Backport 1.7.x: #11585 & #11601 - DB Engine bugfix for falling back to RotateRootCredentials (#11631)
pcman312 authored May 17, 2021
1 parent f4cdca4 commit 8e96383
Showing 4 changed files with 33 additions and 3 deletions.
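--- a/builtin/logical/database/rollback.go
+++ b/builtin/logical/database/rollback.go
@@ -4,6 +4,8 @@ import (
 "context"
 "errors"
 
+"github.com/hashicorp/vault/sdk/database/dbplugin"
+
 v5 "github.com/hashicorp/vault/sdk/database/dbplugin/v5"
 "github.com/hashicorp/vault/sdk/logical"
 "github.com/mitchellh/mapstructure"
@@ -104,7 +106,7 @@ func (b *databaseBackend) rollbackDatabaseCredentials(ctx context.Context, confi
 // It actually is the root user here, but we only want to use SetCredentials since
 // RotateRootCredentials doesn't give any control over what password is used
 _, err = dbi.database.UpdateUser(ctx, updateReq, false)
-if status.Code(err) == codes.Unimplemented {
+if status.Code(err) == codes.Unimplemented || err == dbplugin.ErrPluginStaticUnsupported {
 return nil
 }
 return err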
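Review bot: The new condition after the UpdateUser call compares the sentinel with `==`, so an ErrPluginStaticUnsupported that has been wrapped anywhere on the way back (fmt.Errorf with %w, or a middleware layer) would not be recognized and the rollback would surface an error instead of taking the intended no-op path; the file already imports `errors`, so `if status.Code(err) == codes.Unimplemented || errors.Is(err, dbplugin.ErrPluginStaticUnsupported) {` is the safer form. The version_wrapper.go hunk in this commit uses the same `err == v4.ErrPluginStaticUnsupported` comparison and would benefit from the same change. Returning nil here also deserves a one-line comment making the intent explicit, e.g. `// The plugin cannot change this password at all, so there is nothing to roll back; treat it as a no-op rather than an error`, since a reader may otherwise read it as a swallowed failure. rollbackDatabaseCredentials begins and ends outside this hunk.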
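--- a/builtin/logical/database/version_wrapper.go
+++ b/builtin/logical/database/version_wrapper.go
@@ -152,7 +152,7 @@ func (d databaseVersionWrapper) changePasswordLegacy(ctx context.Context, userna
 err = d.changeUserPasswordLegacy(ctx, username, passwordChange)
 
 // If changing the root user's password but SetCredentials is unimplemented, fall back to RotateRootCredentials
-if isRootUser && status.Code(err) == codes.Unimplemented {
+if isRootUser && (err == v4.ErrPluginStaticUnsupported || status.Code(err) == codes.Unimplemented) {
 saveConfig, err = d.changeRootUserPasswordLegacy(ctx, passwordChange)
 if err != nil {
 return nil, err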
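Review bot: The comment above the changed `if` still describes only the gRPC Unimplemented case, while the condition now also triggers on the in-process sentinel, so the two no longer match; suggest `// If changing the root user's password but SetCredentials is unsupported (gRPC Unimplemented, or ErrPluginStaticUnsupported from an in-process plugin), fall back to RotateRootCredentials`. Whether the sentinel arrives unwrapped from changeUserPasswordLegacy is not visible in this hunk, so the comment should not promise more than the condition checks. changePasswordLegacy starts and ends outside this hunk.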
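--- a/builtin/logical/database/version_wrapper_test.go
+++ b/builtin/logical/database/version_wrapper_test.go
@@ -8,6 +8,7 @@ import (
 "testing"
 "time"
 
+v4 "github.com/hashicorp/vault/sdk/database/dbplugin"
 v5 "github.com/hashicorp/vault/sdk/database/dbplugin/v5"
 "github.com/hashicorp/vault/sdk/logical"
 "github.com/stretchr/testify/mock"
@@ -672,7 +673,7 @@ func TestUpdateUser_legacyDB(t *testing.T) {
 expectedConfig: nil,
 expectErr: true,
 },
-"change password - RotateRootCredentials": {
+"change password - RotateRootCredentials (gRPC Unimplemented)": {
 req: v5.UpdateUserRequest{
 Username: "existing_user",
 Password: &v5.ChangePassword{
@@ -696,6 +697,30 @@ func TestUpdateUser_legacyDB(t *testing.T) {
 },
 expectErr: false,
 },
+"change password - RotateRootCredentials (ErrPluginStaticUnsupported)": {
+req: v5.UpdateUserRequest{
+Username: "existing_user",
+Password: &v5.ChangePassword{
+NewPassword: "newpassowrd",
+},
+},
+isRootUser: true,
+
+setCredentialsErr: v4.ErrPluginStaticUnsupported,
+setCredentialsCalls: 1,
+
+rotateRootConfig: map[string]interface{}{
+"foo": "bar",
+},
+rotateRootCalls: 1,
+
+renewUserCalls: 0,
+
+expectedConfig: map[string]interface{}{
+"foo": "bar",
+},
+expectErr: false,
+},
 "change password - RotateRootCredentials failed": {
 req: v5.UpdateUserRequest{
 Username: "existing_user",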
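Review bot: The new "(ErrPluginStaticUnsupported)" case only exercises the version_wrapper.go fallback; nothing in the four changed files covers the parallel change in rollback.go, where a v4 plugin returning ErrPluginStaticUnsupported during rollbackDatabaseCredentials is now expected to yield nil, so a regression there would go unnoticed. A sibling case driving the rollback path with `setCredentialsErr: v4.ErrPluginStaticUnsupported` and asserting a nil error would close that gap; its exact shape depends on the rollback test scaffolding, which is outside this page. The fixture literal `"newpassowrd"` on the NewPassword line carries a typo; it is only test data, but it is presumably copied from the neighbouring cases, so fixing it consistently is a small cleanup. TestUpdateUser_legacyDB starts and ends outside these hunks.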
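--- /dev/null
+++ b/changelog/11585.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/database: Fixes issue for V4 database interface where `SetCredentials` wasn't falling back to using `RotateRootCredentials` if `SetCredentials` is `Unimplemented`
+```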
