b55303eddb
* Add priority queue to sdk * fix issue of storing pointers and now copy * update to use copy structure * Remove file, put Item struct def. into other file * add link * clean up docs * refactor internal data structure to hide heap method implementations. Other cleanup after feedback * rename PushItem and PopItem to just Push/Pop, after encapsulating the heap methods * updates after feedback * refactoring/renaming * guard against pushing a nil item * minor updates after feedback * Add SetCredentials, GenerateCredentials gRPC methods to combined database backend gPRC * Initial Combined database backend implementation of static accounts and automatic rotation * vendor updates * initial implementation of static accounts with Combined database backend, starting with PostgreSQL implementation * add lock and setup of rotation queue * vendor the queue * rebase on new method signature of queue * remove mongo tests for now * update default role sql * gofmt after rebase * cleanup after rebasing to remove checks for ErrNotFound error * rebase cdcr-priority-queue * vendor dependencies with 'go mod vendor' * website database docs for Static Role support * document the rotate-role API endpoint * postgres specific static role docs * use constants for paths * updates from review * remove dead code * combine and clarify error message for older plugins * Update builtin/logical/database/backend.go Co-Authored-By: Jim Kalafut <jim@kalafut.net> * cleanups from feedback * code and comment cleanups * move db.RLock higher to protect db.GenerateCredentials call * Return output with WALID if we failed to delete the WAL * Update builtin/logical/database/path_creds_create.go Co-Authored-By: Jim Kalafut <jim@kalafut.net> * updates after running 'make fmt' * update after running 'make proto' * Update builtin/logical/database/path_roles.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com> * Update builtin/logical/database/path_roles.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com> * update comment and remove and rearrange some dead code * Update website/source/api/secret/databases/index.html.md Co-Authored-By: Jim Kalafut <jim@kalafut.net> * cleanups after review * Update sdk/database/dbplugin/grpc_transport.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com> * code cleanup after feedback * remove PasswordLastSet; it's not used * document GenerateCredentials and SetCredentials * Update builtin/logical/database/path_rotate_credentials.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com> * wrap pop and popbykey in backend methods to protect against nil cred rotation queue * use strings.HasPrefix instead of direct equality check for path * Forgot to commit this * updates after feedback * re-purpose an outdated test to now check that static and dynamic roles cannot share a name * check for unique name across dynamic and static roles * refactor loadStaticWALs to return a map of name/setCredentialsWAL struct to consolidate where we're calling set credentials * remove commented out code * refactor to have loadstaticwals filter out wals for roles that no longer exist * return error if nil input given * add nil check for input into setStaticAccount * Update builtin/logical/database/path_roles.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com> * add constant for queue tick time in seconds, used for comparrison in updates * Update builtin/logical/database/path_roles.go Co-Authored-By: Jim Kalafut <jim@kalafut.net> * code cleanup after review * remove misplaced code comment * remove commented out code * create a queue in the Factory method, even if it's never used * update path_roles to use a common set of fields, with specific overrides for dynamic/static roles by type * document new method * move rotation things into a specific file * rename test file and consolidate some static account tests * Update builtin/logical/database/path_roles.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com> * Update builtin/logical/database/rotation.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com> * Update builtin/logical/database/rotation.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com> * Update builtin/logical/database/rotation.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com> * Update builtin/logical/database/rotation.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com> * Update builtin/logical/database/rotation.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com> * update code comments, method names, and move more methods into rotation.go * update comments to be capitalized * remove the item from the queue before we try to destroy it * findStaticWAL returns an error * use lowercase keys when encoding WAL entries * small cleanups * remove vestigial static account check * remove redundant DeleteWAL call in populate queue * if we error on loading role, push back to queue with 10 second backoff * poll in initqueue to make sure the backend is setup and can write/delete data * add revoke_user_on_delete flag to allow users to opt-in to revoking the static database user on delete of the Vault role. Default false * add code comments on read-only loop * code comment updates * re-push if error returned from find static wal * add locksutil and acquire locks when pop'ing from the queue * grab exclusive locks for updating static roles * Add SetCredentials and GenerateCredentials stubs to mockPlugin * add a switch in initQueue to listen for cancelation * remove guard on zero time, it should have no affect * create a new context in Factory to pass on and use for closing the backend queue * restore master copy of vendor dir
182 lines
6.5 KiB
Go
182 lines
6.5 KiB
Go
package dbplugin
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"time"
|
|
|
|
"google.golang.org/grpc"
|
|
|
|
"github.com/hashicorp/errwrap"
|
|
log "github.com/hashicorp/go-hclog"
|
|
plugin "github.com/hashicorp/go-plugin"
|
|
"github.com/hashicorp/vault/sdk/helper/consts"
|
|
"github.com/hashicorp/vault/sdk/helper/pluginutil"
|
|
)
|
|
|
|
// Database is the interface that all database objects must implement.
|
|
type Database interface {
|
|
// Type returns the TypeName for the particular database backend
|
|
// implementation. This type name is usually set as a constant within the
|
|
// database backend implementation, e.g. "mysql" for the MySQL database
|
|
// backend.
|
|
Type() (string, error)
|
|
|
|
// CreateUser is called on `$ vault read database/creds/:role-name` and it's
|
|
// also the first time anything is touched from `$ vault write
|
|
// database/roles/:role-name`. This is likely to be the highest-throughput
|
|
// method for most plugins.
|
|
CreateUser(ctx context.Context, statements Statements, usernameConfig UsernameConfig, expiration time.Time) (username string, password string, err error)
|
|
|
|
// RenewUser is triggered by a renewal call to the API. In many database
|
|
// backends, this triggers a call on the underlying database that extends a
|
|
// VALID UNTIL clause on a user. However, if no such need exists, setting
|
|
// this as a NO-OP means that when renewal is called, the lease renewal time
|
|
// is pushed further out as appropriate, thus pushing out the time until the
|
|
// RevokeUser method is called.
|
|
RenewUser(ctx context.Context, statements Statements, username string, expiration time.Time) error
|
|
|
|
// RevokeUser is triggered either automatically by a lease expiration, or by
|
|
// a revocation call to the API.
|
|
RevokeUser(ctx context.Context, statements Statements, username string) error
|
|
|
|
// RotateRootCredentials is triggered by a root credential rotation call to
|
|
// the API.
|
|
RotateRootCredentials(ctx context.Context, statements []string) (config map[string]interface{}, err error)
|
|
|
|
// GenerateCredentials returns a generated password for the plugin. This is
|
|
// used in combination with SetCredentials to set a specific password for a
|
|
// database user and preserve the password in WAL entries.
|
|
GenerateCredentials(ctx context.Context) (string, error)
|
|
|
|
// SetCredentials uses provided information to create or set the credentials
|
|
// for a database user. Unlike CreateUser, this method requires both a
|
|
// username and a password given instead of generating them. This is used for
|
|
// creating and setting the password of static accounts, as well as rolling
|
|
// back passwords in the database in the event an updated database fails to
|
|
// save in Vault's storage.
|
|
SetCredentials(ctx context.Context, statements Statements, staticConfig StaticUserConfig) (username string, password string, err error)
|
|
|
|
// Init is called on `$ vault write database/config/:db-name`, or when you
|
|
// do a creds call after Vault's been restarted. The config provided won't
|
|
// hold all the keys and values provided in the API call, some will be
|
|
// stripped by the database engine before the config is provided. The config
|
|
// returned will be stored, which will persist it across shutdowns.
|
|
Init(ctx context.Context, config map[string]interface{}, verifyConnection bool) (saveConfig map[string]interface{}, err error)
|
|
|
|
// Close attempts to close the underlying database connection that was
|
|
// established by the backend.
|
|
Close() error
|
|
|
|
// DEPRECATED: Will be removed in a future plugin version bump.
|
|
// Initialize is a backwards-compatible implementation that simply calls
|
|
// Init, dropping the saveConfig, and returning the err.
|
|
Initialize(ctx context.Context, config map[string]interface{}, verifyConnection bool) (err error)
|
|
}
|
|
|
|
// PluginFactory is used to build plugin database types. It wraps the database
|
|
// object in a logging and metrics middleware.
|
|
func PluginFactory(ctx context.Context, pluginName string, sys pluginutil.LookRunnerUtil, logger log.Logger) (Database, error) {
|
|
// Look for plugin in the plugin catalog
|
|
pluginRunner, err := sys.LookupPlugin(ctx, pluginName, consts.PluginTypeDatabase)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
namedLogger := logger.Named(pluginName)
|
|
|
|
var transport string
|
|
var db Database
|
|
if pluginRunner.Builtin {
|
|
// Plugin is builtin so we can retrieve an instance of the interface
|
|
// from the pluginRunner. Then cast it to a Database.
|
|
dbRaw, err := pluginRunner.BuiltinFactory()
|
|
if err != nil {
|
|
return nil, errwrap.Wrapf("error initializing plugin: {{err}}", err)
|
|
}
|
|
|
|
var ok bool
|
|
db, ok = dbRaw.(Database)
|
|
if !ok {
|
|
return nil, fmt.Errorf("unsupported database type: %q", pluginName)
|
|
}
|
|
|
|
transport = "builtin"
|
|
|
|
} else {
|
|
// create a DatabasePluginClient instance
|
|
db, err = NewPluginClient(ctx, sys, pluginRunner, namedLogger, false)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Switch on the underlying database client type to get the transport
|
|
// method.
|
|
switch db.(*DatabasePluginClient).Database.(type) {
|
|
case *gRPCClient:
|
|
transport = "gRPC"
|
|
}
|
|
|
|
}
|
|
|
|
typeStr, err := db.Type()
|
|
if err != nil {
|
|
return nil, errwrap.Wrapf("error getting plugin type: {{err}}", err)
|
|
}
|
|
|
|
// Wrap with metrics middleware
|
|
db = &databaseMetricsMiddleware{
|
|
next: db,
|
|
typeStr: typeStr,
|
|
}
|
|
|
|
// Wrap with tracing middleware
|
|
if namedLogger.IsTrace() {
|
|
db = &databaseTracingMiddleware{
|
|
next: db,
|
|
logger: namedLogger.With("transport", transport),
|
|
}
|
|
}
|
|
|
|
return db, nil
|
|
}
|
|
|
|
// handshakeConfigs are used to just do a basic handshake between
|
|
// a plugin and host. If the handshake fails, a user friendly error is shown.
|
|
// This prevents users from executing bad plugins or executing a plugin
|
|
// directory. It is a UX feature, not a security feature.
|
|
var handshakeConfig = plugin.HandshakeConfig{
|
|
ProtocolVersion: 4,
|
|
MagicCookieKey: "VAULT_DATABASE_PLUGIN",
|
|
MagicCookieValue: "926a0820-aea2-be28-51d6-83cdf00e8edb",
|
|
}
|
|
|
|
var _ plugin.Plugin = &GRPCDatabasePlugin{}
|
|
var _ plugin.GRPCPlugin = &GRPCDatabasePlugin{}
|
|
|
|
// GRPCDatabasePlugin is the plugin.Plugin implementation that only supports GRPC
|
|
// transport
|
|
type GRPCDatabasePlugin struct {
|
|
Impl Database
|
|
|
|
// Embeding this will disable the netRPC protocol
|
|
plugin.NetRPCUnsupportedPlugin
|
|
}
|
|
|
|
func (d GRPCDatabasePlugin) GRPCServer(_ *plugin.GRPCBroker, s *grpc.Server) error {
|
|
impl := &DatabaseErrorSanitizerMiddleware{
|
|
next: d.Impl,
|
|
}
|
|
|
|
RegisterDatabaseServer(s, &gRPCServer{impl: impl})
|
|
return nil
|
|
}
|
|
|
|
func (GRPCDatabasePlugin) GRPCClient(doneCtx context.Context, _ *plugin.GRPCBroker, c *grpc.ClientConn) (interface{}, error) {
|
|
return &gRPCClient{
|
|
client: NewDatabaseClient(c),
|
|
clientConn: c,
|
|
doneCtx: doneCtx,
|
|
}, nil
|
|
}
|