mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-08 07:37:01 +02:00
0b12cdcfd1
* Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License. Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at https://hashi.co/bsl-blog, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUS-1.1 * Fix test that expected exact offset on hcl file --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> Co-authored-by: Sarah Thompson <sthompson@hashicorp.com> Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com>
560 lines
15 KiB
Go
560 lines
15 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package postgresql
|
|
|
|
import (
|
|
"context"
|
|
"database/sql"
|
|
"fmt"
|
|
"regexp"
|
|
"strings"
|
|
|
|
"github.com/hashicorp/go-multierror"
|
|
"github.com/hashicorp/go-secure-stdlib/strutil"
|
|
"github.com/hashicorp/vault/plugins/database/postgresql/scram"
|
|
"github.com/hashicorp/vault/sdk/database/dbplugin/v5"
|
|
"github.com/hashicorp/vault/sdk/database/helper/connutil"
|
|
"github.com/hashicorp/vault/sdk/database/helper/dbutil"
|
|
"github.com/hashicorp/vault/sdk/helper/dbtxn"
|
|
"github.com/hashicorp/vault/sdk/helper/template"
|
|
"github.com/hashicorp/vault/sdk/logical"
|
|
_ "github.com/jackc/pgx/v4/stdlib"
|
|
)
|
|
|
|
const (
|
|
postgreSQLTypeName = "pgx"
|
|
defaultExpirationStatement = `
|
|
ALTER ROLE "{{name}}" VALID UNTIL '{{expiration}}';
|
|
`
|
|
defaultChangePasswordStatement = `
|
|
ALTER ROLE "{{username}}" WITH PASSWORD '{{password}}';
|
|
`
|
|
|
|
expirationFormat = "2006-01-02 15:04:05-0700"
|
|
|
|
defaultUserNameTemplate = `{{ printf "v-%s-%s-%s-%s" (.DisplayName | truncate 8) (.RoleName | truncate 8) (random 20) (unix_time) | truncate 63 }}`
|
|
)
|
|
|
|
var (
|
|
_ dbplugin.Database = (*PostgreSQL)(nil)
|
|
_ logical.PluginVersioner = (*PostgreSQL)(nil)
|
|
|
|
// postgresEndStatement is basically the word "END" but
|
|
// surrounded by a word boundary to differentiate it from
|
|
// other words like "APPEND".
|
|
postgresEndStatement = regexp.MustCompile(`\bEND\b`)
|
|
|
|
// doubleQuotedPhrases finds substrings like "hello"
|
|
// and pulls them out with the quotes included.
|
|
doubleQuotedPhrases = regexp.MustCompile(`(".*?")`)
|
|
|
|
// singleQuotedPhrases finds substrings like 'hello'
|
|
// and pulls them out with the quotes included.
|
|
singleQuotedPhrases = regexp.MustCompile(`('.*?')`)
|
|
|
|
// ReportedVersion is used to report a specific version to Vault.
|
|
ReportedVersion = ""
|
|
)
|
|
|
|
func New() (interface{}, error) {
|
|
db := new()
|
|
// Wrap the plugin with middleware to sanitize errors
|
|
dbType := dbplugin.NewDatabaseErrorSanitizerMiddleware(db, db.secretValues)
|
|
return dbType, nil
|
|
}
|
|
|
|
func new() *PostgreSQL {
|
|
connProducer := &connutil.SQLConnectionProducer{}
|
|
connProducer.Type = postgreSQLTypeName
|
|
|
|
db := &PostgreSQL{
|
|
SQLConnectionProducer: connProducer,
|
|
passwordAuthentication: passwordAuthenticationPassword,
|
|
}
|
|
|
|
return db
|
|
}
|
|
|
|
type PostgreSQL struct {
|
|
*connutil.SQLConnectionProducer
|
|
|
|
usernameProducer template.StringTemplate
|
|
passwordAuthentication passwordAuthentication
|
|
}
|
|
|
|
func (p *PostgreSQL) Initialize(ctx context.Context, req dbplugin.InitializeRequest) (dbplugin.InitializeResponse, error) {
|
|
newConf, err := p.SQLConnectionProducer.Init(ctx, req.Config, req.VerifyConnection)
|
|
if err != nil {
|
|
return dbplugin.InitializeResponse{}, err
|
|
}
|
|
|
|
usernameTemplate, err := strutil.GetString(req.Config, "username_template")
|
|
if err != nil {
|
|
return dbplugin.InitializeResponse{}, fmt.Errorf("failed to retrieve username_template: %w", err)
|
|
}
|
|
if usernameTemplate == "" {
|
|
usernameTemplate = defaultUserNameTemplate
|
|
}
|
|
|
|
up, err := template.NewTemplate(template.Template(usernameTemplate))
|
|
if err != nil {
|
|
return dbplugin.InitializeResponse{}, fmt.Errorf("unable to initialize username template: %w", err)
|
|
}
|
|
p.usernameProducer = up
|
|
|
|
_, err = p.usernameProducer.Generate(dbplugin.UsernameMetadata{})
|
|
if err != nil {
|
|
return dbplugin.InitializeResponse{}, fmt.Errorf("invalid username template: %w", err)
|
|
}
|
|
|
|
passwordAuthenticationRaw, err := strutil.GetString(req.Config, "password_authentication")
|
|
if err != nil {
|
|
return dbplugin.InitializeResponse{}, fmt.Errorf("failed to retrieve password_authentication: %w", err)
|
|
}
|
|
|
|
if passwordAuthenticationRaw != "" {
|
|
pwAuthentication, err := parsePasswordAuthentication(passwordAuthenticationRaw)
|
|
if err != nil {
|
|
return dbplugin.InitializeResponse{}, err
|
|
}
|
|
|
|
p.passwordAuthentication = pwAuthentication
|
|
}
|
|
|
|
resp := dbplugin.InitializeResponse{
|
|
Config: newConf,
|
|
}
|
|
return resp, nil
|
|
}
|
|
|
|
func (p *PostgreSQL) Type() (string, error) {
|
|
return postgreSQLTypeName, nil
|
|
}
|
|
|
|
func (p *PostgreSQL) getConnection(ctx context.Context) (*sql.DB, error) {
|
|
db, err := p.Connection(ctx)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return db.(*sql.DB), nil
|
|
}
|
|
|
|
func (p *PostgreSQL) UpdateUser(ctx context.Context, req dbplugin.UpdateUserRequest) (dbplugin.UpdateUserResponse, error) {
|
|
if req.Username == "" {
|
|
return dbplugin.UpdateUserResponse{}, fmt.Errorf("missing username")
|
|
}
|
|
if req.Password == nil && req.Expiration == nil {
|
|
return dbplugin.UpdateUserResponse{}, fmt.Errorf("no changes requested")
|
|
}
|
|
|
|
merr := &multierror.Error{}
|
|
if req.Password != nil {
|
|
err := p.changeUserPassword(ctx, req.Username, req.Password)
|
|
merr = multierror.Append(merr, err)
|
|
}
|
|
if req.Expiration != nil {
|
|
err := p.changeUserExpiration(ctx, req.Username, req.Expiration)
|
|
merr = multierror.Append(merr, err)
|
|
}
|
|
return dbplugin.UpdateUserResponse{}, merr.ErrorOrNil()
|
|
}
|
|
|
|
func (p *PostgreSQL) changeUserPassword(ctx context.Context, username string, changePass *dbplugin.ChangePassword) error {
|
|
stmts := changePass.Statements.Commands
|
|
if len(stmts) == 0 {
|
|
stmts = []string{defaultChangePasswordStatement}
|
|
}
|
|
|
|
password := changePass.NewPassword
|
|
if password == "" {
|
|
return fmt.Errorf("missing password")
|
|
}
|
|
|
|
p.Lock()
|
|
defer p.Unlock()
|
|
|
|
db, err := p.getConnection(ctx)
|
|
if err != nil {
|
|
return fmt.Errorf("unable to get connection: %w", err)
|
|
}
|
|
|
|
// Check if the role exists
|
|
var exists bool
|
|
err = db.QueryRowContext(ctx, "SELECT exists (SELECT rolname FROM pg_roles WHERE rolname=$1);", username).Scan(&exists)
|
|
if err != nil && err != sql.ErrNoRows {
|
|
return fmt.Errorf("user does not appear to exist: %w", err)
|
|
}
|
|
|
|
tx, err := db.BeginTx(ctx, nil)
|
|
if err != nil {
|
|
return fmt.Errorf("unable to start transaction: %w", err)
|
|
}
|
|
defer tx.Rollback()
|
|
|
|
for _, stmt := range stmts {
|
|
for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") {
|
|
query = strings.TrimSpace(query)
|
|
if len(query) == 0 {
|
|
continue
|
|
}
|
|
|
|
m := map[string]string{
|
|
"name": username,
|
|
"username": username,
|
|
"password": password,
|
|
}
|
|
|
|
if p.passwordAuthentication == passwordAuthenticationSCRAMSHA256 {
|
|
hashedPassword, err := scram.Hash(password)
|
|
if err != nil {
|
|
return fmt.Errorf("unable to scram-sha256 password: %w", err)
|
|
}
|
|
m["password"] = hashedPassword
|
|
}
|
|
|
|
if err := dbtxn.ExecuteTxQueryDirect(ctx, tx, m, query); err != nil {
|
|
return fmt.Errorf("failed to execute query: %w", err)
|
|
}
|
|
}
|
|
}
|
|
|
|
if err := tx.Commit(); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (p *PostgreSQL) changeUserExpiration(ctx context.Context, username string, changeExp *dbplugin.ChangeExpiration) error {
|
|
p.Lock()
|
|
defer p.Unlock()
|
|
|
|
renewStmts := changeExp.Statements.Commands
|
|
if len(renewStmts) == 0 {
|
|
renewStmts = []string{defaultExpirationStatement}
|
|
}
|
|
|
|
db, err := p.getConnection(ctx)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
tx, err := db.BeginTx(ctx, nil)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer func() {
|
|
tx.Rollback()
|
|
}()
|
|
|
|
expirationStr := changeExp.NewExpiration.Format(expirationFormat)
|
|
|
|
for _, stmt := range renewStmts {
|
|
for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") {
|
|
query = strings.TrimSpace(query)
|
|
if len(query) == 0 {
|
|
continue
|
|
}
|
|
|
|
m := map[string]string{
|
|
"name": username,
|
|
"username": username,
|
|
"expiration": expirationStr,
|
|
}
|
|
if err := dbtxn.ExecuteTxQueryDirect(ctx, tx, m, query); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
}
|
|
|
|
return tx.Commit()
|
|
}
|
|
|
|
func (p *PostgreSQL) NewUser(ctx context.Context, req dbplugin.NewUserRequest) (dbplugin.NewUserResponse, error) {
|
|
if len(req.Statements.Commands) == 0 {
|
|
return dbplugin.NewUserResponse{}, dbutil.ErrEmptyCreationStatement
|
|
}
|
|
|
|
p.Lock()
|
|
defer p.Unlock()
|
|
|
|
username, err := p.usernameProducer.Generate(req.UsernameConfig)
|
|
if err != nil {
|
|
return dbplugin.NewUserResponse{}, err
|
|
}
|
|
|
|
expirationStr := req.Expiration.Format(expirationFormat)
|
|
|
|
db, err := p.getConnection(ctx)
|
|
if err != nil {
|
|
return dbplugin.NewUserResponse{}, fmt.Errorf("unable to get connection: %w", err)
|
|
}
|
|
|
|
tx, err := db.BeginTx(ctx, nil)
|
|
if err != nil {
|
|
return dbplugin.NewUserResponse{}, fmt.Errorf("unable to start transaction: %w", err)
|
|
}
|
|
defer tx.Rollback()
|
|
|
|
m := map[string]string{
|
|
"name": username,
|
|
"username": username,
|
|
"password": req.Password,
|
|
"expiration": expirationStr,
|
|
}
|
|
|
|
if p.passwordAuthentication == passwordAuthenticationSCRAMSHA256 {
|
|
hashedPassword, err := scram.Hash(req.Password)
|
|
if err != nil {
|
|
return dbplugin.NewUserResponse{}, fmt.Errorf("unable to scram-sha256 password: %w", err)
|
|
}
|
|
m["password"] = hashedPassword
|
|
}
|
|
|
|
for _, stmt := range req.Statements.Commands {
|
|
if containsMultilineStatement(stmt) {
|
|
// Execute it as-is.
|
|
if err := dbtxn.ExecuteTxQueryDirect(ctx, tx, m, stmt); err != nil {
|
|
return dbplugin.NewUserResponse{}, fmt.Errorf("failed to execute query: %w", err)
|
|
}
|
|
continue
|
|
}
|
|
// Otherwise, it's fine to split the statements on the semicolon.
|
|
for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") {
|
|
query = strings.TrimSpace(query)
|
|
if len(query) == 0 {
|
|
continue
|
|
}
|
|
|
|
if err := dbtxn.ExecuteTxQueryDirect(ctx, tx, m, query); err != nil {
|
|
return dbplugin.NewUserResponse{}, fmt.Errorf("failed to execute query: %w", err)
|
|
}
|
|
}
|
|
}
|
|
|
|
if err := tx.Commit(); err != nil {
|
|
return dbplugin.NewUserResponse{}, err
|
|
}
|
|
|
|
resp := dbplugin.NewUserResponse{
|
|
Username: username,
|
|
}
|
|
return resp, nil
|
|
}
|
|
|
|
func (p *PostgreSQL) DeleteUser(ctx context.Context, req dbplugin.DeleteUserRequest) (dbplugin.DeleteUserResponse, error) {
|
|
p.Lock()
|
|
defer p.Unlock()
|
|
|
|
if len(req.Statements.Commands) == 0 {
|
|
return dbplugin.DeleteUserResponse{}, p.defaultDeleteUser(ctx, req.Username)
|
|
}
|
|
|
|
return dbplugin.DeleteUserResponse{}, p.customDeleteUser(ctx, req.Username, req.Statements.Commands)
|
|
}
|
|
|
|
func (p *PostgreSQL) customDeleteUser(ctx context.Context, username string, revocationStmts []string) error {
|
|
db, err := p.getConnection(ctx)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
tx, err := db.BeginTx(ctx, nil)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer func() {
|
|
tx.Rollback()
|
|
}()
|
|
|
|
for _, stmt := range revocationStmts {
|
|
if containsMultilineStatement(stmt) {
|
|
// Execute it as-is.
|
|
m := map[string]string{
|
|
"name": username,
|
|
"username": username,
|
|
}
|
|
if err := dbtxn.ExecuteTxQueryDirect(ctx, tx, m, stmt); err != nil {
|
|
return err
|
|
}
|
|
continue
|
|
}
|
|
for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") {
|
|
query = strings.TrimSpace(query)
|
|
if len(query) == 0 {
|
|
continue
|
|
}
|
|
|
|
m := map[string]string{
|
|
"name": username,
|
|
"username": username,
|
|
}
|
|
if err := dbtxn.ExecuteTxQueryDirect(ctx, tx, m, query); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
}
|
|
|
|
return tx.Commit()
|
|
}
|
|
|
|
func (p *PostgreSQL) defaultDeleteUser(ctx context.Context, username string) error {
|
|
db, err := p.getConnection(ctx)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Check if the role exists
|
|
var exists bool
|
|
err = db.QueryRowContext(ctx, "SELECT exists (SELECT rolname FROM pg_roles WHERE rolname=$1);", username).Scan(&exists)
|
|
if err != nil && err != sql.ErrNoRows {
|
|
return err
|
|
}
|
|
|
|
if !exists {
|
|
return nil
|
|
}
|
|
|
|
// Query for permissions; we need to revoke permissions before we can drop
|
|
// the role
|
|
// This isn't done in a transaction because even if we fail along the way,
|
|
// we want to remove as much access as possible
|
|
stmt, err := db.PrepareContext(ctx, "SELECT DISTINCT table_schema FROM information_schema.role_column_grants WHERE grantee=$1;")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer stmt.Close()
|
|
|
|
rows, err := stmt.QueryContext(ctx, username)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer rows.Close()
|
|
|
|
const initialNumRevocations = 16
|
|
revocationStmts := make([]string, 0, initialNumRevocations)
|
|
for rows.Next() {
|
|
var schema string
|
|
err = rows.Scan(&schema)
|
|
if err != nil {
|
|
// keep going; remove as many permissions as possible right now
|
|
continue
|
|
}
|
|
revocationStmts = append(revocationStmts, fmt.Sprintf(
|
|
`REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA %s FROM %s;`,
|
|
(schema),
|
|
dbutil.QuoteIdentifier(username)))
|
|
|
|
revocationStmts = append(revocationStmts, fmt.Sprintf(
|
|
`REVOKE USAGE ON SCHEMA %s FROM %s;`,
|
|
dbutil.QuoteIdentifier(schema),
|
|
dbutil.QuoteIdentifier(username)))
|
|
}
|
|
|
|
// for good measure, revoke all privileges and usage on schema public
|
|
revocationStmts = append(revocationStmts, fmt.Sprintf(
|
|
`REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM %s;`,
|
|
dbutil.QuoteIdentifier(username)))
|
|
|
|
revocationStmts = append(revocationStmts, fmt.Sprintf(
|
|
"REVOKE ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public FROM %s;",
|
|
dbutil.QuoteIdentifier(username)))
|
|
|
|
revocationStmts = append(revocationStmts, fmt.Sprintf(
|
|
"REVOKE USAGE ON SCHEMA public FROM %s;",
|
|
dbutil.QuoteIdentifier(username)))
|
|
|
|
// get the current database name so we can issue a REVOKE CONNECT for
|
|
// this username
|
|
var dbname sql.NullString
|
|
if err := db.QueryRowContext(ctx, "SELECT current_database();").Scan(&dbname); err != nil {
|
|
return err
|
|
}
|
|
|
|
if dbname.Valid {
|
|
revocationStmts = append(revocationStmts, fmt.Sprintf(
|
|
`REVOKE CONNECT ON DATABASE %s FROM %s;`,
|
|
dbutil.QuoteIdentifier(dbname.String),
|
|
dbutil.QuoteIdentifier(username)))
|
|
}
|
|
|
|
// again, here, we do not stop on error, as we want to remove as
|
|
// many permissions as possible right now
|
|
var lastStmtError error
|
|
for _, query := range revocationStmts {
|
|
if err := dbtxn.ExecuteDBQueryDirect(ctx, db, nil, query); err != nil {
|
|
lastStmtError = err
|
|
}
|
|
}
|
|
|
|
// can't drop if not all privileges are revoked
|
|
if rows.Err() != nil {
|
|
return fmt.Errorf("could not generate revocation statements for all rows: %w", rows.Err())
|
|
}
|
|
if lastStmtError != nil {
|
|
return fmt.Errorf("could not perform all revocation statements: %w", lastStmtError)
|
|
}
|
|
|
|
// Drop this user
|
|
stmt, err = db.PrepareContext(ctx, fmt.Sprintf(
|
|
`DROP ROLE IF EXISTS %s;`, dbutil.QuoteIdentifier(username)))
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer stmt.Close()
|
|
if _, err := stmt.ExecContext(ctx); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (p *PostgreSQL) secretValues() map[string]string {
|
|
return map[string]string{
|
|
p.Password: "[password]",
|
|
}
|
|
}
|
|
|
|
func (p *PostgreSQL) PluginVersion() logical.PluginVersion {
|
|
return logical.PluginVersion{Version: ReportedVersion}
|
|
}
|
|
|
|
// containsMultilineStatement is a best effort to determine whether
|
|
// a particular statement is multiline, and therefore should not be
|
|
// split upon semicolons. If it's unsure, it defaults to false.
|
|
func containsMultilineStatement(stmt string) bool {
|
|
// We're going to look for the word "END", but first let's ignore
|
|
// anything the user provided within single or double quotes since
|
|
// we're looking for an "END" within the Postgres syntax.
|
|
literals, err := extractQuotedStrings(stmt)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
stmtWithoutLiterals := stmt
|
|
for _, literal := range literals {
|
|
stmtWithoutLiterals = strings.ReplaceAll(stmt, literal, "")
|
|
}
|
|
// Now look for the word "END" specifically. This will miss any
|
|
// representations of END that aren't surrounded by spaces, but
|
|
// it should be easy to change on the user's side.
|
|
return postgresEndStatement.MatchString(stmtWithoutLiterals)
|
|
}
|
|
|
|
// extractQuotedStrings extracts 0 or many substrings
|
|
// that have been single- or double-quoted. Ex:
|
|
// `"Hello", silly 'elephant' from the "zoo".`
|
|
// returns [ `Hello`, `'elephant'`, `"zoo"` ]
|
|
func extractQuotedStrings(s string) ([]string, error) {
|
|
var found []string
|
|
toFind := []*regexp.Regexp{
|
|
doubleQuotedPhrases,
|
|
singleQuotedPhrases,
|
|
}
|
|
for _, typeOfPhrase := range toFind {
|
|
found = append(found, typeOfPhrase.FindAllString(s, -1)...)
|
|
}
|
|
return found, nil
|
|
}
|