database/mssql: set default root rotation stmt for contained db (#29399)

* database/mssql: set default root rotation stmt for contained db * changelog * add rotate root test * fix test * update passwords to make mssql happy * create admin user * update contained user create query * remove test
2025-10-31 18:48:08 +00:00 · 2025-01-24 14:42:27 -06:00
parent 9d31bb8586
commit 04e75372fb
4 changed files with 44 additions and 10 deletions
--- a/changelog/29399.txt
+++ b/changelog/29399.txt
@@ -0,0 +1,3 @@
 ```release-note:bug
 database/mssql: Fix a bug where contained databases would silently fail root rotation if a custom root rotation statement was not provided.
 ```
--- a/plugins/database/mssql/mssql.go
+++ b/plugins/database/mssql/mssql.go
@@ -345,8 +345,11 @@ func (m *MSSQL) UpdateUser(ctx context.Context, req dbplugin.UpdateUserRequest)
 func (m *MSSQL) updateUserPass(ctx context.Context, username string, changePass *dbplugin.ChangePassword) error {
 	stmts := changePass.Statements.Commands
-	if len(stmts) == 0 && !m.containedDB {
+	if len(stmts) == 0 {
 		stmts = []string{alterLoginSQL}
 		if m.containedDB {
 			stmts = []string{alterUserContainedSQL}
 		}
 	}
 	password := changePass.NewPassword
@@ -384,6 +387,11 @@ func (m *MSSQL) updateUserPass(ctx context.Context, username string, changePass
 		_ = tx.Rollback()
 	}()
 	if len(stmts) == 0 {
 		// should not happen, but guard against it anyway
 		return errors.New("no statement provided")
 	}
 	for _, stmt := range stmts {
 		for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") {
 			query = strings.TrimSpace(query)
@@ -431,3 +439,7 @@ EXEC (@stmt)`
 const alterLoginSQL = `
 ALTER LOGIN [{{username}}] WITH PASSWORD = '{{password}}'
 `
 const alterUserContainedSQL = `
 ALTER USER [{{username}}] WITH PASSWORD = '{{password}}'
 `
--- a/plugins/database/mssql/mssql_test.go
+++ b/plugins/database/mssql/mssql_test.go
@@ -20,7 +20,7 @@ import (
 	"github.com/stretchr/testify/assert"
 )
-func TestInitialize(t *testing.T) {
+func TestMSSQLInitialize(t *testing.T) {
 	cleanup, connURL := mssqlhelper.PrepareMSSQLTestContainer(t)
 	defer cleanup()
@@ -79,7 +79,7 @@ func TestInitialize(t *testing.T) {
 	}
 }
-func TestNewUser(t *testing.T) {
+func TestMSSQLNewUser(t *testing.T) {
 	cleanup, connURL := mssqlhelper.PrepareMSSQLTestContainer(t)
 	defer cleanup()
@@ -185,7 +185,7 @@ func TestNewUser(t *testing.T) {
 	}
 }
-func TestUpdateUser_password(t *testing.T) {
+func TestMSSQLUpdateUser_password(t *testing.T) {
 	type testCase struct {
 		req              dbplugin.UpdateUserRequest
 		expectErr        bool
@@ -312,7 +312,7 @@ func TestUpdateUser_password(t *testing.T) {
 	}
 }
-func TestDeleteUser(t *testing.T) {
+func TestMSSQLDeleteUser(t *testing.T) {
 	cleanup, connURL := mssqlhelper.PrepareMSSQLTestContainer(t)
 	defer cleanup()
@@ -358,7 +358,7 @@ func TestDeleteUser(t *testing.T) {
 	assertCredsDoNotExist(t, connURL, dbUser, initPassword)
 }
-func TestDeleteUserContainedDB(t *testing.T) {
+func TestMSSQLDeleteUserContainedDB(t *testing.T) {
 	cleanup, connURL := mssqlhelper.PrepareMSSQLTestContainer(t)
 	defer cleanup()
@@ -405,7 +405,7 @@ func TestDeleteUserContainedDB(t *testing.T) {
 	assertContainedDBCredsDoNotExist(t, connURL, dbUser)
 }
-func TestContainedDBSQLSanitization(t *testing.T) {
+func TestMSSQLContainedDBSQLSanitization(t *testing.T) {
 	cleanup, connURL := mssqlhelper.PrepareMSSQLTestContainer(t)
 	defer cleanup()
@@ -443,7 +443,7 @@ func TestContainedDBSQLSanitization(t *testing.T) {
 	assert.EqualError(t, err, "mssql: Cannot alter the login 'vaultuser]', because it does not exist or you do not have permission.")
 }
-func TestSQLSanitization(t *testing.T) {
+func TestMSSQLSanitization(t *testing.T) {
 	cleanup, connURL := mssqlhelper.PrepareMSSQLTestContainer(t)
 	defer cleanup()
@@ -576,3 +576,11 @@ const testMSSQLContainedLogin = `
 CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';
 CREATE USER [{{name}}] FOR LOGIN [{{name}}];
 `
 const testMSSQLContainedLoginAdmin = `
 CREATE USER [{{name}}] WITH PASSWORD = '{{password}}';
 ALTER ROLE db_datareader ADD MEMBER [{{name}}];
 ALTER ROLE db_datawriter ADD MEMBER [{{name}}];
 ALTER ROLE db_owner ADD MEMBER [{{name}}];
 `
--- a/website/content/docs/secrets/databases/mssql.mdx
+++ b/website/content/docs/secrets/databases/mssql.mdx
@@ -115,13 +115,23 @@ the proper permission, it can generate credentials.
 ## Example for Azure SQL database
-Here is a complete example using Azure SQL Database. Note that databases in Azure SQL Database are [contained databases](https://docs.microsoft.com/en-us/sql/relational-databases/databases/contained-databases) and that we do not create a login for the user; instead, we associate the password directly with the user itself. Also note that you will need a separate connection and role for each Azure SQL database for which you want to generate dynamic credentials. You can use a single database backend mount for all these databases or use a separate mount for each of them. In this example, we use a custom path for the database backend.
+Here is a complete example using Azure SQL Database. Note that databases in
 Azure SQL Database are [contained databases](https://docs.microsoft.com/en-us/sql/relational-databases/databases/contained-databases)
 and that we do not create a login for the user; instead, we associate the
 password directly with the user itself. Also note that you will need a separate
 connection and role for each Azure SQL database for which you want to generate
 dynamic credentials. You can use a single database backend mount for all these
 databases or use a separate mount for each of them. In this example, we use a
 custom path for the database backend.
 <Note>
  Azure SQL databases may use different authentication mechanism that are configured on the SQL server. Vault only supports SQL authentication. Azure AD authentication is not supported.
 </Note>
-First, we mount a database backend at the azuresql path with `vault secrets enable -path=azuresql database`. Then we configure a connection called "testvault" to connect to a database called "test-vault", using "azuresql" at the beginning of our path:
+First, we mount a database backend at the azuresql path with `vault secrets
 enable -path=azuresql database`. Then we configure a connection called
 "testvault" to connect to a database called "test-vault", using "azuresql" at
 the beginning of our path and set the `contained_db` field:
    ~> Note: If you are using a windows vault client with cmd.exe, change the single quotes to double quotes in the connection string.  Windows cmd.exe does not interpret single quotes as a continous string
@@ -129,6 +139,7 @@ First, we mount a database backend at the azuresql path with `vault secrets enab
 $ vault write azuresql/config/testvault \
    plugin_name=mssql-database-plugin \
    connection_url='server=hashisqlserver.database.windows.net;port=1433;user id=admin;password=pAssw0rd;database=test-vault;app name=vault;' \
    contained_db=true \
    allowed_roles="test"
 ```