package mysql import ( "fmt" "github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical/framework" ) const SecretCredsType = "creds" func secretCreds(b *backend) *framework.Secret { return &framework.Secret{ Type: SecretCredsType, Fields: map[string]*framework.FieldSchema{ "username": &framework.FieldSchema{ Type: framework.TypeString, Description: "Username", }, "password": &framework.FieldSchema{ Type: framework.TypeString, Description: "Password", }, }, Renew: b.secretCredsRenew, Revoke: b.secretCredsRevoke, } } func (b *backend) secretCredsRenew( req *logical.Request, d *framework.FieldData) (*logical.Response, error) { // Get the lease information lease, err := b.Lease(req.Storage) if err != nil { return nil, err } if lease == nil { lease = &configLease{} } f := framework.LeaseExtend(lease.Lease, lease.LeaseMax, b.System()) return f(req, d) } func (b *backend) secretCredsRevoke( req *logical.Request, d *framework.FieldData) (*logical.Response, error) { // Get the username from the internal data usernameRaw, ok := req.Secret.InternalData["username"] if !ok { return nil, fmt.Errorf("secret is missing username internal data") } username, ok := usernameRaw.(string) // Get our connection db, err := b.DB(req.Storage) if err != nil { return nil, err } // Start a transaction tx, err := db.Begin() if err != nil { return nil, err } defer tx.Rollback() // Revoke all permissions for the user. This is done before the // drop, because MySQL explicitly documents that open user connections // will not be closed. By revoking all grants, at least we ensure // that the open connection is useless. _, err = tx.Exec("REVOKE ALL PRIVILEGES, GRANT OPTION FROM '" + username + "'@'%'") if err != nil { return nil, err } // Drop this user. This only affects the next connection, which is // why we do the revoke initially. _, err = tx.Exec("DROP USER '" + username + "'@'%'") if err != nil { return nil, err } // Commit the transaction if err := tx.Commit(); err != nil { return nil, err } return nil, nil }