open-vault/builtin/logical/mysql/secret_creds.go

package mysql

import (
	"fmt"

	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

const SecretCredsType = "creds"

func secretCreds(b *backend) *framework.Secret {
	return &framework.Secret{
		Type: SecretCredsType,
		Fields: map[string]*framework.FieldSchema{
			"username": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Username",
			},

			"password": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Password",
			},
		},

		Renew:  b.secretCredsRenew,
		Revoke: b.secretCredsRevoke,
	}
}

func (b *backend) secretCredsRenew(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	// Get the lease information
	lease, err := b.Lease(req.Storage)
	if err != nil {
		return nil, err
	}
	if lease == nil {
		lease = &configLease{}
	}

	f := framework.LeaseExtend(lease.Lease, lease.LeaseMax, b.System())
	return f(req, d)
}

func (b *backend) secretCredsRevoke(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	// Get the username from the internal data
	usernameRaw, ok := req.Secret.InternalData["username"]
	if !ok {
		return nil, fmt.Errorf("secret is missing username internal data")
	}
	username, ok := usernameRaw.(string)

	// Get our connection
	db, err := b.DB(req.Storage)
	if err != nil {
		return nil, err
	}

	// Start a transaction
	tx, err := db.Begin()
	if err != nil {
		return nil, err
	}
	defer tx.Rollback()

	// Revoke all permissions for the user. This is done before the
	// drop, because MySQL explicitly documents that open user connections
	// will not be closed. By revoking all grants, at least we ensure
	// that the open connection is useless.
	_, err = tx.Exec("REVOKE ALL PRIVILEGES, GRANT OPTION FROM '" + username + "'@'%'")
	if err != nil {
		return nil, err
	}

	// Drop this user. This only affects the next connection, which is
	// why we do the revoke initially.
	_, err = tx.Exec("DROP USER '" + username + "'@'%'")
	if err != nil {
		return nil, err
	}

	// Commit the transaction
	if err := tx.Commit(); err != nil {
		return nil, err
	}
	return nil, nil
}
secret/mysql: initial pass at mysql secret backend 2015-04-25 19:05:26 +00:00			`package mysql`

			`import (`
			`"fmt"`

			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

			`const SecretCredsType = "creds"`

			`func secretCreds(b backend) framework.Secret {`
			`return &framework.Secret{`
			`Type: SecretCredsType,`
			`Fields: map[string]*framework.FieldSchema{`
			`"username": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Username",`
			`},`

			`"password": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Password",`
			`},`
			`},`

			`Renew: b.secretCredsRenew,`
			`Revoke: b.secretCredsRevoke,`
			`}`
			`}`

			`func (b *backend) secretCredsRenew(`
			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`// Get the lease information`
			`lease, err := b.Lease(req.Storage)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if lease == nil {`
Make backends much more consistent: 1) Use the new LeaseExtend 2) Use default values controlled by mount tuning/system defaults instead of a random hard coded value 3) Remove grace periods 2016-01-29 22:44:09 +00:00			`lease = &configLease{}`
secret/mysql: initial pass at mysql secret backend 2015-04-25 19:05:26 +00:00			`}`

Make backends much more consistent: 1) Use the new LeaseExtend 2) Use default values controlled by mount tuning/system defaults instead of a random hard coded value 3) Remove grace periods 2016-01-29 22:44:09 +00:00			`f := framework.LeaseExtend(lease.Lease, lease.LeaseMax, b.System())`
secret/mysql: initial pass at mysql secret backend 2015-04-25 19:05:26 +00:00			`return f(req, d)`
			`}`

			`func (b *backend) secretCredsRevoke(`
			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`// Get the username from the internal data`
			`usernameRaw, ok := req.Secret.InternalData["username"]`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing username internal data")`
			`}`
			`username, ok := usernameRaw.(string)`

			`// Get our connection`
			`db, err := b.DB(req.Storage)`
			`if err != nil {`
			`return nil, err`
			`}`

			`// Start a transaction`
			`tx, err := db.Begin()`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer tx.Rollback()`

			`// Revoke all permissions for the user. This is done before the`
			`// drop, because MySQL explicitly documents that open user connections`
			`// will not be closed. By revoking all grants, at least we ensure`
			`// that the open connection is useless.`
secret/mysql: fixing mysql oddities 2015-04-25 19:56:11 +00:00			`_, err = tx.Exec("REVOKE ALL PRIVILEGES, GRANT OPTION FROM '" + username + "'@'%'")`
secret/mysql: initial pass at mysql secret backend 2015-04-25 19:05:26 +00:00			`if err != nil {`
			`return nil, err`
			`}`

			`// Drop this user. This only affects the next connection, which is`
			`// why we do the revoke initially.`
secret/mysql: fixing mysql oddities 2015-04-25 19:56:11 +00:00			`_, err = tx.Exec("DROP USER '" + username + "'@'%'")`
secret/mysql: initial pass at mysql secret backend 2015-04-25 19:05:26 +00:00			`if err != nil {`
			`return nil, err`
			`}`

			`// Commit the transaction`
			`if err := tx.Commit(); err != nil {`
			`return nil, err`
			`}`
			`return nil, nil`
			`}`