open-vault/plugins/database/influxdb/influxdb.go

260 lines
6.5 KiB
Go
Raw Normal View History

package influxdb
import (
"context"
"strings"
"time"
multierror "github.com/hashicorp/go-multierror"
"github.com/hashicorp/vault/api"
2019-04-15 18:10:07 +00:00
"github.com/hashicorp/vault/sdk/database/dbplugin"
"github.com/hashicorp/vault/sdk/database/helper/credsutil"
"github.com/hashicorp/vault/sdk/database/helper/dbutil"
"github.com/hashicorp/vault/sdk/helper/strutil"
influx "github.com/influxdata/influxdb/client/v2"
)
const (
defaultUserCreationIFQL = `CREATE USER "{{username}}" WITH PASSWORD '{{password}}';`
defaultUserDeletionIFQL = `DROP USER "{{username}}";`
defaultRootCredentialRotationIFQL = `SET PASSWORD FOR "{{username}}" = '{{password}}';`
influxdbTypeName = "influxdb"
)
var _ dbplugin.Database = &Influxdb{}
// Influxdb is an implementation of Database interface
type Influxdb struct {
*influxdbConnectionProducer
credsutil.CredentialsProducer
}
// New returns a new Cassandra instance
func New() (interface{}, error) {
db := new()
dbType := dbplugin.NewDatabaseErrorSanitizerMiddleware(db, db.secretValues)
return dbType, nil
}
func new() *Influxdb {
connProducer := &influxdbConnectionProducer{}
connProducer.Type = influxdbTypeName
credsProducer := &credsutil.SQLCredentialsProducer{
DisplayNameLen: 15,
RoleNameLen: 15,
UsernameLen: 100,
Separator: "_",
}
return &Influxdb{
influxdbConnectionProducer: connProducer,
CredentialsProducer: credsProducer,
}
}
// Run instantiates a Influxdb object, and runs the RPC server for the plugin
func Run(apiTLSConfig *api.TLSConfig) error {
dbType, err := New()
if err != nil {
return err
}
2019-04-15 18:10:07 +00:00
dbplugin.Serve(dbType.(dbplugin.Database), api.VaultPluginTLSProvider(apiTLSConfig))
return nil
}
// Type returns the TypeName for this backend
func (i *Influxdb) Type() (string, error) {
return influxdbTypeName, nil
}
func (i *Influxdb) getConnection(ctx context.Context) (influx.Client, error) {
cli, err := i.Connection(ctx)
if err != nil {
return nil, err
}
return cli.(influx.Client), nil
}
// CreateUser generates the username/password on the underlying Influxdb secret backend as instructed by
// the CreationStatement provided.
func (i *Influxdb) CreateUser(ctx context.Context, statements dbplugin.Statements, usernameConfig dbplugin.UsernameConfig, expiration time.Time) (username string, password string, err error) {
// Grab the lock
i.Lock()
defer i.Unlock()
statements = dbutil.StatementCompatibilityHelper(statements)
// Get the connection
cli, err := i.getConnection(ctx)
if err != nil {
return "", "", err
}
creationIFQL := statements.Creation
if len(creationIFQL) == 0 {
creationIFQL = []string{defaultUserCreationIFQL}
}
rollbackIFQL := statements.Rollback
if len(rollbackIFQL) == 0 {
rollbackIFQL = []string{defaultUserDeletionIFQL}
}
username, err = i.GenerateUsername(usernameConfig)
username = strings.Replace(username, "-", "_", -1)
if err != nil {
return "", "", err
}
username = strings.ToLower(username)
password, err = i.GeneratePassword()
if err != nil {
return "", "", err
}
// Execute each query
for _, stmt := range creationIFQL {
for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") {
query = strings.TrimSpace(query)
if len(query) == 0 {
continue
}
q := influx.NewQuery(dbutil.QueryHelper(query, map[string]string{
"username": username,
"password": password,
}), "", "")
response, err := cli.Query(q)
if err != nil {
if response != nil && response.Error() != nil {
attemptRollback(cli, username, rollbackIFQL)
}
return "", "", err
}
}
}
return username, password, nil
}
// attemptRollback will attempt to roll back user creation if an error occurs in
// CreateUser
func attemptRollback(cli influx.Client, username string, rollbackStatements []string) error {
for _, stmt := range rollbackStatements {
for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") {
query = strings.TrimSpace(query)
if len(query) == 0 {
continue
}
q := influx.NewQuery(dbutil.QueryHelper(query, map[string]string{
"username": username,
}), "", "")
response, err := cli.Query(q)
if err != nil {
if response != nil && response.Error() != nil {
return err
}
}
}
}
return nil
}
// RenewUser is not supported on Influxdb, so this is a no-op.
func (i *Influxdb) RenewUser(ctx context.Context, statements dbplugin.Statements, username string, expiration time.Time) error {
// NOOP
return nil
}
// RevokeUser attempts to drop the specified user.
func (i *Influxdb) RevokeUser(ctx context.Context, statements dbplugin.Statements, username string) error {
// Grab the lock
i.Lock()
defer i.Unlock()
statements = dbutil.StatementCompatibilityHelper(statements)
cli, err := i.getConnection(ctx)
if err != nil {
return err
}
revocationIFQL := statements.Revocation
if len(revocationIFQL) == 0 {
revocationIFQL = []string{defaultUserDeletionIFQL}
}
var result *multierror.Error
for _, stmt := range revocationIFQL {
for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") {
query = strings.TrimSpace(query)
if len(query) == 0 {
continue
}
q := influx.NewQuery(dbutil.QueryHelper(query, map[string]string{
"username": username,
}), "", "")
response, err := cli.Query(q)
result = multierror.Append(result, err)
if response != nil {
result = multierror.Append(result, response.Error())
}
}
}
return result.ErrorOrNil()
}
// RotateRootCredentials is useful when we try to change root credential
func (i *Influxdb) RotateRootCredentials(ctx context.Context, statements []string) (map[string]interface{}, error) {
// Grab the lock
i.Lock()
defer i.Unlock()
cli, err := i.getConnection(ctx)
if err != nil {
return nil, err
}
rotateIFQL := statements
if len(rotateIFQL) == 0 {
rotateIFQL = []string{defaultRootCredentialRotationIFQL}
}
password, err := i.GeneratePassword()
if err != nil {
return nil, err
}
var result *multierror.Error
for _, stmt := range rotateIFQL {
for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") {
query = strings.TrimSpace(query)
if len(query) == 0 {
continue
}
q := influx.NewQuery(dbutil.QueryHelper(query, map[string]string{
"username": i.Username,
"password": password,
}), "", "")
response, err := cli.Query(q)
result = multierror.Append(result, err)
if response != nil {
result = multierror.Append(result, response.Error())
}
}
}
err = result.ErrorOrNil()
if err != nil {
return nil, err
}
i.rawConfig["password"] = password
return i.rawConfig, nil
}