Vendor Couchbase DB plugin v0.3.0 (#10995)

changelog/10995.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+secrets/database/couchbase: Add ability to customize dynamic usernames
+```

go.mod

@@ -83,7 +83,7 @@ require (
 	github.com/hashicorp/vault-plugin-auth-kerberos v0.2.0
 	github.com/hashicorp/vault-plugin-auth-kubernetes v0.8.0
 	github.com/hashicorp/vault-plugin-auth-oci v0.6.0
-	github.com/hashicorp/vault-plugin-database-couchbase v0.2.1
+	github.com/hashicorp/vault-plugin-database-couchbase v0.3.0
 	github.com/hashicorp/vault-plugin-database-elasticsearch v0.6.1
 	github.com/hashicorp/vault-plugin-database-mongodbatlas v0.2.1
 	github.com/hashicorp/vault-plugin-database-snowflake v0.1.1
@@ -98,7 +98,7 @@ require (
 	github.com/hashicorp/vault-plugin-secrets-openldap v0.1.6-0.20210201204049-4f0f91977798
 	github.com/hashicorp/vault-plugin-secrets-terraform v0.1.0
 	github.com/hashicorp/vault/api v1.0.5-0.20210210214158-405eced08457
-	github.com/hashicorp/vault/sdk v0.1.14-0.20210127185906-6b455835fa8c
+	github.com/hashicorp/vault/sdk v0.1.14-0.20210204230556-cf85a862b7c6
 	github.com/influxdata/influxdb v0.0.0-20190411212539-d24b7ba8c4c4
 	github.com/jcmturner/gokrb5/v8 v8.0.0
 	github.com/jefferai/isbadcipher v0.0.0-20190226160619-51d2077c035f

go.sum

@@ -535,8 +535,6 @@ github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed h1:5upAirOpQc
 github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed/go.mod h1:tMWxXQ9wFIaZeTI9F+hmhFiGpFmhOHzyShyFUhRm0H4=
 github.com/hashicorp/cap v0.0.0-20210204173447-5fcddadbf7c7 h1:6OHvaQs9ys66bR1yqHuoI231JAoalgGgxeqzQuVOfX0=
 github.com/hashicorp/cap v0.0.0-20210204173447-5fcddadbf7c7/go.mod h1:tIk5rB1nihW5+9bZjI7xlc8LGw8FYfiFMKOpHPbWgug=
-github.com/hashicorp/consul-template v0.25.2-0.20210123001810-166043f8559d h1:DSrhJ8Nqyr3oleIu0rCjRV4j6f4CJSPUp5DljXKKu4w=
-github.com/hashicorp/consul-template v0.25.2-0.20210123001810-166043f8559d/go.mod h1:kNLSN13aPJz/P0we1XNU+ZDsjkbzX+iHJ+dJOqFZck0=
 github.com/hashicorp/consul-template v0.25.2 h1:4xTeLZR/pWX2mESkXSvriOy+eI5vp9z3p7DF5wBlch0=
 github.com/hashicorp/consul-template v0.25.2/go.mod h1:5kVbPpbJvxZl3r9aV1Plqur9bszus668jkx6z2umb6o=
 github.com/hashicorp/consul/api v1.3.0/go.mod h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE=
@@ -663,8 +661,8 @@ github.com/hashicorp/vault-plugin-auth-kubernetes v0.8.0 h1:v1jOqR70chxRxONey7g/
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.8.0/go.mod h1:2c/k3nsoGPKV+zpAWCiajt4e66vncEq8Li/eKLqErAc=
 github.com/hashicorp/vault-plugin-auth-oci v0.6.0 h1:ag69AcGbWvFADQ0TQxiJiJAztCiY5/CXMItF02oi5oY=
 github.com/hashicorp/vault-plugin-auth-oci v0.6.0/go.mod h1:Cn5cjR279Y+snw8LTaiLTko3KGrbigRbsQPOd2D5xDw=
-github.com/hashicorp/vault-plugin-database-couchbase v0.2.1 h1:WIxp5tCiDZqmd01h9WCcD+wMum+A9KKi/4qIebrxWD8=
+github.com/hashicorp/vault-plugin-database-couchbase v0.3.0 h1:C3Lfwr7xtdhOTnOf+UgFZWDyBwTGqk0BuzG2GhNHD6k=
-github.com/hashicorp/vault-plugin-database-couchbase v0.2.1/go.mod h1:/746Pabh8/0b/4vEcJWYYVgiCaGgM4ntk1ULuxk9Uuw=
+github.com/hashicorp/vault-plugin-database-couchbase v0.3.0/go.mod h1:Seivjno/BOtkqX41d/DDYtTg6zNoxIgNaUVZ3ObZYi4=
 github.com/hashicorp/vault-plugin-database-elasticsearch v0.6.1 h1:C3NF3pVF7/Emxy2r6nPDkR5Njfh+uviFggcr4yHaDhs=
 github.com/hashicorp/vault-plugin-database-elasticsearch v0.6.1/go.mod h1:813Nvr1IQqAKdlk3yIY97M5WyxMhWOrXtYioPf9PqJg=
 github.com/hashicorp/vault-plugin-database-mongodbatlas v0.2.1 h1:Yc8ZJJINvCH6JcJ8uvNkZ6W33KYzVdG4zI98dvbQ8lE=

vendor/github.com/hashicorp/vault-plugin-database-couchbase/README.md

@@ -19,6 +19,8 @@ The Vault plugin system is documented on the [Vault documentation site](https://
 You will need to define a plugin directory using the `plugin_directory` configuration directive, then place the
 `vault-plugin-database-couchbase` executable generated above, into the directory.
 
+**Please note:** Versions v0.2.0 onwards of this plugin are incompatible with Vault versions before 1.6.0 due to an update of the database plugin interface.
+
 Sample commands for registering and starting to use the plugin:
 
 ```bash

vendor/github.com/hashicorp/vault-plugin-database-couchbase/couchbase.go

@@ -12,13 +12,16 @@ import (
 	hclog "github.com/hashicorp/go-hclog"
 	dbplugin "github.com/hashicorp/vault/sdk/database/dbplugin/v5"
 	"github.com/hashicorp/vault/sdk/database/helper/credsutil"
+	"github.com/hashicorp/vault/sdk/helper/strutil"
+	"github.com/hashicorp/vault/sdk/helper/template"
 )
 
 const (
 	couchbaseTypeName        = "couchbase"
 	defaultCouchbaseUserRole = `{"Roles": [{"role":"ro_admin"}]}`
 	defaultTimeout           = 20000 * time.Millisecond
-	maxKeyLength             = 64
+
+	defaultUserNameTemplate = `V_{{.DisplayName | uppercase | truncate 64}}_{{.RoleName | uppercase | truncate 64}}_{{random 20 | uppercase}}_{{unix_time}}`
 )
 
 var (
@@ -30,6 +33,8 @@ var (
 type CouchbaseDB struct {
 	*couchbaseDBConnectionProducer
 	credsutil.CredentialsProducer
+
+	usernameProducer template.StringTemplate
 }
 
 // Type that combines the Couchbase Roles and Groups representing specific account permissions. Used to pass roles and or
@@ -59,7 +64,21 @@ func new() *CouchbaseDB {
 }
 
 func (c *CouchbaseDB) Initialize(ctx context.Context, req dbplugin.InitializeRequest) (dbplugin.InitializeResponse, error) {
-	err := c.couchbaseDBConnectionProducer.Initialize(ctx, req.Config, req.VerifyConnection)
+	usernameTemplate, err := strutil.GetString(req.Config, "username_template")
+	if err != nil {
+		return dbplugin.InitializeResponse{}, fmt.Errorf("failed to retrieve username_template: %w", err)
+	}
+	if usernameTemplate == "" {
+		usernameTemplate = defaultUserNameTemplate
+	}
+
+	up, err := template.NewTemplate(template.Template(usernameTemplate))
+	if err != nil {
+		return dbplugin.InitializeResponse{}, fmt.Errorf("unable to initialize username template: %w", err)
+	}
+	c.usernameProducer = up
+
+	err = c.couchbaseDBConnectionProducer.Initialize(ctx, req.Config, req.VerifyConnection)
 	if err != nil {
 		return dbplugin.InitializeResponse{}, err
 	}
@@ -74,9 +93,7 @@ func (c *CouchbaseDB) NewUser(ctx context.Context, req dbplugin.NewUserRequest)
 	c.Lock()
 	defer c.Unlock()
 
-	username, err := credsutil.GenerateUsername(
+	username, err := c.usernameProducer.Generate(req.UsernameConfig)
-		credsutil.DisplayName(req.UsernameConfig.DisplayName, maxKeyLength),
-		credsutil.RoleName(req.UsernameConfig.RoleName, maxKeyLength))
 	if err != nil {
 		return dbplugin.NewUserResponse{}, fmt.Errorf("failed to generate username: %w", err)
 	}

vendor/github.com/hashicorp/vault-plugin-database-couchbase/go.mod

@@ -11,10 +11,11 @@ require (
 	github.com/hashicorp/errwrap v1.0.0
 	github.com/hashicorp/go-hclog v0.14.1
 	github.com/hashicorp/go-version v1.2.1
-	github.com/hashicorp/vault/sdk v0.1.14-0.20201022214319-d87657199d4b
+	github.com/hashicorp/vault/sdk v0.1.14-0.20210204230556-cf85a862b7c6
 	github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d // indirect
 	github.com/lib/pq v1.8.0 // indirect
 	github.com/mitchellh/mapstructure v1.3.3
 	github.com/ory/dockertest v3.3.5+incompatible
 	github.com/sirupsen/logrus v1.6.0 // indirect
+	github.com/stretchr/testify v1.5.1
 )

vendor/github.com/hashicorp/vault-plugin-database-couchbase/go.sum

@@ -166,6 +166,10 @@ github.com/hashicorp/vault/api v1.0.5-0.20200519221902-385fac77e20f/go.mod h1:eu
 github.com/hashicorp/vault/sdk v0.1.14-0.20200519221530-14615acda45f/go.mod h1:WX57W2PwkrOPQ6rVQk+dy5/htHIaB4aBM70EwKThu10=
 github.com/hashicorp/vault/sdk v0.1.14-0.20201022214319-d87657199d4b h1:kT0HPwthAisVgxAkm/kNGI2IHm0rAco28dOs3geL90E=
 github.com/hashicorp/vault/sdk v0.1.14-0.20201022214319-d87657199d4b/go.mod h1:cAGI4nVnEfAyMeqt9oB+Mase8DNn3qA/LDNHURiwssY=
+github.com/hashicorp/vault/sdk v0.1.14-0.20210127185906-6b455835fa8c h1:CSvbHEivYEK8njYzPB1Wn972h4U0z+xMGFZnTdVK+s4=
+github.com/hashicorp/vault/sdk v0.1.14-0.20210127185906-6b455835fa8c/go.mod h1:cAGI4nVnEfAyMeqt9oB+Mase8DNn3qA/LDNHURiwssY=
+github.com/hashicorp/vault/sdk v0.1.14-0.20210204230556-cf85a862b7c6 h1:1G91ESn5mCFH7J61P7JKMF1KVYcVsN+HCEJ1Jab4U6M=
+github.com/hashicorp/vault/sdk v0.1.14-0.20210204230556-cf85a862b7c6/go.mod h1:cAGI4nVnEfAyMeqt9oB+Mase8DNn3qA/LDNHURiwssY=
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
 github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d h1:kJCB4vdITiW1eC1vq2e6IsrXKrZit1bv/TDYFGMp4BQ=
 github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=

vendor/github.com/hashicorp/vault-plugin-database-couchbase/httputils.go

@@ -8,6 +8,8 @@ import (
 	"net/http"
 	"net/url"
 	"strings"
+	"testing"
+	"time"
 
 	"github.com/cenkalti/backoff"
 	"github.com/hashicorp/go-version"
@@ -108,15 +110,27 @@ func createGroup(hostname string, port int, adminuser, adminpassword, group, rol
 	return nil
 }
 
-func waitForBucketInstalled(address, username, password, bucket string) (bucketFound, bucketInstalled bool, err error) {
+func waitForBucket(t *testing.T, address, username, password, bucketName string) {
+	t.Logf("Waiting for bucket %s...", bucketName)
+	f := func() error {
+		return checkBucketReady(address, username, password, bucketName)
+	}
+	bo := backoff.WithMaxRetries(backoff.NewConstantBackOff(1*time.Second), 10)
+	err := backoff.Retry(f, bo)
+	if err != nil {
+		t.Fatalf("bucket %s installed check failed: %s", bucketName, err)
+	}
+}
+
+func checkBucketReady(address, username, password, bucket string) (err error) {
 	resp, err := http.Get(fmt.Sprintf("http://%s:%s@%s:8091/sampleBuckets", username, password, address))
 	if err != nil {
-		return false, false, err
+		return err
 	}
 	defer resp.Body.Close()
 	body, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
-		return false, false, err
+		return err
 	}
 
 	type installed []struct {
@@ -129,20 +143,26 @@ func waitForBucketInstalled(address, username, password, bucket string) (bucketF
 
 	err = json.Unmarshal(body, &iresult)
 	if err != nil {
-		err := backoff.PermanentError{
+		err := &backoff.PermanentError{
 			Err: fmt.Errorf("error unmarshaling JSON %s", err),
 		}
-		return false, false, &err
+		return err
 	}
 
+	bucketFound := false
 	for _, s := range iresult {
 		if s.Name == bucket {
 			bucketFound = true
 			if s.Installed == true {
-				bucketInstalled = true
+				return nil // Found & installed
 			}
 		}
-
 	}
-	return bucketFound, bucketInstalled, nil
+
+	err = fmt.Errorf("bucket not found")
+
+	if !bucketFound {
+		return backoff.Permanent(err)
+	}
+	return err
 }

vendor/modules.txt

@@ -562,7 +562,7 @@ github.com/hashicorp/vault-plugin-auth-kerberos
 github.com/hashicorp/vault-plugin-auth-kubernetes
 # github.com/hashicorp/vault-plugin-auth-oci v0.6.0
 github.com/hashicorp/vault-plugin-auth-oci
-# github.com/hashicorp/vault-plugin-database-couchbase v0.2.1
+# github.com/hashicorp/vault-plugin-database-couchbase v0.3.0
 github.com/hashicorp/vault-plugin-database-couchbase
 # github.com/hashicorp/vault-plugin-database-elasticsearch v0.6.1
 github.com/hashicorp/vault-plugin-database-elasticsearch
@@ -598,7 +598,7 @@ github.com/hashicorp/vault-plugin-secrets-openldap/client
 github.com/hashicorp/vault-plugin-secrets-terraform
 # github.com/hashicorp/vault/api v1.0.5-0.20210210214158-405eced08457 => ./api
 github.com/hashicorp/vault/api
-# github.com/hashicorp/vault/sdk v0.1.14-0.20210127185906-6b455835fa8c => ./sdk
+# github.com/hashicorp/vault/sdk v0.1.14-0.20210204230556-cf85a862b7c6 => ./sdk
 github.com/hashicorp/vault/sdk/database/dbplugin
 github.com/hashicorp/vault/sdk/database/dbplugin/v5
 github.com/hashicorp/vault/sdk/database/dbplugin/v5/proto