scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-30 18:17:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

MySQL - Add username customization (#10834)

Browse Source
This commit is contained in:
Michael Golowka
2021-02-11 14:08:32 -07:00
committed by GitHub
parent b08870db30
commit 7bfe785092
9 changed files with 479 additions and 250 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
plugins/database/mysql/connection_producer.go
View File

@@ -37,7 +37,6 @@ type mySQLConnectionProducer struct {
RawConfig map[string]interface{}
maxConnectionLifetime time.Duration
Legacy bool
Initialized bool
db *sql.DB
sync.Mutex

2
plugins/database/mysql/connection_producer_test.go
View File

@@ -124,7 +124,7 @@ ssl-key=/etc/mysql/server-key.pem`
// //////////////////////////////////////////////////////
// Test
mysql := newMySQL(MetadataLen, MetadataLen, UsernameLen)
mysql := newMySQL(DefaultUserNameTemplate)
conf := map[string]interface{}{
"connection_url": retURL,

2
plugins/database/mysql/mysql-database-plugin/main.go
View File

@@ -19,7 +19,7 @@ func main() {
// Run instantiates a MySQL object, and runs the RPC server for the plugin
func Run() error {
var f func() (interface{}, error)
f = mysql.New(mysql.MetadataLen, mysql.MetadataLen, mysql.UsernameLen)
f = mysql.New(mysql.DefaultUserNameTemplate)
dbType, err := f()
if err != nil {
return err

3
plugins/database/mysql/mysql-legacy-database-plugin/main.go
View File

@@ -6,7 +6,6 @@ import (
"github.com/hashicorp/vault/plugins/database/mysql"
dbplugin "github.com/hashicorp/vault/sdk/database/dbplugin/v5"
"github.com/hashicorp/vault/sdk/database/helper/credsutil"
)
func main() {
@@ -20,7 +19,7 @@ func main() {
// Run instantiates a MySQL object, and runs the RPC server for the plugin
func Run() error {
var f func() (interface{}, error)
f = mysql.New(credsutil.NoneLength, mysql.LegacyMetadataLen, mysql.LegacyUsernameLen)
f = mysql.New(mysql.DefaultLegacyUserNameTemplate)
dbType, err := f()
if err != nil {
return err

69
plugins/database/mysql/mysql.go
View File

@@ -8,11 +8,10 @@ import (
"strings"
stdmysql "github.com/go-sql-driver/mysql"
"github.com/hashicorp/errwrap"
dbplugin "github.com/hashicorp/vault/sdk/database/dbplugin/v5"
"github.com/hashicorp/vault/sdk/database/helper/credsutil"
"github.com/hashicorp/vault/sdk/database/helper/dbutil"
"github.com/hashicorp/vault/sdk/helper/strutil"
"github.com/hashicorp/vault/sdk/helper/template"
)
const (
@@ -26,13 +25,9 @@ const (
`
mySQLTypeName = "mysql"
)
var (
MetadataLen int = 10
LegacyMetadataLen int = 4
UsernameLen int = 32
LegacyUsernameLen int = 16
DefaultUserNameTemplate = `{{ printf "v-%s-%s-%s-%s" (.DisplayName | truncate 10) (.RoleName | truncate 10) (random 20) (unix_time) | truncate 32 }}`
DefaultLegacyUserNameTemplate = `{{ printf "v-%s-%s-%s" (.RoleName | truncate 4) (random 20) | truncate 16 }}`
)
var _ dbplugin.Database = (*MySQL)(nil)
@@ -40,15 +35,17 @@ var _ dbplugin.Database = (*MySQL)(nil)
type MySQL struct {
*mySQLConnectionProducer
displayNameLen int
roleNameLen int
maxUsernameLen int
usernameProducer template.StringTemplate
defaultUsernameTemplate string
}
// New implements builtinplugins.BuiltinFactory
func New(displayNameLen int, roleNameLen int, maxUsernameLen int) func() (interface{}, error) {
func New(defaultUsernameTemplate string) func() (interface{}, error) {
return func() (interface{}, error) {
db := newMySQL(displayNameLen, roleNameLen, maxUsernameLen)
if defaultUsernameTemplate == "" {
return nil, fmt.Errorf("missing default username template")
}
db := newMySQL(defaultUsernameTemplate)
// Wrap the plugin with middleware to sanitize errors
dbType := dbplugin.NewDatabaseErrorSanitizerMiddleware(db, db.SecretValues)
@@ -56,14 +53,12 @@ func New(displayNameLen int, roleNameLen int, maxUsernameLen int) func() (interf
}
}
func newMySQL(displayNameLen int, roleNameLen int, maxUsernameLen int) *MySQL {
func newMySQL(defaultUsernameTemplate string) *MySQL {
connProducer := &mySQLConnectionProducer{}
return &MySQL{
mySQLConnectionProducer: connProducer,
displayNameLen: displayNameLen,
roleNameLen: roleNameLen,
maxUsernameLen: maxUsernameLen,
defaultUsernameTemplate: defaultUsernameTemplate,
}
}
@@ -81,13 +76,36 @@ func (m *MySQL) getConnection(ctx context.Context) (*sql.DB, error) {
}
func (m *MySQL) Initialize(ctx context.Context, req dbplugin.InitializeRequest) (dbplugin.InitializeResponse, error) {
err := m.mySQLConnectionProducer.Initialize(ctx, req.Config, req.VerifyConnection)
usernameTemplate, err := strutil.GetString(req.Config, "username_template")
if err != nil {
return dbplugin.InitializeResponse{}, err
}
if usernameTemplate == "" {
usernameTemplate = m.defaultUsernameTemplate
}
up, err := template.NewTemplate(template.Template(usernameTemplate))
if err != nil {
return dbplugin.InitializeResponse{}, fmt.Errorf("unable to initialize username template: %w", err)
}
m.usernameProducer = up
_, err = m.usernameProducer.Generate(dbplugin.UsernameMetadata{})
if err != nil {
return dbplugin.InitializeResponse{}, fmt.Errorf("invalid username template: %w", err)
}
err = m.mySQLConnectionProducer.Initialize(ctx, req.Config, req.VerifyConnection)
if err != nil {
return dbplugin.InitializeResponse{}, err
}
resp := dbplugin.InitializeResponse{
Config: req.Config,
}
return resp, nil
}
@@ -96,7 +114,7 @@ func (m *MySQL) NewUser(ctx context.Context, req dbplugin.NewUserRequest) (dbplu
return dbplugin.NewUserResponse{}, dbutil.ErrEmptyCreationStatement
}
username, err := m.generateUsername(req)
username, err := m.usernameProducer.Generate(req.UsernameConfig)
if err != nil {
return dbplugin.NewUserResponse{}, err
}
@@ -122,19 +140,6 @@ func (m *MySQL) NewUser(ctx context.Context, req dbplugin.NewUserRequest) (dbplu
return resp, nil
}
func (m *MySQL) generateUsername(req dbplugin.NewUserRequest) (string, error) {
username, err := credsutil.GenerateUsername(
credsutil.DisplayName(req.UsernameConfig.DisplayName, m.displayNameLen),
credsutil.RoleName(req.UsernameConfig.RoleName, m.roleNameLen),
credsutil.MaxLength(m.maxUsernameLen),
)
if err != nil {
return "", errwrap.Wrapf("error generating username: {{err}}", err)
}
return username, nil
}
func (m *MySQL) DeleteUser(ctx context.Context, req dbplugin.DeleteUserRequest) (dbplugin.DeleteUserResponse, error) {
// Grab the read lock
m.Lock()

639
plugins/database/mysql/mysql_test.go
View File

@@ -3,6 +3,7 @@ package mysql
import (
"context"
"database/sql"
"fmt"
"strings"
"testing"
"time"
@@ -10,213 +11,465 @@ import (
stdmysql "github.com/go-sql-driver/mysql"
mysqlhelper "github.com/hashicorp/vault/helper/testhelpers/mysql"
dbplugin "github.com/hashicorp/vault/sdk/database/dbplugin/v5"
dbtesting "github.com/hashicorp/vault/sdk/database/dbplugin/v5/testing"
"github.com/hashicorp/vault/sdk/database/helper/credsutil"
"github.com/hashicorp/vault/sdk/database/helper/dbutil"
"github.com/hashicorp/vault/sdk/helper/strutil"
"github.com/stretchr/testify/require"
)
var _ dbplugin.Database = (*MySQL)(nil)
func TestMySQL_Initialize(t *testing.T) {
cleanup, connURL := mysqlhelper.PrepareTestContainer(t, false, "secret")
defer cleanup()
connectionDetails := map[string]interface{}{
"connection_url": connURL,
}
initReq := dbplugin.InitializeRequest{
Config: connectionDetails,
VerifyConnection: true,
}
db := newMySQL(MetadataLen, MetadataLen, UsernameLen)
_, err := db.Initialize(context.Background(), initReq)
if err != nil {
t.Fatalf("err: %s", err)
}
if !db.Initialized {
t.Fatal("Database should be initialized")
}
err = db.Close()
if err != nil {
t.Fatalf("err: %s", err)
}
// Test decoding a string value for max_open_connections
connectionDetails = map[string]interface{}{
"connection_url": connURL,
"max_open_connections": "5",
}
initReq = dbplugin.InitializeRequest{
Config: connectionDetails,
VerifyConnection: true,
}
db = newMySQL(MetadataLen, MetadataLen, UsernameLen)
_, err = db.Initialize(context.Background(), initReq)
if err != nil {
t.Fatalf("err: %s", err)
}
}
func TestMySQL_CreateUser(t *testing.T) {
t.Run("missing creation statements", func(t *testing.T) {
db := newMySQL(MetadataLen, MetadataLen, UsernameLen)
password, err := credsutil.RandomAlphaNumeric(32, false)
if err != nil {
t.Fatalf("unable to generate password: %s", err)
}
createReq := dbplugin.NewUserRequest{
UsernameConfig: dbplugin.UsernameMetadata{
DisplayName: "test",
RoleName: "test",
},
Statements: dbplugin.Statements{
Commands: []string{},
},
Password: password,
Expiration: time.Now().Add(time.Minute),
}
userResp, err := db.NewUser(context.Background(), createReq)
if err == nil {
t.Fatalf("expected err, got nil")
}
if userResp.Username != "" {
t.Fatalf("expected empty username, got [%s]", userResp.Username)
}
})
t.Run("non-legacy", func(t *testing.T) {
// Shared test container for speed - there should not be any overlap between the tests
cleanup, connURL := mysqlhelper.PrepareTestContainer(t, false, "secret")
defer cleanup()
connectionDetails := map[string]interface{}{
"connection_url": connURL,
}
initReq := dbplugin.InitializeRequest{
Config: connectionDetails,
VerifyConnection: true,
}
db := newMySQL(MetadataLen, MetadataLen, UsernameLen)
_, err := db.Initialize(context.Background(), initReq)
if err != nil {
t.Fatalf("err: %s", err)
}
testCreateUser(t, db, connURL)
})
t.Run("legacy", func(t *testing.T) {
// Shared test container for speed - there should not be any overlap between the tests
cleanup, connURL := mysqlhelper.PrepareTestContainer(t, true, "secret")
defer cleanup()
connectionDetails := map[string]interface{}{
"connection_url": connURL,
}
initReq := dbplugin.InitializeRequest{
Config: connectionDetails,
VerifyConnection: true,
}
db := newMySQL(credsutil.NoneLength, LegacyMetadataLen, LegacyUsernameLen)
_, err := db.Initialize(context.Background(), initReq)
if err != nil {
t.Fatalf("err: %s", err)
}
testCreateUser(t, db, connURL)
})
}
func testCreateUser(t *testing.T, db *MySQL, connURL string) {
type testCase struct {
createStmts []string
rootPassword string
}
tests := map[string]testCase{
"create name": {
createStmts: []string{`
CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';
GRANT SELECT ON *.* TO '{{name}}'@'%';`,
},
"non-special characters in root password": {
rootPassword: "B44a30c4C04D0aAaE140",
},
"create username": {
createStmts: []string{`
CREATE USER '{{username}}'@'%' IDENTIFIED BY '{{password}}';
GRANT SELECT ON *.* TO '{{username}}'@'%';`,
},
},
"prepared statement name": {
createStmts: []string{`
CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';
set @grants=CONCAT("GRANT SELECT ON ", "*", ".* TO '{{name}}'@'%'");
PREPARE grantStmt from @grants;
EXECUTE grantStmt;
DEALLOCATE PREPARE grantStmt;
`,
},
},
"prepared statement username": {
createStmts: []string{`
CREATE USER '{{username}}'@'%' IDENTIFIED BY '{{password}}';
set @grants=CONCAT("GRANT SELECT ON ", "*", ".* TO '{{username}}'@'%'");
PREPARE grantStmt from @grants;
EXECUTE grantStmt;
DEALLOCATE PREPARE grantStmt;
`,
},
"special characters in root password": {
rootPassword: "#secret!%25#{@}",
},
}
for name, test := range tests {
t.Run(name, func(t *testing.T) {
password, err := credsutil.RandomAlphaNumeric(32, false)
if err != nil {
t.Fatalf("unable to generate password: %s", err)
}
testInitialize(t, test.rootPassword)
})
}
}
createReq := dbplugin.NewUserRequest{
func testInitialize(t *testing.T, rootPassword string) {
cleanup, connURL := mysqlhelper.PrepareTestContainer(t, false, rootPassword)
defer cleanup()
mySQLConfig, err := stdmysql.ParseDSN(connURL)
if err != nil {
panic(fmt.Sprintf("Test failure: connection URL is invalid: %s", err))
}
rootUser := mySQLConfig.User
mySQLConfig.User = "{{username}}"
mySQLConfig.Passwd = "{{password}}"
tmplConnURL := mySQLConfig.FormatDSN()
type testCase struct {
initRequest dbplugin.InitializeRequest
expectedResp dbplugin.InitializeResponse
expectErr bool
expectInitialized bool
}
tests := map[string]testCase{
"missing connection_url": {
initRequest: dbplugin.InitializeRequest{
Config: map[string]interface{}{},
VerifyConnection: true,
},
expectedResp: dbplugin.InitializeResponse{},
expectErr: true,
expectInitialized: false,
},
"basic config": {
initRequest: dbplugin.InitializeRequest{
Config: map[string]interface{}{
"connection_url": connURL,
},
VerifyConnection: true,
},
expectedResp: dbplugin.InitializeResponse{
Config: map[string]interface{}{
"connection_url": connURL,
},
},
expectErr: false,
expectInitialized: true,
},
"username and password replacement in connection_url": {
initRequest: dbplugin.InitializeRequest{
Config: map[string]interface{}{
"connection_url": tmplConnURL,
"username": rootUser,
"password": rootPassword,
},
VerifyConnection: true,
},
expectedResp: dbplugin.InitializeResponse{
Config: map[string]interface{}{
"connection_url": tmplConnURL,
"username": rootUser,
"password": rootPassword,
},
},
expectErr: false,
expectInitialized: true,
},
"invalid username template": {
initRequest: dbplugin.InitializeRequest{
Config: map[string]interface{}{
"connection_url": connURL,
"username_template": "{{.FieldThatDoesNotExist}}",
},
VerifyConnection: true,
},
expectedResp: dbplugin.InitializeResponse{},
expectErr: true,
expectInitialized: false,
},
"bad username template": {
initRequest: dbplugin.InitializeRequest{
Config: map[string]interface{}{
"connection_url": connURL,
"username_template": "{{ .DisplayName", // Explicitly bad template
},
VerifyConnection: true,
},
expectedResp: dbplugin.InitializeResponse{},
expectErr: true,
expectInitialized: false,
},
"custom username template": {
initRequest: dbplugin.InitializeRequest{
Config: map[string]interface{}{
"connection_url": connURL,
"username_template": "foo-{{random 10}}-{{.DisplayName}}",
},
VerifyConnection: true,
},
expectedResp: dbplugin.InitializeResponse{
Config: map[string]interface{}{
"connection_url": connURL,
"username_template": "foo-{{random 10}}-{{.DisplayName}}",
},
},
expectErr: false,
expectInitialized: true,
},
}
for name, test := range tests {
t.Run(name, func(t *testing.T) {
db := newMySQL(DefaultUserNameTemplate)
defer dbtesting.AssertClose(t, db)
initResp, err := db.Initialize(context.Background(), test.initRequest)
if test.expectErr && err == nil {
t.Fatalf("err expected, got nil")
}
if !test.expectErr && err != nil {
t.Fatalf("no error expected, got: %s", err)
}
require.Equal(t, test.expectedResp, initResp)
require.Equal(t, test.expectInitialized, db.Initialized, "Initialized variable not set correctly")
})
}
}
func TestMySQL_NewUser_nonLegacy(t *testing.T) {
displayName := "token"
roleName := "testrole"
type testCase struct {
usernameTemplate string
newUserReq dbplugin.NewUserRequest
expectedUsernameRegex string
expectErr bool
}
tests := map[string]testCase{
"name statements": {
newUserReq: dbplugin.NewUserRequest{
UsernameConfig: dbplugin.UsernameMetadata{
DisplayName: "test",
RoleName: "test",
DisplayName: displayName,
RoleName: roleName,
},
Statements: dbplugin.Statements{
Commands: test.createStmts,
Commands: []string{
`CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';
GRANT SELECT ON *.* TO '{{name}}'@'%';`,
},
},
Password: password,
Password: "09g8hanbdfkVSM",
Expiration: time.Now().Add(time.Minute),
},
expectedUsernameRegex: `^v-token-testrole-[a-zA-Z0-9]{15}$`,
expectErr: false,
},
"username statements": {
newUserReq: dbplugin.NewUserRequest{
UsernameConfig: dbplugin.UsernameMetadata{
DisplayName: displayName,
RoleName: roleName,
},
Statements: dbplugin.Statements{
Commands: []string{
`CREATE USER '{{username}}'@'%' IDENTIFIED BY '{{password}}';
GRANT SELECT ON *.* TO '{{username}}'@'%';`,
},
},
Password: "09g8hanbdfkVSM",
Expiration: time.Now().Add(time.Minute),
},
expectedUsernameRegex: `^v-token-testrole-[a-zA-Z0-9]{15}$`,
expectErr: false,
},
"prepared name statements": {
newUserReq: dbplugin.NewUserRequest{
UsernameConfig: dbplugin.UsernameMetadata{
DisplayName: displayName,
RoleName: roleName,
},
Statements: dbplugin.Statements{
Commands: []string{
`CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';
set @grants=CONCAT("GRANT SELECT ON ", "*", ".* TO '{{name}}'@'%'");
PREPARE grantStmt from @grants;
EXECUTE grantStmt;
DEALLOCATE PREPARE grantStmt;`,
},
},
Password: "09g8hanbdfkVSM",
Expiration: time.Now().Add(time.Minute),
},
expectedUsernameRegex: `^v-token-testrole-[a-zA-Z0-9]{15}$`,
expectErr: false,
},
"prepared username statements": {
newUserReq: dbplugin.NewUserRequest{
UsernameConfig: dbplugin.UsernameMetadata{
DisplayName: displayName,
RoleName: roleName,
},
Statements: dbplugin.Statements{
Commands: []string{
`CREATE USER '{{username}}'@'%' IDENTIFIED BY '{{password}}';
set @grants=CONCAT("GRANT SELECT ON ", "*", ".* TO '{{username}}'@'%'");
PREPARE grantStmt from @grants;
EXECUTE grantStmt;
DEALLOCATE PREPARE grantStmt;`,
},
},
Password: "09g8hanbdfkVSM",
Expiration: time.Now().Add(time.Minute),
},
expectedUsernameRegex: `^v-token-testrole-[a-zA-Z0-9]{15}$`,
expectErr: false,
},
"custom username template": {
usernameTemplate: "foo-{{random 10}}-{{.RoleName | uppercase}}",
newUserReq: dbplugin.NewUserRequest{
UsernameConfig: dbplugin.UsernameMetadata{
DisplayName: displayName,
RoleName: roleName,
},
Statements: dbplugin.Statements{
Commands: []string{
`CREATE USER '{{username}}'@'%' IDENTIFIED BY '{{password}}';
GRANT SELECT ON *.* TO '{{username}}'@'%';`,
},
},
Password: "09g8hanbdfkVSM",
Expiration: time.Now().Add(time.Minute),
},
expectedUsernameRegex: `^foo-[a-zA-Z0-9]{10}-TESTROLE$`,
expectErr: false,
},
}
for name, test := range tests {
t.Run(name, func(t *testing.T) {
cleanup, connURL := mysqlhelper.PrepareTestContainer(t, false, "secret")
defer cleanup()
connectionDetails := map[string]interface{}{
"connection_url": connURL,
"username_template": test.usernameTemplate,
}
userResp, err := db.NewUser(context.Background(), createReq)
if err != nil {
t.Fatalf("err: %s", err)
initReq := dbplugin.InitializeRequest{
Config: connectionDetails,
VerifyConnection: true,
}
if err := mysqlhelper.TestCredsExist(t, connURL, userResp.Username, password); err != nil {
t.Fatalf("Could not connect with new credentials: %s", err)
db := newMySQL(DefaultUserNameTemplate)
defer db.Close()
_, err := db.Initialize(context.Background(), initReq)
require.NoError(t, err)
userResp, err := db.NewUser(context.Background(), test.newUserReq)
if test.expectErr && err == nil {
t.Fatalf("err expected, got nil")
}
if !test.expectErr && err != nil {
t.Fatalf("no error expected, got: %s", err)
}
require.Regexp(t, test.expectedUsernameRegex, userResp.Username)
err = mysqlhelper.TestCredsExist(t, connURL, userResp.Username, test.newUserReq.Password)
require.NoError(t, err, "Failed to connect with credentials")
})
}
}
func TestMySQL_NewUser_legacy(t *testing.T) {
displayName := "token"
roleName := "testrole"
type testCase struct {
usernameTemplate string
newUserReq dbplugin.NewUserRequest
expectedUsernameRegex string
expectErr bool
}
tests := map[string]testCase{
"name statements": {
newUserReq: dbplugin.NewUserRequest{
UsernameConfig: dbplugin.UsernameMetadata{
DisplayName: displayName,
RoleName: roleName,
},
Statements: dbplugin.Statements{
Commands: []string{
`CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';
GRANT SELECT ON *.* TO '{{name}}'@'%';`,
},
},
Password: "09g8hanbdfkVSM",
Expiration: time.Now().Add(time.Minute),
},
expectedUsernameRegex: `^v-test-[a-zA-Z0-9]{9}$`,
expectErr: false,
},
"username statements": {
newUserReq: dbplugin.NewUserRequest{
UsernameConfig: dbplugin.UsernameMetadata{
DisplayName: displayName,
RoleName: roleName,
},
Statements: dbplugin.Statements{
Commands: []string{
`CREATE USER '{{username}}'@'%' IDENTIFIED BY '{{password}}';
GRANT SELECT ON *.* TO '{{username}}'@'%';`,
},
},
Password: "09g8hanbdfkVSM",
Expiration: time.Now().Add(time.Minute),
},
expectedUsernameRegex: `^v-test-[a-zA-Z0-9]{9}$`,
expectErr: false,
},
"prepared name statements": {
newUserReq: dbplugin.NewUserRequest{
UsernameConfig: dbplugin.UsernameMetadata{
DisplayName: displayName,
RoleName: roleName,
},
Statements: dbplugin.Statements{
Commands: []string{
`CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';
set @grants=CONCAT("GRANT SELECT ON ", "*", ".* TO '{{name}}'@'%'");
PREPARE grantStmt from @grants;
EXECUTE grantStmt;
DEALLOCATE PREPARE grantStmt;`,
},
},
Password: "09g8hanbdfkVSM",
Expiration: time.Now().Add(time.Minute),
},
expectedUsernameRegex: `^v-test-[a-zA-Z0-9]{9}$`,
expectErr: false,
},
"prepared username statements": {
newUserReq: dbplugin.NewUserRequest{
UsernameConfig: dbplugin.UsernameMetadata{
DisplayName: displayName,
RoleName: roleName,
},
Statements: dbplugin.Statements{
Commands: []string{
`CREATE USER '{{username}}'@'%' IDENTIFIED BY '{{password}}';
set @grants=CONCAT("GRANT SELECT ON ", "*", ".* TO '{{username}}'@'%'");
PREPARE grantStmt from @grants;
EXECUTE grantStmt;
DEALLOCATE PREPARE grantStmt;`,
},
},
Password: "09g8hanbdfkVSM",
Expiration: time.Now().Add(time.Minute),
},
expectedUsernameRegex: `^v-test-[a-zA-Z0-9]{9}$`,
expectErr: false,
},
"custom username template": {
usernameTemplate: `{{printf "foo-%s-%s" (random 5) (.RoleName | uppercase) | truncate 16}}`,
newUserReq: dbplugin.NewUserRequest{
UsernameConfig: dbplugin.UsernameMetadata{
DisplayName: displayName,
RoleName: roleName,
},
Statements: dbplugin.Statements{
Commands: []string{
`CREATE USER '{{username}}'@'%' IDENTIFIED BY '{{password}}';
GRANT SELECT ON *.* TO '{{username}}'@'%';`,
},
},
Password: "09g8hanbdfkVSM",
Expiration: time.Now().Add(time.Minute),
},
expectedUsernameRegex: `^foo-[a-zA-Z0-9]{5}-TESTRO$`,
expectErr: false,
},
}
for name, test := range tests {
t.Run(name, func(t *testing.T) {
cleanup, connURL := mysqlhelper.PrepareTestContainer(t, false, "secret")
defer cleanup()
connectionDetails := map[string]interface{}{
"connection_url": connURL,
"username_template": test.usernameTemplate,
}
// Test a second time to make sure usernames don't collide
userResp, err = db.NewUser(context.Background(), createReq)
if err != nil {
t.Fatalf("err: %s", err)
initReq := dbplugin.InitializeRequest{
Config: connectionDetails,
VerifyConnection: true,
}
if err := mysqlhelper.TestCredsExist(t, connURL, userResp.Username, password); err != nil {
t.Fatalf("Could not connect with new credentials: %s", err)
db := newMySQL(DefaultLegacyUserNameTemplate)
defer db.Close()
_, err := db.Initialize(context.Background(), initReq)
require.NoError(t, err)
userResp, err := db.NewUser(context.Background(), test.newUserReq)
if test.expectErr && err == nil {
t.Fatalf("err expected, got nil")
}
if !test.expectErr && err != nil {
t.Fatalf("no error expected, got: %s", err)
}
require.Regexp(t, test.expectedUsernameRegex, userResp.Username)
err = mysqlhelper.TestCredsExist(t, connURL, userResp.Username, test.newUserReq.Password)
require.NoError(t, err, "Failed to connect with credentials")
})
}
}
@@ -260,7 +513,8 @@ func TestMySQL_RotateRootCredentials(t *testing.T) {
VerifyConnection: true,
}
db := newMySQL(MetadataLen, MetadataLen, UsernameLen)
db := newMySQL(DefaultUserNameTemplate)
defer db.Close()
_, err := db.Initialize(context.Background(), initReq)
if err != nil {
t.Fatalf("err: %s", err)
@@ -335,7 +589,8 @@ func TestMySQL_DeleteUser(t *testing.T) {
VerifyConnection: true,
}
db := newMySQL(MetadataLen, MetadataLen, UsernameLen)
db := newMySQL(DefaultUserNameTemplate)
defer db.Close()
_, err := db.Initialize(context.Background(), initReq)
if err != nil {
t.Fatalf("err: %s", err)
@@ -444,7 +699,8 @@ func TestMySQL_UpdateUser(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
db := newMySQL(MetadataLen, MetadataLen, UsernameLen)
db := newMySQL(DefaultUserNameTemplate)
defer db.Close()
_, err := db.Initialize(context.Background(), initReq)
if err != nil {
t.Fatalf("err: %s", err)
@@ -483,35 +739,6 @@ func TestMySQL_UpdateUser(t *testing.T) {
}
}
func TestMySQL_Initialize_ReservedChars(t *testing.T) {
pw := "#secret!%25#{@}"
cleanup, connURL := mysqlhelper.PrepareTestContainer(t, false, pw)
defer cleanup()
// Revert password set to test replacement by db.Init
connURL = strings.ReplaceAll(connURL, pw, "{{password}}")
connectionDetails := map[string]interface{}{
"connection_url": connURL,
"password": pw,
}
db := newMySQL(MetadataLen, MetadataLen, UsernameLen)
_, err := db.Init(context.Background(), connectionDetails, true)
if err != nil {
t.Fatalf("err: %s", err)
}
if !db.Initialized {
t.Fatal("Database should be initialized")
}
err = db.Close()
if err != nil {
t.Fatalf("err: %s", err)
}
}
func createTestMySQLUser(t *testing.T, connURL, username, password, query string) {
t.Helper()
db, err := sql.Open("mysql", connURL)