diff --git a/.gitignore b/.gitignore
index 400fe7bed..011a52f52 100644
--- a/.gitignore
+++ b/.gitignore
@@ -60,5 +60,3 @@ tags
 *.ipr
 *.iml
-
-testsetup.sh
diff --git a/builtin/logical/mysql/path_role_create.go b/builtin/logical/mysql/path_role_create.go
index 05b396c3a..ee6edeef7 100644
--- a/builtin/logical/mysql/path_role_create.go
+++ b/builtin/logical/mysql/path_role_create.go
@@ -127,6 +127,7 @@ func (b *backend) pathRoleCreateRead(
 "password": password,
 }, map[string]interface{}{
 "username": username,
+ "rolename": name,
 })
 resp.Secret.TTL = lease.Lease
 return resp, nil
diff --git a/builtin/logical/mysql/secret_creds.go b/builtin/logical/mysql/secret_creds.go
index ce12aacd5..492bc7d62 100644
--- a/builtin/logical/mysql/secret_creds.go
+++ b/builtin/logical/mysql/secret_creds.go
@@ -2,6 +2,7 @@ package mysql
 import (
 "fmt"
+ "log"
 "strings"
 "github.com/hashicorp/vault/helper/strutil"
@@ -24,6 +25,11 @@ func secretCreds(b *backend) *framework.Secret {
 Type: framework.TypeString,
 Description: "Password",
 },
+
+ "rolename": &framework.FieldSchema{
+ Type: framework.TypeString,
+ Description: "Rolename",
+ },
 },
 Renew: b.secretCredsRenew,
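Review bot: The `"rolename"` key written into InternalData on the added line is a bare string literal that secretCredsRevoke in secret_creds.go reads back with the same literal; if the two ever drift, revocation fails at runtime with no compile-time signal, so define it once, e.g. `const internalDataRoleName = "rolename"` at package level, and use it at both the write and the read. pathRoleCreateRead starts before and ends after this hunk, so `name` is presumably the role name the handler was invoked for; confirm it is not a user-supplied alias.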
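Review bot: The added field's `Description: "Rolename"` only restates the key and tells an operator nothing about what the value is for. Say what it records and why it is kept, e.g. `Description: "Name of the role these credentials were issued under; read back on revocation to find the role's revoke_sql",` — that is how the value is used in the secretCredsRevoke hunk of this same diff. The secretCreds body continues outside the hunk.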
@@ -63,17 +69,21 @@ func (b *backend) secretCredsRevoke(
 }
 // Get the role
- pathParts := strings.Split(req.Path, "/")
- if len(pathParts) < 1 {
- return nil, fmt.Errorf("Role name could not be determined")
+ // pathParts := strings.Split(req.Path, "/")
+ log.Println("InternalData")
+ log.Printf("%+v", req.Secret.InternalData)
+ rolenameRaw, ok := req.Secret.InternalData["rolename"]
+ if !ok {
+ return nil, fmt.Errorf("secret is missing rollname internal data")
 }
- name := pathParts[len(pathParts)-1]
- role, err := b.Role(req.Storage, name)
+ rolename, ok := rolenameRaw.(string)
+
+ role, err := b.Role(req.Storage, rolename)
 if err != nil {
 return nil, err
 }
 if role == nil {
- return logical.ErrorResponse(fmt.Sprintf("unknown role: %s", name)), nil
+ return logical.ErrorResponse(fmt.Sprintf("unknown role: %s", rolename)), nil
 }
 // Start a transaction
@@ -83,6 +93,12 @@ func (b *backend) secretCredsRevoke(
 }
 defer tx.Rollback()
+ // Check for an empty revokeSQL string
+ // set it to a default query if the string is empty
+ if role.RevokeSQL == "" {
+ role.RevokeSQL = "REVOKE ALL PRIVILEGES, GRANT OPTION FROM '" + username + "'@'%'; DROP USER '" + username + "'@'%'"
+ }
+
 for _, query := range strutil.ParseArbitraryStringSlice(role.RevokeSQL, ";") {
 query = strings.TrimSpace(query)
 if len(query) == 0 {
diff --git a/testsetup.sh b/testsetup.sh
new file mode 100755
index 000000000..b51ee6d16
--- /dev/null
+++ b/testsetup.sh
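Review bot: The type assertion `rolename, ok := rolenameRaw.(string)` never checks its `ok`; a non-string value silently becomes "" and only surfaces later as `unknown role: `, so add `if !ok { return nil, fmt.Errorf("rolename internal data is not a string") }` right after it (and fix the `rollname` typo in the message just above). The `log.Println("InternalData")` / `log.Printf("%+v", req.Secret.InternalData)` pair dumps the secret's InternalData, which per the path_role_create.go hunk carries the generated database username, to the process log on every revocation and bypasses the backend's own logger; this reads as leftover debugging and should be removed together with the commented-out `pathParts` line. Leases issued before this change presumably have no `rolename` key in InternalData and would now fail revocation permanently with that error instead of falling back to the path-derived name, so if such leases can exist, keep the old `req.Path` derivation as the fallback when the key is absent. secretCredsRevoke starts before and ends after this hunk.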
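Review bot: The default revoke statement hard-codes the `'%'` host and splices `username` in by string concatenation, whereas the role's own revoke_sql (see the commented example in testsetup.sh in this diff) uses the `{{name}}` placeholder; a role whose creation SQL bound the user to a narrower host such as `'10.0.0.1'` would presumably get `DROP USER 'x'@'%'`, which fails and leaves the MySQL account behind when the lease expires. Write the default in the same template form so it goes through the same substitution path as user-supplied SQL, and keep it in a local instead of mutating the `role` value returned by b.Role: `revokeSQL := role.RevokeSQL` then `if revokeSQL == "" { revokeSQL = "REVOKE ALL PRIVILEGES, GRANT OPTION FROM '{{name}}'@'%'; DROP USER '{{name}}'@'%'" }` and range over `revokeSQL`. The loop body that would perform the `{{name}}` substitution lies outside this hunk, so confirm it does; either way the `'%'` host assumption deserves a comment on the default, e.g. `// Default assumes the role created the user with host '%'; roles that bind a specific host must set revoke_sql.` secretCredsRevoke continues past the end of the hunk.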
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+vault mount -description="RDS DEV" -path=rds.dev mysql
+vault write rds.dev/config/connection connection_url="root:lco9Cwuoh64b97FW4nUL@tcp(rds.dev.crosschx.com:3306)/"
+vault write rds.dev/config/lease lease=10s lease_max=24h
+#vault write rds.dev/roles/identity-api-dev revoke_sql="REVOKE ALL PRIVILEGES, GRANT OPTION FROM '{{name}}'@'10.0.0.1'; DROP USER '{{name}}'@'10.0.0.1';" sql="CREATE USER '{{name}}'@'10.0.0.1' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'10.0.0.1';"
+vault write rds.dev/roles/identity-api-dev sql="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';"
+vault read rds.dev/roles/identity-api-dev
+date ; vault read rds.dev/creds/identity-api-dev
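Review bot: The `vault write rds.dev/config/connection` line commits a live root database credential and an internal hostname (`root:lco9Cwuoh64b97FW4nUL@tcp(rds.dev.crosschx.com:3306)`), and the .gitignore hunk in this same diff removes the entry that previously kept testsetup.sh out of the repository; treat that password as compromised, rotate it, and purge it from history rather than merging as-is. Read the secret from the environment instead, e.g. `connection_url="root:${MYSQL_ROOT_PASSWORD}@tcp(${MYSQL_HOST}:3306)/"`, and either restore the .gitignore entry or keep the script as an example with placeholders. The role written on the `vault write rds.dev/roles/identity-api-dev` line grants `SELECT ON *.*` to `'{{name}}'@'%'`, which is acceptable for a throwaway dev box but deserves a comment such as `# dev only: wildcard host and global SELECT; narrow both before reusing this role definition` so it is not copied elsewhere.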