open-vault/plugins/database/mongodb/mongodb.go

package mongodb

import (
	"time"

	"encoding/json"

	"fmt"

	"github.com/hashicorp/vault/api"
	"github.com/hashicorp/vault/builtin/logical/database/dbplugin"
	"github.com/hashicorp/vault/plugins"
	"github.com/hashicorp/vault/plugins/helper/database/connutil"
	"github.com/hashicorp/vault/plugins/helper/database/credsutil"
	"github.com/hashicorp/vault/plugins/helper/database/dbutil"
	"gopkg.in/mgo.v2"
)

const mongoDBTypeName = "mongodb"

// MongoDB is an implementation of Database interface
type MongoDB struct {
	connutil.ConnectionProducer
	credsutil.CredentialsProducer
}

// New returns a new MongoDB instance
func New() (interface{}, error) {
	connProducer := &mongoDBConnectionProducer{}
	connProducer.Type = mongoDBTypeName

	credsProducer := &credsutil.SQLCredentialsProducer{
		DisplayNameLen: 15,
		RoleNameLen:    15,
		UsernameLen:    100,
		Separator:      "-",
	}

	dbType := &MongoDB{
		ConnectionProducer:  connProducer,
		CredentialsProducer: credsProducer,
	}
	return dbType, nil
}

// Run instantiates a MongoDB object, and runs the RPC server for the plugin
func Run(apiTLSConfig *api.TLSConfig) error {
	dbType, err := New()
	if err != nil {
		return err
	}

	plugins.Serve(dbType.(*MongoDB), apiTLSConfig)

	return nil
}

// Type returns the TypeName for this backend
func (m *MongoDB) Type() (string, error) {
	return mongoDBTypeName, nil
}

func (m *MongoDB) getConnection() (*mgo.Session, error) {
	session, err := m.Connection()
	if err != nil {
		return nil, err
	}

	return session.(*mgo.Session), nil
}

// CreateUser generates the username/password on the underlying secret backend as instructed by
// the CreationStatement provided. The creation statement is a JSON blob that has a db value,
// and an array of roles that accepts a role, and an optional db value pair. This array will
// be normalized the format specified in the mongoDB docs:
// https://docs.mongodb.com/manual/reference/command/createUser/#dbcmd.createUser
//
// JSON Example:
//  { "db": "admin", "roles": [{ "role": "readWrite" }, {"role": "read", "db": "foo"}] }
func (m *MongoDB) CreateUser(statements dbplugin.Statements, usernameConfig dbplugin.UsernameConfig, expiration time.Time) (username string, password string, err error) {
	// Grab the lock
	m.Lock()
	defer m.Unlock()

	if statements.CreationStatements == "" {
		return "", "", dbutil.ErrEmptyCreationStatement
	}

	session, err := m.getConnection()
	if err != nil {
		return "", "", err
	}

	username, err = m.GenerateUsername(usernameConfig)
	if err != nil {
		return "", "", err
	}

	password, err = m.GeneratePassword()
	if err != nil {
		return "", "", err
	}

	// Unmarshal statements.CreationStatements into mongodbRoles
	var mongoCS mongoDBStatement
	err = json.Unmarshal([]byte(statements.CreationStatements), &mongoCS)
	if err != nil {
		return "", "", err
	}

	// Default to "admin" if no db provided
	if mongoCS.DB == "" {
		mongoCS.DB = "admin"
	}

	if len(mongoCS.Roles) == 0 {
		return "", "", fmt.Errorf("roles array is required in creation statement")
	}

	createUserCmd := createUserCommand{
		Username: username,
		Password: password,
		Roles:    mongoCS.Roles.toStandardRolesArray(),
	}

	err = session.DB(mongoCS.DB).Run(createUserCmd, nil)
	if err != nil {
		return "", "", err
	}

	return username, password, nil
}

// RenewUser is not supported on MongoDB, so this is a no-op.
func (m *MongoDB) RenewUser(statements dbplugin.Statements, username string, expiration time.Time) error {
	// NOOP
	return nil
}

// RevokeUser drops the specified user from the authentication databse. If none is provided
// in the revocation statement, the default "admin" authentication database will be assumed.
func (m *MongoDB) RevokeUser(statements dbplugin.Statements, username string) error {
	session, err := m.getConnection()
	if err != nil {
		return err
	}

	// If no revocation statements provided, pass in empty JSON
	revocationStatement := statements.RevocationStatements
	if revocationStatement == "" {
		revocationStatement = `{}`
	}

	// Unmarshal revocation statements into mongodbRoles
	var mongoCS mongoDBStatement
	err = json.Unmarshal([]byte(revocationStatement), &mongoCS)
	if err != nil {
		return err
	}

	db := mongoCS.DB
	// If db is not specified, use the default authenticationDatabase "admin"
	if db == "" {
		db = "admin"
	}

	err = session.DB(db).RemoveUser(username)
	if err != nil && err != mgo.ErrNotFound {
		return err
	}

	return nil
}
Mongodb plugin (#2698) * WIP on mongodb plugin * Add mongodb plugin * Add tests * Update mongodb.CreateUser() comment * Update docs * Add missing docs * Fix mongodb docs * Minor comment and test updates * Fix imports * Fix dockertest import * Set c.Initialized at the end, check for empty CreationStmts first on CreateUser * Remove Initialized check on Connection() * Add back Initialized check * Update docs * Move connProducer and credsProducer into pkg for mongodb and cassandra * Chage parseMongoURL to be a private func * Default to admin if no db is provided in creation_statements * Update comments and docs 2017-05-11 21:38:54 +00:00			`package mongodb`

			`import (`
			`"time"`

			`"encoding/json"`

			`"fmt"`

			`"github.com/hashicorp/vault/api"`
			`"github.com/hashicorp/vault/builtin/logical/database/dbplugin"`
			`"github.com/hashicorp/vault/plugins"`
			`"github.com/hashicorp/vault/plugins/helper/database/connutil"`
			`"github.com/hashicorp/vault/plugins/helper/database/credsutil"`
			`"github.com/hashicorp/vault/plugins/helper/database/dbutil"`
			`"gopkg.in/mgo.v2"`
			`)`

			`const mongoDBTypeName = "mongodb"`

			`// MongoDB is an implementation of Database interface`
			`type MongoDB struct {`
			`connutil.ConnectionProducer`
			`credsutil.CredentialsProducer`
			`}`

			`// New returns a new MongoDB instance`
			`func New() (interface{}, error) {`
			`connProducer := &mongoDBConnectionProducer{}`
			`connProducer.Type = mongoDBTypeName`

Use the role name in the db username (#2812) 2017-06-06 13:49:49 +00:00			`credsProducer := &credsutil.SQLCredentialsProducer{`
			`DisplayNameLen: 15,`
			`RoleNameLen: 15,`
			`UsernameLen: 100,`
			`Separator: "-",`
			`}`
Mongodb plugin (#2698) * WIP on mongodb plugin * Add mongodb plugin * Add tests * Update mongodb.CreateUser() comment * Update docs * Add missing docs * Fix mongodb docs * Minor comment and test updates * Fix imports * Fix dockertest import * Set c.Initialized at the end, check for empty CreationStmts first on CreateUser * Remove Initialized check on Connection() * Add back Initialized check * Update docs * Move connProducer and credsProducer into pkg for mongodb and cassandra * Chage parseMongoURL to be a private func * Default to admin if no db is provided in creation_statements * Update comments and docs 2017-05-11 21:38:54 +00:00
			`dbType := &MongoDB{`
			`ConnectionProducer: connProducer,`
			`CredentialsProducer: credsProducer,`
			`}`
			`return dbType, nil`
			`}`

			`// Run instantiates a MongoDB object, and runs the RPC server for the plugin`
			`func Run(apiTLSConfig *api.TLSConfig) error {`
			`dbType, err := New()`
			`if err != nil {`
			`return err`
			`}`

			`plugins.Serve(dbType.(*MongoDB), apiTLSConfig)`

			`return nil`
			`}`

			`// Type returns the TypeName for this backend`
			`func (m *MongoDB) Type() (string, error) {`
			`return mongoDBTypeName, nil`
			`}`

			`func (m MongoDB) getConnection() (mgo.Session, error) {`
			`session, err := m.Connection()`
			`if err != nil {`
			`return nil, err`
			`}`

			`return session.(*mgo.Session), nil`
			`}`

			`// CreateUser generates the username/password on the underlying secret backend as instructed by`
			`// the CreationStatement provided. The creation statement is a JSON blob that has a db value,`
			`// and an array of roles that accepts a role, and an optional db value pair. This array will`
			`// be normalized the format specified in the mongoDB docs:`
			`// https://docs.mongodb.com/manual/reference/command/createUser/#dbcmd.createUser`
			`//`
			`// JSON Example:`
			`// { "db": "admin", "roles": [{ "role": "readWrite" }, {"role": "read", "db": "foo"}] }`
Use the role name in the db username (#2812) 2017-06-06 13:49:49 +00:00			`func (m *MongoDB) CreateUser(statements dbplugin.Statements, usernameConfig dbplugin.UsernameConfig, expiration time.Time) (username string, password string, err error) {`
Mongodb plugin (#2698) * WIP on mongodb plugin * Add mongodb plugin * Add tests * Update mongodb.CreateUser() comment * Update docs * Add missing docs * Fix mongodb docs * Minor comment and test updates * Fix imports * Fix dockertest import * Set c.Initialized at the end, check for empty CreationStmts first on CreateUser * Remove Initialized check on Connection() * Add back Initialized check * Update docs * Move connProducer and credsProducer into pkg for mongodb and cassandra * Chage parseMongoURL to be a private func * Default to admin if no db is provided in creation_statements * Update comments and docs 2017-05-11 21:38:54 +00:00			`// Grab the lock`
			`m.Lock()`
			`defer m.Unlock()`

			`if statements.CreationStatements == "" {`
			`return "", "", dbutil.ErrEmptyCreationStatement`
			`}`

			`session, err := m.getConnection()`
			`if err != nil {`
			`return "", "", err`
			`}`

Use the role name in the db username (#2812) 2017-06-06 13:49:49 +00:00			`username, err = m.GenerateUsername(usernameConfig)`
Mongodb plugin (#2698) * WIP on mongodb plugin * Add mongodb plugin * Add tests * Update mongodb.CreateUser() comment * Update docs * Add missing docs * Fix mongodb docs * Minor comment and test updates * Fix imports * Fix dockertest import * Set c.Initialized at the end, check for empty CreationStmts first on CreateUser * Remove Initialized check on Connection() * Add back Initialized check * Update docs * Move connProducer and credsProducer into pkg for mongodb and cassandra * Chage parseMongoURL to be a private func * Default to admin if no db is provided in creation_statements * Update comments and docs 2017-05-11 21:38:54 +00:00			`if err != nil {`
			`return "", "", err`
			`}`

			`password, err = m.GeneratePassword()`
			`if err != nil {`
			`return "", "", err`
			`}`

			`// Unmarshal statements.CreationStatements into mongodbRoles`
			`var mongoCS mongoDBStatement`
			`err = json.Unmarshal([]byte(statements.CreationStatements), &mongoCS)`
			`if err != nil {`
			`return "", "", err`
			`}`

			`// Default to "admin" if no db provided`
			`if mongoCS.DB == "" {`
			`mongoCS.DB = "admin"`
			`}`

			`if len(mongoCS.Roles) == 0 {`
			`return "", "", fmt.Errorf("roles array is required in creation statement")`
			`}`

			`createUserCmd := createUserCommand{`
			`Username: username,`
			`Password: password,`
			`Roles: mongoCS.Roles.toStandardRolesArray(),`
			`}`

			`err = session.DB(mongoCS.DB).Run(createUserCmd, nil)`
			`if err != nil {`
			`return "", "", err`
			`}`

			`return username, password, nil`
			`}`

			`// RenewUser is not supported on MongoDB, so this is a no-op.`
			`func (m *MongoDB) RenewUser(statements dbplugin.Statements, username string, expiration time.Time) error {`
			`// NOOP`
			`return nil`
			`}`

			`// RevokeUser drops the specified user from the authentication databse. If none is provided`
			`// in the revocation statement, the default "admin" authentication database will be assumed.`
			`func (m *MongoDB) RevokeUser(statements dbplugin.Statements, username string) error {`
			`session, err := m.getConnection()`
			`if err != nil {`
			`return err`
			`}`

			`// If no revocation statements provided, pass in empty JSON`
			`revocationStatement := statements.RevocationStatements`
			`if revocationStatement == "" {`
			revocationStatement = `{}`
			`}`

			`// Unmarshal revocation statements into mongodbRoles`
			`var mongoCS mongoDBStatement`
			`err = json.Unmarshal([]byte(revocationStatement), &mongoCS)`
			`if err != nil {`
			`return err`
			`}`

			`db := mongoCS.DB`
			`// If db is not specified, use the default authenticationDatabase "admin"`
			`if db == "" {`
			`db = "admin"`
			`}`

			`err = session.DB(db).RemoveUser(username)`
			`if err != nil && err != mgo.ErrNotFound {`
			`return err`
			`}`

			`return nil`
			`}`