backport of commit 9019203e9f052b6e58a14cbfab4a559d5e7e5883 (#23491)
Co-authored-by: Conor McCullough <103977699+conor-mccullough@users.noreply.github.com>
This commit is contained in:
hc-github-team-secure-vault-core
GitHub
parent
7624576e39
commit
c90b7cddb7
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:bug
|
||||
mongo-db: allow non-admin database for root credential rotation
|
||||
```
|
||||
|
|
@ -176,7 +176,7 @@ func (m *MongoDB) changeUserPassword(ctx context.Context, username, password str
|
|||
}
|
||||
|
||||
database := cs.Database
|
||||
if username == m.Username || database == "" {
|
||||
if database == "" {
|
||||
database = "admin"
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -27,7 +27,10 @@ import (
|
|||
"go.mongodb.org/mongo-driver/mongo/readpref"
|
||||
)
|
||||
|
||||
const mongoAdminRole = `{ "db": "admin", "roles": [ { "role": "readWrite" } ] }`
|
||||
const (
|
||||
mongoAdminRole = `{ "db": "admin", "roles": [ { "role": "readWrite" } ] }`
|
||||
mongoTestDBAdminRole = `{ "db": "test", "roles": [ { "role": "readWrite" } ] }`
|
||||
)
|
||||
|
||||
func TestMongoDB_Initialize(t *testing.T) {
|
||||
cleanup, connURL := mongodb.PrepareTestContainer(t, "latest")
|
||||
|
|
@ -119,6 +122,23 @@ func TestNewUser_usernameTemplate(t *testing.T) {
|
|||
|
||||
expectedUsernameRegex: "^[A-Z0-9]{2}_[0-9]{10}_TESTROLENAMEWITHMANYCHARACTERS_TOKEN$",
|
||||
},
|
||||
"admin in test database username template": {
|
||||
usernameTemplate: "",
|
||||
|
||||
newUserReq: dbplugin.NewUserRequest{
|
||||
UsernameConfig: dbplugin.UsernameMetadata{
|
||||
DisplayName: "token",
|
||||
RoleName: "testrolenamewithmanycharacters",
|
||||
},
|
||||
Statements: dbplugin.Statements{
|
||||
Commands: []string{mongoTestDBAdminRole},
|
||||
},
|
||||
Password: "98yq3thgnakjsfhjkl",
|
||||
Expiration: time.Now().Add(time.Minute),
|
||||
},
|
||||
|
||||
expectedUsernameRegex: "^v-token-testrolenamewit-[a-zA-Z0-9]{20}-[0-9]{10}$",
|
||||
},
|
||||
}
|
||||
|
||||
for name, test := range tests {
|
||||
|
|
@ -126,6 +146,10 @@ func TestNewUser_usernameTemplate(t *testing.T) {
|
|||
cleanup, connURL := mongodb.PrepareTestContainer(t, "latest")
|
||||
defer cleanup()
|
||||
|
||||
if name == "admin in test database username template" {
|
||||
connURL = connURL + "/test?authSource=test"
|
||||
}
|
||||
|
||||
db := new()
|
||||
defer dbtesting.AssertClose(t, db)
|
||||
|
||||
|
|
@ -290,6 +314,39 @@ func TestMongoDB_UpdateUser_Password(t *testing.T) {
|
|||
assertCredsExist(t, dbUser, newPassword, connURL)
|
||||
}
|
||||
|
||||
func TestMongoDB_RotateRoot_NonAdminDB(t *testing.T) {
|
||||
cleanup, connURL := mongodb.PrepareTestContainer(t, "latest")
|
||||
defer cleanup()
|
||||
|
||||
connURL = connURL + "/test?authSource=test"
|
||||
db := new()
|
||||
defer dbtesting.AssertClose(t, db)
|
||||
|
||||
initReq := dbplugin.InitializeRequest{
|
||||
Config: map[string]interface{}{
|
||||
"connection_url": connURL,
|
||||
},
|
||||
VerifyConnection: true,
|
||||
}
|
||||
dbtesting.AssertInitialize(t, db, initReq)
|
||||
|
||||
dbUser := "testmongouser"
|
||||
startingPassword := "password"
|
||||
createDBUser(t, connURL, "test", dbUser, startingPassword)
|
||||
|
||||
newPassword := "myreallysecurecredentials"
|
||||
|
||||
updateReq := dbplugin.UpdateUserRequest{
|
||||
Username: dbUser,
|
||||
Password: &dbplugin.ChangePassword{
|
||||
NewPassword: newPassword,
|
||||
},
|
||||
}
|
||||
dbtesting.AssertUpdateUser(t, db, updateReq)
|
||||
|
||||
assertCredsExist(t, dbUser, newPassword, connURL)
|
||||
}
|
||||
|
||||
func TestGetTLSAuth(t *testing.T) {
|
||||
ca := certhelpers.NewCert(t,
|
||||
certhelpers.CommonName("certificate authority"),
|
||||
|
|
|
|||
Loading…
Reference in New Issue