scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-02 03:27:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

Migrate MySQL db to v5 database engine (#10110)

Browse Source 
* Migrate MySQL db to v5 database engine
This commit is contained in:
Lauren Voswinkel
2020-10-09 10:32:38 -07:00
committed by GitHub
parent 738891a069
commit ae27bf5d26
6 changed files with 245 additions and 214 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
helper/builtinplugins/registry.go
View File

@@ -30,7 +30,6 @@ import (
dbMysql "github.com/hashicorp/vault/plugins/database/mysql" dbMysql "github.com/hashicorp/vault/plugins/database/mysql"
dbPostgres "github.com/hashicorp/vault/plugins/database/postgresql" dbPostgres "github.com/hashicorp/vault/plugins/database/postgresql"
dbRedshift "github.com/hashicorp/vault/plugins/database/redshift" dbRedshift "github.com/hashicorp/vault/plugins/database/redshift"
"github.com/hashicorp/vault/sdk/database/helper/credsutil"
"github.com/hashicorp/vault/sdk/helper/consts" "github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/sdk/logical"
@@ -94,10 +93,10 @@ func newRegistry() *registry {
databasePlugins: map[string]BuiltinFactory{ databasePlugins: map[string]BuiltinFactory{
// These four plugins all use the same mysql implementation but with // These four plugins all use the same mysql implementation but with
// different username settings passed by the constructor. // different username settings passed by the constructor.
"mysql-database-plugin": dbMysql.New(dbMysql.MetadataLen, dbMysql.MetadataLen, dbMysql.UsernameLen), "mysql-database-plugin": dbMysql.New(false),
"mysql-aurora-database-plugin": dbMysql.New(credsutil.NoneLength, dbMysql.LegacyMetadataLen, dbMysql.LegacyUsernameLen), "mysql-aurora-database-plugin": dbMysql.New(true),
"mysql-rds-database-plugin": dbMysql.New(credsutil.NoneLength, dbMysql.LegacyMetadataLen, dbMysql.LegacyUsernameLen), "mysql-rds-database-plugin": dbMysql.New(true),
"mysql-legacy-database-plugin": dbMysql.New(credsutil.NoneLength, dbMysql.LegacyMetadataLen, dbMysql.LegacyUsernameLen), "mysql-legacy-database-plugin": dbMysql.New(true),
"cassandra-database-plugin": dbCass.New, "cassandra-database-plugin": dbCass.New,
"couchbase-database-plugin": dbCouchbase.New, "couchbase-database-plugin": dbCouchbase.New,

5
plugins/database/mysql/connection_producer.go
View File

@@ -37,6 +37,7 @@ type mySQLConnectionProducer struct {
RawConfig map[string]interface{} RawConfig map[string]interface{}
maxConnectionLifetime time.Duration maxConnectionLifetime time.Duration
Legacy bool
Initialized bool Initialized bool
db *sql.DB db *sql.DB
sync.Mutex sync.Mutex
@@ -158,8 +159,8 @@ func (c *mySQLConnectionProducer) Connection(ctx context.Context) (interface{},
return c.db, nil return c.db, nil
} }
func (c *mySQLConnectionProducer) SecretValues() map[string]interface{} { func (c *mySQLConnectionProducer) SecretValues() map[string]string {
return map[string]interface{}{ return map[string]string{
c.Password: "[password]", c.Password: "[password]",
} }
} }

2
plugins/database/mysql/connection_producer_test.go
View File

@@ -124,7 +124,7 @@ ssl-key=/etc/mysql/server-key.pem`
// ////////////////////////////////////////////////////// // //////////////////////////////////////////////////////
// Test // Test
mysql := new(25, 25, 25) mysql := new(false)
conf := map[string]interface{}{ conf := map[string]interface{}{
"connection_url": retURL, "connection_url": retURL,

221
plugins/database/mysql/mysql.go
View File

@@ -4,15 +4,17 @@ import (
"context" "context"
"database/sql" "database/sql"
"errors" "errors"
"fmt"
"strings" "strings"
"time"
stdmysql "github.com/go-sql-driver/mysql" "github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/api" "github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/sdk/database/dbplugin"
"github.com/hashicorp/vault/sdk/database/helper/credsutil" "github.com/hashicorp/vault/sdk/database/helper/credsutil"
"github.com/hashicorp/vault/sdk/database/helper/dbutil" "github.com/hashicorp/vault/sdk/database/helper/dbutil"
"github.com/hashicorp/vault/sdk/database/newdbplugin"
"github.com/hashicorp/vault/sdk/helper/strutil" "github.com/hashicorp/vault/sdk/helper/strutil"
stdmysql "github.com/go-sql-driver/mysql"
) )
const ( const (
@@ -35,37 +37,30 @@ var (
LegacyUsernameLen int = 16 LegacyUsernameLen int = 16
) )
var _ dbplugin.Database = (*MySQL)(nil) var _ newdbplugin.Database = (*MySQL)(nil)
type MySQL struct { type MySQL struct {
*mySQLConnectionProducer *mySQLConnectionProducer
credsutil.CredentialsProducer legacy bool
} }
// New implements builtinplugins.BuiltinFactory // New implements builtinplugins.BuiltinFactory
func New(displayNameLen, roleNameLen, usernameLen int) func() (interface{}, error) { func New(legacy bool) func() (interface{}, error) {
return func() (interface{}, error) { return func() (interface{}, error) {
db := new(displayNameLen, roleNameLen, usernameLen) db := new(legacy)
// Wrap the plugin with middleware to sanitize errors // Wrap the plugin with middleware to sanitize errors
dbType := dbplugin.NewDatabaseErrorSanitizerMiddleware(db, db.SecretValues) dbType := newdbplugin.NewDatabaseErrorSanitizerMiddleware(db, db.SecretValues)
return dbType, nil return dbType, nil
} }
} }
func new(displayNameLen, roleNameLen, usernameLen int) *MySQL { func new(legacy bool) *MySQL {
connProducer := &mySQLConnectionProducer{} connProducer := &mySQLConnectionProducer{}
credsProducer := &credsutil.SQLCredentialsProducer{
DisplayNameLen: displayNameLen,
RoleNameLen: roleNameLen,
UsernameLen: usernameLen,
Separator: "-",
}
return &MySQL{ return &MySQL{
mySQLConnectionProducer: connProducer, mySQLConnectionProducer: connProducer,
CredentialsProducer: credsProducer, legacy: legacy,
} }
} }
@@ -81,17 +76,13 @@ func RunLegacy(apiTLSConfig *api.TLSConfig) error {
func runCommon(legacy bool, apiTLSConfig *api.TLSConfig) error { func runCommon(legacy bool, apiTLSConfig *api.TLSConfig) error {
var f func() (interface{}, error) var f func() (interface{}, error)
if legacy { f = New(legacy)
f = New(credsutil.NoneLength, LegacyMetadataLen, LegacyUsernameLen)
} else {
f = New(MetadataLen, MetadataLen, UsernameLen)
}
dbType, err := f() dbType, err := f()
if err != nil { if err != nil {
return err return err
} }
dbplugin.Serve(dbType.(dbplugin.Database), api.VaultPluginTLSProvider(apiTLSConfig)) newdbplugin.Serve(dbType.(newdbplugin.Database), api.VaultPluginTLSProvider(apiTLSConfig))
return nil return nil
} }
@@ -109,27 +100,30 @@ func (m *MySQL) getConnection(ctx context.Context) (*sql.DB, error) {
return db.(*sql.DB), nil return db.(*sql.DB), nil
} }
func (m *MySQL) CreateUser(ctx context.Context, statements dbplugin.Statements, usernameConfig dbplugin.UsernameConfig, expiration time.Time) (username string, password string, err error) { func (m *MySQL) Initialize(ctx context.Context, req newdbplugin.InitializeRequest) (newdbplugin.InitializeResponse, error) {
statements = dbutil.StatementCompatibilityHelper(statements) err := m.mySQLConnectionProducer.Initialize(ctx, req.Config, req.VerifyConnection)
if len(statements.Creation) == 0 {
return "", "", dbutil.ErrEmptyCreationStatement
}
username, err = m.GenerateUsername(usernameConfig)
if err != nil { if err != nil {
return "", "", err return newdbplugin.InitializeResponse{}, err
}
resp := newdbplugin.InitializeResponse{
Config: req.Config,
}
return resp, nil
}
func (m *MySQL) NewUser(ctx context.Context, req newdbplugin.NewUserRequest) (newdbplugin.NewUserResponse, error) {
if len(req.Statements.Commands) == 0 {
return newdbplugin.NewUserResponse{}, dbutil.ErrEmptyCreationStatement
} }
password, err = m.GeneratePassword() username, err := m.generateUsername(req)
if err != nil { if err != nil {
return "", "", err return newdbplugin.NewUserResponse{}, err
} }
expirationStr, err := m.GenerateExpiration(expiration) password := req.Password
if err != nil {
return "", "", err expirationStr := req.Expiration.Format("2006-01-02 15:04:05-0700")
}
queryMap := map[string]string{ queryMap := map[string]string{
"name": username, "name": username,
@@ -138,31 +132,53 @@ func (m *MySQL) CreateUser(ctx context.Context, statements dbplugin.Statements,
"expiration": expirationStr, "expiration": expirationStr,
} }
if err := m.executePreparedStatmentsWithMap(ctx, statements.Creation, queryMap); err != nil { if err := m.executePreparedStatementsWithMap(ctx, req.Statements.Commands, queryMap); err != nil {
return "", "", err return newdbplugin.NewUserResponse{}, err
} }
return username, password, nil
resp := newdbplugin.NewUserResponse{
Username: username,
}
return resp, nil
} }
// NOOP func (m *MySQL) generateUsername(req newdbplugin.NewUserRequest) (string, error) {
func (m *MySQL) RenewUser(ctx context.Context, statements dbplugin.Statements, username string, expiration time.Time) error { var dispNameLen, roleNameLen, maxLen int
return nil
if m.legacy {
dispNameLen = LegacyUsernameLen
roleNameLen = LegacyMetadataLen
maxLen = LegacyUsernameLen
} else {
dispNameLen = UsernameLen
roleNameLen = MetadataLen
maxLen = UsernameLen
}
username, err := credsutil.GenerateUsername(
credsutil.DisplayName(req.UsernameConfig.DisplayName, dispNameLen),
credsutil.RoleName(req.UsernameConfig.RoleName, roleNameLen),
credsutil.MaxLength(maxLen),
)
if err != nil {
return "", errwrap.Wrapf("error generating username: {{err}}", err)
}
return username, nil
} }
func (m *MySQL) RevokeUser(ctx context.Context, statements dbplugin.Statements, username string) error { func (m *MySQL) DeleteUser(ctx context.Context, req newdbplugin.DeleteUserRequest) (newdbplugin.DeleteUserResponse, error) {
// Grab the read lock // Grab the read lock
m.Lock() m.Lock()
defer m.Unlock() defer m.Unlock()
statements = dbutil.StatementCompatibilityHelper(statements)
// Get the connection // Get the connection
db, err := m.getConnection(ctx) db, err := m.getConnection(ctx)
if err != nil { if err != nil {
return err return newdbplugin.DeleteUserResponse{}, err
} }
revocationStmts := statements.Revocation revocationStmts := req.Statements.Commands
// Use a default SQL statement for revocation if one cannot be fetched from the role // Use a default SQL statement for revocation if one cannot be fetched from the role
if len(revocationStmts) == 0 { if len(revocationStmts) == 0 {
revocationStmts = []string{defaultMysqlRevocationStmts} revocationStmts = []string{defaultMysqlRevocationStmts}
@@ -171,7 +187,7 @@ func (m *MySQL) RevokeUser(ctx context.Context, statements dbplugin.Statements,
// Start a transaction // Start a transaction
tx, err := db.BeginTx(ctx, nil) tx, err := db.BeginTx(ctx, nil)
if err != nil { if err != nil {
return err return newdbplugin.DeleteUserResponse{}, err
} }
defer tx.Rollback() defer tx.Rollback()
@@ -185,101 +201,44 @@ func (m *MySQL) RevokeUser(ctx context.Context, statements dbplugin.Statements,
// This is not a prepared statement because not all commands are supported // This is not a prepared statement because not all commands are supported
// 1295: This command is not supported in the prepared statement protocol yet // 1295: This command is not supported in the prepared statement protocol yet
// Reference https://mariadb.com/kb/en/mariadb/prepare-statement/ // Reference https://mariadb.com/kb/en/mariadb/prepare-statement/
query = strings.Replace(query, "{{name}}", username, -1) query = strings.Replace(query, "{{name}}", req.Username, -1)
query = strings.Replace(query, "{{username}}", username, -1) query = strings.Replace(query, "{{username}}", req.Username, -1)
_, err = tx.ExecContext(ctx, query) _, err = tx.ExecContext(ctx, query)
if err != nil { if err != nil {
return err return newdbplugin.DeleteUserResponse{}, err
} }
} }
} }
// Commit the transaction // Commit the transaction
if err := tx.Commit(); err != nil { err = tx.Commit()
return err return newdbplugin.DeleteUserResponse{}, err
}
return nil
} }
func (m *MySQL) RotateRootCredentials(ctx context.Context, statements []string) (map[string]interface{}, error) { func (m *MySQL) UpdateUser(ctx context.Context, req newdbplugin.UpdateUserRequest) (newdbplugin.UpdateUserResponse, error) {
m.Lock() if req.Password == nil && req.Expiration == nil {
defer m.Unlock() return newdbplugin.UpdateUserResponse{}, fmt.Errorf("no change requested")
if len(m.Username) == 0 || len(m.Password) == 0 {
return nil, errors.New("username and password are required to rotate")
} }
rotateStatements := statements if req.Password != nil {
if len(rotateStatements) == 0 { err := m.changeUserPassword(ctx, req.Username, req.Password.NewPassword, req.Password.Statements.Commands)
rotateStatements = []string{defaultMySQLRotateCredentialsSQL} if err != nil {
} return newdbplugin.UpdateUserResponse{}, fmt.Errorf("failed to change password: %w", err)
db, err := m.getConnection(ctx)
if err != nil {
return nil, err
}
tx, err := db.BeginTx(ctx, nil)
if err != nil {
return nil, err
}
defer func() {
tx.Rollback()
}()
password, err := m.GeneratePassword()
if err != nil {
return nil, err
}
for _, stmt := range rotateStatements {
for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") {
query = strings.TrimSpace(query)
if len(query) == 0 {
continue
}
// This is not a prepared statement because not all commands are supported
// 1295: This command is not supported in the prepared statement protocol yet
// Reference https://mariadb.com/kb/en/mariadb/prepare-statement/
query = strings.Replace(query, "{{username}}", m.Username, -1)
query = strings.Replace(query, "{{name}}", m.Username, -1)
query = strings.Replace(query, "{{password}}", password, -1)
if _, err := tx.ExecContext(ctx, query); err != nil {
return nil, err
}
} }
} }
if err := tx.Commit(); err != nil { // Expiration change/update is currently a no-op
return nil, err
}
if err := db.Close(); err != nil { return newdbplugin.UpdateUserResponse{}, nil
return nil, err
}
m.RawConfig["password"] = password
return m.RawConfig, nil
} }
// SetCredentials uses provided information to set the password to a user in the func (m *MySQL) changeUserPassword(ctx context.Context, username, password string, rotateStatements []string) error {
// database. Unlike CreateUser, this method requires a username be provided and if username == "" || password == "" {
// uses the name given, instead of generating a name. This is used for setting return errors.New("must provide both username and password")
// the password of static accounts, as well as rolling back passwords in the
// database in the event an updated database fails to save in Vault's storage.
func (m *MySQL) SetCredentials(ctx context.Context, statements dbplugin.Statements, staticUser dbplugin.StaticUserConfig) (username, password string, err error) {
rotateStatements := statements.Rotation
if len(rotateStatements) == 0 {
rotateStatements = []string{defaultMySQLRotateCredentialsSQL}
} }
username = staticUser.Username if len(rotateStatements) == 0 {
password = staticUser.Password rotateStatements = []string{defaultMySQLRotateCredentialsSQL}
if username == "" || password == "" {
return "", "", errors.New("must provide both username and password")
} }
queryMap := map[string]string{ queryMap := map[string]string{
@@ -288,16 +247,16 @@ func (m *MySQL) SetCredentials(ctx context.Context, statements dbplugin.Statemen
"password": password, "password": password,
} }
if err := m.executePreparedStatmentsWithMap(ctx, rotateStatements, queryMap); err != nil { if err := m.executePreparedStatementsWithMap(ctx, rotateStatements, queryMap); err != nil {
return "", "", err return err
} }
return username, password, nil return nil
} }
// executePreparedStatmentsWithMap loops through the given templated SQL statements and // executePreparedStatementsWithMap loops through the given templated SQL statements and
// applies the map to them, interpolating values into the templates, returning // applies the map to them, interpolating values into the templates, returning
// the resulting username and password // the resulting username and password
func (m *MySQL) executePreparedStatmentsWithMap(ctx context.Context, statements []string, queryMap map[string]string) error { func (m *MySQL) executePreparedStatementsWithMap(ctx context.Context, statements []string, queryMap map[string]string) error {
// Grab the lock // Grab the lock
m.Lock() m.Lock()
defer m.Unlock() defer m.Unlock()

220
plugins/database/mysql/mysql_test.go
View File

@@ -9,13 +9,14 @@ import (
stdmysql "github.com/go-sql-driver/mysql" stdmysql "github.com/go-sql-driver/mysql"
mysqlhelper "github.com/hashicorp/vault/helper/testhelpers/mysql" mysqlhelper "github.com/hashicorp/vault/helper/testhelpers/mysql"
"github.com/hashicorp/vault/sdk/database/dbplugin"
"github.com/hashicorp/vault/sdk/database/helper/credsutil" "github.com/hashicorp/vault/sdk/database/helper/credsutil"
"github.com/hashicorp/vault/sdk/database/helper/dbutil" "github.com/hashicorp/vault/sdk/database/helper/dbutil"
"github.com/hashicorp/vault/sdk/database/newdbplugin"
"github.com/hashicorp/vault/sdk/helper/strutil" "github.com/hashicorp/vault/sdk/helper/strutil"
) )
var _ dbplugin.Database = (*MySQL)(nil) var _ newdbplugin.Database = (*MySQL)(nil)
func TestMySQL_Initialize(t *testing.T) { func TestMySQL_Initialize(t *testing.T) {
cleanup, connURL := mysqlhelper.PrepareTestContainer(t, false, "secret") cleanup, connURL := mysqlhelper.PrepareTestContainer(t, false, "secret")
@@ -25,8 +26,13 @@ func TestMySQL_Initialize(t *testing.T) {
"connection_url": connURL, "connection_url": connURL,
} }
db := new(MetadataLen, MetadataLen, UsernameLen) initReq := newdbplugin.InitializeRequest{
_, err := db.Init(context.Background(), connectionDetails, true) Config: connectionDetails,
VerifyConnection: true,
}
db := new(false)
_, err := db.Initialize(context.Background(), initReq)
if err != nil { if err != nil {
t.Fatalf("err: %s", err) t.Fatalf("err: %s", err)
} }
@@ -46,7 +52,13 @@ func TestMySQL_Initialize(t *testing.T) {
"max_open_connections": "5", "max_open_connections": "5",
} }
_, err = db.Init(context.Background(), connectionDetails, true) initReq = newdbplugin.InitializeRequest{
Config: connectionDetails,
VerifyConnection: true,
}
db = new(false)
_, err = db.Initialize(context.Background(), initReq)
if err != nil { if err != nil {
t.Fatalf("err: %s", err) t.Fatalf("err: %s", err)
} }
@@ -54,22 +66,31 @@ func TestMySQL_Initialize(t *testing.T) {
func TestMySQL_CreateUser(t *testing.T) { func TestMySQL_CreateUser(t *testing.T) {
t.Run("missing creation statements", func(t *testing.T) { t.Run("missing creation statements", func(t *testing.T) {
db := new(MetadataLen, MetadataLen, UsernameLen) db := new(false)
usernameConfig := dbplugin.UsernameConfig{ password, err := credsutil.RandomAlphaNumeric(32, false)
DisplayName: "test-long-displayname", if err != nil {
RoleName: "test-long-rolename", t.Fatalf("unable to generate password: %s", err)
} }
username, password, err := db.CreateUser(context.Background(), dbplugin.Statements{}, usernameConfig, time.Now().Add(time.Minute)) createReq := newdbplugin.NewUserRequest{
UsernameConfig: newdbplugin.UsernameMetadata{
DisplayName: "test",
RoleName: "test",
},
Statements: newdbplugin.Statements{
Commands: []string{},
},
Password: password,
Expiration: time.Now().Add(time.Minute),
}
userResp, err := db.NewUser(context.Background(), createReq)
if err == nil { if err == nil {
t.Fatalf("expected err, got nil") t.Fatalf("expected err, got nil")
} }
if username != "" { if userResp.Username != "" {
t.Fatalf("expected empty username, got [%s]", username) t.Fatalf("expected empty username, got [%s]", userResp.Username)
}
if password != "" {
t.Fatalf("expected empty password, got [%s]", password)
} }
}) })
@@ -82,8 +103,13 @@ func TestMySQL_CreateUser(t *testing.T) {
"connection_url": connURL, "connection_url": connURL,
} }
db := new(MetadataLen, MetadataLen, UsernameLen) initReq := newdbplugin.InitializeRequest{
_, err := db.Init(context.Background(), connectionDetails, true) Config: connectionDetails,
VerifyConnection: true,
}
db := new(false)
_, err := db.Initialize(context.Background(), initReq)
if err != nil { if err != nil {
t.Fatalf("err: %s", err) t.Fatalf("err: %s", err)
} }
@@ -100,8 +126,13 @@ func TestMySQL_CreateUser(t *testing.T) {
"connection_url": connURL, "connection_url": connURL,
} }
db := new(credsutil.NoneLength, LegacyMetadataLen, LegacyUsernameLen) initReq := newdbplugin.InitializeRequest{
_, err := db.Init(context.Background(), connectionDetails, true) Config: connectionDetails,
VerifyConnection: true,
}
db := new(true)
_, err := db.Initialize(context.Background(), initReq)
if err != nil { if err != nil {
t.Fatalf("err: %s", err) t.Fatalf("err: %s", err)
} }
@@ -152,31 +183,39 @@ func testCreateUser(t *testing.T, db *MySQL, connURL string) {
for name, test := range tests { for name, test := range tests {
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
usernameConfig := dbplugin.UsernameConfig{ password, err := credsutil.RandomAlphaNumeric(32, false)
DisplayName: "test-long-displayname", if err != nil {
RoleName: "test-long-rolename", t.Fatalf("unable to generate password: %s", err)
} }
statements := dbplugin.Statements{ createReq := newdbplugin.NewUserRequest{
Creation: test.createStmts, UsernameConfig: newdbplugin.UsernameMetadata{
DisplayName: "test",
RoleName: "test",
},
Statements: newdbplugin.Statements{
Commands: test.createStmts,
},
Password: password,
Expiration: time.Now().Add(time.Minute),
} }
username, password, err := db.CreateUser(context.Background(), statements, usernameConfig, time.Now().Add(time.Minute)) userResp, err := db.NewUser(context.Background(), createReq)
if err != nil { if err != nil {
t.Fatalf("err: %s", err) t.Fatalf("err: %s", err)
} }
if err := mysqlhelper.TestCredsExist(t, connURL, username, password); err != nil { if err := mysqlhelper.TestCredsExist(t, connURL, userResp.Username, password); err != nil {
t.Fatalf("Could not connect with new credentials: %s", err) t.Fatalf("Could not connect with new credentials: %s", err)
} }
// Test a second time to make sure usernames don't collide // Test a second time to make sure usernames don't collide
username, password, err = db.CreateUser(context.Background(), statements, usernameConfig, time.Now().Add(time.Minute)) userResp, err = db.NewUser(context.Background(), createReq)
if err != nil { if err != nil {
t.Fatalf("err: %s", err) t.Fatalf("err: %s", err)
} }
if err := mysqlhelper.TestCredsExist(t, connURL, username, password); err != nil { if err := mysqlhelper.TestCredsExist(t, connURL, userResp.Username, password); err != nil {
t.Fatalf("Could not connect with new credentials: %s", err) t.Fatalf("Could not connect with new credentials: %s", err)
} }
}) })
@@ -207,8 +246,6 @@ func TestMySQL_RotateRootCredentials(t *testing.T) {
cleanup, connURL := mysqlhelper.PrepareTestContainer(t, false, "secret") cleanup, connURL := mysqlhelper.PrepareTestContainer(t, false, "secret")
defer cleanup() defer cleanup()
connURL = strings.Replace(connURL, "root:secret", `{{username}}:{{password}}`, -1)
connectionDetails := map[string]interface{}{ connectionDetails := map[string]interface{}{
"connection_url": connURL, "connection_url": connURL,
"username": "root", "username": "root",
@@ -219,8 +256,13 @@ func TestMySQL_RotateRootCredentials(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel() defer cancel()
db := new(MetadataLen, MetadataLen, UsernameLen) initReq := newdbplugin.InitializeRequest{
_, err := db.Init(ctx, connectionDetails, true) Config: connectionDetails,
VerifyConnection: true,
}
db := new(false)
_, err := db.Initialize(context.Background(), initReq)
if err != nil { if err != nil {
t.Fatalf("err: %s", err) t.Fatalf("err: %s", err)
} }
@@ -229,12 +271,28 @@ func TestMySQL_RotateRootCredentials(t *testing.T) {
t.Fatal("Database should be initialized") t.Fatal("Database should be initialized")
} }
newConf, err := db.RotateRootCredentials(ctx, test.statements) updateReq := newdbplugin.UpdateUserRequest{
Username: "root",
Password: &newdbplugin.ChangePassword{
NewPassword: "different_sercret",
Statements: newdbplugin.Statements{
Commands: test.statements,
},
},
}
_, err = db.UpdateUser(ctx, updateReq)
if err != nil { if err != nil {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
if newConf["password"] == "secret" { err = mysqlhelper.TestCredsExist(t, connURL, updateReq.Username, updateReq.Password.NewPassword)
t.Fatal("password was not updated") if err != nil {
t.Fatalf("Could not connect with new credentials: %s", err)
}
// verify old password doesn't work
if err := mysqlhelper.TestCredsExist(t, connURL, updateReq.Username, "secret"); err == nil {
t.Fatalf("Should not be able to connect with initial credentials")
} }
err = db.Close() err = db.Close()
@@ -245,7 +303,7 @@ func TestMySQL_RotateRootCredentials(t *testing.T) {
} }
} }
func TestMySQL_RevokeUser(t *testing.T) { func TestMySQL_DeleteUser(t *testing.T) {
type testCase struct { type testCase struct {
revokeStmts []string revokeStmts []string
} }
@@ -273,57 +331,71 @@ func TestMySQL_RevokeUser(t *testing.T) {
"connection_url": connURL, "connection_url": connURL,
} }
// Give a timeout just in case the test decides to be problematic initReq := newdbplugin.InitializeRequest{
initCtx, cancel := context.WithTimeout(context.Background(), 30*time.Second) Config: connectionDetails,
defer cancel() VerifyConnection: true,
}
db := new(MetadataLen, MetadataLen, UsernameLen) db := new(false)
_, err := db.Init(initCtx, connectionDetails, true) _, err := db.Initialize(context.Background(), initReq)
if err != nil { if err != nil {
t.Fatalf("err: %s", err) t.Fatalf("err: %s", err)
} }
for name, test := range tests { for name, test := range tests {
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
statements := dbplugin.Statements{ password, err := credsutil.RandomAlphaNumeric(32, false)
Creation: []string{` if err != nil {
CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; t.Fatalf("unable to generate password: %s", err)
GRANT SELECT ON *.* TO '{{name}}'@'%';`,
},
Revocation: test.revokeStmts,
} }
usernameConfig := dbplugin.UsernameConfig{ createReq := newdbplugin.NewUserRequest{
DisplayName: "test", UsernameConfig: newdbplugin.UsernameMetadata{
RoleName: "test", DisplayName: "test",
RoleName: "test",
},
Statements: newdbplugin.Statements{
Commands: []string{`
CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';
GRANT SELECT ON *.* TO '{{name}}'@'%';`,
},
},
Password: password,
Expiration: time.Now().Add(time.Minute),
} }
// Give a timeout just in case the test decides to be problematic // Give a timeout just in case the test decides to be problematic
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel() defer cancel()
username, password, err := db.CreateUser(ctx, statements, usernameConfig, time.Now().Add(time.Minute)) userResp, err := db.NewUser(ctx, createReq)
if err != nil { if err != nil {
t.Fatalf("err: %s", err) t.Fatalf("err: %s", err)
} }
if err := mysqlhelper.TestCredsExist(t, connURL, username, password); err != nil { if err := mysqlhelper.TestCredsExist(t, connURL, userResp.Username, password); err != nil {
t.Fatalf("Could not connect with new credentials: %s", err) t.Fatalf("Could not connect with new credentials: %s", err)
} }
err = db.RevokeUser(context.Background(), statements, username) deleteReq := newdbplugin.DeleteUserRequest{
Username: userResp.Username,
Statements: newdbplugin.Statements{
Commands: test.revokeStmts,
},
}
_, err = db.DeleteUser(context.Background(), deleteReq)
if err != nil { if err != nil {
t.Fatalf("err: %s", err) t.Fatalf("err: %s", err)
} }
if err := mysqlhelper.TestCredsExist(t, connURL, username, password); err == nil { if err := mysqlhelper.TestCredsExist(t, connURL, userResp.Username, password); err == nil {
t.Fatal("Credentials were not revoked") t.Fatalf("Credentials were not revoked!")
} }
}) })
} }
} }
func TestMySQL_SetCredentials(t *testing.T) { func TestMySQL_UpdateUser(t *testing.T) {
type testCase struct { type testCase struct {
rotateStmts []string rotateStmts []string
} }
@@ -356,7 +428,7 @@ func TestMySQL_SetCredentials(t *testing.T) {
GRANT SELECT ON *.* TO '{{name}}'@'%';` GRANT SELECT ON *.* TO '{{name}}'@'%';`
createTestMySQLUser(t, connURL, dbUser, initPassword, createStatements) createTestMySQLUser(t, connURL, dbUser, initPassword, createStatements)
if err := mysqlhelper.TestCredsExist(t, connURL, dbUser, "password"); err != nil { if err := mysqlhelper.TestCredsExist(t, connURL, dbUser, initPassword); err != nil {
t.Fatalf("Could not connect with credentials: %s", err) t.Fatalf("Could not connect with credentials: %s", err)
} }
@@ -364,40 +436,40 @@ func TestMySQL_SetCredentials(t *testing.T) {
"connection_url": connURL, "connection_url": connURL,
} }
initReq := newdbplugin.InitializeRequest{
Config: connectionDetails,
VerifyConnection: true,
}
// Give a timeout just in case the test decides to be problematic // Give a timeout just in case the test decides to be problematic
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel() defer cancel()
db := new(MetadataLen, MetadataLen, UsernameLen) db := new(false)
_, err := db.Init(ctx, connectionDetails, true) _, err := db.Initialize(context.Background(), initReq)
if err != nil { if err != nil {
t.Fatalf("err: %s", err) t.Fatalf("err: %s", err)
} }
newPassword, err := db.GenerateCredentials(ctx) newPassword, err := credsutil.RandomAlphaNumeric(32, false)
if err != nil { if err != nil {
t.Fatalf("unable to generate password: %s", err) t.Fatalf("unable to generate password: %s", err)
} }
userConfig := dbplugin.StaticUserConfig{ updateReq := newdbplugin.UpdateUserRequest{
Username: dbUser, Username: dbUser,
Password: newPassword, Password: &newdbplugin.ChangePassword{
NewPassword: newPassword,
Statements: newdbplugin.Statements{
Commands: test.rotateStmts,
},
},
} }
statements := dbplugin.Statements{ _, err = db.UpdateUser(ctx, updateReq)
Rotation: test.rotateStmts,
}
username, password, err := db.SetCredentials(ctx, statements, userConfig)
if err != nil { if err != nil {
t.Fatalf("err: %s", err) t.Fatalf("err: %s", err)
} }
if username != userConfig.Username {
t.Fatalf("expected username [%s], got [%s]", userConfig.Username, username)
}
if password != userConfig.Password {
t.Fatalf("expected password [%s] got [%s]", userConfig.Password, password)
}
// verify new password works // verify new password works
if err := mysqlhelper.TestCredsExist(t, connURL, dbUser, newPassword); err != nil { if err := mysqlhelper.TestCredsExist(t, connURL, dbUser, newPassword); err != nil {
@@ -425,7 +497,7 @@ func TestMySQL_Initialize_ReservedChars(t *testing.T) {
"password": pw, "password": pw,
} }
db := new(MetadataLen, MetadataLen, UsernameLen) db := new(false)
_, err := db.Init(context.Background(), connectionDetails, true) _, err := db.Init(context.Background(), connectionDetails, true)
if err != nil { if err != nil {
t.Fatalf("err: %s", err) t.Fatalf("err: %s", err)

2
vault/testing.go
View File

@@ -2025,7 +2025,7 @@ func (m *mockBuiltinRegistry) Get(name string, pluginType consts.PluginType) (fu
if name == "postgresql-database-plugin" { if name == "postgresql-database-plugin" {
return dbPostgres.New, true return dbPostgres.New, true
} }
return dbMysql.New(dbMysql.MetadataLen, dbMysql.MetadataLen, dbMysql.UsernameLen), true return dbMysql.New(false), true
} }
// Keys only supports getting a realistic list of the keys for database plugins. // Keys only supports getting a realistic list of the keys for database plugins.