secret/mysql: fixing mysql oddities

builtin/logical/mysql/path_role_create.go

@@ -2,7 +2,6 @@ package mysql
 
 import (
 	"fmt"
-	"math/rand"
 	"time"
 
 	"github.com/hashicorp/vault/logical"
@@ -51,10 +50,15 @@ func (b *backend) pathRoleCreateRead(
 		lease = &configLease{Lease: 1 * time.Hour}
 	}
 
-	// Generate our username and password
-	username := fmt.Sprintf(
-		"vault-%s-%d-%d",
-		req.DisplayName, time.Now().Unix(), rand.Int31n(10000))
+	// Generate our username and password. MySQL limits user to 16 characters
+	displayName := req.DisplayName
+	if len(displayName) > 10 {
+		displayName = displayName[:10]
+	}
+	username := fmt.Sprintf("%s-%s", displayName, generateUUID())
+	if len(username) > 16 {
+		username = username[:16]
+	}
 	password := generateUUID()
 
 	// Get our connection

builtin/logical/mysql/secret_creds.go

@@ -74,23 +74,17 @@ func (b *backend) secretCredsRevoke(
 	// drop, because MySQL explicitly documents that open user connections
 	// will not be closed. By revoking all grants, at least we ensure
 	// that the open connection is useless.
-	stmt, err := tx.Prepare("REVOKE ALL PRIVILEGES, GRANT OPTION FROM ?")
+	_, err = tx.Exec("REVOKE ALL PRIVILEGES, GRANT OPTION FROM '" + username + "'@'%'")
 	if err != nil {
 		return nil, err
 	}
-	if _, err := stmt.Exec(username); err != nil {
-		return nil, err
-	}
 
 	// Drop this user. This only affects the next connection, which is
 	// why we do the revoke initially.
-	stmt, err = db.Prepare("DROP USER ?")
+	_, err = tx.Exec("DROP USER '" + username + "'@'%'")
 	if err != nil {
 		return nil, err
 	}
-	if _, err := stmt.Exec(username); err != nil {
-		return nil, err
-	}
 
 	// Commit the transaction
 	if err := tx.Commit(); err != nil {