2019-04-15 15:36:10 +00:00
|
|
|
package dbplugin
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"fmt"
|
|
|
|
|
"time"
|
|
|
|
|
|
|
|
|
|
"google.golang.org/grpc"
|
|
|
|
|
|
|
|
|
|
"github.com/hashicorp/errwrap"
|
|
|
|
|
log "github.com/hashicorp/go-hclog"
|
|
|
|
|
plugin "github.com/hashicorp/go-plugin"
|
|
|
|
|
"github.com/hashicorp/vault/sdk/helper/consts"
|
|
|
|
|
"github.com/hashicorp/vault/sdk/helper/pluginutil"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// Database is the interface that all database objects must implement.
|
|
|
|
|
type Database interface {
|
2019-04-15 16:14:20 +00:00
|
|
|
// Type returns the TypeName for the particular database backend
|
|
|
|
|
// implementation. This type name is usually set as a constant within the
|
|
|
|
|
// database backend implementation, e.g. "mysql" for the MySQL database
|
|
|
|
|
// backend.
|
2019-04-15 15:36:10 +00:00
|
|
|
Type() (string, error)
|
2019-04-15 16:14:20 +00:00
|
|
|
|
|
|
|
|
// CreateUser is called on `$ vault read database/creds/:role-name` and it's
|
|
|
|
|
// also the first time anything is touched from `$ vault write
|
|
|
|
|
// database/roles/:role-name`. This is likely to be the highest-throughput
|
|
|
|
|
// method for most plugins.
|
2019-04-15 15:36:10 +00:00
|
|
|
CreateUser(ctx context.Context, statements Statements, usernameConfig UsernameConfig, expiration time.Time) (username string, password string, err error)
|
2019-04-15 16:14:20 +00:00
|
|
|
|
|
|
|
|
// RenewUser is triggered by a renewal call to the API. In many database
|
|
|
|
|
// backends, this triggers a call on the underlying database that extends a
|
|
|
|
|
// VALID UNTIL clause on a user. However, if no such need exists, setting
|
|
|
|
|
// this as a NO-OP means that when renewal is called, the lease renewal time
|
|
|
|
|
// is pushed further out as appropriate, thus pushing out the time until the
|
|
|
|
|
// RevokeUser method is called.
|
2019-04-15 15:36:10 +00:00
|
|
|
RenewUser(ctx context.Context, statements Statements, username string, expiration time.Time) error
|
2019-04-15 16:14:20 +00:00
|
|
|
|
|
|
|
|
// RevokeUser is triggered either automatically by a lease expiration, or by
|
|
|
|
|
// a revocation call to the API.
|
2019-04-15 15:36:10 +00:00
|
|
|
RevokeUser(ctx context.Context, statements Statements, username string) error
|
|
|
|
|
|
2019-04-15 16:14:20 +00:00
|
|
|
// RotateRootCredentials is triggered by a root credential rotation call to
|
|
|
|
|
// the API.
|
2019-04-15 15:36:10 +00:00
|
|
|
RotateRootCredentials(ctx context.Context, statements []string) (config map[string]interface{}, err error)
|
|
|
|
|
|
Combined Database Backend: Static Accounts (#6834)
* Add priority queue to sdk
* fix issue of storing pointers and now copy
* update to use copy structure
* Remove file, put Item struct def. into other file
* add link
* clean up docs
* refactor internal data structure to hide heap method implementations. Other cleanup after feedback
* rename PushItem and PopItem to just Push/Pop, after encapsulating the heap methods
* updates after feedback
* refactoring/renaming
* guard against pushing a nil item
* minor updates after feedback
* Add SetCredentials, GenerateCredentials gRPC methods to combined database backend gPRC
* Initial Combined database backend implementation of static accounts and automatic rotation
* vendor updates
* initial implementation of static accounts with Combined database backend, starting with PostgreSQL implementation
* add lock and setup of rotation queue
* vendor the queue
* rebase on new method signature of queue
* remove mongo tests for now
* update default role sql
* gofmt after rebase
* cleanup after rebasing to remove checks for ErrNotFound error
* rebase cdcr-priority-queue
* vendor dependencies with 'go mod vendor'
* website database docs for Static Role support
* document the rotate-role API endpoint
* postgres specific static role docs
* use constants for paths
* updates from review
* remove dead code
* combine and clarify error message for older plugins
* Update builtin/logical/database/backend.go
Co-Authored-By: Jim Kalafut <jim@kalafut.net>
* cleanups from feedback
* code and comment cleanups
* move db.RLock higher to protect db.GenerateCredentials call
* Return output with WALID if we failed to delete the WAL
* Update builtin/logical/database/path_creds_create.go
Co-Authored-By: Jim Kalafut <jim@kalafut.net>
* updates after running 'make fmt'
* update after running 'make proto'
* Update builtin/logical/database/path_roles.go
Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>
* Update builtin/logical/database/path_roles.go
Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>
* update comment and remove and rearrange some dead code
* Update website/source/api/secret/databases/index.html.md
Co-Authored-By: Jim Kalafut <jim@kalafut.net>
* cleanups after review
* Update sdk/database/dbplugin/grpc_transport.go
Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>
* code cleanup after feedback
* remove PasswordLastSet; it's not used
* document GenerateCredentials and SetCredentials
* Update builtin/logical/database/path_rotate_credentials.go
Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>
* wrap pop and popbykey in backend methods to protect against nil cred rotation queue
* use strings.HasPrefix instead of direct equality check for path
* Forgot to commit this
* updates after feedback
* re-purpose an outdated test to now check that static and dynamic roles cannot share a name
* check for unique name across dynamic and static roles
* refactor loadStaticWALs to return a map of name/setCredentialsWAL struct to consolidate where we're calling set credentials
* remove commented out code
* refactor to have loadstaticwals filter out wals for roles that no longer exist
* return error if nil input given
* add nil check for input into setStaticAccount
* Update builtin/logical/database/path_roles.go
Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>
* add constant for queue tick time in seconds, used for comparrison in updates
* Update builtin/logical/database/path_roles.go
Co-Authored-By: Jim Kalafut <jim@kalafut.net>
* code cleanup after review
* remove misplaced code comment
* remove commented out code
* create a queue in the Factory method, even if it's never used
* update path_roles to use a common set of fields, with specific overrides for dynamic/static roles by type
* document new method
* move rotation things into a specific file
* rename test file and consolidate some static account tests
* Update builtin/logical/database/path_roles.go
Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>
* Update builtin/logical/database/rotation.go
Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>
* Update builtin/logical/database/rotation.go
Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>
* Update builtin/logical/database/rotation.go
Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>
* Update builtin/logical/database/rotation.go
Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>
* Update builtin/logical/database/rotation.go
Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>
* update code comments, method names, and move more methods into rotation.go
* update comments to be capitalized
* remove the item from the queue before we try to destroy it
* findStaticWAL returns an error
* use lowercase keys when encoding WAL entries
* small cleanups
* remove vestigial static account check
* remove redundant DeleteWAL call in populate queue
* if we error on loading role, push back to queue with 10 second backoff
* poll in initqueue to make sure the backend is setup and can write/delete data
* add revoke_user_on_delete flag to allow users to opt-in to revoking the static database user on delete of the Vault role. Default false
* add code comments on read-only loop
* code comment updates
* re-push if error returned from find static wal
* add locksutil and acquire locks when pop'ing from the queue
* grab exclusive locks for updating static roles
* Add SetCredentials and GenerateCredentials stubs to mockPlugin
* add a switch in initQueue to listen for cancelation
* remove guard on zero time, it should have no affect
* create a new context in Factory to pass on and use for closing the backend queue
* restore master copy of vendor dir
2019-06-19 19:45:39 +00:00
|
|
|
// GenerateCredentials returns a generated password for the plugin. This is
|
|
|
|
|
// used in combination with SetCredentials to set a specific password for a
|
|
|
|
|
// database user and preserve the password in WAL entries.
|
|
|
|
|
GenerateCredentials(ctx context.Context) (string, error)
|
|
|
|
|
|
|
|
|
|
// SetCredentials uses provided information to create or set the credentials
|
|
|
|
|
// for a database user. Unlike CreateUser, this method requires both a
|
|
|
|
|
// username and a password given instead of generating them. This is used for
|
|
|
|
|
// creating and setting the password of static accounts, as well as rolling
|
|
|
|
|
// back passwords in the database in the event an updated database fails to
|
|
|
|
|
// save in Vault's storage.
|
|
|
|
|
SetCredentials(ctx context.Context, statements Statements, staticConfig StaticUserConfig) (username string, password string, err error)
|
|
|
|
|
|
2019-04-15 16:14:20 +00:00
|
|
|
// Init is called on `$ vault write database/config/:db-name`, or when you
|
|
|
|
|
// do a creds call after Vault's been restarted. The config provided won't
|
|
|
|
|
// hold all the keys and values provided in the API call, some will be
|
|
|
|
|
// stripped by the database engine before the config is provided. The config
|
|
|
|
|
// returned will be stored, which will persist it across shutdowns.
|
2019-04-15 15:36:10 +00:00
|
|
|
Init(ctx context.Context, config map[string]interface{}, verifyConnection bool) (saveConfig map[string]interface{}, err error)
|
2019-04-15 16:14:20 +00:00
|
|
|
|
|
|
|
|
// Close attempts to close the underlying database connection that was
|
|
|
|
|
// established by the backend.
|
2019-04-15 15:36:10 +00:00
|
|
|
Close() error
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// PluginFactory is used to build plugin database types. It wraps the database
|
|
|
|
|
// object in a logging and metrics middleware.
|
|
|
|
|
func PluginFactory(ctx context.Context, pluginName string, sys pluginutil.LookRunnerUtil, logger log.Logger) (Database, error) {
|
|
|
|
|
// Look for plugin in the plugin catalog
|
|
|
|
|
pluginRunner, err := sys.LookupPlugin(ctx, pluginName, consts.PluginTypeDatabase)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
namedLogger := logger.Named(pluginName)
|
|
|
|
|
|
|
|
|
|
var transport string
|
|
|
|
|
var db Database
|
|
|
|
|
if pluginRunner.Builtin {
|
|
|
|
|
// Plugin is builtin so we can retrieve an instance of the interface
|
|
|
|
|
// from the pluginRunner. Then cast it to a Database.
|
|
|
|
|
dbRaw, err := pluginRunner.BuiltinFactory()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errwrap.Wrapf("error initializing plugin: {{err}}", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var ok bool
|
|
|
|
|
db, ok = dbRaw.(Database)
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil, fmt.Errorf("unsupported database type: %q", pluginName)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
transport = "builtin"
|
|
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
// create a DatabasePluginClient instance
|
|
|
|
|
db, err = NewPluginClient(ctx, sys, pluginRunner, namedLogger, false)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Switch on the underlying database client type to get the transport
|
|
|
|
|
// method.
|
|
|
|
|
switch db.(*DatabasePluginClient).Database.(type) {
|
|
|
|
|
case *gRPCClient:
|
|
|
|
|
transport = "gRPC"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
typeStr, err := db.Type()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errwrap.Wrapf("error getting plugin type: {{err}}", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Wrap with metrics middleware
|
|
|
|
|
db = &databaseMetricsMiddleware{
|
|
|
|
|
next: db,
|
|
|
|
|
typeStr: typeStr,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Wrap with tracing middleware
|
|
|
|
|
if namedLogger.IsTrace() {
|
|
|
|
|
db = &databaseTracingMiddleware{
|
|
|
|
|
next: db,
|
|
|
|
|
logger: namedLogger.With("transport", transport),
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return db, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// handshakeConfigs are used to just do a basic handshake between
|
|
|
|
|
// a plugin and host. If the handshake fails, a user friendly error is shown.
|
|
|
|
|
// This prevents users from executing bad plugins or executing a plugin
|
|
|
|
|
// directory. It is a UX feature, not a security feature.
|
|
|
|
|
var handshakeConfig = plugin.HandshakeConfig{
|
|
|
|
|
ProtocolVersion: 4,
|
|
|
|
|
MagicCookieKey: "VAULT_DATABASE_PLUGIN",
|
|
|
|
|
MagicCookieValue: "926a0820-aea2-be28-51d6-83cdf00e8edb",
|
|
|
|
|
}
|
|
|
|
|
|
2021-04-08 16:43:39 +00:00
|
|
|
var (
|
|
|
|
|
_ plugin.Plugin = &GRPCDatabasePlugin{}
|
|
|
|
|
_ plugin.GRPCPlugin = &GRPCDatabasePlugin{}
|
|
|
|
|
)
|
2019-04-15 15:36:10 +00:00
|
|
|
|
|
|
|
|
// GRPCDatabasePlugin is the plugin.Plugin implementation that only supports GRPC
|
|
|
|
|
// transport
|
|
|
|
|
type GRPCDatabasePlugin struct {
|
|
|
|
|
Impl Database
|
|
|
|
|
|
|
|
|
|
// Embeding this will disable the netRPC protocol
|
|
|
|
|
plugin.NetRPCUnsupportedPlugin
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (d GRPCDatabasePlugin) GRPCServer(_ *plugin.GRPCBroker, s *grpc.Server) error {
|
|
|
|
|
impl := &DatabaseErrorSanitizerMiddleware{
|
|
|
|
|
next: d.Impl,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
RegisterDatabaseServer(s, &gRPCServer{impl: impl})
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (GRPCDatabasePlugin) GRPCClient(doneCtx context.Context, _ *plugin.GRPCBroker, c *grpc.ClientConn) (interface{}, error) {
|
|
|
|
|
return &gRPCClient{
|
|
|
|
|
client: NewDatabaseClient(c),
|
|
|
|
|
clientConn: c,
|
|
|
|
|
doneCtx: doneCtx,
|
|
|
|
|
}, nil
|
|
|
|
|
}
|