database/mssql: set default root rotation stmt for contained db (#29399)

* database/mssql: set default root rotation stmt for contained db * changelog * add rotate root test * fix test * update passwords to make mssql happy * create admin user * update contained user create query * remove test
2025-10-31 18:48:08 +00:00 · 2025-01-24 14:42:27 -06:00
parent 9d31bb8586
commit 04e75372fb
4 changed files with 44 additions and 10 deletions
--- a/plugins/database/mssql/mssql.go
+++ b/plugins/database/mssql/mssql.go
@@ -345,8 +345,11 @@ func (m *MSSQL) UpdateUser(ctx context.Context, req dbplugin.UpdateUserRequest)

 func (m *MSSQL) updateUserPass(ctx context.Context, username string, changePass *dbplugin.ChangePassword) error {
 	stmts := changePass.Statements.Commands
-	if len(stmts) == 0 && !m.containedDB {
+	if len(stmts) == 0 {
 		stmts = []string{alterLoginSQL}
+		if m.containedDB {
+			stmts = []string{alterUserContainedSQL}
+		}
 	}

 	password := changePass.NewPassword
@@ -384,6 +387,11 @@ func (m *MSSQL) updateUserPass(ctx context.Context, username string, changePass
 		_ = tx.Rollback()
 	}()

+	if len(stmts) == 0 {
+		// should not happen, but guard against it anyway
+		return errors.New("no statement provided")
+	}
+
 	for _, stmt := range stmts {
 		for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") {
 			query = strings.TrimSpace(query)
@@ -431,3 +439,7 @@ EXEC (@stmt)`
 const alterLoginSQL = `
 ALTER LOGIN [{{username}}] WITH PASSWORD = '{{password}}'
 `
+
+const alterUserContainedSQL = `
+ALTER USER [{{username}}] WITH PASSWORD = '{{password}}'
+`