mirror of
https://github.com/optim-enterprises-bv/vault.git
synced 2025-12-10 05:55:34 +00:00
Database Root Credential Rotation (#3976)
* redoing connection handling * a little more cleanup * empty implementation of rotation * updating rotate signature * signature update * updating interfaces again :( * changing back to interface * adding templated url support and rotation for postgres * adding correct username * return updates * updating statements to be a list * adding error sanitizing middleware * fixing log sanitizier * adding postgres rotate test * removing conf from rotate * adding rotate command * adding mysql rotate * finishing up the endpoint in the db backend for rotate * no more structs, just store raw config * fixing tests * adding db instance lock * adding support for statement list in cassandra * wip redoing interface to support BC * adding falllback for Initialize implementation * adding backwards compat for statements * fix tests * fix more tests * fixing up tests, switching to new fields in statements * fixing more tests * adding mssql and mysql * wrapping all the things in middleware, implementing templating for mongodb * wrapping all db servers with error santizer * fixing test * store the name with the db instance * adding rotate to cassandra * adding compatibility translation to both server and plugin * reordering a few things * store the name with the db instance * reordering * adding a few more tests * switch secret values from slice to map * addressing some feedback * reinstate execute plugin after resetting connection * set database connection to closed * switching secret values func to map[string]interface for potential future uses * addressing feedback
This commit is contained in:
Chris Hoffman
@@ -2,8 +2,14 @@ package dbplugin
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"net/url"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/hashicorp/errwrap"
|
||||
|
||||
metrics "github.com/armon/go-metrics"
|
||||
log "github.com/mgutz/logxi/v1"
|
||||
)
|
||||
@@ -51,13 +57,27 @@ func (mw *databaseTracingMiddleware) RevokeUser(ctx context.Context, statements
|
||||
return mw.next.RevokeUser(ctx, statements, username)
|
||||
}
|
||||
|
||||
func (mw *databaseTracingMiddleware) Initialize(ctx context.Context, conf map[string]interface{}, verifyConnection bool) (err error) {
|
||||
func (mw *databaseTracingMiddleware) RotateRootCredentials(ctx context.Context, statements []string) (conf map[string]interface{}, err error) {
|
||||
defer func(then time.Time) {
|
||||
mw.logger.Trace("database", "operation", "RotateRootCredentials", "status", "finished", "type", mw.typeStr, "transport", mw.transport, "err", err, "took", time.Since(then))
|
||||
}(time.Now())
|
||||
|
||||
mw.logger.Trace("database", "operation", "RotateRootCredentials", "status", "started", "type", mw.typeStr, "transport", mw.transport)
|
||||
return mw.next.RotateRootCredentials(ctx, statements)
|
||||
}
|
||||
|
||||
func (mw *databaseTracingMiddleware) Initialize(ctx context.Context, conf map[string]interface{}, verifyConnection bool) error {
|
||||
_, err := mw.Init(ctx, conf, verifyConnection)
|
||||
return err
|
||||
}
|
||||
|
||||
func (mw *databaseTracingMiddleware) Init(ctx context.Context, conf map[string]interface{}, verifyConnection bool) (saveConf map[string]interface{}, err error) {
|
||||
defer func(then time.Time) {
|
||||
mw.logger.Trace("database", "operation", "Initialize", "status", "finished", "type", mw.typeStr, "transport", mw.transport, "verify", verifyConnection, "err", err, "took", time.Since(then))
|
||||
}(time.Now())
|
||||
|
||||
mw.logger.Trace("database", "operation", "Initialize", "status", "started", "type", mw.typeStr, "transport", mw.transport)
|
||||
return mw.next.Initialize(ctx, conf, verifyConnection)
|
||||
return mw.next.Init(ctx, conf, verifyConnection)
|
||||
}
|
||||
|
||||
func (mw *databaseTracingMiddleware) Close() (err error) {
|
||||
@@ -131,7 +151,28 @@ func (mw *databaseMetricsMiddleware) RevokeUser(ctx context.Context, statements
|
||||
return mw.next.RevokeUser(ctx, statements, username)
|
||||
}
|
||||
|
||||
func (mw *databaseMetricsMiddleware) Initialize(ctx context.Context, conf map[string]interface{}, verifyConnection bool) (err error) {
|
||||
func (mw *databaseMetricsMiddleware) RotateRootCredentials(ctx context.Context, statements []string) (conf map[string]interface{}, err error) {
|
||||
defer func(now time.Time) {
|
||||
metrics.MeasureSince([]string{"database", "RotateRootCredentials"}, now)
|
||||
metrics.MeasureSince([]string{"database", mw.typeStr, "RotateRootCredentials"}, now)
|
||||
|
||||
if err != nil {
|
||||
metrics.IncrCounter([]string{"database", "RotateRootCredentials", "error"}, 1)
|
||||
metrics.IncrCounter([]string{"database", mw.typeStr, "RotateRootCredentials", "error"}, 1)
|
||||
}
|
||||
}(time.Now())
|
||||
|
||||
metrics.IncrCounter([]string{"database", "RotateRootCredentials"}, 1)
|
||||
metrics.IncrCounter([]string{"database", mw.typeStr, "RotateRootCredentials"}, 1)
|
||||
return mw.next.RotateRootCredentials(ctx, statements)
|
||||
}
|
||||
|
||||
func (mw *databaseMetricsMiddleware) Initialize(ctx context.Context, conf map[string]interface{}, verifyConnection bool) error {
|
||||
_, err := mw.Init(ctx, conf, verifyConnection)
|
||||
return err
|
||||
}
|
||||
|
||||
func (mw *databaseMetricsMiddleware) Init(ctx context.Context, conf map[string]interface{}, verifyConnection bool) (saveConf map[string]interface{}, err error) {
|
||||
defer func(now time.Time) {
|
||||
metrics.MeasureSince([]string{"database", "Initialize"}, now)
|
||||
metrics.MeasureSince([]string{"database", mw.typeStr, "Initialize"}, now)
|
||||
@@ -144,7 +185,7 @@ func (mw *databaseMetricsMiddleware) Initialize(ctx context.Context, conf map[st
|
||||
|
||||
metrics.IncrCounter([]string{"database", "Initialize"}, 1)
|
||||
metrics.IncrCounter([]string{"database", mw.typeStr, "Initialize"}, 1)
|
||||
return mw.next.Initialize(ctx, conf, verifyConnection)
|
||||
return mw.next.Init(ctx, conf, verifyConnection)
|
||||
}
|
||||
|
||||
func (mw *databaseMetricsMiddleware) Close() (err error) {
|
||||
@@ -162,3 +203,76 @@ func (mw *databaseMetricsMiddleware) Close() (err error) {
|
||||
metrics.IncrCounter([]string{"database", mw.typeStr, "Close"}, 1)
|
||||
return mw.next.Close()
|
||||
}
|
||||
|
||||
// ---- Error Sanitizer Middleware Domain ----
|
||||
|
||||
// DatabaseErrorSanitizerMiddleware wraps an implementation of Databases and
|
||||
// sanitizes returned error messages
|
||||
type DatabaseErrorSanitizerMiddleware struct {
|
||||
l sync.RWMutex
|
||||
next Database
|
||||
secretsFn func() map[string]interface{}
|
||||
}
|
||||
|
||||
func NewDatabaseErrorSanitizerMiddleware(next Database, secretsFn func() map[string]interface{}) *DatabaseErrorSanitizerMiddleware {
|
||||
return &DatabaseErrorSanitizerMiddleware{
|
||||
next: next,
|
||||
secretsFn: secretsFn,
|
||||
}
|
||||
}
|
||||
|
||||
func (mw *DatabaseErrorSanitizerMiddleware) Type() (string, error) {
|
||||
dbType, err := mw.next.Type()
|
||||
return dbType, mw.sanitize(err)
|
||||
}
|
||||
|
||||
func (mw *DatabaseErrorSanitizerMiddleware) CreateUser(ctx context.Context, statements Statements, usernameConfig UsernameConfig, expiration time.Time) (username string, password string, err error) {
|
||||
username, password, err = mw.next.CreateUser(ctx, statements, usernameConfig, expiration)
|
||||
return username, password, mw.sanitize(err)
|
||||
}
|
||||
|
||||
func (mw *DatabaseErrorSanitizerMiddleware) RenewUser(ctx context.Context, statements Statements, username string, expiration time.Time) (err error) {
|
||||
return mw.sanitize(mw.next.RenewUser(ctx, statements, username, expiration))
|
||||
}
|
||||
|
||||
func (mw *DatabaseErrorSanitizerMiddleware) RevokeUser(ctx context.Context, statements Statements, username string) (err error) {
|
||||
return mw.sanitize(mw.next.RevokeUser(ctx, statements, username))
|
||||
}
|
||||
|
||||
func (mw *DatabaseErrorSanitizerMiddleware) RotateRootCredentials(ctx context.Context, statements []string) (conf map[string]interface{}, err error) {
|
||||
conf, err = mw.next.RotateRootCredentials(ctx, statements)
|
||||
return conf, mw.sanitize(err)
|
||||
}
|
||||
|
||||
func (mw *DatabaseErrorSanitizerMiddleware) Initialize(ctx context.Context, conf map[string]interface{}, verifyConnection bool) error {
|
||||
_, err := mw.Init(ctx, conf, verifyConnection)
|
||||
return err
|
||||
}
|
||||
|
||||
func (mw *DatabaseErrorSanitizerMiddleware) Init(ctx context.Context, conf map[string]interface{}, verifyConnection bool) (saveConf map[string]interface{}, err error) {
|
||||
saveConf, err = mw.next.Init(ctx, conf, verifyConnection)
|
||||
return saveConf, mw.sanitize(err)
|
||||
}
|
||||
|
||||
func (mw *DatabaseErrorSanitizerMiddleware) Close() (err error) {
|
||||
return mw.sanitize(mw.next.Close())
|
||||
}
|
||||
|
||||
// sanitize
|
||||
func (mw *DatabaseErrorSanitizerMiddleware) sanitize(err error) error {
|
||||
if err == nil {
|
||||
return nil
|
||||
}
|
||||
if errwrap.ContainsType(err, new(url.Error)) {
|
||||
return errors.New("unable to parse connection url")
|
||||
}
|
||||
if mw.secretsFn != nil {
|
||||
for k, v := range mw.secretsFn() {
|
||||
if k == "" {
|
||||
continue
|
||||
}
|
||||
err = errors.New(strings.Replace(err.Error(), k, v.(string), -1))
|
||||
}
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user