aherman
/
boundary
mirror of https://github.com/hashicorp/boundary
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

feat(db): Add db migration to support vault password credential (#6129)

Browse Source
pull/6207/head
Justin Nguyen 7 months ago committed by Bharath Gajjala
parent 1c2bc2cc74
commit 3ab1019bc2
3 changed files with 226 additions and 3 deletions
Show Stats Download Patch File Download Diff File

4
internal/db/schema/migrations/oss/postgres/98/01_credential_static_username_password_domain_credential.up.sql
Unescape View File

@ -154,7 +154,7 @@ begin;
'credential_static_username_password_domain_credential_hst_aggregate contains the username password credential history data along with its store and purpose data.';
-- This constraint replaces the previous constraint created in 63/01_credential_vault_ssh_cert_library.up.sql
-- This constraint is replaced in 99/01_credential_static_password_credential.up.sql
alter table credential_type_enm
drop constraint only_predefined_credential_types_allowed;
@ -174,7 +174,7 @@ begin;
values ('username_password_domain');
-- This function replaces the previous function created in 71/14_recording_static_credential.up.sql
-- This function is updated in 99/01_credential_static_password_credential.up.sql.
create or replace function insert_recording_static_credentials() returns trigger
as $$
begin

2
internal/db/schema/migrations/oss/postgres/99/01_credential_static_password_credential.up.sql
Unescape View File

@ -135,7 +135,7 @@ begin;
comment on view credential_static_password_credential_hst_aggregate is
'credential_static_password_credential_hst_aggregate contains the password credential history data along with its store and purpose data.';
-- This constraint replaces the previous constraint created in 98/01_credential_static_username_password_domain_credential.up.sql
-- This constraint replaces the previous constraint created in 98/01_credential_static_username_password_domain_credential.up.sql
alter table credential_type_enm
drop constraint only_predefined_credential_types_allowed;

223
internal/db/schema/migrations/oss/postgres/99/02_credential_vault_password_library.up.sql
Unescape View File

@ -0,0 +1,223 @@
-- Copyright (c) HashiCorp, Inc.
-- SPDX-License-Identifier: BUSL-1.1
begin;
create table credential_vault_library_password_mapping_override (
library_id wt_public_id primary key
constraint credential_vault_library_fkey
references credential_vault_library (public_id)
on delete cascade
on update cascade
constraint credential_vault_library_mapping_override_fkey
references credential_vault_library_mapping_override (library_id)
on delete cascade
on update cascade,
password_attribute wt_sentinel
default wt_to_sentinel('no override')
not null
);
comment on table credential_vault_library_password_mapping_override is
'credential_vault_library_password_mapping_override is a table '
'where each row represents a mapping that overrides the default mapping '
'from a generic vault secret to a password credential type '
'for a vault credential library.';
create trigger insert_credential_vault_library_mapping_override_subtype before insert on credential_vault_library_password_mapping_override
for each row execute procedure insert_credential_vault_library_mapping_override_subtype();
create trigger delete_credential_vault_library_mapping_override_subtype after delete on credential_vault_library_password_mapping_override
for each row execute procedure delete_credential_vault_library_mapping_override_subtype();
-- Replaces view from 98/02_username_password_domain_vault.up.sql
drop view credential_vault_library_issue_credentials;
create view credential_vault_library_issue_credentials as
with
username_password_override (library_id, username_attribute, password_attribute) as (
select library_id,
nullif(username_attribute, wt_to_sentinel('no override')),
nullif(password_attribute, wt_to_sentinel('no override'))
from credential_vault_library_username_password_mapping_override
),
ssh_private_key_override (library_id, username_attribute, private_key_attribute, private_key_passphrase_attribute) as (
select library_id,
nullif(username_attribute, wt_to_sentinel('no override')),
nullif(private_key_attribute, wt_to_sentinel('no override')),
nullif(private_key_passphrase_attribute, wt_to_sentinel('no override'))
from credential_vault_library_ssh_private_key_mapping_override
),
username_password_domain_override (library_id, username_attribute, password_attribute, domain_attribute) as (
select library_id,
nullif(username_attribute, wt_to_sentinel('no override')),
nullif(password_attribute, wt_to_sentinel('no override')),
nullif(domain_attribute, wt_to_sentinel('no override'))
from credential_vault_library_username_password_domain_mapping_ovrd
),
password_override (library_id, password_attribute) as (
select library_id,
nullif(password_attribute, wt_to_sentinel('no override'))
from credential_vault_library_password_mapping_override
)
select library.public_id as public_id,
library.store_id as store_id,
library.name as name,
library.description as description,
library.create_time as create_time,
library.update_time as update_time,
library.version as version,
library.vault_path as vault_path,
library.http_method as http_method,
library.http_request_body as http_request_body,
library.credential_type as credential_type,
null as key_type,
null as key_bits,
null as username,
null as ttl,
null as key_id,
null as critical_options,
null as extensions,
store.project_id as project_id,
store.vault_address as vault_address,
store.namespace as namespace,
store.ca_cert as ca_cert,
store.tls_server_name as tls_server_name,
store.tls_skip_verify as tls_skip_verify,
store.worker_filter as worker_filter,
store.ct_token as ct_token, -- encrypted
store.token_hmac as token_hmac,
store.token_status as token_status,
store.token_key_id as token_key_id,
store.client_cert as client_cert,
store.ct_client_key as ct_client_key, -- encrypted
store.client_key_id as client_key_id,
coalesce(upasso.username_attribute, sshpk.username_attribute, pd.username_attribute)
as username_attribute,
coalesce(upasso.password_attribute, pd.password_attribute, po.password_attribute)
as password_attribute,
pd.domain_attribute as domain_attribute,
sshpk.private_key_attribute as private_key_attribute,
sshpk.private_key_passphrase_attribute as private_key_passphrase_attribute,
'generic' as cred_lib_type, -- used to switch on
null as additional_valid_principals
from credential_vault_library library
join credential_vault_store_client store
on library.store_id = store.public_id
left join username_password_override upasso
on library.public_id = upasso.library_id
left join ssh_private_key_override sshpk
on library.public_id = sshpk.library_id
left join username_password_domain_override pd
on library.public_id = pd.library_id
left join password_override po
on library.public_id = po.library_id
union
select library.public_id as public_id,
library.store_id as store_id,
library.name as name,
library.description as description,
library.create_time as create_time,
library.update_time as update_time,
library.version as version,
library.vault_path as vault_path,
null as http_method,
null as http_request_body,
library.credential_type as credential_type,
library.key_type as key_type,
library.key_bits as key_bits,
library.username as username,
library.ttl as ttl,
library.key_id as key_id,
library.critical_options as critical_options,
library.extensions as extensions,
store.project_id as project_id,
store.vault_address as vault_address,
store.namespace as namespace,
store.ca_cert as ca_cert,
store.tls_server_name as tls_server_name,
store.tls_skip_verify as tls_skip_verify,
store.worker_filter as worker_filter,
store.ct_token as ct_token, -- encrypted
store.token_hmac as token_hmac,
store.token_status as token_status,
store.token_key_id as token_key_id,
store.client_cert as client_cert,
store.ct_client_key as ct_client_key, -- encrypted
store.client_key_id as client_key_id,
null as username_attribute,
null as password_attribute,
null as domain_attribute,
null as private_key_attribute,
null as private_key_passphrase_attribute,
'ssh-signed-cert' as cred_lib_type, -- used to switch on
additional_valid_principals as additional_valid_principals
from credential_vault_ssh_cert_library library
join credential_vault_store_client store
on library.store_id = store.public_id;
comment on view credential_vault_library_issue_credentials is
'credential_vault_library_issue_credentials is a view where each row contains a credential library and the credential library''s data needed to connect to Vault. '
'This view should only be used when issuing credentials from a Vault credential library. Each row may contain encrypted data. '
'This view should not be used to retrieve data which will be returned external to boundary.';
-- Replaces view created in 98/02_username_password_domain_vault.up.sql
drop view credential_vault_library_list_lookup;
create view credential_vault_library_list_lookup as
with
username_password_override (library_id, username_attribute, password_attribute) as (
select library_id,
nullif(username_attribute, wt_to_sentinel('no override')),
nullif(password_attribute, wt_to_sentinel('no override'))
from credential_vault_library_username_password_mapping_override
),
ssh_private_key_override (library_id, username_attribute, private_key_attribute, private_key_passphrase_attribute) as (
select library_id,
nullif(username_attribute, wt_to_sentinel('no override')),
nullif(private_key_attribute, wt_to_sentinel('no override')),
nullif(private_key_passphrase_attribute, wt_to_sentinel('no override'))
from credential_vault_library_ssh_private_key_mapping_override
),
username_password_domain_override (library_id, username_attribute, password_attribute, domain_attribute) as (
select library_id,
nullif(username_attribute, wt_to_sentinel('no override')),
nullif(password_attribute, wt_to_sentinel('no override')),
nullif(domain_attribute, wt_to_sentinel('no override'))
from credential_vault_library_username_password_domain_mapping_ovrd
),
password_override (library_id, password_attribute) as (
select library_id,
nullif(password_attribute, wt_to_sentinel('no override'))
from credential_vault_library_password_mapping_override
)
select library.public_id as public_id,
library.store_id as store_id,
library.name as name,
library.description as description,
library.create_time as create_time,
library.update_time as update_time,
library.version as version,
library.vault_path as vault_path,
library.http_method as http_method,
library.http_request_body as http_request_body,
library.credential_type as credential_type,
coalesce(upasso.username_attribute, sshpk.username_attribute, pd.username_attribute)
as username_attribute,
coalesce(upasso.password_attribute, pd.password_attribute, po.password_attribute)
as password_attribute,
sshpk.private_key_attribute as private_key_attribute,
sshpk.private_key_passphrase_attribute as private_key_passphrase_attribute,
pd.domain_attribute as domain_attribute
from credential_vault_library library
left join username_password_override upasso
on library.public_id = upasso.library_id
left join ssh_private_key_override sshpk
on library.public_id = sshpk.library_id
left join username_password_domain_override pd
on library.public_id = pd.library_id
left join password_override po
on library.public_id = po.library_id;
comment on view credential_vault_library_list_lookup is
'credential_vault_library_list_lookup is a view where each row contains a credential library and any of library''s credential mapping overrides. '
'No encrypted data is returned. This view can be used to retrieve data which will be returned external to boundary.';
commit;
Write Preview
Loading…
Cancel
Save