Commit graph

167 commits

Author SHA1 Message Date
Christopher Swenson aa6d61477e
VAULT-5827 Don't prepare SQL queries before executing them (#15166)
VAULT-5827 Don't prepare SQL queries before executing them

We don't support proper prepared statements, i.e., preparing once and
executing many times since we do our own templating. So preparing our
queries does not really accomplish anything, and can have severe
performance impacts (see
https://github.com/hashicorp/vault-plugin-database-snowflake/issues/13
for example).

This behavior seems to have been copy-pasted for many years but not for
any particular reason that we have been able to find. First use was in
https://github.com/hashicorp/vault/pull/15

So here we switch to new methods suffixed with `Direct` to indicate
that they don't `Prepare` before running `Exec`, and switch everything
here to use those. We maintain the older methods with the existing
behavior (with `Prepare`) for backwards compatibility.
2022-04-26 12:47:06 -07:00
swayne275 24d512f0d1
Cleanup bool checks (#14102)
* clean up == true cases

* cleanup == false where it didn't seem to hurt readability
2022-02-18 07:35:53 -07:00
John-Michael Faircloth 1cf74e1179
feature: multiplexing support for database plugins (#14033)
* feat: DB plugin multiplexing (#13734)

* WIP: start from main and get a plugin runner from core

* move MultiplexedClient map to plugin catalog
- call sys.NewPluginClient from PluginFactory
- updates to getPluginClient
- thread through isMetadataMode

* use go-plugin ClientProtocol interface
- call sys.NewPluginClient from dbplugin.NewPluginClient

* move PluginSets to dbplugin package
- export dbplugin HandshakeConfig
- small refactor of PluginCatalog.getPluginClient

* add removeMultiplexedClient; clean up on Close()
- call client.Kill from plugin catalog
- set rpcClient when muxed client exists

* add ID to dbplugin.DatabasePluginClient struct

* only create one plugin process per plugin type

* update NewPluginClient to return connection ID to sdk
- wrap grpc.ClientConn so we can inject the ID into context
- get ID from context on grpc server

* add v6 multiplexing  protocol version

* WIP: backwards compat for db plugins

* Ensure locking on plugin catalog access

- Create public GetPluginClient method for plugin catalog
- rename postgres db plugin

* use the New constructor for db plugins

* grpc server: use write lock for Close and rlock for CRUD

* cleanup MultiplexedClients on Close

* remove TODO

* fix multiplexing regression with grpc server connection

* cleanup grpc server instances on close

* embed ClientProtocol in Multiplexer interface

* use PluginClientConfig arg to make NewPluginClient plugin type agnostic

* create a new plugin process for non-muxed plugins

* feat: plugin multiplexing: handle plugin client cleanup (#13896)

* use closure for plugin client cleanup

* log and return errors; add comments

* move rpcClient wrapping to core for ID injection

* refactor core plugin client and sdk

* remove unused ID method

* refactor and only wrap clientConn on multiplexed plugins

* rename structs and do not export types

* Slight refactor of system view interface

* Revert "Slight refactor of system view interface"

This reverts commit 73d420e5cd2f0415e000c5a9284ea72a58016dd6.

* Revert "Revert "Slight refactor of system view interface""

This reverts commit f75527008a1db06d04a23e04c3059674be8adb5f.

* only provide pluginRunner arg to the internal newPluginClient method

* embed ClientProtocol in pluginClient and name logger

* Add back MLock support

* remove enableMlock arg from setupPluginCatalog

* rename plugin util interface to PluginClient

Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com>

* feature: multiplexing: fix unit tests (#14007)

* fix grpc_server tests and add coverage

* update run_config tests

* add happy path test case for grpc_server ID from context

* update test helpers

* feat: multiplexing: handle v5 plugin compiled with new sdk

* add mux supported flag and increase test coverage

* set multiplexingSupport field in plugin server

* remove multiplexingSupport field in sdk

* revert postgres to non-multiplexed

* add comments on grpc server fields

* use pointer receiver on grpc server methods

* add changelog

* use pointer for grpcserver instance

* Use a gRPC server to determine if a plugin should be multiplexed

* Apply suggestions from code review

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* add lock to removePluginClient

* add multiplexingSupport field to externalPlugin struct

* do not send nil to grpc MultiplexingSupport

* check err before logging

* handle locking scenario for cleanupFunc

* allow ServeConfigMultiplex to dispense v5 plugin

* reposition structs, add err check and comments

* add comment on locking for cleanupExternalPlugin

Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com>
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2022-02-17 08:50:33 -06:00
Viljo Viitanen 8b7b57f3ec
change cassandra db plugin timeout to 5s as in docs (#12443)
* fix cassandra db plugin timeout to 5s as in docs

Documentation says timeout is 5s, but code uses 0s, which is too short any any real world usage, causing issues.
https://www.vaultproject.io/api/secret/databases/cassandra#connect_timeout
issues: https://github.com/hashicorp/vault/issues/8527 https://github.com/hashicorp/vault/issues/9400

* Create 12443.txt

changelog entry
2022-02-15 07:35:44 -08:00
Gary Frederick ac4804eae8
contained_db DeleteUser unit test (#13895)
* added TestDeleteUserContainedDB | testContainedDBCredsExist helper function

* unit test contained db sanitization

Co-authored-by: Gary Frederick <imtahghost@protonmail.com>
2022-02-09 15:23:13 -08:00
Tom Proctor 5032cfaf47
Add make fmt CI check (#13803)
* Add make fmt CI check

* Don't suppress patch output
2022-01-31 23:24:16 +00:00
Gary Frederick ff7a08c364
Remove fmt strings and replace with inline queries (#13799)
* removed fmt strings and replaced with inline SQL | added unit tests

* changelog++
2022-01-27 15:20:13 -08:00
Josh Black d249fad2df
reformat using 'make fmt' (#13794) 2022-01-27 10:06:34 -08:00
Tero Saarni f4eea60799
Switch/upgrade to influxdata/influxdb1-client (#12262)
* influxdb v1 client has been split into a separate module from the main influxdb
  code base. This changes uses the correct client, which also allows us to
  get updates and avoids confusing some vulnerability scanners that flagged 
  previous version incorrectly.

Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
2022-01-25 13:30:24 -05:00
Ben Ash 9253abb2e1
Update mssql's contained_db field to accept a boolean (#13469)
Previously the `contained_db` parameter would only accept a string value
despite the fact that field type is documented as a boolean.
2021-12-20 10:04:43 -05:00
Steven Clark 2d21c00476
Add extra debugging to help identify failures within mssql test (#13142)
* Add extra debugging to help identify failures within mssql test
* Switch up the AssertInitialized method for mssql tests by marking the test as failed instead of
   immediately failing, this will also allow us to see what happens even if this assertion fails to the rest
   of the test.
2021-11-15 12:51:16 -05:00
Nick Cabatoff 83076bb58d
Set Cassandra connect timeout, not just regular timeout (#12903) 2021-10-22 11:02:28 -04:00
vinay-gopalan 1eb73d9ef4
[VAULT-3379] Add support for contained DBs in MSSQL root rotation and lease revocation (#12839) 2021-10-19 14:11:47 -07:00
Brian Kassouf c705adc79c
Fix some linting errors (#12860) 2021-10-18 17:29:47 -07:00
Calvin Leung Huang 3826042daf
test: pin docker image on postgres to 13.4-buster (#12636)
* test: pin docker image on postgres to 13.4-buster

* test: update all tests that uses postgres image to use 13.4-buster
2021-09-27 08:38:39 -07:00
Calvin Leung Huang d47db89b8b
database/cassandra: pin bitnami/cassandra docker image to 3.11 in test (#12311)
* database/cassandra: pin bitnami/cassandra docker image to 3.11 in test

* Update plugins/database/cassandra/connection_producer_test.go

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2021-08-11 19:11:12 -07:00
Nick Cabatoff 03b2208f04
Pin RabbitMQ and Cassandra docker image versions (#12174)
* Work around rabbitmq regression with UserInfo.Tags in rabbitmq 3.9: use v3.8 docker image in tests.

* Also pin cassandra docker image version to 3.11 (4.00 was making tests fail)
2021-07-27 08:45:32 -04:00
Jeff Mitchell f7147025dd
Migrate to sdk/internalshared libs in go-secure-stdlib (#12090)
* Swap sdk/helper libs to go-secure-stdlib

* Migrate to go-secure-stdlib reloadutil

* Migrate to go-secure-stdlib kv-builder

* Migrate to go-secure-stdlib gatedwriter
2021-07-15 20:17:31 -04:00
MilenaHC 3c3b6529fd
Redshift - Add username customization (#12016)
* username customization for redshift

* adding changelog and updating api-docs
2021-07-08 10:29:12 -05:00
mr-miles 9e031b5766
Mongo doesnt allow periods in usernames (#11872)
* mongo doesnt allow periods in usernames

* Update mongodb.mdx

Update template in docs

* Move replace to the end

* Adding a test for dot replacement

* Create 11872.txt
2021-06-24 13:26:31 -04:00
Michael Golowka 7f6a1739a3
Cassandra: Refactor PEM parsing logic (#11861)
* Refactor TLS parsing

The ParsePEMBundle and ParsePKIJSON functions in the certutil package assumes
both a client certificate and a custom CA are specified. Cassandra needs to
allow for either a client certificate, a custom CA, or both. This revamps the
parsing of pem_json and pem_bundle to accomodate for any of these configurations
2021-06-21 11:38:08 -06:00
Jason O'Donnell 5533b28ecf
plugins/cassandra: add tls_server_name (#11820)
* db/cassandra: add tls_server_name

* Remove changes from deprecated engine
2021-06-10 16:22:20 -04:00
MilenaHC 413f655412
InfluxDB - Add username customization (#11796)
* Add username_template to influxdb

* go fmt

* goimport for influxdb.go
2021-06-09 16:08:59 -05:00
Lars Lehtonen f7416ddc92
plugins: deprecate errwrap.Wrapf() (#11590)
* plugins/database/redshift: deprecate errwrap.Wrapf()

* plugins/database/postgresql: deprecate errwrap.Wrapf()

* plugins/database/mysql: deprecate errwrap.Wrapf()

* plugins/database/mssql: deprecate errwrap.Wrapf()

* plugins/database/mongodb: deprecate errwrap.Wrapf()

* plugins/database/influxdb: deprecate errwrap.Wrapf()
2021-05-21 10:22:29 -04:00
Michael Golowka 056a59859f
Add ability to customize some timeouts in MongoDB database plugin (#11600) 2021-05-17 11:40:35 -06:00
Michael Golowka f7e2b55ccc
Update MongoDB tests to not fail in Go 1.16 (#11533) 2021-05-12 15:22:02 -06:00
Michael Golowka 4279bc8b34
Validate hostnames when using TLS in Cassandra (#11365) 2021-04-16 15:52:35 -06:00
Michael Golowka 771b963a04
Cassandra DB plugin: Allow special chars in usernames (#11262) 2021-04-16 14:01:15 -06:00
Brian Kassouf 303c2aee7c
Run a more strict formatter over the code (#11312)
* Update tooling

* Run gofumpt

* go mod vendor
2021-04-08 09:43:39 -07:00
Johan Leinfors 820b3b1bf0
fix uninitialized tlsConfig in influxdb plugin (#10899) 2021-03-18 20:14:15 -07:00
Nick Cabatoff 6d2eb44c14
InfluxDB has released a 2.x series of docker images, which is breaking our tests. Use the 1.8 image instead. (#11005) 2021-02-25 10:50:14 -05:00
Michael Golowka e494e8a141
Cassandra - Add username customization (#10906) 2021-02-16 12:39:24 -07:00
Michael Golowka 108d4c6a68
MySQL - Add username customization (#10834) 2021-02-11 14:08:32 -07:00
Michael Golowka 34c29a38e9
MongoDB - add username customization (#10858) 2021-02-11 14:07:58 -07:00
Michael Golowka baf50061e9
MSSQL - Add username customization (#10767) 2021-02-05 11:14:24 -07:00
Michael Golowka 43a05c5e84
PostgreSQL - Add username customization (#10766) 2021-02-04 16:05:56 -07:00
Michael Golowka 075048ad27
Fix compilation of MySQL & Redshift plugins (#10640) 2021-01-04 13:44:11 -07:00
Michael Golowka 7269d32e50
InfluxDB - Check for errors in the response too (#10384) 2020-12-07 16:18:59 -07:00
Michael Golowka cc7efd393d
MySQL - Fix username generation length bug (#10433) 2020-12-01 15:24:51 -07:00
Tom Proctor 53875004df
DBPW - Migrate Redshift database plugin to v5 interface (#10195) 2020-10-23 14:10:57 +01:00
Michael Golowka e6c8ee24ea
DBPW - Enables AutoMTLS for DB plugins (#10220)
This also temporarily disables couchbase, elasticsearch, and
mongodbatlas because the `Serve` function needs to change signatures
and those plugins are vendored in from external repos, causing problems
when building.
2020-10-22 15:43:19 -06:00
Lauren Voswinkel 3328a2a2b7
Update HanaDb to v5 Database interface (#10142)
* Update HanaDb to v5 dbplugin
* Add ability to update passwords for HANA db
2020-10-21 15:55:56 -07:00
Michael Golowka 1888323243
DBPW - Copy newdbplugin package to dbplugin/v5 (#10151)
This is part 1 of 4 for renaming the `newdbplugin` package. This copies the existing package to the new location but keeps the current one in place so we can migrate the existing references over more easily.
2020-10-15 13:20:12 -06:00
Michael Golowka a62ffcab2a
DBPW - Update MSSQL to adhere to v5 Database interface (#10128) 2020-10-13 11:11:00 -06:00
Michael Golowka c8393a8006
DBPW - Update InfluxDB to adhere to v5 Database interface (#10118) 2020-10-12 15:54:26 -06:00
Michael Golowka 41149a0e7c
DBPW - Update Cassandra to adhere to v5 Database interface (#10051) 2020-10-12 14:46:17 -06:00
Lauren Voswinkel 55761c1d43
Migrate MySQL db to v5 database engine (#10110)
* Migrate MySQL db to v5 database engine
2020-10-09 10:32:38 -07:00
Michael Golowka c5472ca697
DBPW - Update PostgreSQL to adhere to v5 Database interface (#10061) 2020-10-07 12:58:11 -06:00
Michael Golowka 65a5e866e5
DBPW - Update MongoDB to adhere to v5 Database interface (#10053) 2020-10-02 15:35:11 -06:00
Lauren Voswinkel 5740e1ff9e
5844 AWS Root Credential Rotation (#9921)
* strip redundant field type declarations

* root credential rotation for aws creds plugin

* Change location of mocks awsutil and update methods that no longer exist

* Update website/pages/docs/auth/aws.mdx

Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>

* Update sdk version to get the awsutil mock file

* Re-vendor modules to pass CI

* Use write lock for the entirety of AWS root cred rotation

* Update docs for AWS root cred rotation for clarity

Co-authored-by: Becca Petrin <beccapetrin@gmail.com>
Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
2020-09-15 15:26:56 -07:00