Constants ¶
const SupportedCredentialTypesKey = "supported_credential_types"
SupportedCredentialTypesKey is used to get and set the supported CredentialType values in database plugins and Vault.
Variables ¶
// ErrPluginShutdown is the sentinel error for a plugin that has already been
// shut down. Callers should test for it with errors.Is rather than comparing
// error strings.
var ErrPluginShutdown = errors.New("plugin shutdown")
// HandshakeConfig is the go-plugin handshake shared by Vault and every
// database plugin. The magic cookie is a fixed, public constant compiled into
// both sides, so a matching cookie only indicates that the executable was
// built as a database plugin for this protocol; it does not authenticate the
// plugin or the host and must not be relied on to establish trust in a plugin
// binary (see the note below: UX feature, not a security feature).
var HandshakeConfig = plugin.HandshakeConfig{
	MagicCookieKey:   "VAULT_DATABASE_PLUGIN",
	MagicCookieValue: "926a0820-aea2-be28-51d6-83cdf00e8edb",
}
HandshakeConfig is used to do a basic handshake between a plugin and the host. If the handshake fails, a user-friendly error is shown. This prevents users from accidentally executing a non-plugin binary or a plugin directory. It is a UX feature, not a security feature: the magic cookie is a fixed, public constant compiled into every plugin and host, so a matching cookie does not authenticate either side and must not be relied on to decide whether a plugin binary is trusted.
var PluginSets = map[int]plugin.PluginSet{ 5: { "database": &GRPCDatabasePlugin{}, }, 6: { "database": &GRPCDatabasePlugin{}, }, }
PluginSets is the map of plugins this package can dispense, keyed by plugin protocol version; both supported versions (5 and 6) serve the same GRPCDatabasePlugin under the "database" name.
Functions ¶
func Serve ¶
func Serve(db Database)
Serve is called from within a plugin binary. It wraps the provided Database implementation in a databasePluginRPCServer object and starts an RPC server for the host to connect to.
func ServeConfig ¶
func ServeConfig(db Database) *plugin.ServeConfig
func ServeConfigMultiplex ¶ added in v0.4.0
func ServeConfigMultiplex(factory Factory) *plugin.ServeConfig
func ServeMultiplex ¶ added in v0.4.0
func ServeMultiplex(factory Factory)
Types ¶
type ChangeExpiration ¶
type ChangeExpiration struct { // NewExpiration of the user NewExpiration time.Time // Statements is an ordered list of commands to run within the database // when changing the user's expiration. Statements Statements }
ChangeExpiration of a given user
type ChangePassword ¶
type ChangePassword struct { // NewPassword for the user NewPassword string // Statements is an ordered list of commands to run within the database // when changing the user's password. Statements Statements }
ChangePassword of a given user
type ChangePublicKey ¶ added in v0.5.0
type ChangePublicKey struct { // NewPublicKey is the new public key credential for the user. // The value is a PKIX marshaled, PEM encoded public key. NewPublicKey []byte // Statements is an ordered list of commands to run within the database // when changing the user's public key credential. Statements Statements }
ChangePublicKey of a given user
type CredentialType ¶ added in v0.5.0
type CredentialType int
CredentialType is a type of database credential.
const ( CredentialTypePassword CredentialType = iota CredentialTypeRSAPrivateKey CredentialTypeClientCertificate )
func CredentialTypeString ¶ added in v0.13.0
func CredentialTypeString(s string) (CredentialType, error)
CredentialTypeString retrieves an enum value from its string name. It returns an error if the string does not name a member of the enum.
func CredentialTypeValues ¶ added in v0.13.0
func CredentialTypeValues() []CredentialType
CredentialTypeValues returns all values of the enum
func (CredentialType) IsACredentialType ¶ added in v0.13.0
func (i CredentialType) IsACredentialType() bool
IsACredentialType returns true if the value is one of the CredentialType constants defined in the enum, and false otherwise.
func (CredentialType) String ¶ added in v0.5.0
func (i CredentialType) String() string
type Database ¶
type Database interface { // Initialize the database plugin. This is the equivalent of a constructor for the // database object itself. Initialize(ctx context.Context, req InitializeRequest) (InitializeResponse, error) // NewUser creates a new user within the database. This user is temporary in that it // will exist until the TTL expires. NewUser(ctx context.Context, req NewUserRequest) (NewUserResponse, error) // UpdateUser updates an existing user within the database. UpdateUser(ctx context.Context, req UpdateUserRequest) (UpdateUserResponse, error) // DeleteUser from the database. This should not error if the user didn't // exist prior to this call. DeleteUser(ctx context.Context, req DeleteUserRequest) (DeleteUserResponse, error) // Type returns the Name for the particular database backend implementation. // This type name is usually set as a constant within the database backend // implementation, e.g. "mysql" for the MySQL database backend. This is used // for things like metrics and logging. No behavior is switched on this. Type() (string, error) // Close attempts to close the underlying database connection that was // established by the backend. Close() error }
Database to manipulate users within an external system (typically a database).
func NewPluginClient ¶
func NewPluginClient(ctx context.Context, sys pluginutil.RunnerUtil, config pluginutil.PluginClientConfig) (Database, error)
NewPluginClient returns a databaseRPCClient with a connection to a running plugin.
func PluginFactory ¶
func PluginFactory(ctx context.Context, pluginName string, sys pluginutil.LookRunnerUtil, logger log.Logger) (Database, error)
PluginFactory is used to build plugin database types. It wraps the database object in a logging and metrics middleware.
func PluginFactoryVersion ¶ added in v0.6.0
func PluginFactoryVersion(ctx context.Context, pluginName string, pluginVersion string, sys pluginutil.LookRunnerUtil, logger log.Logger) (Database, error)
PluginFactoryVersion is used to build plugin database types with a version specified. It wraps the database object in a logging and metrics middleware.
type DatabaseErrorSanitizerMiddleware ¶
// DatabaseErrorSanitizerMiddleware wraps a Database and rewrites the errors it
// returns so that secret values do not leak through error text. Construct it
// with NewDatabaseErrorSanitizerMiddleware, which also takes the secretsFn
// that supplies the values to redact.
type DatabaseErrorSanitizerMiddleware struct {
	// contains filtered or unexported fields
}
DatabaseErrorSanitizerMiddleware wraps a Database implementation and sanitizes the error messages it returns, so that secret values (those made available through the secretsFn passed to NewDatabaseErrorSanitizerMiddleware) do not leak to callers or logs via error text.
func NewDatabaseErrorSanitizerMiddleware ¶
func NewDatabaseErrorSanitizerMiddleware(next Database, secrets secretsFn) DatabaseErrorSanitizerMiddleware
func (DatabaseErrorSanitizerMiddleware) Close ¶
func (mw DatabaseErrorSanitizerMiddleware) Close() (err error)
func (DatabaseErrorSanitizerMiddleware) DeleteUser ¶
func (mw DatabaseErrorSanitizerMiddleware) DeleteUser(ctx context.Context, req DeleteUserRequest) (DeleteUserResponse, error)
func (DatabaseErrorSanitizerMiddleware) Initialize ¶
func (mw DatabaseErrorSanitizerMiddleware) Initialize(ctx context.Context, req InitializeRequest) (resp InitializeResponse, err error)
func (DatabaseErrorSanitizerMiddleware) NewUser ¶
func (mw DatabaseErrorSanitizerMiddleware) NewUser(ctx context.Context, req NewUserRequest) (resp NewUserResponse, err error)
func (DatabaseErrorSanitizerMiddleware) PluginVersion ¶ added in v0.6.1
func (mw DatabaseErrorSanitizerMiddleware) PluginVersion() logical.PluginVersion
func (DatabaseErrorSanitizerMiddleware) Type ¶
func (mw DatabaseErrorSanitizerMiddleware) Type() (string, error)
func (DatabaseErrorSanitizerMiddleware) UpdateUser ¶
func (mw DatabaseErrorSanitizerMiddleware) UpdateUser(ctx context.Context, req UpdateUserRequest) (UpdateUserResponse, error)
type DatabasePluginClient ¶
type DatabasePluginClient struct { Database // contains filtered or unexported fields }
func (*DatabasePluginClient) Close ¶
func (dc *DatabasePluginClient) Close() error
Close wraps the embedded Database's Close call and ensures both that the database connection is closed and that the plugin process is killed, so a finished or failed plugin does not linger.
func (*DatabasePluginClient) PluginVersion ¶ added in v0.6.0
func (dc *DatabasePluginClient) PluginVersion() logical.PluginVersion
type DeleteUserRequest ¶
type DeleteUserRequest struct { // Username to delete from the database Username string // Statements is an ordered list of commands to run within the database // when deleting a user. Statements Statements }
type DeleteUserResponse ¶
type DeleteUserResponse struct{}
type Factory ¶ added in v0.4.0
type Factory func() (interface{}, error)
Factory is the factory function to create a dbplugin Database.
type GRPCDatabasePlugin ¶
type GRPCDatabasePlugin struct { FactoryFunc Factory Impl Database // Embeding this will disable the netRPC protocol plugin.NetRPCUnsupportedPlugin }
func (GRPCDatabasePlugin) GRPCClient ¶
func (GRPCDatabasePlugin) GRPCClient(doneCtx context.Context, _ *plugin.GRPCBroker, c *grpc.ClientConn) (interface{}, error)
func (GRPCDatabasePlugin) GRPCServer ¶
func (d GRPCDatabasePlugin) GRPCServer(_ *plugin.GRPCBroker, s *grpc.Server) error
type InitializeRequest ¶
type InitializeRequest struct { // Config to initialize the database with. This can include things like connection details, // a "root" username & password, etc. This will not include all configuration items specified // when configuring the database. Some values will be stripped out by the database engine // prior to being passed to the plugin. Config map[string]interface{} // VerifyConnection during initialization. If true, a connection should be made to the // database to verify the connection can be made. If false, no connection should be made // on initialization. VerifyConnection bool }
InitializeRequest contains all information needed to initialize a database plugin.
type InitializeResponse ¶
type InitializeResponse struct { // Config that should be saved in Vault. This may differ from the config in the request, // but should contain everything required to Initialize the database. // REQUIRED in order to save the configuration into Vault after initialization Config map[string]interface{} }
InitializeResponse returns any information Vault needs to know after initializing a database plugin.
func (InitializeResponse) SetSupportedCredentialTypes ¶ added in v0.5.0
func (ir InitializeResponse) SetSupportedCredentialTypes(credTypes []CredentialType)
SetSupportedCredentialTypes sets the CredentialType values that are supported by the database plugin. Database plugins use it to advertise which CredentialType values they support managing; the values are recorded in the response Config under SupportedCredentialTypesKey.
type NewUserRequest ¶
type NewUserRequest struct { // UsernameConfig is metadata that can be used to generate a username // within the database plugin UsernameConfig UsernameMetadata // Statements is an ordered list of commands to run within the database when // creating a new user. This frequently includes permissions to give the // user or similar actions. Statements Statements // RollbackStatements is an ordered list of commands to run within the database // if the new user creation process fails. RollbackStatements Statements // CredentialType is the type of credential to use when creating a user. // Respective fields for the credential type will contain the credential // value that was generated by Vault. CredentialType CredentialType // Password credential to use when creating the user. // Value is set when the credential type is CredentialTypePassword. Password string // PublicKey credential to use when creating the user. // The value is a PKIX marshaled, PEM encoded public key. // The value is set when the credential type is CredentialTypeRSAPrivateKey. PublicKey []byte // Subject is the distinguished name for the client certificate credential. // Value is set when the credential type is CredentialTypeClientCertificate. Subject string // Expiration of the user. Not all database plugins will support this. Expiration time.Time }
NewUserRequest requests that a new user be created.
type NewUserResponse ¶
type NewUserResponse struct { // Username of the user created within the database. // REQUIRED so Vault knows the name of the user that was created Username string }
NewUserResponse returns any information Vault needs to know after creating a new user.
type Statements ¶
type Statements struct { // Commands is an ordered list of commands to execute in the database. // These commands may include templated fields such as {{username}} and {{password}} Commands []string }
Statements wraps a collection of statements to run in a database when an operation is performed (create, update, etc.). It is a struct rather than a plain string slice so more information can be added later without breaking the interface. Note that Commands may contain templated fields such as {{username}} and {{password}}; once those are rendered the strings hold live credentials and must be handled as secrets (never logged or surfaced in error messages).
type UpdateUserRequest ¶
type UpdateUserRequest struct { // Username to make changes to. Username string // CredentialType is the type of credential to use when updating a user. // Respective fields for the credential type will contain the credential // value that was generated by Vault. CredentialType CredentialType // Password indicates the new password to change to. // The value is set when the credential type is CredentialTypePassword. // If nil, no change is requested. Password *ChangePassword // PublicKey indicates the new public key to change to. // The value is set when the credential type is CredentialTypeRSAPrivateKey. // If nil, no change is requested. PublicKey *ChangePublicKey // Expiration indicates the new expiration date to change to. // If nil, no change is requested. Expiration *ChangeExpiration // SelfManagedPassword is the password for an externally managed user in the DB. // If this field is supplied, a DB connection is retrieved from the static // account cache for the particular DB plugin and used to update the password of // the self-managed static role. // *ENTERPRISE-ONLY* SelfManagedPassword string }
type UpdateUserResponse ¶
type UpdateUserResponse struct{}
type UsernameMetadata ¶
UsernameMetadata is metadata the database plugin can use to generate a username