Honor statements for RevokeUser on Cassandra backend, add method comments

plugins/database/cassandra/cassandra.go

@@ -1,11 +1,11 @@
 package cassandra
 
 import (
-	"fmt"
 	"strings"
 	"time"
 
 	"github.com/gocql/gocql"
+	multierror "github.com/hashicorp/go-multierror"
 	"github.com/hashicorp/vault/builtin/logical/database/dbplugin"
 	"github.com/hashicorp/vault/helper/strutil"
 	"github.com/hashicorp/vault/plugins/helper/database/connutil"
@@ -14,16 +14,18 @@ import (
 )
 
 const (
-	defaultCreationCQL = `CREATE USER '{{username}}' WITH PASSWORD '{{password}}' NOSUPERUSER;`
-	defaultRollbackCQL = `DROP USER '{{username}}';`
-	cassandraTypeName  = "cassandra"
+	defaultUserCreationCQL = `CREATE USER '{{username}}' WITH PASSWORD '{{password}}' NOSUPERUSER;`
+	defaultUserDeletionCQL = `DROP USER '{{username}}';`
+	cassandraTypeName      = "cassandra"
 )
 
+// Cassandra is an implementation of Database interface
 type Cassandra struct {
 	connutil.ConnectionProducer
 	credsutil.CredentialsProducer
 }
 
+// New returns a new Cassandra instance
 func New() (interface{}, error) {
 	connProducer := &connutil.CassandraConnectionProducer{}
 	connProducer.Type = cassandraTypeName
@@ -38,7 +40,7 @@ func New() (interface{}, error) {
 	return dbType, nil
 }
 
-// Run instantiates a MySQL object, and runs the RPC server for the plugin
+// Run instantiates a Cassandra object, and runs the RPC server for the plugin
 func Run() error {
 	dbType, err := New()
 	if err != nil {
@@ -50,6 +52,7 @@ func Run() error {
 	return nil
 }
 
+// Type returns the TypeName for this backend
 func (c *Cassandra) Type() (string, error) {
 	return cassandraTypeName, nil
 }
@@ -63,6 +66,8 @@ func (c *Cassandra) getConnection() (*gocql.Session, error) {
 	return session.(*gocql.Session), nil
 }
 
+// CreateUser generates the username/password on the underlying Cassandra secret backend as instructed by
+// the CreationStatement provided.
 func (c *Cassandra) CreateUser(statements dbplugin.Statements, usernamePrefix string, expiration time.Time) (username string, password string, err error) {
 	// Grab the lock
 	c.Lock()
@@ -76,11 +81,11 @@ func (c *Cassandra) CreateUser(statements dbplugin.Statements, usernamePrefix st
 
 	creationCQL := statements.CreationStatements
 	if creationCQL == "" {
-		creationCQL = defaultCreationCQL
+		creationCQL = defaultUserCreationCQL
 	}
 	rollbackCQL := statements.RollbackStatements
 	if rollbackCQL == "" {
-		rollbackCQL = defaultRollbackCQL
+		rollbackCQL = defaultUserDeletionCQL
 	}
 
 	username, err = c.GenerateUsername(usernamePrefix)
@@ -113,7 +118,6 @@ func (c *Cassandra) CreateUser(statements dbplugin.Statements, usernamePrefix st
 
 				session.Query(dbutil.QueryHelper(query, map[string]string{
 					"username": username,
-					"password": password,
 				})).Exec()
 			}
 			return "", "", err
@@ -123,11 +127,13 @@ func (c *Cassandra) CreateUser(statements dbplugin.Statements, usernamePrefix st
 	return username, password, nil
 }
 
+// RenewUser is not supported on Cassandra, so this is a no-op.
 func (c *Cassandra) RenewUser(statements dbplugin.Statements, username string, expiration time.Time) error {
 	// NOOP
 	return nil
 }
 
+// RevokeUser attempts to drop the specified user.
 func (c *Cassandra) RevokeUser(statements dbplugin.Statements, username string) error {
 	// Grab the lock
 	c.Lock()
@@ -138,10 +144,24 @@ func (c *Cassandra) RevokeUser(statements dbplugin.Statements, username string)
 		return err
 	}
 
-	err = session.Query(fmt.Sprintf("DROP USER '%s'", username)).Exec()
-	if err != nil {
-		return fmt.Errorf("error removing user '%s': %s", username, err)
+	revocationCQL := statements.RevocationStatements
+	if revocationCQL == "" {
+		revocationCQL = defaultUserDeletionCQL
 	}
 
-	return nil
+	var result *multierror.Error
+	for _, query := range strutil.ParseArbitraryStringSlice(revocationCQL, ";") {
+		query = strings.TrimSpace(query)
+		if len(query) == 0 {
+			continue
+		}
+
+		err := session.Query(dbutil.QueryHelper(query, map[string]string{
+			"username": username,
+		})).Exec()
+
+		result = multierror.Append(result, err)
+	}
+
+	return result.ErrorOrNil()
 }

plugins/database/cassandra/test-fixtures/cassandra.yaml

@@ -421,7 +421,7 @@ seed_provider:
       parameters:
           # seeds is actually a comma-delimited list of addresses.
           # Ex: "<ip1>,<ip2>,<ip3>"
-          - seeds: "172.17.0.3"
+          - seeds: "172.17.0.2"
 
 # For workloads with more data than can fit in memory, Cassandra's
 # bottleneck will be reads that need to fetch data from
@@ -572,7 +572,7 @@ ssl_storage_port: 7001
 #
 # Setting listen_address to 0.0.0.0 is always wrong.
 #
-listen_address: 172.17.0.3
+listen_address: 172.17.0.2
 
 # Set listen_address OR listen_interface, not both. Interfaces must correspond
 # to a single address, IP aliasing is not supported.
@@ -586,7 +586,7 @@ listen_address: 172.17.0.3
 
 # Address to broadcast to other Cassandra nodes
 # Leaving this blank will set it to the same value as listen_address
-broadcast_address: 172.17.0.3
+broadcast_address: 172.17.0.2
 
 # When using multiple physical network interfaces, set this
 # to true to listen on broadcast_address in addition to
@@ -668,7 +668,7 @@ rpc_port: 9160
 # be set to 0.0.0.0. If left blank, this will be set to the value of
 # rpc_address. If rpc_address is set to 0.0.0.0, broadcast_rpc_address must
 # be set.
-broadcast_rpc_address: 172.17.0.3
+broadcast_rpc_address: 172.17.0.2
 
 # enable or disable keepalive on rpc/native connections
 rpc_keepalive: true