diff --git a/changelog/10995.txt b/changelog/10995.txt
new file mode 100644
index 000000000..bf8b41cbd
--- /dev/null
+++ b/changelog/10995.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+secrets/database/couchbase: Add ability to customize dynamic usernames
+```
diff --git a/go.mod b/go.mod
index 300a0d61e..2abcb4f92 100644
--- a/go.mod
+++ b/go.mod
@@ -83,7 +83,7 @@ require (
  github.com/hashicorp/vault-plugin-auth-kerberos v0.2.0
  github.com/hashicorp/vault-plugin-auth-kubernetes v0.8.0
  github.com/hashicorp/vault-plugin-auth-oci v0.6.0
- github.com/hashicorp/vault-plugin-database-couchbase v0.2.1
+ github.com/hashicorp/vault-plugin-database-couchbase v0.3.0
  github.com/hashicorp/vault-plugin-database-elasticsearch v0.6.1
  github.com/hashicorp/vault-plugin-database-mongodbatlas v0.2.1
  github.com/hashicorp/vault-plugin-database-snowflake v0.1.1
@@ -98,7 +98,7 @@ require (
  github.com/hashicorp/vault-plugin-secrets-openldap v0.1.6-0.20210201204049-4f0f91977798
  github.com/hashicorp/vault-plugin-secrets-terraform v0.1.0
  github.com/hashicorp/vault/api v1.0.5-0.20210210214158-405eced08457
- github.com/hashicorp/vault/sdk v0.1.14-0.20210127185906-6b455835fa8c
+ github.com/hashicorp/vault/sdk v0.1.14-0.20210204230556-cf85a862b7c6
  github.com/influxdata/influxdb v0.0.0-20190411212539-d24b7ba8c4c4
  github.com/jcmturner/gokrb5/v8 v8.0.0
  github.com/jefferai/isbadcipher v0.0.0-20190226160619-51d2077c035f
diff --git a/go.sum b/go.sum
index 7994f097f..0aeb32e3d 100644
--- a/go.sum
+++ b/go.sum
@@ -535,8 +535,6 @@ github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed h1:5upAirOpQc github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed/go.mod h1:tMWxXQ9wFIaZeTI9F+hmhFiGpFmhOHzyShyFUhRm0H4= github.com/hashicorp/cap v0.0.0-20210204173447-5fcddadbf7c7 h1:6OHvaQs9ys66bR1yqHuoI231JAoalgGgxeqzQuVOfX0= github.com/hashicorp/cap v0.0.0-20210204173447-5fcddadbf7c7/go.mod h1:tIk5rB1nihW5+9bZjI7xlc8LGw8FYfiFMKOpHPbWgug= -github.com/hashicorp/consul-template v0.25.2-0.20210123001810-166043f8559d h1:DSrhJ8Nqyr3oleIu0rCjRV4j6f4CJSPUp5DljXKKu4w= -github.com/hashicorp/consul-template v0.25.2-0.20210123001810-166043f8559d/go.mod h1:kNLSN13aPJz/P0we1XNU+ZDsjkbzX+iHJ+dJOqFZck0= github.com/hashicorp/consul-template v0.25.2 h1:4xTeLZR/pWX2mESkXSvriOy+eI5vp9z3p7DF5wBlch0= github.com/hashicorp/consul-template v0.25.2/go.mod h1:5kVbPpbJvxZl3r9aV1Plqur9bszus668jkx6z2umb6o= github.com/hashicorp/consul/api v1.3.0/go.mod h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE= 
@@ -663,8 +661,8 @@ github.com/hashicorp/vault-plugin-auth-kubernetes v0.8.0 h1:v1jOqR70chxRxONey7g/ github.com/hashicorp/vault-plugin-auth-kubernetes v0.8.0/go.mod h1:2c/k3nsoGPKV+zpAWCiajt4e66vncEq8Li/eKLqErAc= github.com/hashicorp/vault-plugin-auth-oci v0.6.0 h1:ag69AcGbWvFADQ0TQxiJiJAztCiY5/CXMItF02oi5oY= github.com/hashicorp/vault-plugin-auth-oci v0.6.0/go.mod h1:Cn5cjR279Y+snw8LTaiLTko3KGrbigRbsQPOd2D5xDw= -github.com/hashicorp/vault-plugin-database-couchbase v0.2.1 h1:WIxp5tCiDZqmd01h9WCcD+wMum+A9KKi/4qIebrxWD8= -github.com/hashicorp/vault-plugin-database-couchbase v0.2.1/go.mod h1:/746Pabh8/0b/4vEcJWYYVgiCaGgM4ntk1ULuxk9Uuw= +github.com/hashicorp/vault-plugin-database-couchbase v0.3.0 h1:C3Lfwr7xtdhOTnOf+UgFZWDyBwTGqk0BuzG2GhNHD6k= +github.com/hashicorp/vault-plugin-database-couchbase v0.3.0/go.mod h1:Seivjno/BOtkqX41d/DDYtTg6zNoxIgNaUVZ3ObZYi4= github.com/hashicorp/vault-plugin-database-elasticsearch v0.6.1 h1:C3NF3pVF7/Emxy2r6nPDkR5Njfh+uviFggcr4yHaDhs= github.com/hashicorp/vault-plugin-database-elasticsearch v0.6.1/go.mod h1:813Nvr1IQqAKdlk3yIY97M5WyxMhWOrXtYioPf9PqJg= github.com/hashicorp/vault-plugin-database-mongodbatlas v0.2.1 h1:Yc8ZJJINvCH6JcJ8uvNkZ6W33KYzVdG4zI98dvbQ8lE= diff --git a/vendor/github.com/hashicorp/vault-plugin-database-couchbase/README.md b/vendor/github.com/hashicorp/vault-plugin-database-couchbase/README.md index d69b5178e..126e3b028 100644 --- a/vendor/github.com/hashicorp/vault-plugin-database-couchbase/README.md +++ b/vendor/github.com/hashicorp/vault-plugin-database-couchbase/README.md 
@@ -19,6 +19,8 @@ The Vault plugin system is documented on the [Vault documentation site](https:// You will need to define a plugin directory using the `plugin_directory` configuration directive, then place the `vault-plugin-database-couchbase` executable generated above, into the directory. +**Please note:** Versions v0.2.0 onwards of this plugin are incompatible with Vault versions before 1.6.0 due to an update of the database plugin interface. + Sample commands for registering and starting to use the plugin: ```bash diff --git a/vendor/github.com/hashicorp/vault-plugin-database-couchbase/couchbase.go b/vendor/github.com/hashicorp/vault-plugin-database-couchbase/couchbase.go index 5f2d83c53..7a4af6850 100644 --- a/vendor/github.com/hashicorp/vault-plugin-database-couchbase/couchbase.go +++ b/vendor/github.com/hashicorp/vault-plugin-database-couchbase/couchbase.go @@ -12,13 +12,16 @@ import ( hclog "github.com/hashicorp/go-hclog" dbplugin "github.com/hashicorp/vault/sdk/database/dbplugin/v5" "github.com/hashicorp/vault/sdk/database/helper/credsutil" + "github.com/hashicorp/vault/sdk/helper/strutil" + "github.com/hashicorp/vault/sdk/helper/template" ) const ( couchbaseTypeName = "couchbase" defaultCouchbaseUserRole = `{"Roles": [{"role":"ro_admin"}]}` defaultTimeout = 20000 * time.Millisecond - maxKeyLength = 64 + + defaultUserNameTemplate = `V_{{.DisplayName | uppercase | truncate 64}}_{{.RoleName | uppercase | truncate 64}}_{{random 20 | uppercase}}_{{unix_time}}` ) var ( @@ -30,6 +33,8 @@ var ( type CouchbaseDB struct { *couchbaseDBConnectionProducer credsutil.CredentialsProducer + + usernameProducer template.StringTemplate } // Type that combines the Couchbase Roles and Groups representing specific account permissions. Used to pass roles and or 
@@ -59,7 +64,21 @@ func new() *CouchbaseDB { } func (c *CouchbaseDB) Initialize(ctx context.Context, req dbplugin.InitializeRequest) (dbplugin.InitializeResponse, error) { - err := c.couchbaseDBConnectionProducer.Initialize(ctx, req.Config, req.VerifyConnection) + usernameTemplate, err := strutil.GetString(req.Config, "username_template") + if err != nil { + return dbplugin.InitializeResponse{}, fmt.Errorf("failed to retrieve username_template: %w", err) + } + if usernameTemplate == "" { + usernameTemplate = defaultUserNameTemplate + } + + up, err := template.NewTemplate(template.Template(usernameTemplate)) + if err != nil { + return dbplugin.InitializeResponse{}, fmt.Errorf("unable to initialize username template: %w", err) + } + c.usernameProducer = up + + err = c.couchbaseDBConnectionProducer.Initialize(ctx, req.Config, req.VerifyConnection) if err != nil { return dbplugin.InitializeResponse{}, err } @@ -74,9 +93,7 @@ func (c *CouchbaseDB) NewUser(ctx context.Context, req dbplugin.NewUserRequest) c.Lock() defer c.Unlock() - username, err := credsutil.GenerateUsername( - credsutil.DisplayName(req.UsernameConfig.DisplayName, maxKeyLength), - credsutil.RoleName(req.UsernameConfig.RoleName, maxKeyLength)) + username, err := c.usernameProducer.Generate(req.UsernameConfig) if err != nil { return dbplugin.NewUserResponse{}, fmt.Errorf("failed to generate username: %w", err) } diff --git a/vendor/github.com/hashicorp/vault-plugin-database-couchbase/go.mod b/vendor/github.com/hashicorp/vault-plugin-database-couchbase/go.mod index 5f60e7ea5..8176acc33 100644 --- a/vendor/github.com/hashicorp/vault-plugin-database-couchbase/go.mod +++ b/vendor/github.com/hashicorp/vault-plugin-database-couchbase/go.mod 
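Review bot: In Initialize the operator-supplied `username_template` is only parsed by `template.NewTemplate` and never executed, so a template that parses but fails when rendered would first be reported by `Generate` in NewUser, at credential-issue time rather than at configuration time. A dry run right after the parse would surface that early: `if _, err := up.Generate(dbplugin.UsernameMetadata{}); err != nil { return dbplugin.InitializeResponse{}, fmt.Errorf("invalid username template: %w", err) }`. Nothing visible here requires a custom template to keep a random or time component, so two leases could presumably render the same Couchbase username and revoking one would remove the account the other still relies on; that constraint deserves a sentence in the `username_template` documentation. Initialize continues past the end of this hunk.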
@@ -11,10 +11,11 @@ require ( github.com/hashicorp/errwrap v1.0.0 github.com/hashicorp/go-hclog v0.14.1 github.com/hashicorp/go-version v1.2.1 - github.com/hashicorp/vault/sdk v0.1.14-0.20201022214319-d87657199d4b + github.com/hashicorp/vault/sdk v0.1.14-0.20210204230556-cf85a862b7c6 github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d // indirect github.com/lib/pq v1.8.0 // indirect github.com/mitchellh/mapstructure v1.3.3 github.com/ory/dockertest v3.3.5+incompatible github.com/sirupsen/logrus v1.6.0 // indirect + github.com/stretchr/testify v1.5.1 ) diff --git a/vendor/github.com/hashicorp/vault-plugin-database-couchbase/go.sum b/vendor/github.com/hashicorp/vault-plugin-database-couchbase/go.sum index 17ff27972..4857e1d24 100644 --- a/vendor/github.com/hashicorp/vault-plugin-database-couchbase/go.sum +++ b/vendor/github.com/hashicorp/vault-plugin-database-couchbase/go.sum 
@@ -166,6 +166,10 @@ github.com/hashicorp/vault/api v1.0.5-0.20200519221902-385fac77e20f/go.mod h1:eu github.com/hashicorp/vault/sdk v0.1.14-0.20200519221530-14615acda45f/go.mod h1:WX57W2PwkrOPQ6rVQk+dy5/htHIaB4aBM70EwKThu10= github.com/hashicorp/vault/sdk v0.1.14-0.20201022214319-d87657199d4b h1:kT0HPwthAisVgxAkm/kNGI2IHm0rAco28dOs3geL90E= github.com/hashicorp/vault/sdk v0.1.14-0.20201022214319-d87657199d4b/go.mod h1:cAGI4nVnEfAyMeqt9oB+Mase8DNn3qA/LDNHURiwssY= +github.com/hashicorp/vault/sdk v0.1.14-0.20210127185906-6b455835fa8c h1:CSvbHEivYEK8njYzPB1Wn972h4U0z+xMGFZnTdVK+s4= +github.com/hashicorp/vault/sdk v0.1.14-0.20210127185906-6b455835fa8c/go.mod h1:cAGI4nVnEfAyMeqt9oB+Mase8DNn3qA/LDNHURiwssY= +github.com/hashicorp/vault/sdk v0.1.14-0.20210204230556-cf85a862b7c6 h1:1G91ESn5mCFH7J61P7JKMF1KVYcVsN+HCEJ1Jab4U6M= +github.com/hashicorp/vault/sdk v0.1.14-0.20210204230556-cf85a862b7c6/go.mod h1:cAGI4nVnEfAyMeqt9oB+Mase8DNn3qA/LDNHURiwssY= github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d h1:kJCB4vdITiW1eC1vq2e6IsrXKrZit1bv/TDYFGMp4BQ= github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= diff --git a/vendor/github.com/hashicorp/vault-plugin-database-couchbase/httputils.go b/vendor/github.com/hashicorp/vault-plugin-database-couchbase/httputils.go index 97527c4ea..527f0f14e 100644 --- a/vendor/github.com/hashicorp/vault-plugin-database-couchbase/httputils.go +++ b/vendor/github.com/hashicorp/vault-plugin-database-couchbase/httputils.go @@ -8,6 +8,8 @@ import ( "net/http" "net/url" "strings" + "testing" + "time" "github.com/cenkalti/backoff" "github.com/hashicorp/go-version" 
@@ -108,15 +110,27 @@ func createGroup(hostname string, port int, adminuser, adminpassword, group, rol return nil } -func waitForBucketInstalled(address, username, password, bucket string) (bucketFound, bucketInstalled bool, err error) { +func waitForBucket(t *testing.T, address, username, password, bucketName string) { + t.Logf("Waiting for bucket %s...", bucketName) + f := func() error { + return checkBucketReady(address, username, password, bucketName) + } + bo := backoff.WithMaxRetries(backoff.NewConstantBackOff(1*time.Second), 10) + err := backoff.Retry(f, bo) + if err != nil { + t.Fatalf("bucket %s installed check failed: %s", bucketName, err) + } +} + +func checkBucketReady(address, username, password, bucket string) (err error) { resp, err := http.Get(fmt.Sprintf("http://%s:%s@%s:8091/sampleBuckets", username, password, address)) if err != nil { - return false, false, err + return err } defer resp.Body.Close() body, err := ioutil.ReadAll(resp.Body) if err != nil { - return false, false, err + return err } type installed []struct { @@ -129,20 +143,26 @@ func waitForBucketInstalled(address, username, password, bucket string) (bucketF err = json.Unmarshal(body, &iresult) if err != nil { - err := backoff.PermanentError{ + err := &backoff.PermanentError{ Err: fmt.Errorf("error unmarshaling JSON %s", err), } - return false, false, &err + return err } + bucketFound := false for _, s := range iresult { if s.Name == bucket { bucketFound = true if s.Installed == true { - bucketInstalled = true + return nil // Found & installed } } - } - return bucketFound, bucketInstalled, nil + + err = fmt.Errorf("bucket not found") + + if !bucketFound { + return backoff.Permanent(err) + } + return err } diff --git a/vendor/modules.txt b/vendor/modules.txt index ad35adb8b..fdfc31841 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
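Review bot: `waitForBucket` takes a `*testing.T` yet lives in httputils.go, a non-test file that is vendored here, so the `testing` import and this helper become part of the plugin package that gets compiled in. Moving `waitForBucket` and `checkBucketReady` into a `_test.go` file or a separate test-helper package upstream would keep test scaffolding out of the shipped package. The `http.Get` that `checkBucketReady` now runs under `backoff.Retry` uses the default client, which has no timeout, so any of the attempts can block indefinitely; a client built as `&http.Client{Timeout: 5 * time.Second}` (value constructed for illustration) would bound the wait. `checkBucketReady` continues beyond this hunk.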
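Review bot: The error built after the loop reads `bucket not found` in both outcomes, including the retryable one where the bucket was found but is not installed yet, so the `t.Fatalf` message printed once the retries run out points at the wrong cause. Distinct messages would fix that: `if !bucketFound { return backoff.Permanent(fmt.Errorf("bucket %q not found", bucket)) }` followed by `return fmt.Errorf("bucket %q found but not installed yet", bucket)`. The unmarshal branch also shadows the named result with `err := &backoff.PermanentError{...}`; returning `backoff.Permanent(fmt.Errorf(...))` there would match the style used lower in the function. The function starts before this hunk.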
@@ -562,7 +562,7 @@ github.com/hashicorp/vault-plugin-auth-kerberos github.com/hashicorp/vault-plugin-auth-kubernetes # github.com/hashicorp/vault-plugin-auth-oci v0.6.0 github.com/hashicorp/vault-plugin-auth-oci -# github.com/hashicorp/vault-plugin-database-couchbase v0.2.1 +# github.com/hashicorp/vault-plugin-database-couchbase v0.3.0 github.com/hashicorp/vault-plugin-database-couchbase # github.com/hashicorp/vault-plugin-database-elasticsearch v0.6.1 github.com/hashicorp/vault-plugin-database-elasticsearch @@ -598,7 +598,7 @@ github.com/hashicorp/vault-plugin-secrets-openldap/client github.com/hashicorp/vault-plugin-secrets-terraform # github.com/hashicorp/vault/api v1.0.5-0.20210210214158-405eced08457 => ./api github.com/hashicorp/vault/api -# github.com/hashicorp/vault/sdk v0.1.14-0.20210127185906-6b455835fa8c => ./sdk +# github.com/hashicorp/vault/sdk v0.1.14-0.20210204230556-cf85a862b7c6 => ./sdk github.com/hashicorp/vault/sdk/database/dbplugin github.com/hashicorp/vault/sdk/database/dbplugin/v5 github.com/hashicorp/vault/sdk/database/dbplugin/v5/proto