Combined Database Backend: Static Accounts

builtin/credential/cert/backend_test.go

@@ -1163,8 +1163,8 @@ func TestBackend_email_singleCert(t *testing.T) {
 		Subject: pkix.Name{
 			CommonName: "example.com",
 		},
-		EmailAddresses:    []string{"[email protected]"},
-		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
+		EmailAddresses: []string{"[email protected]"},
+		IPAddresses:    []net.IP{net.ParseIP("127.0.0.1")},
 		ExtKeyUsage: []x509.ExtKeyUsage{
 			x509.ExtKeyUsageServerAuth,
 			x509.ExtKeyUsageClientAuth,

builtin/logical/database/backend.go

@@ -14,11 +14,17 @@ import (
 	"github.com/hashicorp/vault/sdk/database/dbplugin"
 	"github.com/hashicorp/vault/sdk/database/helper/dbutil"
 	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/locksutil"
 	"github.com/hashicorp/vault/sdk/helper/strutil"
 	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/sdk/queue"
 )
 
-const databaseConfigPath = "database/config/"
+const (
+	databaseConfigPath     = "database/config/"
+	databaseRolePath       = "role/"
+	databaseStaticRolePath = "static-role/"
+)
 
 type dbPluginInstance struct {
 	sync.RWMutex
@@ -46,6 +52,14 @@ func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend,
 	if err := b.Setup(ctx, conf); err != nil {
 		return nil, err
 	}
+
+	b.credRotationQueue = queue.New()
+	// Create a context with a cancel method for processing any WAL entries and
+	// populating the queue
+	ctx, cancel := context.WithCancel(ctx)
+	b.cancelQueue = cancel
+	// Load queue and kickoff new periodic ticker
+	go b.initQueue(ctx, conf)
 	return b, nil
 }
 
@@ -55,31 +69,39 @@ func Backend(conf *logical.BackendConfig) *databaseBackend {
 		Help: strings.TrimSpace(backendHelp),
 
 		PathsSpecial: &logical.Paths{
+			LocalStorage: []string{
+				framework.WALPrefix,
+			},
 			SealWrapStorage: []string{
 				"config/*",
+				"static-role/*",
 			},
 		},
-
-		Paths: []*framework.Path{
-			pathListPluginConnection(&b),
-			pathConfigurePluginConnection(&b),
+		Paths: framework.PathAppend(
+			[]*framework.Path{
+				pathListPluginConnection(&b),
+				pathConfigurePluginConnection(&b),
+				pathResetConnection(&b),
+			},
 			pathListRoles(&b),
 			pathRoles(&b),
 			pathCredsCreate(&b),
-			pathResetConnection(&b),
 			pathRotateCredentials(&b),
-		},
+		),
 
 		Secrets: []*framework.Secret{
 			secretCreds(&b),
 		},
-		Clean:       b.closeAllDBs,
+		Clean:       b.clean,
 		Invalidate:  b.invalidate,
 		BackendType: logical.TypeLogical,
 	}
 
 	b.logger = conf.Logger
 	b.connections = make(map[string]*dbPluginInstance)
+
+	b.roleLocks = locksutil.CreateLocks()
+
 	return &b
 }
 
@@ -89,6 +111,20 @@ type databaseBackend struct {
 
 	*framework.Backend
 	sync.RWMutex
+	// CredRotationQueue is an in-memory priority queue used to track Static Roles
+	// that require periodic rotation. Backends will have a PriorityQueue
+	// initialized on setup, but only backends that are mounted by a primary
+	// server or mounted as a local mount will perform the rotations.
+	//
+	// cancelQueue is used to remove the priority queue and terminate the
+	// background ticker.
+	credRotationQueue *queue.PriorityQueue
+	cancelQueue       context.CancelFunc
+
+	// roleLocks is used to lock modifications to roles in the queue, to ensure
+	// concurrent requests are not modifying the same role and possibly causing
+	// issues with the priority queue.
+	roleLocks []*locksutil.LockEntry
 }
 
 func (b *databaseBackend) DatabaseConfig(ctx context.Context, s logical.Storage, name string) (*DatabaseConfig, error) {
@@ -124,7 +160,15 @@ type upgradeCheck struct {
 }
 
 func (b *databaseBackend) Role(ctx context.Context, s logical.Storage, roleName string) (*roleEntry, error) {
-	entry, err := s.Get(ctx, "role/"+roleName)
+	return b.roleAtPath(ctx, s, roleName, databaseRolePath)
+}
+
+func (b *databaseBackend) StaticRole(ctx context.Context, s logical.Storage, roleName string) (*roleEntry, error) {
+	return b.roleAtPath(ctx, s, roleName, databaseStaticRolePath)
+}
+
+func (b *databaseBackend) roleAtPath(ctx context.Context, s logical.Storage, roleName string, pathPrefix string) (*roleEntry, error) {
+	entry, err := s.Get(ctx, pathPrefix+roleName)
 	if err != nil {
 		return nil, err
 	}
@@ -228,6 +272,17 @@ func (b *databaseBackend) GetConnection(ctx context.Context, s logical.Storage,
 	return db, nil
 }
 
+// invalidateQueue cancels any background queue loading and destroys the queue.
+func (b *databaseBackend) invalidateQueue() {
+	b.Lock()
+	defer b.Unlock()
+
+	if b.cancelQueue != nil {
+		b.cancelQueue()
+	}
+	b.credRotationQueue = nil
+}
+
 // ClearConnection closes the database connection and
 // removes it from the b.connections map.
 func (b *databaseBackend) ClearConnection(name string) error {
@@ -267,8 +322,13 @@ func (b *databaseBackend) CloseIfShutdown(db *dbPluginInstance, err error) {
 	}
 }
 
-// closeAllDBs closes all connections from all database types
-func (b *databaseBackend) closeAllDBs(ctx context.Context) {
+// clean closes all connections from all database types
+// and cancels any rotation queue loading operation.
+func (b *databaseBackend) clean(ctx context.Context) {
+	// invalidateQueue acquires it's own lock on the backend, removes queue, and
+	// terminates the background ticker
+	b.invalidateQueue()
+
 	b.Lock()
 	defer b.Unlock()
 

builtin/logical/database/backend_test.go

@@ -56,7 +56,7 @@ func preparePostgresTestContainer(t *testing.T, s logical.Storage, b logical.Bac
 
 	retURL = fmt.Sprintf("postgres://postgres:secret@localhost:%s/database?sslmode=disable", resource.GetPort("5432/tcp"))
 
-	// exponential backoff-retry
+	// Exponential backoff-retry
 	if err = pool.Retry(func() error {
 		// This will cause a validation to run
 		resp, err := b.HandleRequest(namespace.RootContext(nil), &logical.Request{
@@ -101,12 +101,12 @@ func getCluster(t *testing.T) (*vault.TestCluster, logical.SystemView) {
 	os.Setenv(pluginutil.PluginCACertPEMEnv, cluster.CACertPEMFile)
 
 	sys := vault.TestDynamicSystemView(cores[0].Core)
-	vault.TestAddTestPlugin(t, cores[0].Core, "postgresql-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain", []string{}, "")
+	vault.TestAddTestPlugin(t, cores[0].Core, "postgresql-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_Postgres", []string{}, "")
 
 	return cluster, sys
 }
 
-func TestBackend_PluginMain(t *testing.T) {
+func TestBackend_PluginMain_Postgres(t *testing.T) {
 	if os.Getenv(pluginutil.PluginUnwrapTokenEnv) == "" {
 		return
 	}
@@ -850,17 +850,6 @@ func TestBackend_roleCrud(t *testing.T) {
 			t.Fatalf("err:%s resp:%#v\n", err, resp)
 		}
 
-		exists, err := b.pathRoleExistenceCheck()(context.Background(), req, &framework.FieldData{
-			Raw:    data,
-			Schema: pathRoles(b).Fields,
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-		if exists {
-			t.Fatal("expected not exists")
-		}
-
 		// Read the role
 		data = map[string]interface{}{}
 		req = &logical.Request{
@@ -920,17 +909,6 @@ func TestBackend_roleCrud(t *testing.T) {
 			t.Fatalf("err:%v resp:%#v\n", err, resp)
 		}
 
-		exists, err := b.pathRoleExistenceCheck()(context.Background(), req, &framework.FieldData{
-			Raw:    data,
-			Schema: pathRoles(b).Fields,
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-		if !exists {
-			t.Fatal("expected exists")
-		}
-
 		// Read the role
 		data = map[string]interface{}{}
 		req = &logical.Request{
@@ -994,17 +972,6 @@ func TestBackend_roleCrud(t *testing.T) {
 			t.Fatalf("err:%v resp:%#v\n", err, resp)
 		}
 
-		exists, err := b.pathRoleExistenceCheck()(context.Background(), req, &framework.FieldData{
-			Raw:    data,
-			Schema: pathRoles(b).Fields,
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-		if !exists {
-			t.Fatal("expected exists")
-		}
-
 		// Read the role
 		data = map[string]interface{}{}
 		req = &logical.Request{

builtin/logical/database/dbplugin/plugin_test.go

@@ -22,6 +22,8 @@ type mockPlugin struct {
 	users map[string][]string
 }
 
+var _ dbplugin.Database = &mockPlugin{}
+
 func (m *mockPlugin) Type() (string, error) { return "mock", nil }
 func (m *mockPlugin) CreateUser(_ context.Context, statements dbplugin.Statements, usernameConf dbplugin.UsernameConfig, expiration time.Time) (username string, password string, err error) {
 	err = errors.New("err")
@@ -86,6 +88,14 @@ func (m *mockPlugin) Close() error {
 	return nil
 }
 
+func (m *mockPlugin) GenerateCredentials(ctx context.Context) (password string, err error) {
+	return password, err
+}
+
+func (m *mockPlugin) SetCredentials(ctx context.Context, statements dbplugin.Statements, staticConfig dbplugin.StaticUserConfig) (username string, password string, err error) {
+	return username, password, err
+}
+
 func getCluster(t *testing.T) (*vault.TestCluster, logical.SystemView) {
 	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,

builtin/logical/database/path_creds_create.go

@@ -11,22 +11,40 @@ import (
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
-func pathCredsCreate(b *databaseBackend) *framework.Path {
-	return &framework.Path{
-		Pattern: "creds/" + framework.GenericNameRegex("name"),
-		Fields: map[string]*framework.FieldSchema{
-			"name": &framework.FieldSchema{
-				Type:        framework.TypeString,
-				Description: "Name of the role.",
+func pathCredsCreate(b *databaseBackend) []*framework.Path {
+	return []*framework.Path{
+		&framework.Path{
+			Pattern: "creds/" + framework.GenericNameRegex("name"),
+			Fields: map[string]*framework.FieldSchema{
+				"name": &framework.FieldSchema{
+					Type:        framework.TypeString,
+					Description: "Name of the role.",
+				},
+			},
+
+			Callbacks: map[logical.Operation]framework.OperationFunc{
+				logical.ReadOperation: b.pathCredsCreateRead(),
 			},
-		},
 
-		Callbacks: map[logical.Operation]framework.OperationFunc{
-			logical.ReadOperation: b.pathCredsCreateRead(),
+			HelpSynopsis:    pathCredsCreateReadHelpSyn,
+			HelpDescription: pathCredsCreateReadHelpDesc,
 		},
+		&framework.Path{
+			Pattern: "static-creds/" + framework.GenericNameRegex("name"),
+			Fields: map[string]*framework.FieldSchema{
+				"name": &framework.FieldSchema{
+					Type:        framework.TypeString,
+					Description: "Name of the static role.",
+				},
+			},
 
-		HelpSynopsis:    pathCredsCreateReadHelpSyn,
-		HelpDescription: pathCredsCreateReadHelpDesc,
+			Callbacks: map[logical.Operation]framework.OperationFunc{
+				logical.ReadOperation: b.pathStaticCredsRead(),
+			},
+
+			HelpSynopsis:    pathStaticCredsReadHelpSyn,
+			HelpDescription: pathStaticCredsReadHelpDesc,
+		},
 	}
 }
 
@@ -99,6 +117,41 @@ func (b *databaseBackend) pathCredsCreateRead() framework.OperationFunc {
 	}
 }
 
+func (b *databaseBackend) pathStaticCredsRead() framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+		name := data.Get("name").(string)
+
+		role, err := b.StaticRole(ctx, req.Storage, name)
+		if err != nil {
+			return nil, err
+		}
+		if role == nil {
+			return logical.ErrorResponse("unknown role: %s", name), nil
+		}
+
+		dbConfig, err := b.DatabaseConfig(ctx, req.Storage, role.DBName)
+		if err != nil {
+			return nil, err
+		}
+
+		// If role name isn't in the database's allowed roles, send back a
+		// permission denied.
+		if !strutil.StrListContains(dbConfig.AllowedRoles, "*") && !strutil.StrListContainsGlob(dbConfig.AllowedRoles, name) {
+			return nil, fmt.Errorf("%q is not an allowed role", name)
+		}
+
+		return &logical.Response{
+			Data: map[string]interface{}{
+				"username":            role.StaticAccount.Username,
+				"password":            role.StaticAccount.Password,
+				"ttl":                 role.StaticAccount.PasswordTTL().Seconds(),
+				"rotation_period":     role.StaticAccount.RotationPeriod.Seconds(),
+				"last_vault_rotation": role.StaticAccount.LastVaultRotation,
+			},
+		}, nil
+	}
+}
+
 const pathCredsCreateReadHelpSyn = `
 Request database credentials for a certain role.
 `
@@ -108,3 +161,14 @@ This path reads database credentials for a certain role. The
 database credentials will be generated on demand and will be automatically
 revoked when the lease is up.
 `
+
+const pathStaticCredsReadHelpSyn = `
+Request database credentials for a certain static role. These credentials are
+rotated periodically.
+`
+
+const pathStaticCredsReadHelpDesc = `
+This path reads database credentials for a certain static role. The database
+credentials are rotated periodically according to their configuration, and will
+return the same password until they are rotated.
+`