Commit Graph

161 Commits

Author SHA1 Message Date
mr-miles 9e031b5766
Mongo doesnt allow periods in usernames (#11872)
* mongo doesnt allow periods in usernames

* Update mongodb.mdx

Update template in docs

* Move replace to the end

* Adding a test for dot replacement

* Create 11872.txt
2021-06-24 13:26:31 -04:00
Michael Golowka 7f6a1739a3
Cassandra: Refactor PEM parsing logic (#11861)
* Refactor TLS parsing

The ParsePEMBundle and ParsePKIJSON functions in the certutil package assumes
both a client certificate and a custom CA are specified. Cassandra needs to
allow for either a client certificate, a custom CA, or both. This revamps the
parsing of pem_json and pem_bundle to accomodate for any of these configurations
2021-06-21 11:38:08 -06:00
Jason O'Donnell 5533b28ecf
plugins/cassandra: add tls_server_name (#11820)
* db/cassandra: add tls_server_name

* Remove changes from deprecated engine
2021-06-10 16:22:20 -04:00
MilenaHC 413f655412
InfluxDB - Add username customization (#11796)
* Add username_template to influxdb

* go fmt

* goimport for influxdb.go
2021-06-09 16:08:59 -05:00
Lars Lehtonen f7416ddc92
plugins: deprecate errwrap.Wrapf() (#11590)
* plugins/database/redshift: deprecate errwrap.Wrapf()

* plugins/database/postgresql: deprecate errwrap.Wrapf()

* plugins/database/mysql: deprecate errwrap.Wrapf()

* plugins/database/mssql: deprecate errwrap.Wrapf()

* plugins/database/mongodb: deprecate errwrap.Wrapf()

* plugins/database/influxdb: deprecate errwrap.Wrapf()
2021-05-21 10:22:29 -04:00
Michael Golowka 056a59859f
Add ability to customize some timeouts in MongoDB database plugin (#11600) 2021-05-17 11:40:35 -06:00
Michael Golowka f7e2b55ccc
Update MongoDB tests to not fail in Go 1.16 (#11533) 2021-05-12 15:22:02 -06:00
Michael Golowka 4279bc8b34
Validate hostnames when using TLS in Cassandra (#11365) 2021-04-16 15:52:35 -06:00
Michael Golowka 771b963a04
Cassandra DB plugin: Allow special chars in usernames (#11262) 2021-04-16 14:01:15 -06:00
Brian Kassouf 303c2aee7c
Run a more strict formatter over the code (#11312)
* Update tooling

* Run gofumpt

* go mod vendor
2021-04-08 09:43:39 -07:00
Johan Leinfors 820b3b1bf0
fix uninitialized tlsConfig in influxdb plugin (#10899) 2021-03-18 20:14:15 -07:00
Nick Cabatoff 6d2eb44c14
InfluxDB has released a 2.x series of docker images, which is breaking our tests. Use the 1.8 image instead. (#11005) 2021-02-25 10:50:14 -05:00
Michael Golowka e494e8a141
Cassandra - Add username customization (#10906) 2021-02-16 12:39:24 -07:00
Michael Golowka 108d4c6a68
MySQL - Add username customization (#10834) 2021-02-11 14:08:32 -07:00
Michael Golowka 34c29a38e9
MongoDB - add username customization (#10858) 2021-02-11 14:07:58 -07:00
Michael Golowka baf50061e9
MSSQL - Add username customization (#10767) 2021-02-05 11:14:24 -07:00
Michael Golowka 43a05c5e84
PostgreSQL - Add username customization (#10766) 2021-02-04 16:05:56 -07:00
Michael Golowka 075048ad27
Fix compilation of MySQL & Redshift plugins (#10640) 2021-01-04 13:44:11 -07:00
Michael Golowka 7269d32e50
InfluxDB - Check for errors in the response too (#10384) 2020-12-07 16:18:59 -07:00
Michael Golowka cc7efd393d
MySQL - Fix username generation length bug (#10433) 2020-12-01 15:24:51 -07:00
Tom Proctor 53875004df
DBPW - Migrate Redshift database plugin to v5 interface (#10195) 2020-10-23 14:10:57 +01:00
Michael Golowka e6c8ee24ea
DBPW - Enables AutoMTLS for DB plugins (#10220)
This also temporarily disables couchbase, elasticsearch, and
mongodbatlas because the `Serve` function needs to change signatures
and those plugins are vendored in from external repos, causing problems
when building.
2020-10-22 15:43:19 -06:00
Lauren Voswinkel 3328a2a2b7
Update HanaDb to v5 Database interface (#10142)
* Update HanaDb to v5 dbplugin
* Add ability to update passwords for HANA db
2020-10-21 15:55:56 -07:00
Michael Golowka 1888323243
DBPW - Copy `newdbplugin` package to `dbplugin/v5` (#10151)
This is part 1 of 4 for renaming the `newdbplugin` package. This copies the existing package to the new location but keeps the current one in place so we can migrate the existing references over more easily.
2020-10-15 13:20:12 -06:00
Michael Golowka a62ffcab2a
DBPW - Update MSSQL to adhere to v5 Database interface (#10128) 2020-10-13 11:11:00 -06:00
Michael Golowka c8393a8006
DBPW - Update InfluxDB to adhere to v5 Database interface (#10118) 2020-10-12 15:54:26 -06:00
Michael Golowka 41149a0e7c
DBPW - Update Cassandra to adhere to v5 Database interface (#10051) 2020-10-12 14:46:17 -06:00
Lauren Voswinkel 55761c1d43
Migrate MySQL db to v5 database engine (#10110)
* Migrate MySQL db to v5 database engine
2020-10-09 10:32:38 -07:00
Michael Golowka c5472ca697
DBPW - Update PostgreSQL to adhere to v5 Database interface (#10061) 2020-10-07 12:58:11 -06:00
Michael Golowka 65a5e866e5
DBPW - Update MongoDB to adhere to v5 Database interface (#10053) 2020-10-02 15:35:11 -06:00
Lauren Voswinkel 5740e1ff9e
5844 AWS Root Credential Rotation (#9921)
* strip redundant field type declarations

* root credential rotation for aws creds plugin

* Change location of mocks awsutil and update methods that no longer exist

* Update website/pages/docs/auth/aws.mdx

Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>

* Update sdk version to get the awsutil mock file

* Re-vendor modules to pass CI

* Use write lock for the entirety of AWS root cred rotation

* Update docs for AWS root cred rotation for clarity

Co-authored-by: Becca Petrin <beccapetrin@gmail.com>
Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
2020-09-15 15:26:56 -07:00
ncabatoff b615da43d7
Run CI tests in docker instead of a machine. (#8948) 2020-09-15 10:01:26 -04:00
arnis 4deacf2b50
Conditionally overwrite TLS parameters for MySQL secrets engine (#9729)
* Conditionally overwrite TLS parameters in MySQL DSN

Overwrite MySQL TLS configuration in MySQL DSN only if have `tls_ca` or `tls_certificate_key` set
Current logic always overwrites it

* Add test for MySQL DSN with a valid TLS parameter in query string
2020-08-17 15:30:15 -07:00
cyrus-mc 193bb226a2
Merge writeOpts and tlsAuthOpts after call to ApplyURI (#9519) 2020-07-22 12:09:02 -04:00
Calvin Leung Huang c45bdca0b3
raft: add support for using backend for ha_storage (#9193)
* raft: initial work on raft ha storage support

* add note on join

* add todo note

* raft: add support for bootstrapping and joining existing nodes

* raft: gate bootstrap join by reading leader api address from storage

* raft: properly check for raft-only for certain conditionals

* raft: add bootstrap to api and cli

* raft: fix bootstrap cli command

* raft: add test for setting up new cluster with raft HA

* raft: extend TestRaft_HA_NewCluster to include inmem and consul backends

* raft: add test for updating an existing cluster to use raft HA

* raft: remove debug log lines, clean up verifyRaftPeers

* raft: minor cleanup

* raft: minor cleanup

* Update physical/raft/raft.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update vault/ha.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update vault/ha.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update vault/logical_system_raft.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update vault/raft.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update vault/raft.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* address feedback comments

* address feedback comments

* raft: refactor tls keyring logic

* address feedback comments

* Update vault/raft.go

Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>

* Update vault/raft.go

Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>

* address feedback comments

* testing: fix import ordering

* raft: rename var, cleanup comment line

* docs: remove ha_storage restriction note on raft

* docs: more raft HA interaction updates with migration and recovery mode

* docs: update the raft join command

* raft: update comments

* raft: add missing isRaftHAOnly check for clearing out state set earlier

* raft: update a few ha_storage config checks

* Update command/operator_raft_bootstrap.go

Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>

* raft: address feedback comments

* raft: fix panic when checking for config.HAStorage.Type

* Update vault/raft.go

Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>

* Update website/pages/docs/commands/operator/raft.mdx

Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>

* raft: remove bootstrap cli command

* Update vault/raft.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update vault/raft.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* raft: address review feedback

* raft: revert vendored sdk

* raft: don't send applied index and node ID info if we're HA-only

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>
Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>
2020-06-23 12:04:13 -07:00
Johnathan Schmidt ab4e072bb6
Add the static-roles feature for MSSQL (#9062) 2020-06-19 23:01:06 -07:00
Lauren Voswinkel a5ae18d285
Allow mTLS for mysql secrets engine (#9181)
* Extract certificate helpers for use in non-mongodb packages
* Created mTLS/X509 test for MySQL secrets engine.
* Ensure mysql username and passwords aren't url encoded
* Skip mTLS test for circleCI
2020-06-17 11:46:01 -07:00
Gideon 8aee6262c1
Allow InfluxDB to use insecure TLS without cert bundle (#8778)
Moves the configuration of insecure TLS and TLS version outside of the certificate bundle.
2020-06-09 10:38:58 -04:00
ncabatoff 8870b2e51c
Add mongodbatlas static roles support (#8987)
* Refactor PG container creation.
* Rework rotation tests to use shorter sleeps.
* Refactor rotation tests.
* Add a static role rotation test for MongoDB Atlas.
2020-05-29 14:21:23 -04:00
Lauren Voswinkel 4d98430964
Use parameters when executing prepared statements rather than fmt.Sprintf (#9013)
* Don't use string formatting to prepare queries.

We should, when possible, use the built-in params and ? format when
preparing and executing a query. This is done to prevent SQL Injection
attacks.

* Revert some changes due to failing tests, update mssql go driver

* Add docker container startup for some MSSQL tests

* Remove acceptance test flagging, add more SQL injection protection

* Refactor MSSQL prepareTestContainer to a test helper

Also, remove all ? references and convert them to @p*
2020-05-21 16:07:18 -07:00
Michael Golowka 8d754f552b
Enable root user credential rotation in MongoDB (#8540)
* Enable root user credential rotation in MongoDB

This takes its logic from the SetCredentials function with some changes
(ex: it's generating a password rather than taking one as a parameter).

This will error if the username isn't specified in the config. Since
Mongo defaults to unauthorized, this seemed like an easy check to make
to prevent strange behaviors when it tries to rotate the "" user.
2020-05-15 11:24:10 -06:00
Calvin Leung Huang c1ac2af9f2
database/mongodb: revert to old retry behavior (#8863)
* database/mongodb: revert to old retry behavior

* add a default case for non-EOF errors
2020-04-27 17:20:25 -07:00
Austin Gebauer 01e701f008
Fix: rotate root credentials for database plugins using WAL (#8782)
* fix: rotate root credentials for database plugins using WAL

* test: adds a test for WAL rollback logic

* fix: progress on wal rollback

* docs: updates some comments

* docs: updates some comments

* test: adds additional test coverage for WAL rollback

* chore: remove unneeded log

* style: error handling, imports, signature line wraps

* fix: always close db plugin connection
2020-04-22 16:21:28 -07:00
Becca Petrin 0e0c16b11a
Postgres: Correct parsing of multiline statements (#8512)
* add test reproducing issue

* add code fixing issue

* check for END in unquoted string frags

* move delimiters inside parens

* begin checking with stmt

* PR feedback

* fix comment

* add tests with templates

* update test name

* remove unnecessary backslashes from test
2020-03-17 12:45:25 -07:00
Michael Golowka 635b957e76
Add x509 Client Auth to MongoDB Database Plugin (#8329)
* Mark deprecated plugins as deprecated

* Add redaction capability to database plugins

* Add x509 client auth

* Update vendored files

* Add integration test for x509 client auth

* Remove redaction logic pending further discussion

* Update vendored files

* Minor updates from code review

* Updated docs with x509 client auth

* Roles are required

* Disable x509 test because it doesn't work in CircleCI

* Add timeouts for container lifetime
2020-02-13 15:54:00 -07:00
Michael Golowka ee2843a3b2
Update Oracle DB secrets docs to reflect support for static roles (#8168)
* Fix typos

* Update Oracle DB secrets docs to show support for Static Roles

* Add warning about username case sensitivity

* Remove warning about casing

* Fix typo

Co-Authored-By: Becca Petrin <beccapetrin@gmail.com>

Co-authored-by: Becca Petrin <beccapetrin@gmail.com>
2020-02-13 15:11:33 -07:00
Jeff Malnick 27ad920399
Add redshift database plugin (#8299)
* feat: add redshift database plugin

* build: update vendored libraries

* docs: add reference doc for redshift variant of the database secrets engine

* feat: set middlewear type name for better metrics naming (#8346)

Co-authored-by: Becca Petrin <beccapetrin@gmail.com>
2020-02-13 09:42:30 -08:00
Jeff Malnick f46769b441
fix: rotateStatents -> rotateStatements (#8306) 2020-02-06 14:05:00 -08:00
Clint 074f897ae4
secret/database: Guard against panic with InfluxDB plugin (#8282)
* database/influx: fix panic when trying to revoke user

Guard against other nil responses

* return an error if response is nil, which is unlikely but best safe than sorry

* refactor a deeply nested statement into a function
2020-02-05 13:49:02 -06:00
Michael Golowka 70bcd2cc05
plugins/database: Allow both {{name}} and {{username}} in MySQL & Postgres (#8240)
* Allow {{name}} or {{username}} in psql templates

* Fix default rotation bug; allow {{user}} and {{username}}
2020-02-03 13:57:28 -07:00