scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-03 12:07:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

DBPW - Update Cassandra to adhere to v5 Database interface (#10051)

Browse Source
This commit is contained in:
Michael Golowka
2020-10-12 14:46:17 -06:00
committed by GitHub
parent ee6391b691
commit 1eff3f7daa
3 changed files with 270 additions and 237 deletions
Download Patch File Download Diff File Expand all files Collapse all files

231
plugins/database/cassandra/cassandra.go
View File

@@ -2,37 +2,36 @@ package cassandra
import (
"context"
"fmt"
"strings"
"time"
"github.com/gocql/gocql"
multierror "github.com/hashicorp/go-multierror"
"github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/sdk/database/dbplugin"
"github.com/hashicorp/vault/sdk/database/helper/credsutil"
"github.com/hashicorp/vault/sdk/database/helper/dbutil"
"github.com/hashicorp/vault/sdk/database/newdbplugin"
"github.com/hashicorp/vault/sdk/helper/strutil"
)
const (
defaultUserCreationCQL = `CREATE USER '{{username}}' WITH PASSWORD '{{password}}' NOSUPERUSER;`
defaultUserDeletionCQL = `DROP USER '{{username}}';`
defaultRootCredentialRotationCQL = `ALTER USER {{username}} WITH PASSWORD '{{password}}';`
cassandraTypeName = "cassandra"
defaultUserCreationCQL = `CREATE USER '{{username}}' WITH PASSWORD '{{password}}' NOSUPERUSER;`
defaultUserDeletionCQL = `DROP USER '{{username}}';`
defaultChangePasswordCQL = `ALTER USER {{username}} WITH PASSWORD '{{password}}';`
cassandraTypeName = "cassandra"
)
var _ dbplugin.Database = &Cassandra{}
var _ newdbplugin.Database = &Cassandra{}
// Cassandra is an implementation of Database interface
type Cassandra struct {
*cassandraConnectionProducer
credsutil.CredentialsProducer
}
// New returns a new Cassandra instance
func New() (interface{}, error) {
db := new()
dbType := dbplugin.NewDatabaseErrorSanitizerMiddleware(db, db.secretValues)
dbType := newdbplugin.NewDatabaseErrorSanitizerMiddleware(db, db.secretValues)
return dbType, nil
}
@@ -41,16 +40,8 @@ func new() *Cassandra {
connProducer := &cassandraConnectionProducer{}
connProducer.Type = cassandraTypeName
credsProducer := &credsutil.SQLCredentialsProducer{
DisplayNameLen: 15,
RoleNameLen: 15,
UsernameLen: 100,
Separator: "_",
}
return &Cassandra{
cassandraConnectionProducer: connProducer,
CredentialsProducer: credsProducer,
}
}
@@ -61,7 +52,7 @@ func Run(apiTLSConfig *api.TLSConfig) error {
return err
}
dbplugin.Serve(dbType.(dbplugin.Database), api.VaultPluginTLSProvider(apiTLSConfig))
newdbplugin.Serve(dbType.(newdbplugin.Database), api.VaultPluginTLSProvider(apiTLSConfig))
return nil
}
@@ -80,45 +71,39 @@ func (c *Cassandra) getConnection(ctx context.Context) (*gocql.Session, error) {
return session.(*gocql.Session), nil
}
// CreateUser generates the username/password on the underlying Cassandra secret backend as instructed by
// the CreationStatement provided.
func (c *Cassandra) CreateUser(ctx context.Context, statements dbplugin.Statements, usernameConfig dbplugin.UsernameConfig, expiration time.Time) (username string, password string, err error) {
// Grab the lock
// NewUser generates the username/password on the underlying Cassandra secret backend as instructed by
// the statements provided.
func (c *Cassandra) NewUser(ctx context.Context, req newdbplugin.NewUserRequest) (newdbplugin.NewUserResponse, error) {
c.Lock()
defer c.Unlock()
statements = dbutil.StatementCompatibilityHelper(statements)
// Get the connection
session, err := c.getConnection(ctx)
if err != nil {
return "", "", err
return newdbplugin.NewUserResponse{}, err
}
creationCQL := statements.Creation
creationCQL := req.Statements.Commands
if len(creationCQL) == 0 {
creationCQL = []string{defaultUserCreationCQL}
}
rollbackCQL := statements.Rollback
rollbackCQL := req.RollbackStatements.Commands
if len(rollbackCQL) == 0 {
rollbackCQL = []string{defaultUserDeletionCQL}
}
username, err = c.GenerateUsername(usernameConfig)
username = strings.Replace(username, "-", "_", -1)
username, err := credsutil.GenerateUsername(
credsutil.DisplayName(req.UsernameConfig.DisplayName, 15),
credsutil.RoleName(req.UsernameConfig.RoleName, 15),
credsutil.Separator("_"),
credsutil.MaxLength(100),
credsutil.ToLower(),
)
if err != nil {
return "", "", err
return newdbplugin.NewUserResponse{}, err
}
// Cassandra doesn't like the uppercase usernames
username = strings.ToLower(username)
username = strings.ReplaceAll(username, "-", "_")
password, err = c.GeneratePassword()
if err != nil {
return "", "", err
}
// Execute each query
for _, stmt := range creationCQL {
for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") {
query = strings.TrimSpace(query)
@@ -126,51 +111,111 @@ func (c *Cassandra) CreateUser(ctx context.Context, statements dbplugin.Statemen
continue
}
err = session.Query(dbutil.QueryHelper(query, map[string]string{
m := map[string]string{
"username": username,
"password": password,
})).WithContext(ctx).Exec()
"password": req.Password,
}
err = session.
Query(dbutil.QueryHelper(query, m)).
WithContext(ctx).
Exec()
if err != nil {
for _, stmt := range rollbackCQL {
for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") {
query = strings.TrimSpace(query)
if len(query) == 0 {
continue
}
session.Query(dbutil.QueryHelper(query, map[string]string{
"username": username,
})).WithContext(ctx).Exec()
}
rollbackErr := rollbackUser(ctx, session, username, rollbackCQL)
if rollbackErr != nil {
err = multierror.Append(err, rollbackErr)
}
return "", "", err
return newdbplugin.NewUserResponse{}, err
}
}
}
return username, password, nil
resp := newdbplugin.NewUserResponse{
Username: username,
}
return resp, nil
}
// RenewUser is not supported on Cassandra, so this is a no-op.
func (c *Cassandra) RenewUser(ctx context.Context, statements dbplugin.Statements, username string, expiration time.Time) error {
// NOOP
func rollbackUser(ctx context.Context, session *gocql.Session, username string, rollbackCQL []string) error {
for _, stmt := range rollbackCQL {
for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") {
query = strings.TrimSpace(query)
if len(query) == 0 {
continue
}
m := map[string]string{
"username": username,
}
err := session.
Query(dbutil.QueryHelper(query, m)).
WithContext(ctx).
Exec()
if err != nil {
return fmt.Errorf("failed to roll back user %s: %w", username, err)
}
}
}
return nil
}
// RevokeUser attempts to drop the specified user.
func (c *Cassandra) RevokeUser(ctx context.Context, statements dbplugin.Statements, username string) error {
// Grab the lock
c.Lock()
defer c.Unlock()
func (c *Cassandra) UpdateUser(ctx context.Context, req newdbplugin.UpdateUserRequest) (newdbplugin.UpdateUserResponse, error) {
if req.Password == nil && req.Expiration == nil {
return newdbplugin.UpdateUserResponse{}, fmt.Errorf("no changes requested")
}
statements = dbutil.StatementCompatibilityHelper(statements)
if req.Password != nil {
err := c.changeUserPassword(ctx, req.Username, req.Password)
return newdbplugin.UpdateUserResponse{}, err
}
// Expiration is no-op
return newdbplugin.UpdateUserResponse{}, nil
}
func (c *Cassandra) changeUserPassword(ctx context.Context, username string, changePass *newdbplugin.ChangePassword) error {
session, err := c.getConnection(ctx)
if err != nil {
return err
}
revocationCQL := statements.Revocation
rotateCQL := changePass.Statements.Commands
if len(rotateCQL) == 0 {
rotateCQL = []string{defaultChangePasswordCQL}
}
var result *multierror.Error
for _, stmt := range rotateCQL {
for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") {
query = strings.TrimSpace(query)
if len(query) == 0 {
continue
}
m := map[string]string{
"username": username,
"password": changePass.NewPassword,
}
err := session.
Query(dbutil.QueryHelper(query, m)).
WithContext(ctx).
Exec()
result = multierror.Append(result, err)
}
}
return result.ErrorOrNil()
}
// DeleteUser attempts to drop the specified user.
func (c *Cassandra) DeleteUser(ctx context.Context, req newdbplugin.DeleteUserRequest) (newdbplugin.DeleteUserResponse, error) {
c.Lock()
defer c.Unlock()
session, err := c.getConnection(ctx)
if err != nil {
return newdbplugin.DeleteUserResponse{}, err
}
revocationCQL := req.Statements.Commands
if len(revocationCQL) == 0 {
revocationCQL = []string{defaultUserDeletionCQL}
}
@@ -183,59 +228,17 @@ func (c *Cassandra) RevokeUser(ctx context.Context, statements dbplugin.Statemen
continue
}
err := session.Query(dbutil.QueryHelper(query, map[string]string{
"username": username,
})).WithContext(ctx).Exec()
result = multierror.Append(result, err)
}
}
return result.ErrorOrNil()
}
func (c *Cassandra) RotateRootCredentials(ctx context.Context, statements []string) (map[string]interface{}, error) {
// Grab the lock
c.Lock()
defer c.Unlock()
session, err := c.getConnection(ctx)
if err != nil {
return nil, err
}
rotateCQL := statements
if len(rotateCQL) == 0 {
rotateCQL = []string{defaultRootCredentialRotationCQL}
}
password, err := c.GeneratePassword()
if err != nil {
return nil, err
}
var result *multierror.Error
for _, stmt := range rotateCQL {
for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") {
query = strings.TrimSpace(query)
if len(query) == 0 {
continue
m := map[string]string{
"username": req.Username,
}
err := session.Query(dbutil.QueryHelper(query, map[string]string{
"username": c.Username,
"password": password,
})).WithContext(ctx).Exec()
err := session.
Query(dbutil.QueryHelper(query, m)).
WithContext(ctx).
Exec()
result = multierror.Append(result, err)
}
}
err = result.ErrorOrNil()
if err != nil {
return nil, err
}
c.rawConfig["password"] = password
return c.rawConfig, nil
return newdbplugin.DeleteUserResponse{}, result.ErrorOrNil()
}