package influxdb import ( "context" "strings" "time" multierror "github.com/hashicorp/go-multierror" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/sdk/database/dbplugin" "github.com/hashicorp/vault/sdk/database/helper/credsutil" "github.com/hashicorp/vault/sdk/database/helper/dbutil" "github.com/hashicorp/vault/sdk/helper/strutil" influx "github.com/influxdata/influxdb/client/v2" ) const ( defaultUserCreationIFQL = `CREATE USER "{{username}}" WITH PASSWORD '{{password}}';` defaultUserDeletionIFQL = `DROP USER "{{username}}";` defaultRootCredentialRotationIFQL = `SET PASSWORD FOR "{{username}}" = '{{password}}';` influxdbTypeName = "influxdb" ) var _ dbplugin.Database = &Influxdb{} // Influxdb is an implementation of Database interface type Influxdb struct { *influxdbConnectionProducer credsutil.CredentialsProducer } // New returns a new Cassandra instance func New() (interface{}, error) { db := new() dbType := dbplugin.NewDatabaseErrorSanitizerMiddleware(db, db.secretValues) return dbType, nil } func new() *Influxdb { connProducer := &influxdbConnectionProducer{} connProducer.Type = influxdbTypeName credsProducer := &credsutil.SQLCredentialsProducer{ DisplayNameLen: 15, RoleNameLen: 15, UsernameLen: 100, Separator: "_", } return &Influxdb{ influxdbConnectionProducer: connProducer, CredentialsProducer: credsProducer, } } // Run instantiates a Influxdb object, and runs the RPC server for the plugin func Run(apiTLSConfig *api.TLSConfig) error { dbType, err := New() if err != nil { return err } dbplugin.Serve(dbType.(dbplugin.Database), api.VaultPluginTLSProvider(apiTLSConfig)) return nil } // Type returns the TypeName for this backend func (i *Influxdb) Type() (string, error) { return influxdbTypeName, nil } func (i *Influxdb) getConnection(ctx context.Context) (influx.Client, error) { cli, err := i.Connection(ctx) if err != nil { return nil, err } return cli.(influx.Client), nil } // CreateUser generates the username/password on the underlying Influxdb secret backend as instructed by // the CreationStatement provided. func (i *Influxdb) CreateUser(ctx context.Context, statements dbplugin.Statements, usernameConfig dbplugin.UsernameConfig, expiration time.Time) (username string, password string, err error) { // Grab the lock i.Lock() defer i.Unlock() statements = dbutil.StatementCompatibilityHelper(statements) // Get the connection cli, err := i.getConnection(ctx) if err != nil { return "", "", err } creationIFQL := statements.Creation if len(creationIFQL) == 0 { creationIFQL = []string{defaultUserCreationIFQL} } rollbackIFQL := statements.Rollback if len(rollbackIFQL) == 0 { rollbackIFQL = []string{defaultUserDeletionIFQL} } username, err = i.GenerateUsername(usernameConfig) username = strings.Replace(username, "-", "_", -1) if err != nil { return "", "", err } username = strings.ToLower(username) password, err = i.GeneratePassword() if err != nil { return "", "", err } // Execute each query for _, stmt := range creationIFQL { for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") { query = strings.TrimSpace(query) if len(query) == 0 { continue } q := influx.NewQuery(dbutil.QueryHelper(query, map[string]string{ "username": username, "password": password, }), "", "") response, err := cli.Query(q) if err != nil { if response != nil && response.Error() != nil { attemptRollback(cli, username, rollbackIFQL) } return "", "", err } } } return username, password, nil } // attemptRollback will attempt to roll back user creation if an error occurs in // CreateUser func attemptRollback(cli influx.Client, username string, rollbackStatements []string) error { for _, stmt := range rollbackStatements { for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") { query = strings.TrimSpace(query) if len(query) == 0 { continue } q := influx.NewQuery(dbutil.QueryHelper(query, map[string]string{ "username": username, }), "", "") response, err := cli.Query(q) if err != nil { if response != nil && response.Error() != nil { return err } } } } return nil } // RenewUser is not supported on Influxdb, so this is a no-op. func (i *Influxdb) RenewUser(ctx context.Context, statements dbplugin.Statements, username string, expiration time.Time) error { // NOOP return nil } // RevokeUser attempts to drop the specified user. func (i *Influxdb) RevokeUser(ctx context.Context, statements dbplugin.Statements, username string) error { // Grab the lock i.Lock() defer i.Unlock() statements = dbutil.StatementCompatibilityHelper(statements) cli, err := i.getConnection(ctx) if err != nil { return err } revocationIFQL := statements.Revocation if len(revocationIFQL) == 0 { revocationIFQL = []string{defaultUserDeletionIFQL} } var result *multierror.Error for _, stmt := range revocationIFQL { for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") { query = strings.TrimSpace(query) if len(query) == 0 { continue } q := influx.NewQuery(dbutil.QueryHelper(query, map[string]string{ "username": username, }), "", "") response, err := cli.Query(q) result = multierror.Append(result, err) if response != nil { result = multierror.Append(result, response.Error()) } } } return result.ErrorOrNil() } // RotateRootCredentials is useful when we try to change root credential func (i *Influxdb) RotateRootCredentials(ctx context.Context, statements []string) (map[string]interface{}, error) { // Grab the lock i.Lock() defer i.Unlock() cli, err := i.getConnection(ctx) if err != nil { return nil, err } rotateIFQL := statements if len(rotateIFQL) == 0 { rotateIFQL = []string{defaultRootCredentialRotationIFQL} } password, err := i.GeneratePassword() if err != nil { return nil, err } var result *multierror.Error for _, stmt := range rotateIFQL { for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") { query = strings.TrimSpace(query) if len(query) == 0 { continue } q := influx.NewQuery(dbutil.QueryHelper(query, map[string]string{ "username": i.Username, "password": password, }), "", "") response, err := cli.Query(q) result = multierror.Append(result, err) if response != nil { result = multierror.Append(result, response.Error()) } } } err = result.ErrorOrNil() if err != nil { return nil, err } i.rawConfig["password"] = password return i.rawConfig, nil }