scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-29 17:52:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

db: allow updates to self_managed_password (#29283)

Browse Source
This commit is contained in:
John-Michael Faircloth
2025-01-06 12:05:41 -06:00
committed by GitHub
parent 031c5d6d20
commit 6110ee084f
1 changed files with 13 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
builtin/logical/database/path_roles.go
View File

@@ -649,11 +649,12 @@ func (b *databaseBackend) pathStaticRoleCreateUpdate(ctx context.Context, req *l
}
lastVaultRotation := role.StaticAccount.LastVaultRotation
updateAllowed := lastVaultRotation.IsZero()
if passwordRaw, ok := data.GetOk("password"); ok {
// We will allow users to update the password until the point where
// Vault assumes management of the account so that we don't break the
// promise of Vault being the source of truth.
updateAllowed := lastVaultRotation.IsZero()
if updateAllowed {
role.StaticAccount.Password = passwordRaw.(string)
@@ -663,7 +664,8 @@ func (b *databaseBackend) pathStaticRoleCreateUpdate(ctx context.Context, req *l
}
if connDetails != nil && connDetails.SelfManaged {
// Password and SelfManagedPassword should map to the same value
// SelfManagedPassword was deprecated in favor of Password, so they
// should map to the same value
role.StaticAccount.SelfManagedPassword = passwordRaw.(string)
}
} else {
@@ -671,13 +673,18 @@ func (b *databaseBackend) pathStaticRoleCreateUpdate(ctx context.Context, req *l
}
}
if smPasswordRaw, ok := data.GetOk("self_managed_password"); ok && createRole {
if smPasswordRaw, ok := data.GetOk("self_managed_password"); ok {
if _, ok := data.GetOk("password"); ok {
return logical.ErrorResponse(errNoPasswordAndSelfManagedPassword), nil
}
// Password and SelfManagedPassword should map to the same value
role.StaticAccount.SelfManagedPassword = smPasswordRaw.(string)
role.StaticAccount.Password = smPasswordRaw.(string)
if updateAllowed {
// SelfManagedPassword was deprecated in favor of Password, so they
// should map to the same value
role.StaticAccount.SelfManagedPassword = smPasswordRaw.(string)
role.StaticAccount.Password = smPasswordRaw.(string)
} else {
return logical.ErrorResponse("%s: role=%s, lastVaultRotation=%s", errNoUpdateAfterRotation, name, lastVaultRotation), nil
}
}
if skipImportRotationRaw, ok := data.GetOk("skip_import_rotation"); ok {