mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-09-02 20:41:11 +02:00
Code Issues Projects Releases Wiki Activity

Merge pull request #1584 from hashicorp/b-remove-sprintf

Browse Source 
Use `lib/pq`'s `QuoteIdentifier()` on all identifiers and Prepare for all literals.

LGTM from @jefferai out of band.
This commit is contained in:
Sean Chittenden 2016-07-03 17:00:55 -07:00 committed by GitHub
commit f665f23b3d
2 changed files with 19 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
builtin/logical/postgresql/backend_test.go
View File

@ -238,15 +238,13 @@ func testAccStepReadCreds(t *testing.T, b logical.Backend, s logical.Storage, na
} }
returnedRows := func() int { returnedRows := func() int {
stmt, err := db.Prepare(fmt.Sprintf( stmt, err := db.Prepare("SELECT DISTINCT schemaname FROM pg_tables WHERE has_table_privilege($1, 'information_schema.role_column_grants', 'select');")
"SELECT DISTINCT schemaname FROM pg_tables WHERE has_table_privilege('%s', 'information_schema.role_column_grants', 'select');",
d.Username))
if err != nil { if err != nil {
return -1 return -1
} }
defer stmt.Close() defer stmt.Close()
rows, err := stmt.Query() rows, err := stmt.Query(d.Username)
if err != nil { if err != nil {
return -1 return -1
} }

33
builtin/logical/postgresql/secret_creds.go
View File

@ -99,8 +99,7 @@ func (b *backend) secretCredsRevoke(
// Check if the role exists // Check if the role exists
var exists bool var exists bool
query := fmt.Sprintf("SELECT exists (SELECT rolname FROM pg_roles WHERE rolname='%s');", username) err = db.QueryRow("SELECT exists (SELECT rolname FROM pg_roles WHERE rolname=$1);", username).Scan(&exists)
err = db.QueryRow(query).Scan(&exists)
if err != nil && err != sql.ErrNoRows { if err != nil && err != sql.ErrNoRows {
return nil, err return nil, err
} }
@ -113,21 +112,20 @@ func (b *backend) secretCredsRevoke(
// the role // the role
// This isn't done in a transaction because even if we fail along the way, // This isn't done in a transaction because even if we fail along the way,
// we want to remove as much access as possible // we want to remove as much access as possible
stmt, err := db.Prepare(fmt.Sprintf( stmt, err := db.Prepare("SELECT DISTINCT table_schema FROM information_schema.role_column_grants WHERE grantee=$1;")
"SELECT DISTINCT table_schema FROM information_schema.role_column_grants WHERE grantee='%s';",
username))
if err != nil { if err != nil {
return nil, err return nil, err
} }
defer stmt.Close() defer stmt.Close()
rows, err := stmt.Query() rows, err := stmt.Query(username)
if err != nil { if err != nil {
return nil, err return nil, err
} }
defer rows.Close() defer rows.Close()
var revocationStmts []string const initialNumRevocations = 16
revocationStmts := make([]string, 0, initialNumRevocations)
for rows.Next() { for rows.Next() {
var schema string var schema string
err = rows.Scan(&schema) err = rows.Scan(&schema)
@ -136,21 +134,23 @@ func (b *backend) secretCredsRevoke(
continue continue
} }
revocationStmts = append(revocationStmts, fmt.Sprintf( revocationStmts = append(revocationStmts, fmt.Sprintf(
"REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA %s FROM %s;", `REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA %s FROM %s;`,
schema, pq.QuoteIdentifier(username))) pq.QuoteIdentifier(schema),
pq.QuoteIdentifier(username)))
revocationStmts = append(revocationStmts, fmt.Sprintf( revocationStmts = append(revocationStmts, fmt.Sprintf(
"REVOKE USAGE ON SCHEMA %s FROM %s;", `REVOKE USAGE ON SCHEMA %s FROM %s;`,
schema, pq.QuoteIdentifier(username))) pq.QuoteIdentifier(schema),
pq.QuoteIdentifier(username)))
} }
// for good measure, revoke all privileges and usage on schema public // for good measure, revoke all privileges and usage on schema public
revocationStmts = append(revocationStmts, fmt.Sprintf( revocationStmts = append(revocationStmts, fmt.Sprintf(
"REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM %s;", `REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM %s;`,
pq.QuoteIdentifier(username))) pq.QuoteIdentifier(username)))
revocationStmts = append(revocationStmts, fmt.Sprintf( revocationStmts = append(revocationStmts, fmt.Sprintf(
"REVOKE USAGE ON SCHEMA public FROM %s;", `REVOKE USAGE ON SCHEMA public FROM %s;`,
pq.QuoteIdentifier(username))) pq.QuoteIdentifier(username)))
// get the current database name so we can issue a REVOKE CONNECT for // get the current database name so we can issue a REVOKE CONNECT for
@ -162,8 +162,9 @@ func (b *backend) secretCredsRevoke(
if dbname.Valid { if dbname.Valid {
revocationStmts = append(revocationStmts, fmt.Sprintf( revocationStmts = append(revocationStmts, fmt.Sprintf(
"REVOKE CONNECT ON DATABASE %s FROM %s;", `REVOKE CONNECT ON DATABASE %s FROM %s;`,
dbname.String, pq.QuoteIdentifier(username))) pq.QuoteIdentifier(dbname.String),
pq.QuoteIdentifier(username)))
} }
// again, here, we do not stop on error, as we want to remove as // again, here, we do not stop on error, as we want to remove as
@ -192,7 +193,7 @@ func (b *backend) secretCredsRevoke(
// Drop this user // Drop this user
stmt, err = db.Prepare(fmt.Sprintf( stmt, err = db.Prepare(fmt.Sprintf(
"DROP ROLE IF EXISTS %s;", pq.QuoteIdentifier(username))) `DROP ROLE IF EXISTS %s;`, pq.QuoteIdentifier(username)))
if err != nil { if err != nil {
return nil, err return nil, err
} }