Merge pull request #1053 from mwielgoszewski/postgresql-revocation

Fix PostgreSQL secret backend issues revoking users
2025-11-03 03:58:01 +00:00 · 2016-02-11 12:52:37 -05:00
parent b034ffc257 48660ddba5
commit a1a7c11154
1 changed files with 27 additions and 0 deletions
--- a/builtin/logical/postgresql/secret_creds.go
+++ b/builtin/logical/postgresql/secret_creds.go
@@ -1,6 +1,7 @@
 package postgresql

 import (
+	"database/sql"
 	"fmt"

 	"github.com/hashicorp/vault/logical"
@@ -125,6 +126,32 @@ func (b *backend) secretCredsRevoke(
 		revocationStmts = append(revocationStmts, fmt.Sprintf(
 			"REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA %s FROM %s;",
 			schema, pq.QuoteIdentifier(username)))
+
+		revocationStmts = append(revocationStmts, fmt.Sprintf(
+			"REVOKE USAGE ON SCHEMA %s FROM %s;",
+			schema, pq.QuoteIdentifier(username)))
+	}
+
+	// for good measure, revoke all privileges and usage on schema public
+	revocationStmts = append(revocationStmts, fmt.Sprintf(
+		"REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM %s;",
+		pq.QuoteIdentifier(username)))
+
+	revocationStmts = append(revocationStmts, fmt.Sprintf(
+		"REVOKE USAGE ON SCHEMA public FROM %s;",
+		pq.QuoteIdentifier(username)))
+
+	// get the current database name so we can issue a REVOKE CONNECT for
+	// this username
+	var dbname sql.NullString
+	if err := db.QueryRow("SELECT current_database();").Scan(&dbname); err != nil {
+		return nil, err
+	}
+
+	if dbname.Valid {
+		revocationStmts = append(revocationStmts, fmt.Sprintf(
+			"REVOKE CONNECT ON DATABASE %s FROM %s;",
+			dbname.String, pq.QuoteIdentifier(username)))
 	}

 	// again, here, we do not stop on error, as we want to remove as