open-vault/builtin/logical/postgresql/path_role_create.go

package postgresql

import (
	"context"
	"fmt"
	"strings"
	"time"

	"github.com/hashicorp/go-secure-stdlib/strutil"
	uuid "github.com/hashicorp/go-uuid"
	"github.com/hashicorp/vault/sdk/framework"
	"github.com/hashicorp/vault/sdk/helper/dbtxn"
	"github.com/hashicorp/vault/sdk/logical"
	_ "github.com/jackc/pgx/v4/stdlib"
)

func pathRoleCreate(b *backend) *framework.Path {
	return &framework.Path{
		Pattern: "creds/" + framework.GenericNameRegex("name"),
		Fields: map[string]*framework.FieldSchema{
			"name": {
				Type:        framework.TypeString,
				Description: "Name of the role.",
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.ReadOperation: b.pathRoleCreateRead,
		},

		HelpSynopsis:    pathRoleCreateReadHelpSyn,
		HelpDescription: pathRoleCreateReadHelpDesc,
	}
}

func (b *backend) pathRoleCreateRead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
	name := data.Get("name").(string)

	// Get the role
	role, err := b.Role(ctx, req.Storage, name)
	if err != nil {
		return nil, err
	}
	if role == nil {
		return logical.ErrorResponse(fmt.Sprintf("unknown role: %s", name)), nil
	}

	// Determine if we have a lease
	lease, err := b.Lease(ctx, req.Storage)
	if err != nil {
		return nil, err
	}
	// Unlike some other backends we need a lease here (can't leave as 0 and
	// let core fill it in) because Postgres also expires users as a safety
	// measure, so cannot be zero
	if lease == nil {
		lease = &configLease{
			Lease: b.System().DefaultLeaseTTL(),
		}
	}

	// Generate the username, password and expiration. PG limits user to 63 characters
	displayName := req.DisplayName
	if len(displayName) > 26 {
		displayName = displayName[:26]
	}
	userUUID, err := uuid.GenerateUUID()
	if err != nil {
		return nil, err
	}
	username := fmt.Sprintf("%s-%s", displayName, userUUID)
	if len(username) > 63 {
		username = username[:63]
	}
	password, err := uuid.GenerateUUID()
	if err != nil {
		return nil, err
	}

	ttl, _, err := framework.CalculateTTL(b.System(), 0, lease.Lease, 0, lease.LeaseMax, 0, time.Time{})
	if err != nil {
		return nil, err
	}
	expiration := time.Now().
		Add(ttl).
		Format("2006-01-02 15:04:05-0700")

	// Get our handle
	db, err := b.DB(ctx, req.Storage)
	if err != nil {
		return nil, err
	}

	// Start a transaction
	tx, err := db.Begin()
	if err != nil {
		return nil, err
	}
	defer func() {
		tx.Rollback()
	}()

	// Execute each query
	for _, query := range strutil.ParseArbitraryStringSlice(role.SQL, ";") {
		query = strings.TrimSpace(query)
		if len(query) == 0 {
			continue
		}

		m := map[string]string{
			"name":       username,
			"password":   password,
			"expiration": expiration,
		}

		if err := dbtxn.ExecuteTxQueryDirect(ctx, tx, m, query); err != nil {
			return nil, err
		}
	}

	// Commit the transaction

	if err := tx.Commit(); err != nil {
		return nil, err
	}

	// Return the secret

	resp := b.Secret(SecretCredsType).Response(map[string]interface{}{
		"username": username,
		"password": password,
	}, map[string]interface{}{
		"username": username,
		"role":     name,
	})
	resp.Secret.TTL = lease.Lease
	resp.Secret.MaxTTL = lease.LeaseMax
	return resp, nil
}

const pathRoleCreateReadHelpSyn = `
Request database credentials for a certain role.
`

const pathRoleCreateReadHelpDesc = `
This path reads database credentials for a certain role. The
database credentials will be generated on demand and will be automatically
revoked when the lease is up.
`
logical/postgresql: create DB credentials 2015-04-19 01:37:27 +00:00			`package postgresql`

			`import (`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`"context"`
logical/postgresql: create DB credentials 2015-04-19 01:37:27 +00:00			`"fmt"`
Add arbitrary string slice parsing. Like the KV function, this supports either separated strings or JSON strings, base64-encoded or not. Fixes #1619 in theory. 2016-08-03 18:18:22 +00:00			`"strings"`
logical/postgresql: create DB credentials 2015-04-19 01:37:27 +00:00			`"time"`

Migrate to sdk/internalshared libs in go-secure-stdlib (#12090) * Swap sdk/helper libs to go-secure-stdlib * Migrate to go-secure-stdlib reloadutil * Migrate to go-secure-stdlib kv-builder * Migrate to go-secure-stdlib gatedwriter 2021-07-16 00:17:31 +00:00			`"github.com/hashicorp/go-secure-stdlib/strutil"`
Run goimports across the repository (#6010) The result will still pass gofmtcheck and won't trigger additional changes if someone isn't using goimports, but it will avoid the piecemeal imports changes we've been seeing. 2019-01-09 00:48:57 +00:00			`uuid "github.com/hashicorp/go-uuid"`
Switch to go modules (#6585) * Switch to go modules * Make fmt 2019-04-13 07:44:06 +00:00			`"github.com/hashicorp/vault/sdk/framework"`
Update to api 1.0.1 and sdk 0.1.8 2019-04-15 18:10:07 +00:00			`"github.com/hashicorp/vault/sdk/helper/dbtxn"`
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`"github.com/hashicorp/vault/sdk/logical"`
postgres: replace the package lib/pq with pgx (#15343) * WIP replacing lib/pq * change timezome param to be URI format * add changelog * add changelog for redshift * update changelog * add test for DSN style connection string * more parseurl and quoteidentify to sdk; include copyright and license * call dbutil.ParseURL instead, fix import ordering Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com> 2022-05-23 19:49:18 +00:00			`_ "github.com/jackc/pgx/v4/stdlib"`
logical/postgresql: create DB credentials 2015-04-19 01:37:27 +00:00			`)`

			`func pathRoleCreate(b backend) framework.Path {`
			`return &framework.Path{`
Vault: Fix wild card paths for all backends 2015-08-21 07:56:13 +00:00			`Pattern: "creds/" + framework.GenericNameRegex("name"),`
logical/postgresql: create DB credentials 2015-04-19 01:37:27 +00:00			`Fields: map[string]*framework.FieldSchema{`
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"name": {`
logical/postgresql: create DB credentials 2015-04-19 01:37:27 +00:00			`Type: framework.TypeString,`
			`Description: "Name of the role.",`
			`},`
			`},`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
			`logical.ReadOperation: b.pathRoleCreateRead,`
			`},`

			`HelpSynopsis: pathRoleCreateReadHelpSyn,`
			`HelpDescription: pathRoleCreateReadHelpDesc,`
			`}`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathRoleCreateRead(ctx context.Context, req logical.Request, data framework.FieldData) (logical.Response, error) {`
logical/postgresql: create DB credentials 2015-04-19 01:37:27 +00:00			`name := data.Get("name").(string)`

			`// Get the role`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`role, err := b.Role(ctx, req.Storage, name)`
logical/postgresql: create DB credentials 2015-04-19 01:37:27 +00:00			`if err != nil {`
			`return nil, err`
			`}`
logical/postgresql: support deleting roles and reading them 2015-04-19 04:59:59 +00:00			`if role == nil {`
logical/postgresql: create DB credentials 2015-04-19 01:37:27 +00:00			`return logical.ErrorResponse(fmt.Sprintf("unknown role: %s", name)), nil`
			`}`

logical/postgresql: leasing 2015-04-19 04:45:05 +00:00			`// Determine if we have a lease`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`lease, err := b.Lease(ctx, req.Storage)`
logical/postgresql: leasing 2015-04-19 04:45:05 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Make backends much more consistent: 1) Use the new LeaseExtend 2) Use default values controlled by mount tuning/system defaults instead of a random hard coded value 3) Remove grace periods 2016-01-29 22:44:09 +00:00			`// Unlike some other backends we need a lease here (can't leave as 0 and`
			`// let core fill it in) because Postgres also expires users as a safety`
			`// measure, so cannot be zero`
logical/postgresql: leasing 2015-04-19 04:45:05 +00:00			`if lease == nil {`
Make backends much more consistent: 1) Use the new LeaseExtend 2) Use default values controlled by mount tuning/system defaults instead of a random hard coded value 3) Remove grace periods 2016-01-29 22:44:09 +00:00			`lease = &configLease{`
			`Lease: b.System().DefaultLeaseTTL(),`
			`}`
logical/postgresql: leasing 2015-04-19 04:45:05 +00:00			`}`

secret/postgres: Ensure sane username length. Fixes #326 2015-06-17 20:31:56 +00:00			`// Generate the username, password and expiration. PG limits user to 63 characters`
			`displayName := req.DisplayName`
			`if len(displayName) > 26 {`
			`displayName = displayName[:26]`
			`}`
Update deps, and adjust usage of go-uuid to match new return values 2016-01-13 18:40:08 +00:00			`userUUID, err := uuid.GenerateUUID()`
			`if err != nil {`
			`return nil, err`
			`}`
			`username := fmt.Sprintf("%s-%s", displayName, userUUID)`
secret/postgres: Ensure sane username length. Fixes #326 2015-06-17 20:31:56 +00:00			`if len(username) > 63 {`
			`username = username[:63]`
			`}`
Update deps, and adjust usage of go-uuid to match new return values 2016-01-13 18:40:08 +00:00			`password, err := uuid.GenerateUUID()`
			`if err != nil {`
			`return nil, err`
			`}`
Fix a few missing TTL core changes (#4265) * Fix missing ttl handling in backends * fix test 2018-04-04 10:43:21 +00:00
			`ttl, _, err := framework.CalculateTTL(b.System(), 0, lease.Lease, 0, lease.LeaseMax, 0, time.Time{})`
			`if err != nil {`
			`return nil, err`
			`}`
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC 2016-07-07 21:44:14 +00:00			`expiration := time.Now().`
Fix max_ttl not being honored in database backend when default_ttl is zero (#3814) Fixes #3812 2018-01-18 06:43:38 +00:00			`Add(ttl).`
Explicitly set timezone with PostgreSQL timestamps. 2015-09-10 15:11:49 +00:00			`Format("2006-01-02 15:04:05-0700")`
logical/postgresql: create DB credentials 2015-04-19 01:37:27 +00:00
Run prepare on the transaction, not the db 2016-06-29 21:20:41 +00:00			`// Get our handle`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`db, err := b.DB(ctx, req.Storage)`
secret/postgresql: support multiple sql statements 2015-04-27 18:31:27 +00:00			`if err != nil {`
			`return nil, err`
			`}`

			`// Start a transaction`
			`tx, err := db.Begin()`
logical/postgresql: create DB credentials 2015-04-19 01:37:27 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Add more debug output 2016-06-28 15:03:56 +00:00			`defer func() {`
			`tx.Rollback()`
			`}()`
secret/postgresql: support multiple sql statements 2015-04-27 18:31:27 +00:00
			`// Execute each query`
Add arbitrary string slice parsing. Like the KV function, this supports either separated strings or JSON strings, base64-encoded or not. Fixes #1619 in theory. 2016-08-03 18:18:22 +00:00			`for _, query := range strutil.ParseArbitraryStringSlice(role.SQL, ";") {`
			`query = strings.TrimSpace(query)`
			`if len(query) == 0 {`
			`continue`
			`}`

Release database resources on each iteration of a loop (#4305) 2018-04-17 23:31:09 +00:00			`m := map[string]string{`
secret/postgresql: support multiple sql statements 2015-04-27 18:31:27 +00:00			`"name": username,`
			`"password": password,`
			`"expiration": expiration,`
			`}`
Release database resources on each iteration of a loop (#4305) 2018-04-17 23:31:09 +00:00
VAULT-5827 Don't prepare SQL queries before executing them (#15166) VAULT-5827 Don't prepare SQL queries before executing them We don't support proper prepared statements, i.e., preparing once and executing many times since we do our own templating. So preparing our queries does not really accomplish anything, and can have severe performance impacts (see https://github.com/hashicorp/vault-plugin-database-snowflake/issues/13 for example). This behavior seems to have been copy-pasted for many years but not for any particular reason that we have been able to find. First use was in https://github.com/hashicorp/vault/pull/15 So here we switch to new methods suffixed with `Direct` to indicate that they don't `Prepare` before running `Exec`, and switch everything here to use those. We maintain the older methods with the existing behavior (with `Prepare`) for backwards compatibility. 2022-04-26 19:47:06 +00:00			`if err := dbtxn.ExecuteTxQueryDirect(ctx, tx, m, query); err != nil {`
secret/postgresql: support multiple sql statements 2015-04-27 18:31:27 +00:00			`return nil, err`
			`}`
			`}`

			`// Commit the transaction`
Add more debug output 2016-06-28 15:03:56 +00:00
secret/postgresql: support multiple sql statements 2015-04-27 18:31:27 +00:00			`if err := tx.Commit(); err != nil {`
logical/postgresql: create DB credentials 2015-04-19 01:37:27 +00:00			`return nil, err`
			`}`

			`// Return the secret`
Add more debug output 2016-06-28 15:03:56 +00:00
logical/postgresql: leasing 2015-04-19 04:45:05 +00:00			`resp := b.Secret(SecretCredsType).Response(map[string]interface{}{`
logical/postgresql: create DB credentials 2015-04-19 01:37:27 +00:00			`"username": username,`
			`"password": password,`
			`}, map[string]interface{}{`
			`"username": username,`
Postgres revocation sql, beta mode (#1972) 2016-10-05 17:52:59 +00:00			`"role": name,`
logical/postgresql: leasing 2015-04-19 04:45:05 +00:00			`})`
Fix a few missing TTL core changes (#4265) * Fix missing ttl handling in backends * fix test 2018-04-04 10:43:21 +00:00			`resp.Secret.TTL = lease.Lease`
			`resp.Secret.MaxTTL = lease.LeaseMax`
logical/postgresql: leasing 2015-04-19 04:45:05 +00:00			`return resp, nil`
logical/postgresql: create DB credentials 2015-04-19 01:37:27 +00:00			`}`

			const pathRoleCreateReadHelpSyn = `
			`Request database credentials for a certain role.`
			`

			const pathRoleCreateReadHelpDesc = `
			`This path reads database credentials for a certain role. The`
			`database credentials will be generated on demand and will be automatically`
			`revoked when the lease is up.`
			`