luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

backport of commit 9019203e9f052b6e58a14cbfab4a559d5e7e5883 (#23491) 

Co-authored-by: Conor McCullough <103977699+conor-mccullough@users.noreply.github.com>
This commit is contained in:
hc-github-team-secure-vault-core 2023-10-04 10:13:33 -04:00 committed by GitHub
parent 7624576e39
commit c90b7cddb7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 62 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
changelog/23240.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:bug
mongo-db: allow non-admin database for root credential rotation
```

2
plugins/database/mongodb/mongodb.go
View File

@ -176,7 +176,7 @@ func (m *MongoDB) changeUserPassword(ctx context.Context, username, password str
} }
database := cs.Database database := cs.Database
if username == m.Username || database == "" { if database == "" {
database = "admin" database = "admin"
} }

59
plugins/database/mongodb/mongodb_test.go
View File

@ -27,7 +27,10 @@ import (
"go.mongodb.org/mongo-driver/mongo/readpref" "go.mongodb.org/mongo-driver/mongo/readpref"
) )
const mongoAdminRole = `{ "db": "admin", "roles": [ { "role": "readWrite" } ] }` const (
mongoAdminRole = `{ "db": "admin", "roles": [ { "role": "readWrite" } ] }`
mongoTestDBAdminRole = `{ "db": "test", "roles": [ { "role": "readWrite" } ] }`
)
func TestMongoDB_Initialize(t *testing.T) { func TestMongoDB_Initialize(t *testing.T) {
cleanup, connURL := mongodb.PrepareTestContainer(t, "latest") cleanup, connURL := mongodb.PrepareTestContainer(t, "latest")
@ -119,6 +122,23 @@ func TestNewUser_usernameTemplate(t *testing.T) {
expectedUsernameRegex: "^[A-Z0-9]{2}_[0-9]{10}_TESTROLENAMEWITHMANYCHARACTERS_TOKEN$", expectedUsernameRegex: "^[A-Z0-9]{2}_[0-9]{10}_TESTROLENAMEWITHMANYCHARACTERS_TOKEN$",
}, },
"admin in test database username template": {
usernameTemplate: "",
newUserReq: dbplugin.NewUserRequest{
UsernameConfig: dbplugin.UsernameMetadata{
DisplayName: "token",
RoleName: "testrolenamewithmanycharacters",
},
Statements: dbplugin.Statements{
Commands: []string{mongoTestDBAdminRole},
},
Password: "98yq3thgnakjsfhjkl",
Expiration: time.Now().Add(time.Minute),
},
expectedUsernameRegex: "^v-token-testrolenamewit-[a-zA-Z0-9]{20}-[0-9]{10}$",
},
} }
for name, test := range tests { for name, test := range tests {
@ -126,6 +146,10 @@ func TestNewUser_usernameTemplate(t *testing.T) {
cleanup, connURL := mongodb.PrepareTestContainer(t, "latest") cleanup, connURL := mongodb.PrepareTestContainer(t, "latest")
defer cleanup() defer cleanup()
if name == "admin in test database username template" {
connURL = connURL + "/test?authSource=test"
}
db := new() db := new()
defer dbtesting.AssertClose(t, db) defer dbtesting.AssertClose(t, db)
@ -290,6 +314,39 @@ func TestMongoDB_UpdateUser_Password(t *testing.T) {
assertCredsExist(t, dbUser, newPassword, connURL) assertCredsExist(t, dbUser, newPassword, connURL)
} }
func TestMongoDB_RotateRoot_NonAdminDB(t *testing.T) {
cleanup, connURL := mongodb.PrepareTestContainer(t, "latest")
defer cleanup()
connURL = connURL + "/test?authSource=test"
db := new()
defer dbtesting.AssertClose(t, db)
initReq := dbplugin.InitializeRequest{
Config: map[string]interface{}{
"connection_url": connURL,
},
VerifyConnection: true,
}
dbtesting.AssertInitialize(t, db, initReq)
dbUser := "testmongouser"
startingPassword := "password"
createDBUser(t, connURL, "test", dbUser, startingPassword)
newPassword := "myreallysecurecredentials"
updateReq := dbplugin.UpdateUserRequest{
Username: dbUser,
Password: &dbplugin.ChangePassword{
NewPassword: newPassword,
},
}
dbtesting.AssertUpdateUser(t, db, updateReq)
assertCredsExist(t, dbUser, newPassword, connURL)
}
func TestGetTLSAuth(t *testing.T) { func TestGetTLSAuth(t *testing.T) {
ca := certhelpers.NewCert(t, ca := certhelpers.NewCert(t,
certhelpers.CommonName("certificate authority"), certhelpers.CommonName("certificate authority"),