[DBPW 4/X] Update DB engine to support v4 and v5 interfaces with password policies (#9878)

2025-11-01 19:17:58 +00:00 · 2020-09-18 15:10:54 -06:00
parent 7c49c094fa
commit 1cd0c0599b
76 changed files with 21485 additions and 424 deletions
--- a/builtin/logical/database/rollback.go
+++ b/builtin/logical/database/rollback.go
@@ -4,7 +4,7 @@ import (
 	"context"
 	"errors"

-	"github.com/hashicorp/vault/sdk/database/dbplugin"
+	"github.com/hashicorp/vault/sdk/database/newdbplugin"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/mitchellh/mapstructure"
 	"google.golang.org/grpc/codes"
@@ -73,13 +73,13 @@ func (b *databaseBackend) walRollback(ctx context.Context, req *logical.Request,
 }

 // rollbackDatabaseCredentials rolls back root database credentials for
-// the connection associated with the passed WAL entry. It will creates
+// the connection associated with the passed WAL entry. It will create
 // a connection to the database using the WAL entry new password in
 // order to alter the password to be the WAL entry old password.
 func (b *databaseBackend) rollbackDatabaseCredentials(ctx context.Context, config *DatabaseConfig, entry rotateRootCredentialsWAL) error {
 	// Attempt to get a connection with the WAL entry new password.
 	config.ConnectionDetails["password"] = entry.NewPassword
-	dbc, err := b.GetConnectionWithConfig(ctx, entry.ConnectionName, config)
+	dbi, err := b.GetConnectionWithConfig(ctx, entry.ConnectionName, config)
 	if err != nil {
 		return err
 	}
@@ -91,22 +91,21 @@ func (b *databaseBackend) rollbackDatabaseCredentials(ctx context.Context, confi
 		}
 	}()

-	// Roll back the database password to the WAL entry old password
-	statements := dbplugin.Statements{Rotation: config.RootCredentialsRotateStatements}
-	userConfig := dbplugin.StaticUserConfig{
+	updateReq := newdbplugin.UpdateUserRequest{
 		Username: entry.UserName,
-		Password: entry.OldPassword,
-	}
-	if _, _, err := dbc.SetCredentials(ctx, statements, userConfig); err != nil {
-		// If the database plugin doesn't implement SetCredentials, the root
-		// credentials can't be rolled back. This means the root credential
-		// rotation happened via the plugin RotateRootCredentials RPC.
-		if status.Code(err) == codes.Unimplemented {
-			return nil
-		}
-
-		return err
+		Password: &newdbplugin.ChangePassword{
+			NewPassword: entry.OldPassword,
+			Statements: newdbplugin.Statements{
+				Commands: config.RootCredentialsRotateStatements,
+			},
+		},
 	}

-	return nil
+	// It actually is the root user here, but we only want to use SetCredentials since
+	// RotateRootCredentials doesn't give any control over what password is used
+	_, err = dbi.database.UpdateUser(ctx, updateReq, false)
+	if status.Code(err) == codes.Unimplemented {
+		return nil
+	}
+	return err
 }