateUser(ctx context.Context, req dbplugin.UpdateUserRequest)

 func (m *MSSQL) updateUserPass(ctx context.Context, username string, changePass *dbplugin.ChangePassword) error {
 	stmts := changePass.Statements.Commands
-	if len(stmts) == 0 && !m.containedDB {
+	if len(stmts) == 0 {
 		stmts = []string{alterLoginSQL}
+		if m.containedDB {
+			stmts = []string{alterUserContainedSQL}
+		}
 	}

 	password := changePass.NewPassword
@@ -384,6 +387,11 @@ func (m *MSSQL) updateUserPass(ctx context.Context, username string, changePass
 		_ = tx.Rollback()
 	}()

+	if len(stmts) == 0 {
+		// should not happen, but guard against it anyway
+		return errors.New("no statement provided")
+	}
+
 	for _, stmt := range stmts {
 		for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") {
 			query = strings.TrimSpace(query)
@@ -431,3 +439,7 @@ EXEC (@stmt)`
 const alterLoginSQL = `
 ALTER LOGIN [{{username}}] WITH PASSWORD = '{{password}}'
 `
+
+const alterUserContainedSQL = `
+ALTER USER [{{username}}] WITH PASSWORD = '{{password}}'
+`
--- a/plugins/database/mssql/mssql_test.go
+++ b/plugins/database/mssql/mssql_test.go
@@ -20,7 +20,7 @@ import (
 	"github.com/stretchr/testify/assert"
 )

-func TestInitialize(t *testing.T) {
+func TestMSSQLInitialize(t *testing.T) {
 	cleanup, connURL := mssqlhelper.PrepareMSSQLTestContainer(t)
 	defer cleanup()

@@ -79,7 +79,7 @@ func TestInitialize(t *testing.T) {
 	}
 }

-func TestNewUser(t *testing.T) {
+func TestMSSQLNewUser(t *testing.T) {
 	cleanup, connURL := mssqlhelper.PrepareMSSQLTestContainer(t)
 	defer cleanup()

@@ -185,7 +185,7 @@ func TestNewUser(t *testing.T) {
 	}
 }

-func TestUpdateUser_password(t *testing.T) {
+func TestMSSQLUpdateUser_password(t *testing.T) {
 	type testCase struct {
 		req              dbplugin.UpdateUserRequest
 		expectErr        bool
@@ -312,7 +312,7 @@ func TestUpdateUser_password(t *testing.T) {
 	}
 }

-func TestDeleteUser(t *testing.T) {
+func TestMSSQLDeleteUser(t *testing.T) {
 	cleanup, connURL := mssqlhelper.PrepareMSSQLTestContainer(t)
 	defer cleanup()

@@ -358,7 +358,7 @@ func TestDeleteUser(t *testing.T) {
 	assertCredsDoNotExist(t, connURL, dbUser, initPassword)
 }

-func TestDeleteUserContainedDB(t *testing.T) {
+func TestMSSQLDeleteUserContainedDB(t *testing.T) {
 	cleanup, connURL := mssqlhelper.PrepareMSSQLTestContainer(t)
 	defer cleanup()

@@ -405,7 +405,7 @@ func TestDeleteUserContainedDB(t *testing.T) {
 	assertContainedDBCredsDoNotExist(t, connURL, dbUser)
 }

-func TestContainedDBSQLSanitization(t *testing.T) {
+func TestMSSQLContainedDBSQLSanitization(t *testing.T) {
 	cleanup, connURL := mssqlhelper.PrepareMSSQLTestContainer(t)
 	defer cleanup()

@@ -443,7 +443,7 @@ func TestContainedDBSQLSanitization(t *testing.T) {
 	assert.EqualError(t, err, "mssql: Cannot alter the login 'vaultuser]', because it does not exist or you do not have permission.")
 }

-func TestSQLSanitization(t *testing.T) {
+func TestMSSQLSanitization(t *testing.T) {
 	cleanup, connURL := mssqlhelper.PrepareMSSQLTestContainer(t)
 	defer cleanup()

@@ -576,3 +576,11 @@ const testMSSQLContainedLogin = `
 CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';
 CREATE USER [{{name}}] FOR LOGIN [{{name}}];
 `
+
+const testMSSQLContainedLoginAdmin = `
+CREATE USER [{{name}}] WITH PASSWORD = '{{password}}';
+
+ALTER ROLE db_datareader ADD MEMBER [{{name}}];
+ALTER ROLE db_datawriter ADD MEMBER [{{name}}];
+ALTER ROLE db_owner ADD MEMBER [{{name}}];
+`