open-vault/builtin/logical/database/path_rotate_credentials.go

package database

import (
	"context"
	"fmt"

	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

func pathRotateCredentials(b *databaseBackend) *framework.Path {
	return &framework.Path{
		Pattern: "rotate-root/" + framework.GenericNameRegex("name"),
		Fields: map[string]*framework.FieldSchema{
			"name": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Name of this database connection",
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.ReadOperation: b.pathRotateCredentialsUpdate(),
		},

		HelpSynopsis:    pathCredsCreateReadHelpSyn,
		HelpDescription: pathCredsCreateReadHelpDesc,
	}
}

func (b *databaseBackend) pathRotateCredentialsUpdate() framework.OperationFunc {
	return func(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
		name := data.Get("name").(string)
		if name == "" {
			return logical.ErrorResponse(respErrEmptyName), nil
		}

		config, err := b.DatabaseConfig(ctx, req.Storage, name)
		if err != nil {
			return nil, err
		}

		db, err := b.GetConnection(ctx, req.Storage, name)
		if err != nil {
			return nil, err
		}

		// Take the write lock instead of read since we are updating the
		// connection
		db.Lock()
		defer db.Unlock()

		connectionDetails, err := db.RotateRootCredentials(ctx, config.RootCredentialsRotateStatements)
		if err != nil {
			return nil, err
		}

		config.ConnectionDetails = connectionDetails
		entry, err := logical.StorageEntryJSON(fmt.Sprintf("config/%s", name), config)
		if err != nil {
			return nil, err
		}
		if err := req.Storage.Put(ctx, entry); err != nil {
			return nil, err
		}

		if err := b.ClearConnection(name); err != nil {
			return nil, err
		}

		return nil, nil
	}
}

const pathRotateCredentialsUpdateHelpSyn = `
Request to rotate the root credentials for a certain database connection.
`

const pathRotateCredentialsUpdateHelpDesc = `
This path attempts to rotate the root credentials for the given database. 
`
Database Root Credential Rotation (#3976) * redoing connection handling * a little more cleanup * empty implementation of rotation * updating rotate signature * signature update * updating interfaces again :( * changing back to interface * adding templated url support and rotation for postgres * adding correct username * return updates * updating statements to be a list * adding error sanitizing middleware * fixing log sanitizier * adding postgres rotate test * removing conf from rotate * adding rotate command * adding mysql rotate * finishing up the endpoint in the db backend for rotate * no more structs, just store raw config * fixing tests * adding db instance lock * adding support for statement list in cassandra * wip redoing interface to support BC * adding falllback for Initialize implementation * adding backwards compat for statements * fix tests * fix more tests * fixing up tests, switching to new fields in statements * fixing more tests * adding mssql and mysql * wrapping all the things in middleware, implementing templating for mongodb * wrapping all db servers with error santizer * fixing test * store the name with the db instance * adding rotate to cassandra * adding compatibility translation to both server and plugin * reordering a few things * store the name with the db instance * reordering * adding a few more tests * switch secret values from slice to map * addressing some feedback * reinstate execute plugin after resetting connection * set database connection to closed * switching secret values func to map[string]interface for potential future uses * addressing feedback 2018-03-21 19:05:56 +00:00			`package database`

			`import (`
			`"context"`
			`"fmt"`

			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

			`func pathRotateCredentials(b databaseBackend) framework.Path {`
			`return &framework.Path{`
			`Pattern: "rotate-root/" + framework.GenericNameRegex("name"),`
			`Fields: map[string]*framework.FieldSchema{`
			`"name": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Name of this database connection",`
			`},`
			`},`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
			`logical.ReadOperation: b.pathRotateCredentialsUpdate(),`
			`},`

			`HelpSynopsis: pathCredsCreateReadHelpSyn,`
			`HelpDescription: pathCredsCreateReadHelpDesc,`
			`}`
			`}`

			`func (b *databaseBackend) pathRotateCredentialsUpdate() framework.OperationFunc {`
			`return func(ctx context.Context, req logical.Request, data framework.FieldData) (*logical.Response, error) {`
			`name := data.Get("name").(string)`
			`if name == "" {`
			`return logical.ErrorResponse(respErrEmptyName), nil`
			`}`

			`config, err := b.DatabaseConfig(ctx, req.Storage, name)`
			`if err != nil {`
			`return nil, err`
			`}`

			`db, err := b.GetConnection(ctx, req.Storage, name)`
			`if err != nil {`
			`return nil, err`
			`}`

			`// Take the write lock instead of read since we are updating the`
			`// connection`
			`db.Lock()`
			`defer db.Unlock()`

			`connectionDetails, err := db.RotateRootCredentials(ctx, config.RootCredentialsRotateStatements)`
			`if err != nil {`
			`return nil, err`
			`}`

			`config.ConnectionDetails = connectionDetails`
			`entry, err := logical.StorageEntryJSON(fmt.Sprintf("config/%s", name), config)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if err := req.Storage.Put(ctx, entry); err != nil {`
			`return nil, err`
			`}`

			`if err := b.ClearConnection(name); err != nil {`
			`return nil, err`
			`}`

			`return nil, nil`
			`}`
			`}`

			const pathRotateCredentialsUpdateHelpSyn = `
			`Request to rotate the root credentials for a certain database connection.`
			`

			const pathRotateCredentialsUpdateHelpDesc = `
			`This path attempts to rotate the root credentials for the given database.`
			`