package postgresql import ( "context" "fmt" "strings" "github.com/hashicorp/go-secure-stdlib/strutil" "github.com/hashicorp/vault/sdk/framework" "github.com/hashicorp/vault/sdk/logical" ) func pathListRoles(b *backend) *framework.Path { return &framework.Path{ Pattern: "roles/?$", Callbacks: map[logical.Operation]framework.OperationFunc{ logical.ListOperation: b.pathRoleList, }, HelpSynopsis: pathRoleHelpSyn, HelpDescription: pathRoleHelpDesc, } } func pathRoles(b *backend) *framework.Path { return &framework.Path{ Pattern: "roles/" + framework.GenericNameRegex("name"), Fields: map[string]*framework.FieldSchema{ "name": { Type: framework.TypeString, Description: "Name of the role.", }, "sql": { Type: framework.TypeString, Description: "SQL string to create a user. See help for more info.", }, "revocation_sql": { Type: framework.TypeString, Description: `SQL statements to be executed to revoke a user. Must be a semicolon-separated string, a base64-encoded semicolon-separated string, a serialized JSON string array, or a base64-encoded serialized JSON string array. The '{{name}}' value will be substituted.`, }, }, Callbacks: map[logical.Operation]framework.OperationFunc{ logical.ReadOperation: b.pathRoleRead, logical.UpdateOperation: b.pathRoleCreate, logical.DeleteOperation: b.pathRoleDelete, }, HelpSynopsis: pathRoleHelpSyn, HelpDescription: pathRoleHelpDesc, } } func (b *backend) Role(ctx context.Context, s logical.Storage, n string) (*roleEntry, error) { entry, err := s.Get(ctx, "role/"+n) if err != nil { return nil, err } if entry == nil { return nil, nil } var result roleEntry if err := entry.DecodeJSON(&result); err != nil { return nil, err } return &result, nil } func (b *backend) pathRoleDelete(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) { err := req.Storage.Delete(ctx, "role/"+data.Get("name").(string)) if err != nil { return nil, err } return nil, nil } func (b *backend) pathRoleRead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) { role, err := b.Role(ctx, req.Storage, data.Get("name").(string)) if err != nil { return nil, err } if role == nil { return nil, nil } return &logical.Response{ Data: map[string]interface{}{ "sql": role.SQL, "revocation_sql": role.RevocationSQL, }, }, nil } func (b *backend) pathRoleList(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) { entries, err := req.Storage.List(ctx, "role/") if err != nil { return nil, err } return logical.ListResponse(entries), nil } func (b *backend) pathRoleCreate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) { name := data.Get("name").(string) sql := data.Get("sql").(string) // Get our connection db, err := b.DB(ctx, req.Storage) if err != nil { return nil, err } // Test the query by trying to prepare it for _, query := range strutil.ParseArbitraryStringSlice(sql, ";") { query = strings.TrimSpace(query) if len(query) == 0 { continue } stmt, err := db.Prepare(Query(query, map[string]string{ "name": "foo", "password": "bar", "expiration": "", })) if err != nil { return logical.ErrorResponse(fmt.Sprintf( "Error testing query: %s", err)), nil } stmt.Close() } // Store it entry, err := logical.StorageEntryJSON("role/"+name, &roleEntry{ SQL: sql, RevocationSQL: data.Get("revocation_sql").(string), }) if err != nil { return nil, err } if err := req.Storage.Put(ctx, entry); err != nil { return nil, err } return nil, nil } type roleEntry struct { SQL string `json:"sql" mapstructure:"sql" structs:"sql"` RevocationSQL string `json:"revocation_sql" mapstructure:"revocation_sql" structs:"revocation_sql"` } const pathRoleHelpSyn = ` Manage the roles that can be created with this backend. ` const pathRoleHelpDesc = ` This path lets you manage the roles that can be created with this backend. The "sql" parameter customizes the SQL string used to create the role. This can be a sequence of SQL queries. Some substitution will be done to the SQL string for certain keys. The names of the variables must be surrounded by "{{" and "}}" to be replaced. * "name" - The random username generated for the DB user. * "password" - The random password generated for the DB user. * "expiration" - The timestamp when this user will expire. Example of a decent SQL query to use: CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "{{name}}"; Note the above user would be able to access everything in schema public. For more complex GRANT clauses, see the PostgreSQL manual. The "revocation_sql" parameter customizes the SQL string used to revoke a user. Example of a decent revocation SQL query to use: REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM {{name}}; REVOKE ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public FROM {{name}}; REVOKE USAGE ON SCHEMA public FROM {{name}}; DROP ROLE IF EXISTS {{name}}; `