Migrate MySQL db to v5 database engine (#10110)

* Migrate MySQL db to v5 database engine
2025-11-01 02:57:59 +00:00 · 2020-10-09 10:32:38 -07:00
parent 738891a069
commit ae27bf5d26
6 changed files with 245 additions and 214 deletions
--- a/plugins/database/mysql/mysql_test.go
+++ b/plugins/database/mysql/mysql_test.go
@@ -9,13 +9,14 @@ import (

 	stdmysql "github.com/go-sql-driver/mysql"
 	mysqlhelper "github.com/hashicorp/vault/helper/testhelpers/mysql"
-	"github.com/hashicorp/vault/sdk/database/dbplugin"
+
 	"github.com/hashicorp/vault/sdk/database/helper/credsutil"
 	"github.com/hashicorp/vault/sdk/database/helper/dbutil"
+	"github.com/hashicorp/vault/sdk/database/newdbplugin"
 	"github.com/hashicorp/vault/sdk/helper/strutil"
 )

-var _ dbplugin.Database = (*MySQL)(nil)
+var _ newdbplugin.Database = (*MySQL)(nil)

 func TestMySQL_Initialize(t *testing.T) {
 	cleanup, connURL := mysqlhelper.PrepareTestContainer(t, false, "secret")
@@ -25,8 +26,13 @@ func TestMySQL_Initialize(t *testing.T) {
 		"connection_url": connURL,
 	}

-	db := new(MetadataLen, MetadataLen, UsernameLen)
-	_, err := db.Init(context.Background(), connectionDetails, true)
+	initReq := newdbplugin.InitializeRequest{
+		Config:           connectionDetails,
+		VerifyConnection: true,
+	}
+
+	db := new(false)
+	_, err := db.Initialize(context.Background(), initReq)
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
@@ -46,7 +52,13 @@ func TestMySQL_Initialize(t *testing.T) {
 		"max_open_connections": "5",
 	}

-	_, err = db.Init(context.Background(), connectionDetails, true)
+	initReq = newdbplugin.InitializeRequest{
+		Config:           connectionDetails,
+		VerifyConnection: true,
+	}
+
+	db = new(false)
+	_, err = db.Initialize(context.Background(), initReq)
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
@@ -54,22 +66,31 @@ func TestMySQL_Initialize(t *testing.T) {

 func TestMySQL_CreateUser(t *testing.T) {
 	t.Run("missing creation statements", func(t *testing.T) {
-		db := new(MetadataLen, MetadataLen, UsernameLen)
+		db := new(false)

-		usernameConfig := dbplugin.UsernameConfig{
-			DisplayName: "test-long-displayname",
-			RoleName:    "test-long-rolename",
+		password, err := credsutil.RandomAlphaNumeric(32, false)
+		if err != nil {
+			t.Fatalf("unable to generate password: %s", err)
 		}

-		username, password, err := db.CreateUser(context.Background(), dbplugin.Statements{}, usernameConfig, time.Now().Add(time.Minute))
+		createReq := newdbplugin.NewUserRequest{
+			UsernameConfig: newdbplugin.UsernameMetadata{
+				DisplayName: "test",
+				RoleName:    "test",
+			},
+			Statements: newdbplugin.Statements{
+				Commands: []string{},
+			},
+			Password:   password,
+			Expiration: time.Now().Add(time.Minute),
+		}
+
+		userResp, err := db.NewUser(context.Background(), createReq)
 		if err == nil {
 			t.Fatalf("expected err, got nil")
 		}
-		if username != "" {
-			t.Fatalf("expected empty username, got [%s]", username)
-		}
-		if password != "" {
-			t.Fatalf("expected empty password, got [%s]", password)
+		if userResp.Username != "" {
+			t.Fatalf("expected empty username, got [%s]", userResp.Username)
 		}
 	})

@@ -82,8 +103,13 @@ func TestMySQL_CreateUser(t *testing.T) {
 			"connection_url": connURL,
 		}

-		db := new(MetadataLen, MetadataLen, UsernameLen)
-		_, err := db.Init(context.Background(), connectionDetails, true)
+		initReq := newdbplugin.InitializeRequest{
+			Config:           connectionDetails,
+			VerifyConnection: true,
+		}
+
+		db := new(false)
+		_, err := db.Initialize(context.Background(), initReq)
 		if err != nil {
 			t.Fatalf("err: %s", err)
 		}
@@ -100,8 +126,13 @@ func TestMySQL_CreateUser(t *testing.T) {
 			"connection_url": connURL,
 		}

-		db := new(credsutil.NoneLength, LegacyMetadataLen, LegacyUsernameLen)
-		_, err := db.Init(context.Background(), connectionDetails, true)
+		initReq := newdbplugin.InitializeRequest{
+			Config:           connectionDetails,
+			VerifyConnection: true,
+		}
+
+		db := new(true)
+		_, err := db.Initialize(context.Background(), initReq)
 		if err != nil {
 			t.Fatalf("err: %s", err)
 		}
@@ -152,31 +183,39 @@ func testCreateUser(t *testing.T, db *MySQL, connURL string) {

 	for name, test := range tests {
 		t.Run(name, func(t *testing.T) {
-			usernameConfig := dbplugin.UsernameConfig{
-				DisplayName: "test-long-displayname",
-				RoleName:    "test-long-rolename",
+			password, err := credsutil.RandomAlphaNumeric(32, false)
+			if err != nil {
+				t.Fatalf("unable to generate password: %s", err)
 			}

-			statements := dbplugin.Statements{
-				Creation: test.createStmts,
+			createReq := newdbplugin.NewUserRequest{
+				UsernameConfig: newdbplugin.UsernameMetadata{
+					DisplayName: "test",
+					RoleName:    "test",
+				},
+				Statements: newdbplugin.Statements{
+					Commands: test.createStmts,
+				},
+				Password:   password,
+				Expiration: time.Now().Add(time.Minute),
 			}

-			username, password, err := db.CreateUser(context.Background(), statements, usernameConfig, time.Now().Add(time.Minute))
+			userResp, err := db.NewUser(context.Background(), createReq)
 			if err != nil {
 				t.Fatalf("err: %s", err)
 			}

-			if err := mysqlhelper.TestCredsExist(t, connURL, username, password); err != nil {
+			if err := mysqlhelper.TestCredsExist(t, connURL, userResp.Username, password); err != nil {
 				t.Fatalf("Could not connect with new credentials: %s", err)
 			}

 			// Test a second time to make sure usernames don't collide
-			username, password, err = db.CreateUser(context.Background(), statements, usernameConfig, time.Now().Add(time.Minute))
+			userResp, err = db.NewUser(context.Background(), createReq)
 			if err != nil {
 				t.Fatalf("err: %s", err)
 			}

-			if err := mysqlhelper.TestCredsExist(t, connURL, username, password); err != nil {
+			if err := mysqlhelper.TestCredsExist(t, connURL, userResp.Username, password); err != nil {
 				t.Fatalf("Could not connect with new credentials: %s", err)
 			}
 		})
@@ -207,8 +246,6 @@ func TestMySQL_RotateRootCredentials(t *testing.T) {
 			cleanup, connURL := mysqlhelper.PrepareTestContainer(t, false, "secret")
 			defer cleanup()

-			connURL = strings.Replace(connURL, "root:secret", `{{username}}:{{password}}`, -1)
-
 			connectionDetails := map[string]interface{}{
 				"connection_url": connURL,
 				"username":       "root",
@@ -219,8 +256,13 @@ func TestMySQL_RotateRootCredentials(t *testing.T) {
 			ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 			defer cancel()

-			db := new(MetadataLen, MetadataLen, UsernameLen)
-			_, err := db.Init(ctx, connectionDetails, true)
+			initReq := newdbplugin.InitializeRequest{
+				Config:           connectionDetails,
+				VerifyConnection: true,
+			}
+
+			db := new(false)
+			_, err := db.Initialize(context.Background(), initReq)
 			if err != nil {
 				t.Fatalf("err: %s", err)
 			}
@@ -229,12 +271,28 @@ func TestMySQL_RotateRootCredentials(t *testing.T) {
 				t.Fatal("Database should be initialized")
 			}

-			newConf, err := db.RotateRootCredentials(ctx, test.statements)
+			updateReq := newdbplugin.UpdateUserRequest{
+				Username: "root",
+				Password: &newdbplugin.ChangePassword{
+					NewPassword: "different_sercret",
+					Statements: newdbplugin.Statements{
+						Commands: test.statements,
+					},
+				},
+			}
+
+			_, err = db.UpdateUser(ctx, updateReq)
 			if err != nil {
 				t.Fatalf("err: %v", err)
 			}
-			if newConf["password"] == "secret" {
-				t.Fatal("password was not updated")
+			err = mysqlhelper.TestCredsExist(t, connURL, updateReq.Username, updateReq.Password.NewPassword)
+			if err != nil {
+				t.Fatalf("Could not connect with new credentials: %s", err)
+			}
+
+			// verify old password doesn't work
+			if err := mysqlhelper.TestCredsExist(t, connURL, updateReq.Username, "secret"); err == nil {
+				t.Fatalf("Should not be able to connect with initial credentials")
 			}

 			err = db.Close()
@@ -245,7 +303,7 @@ func TestMySQL_RotateRootCredentials(t *testing.T) {
 	}
 }

-func TestMySQL_RevokeUser(t *testing.T) {
+func TestMySQL_DeleteUser(t *testing.T) {
 	type testCase struct {
 		revokeStmts []string
 	}
@@ -273,57 +331,71 @@ func TestMySQL_RevokeUser(t *testing.T) {
 		"connection_url": connURL,
 	}

-	// Give a timeout just in case the test decides to be problematic
-	initCtx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-	defer cancel()
+	initReq := newdbplugin.InitializeRequest{
+		Config:           connectionDetails,
+		VerifyConnection: true,
+	}

-	db := new(MetadataLen, MetadataLen, UsernameLen)
-	_, err := db.Init(initCtx, connectionDetails, true)
+	db := new(false)
+	_, err := db.Initialize(context.Background(), initReq)
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}

 	for name, test := range tests {
 		t.Run(name, func(t *testing.T) {
-			statements := dbplugin.Statements{
-				Creation: []string{`
-					CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';
-					GRANT SELECT ON *.* TO '{{name}}'@'%';`,
-				},
-				Revocation: test.revokeStmts,
+			password, err := credsutil.RandomAlphaNumeric(32, false)
+			if err != nil {
+				t.Fatalf("unable to generate password: %s", err)
 			}

-			usernameConfig := dbplugin.UsernameConfig{
-				DisplayName: "test",
-				RoleName:    "test",
+			createReq := newdbplugin.NewUserRequest{
+				UsernameConfig: newdbplugin.UsernameMetadata{
+					DisplayName: "test",
+					RoleName:    "test",
+				},
+				Statements: newdbplugin.Statements{
+					Commands: []string{`
+						CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';
+						GRANT SELECT ON *.* TO '{{name}}'@'%';`,
+					},
+				},
+				Password:   password,
+				Expiration: time.Now().Add(time.Minute),
 			}

 			// Give a timeout just in case the test decides to be problematic
 			ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 			defer cancel()

-			username, password, err := db.CreateUser(ctx, statements, usernameConfig, time.Now().Add(time.Minute))
+			userResp, err := db.NewUser(ctx, createReq)
 			if err != nil {
 				t.Fatalf("err: %s", err)
 			}

-			if err := mysqlhelper.TestCredsExist(t, connURL, username, password); err != nil {
+			if err := mysqlhelper.TestCredsExist(t, connURL, userResp.Username, password); err != nil {
 				t.Fatalf("Could not connect with new credentials: %s", err)
 			}

-			err = db.RevokeUser(context.Background(), statements, username)
+			deleteReq := newdbplugin.DeleteUserRequest{
+				Username: userResp.Username,
+				Statements: newdbplugin.Statements{
+					Commands: test.revokeStmts,
+				},
+			}
+			_, err = db.DeleteUser(context.Background(), deleteReq)
 			if err != nil {
 				t.Fatalf("err: %s", err)
 			}

-			if err := mysqlhelper.TestCredsExist(t, connURL, username, password); err == nil {
-				t.Fatal("Credentials were not revoked")
+			if err := mysqlhelper.TestCredsExist(t, connURL, userResp.Username, password); err == nil {
+				t.Fatalf("Credentials were not revoked!")
 			}
 		})
 	}
 }

-func TestMySQL_SetCredentials(t *testing.T) {
+func TestMySQL_UpdateUser(t *testing.T) {
 	type testCase struct {
 		rotateStmts []string
 	}
@@ -356,7 +428,7 @@ func TestMySQL_SetCredentials(t *testing.T) {
 				GRANT SELECT ON *.* TO '{{name}}'@'%';`

 			createTestMySQLUser(t, connURL, dbUser, initPassword, createStatements)
-			if err := mysqlhelper.TestCredsExist(t, connURL, dbUser, "password"); err != nil {
+			if err := mysqlhelper.TestCredsExist(t, connURL, dbUser, initPassword); err != nil {
 				t.Fatalf("Could not connect with credentials: %s", err)
 			}

@@ -364,40 +436,40 @@ func TestMySQL_SetCredentials(t *testing.T) {
 				"connection_url": connURL,
 			}

+			initReq := newdbplugin.InitializeRequest{
+				Config:           connectionDetails,
+				VerifyConnection: true,
+			}
+
 			// Give a timeout just in case the test decides to be problematic
 			ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 			defer cancel()

-			db := new(MetadataLen, MetadataLen, UsernameLen)
-			_, err := db.Init(ctx, connectionDetails, true)
+			db := new(false)
+			_, err := db.Initialize(context.Background(), initReq)
 			if err != nil {
 				t.Fatalf("err: %s", err)
 			}

-			newPassword, err := db.GenerateCredentials(ctx)
+			newPassword, err := credsutil.RandomAlphaNumeric(32, false)
 			if err != nil {
 				t.Fatalf("unable to generate password: %s", err)
 			}

-			userConfig := dbplugin.StaticUserConfig{
+			updateReq := newdbplugin.UpdateUserRequest{
 				Username: dbUser,
-				Password: newPassword,
+				Password: &newdbplugin.ChangePassword{
+					NewPassword: newPassword,
+					Statements: newdbplugin.Statements{
+						Commands: test.rotateStmts,
+					},
+				},
 			}

-			statements := dbplugin.Statements{
-				Rotation: test.rotateStmts,
-			}
-
-			username, password, err := db.SetCredentials(ctx, statements, userConfig)
+			_, err = db.UpdateUser(ctx, updateReq)
 			if err != nil {
 				t.Fatalf("err: %s", err)
 			}
-			if username != userConfig.Username {
-				t.Fatalf("expected username [%s], got [%s]", userConfig.Username, username)
-			}
-			if password != userConfig.Password {
-				t.Fatalf("expected password [%s] got [%s]", userConfig.Password, password)
-			}

 			// verify new password works
 			if err := mysqlhelper.TestCredsExist(t, connURL, dbUser, newPassword); err != nil {
@@ -425,7 +497,7 @@ func TestMySQL_Initialize_ReservedChars(t *testing.T) {
 		"password":       pw,
 	}

-	db := new(MetadataLen, MetadataLen, UsernameLen)
+	db := new(false)
 	_, err := db.Init(context.Background(), connectionDetails, true)
 	if err != nil {
 		t.Fatalf("err: %s", err)