Combined Database backend: Add Static Account support to MySQL (#6970)

* temp support for mysql+static accounts

* remove create/update database user for static accounts

* update tests after create/delete removed

* small cleanups

* update postgresql setcredentials test

* temp support for mysql+static accounts

* Add Static Account support to MySQL

* add note that MySQL supports static roles

* remove code comment

* tidy up tests

* Update plugins/database/mysql/mysql_test.go

Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>

* Update plugins/database/mysql/mysql.go

Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>

* update what password we test

* refactor CreateUser and SetCredentials to use a common helper

* add close statements for statements in loops

* remove some redundant checks in the mysql test

* use root rotation statements as default for static accounts

* missed a file save

plugins/database/mysql/mysql_test.go

@@ -9,12 +9,17 @@ import (
 	"testing"
 	"time"
 
+	stdmysql "github.com/go-sql-driver/mysql"
 	"github.com/hashicorp/vault/helper/testhelpers/docker"
 	"github.com/hashicorp/vault/sdk/database/dbplugin"
 	"github.com/hashicorp/vault/sdk/database/helper/credsutil"
+	"github.com/hashicorp/vault/sdk/database/helper/dbutil"
+	"github.com/hashicorp/vault/sdk/helper/strutil"
 	"github.com/ory/dockertest"
 )
 
+var _ dbplugin.Database = (*MySQL)(nil)
+
 func prepareMySQLTestContainer(t *testing.T, legacy bool) (cleanup func(), retURL string) {
 	if os.Getenv("MYSQL_URL") != "" {
 		return func() {}, os.Getenv("MYSQL_URL")
@@ -305,6 +310,64 @@ func TestMySQL_RevokeUser(t *testing.T) {
 	}
 }
 
+func TestMySQL_SetCredentials(t *testing.T) {
+	cleanup, connURL := prepareMySQLTestContainer(t, false)
+	defer cleanup()
+
+	// create the database user and verify we can access
+	dbUser := "vaultstatictest"
+	createTestMySQLUser(t, connURL, dbUser, "password", testRoleStaticCreate)
+	if err := testCredsExist(t, connURL, dbUser, "password"); err != nil {
+		t.Fatalf("Could not connect with credentials: %s", err)
+	}
+
+	connectionDetails := map[string]interface{}{
+		"connection_url": connURL,
+	}
+
+	db := new(MetadataLen, MetadataLen, UsernameLen)
+	_, err := db.Init(context.Background(), connectionDetails, true)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	newPassword, err := db.GenerateCredentials(context.Background())
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	userConfig := dbplugin.StaticUserConfig{
+		Username: dbUser,
+		Password: newPassword,
+	}
+
+	statements := dbplugin.Statements{
+		Rotation: []string{testRoleStaticRotate},
+	}
+
+	_, _, err = db.SetCredentials(context.Background(), statements, userConfig)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	// verify new password works
+	if err := testCredsExist(t, connURL, dbUser, newPassword); err != nil {
+		t.Fatalf("Could not connect with new credentials: %s", err)
+	}
+
+	// call SetCredentials again, password will change
+	newPassword, _ = db.GenerateCredentials(context.Background())
+	userConfig.Password = newPassword
+	_, _, err = db.SetCredentials(context.Background(), statements, userConfig)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	if err := testCredsExist(t, connURL, dbUser, newPassword); err != nil {
+		t.Fatalf("Could not connect with new credentials: %s", err)
+	}
+}
+
 func testCredsExist(t testing.TB, connURL, username, password string) error {
 	// Log in with the new creds
 	connURL = strings.Replace(connURL, "root:secret", fmt.Sprintf("%s:%s", username, password), 1)
@@ -316,6 +379,56 @@ func testCredsExist(t testing.TB, connURL, username, password string) error {
 	return db.Ping()
 }
 
+func createTestMySQLUser(t *testing.T, connURL, username, password, query string) {
+	t.Helper()
+	db, err := sql.Open("mysql", connURL)
+	defer db.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Start a transaction
+	ctx := context.Background()
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		_ = tx.Rollback()
+	}()
+
+	// copied from mysql.go
+	for _, query := range strutil.ParseArbitraryStringSlice(query, ";") {
+		query = strings.TrimSpace(query)
+		if len(query) == 0 {
+			continue
+		}
+		query = dbutil.QueryHelper(query, map[string]string{
+			"name":     username,
+			"password": password,
+		})
+
+		stmt, err := tx.PrepareContext(ctx, query)
+		if err != nil {
+			if e, ok := err.(*stdmysql.MySQLError); ok && e.Number == 1295 {
+				_, err = tx.ExecContext(ctx, query)
+				if err != nil {
+					t.Fatal(err)
+				}
+				stmt.Close()
+				continue
+			}
+
+			t.Fatal(err)
+		}
+		if _, err := stmt.ExecContext(ctx); err != nil {
+			stmt.Close()
+			t.Fatal(err)
+		}
+		stmt.Close()
+	}
+}
+
 const testMySQLRolePreparedStmt = `
 CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';
 set @grants=CONCAT("GRANT SELECT ON ", "*", ".* TO '{{name}}'@'%'");
@@ -331,3 +444,12 @@ const testMySQLRevocationSQL = `
 REVOKE ALL PRIVILEGES, GRANT OPTION FROM '{{name}}'@'%'; 
 DROP USER '{{name}}'@'%';
 `
+
+const testRoleStaticCreate = `
+CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';
+GRANT SELECT ON *.* TO '{{name}}'@'%';
+`
+
+const testRoleStaticRotate = `
+ALTER USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';
+`