mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-08 07:37:01 +02:00
Code Issues Projects Releases Wiki Activity
0b34b73c47
vault/plugins/database/postgresql/postgresql.go
Christopher Swenson 0b34b73c47
Check if plugin version matches running version (#17182) 
Check if plugin version matches running version

When registering a plugin, we check if the request version matches the
self-reported version from the plugin. If these do not match, we log a
warning.

This uncovered a few missing pieces for getting the database version
code fully working.

We added an environment variable that helps us unit test the running
version behavior as well, but only for approle, postgresql, and consul
plugins.

Return 400 on plugin not found or version mismatch

Populate the running SHA256 of plugins in the mount and auth tables (#17217)
2022-09-21 12:25:04 -07:00

517 lines
14 KiB
Go
Raw Blame History

package postgresql
import (
"context"
"database/sql"
"fmt"
"regexp"
"strings"
"github.com/hashicorp/go-multierror"
"github.com/hashicorp/go-secure-stdlib/strutil"
"github.com/hashicorp/vault/sdk/database/dbplugin/v5"
"github.com/hashicorp/vault/sdk/database/helper/connutil"
"github.com/hashicorp/vault/sdk/database/helper/dbutil"
"github.com/hashicorp/vault/sdk/helper/dbtxn"
"github.com/hashicorp/vault/sdk/helper/template"
"github.com/hashicorp/vault/sdk/logical"
_ "github.com/jackc/pgx/v4/stdlib"
)
const (
postgreSQLTypeName = "pgx"
defaultExpirationStatement = `
ALTER ROLE "{{name}}" VALID UNTIL '{{expiration}}';
`
defaultChangePasswordStatement = `
ALTER ROLE "{{username}}" WITH PASSWORD '{{password}}';
`
expirationFormat = "2006-01-02 15:04:05-0700"
defaultUserNameTemplate = `{{ printf "v-%s-%s-%s-%s" (.DisplayName | truncate 8) (.RoleName | truncate 8) (random 20) (unix_time) | truncate 63 }}`
)
var (
_ dbplugin.Database = (*PostgreSQL)(nil)
_ logical.PluginVersioner = (*PostgreSQL)(nil)
// postgresEndStatement is basically the word "END" but
// surrounded by a word boundary to differentiate it from
// other words like "APPEND".
postgresEndStatement = regexp.MustCompile(`\bEND\b`)
// doubleQuotedPhrases finds substrings like "hello"
// and pulls them out with the quotes included.
doubleQuotedPhrases = regexp.MustCompile(`(".*?")`)
// singleQuotedPhrases finds substrings like 'hello'
// and pulls them out with the quotes included.
singleQuotedPhrases = regexp.MustCompile(`('.*?')`)
// ReportedVersion is used to report a specific version to Vault.
ReportedVersion = ""
)
func New() (interface{}, error) {
db := new()
// Wrap the plugin with middleware to sanitize errors
dbType := dbplugin.NewDatabaseErrorSanitizerMiddleware(db, db.secretValues)
return dbType, nil
}
func new() *PostgreSQL {
connProducer := &connutil.SQLConnectionProducer{}
connProducer.Type = postgreSQLTypeName
db := &PostgreSQL{
SQLConnectionProducer: connProducer,
}
return db
}
type PostgreSQL struct {
*connutil.SQLConnectionProducer
usernameProducer template.StringTemplate
}
func (p *PostgreSQL) Initialize(ctx context.Context, req dbplugin.InitializeRequest) (dbplugin.InitializeResponse, error) {
newConf, err := p.SQLConnectionProducer.Init(ctx, req.Config, req.VerifyConnection)
if err != nil {
return dbplugin.InitializeResponse{}, err
}
usernameTemplate, err := strutil.GetString(req.Config, "username_template")
if err != nil {
return dbplugin.InitializeResponse{}, fmt.Errorf("failed to retrieve username_template: %w", err)
}
if usernameTemplate == "" {
usernameTemplate = defaultUserNameTemplate
}
up, err := template.NewTemplate(template.Template(usernameTemplate))
if err != nil {
return dbplugin.InitializeResponse{}, fmt.Errorf("unable to initialize username template: %w", err)
}
p.usernameProducer = up
_, err = p.usernameProducer.Generate(dbplugin.UsernameMetadata{})
if err != nil {
return dbplugin.InitializeResponse{}, fmt.Errorf("invalid username template: %w", err)
}
resp := dbplugin.InitializeResponse{
Config: newConf,
}
return resp, nil
}
func (p *PostgreSQL) Type() (string, error) {
return postgreSQLTypeName, nil
}
func (p *PostgreSQL) getConnection(ctx context.Context) (*sql.DB, error) {
db, err := p.Connection(ctx)
if err != nil {
return nil, err
}
return db.(*sql.DB), nil
}
func (p *PostgreSQL) UpdateUser(ctx context.Context, req dbplugin.UpdateUserRequest) (dbplugin.UpdateUserResponse, error) {
if req.Username == "" {
return dbplugin.UpdateUserResponse{}, fmt.Errorf("missing username")
}
if req.Password == nil && req.Expiration == nil {
return dbplugin.UpdateUserResponse{}, fmt.Errorf("no changes requested")
}
merr := &multierror.Error{}
if req.Password != nil {
err := p.changeUserPassword(ctx, req.Username, req.Password)
merr = multierror.Append(merr, err)
}
if req.Expiration != nil {
err := p.changeUserExpiration(ctx, req.Username, req.Expiration)
merr = multierror.Append(merr, err)
}
return dbplugin.UpdateUserResponse{}, merr.ErrorOrNil()
}
func (p *PostgreSQL) changeUserPassword(ctx context.Context, username string, changePass *dbplugin.ChangePassword) error {
stmts := changePass.Statements.Commands
if len(stmts) == 0 {
stmts = []string{defaultChangePasswordStatement}
}
password := changePass.NewPassword
if password == "" {
return fmt.Errorf("missing password")
}
p.Lock()
defer p.Unlock()
db, err := p.getConnection(ctx)
if err != nil {
return fmt.Errorf("unable to get connection: %w", err)
}
// Check if the role exists
var exists bool
err = db.QueryRowContext(ctx, "SELECT exists (SELECT rolname FROM pg_roles WHERE rolname=$1);", username).Scan(&exists)
if err != nil && err != sql.ErrNoRows {
return fmt.Errorf("user does not appear to exist: %w", err)
}
tx, err := db.BeginTx(ctx, nil)
if err != nil {
return fmt.Errorf("unable to start transaction: %w", err)
}
defer tx.Rollback()
for _, stmt := range stmts {
for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") {
query = strings.TrimSpace(query)
if len(query) == 0 {
continue
}
m := map[string]string{
"name": username,
"username": username,
"password": password,
}
if err := dbtxn.ExecuteTxQueryDirect(ctx, tx, m, query); err != nil {
return fmt.Errorf("failed to execute query: %w", err)
}
}
}
if err := tx.Commit(); err != nil {
return err
}
return nil
}
func (p *PostgreSQL) changeUserExpiration(ctx context.Context, username string, changeExp *dbplugin.ChangeExpiration) error {
p.Lock()
defer p.Unlock()
renewStmts := changeExp.Statements.Commands
if len(renewStmts) == 0 {
renewStmts = []string{defaultExpirationStatement}
}
db, err := p.getConnection(ctx)
if err != nil {
return err
}
tx, err := db.BeginTx(ctx, nil)
if err != nil {
return err
}
defer func() {
tx.Rollback()
}()
expirationStr := changeExp.NewExpiration.Format(expirationFormat)
for _, stmt := range renewStmts {
for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") {
query = strings.TrimSpace(query)
if len(query) == 0 {
continue
}
m := map[string]string{
"name": username,
"username": username,
"expiration": expirationStr,
}
if err := dbtxn.ExecuteTxQueryDirect(ctx, tx, m, query); err != nil {
return err
}
}
}
return tx.Commit()
}
func (p *PostgreSQL) NewUser(ctx context.Context, req dbplugin.NewUserRequest) (dbplugin.NewUserResponse, error) {
if len(req.Statements.Commands) == 0 {
return dbplugin.NewUserResponse{}, dbutil.ErrEmptyCreationStatement
}
p.Lock()
defer p.Unlock()
username, err := p.usernameProducer.Generate(req.UsernameConfig)
if err != nil {
return dbplugin.NewUserResponse{}, err
}
expirationStr := req.Expiration.Format(expirationFormat)
db, err := p.getConnection(ctx)
if err != nil {
return dbplugin.NewUserResponse{}, fmt.Errorf("unable to get connection: %w", err)
}
tx, err := db.BeginTx(ctx, nil)
if err != nil {
return dbplugin.NewUserResponse{}, fmt.Errorf("unable to start transaction: %w", err)
}
defer tx.Rollback()
for _, stmt := range req.Statements.Commands {
if containsMultilineStatement(stmt) {
// Execute it as-is.
m := map[string]string{
"name": username,
"username": username,
"password": req.Password,
"expiration": expirationStr,
}
if err := dbtxn.ExecuteTxQueryDirect(ctx, tx, m, stmt); err != nil {
return dbplugin.NewUserResponse{}, fmt.Errorf("failed to execute query: %w", err)
}
continue
}
// Otherwise, it's fine to split the statements on the semicolon.
for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") {
query = strings.TrimSpace(query)
if len(query) == 0 {
continue
}
m := map[string]string{
"name": username,
"username": username,
"password": req.Password,
"expiration": expirationStr,
}
if err := dbtxn.ExecuteTxQueryDirect(ctx, tx, m, query); err != nil {
return dbplugin.NewUserResponse{}, fmt.Errorf("failed to execute query: %w", err)
}
}
}
if err := tx.Commit(); err != nil {
return dbplugin.NewUserResponse{}, err
}
resp := dbplugin.NewUserResponse{
Username: username,
}
return resp, nil
}
func (p *PostgreSQL) DeleteUser(ctx context.Context, req dbplugin.DeleteUserRequest) (dbplugin.DeleteUserResponse, error) {
p.Lock()
defer p.Unlock()
if len(req.Statements.Commands) == 0 {
return dbplugin.DeleteUserResponse{}, p.defaultDeleteUser(ctx, req.Username)
}
return dbplugin.DeleteUserResponse{}, p.customDeleteUser(ctx, req.Username, req.Statements.Commands)
}
func (p *PostgreSQL) customDeleteUser(ctx context.Context, username string, revocationStmts []string) error {
db, err := p.getConnection(ctx)
if err != nil {
return err
}
tx, err := db.BeginTx(ctx, nil)
if err != nil {
return err
}
defer func() {
tx.Rollback()
}()
for _, stmt := range revocationStmts {
for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") {
query = strings.TrimSpace(query)
if len(query) == 0 {
continue
}
m := map[string]string{
"name": username,
"username": username,
}
if err := dbtxn.ExecuteTxQueryDirect(ctx, tx, m, query); err != nil {
return err
}
}
}
return tx.Commit()
}
func (p *PostgreSQL) defaultDeleteUser(ctx context.Context, username string) error {
db, err := p.getConnection(ctx)
if err != nil {
return err
}
// Check if the role exists
var exists bool
err = db.QueryRowContext(ctx, "SELECT exists (SELECT rolname FROM pg_roles WHERE rolname=$1);", username).Scan(&exists)
if err != nil && err != sql.ErrNoRows {
return err
}
if !exists {
return nil
}
// Query for permissions; we need to revoke permissions before we can drop
// the role
// This isn't done in a transaction because even if we fail along the way,
// we want to remove as much access as possible
stmt, err := db.PrepareContext(ctx, "SELECT DISTINCT table_schema FROM information_schema.role_column_grants WHERE grantee=$1;")
if err != nil {
return err
}
defer stmt.Close()
rows, err := stmt.QueryContext(ctx, username)
if err != nil {
return err
}
defer rows.Close()
const initialNumRevocations = 16
revocationStmts := make([]string, 0, initialNumRevocations)
for rows.Next() {
var schema string
err = rows.Scan(&schema)
if err != nil {
// keep going; remove as many permissions as possible right now
continue
}
revocationStmts = append(revocationStmts, fmt.Sprintf(
`REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA %s FROM %s;`,
(schema),
dbutil.QuoteIdentifier(username)))
revocationStmts = append(revocationStmts, fmt.Sprintf(
`REVOKE USAGE ON SCHEMA %s FROM %s;`,
dbutil.QuoteIdentifier(schema),
dbutil.QuoteIdentifier(username)))
}
// for good measure, revoke all privileges and usage on schema public
revocationStmts = append(revocationStmts, fmt.Sprintf(
`REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM %s;`,
dbutil.QuoteIdentifier(username)))
revocationStmts = append(revocationStmts, fmt.Sprintf(
"REVOKE ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public FROM %s;",
dbutil.QuoteIdentifier(username)))
revocationStmts = append(revocationStmts, fmt.Sprintf(
"REVOKE USAGE ON SCHEMA public FROM %s;",
dbutil.QuoteIdentifier(username)))
// get the current database name so we can issue a REVOKE CONNECT for
// this username
var dbname sql.NullString
if err := db.QueryRowContext(ctx, "SELECT current_database();").Scan(&dbname); err != nil {
return err
}
if dbname.Valid {
revocationStmts = append(revocationStmts, fmt.Sprintf(
`REVOKE CONNECT ON DATABASE %s FROM %s;`,
dbutil.QuoteIdentifier(dbname.String),
dbutil.QuoteIdentifier(username)))
}
// again, here, we do not stop on error, as we want to remove as
// many permissions as possible right now
var lastStmtError error
for _, query := range revocationStmts {
if err := dbtxn.ExecuteDBQueryDirect(ctx, db, nil, query); err != nil {
lastStmtError = err
}
}
// can't drop if not all privileges are revoked
if rows.Err() != nil {
return fmt.Errorf("could not generate revocation statements for all rows: %w", rows.Err())
}
if lastStmtError != nil {
return fmt.Errorf("could not perform all revocation statements: %w", lastStmtError)
}
// Drop this user
stmt, err = db.PrepareContext(ctx, fmt.Sprintf(
`DROP ROLE IF EXISTS %s;`, dbutil.QuoteIdentifier(username)))
if err != nil {
return err
}
defer stmt.Close()
if _, err := stmt.ExecContext(ctx); err != nil {
return err
}
return nil
}
func (p *PostgreSQL) secretValues() map[string]string {
return map[string]string{
p.Password: "[password]",
}
}
func (p *PostgreSQL) PluginVersion() logical.PluginVersion {
return logical.PluginVersion{Version: ReportedVersion}
}
// containsMultilineStatement is a best effort to determine whether
// a particular statement is multiline, and therefore should not be
// split upon semicolons. If it's unsure, it defaults to false.
func containsMultilineStatement(stmt string) bool {
// We're going to look for the word "END", but first let's ignore
// anything the user provided within single or double quotes since
// we're looking for an "END" within the Postgres syntax.
literals, err := extractQuotedStrings(stmt)
if err != nil {
return false
}
stmtWithoutLiterals := stmt
for _, literal := range literals {
stmtWithoutLiterals = strings.ReplaceAll(stmt, literal, "")
}
// Now look for the word "END" specifically. This will miss any
// representations of END that aren't surrounded by spaces, but
// it should be easy to change on the user's side.
return postgresEndStatement.MatchString(stmtWithoutLiterals)
}
// extractQuotedStrings extracts 0 or many substrings
// that have been single- or double-quoted. Ex:
// `"Hello", silly 'elephant' from the "zoo".`
// returns [ `Hello`, `'elephant'`, `"zoo"` ]
func extractQuotedStrings(s string) ([]string, error) {
var found []string
toFind := []*regexp.Regexp{
doubleQuotedPhrases,
singleQuotedPhrases,
}
for _, typeOfPhrase := range toFind {
found = append(found, typeOfPhrase.FindAllString(s, -1)...)
}
return found, nil
}
Reference in New Issue View Git Blame Copy Permalink