open-vault/builtin/logical/mysql/secret_creds.go

package mysql

import (
	"context"
	"fmt"
	"strings"

	"github.com/hashicorp/vault/helper/strutil"
	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

const SecretCredsType = "creds"

// defaultRevocationSQL is a default SQL statement for revoking a user. Revoking
// permissions for the user is done before the drop, because MySQL explicitly
// documents that open user connections will not be closed. By revoking all
// grants, at least we ensure that the open connection is useless. Dropping the
// user will only affect the next connection.
const defaultRevocationSQL = `
REVOKE ALL PRIVILEGES, GRANT OPTION FROM '{{name}}'@'%'; 
DROP USER '{{name}}'@'%'
`

func secretCreds(b *backend) *framework.Secret {
	return &framework.Secret{
		Type: SecretCredsType,
		Fields: map[string]*framework.FieldSchema{
			"username": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Username",
			},

			"password": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Password",
			},
		},

		Renew:  b.secretCredsRenew,
		Revoke: b.secretCredsRevoke,
	}
}

func (b *backend) secretCredsRenew(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	// Get the lease information
	lease, err := b.Lease(ctx, req.Storage)
	if err != nil {
		return nil, err
	}
	if lease == nil {
		lease = &configLease{}
	}

	resp := &logical.Response{Secret: req.Secret}
	resp.Secret.TTL = lease.Lease
	resp.Secret.MaxTTL = lease.LeaseMax
	return resp, nil
}

func (b *backend) secretCredsRevoke(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	var resp *logical.Response

	// Get the username from the internal data
	usernameRaw, ok := req.Secret.InternalData["username"]
	if !ok {
		return nil, fmt.Errorf("secret is missing username internal data")
	}
	username, ok := usernameRaw.(string)
	if !ok {
		return nil, fmt.Errorf("usernameRaw is not a string")
	}

	// Get our connection
	db, err := b.DB(ctx, req.Storage)
	if err != nil {
		return nil, err
	}

	roleName := ""
	roleNameRaw, ok := req.Secret.InternalData["role"]
	if ok {
		roleName = roleNameRaw.(string)
	}

	var role *roleEntry
	if roleName != "" {
		role, err = b.Role(ctx, req.Storage, roleName)
		if err != nil {
			return nil, err
		}
	}

	// Use a default SQL statement for revocation if one cannot be fetched from the role
	revocationSQL := defaultRevocationSQL

	if role != nil && role.RevocationSQL != "" {
		revocationSQL = role.RevocationSQL
	} else {
		if resp == nil {
			resp = &logical.Response{}
		}
		resp.AddWarning(fmt.Sprintf("Role %q cannot be found. Using default SQL for revoking user.", roleName))
	}

	// Start a transaction
	tx, err := db.Begin()
	if err != nil {
		return nil, err
	}
	defer tx.Rollback()

	for _, query := range strutil.ParseArbitraryStringSlice(revocationSQL, ";") {
		query = strings.TrimSpace(query)
		if len(query) == 0 {
			continue
		}

		// This is not a prepared statement because not all commands are supported
		// 1295: This command is not supported in the prepared statement protocol yet
		// Reference https://mariadb.com/kb/en/mariadb/prepare-statement/
		query = strings.Replace(query, "{{name}}", username, -1)
		_, err = tx.Exec(query)
		if err != nil {
			return nil, err
		}

	}

	// Commit the transaction
	if err := tx.Commit(); err != nil {
		return nil, err
	}

	return resp, nil
}
secret/mysql: initial pass at mysql secret backend 2015-04-25 19:05:26 +00:00			`package mysql`

			`import (`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`"context"`
secret/mysql: initial pass at mysql secret backend 2015-04-25 19:05:26 +00:00			`"fmt"`
secretCredsRevoke command no longer uses hardcoded query The removal of a user from the db is now handled similar to the creation. The SQL is read out of a key from the role and then executed with values substituted for username. 2016-09-23 20:05:49 +00:00			`"strings"`
secret/mysql: initial pass at mysql secret backend 2015-04-25 19:05:26 +00:00
secretCredsRevoke command no longer uses hardcoded query The removal of a user from the db is now handled similar to the creation. The SQL is read out of a key from the role and then executed with values substituted for username. 2016-09-23 20:05:49 +00:00			`"github.com/hashicorp/vault/helper/strutil"`
secret/mysql: initial pass at mysql secret backend 2015-04-25 19:05:26 +00:00			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

			`const SecretCredsType = "creds"`

Postgres revocation sql, beta mode (#1972) 2016-10-05 17:52:59 +00:00			`// defaultRevocationSQL is a default SQL statement for revoking a user. Revoking`
Refactor mysql's revoke SQL 2016-10-04 23:30:25 +00:00			`// permissions for the user is done before the drop, because MySQL explicitly`
			`// documents that open user connections will not be closed. By revoking all`
			`// grants, at least we ensure that the open connection is useless. Dropping the`
			`// user will only affect the next connection.`
Postgres revocation sql, beta mode (#1972) 2016-10-05 17:52:59 +00:00			const defaultRevocationSQL = `
Refactored logic some to make sure we can always fall back to default revoke statments Changed rolename to role made default sql revoke statments a const 2016-10-03 19:59:56 +00:00			`REVOKE ALL PRIVILEGES, GRANT OPTION FROM '{{name}}'@'%';`
			`DROP USER '{{name}}'@'%'`
			`

secret/mysql: initial pass at mysql secret backend 2015-04-25 19:05:26 +00:00			`func secretCreds(b backend) framework.Secret {`
			`return &framework.Secret{`
			`Type: SecretCredsType,`
			`Fields: map[string]*framework.FieldSchema{`
			`"username": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Username",`
			`},`

			`"password": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Password",`
			`},`
			`},`

			`Renew: b.secretCredsRenew,`
			`Revoke: b.secretCredsRevoke,`
			`}`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) secretCredsRenew(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {`
secret/mysql: initial pass at mysql secret backend 2015-04-25 19:05:26 +00:00			`// Get the lease information`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`lease, err := b.Lease(ctx, req.Storage)`
secret/mysql: initial pass at mysql secret backend 2015-04-25 19:05:26 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`if lease == nil {`
Make backends much more consistent: 1) Use the new LeaseExtend 2) Use default values controlled by mount tuning/system defaults instead of a random hard coded value 3) Remove grace periods 2016-01-29 22:44:09 +00:00			`lease = &configLease{}`
secret/mysql: initial pass at mysql secret backend 2015-04-25 19:05:26 +00:00			`}`

Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback 2018-04-03 16:20:20 +00:00			`resp := &logical.Response{Secret: req.Secret}`
			`resp.Secret.TTL = lease.Lease`
			`resp.Secret.MaxTTL = lease.LeaseMax`
			`return resp, nil`
secret/mysql: initial pass at mysql secret backend 2015-04-25 19:05:26 +00:00			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) secretCredsRevoke(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {`
Refactor mysql's revoke SQL 2016-10-04 23:30:25 +00:00			`var resp *logical.Response`
secretCredsRevoke command no longer uses hardcoded query The removal of a user from the db is now handled similar to the creation. The SQL is read out of a key from the role and then executed with values substituted for username. 2016-09-23 20:05:49 +00:00
secret/mysql: initial pass at mysql secret backend 2015-04-25 19:05:26 +00:00			`// Get the username from the internal data`
			`usernameRaw, ok := req.Secret.InternalData["username"]`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing username internal data")`
			`}`
			`username, ok := usernameRaw.(string)`
Handle dropped checkok pattern in mysql package (#3082) 2017-08-02 23:34:58 +00:00			`if !ok {`
			`return nil, fmt.Errorf("usernameRaw is not a string")`
			`}`
secret/mysql: initial pass at mysql secret backend 2015-04-25 19:05:26 +00:00
			`// Get our connection`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`db, err := b.DB(ctx, req.Storage)`
secret/mysql: initial pass at mysql secret backend 2015-04-25 19:05:26 +00:00			`if err != nil {`
			`return nil, err`
			`}`

Refactor mysql's revoke SQL 2016-10-04 23:30:25 +00:00			`roleName := ""`
Refactored logic some to make sure we can always fall back to default revoke statments Changed rolename to role made default sql revoke statments a const 2016-10-03 19:59:56 +00:00			`roleNameRaw, ok := req.Secret.InternalData["role"]`
Refactor mysql's revoke SQL 2016-10-04 23:30:25 +00:00			`if ok {`
			`roleName = roleNameRaw.(string)`
More resilient around cases of missing role names and using the default when needed. 2016-10-04 00:20:00 +00:00			`}`
saving role name to the Secret Internal data. Default revoke query added The rolename is now saved to the secret internal data for fetching later during the user revocation process. No longer deriving the role name from request path Added support for default revoke SQL statements that will provide the same functionality as before. If not revoke SQL statements are provided the default statements are used. Cleaned up personal ignores from the .gitignore file 2016-10-02 22:53:16 +00:00
Refactor mysql's revoke SQL 2016-10-04 23:30:25 +00:00			`var role *roleEntry`
Refactored logic some to make sure we can always fall back to default revoke statments Changed rolename to role made default sql revoke statments a const 2016-10-03 19:59:56 +00:00			`if roleName != "" {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`role, err = b.Role(ctx, req.Storage, roleName)`
Refactored logic some to make sure we can always fall back to default revoke statments Changed rolename to role made default sql revoke statments a const 2016-10-03 19:59:56 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Refactor mysql's revoke SQL 2016-10-04 23:30:25 +00:00			`}`
removed an unused ok variable. Added warning and force use for default queries if role is nil 2016-10-04 21:15:29 +00:00
Refactor mysql's revoke SQL 2016-10-04 23:30:25 +00:00			`// Use a default SQL statement for revocation if one cannot be fetched from the role`
Postgres revocation sql, beta mode (#1972) 2016-10-05 17:52:59 +00:00			`revocationSQL := defaultRevocationSQL`
removed an unused ok variable. Added warning and force use for default queries if role is nil 2016-10-04 21:15:29 +00:00
Postgres revocation sql, beta mode (#1972) 2016-10-05 17:52:59 +00:00			`if role != nil && role.RevocationSQL != "" {`
			`revocationSQL = role.RevocationSQL`
Refactor mysql's revoke SQL 2016-10-04 23:30:25 +00:00			`} else {`
			`if resp == nil {`
			`resp = &logical.Response{}`
More resilient around cases of missing role names and using the default when needed. 2016-10-04 00:20:00 +00:00			`}`
Refactor mysql's revoke SQL 2016-10-04 23:30:25 +00:00			`resp.AddWarning(fmt.Sprintf("Role %q cannot be found. Using default SQL for revoking user.", roleName))`
secretCredsRevoke command no longer uses hardcoded query The removal of a user from the db is now handled similar to the creation. The SQL is read out of a key from the role and then executed with values substituted for username. 2016-09-23 20:05:49 +00:00			`}`
secret/mysql: initial pass at mysql secret backend 2015-04-25 19:05:26 +00:00
secretCredsRevoke command no longer uses hardcoded query The removal of a user from the db is now handled similar to the creation. The SQL is read out of a key from the role and then executed with values substituted for username. 2016-09-23 20:05:49 +00:00			`// Start a transaction`
			`tx, err := db.Begin()`
secret/mysql: initial pass at mysql secret backend 2015-04-25 19:05:26 +00:00			`if err != nil {`
			`return nil, err`
			`}`
secretCredsRevoke command no longer uses hardcoded query The removal of a user from the db is now handled similar to the creation. The SQL is read out of a key from the role and then executed with values substituted for username. 2016-09-23 20:05:49 +00:00			`defer tx.Rollback()`

Postgres revocation sql, beta mode (#1972) 2016-10-05 17:52:59 +00:00			`for _, query := range strutil.ParseArbitraryStringSlice(revocationSQL, ";") {`
secretCredsRevoke command no longer uses hardcoded query The removal of a user from the db is now handled similar to the creation. The SQL is read out of a key from the role and then executed with values substituted for username. 2016-09-23 20:05:49 +00:00			`query = strings.TrimSpace(query)`
			`if len(query) == 0 {`
			`continue`
			`}`

More resilient around cases of missing role names and using the default when needed. 2016-10-04 00:20:00 +00:00			`// This is not a prepared statement because not all commands are supported`
			`// 1295: This command is not supported in the prepared statement protocol yet`
			`// Reference https://mariadb.com/kb/en/mariadb/prepare-statement/`
secretCredsRevoke command no longer uses hardcoded query The removal of a user from the db is now handled similar to the creation. The SQL is read out of a key from the role and then executed with values substituted for username. 2016-09-23 20:05:49 +00:00			`query = strings.Replace(query, "{{name}}", username, -1)`
			`_, err = tx.Exec(query)`
			`if err != nil {`
			`return nil, err`
			`}`
secret/mysql: initial pass at mysql secret backend 2015-04-25 19:05:26 +00:00
			`}`

			`// Commit the transaction`
			`if err := tx.Commit(); err != nil {`
			`return nil, err`
			`}`
removed an unused ok variable. Added warning and force use for default queries if role is nil 2016-10-04 21:15:29 +00:00
Refactor mysql's revoke SQL 2016-10-04 23:30:25 +00:00			`return resp, nil`
secret/mysql: initial pass at mysql secret backend 2015-04-25 19:05:26 +00:00			`}`