Combined Database backend: remove create/delete support (#6951)

* remove create/update database user for static accounts * update tests after create/delete removed * small cleanups * update postgresql setcredentials test
2025-10-31 10:37:56 +00:00 · 2019-06-23 15:58:07 -05:00
parent d8e3c35af5
commit dc4e378f75
6 changed files with 279 additions and 281 deletions
--- a/plugins/database/postgresql/postgresql.go
+++ b/plugins/database/postgresql/postgresql.go
@@ -99,8 +99,8 @@ func (p *PostgreSQL) getConnection(ctx context.Context) (*sql.DB, error) {
 // passwords in the database in the event an updated database fails to save in
 // Vault's storage.
 func (p *PostgreSQL) SetCredentials(ctx context.Context, statements dbplugin.Statements, staticUser dbplugin.StaticUserConfig) (username, password string, err error) {
-	if len(statements.Creation) == 0 {
-		return "", "", errors.New("empty creation statements")
+	if len(statements.Rotation) == 0 {
+		return "", "", errors.New("empty rotation statements")
 	}

 	username = staticUser.Username
@@ -126,16 +126,9 @@ func (p *PostgreSQL) SetCredentials(ctx context.Context, statements dbplugin.Sta
 		return "", "", err
 	}

-	// Default to using Creation statements, which are required by the Vault
-	// backend. If the user exists, use the rotation statements, using the default
-	// ones if there are none provided
-	stmts := statements.Creation
-	if exists {
-		stmts = statements.Rotation
-		if len(stmts) == 0 {
-			stmts = []string{defaultPostgresRotateCredentialsSQL}
-		}
-	}
+	// Vault requires the database user already exist, and that the credentials
+	// used to execute the rotation statements has sufficient privileges.
+	stmts := statements.Rotation

 	// Start a transaction
 	tx, err := db.BeginTx(ctx, nil)
--- a/plugins/database/postgresql/postgresql_test.go
+++ b/plugins/database/postgresql/postgresql_test.go
@@ -12,6 +12,8 @@ import (

 	"github.com/hashicorp/vault/helper/testhelpers/docker"
 	"github.com/hashicorp/vault/sdk/database/dbplugin"
+	"github.com/hashicorp/vault/sdk/helper/dbtxn"
+	"github.com/lib/pq"
 	"github.com/ory/dockertest"
 )

@@ -321,6 +323,10 @@ func TestPostgresSQL_SetCredentials(t *testing.T) {
 	cleanup, connURL := preparePostgresTestContainer(t)
 	defer cleanup()

+	// create the database user
+	dbUser := "vaultstatictest"
+	createTestPGUser(t, connURL, dbUser, "password", testRoleStaticCreate)
+
 	connectionDetails := map[string]interface{}{
 		"connection_url": connURL,
 	}
@@ -337,18 +343,18 @@ func TestPostgresSQL_SetCredentials(t *testing.T) {
 	}

 	usernameConfig := dbplugin.StaticUserConfig{
-		Username: "test",
+		Username: dbUser,
 		Password: password,
 	}

-	// Test with no configured Creation Statement
+	// Test with no configured Rotation Statement
 	username, password, err := db.SetCredentials(context.Background(), dbplugin.Statements{}, usernameConfig)
 	if err == nil {
 		t.Fatalf("err: %s", err)
 	}

 	statements := dbplugin.Statements{
-		Creation: []string{testPostgresStaticRole},
+		Rotation: []string{testPostgresStaticRoleRotate},
 	}
 	// User should not exist, make sure we can create
 	username, password, err = db.SetCredentials(context.Background(), statements, usernameConfig)
@@ -360,8 +366,7 @@ func TestPostgresSQL_SetCredentials(t *testing.T) {
 		t.Fatalf("Could not connect with new credentials: %s", err)
 	}

-	// call SetCredentials again, the user will already exist, password will
-	// change. Without rotation statements, this should use the defaults
+	// call SetCredentials again, password will change
 	newPassword, _ := db.GenerateCredentials(context.Background())
 	usernameConfig.Password = newPassword
 	username, password, err = db.SetCredentials(context.Background(), statements, usernameConfig)
@@ -376,23 +381,6 @@ func TestPostgresSQL_SetCredentials(t *testing.T) {
 	if err := testCredsExist(t, connURL, username, password); err != nil {
 		t.Fatalf("Could not connect with new credentials: %s", err)
 	}
-
-	// generate a new password and supply owr own rotation statements
-	newPassword2, _ := db.GenerateCredentials(context.Background())
-	usernameConfig.Password = newPassword2
-	statements.Rotation = []string{testPostgresStaticRoleRotate, testPostgresStaticRoleGrant}
-	username, password, err = db.SetCredentials(context.Background(), statements, usernameConfig)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-
-	if password != newPassword2 {
-		t.Fatal("passwords should have changed")
-	}
-
-	if err := testCredsExist(t, connURL, username, password); err != nil {
-		t.Fatalf("Could not connect with new credentials: %s", err)
-	}
 }

 func testCredsExist(t testing.TB, connURL, username, password string) error {
@@ -484,6 +472,12 @@ CREATE ROLE "{{name}}" WITH
 GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "{{name}}";
 `

+const testRoleStaticCreate = `
+CREATE ROLE "{{name}}" WITH
+  LOGIN
+  PASSWORD '{{password}}';
+`
+
 const testPostgresStaticRoleRotate = `
 ALTER ROLE "{{name}}" WITH PASSWORD '{{password}}';
 `
@@ -491,3 +485,42 @@ ALTER ROLE "{{name}}" WITH PASSWORD '{{password}}';
 const testPostgresStaticRoleGrant = `
 GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "{{name}}";
 `
+
+// This is a copy of a test helper method also found in
+// builtin/logical/database/rotation_test.go , and should be moved into a shared
+// helper file in the future.
+func createTestPGUser(t *testing.T, connURL string, username, password, query string) {
+	t.Helper()
+	conn, err := pq.ParseURL(connURL)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	db, err := sql.Open("postgres", conn)
+	defer db.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Start a transaction
+	ctx := context.Background()
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		_ = tx.Rollback()
+	}()
+
+	m := map[string]string{
+		"name":     username,
+		"password": password,
+	}
+	if err := dbtxn.ExecuteTxQuery(ctx, tx, m, query); err != nil {
+		t.Fatal(err)
+	}
+	// Commit the transaction
+	if err := tx.Commit(); err != nil {
+		t.Fatal(err)
+	}
+}