Add parameter to disable escaping the username and password for datab…

…ase connections
hashicorp · Dec 14, 2021 · 968c977 · 968c977
1 parent ed89970
commit 968c977
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 2 deletions.
diff --git a/builtin/logical/database/path_config_connection.go b/builtin/logical/database/path_config_connection.go
@@ -31,6 +31,8 @@ type DatabaseConfig struct {
 	RootCredentialsRotateStatements []string `json:"root_credentials_rotate_statements" structs:"root_credentials_rotate_statements" mapstructure:"root_credentials_rotate_statements"`
 
 	PasswordPolicy string `json:"password_policy" structs:"password_policy" mapstructure:"password_policy"`
+
+	DisableEscaping bool `json:"disable_escaping" structs:"disable_escaping" mapstructure:"disable_escaping"`
 }
 
 // pathResetConnection configures a path to reset a plugin.
@@ -119,6 +121,11 @@ func pathConfigurePluginConnection(b *databaseBackend) *framework.Path {
 				Type:        framework.TypeString,
 				Description: `Password policy to use when generating passwords.`,
 			},
+			"disable_escaping": {
+				Type: framework.TypeBool,
+				Description: `If true, special characters in the username and
+				password will not be escaped when connecting to the database.`,
+			},
 		},
 
 		ExistenceCheck: b.connectionExistenceCheck(),
@@ -284,6 +291,10 @@ func (b *databaseBackend) connectionWriteHandler() framework.OperationFunc {
 			config.PasswordPolicy = passwordPolicyRaw.(string)
 		}
 
+		if disableEscapingRaw, ok := data.GetOk("disable_escaping"); ok {
+			config.DisableEscaping = disableEscapingRaw.(bool)
+		}
+
 		// Remove these entries from the data before we store it keyed under
 		// ConnectionDetails.
 		delete(data.Raw, "name")
@@ -292,6 +303,7 @@ func (b *databaseBackend) connectionWriteHandler() framework.OperationFunc {
 		delete(data.Raw, "verify_connection")
 		delete(data.Raw, "root_rotation_statements")
 		delete(data.Raw, "password_policy")
+		delete(data.Raw, "disable_escaping")
 
 		id, err := uuid.GenerateUUID()
 		if err != nil {
@@ -311,6 +323,7 @@ func (b *databaseBackend) connectionWriteHandler() framework.OperationFunc {
 				config.ConnectionDetails[k] = v
 			}
 		}
+		config.ConnectionDetails["disable_escaping"] = config.DisableEscaping
 
 		// Create a database plugin and initialize it.
 		dbw, err := newDatabaseWrapper(ctx, config.PluginName, b.System(), b.logger)

diff --git a/sdk/database/helper/connutil/sql.go b/sdk/database/helper/connutil/sql.go
@@ -56,15 +56,22 @@ func (c *SQLConnectionProducer) Init(ctx context.Context, conf map[string]interf
 	}
 
 	// Don't escape special characters for MySQL password
+	// Also don't escape special characters for the username and password if
+	// the disable_escaping parameter is set to true
+	disableEscaping := c.RawConfig["disable_escaping"].(bool)
+	username := c.Username
 	password := c.Password
-	if c.Type != "mysql" {
+	if !disableEscaping {
+		username = url.PathEscape(c.Username)
+	}
+	if (c.Type != "mysql") && !disableEscaping {
 		password = url.PathEscape(c.Password)
 	}
 
 	// QueryHelper doesn't do any SQL escaping, but if it starts to do so
 	// then maybe we won't be able to use it to do URL substitution any more.
 	c.ConnectionURL = dbutil.QueryHelper(c.ConnectionURL, map[string]string{
-		"username": url.PathEscape(c.Username),
+		"username": username,
 		"password": password,
 	})