diff --git a/CHANGELOG.md b/CHANGELOG.md index bd660f6bce..b4181635f0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,10 @@ Canonical reference for changes, improvements, and bugfixes for Boundary. ### Deprecations/Changes +* Credential Libraries: The `user_password` credential type has been renamed to + `username_password` to remove any inconsistency over what the credential type is. + All existing `user_password` typed credential libraries will be migrated to + `username_password` ([PR](https://github.com/hashicorp/boundary/pull/2154)). * controller: Change the default behavior of the session list endpoint to no longer include sessions in a terminated state and introduces a new query parameter/cli flag to include the terminated sessions. @@ -28,8 +32,6 @@ Canonical reference for changes, improvements, and bugfixes for Boundary. documentation](https://www.boundaryproject.io/docs/concepts/security/permissions/assignable-permissions) for more details. -### Bug Fixes - ## 0.8.1 (2022/05/13) ### Bug Fixes diff --git a/internal/credential/credential.go b/internal/credential/credential.go index fbb8d2afb5..33e46cb0b9 100644 --- a/internal/credential/credential.go +++ b/internal/credential/credential.go @@ -26,8 +26,8 @@ type Type string // Credential type values. const ( - UnspecifiedType Type = "unspecified" - UserPasswordType Type = "user_password" + UnspecifiedType Type = "unspecified" + UsernamePasswordType Type = "username_password" ) // A Library is a resource that provides credentials that are of the same diff --git a/internal/credential/vault/credential_library_test.go b/internal/credential/vault/credential_library_test.go index c6e165b7e8..b4eb68c1ff 100644 --- a/internal/credential/vault/credential_library_test.go +++ b/internal/credential/vault/credential_library_test.go 
@@ -214,7 +214,7 @@ func TestCredentialLibrary_New(t *testing.T) { vaultPath: "vault/path", opts: []Option{ WithMethod(MethodGet), - WithCredentialType(credential.UserPasswordType), + WithCredentialType(credential.UsernamePasswordType), }, }, want: &CredentialLibrary{ @@ -222,7 +222,7 @@ func TestCredentialLibrary_New(t *testing.T) { StoreId: cs.PublicId, VaultPath: "vault/path", HttpMethod: string(MethodGet), - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, }, @@ -233,7 +233,7 @@ func TestCredentialLibrary_New(t *testing.T) { vaultPath: "vault/path", opts: []Option{ WithMethod(MethodGet), - WithCredentialType(credential.UserPasswordType), + WithCredentialType(credential.UsernamePasswordType), WithMappingOverride(NewUserPasswordOverride(WithOverrideUsernameAttribute("test"))), }, }, @@ -243,7 +243,7 @@ func TestCredentialLibrary_New(t *testing.T) { StoreId: cs.PublicId, VaultPath: "vault/path", HttpMethod: string(MethodGet), - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, }, @@ -262,8 +262,8 @@ func TestCredentialLibrary_New(t *testing.T) { assert.Equal(tt.want, got) switch ct := tt.want.GetCredentialType(); ct { - case string(credential.UserPasswordType): - assert.Equal(credential.UserPasswordType, got.CredentialType()) + case string(credential.UsernamePasswordType): + assert.Equal(credential.UsernamePasswordType, got.CredentialType()) case string(credential.UnspecifiedType), "": assert.Equal(credential.UnspecifiedType, got.CredentialType()) default: diff --git a/internal/credential/vault/mapping_overriders.go b/internal/credential/vault/mapping_overriders.go index cf2b4d8897..29d1d8e13a 100644 --- a/internal/credential/vault/mapping_overriders.go +++ b/internal/credential/vault/mapping_overriders.go 
@@ -15,7 +15,7 @@ func validMappingOverride(m MappingOverride, ct credential.Type) bool {
 case nil:
 return true // it is always valid to not specify a mapping override
 case *UserPasswordOverride:
- return ct == credential.UserPasswordType
+ return ct == credential.UsernamePasswordType
 default:
 return false // an unknown mapping override type is never valid
 }
diff --git a/internal/credential/vault/mapping_overriders_test.go b/internal/credential/vault/mapping_overriders_test.go
index 735645ed11..a7f35e9807 100644
--- a/internal/credential/vault/mapping_overriders_test.go
+++ b/internal/credential/vault/mapping_overriders_test.go
@@ -34,7 +34,7 @@ func TestValidMappingOverrides(t *testing.T) {
 },
 {
 m: nil,
- ct: credential.UserPasswordType,
+ ct: credential.UsernamePasswordType,
 want: true,
 },
 {
@@ -44,7 +44,7 @@ func TestValidMappingOverrides(t *testing.T) {
 },
 {
 m: unknownMapper(1),
- ct: credential.UserPasswordType,
+ ct: credential.UsernamePasswordType,
 want: false,
 },
 {
@@ -54,7 +54,7 @@ func TestValidMappingOverrides(t *testing.T) {
 },
 {
 m: allocUserPasswordOverride(),
- ct: credential.UserPasswordType,
+ ct: credential.UsernamePasswordType,
 want: true,
 },
 }
diff --git a/internal/credential/vault/options_test.go b/internal/credential/vault/options_test.go
index eabbb98bb4..759abb7939 100644
--- a/internal/credential/vault/options_test.go
+++ b/internal/credential/vault/options_test.go
@@ -85,9 +85,9 @@ func Test_GetOpts(t *testing.T) {
 assert.Equal(t, opts, testOpts)
 })
 t.Run("WithCredentialType", func(t *testing.T) {
- opts := getOpts(WithCredentialType(credential.UserPasswordType))
+ opts := getOpts(WithCredentialType(credential.UsernamePasswordType))
 testOpts := getDefaultOptions()
- testOpts.withCredentialType = credential.UserPasswordType
+ testOpts.withCredentialType = credential.UsernamePasswordType
 assert.Equal(t, opts, testOpts)
 })
 t.Run("WithOverrideUsernameAttribute", func(t *testing.T) {
diff --git a/internal/credential/vault/private_library.go b/internal/credential/vault/private_library.go
index e3947fcb57..76f7505174 100644
--- a/internal/credential/vault/private_library.go
+++ b/internal/credential/vault/private_library.go
@@ -47,7 +47,7 @@ func (bc *baseCred) getExpiration() time.Duration { return bc.expiration }
 // UnspecifiedType.
 func convert(ctx context.Context, bc *baseCred) (dynamicCred, error) {
 switch bc.Library().CredentialType() {
- case credential.UserPasswordType:
+ case credential.UsernamePasswordType:
 return baseToUsrPass(ctx, bc)
 }
 return bc, nil
@@ -59,7 +59,7 @@ func baseToUsrPass(ctx context.Context, bc *baseCred) (*usrPassCred, error) {
 return nil, errors.E(ctx, errors.WithCode(errors.InvalidParameter), errors.WithMsg("nil baseCred"))
 case bc.lib == nil:
 return nil, errors.E(ctx, errors.WithCode(errors.InvalidParameter), errors.WithMsg("nil baseCred.lib"))
- case bc.Library().CredentialType() != credential.UserPasswordType:
+ case bc.Library().CredentialType() != credential.UsernamePasswordType:
 return nil, errors.E(ctx, errors.WithCode(errors.InvalidParameter), errors.WithMsg("invalid credential type"))
 }
diff --git a/internal/credential/vault/private_library_test.go b/internal/credential/vault/private_library_test.go
index c2f71b62ff..76bdb94f4b 100644
--- a/internal/credential/vault/private_library_test.go
+++ b/internal/credential/vault/private_library_test.go
@@ -115,7 +115,7 @@ func TestRepository_getPrivateLibraries(t *testing.T) {
 }
 {
 opts := []Option{
- WithCredentialType(credential.UserPasswordType),
+ WithCredentialType(credential.UsernamePasswordType),
 }
 libIn, err := NewCredentialLibrary(origStore.GetPublicId(), "/vault/path", opts...)
 assert.NoError(err)
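Review bot: `convert` in private_library.go has no `default` branch, so a library whose stored type is anything other than `username_password` is handed back as the untyped base credential with a nil error. After the rename that includes a leftover `user_password` value, which can only be ruled out by the migration and the upgrade ordering, neither of which this hunk shows. An explicit `case credential.UnspecifiedType: return bc, nil` plus a `default:` that returns an `errors.InvalidParameter` error would make a stale value fail loudly instead of being brokered as an unspecified secret. The same question applies to the switches in `toStorageVaultLibrary`, `validateMapping` and `getMappingUpdates` in credentiallibrary_service.go, whose default branches lie outside their hunks; `convert` itself closes just past the end of this hunk.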
@@ -129,7 +129,7 @@ func TestRepository_getPrivateLibraries(t *testing.T) { } { opts := []Option{ - WithCredentialType(credential.UserPasswordType), + WithCredentialType(credential.UsernamePasswordType), WithMappingOverride(NewUserPasswordOverride( WithOverrideUsernameAttribute("test-username"), )), @@ -146,7 +146,7 @@ func TestRepository_getPrivateLibraries(t *testing.T) { } { opts := []Option{ - WithCredentialType(credential.UserPasswordType), + WithCredentialType(credential.UsernamePasswordType), WithMappingOverride(NewUserPasswordOverride( WithOverridePasswordAttribute("test-password"), )), @@ -163,7 +163,7 @@ func TestRepository_getPrivateLibraries(t *testing.T) { } { opts := []Option{ - WithCredentialType(credential.UserPasswordType), + WithCredentialType(credential.UsernamePasswordType), WithMappingOverride(NewUserPasswordOverride( WithOverrideUsernameAttribute("test-username"), WithOverridePasswordAttribute("test-password"), @@ -336,7 +336,7 @@ func TestBaseToUsrPass(t *testing.T) { name: "invalid-no-username-default-password-attribute", given: &baseCred{ lib: &privateLibrary{ - CredType: string(credential.UserPasswordType), + CredType: string(credential.UsernamePasswordType), }, secretData: map[string]interface{}{ "password": "my-password", @@ -348,7 +348,7 @@ func TestBaseToUsrPass(t *testing.T) { name: "invalid-no-password-default-username-attribute", given: &baseCred{ lib: &privateLibrary{ - CredType: string(credential.UserPasswordType), + CredType: string(credential.UsernamePasswordType), }, secretData: map[string]interface{}{ "username": "my-username", @@ -360,7 +360,7 @@ func TestBaseToUsrPass(t *testing.T) { name: "valid-default-attributes", given: &baseCred{ lib: &privateLibrary{ - CredType: string(credential.UserPasswordType), + CredType: string(credential.UsernamePasswordType), }, secretData: map[string]interface{}{ "username": "my-username", 
@@ -376,7 +376,7 @@ func TestBaseToUsrPass(t *testing.T) { name: "valid-override-attributes", given: &baseCred{ lib: &privateLibrary{ - CredType: string(credential.UserPasswordType), + CredType: string(credential.UsernamePasswordType), UsernameAttribute: "test-username", PasswordAttribute: "test-password", }, @@ -396,7 +396,7 @@ func TestBaseToUsrPass(t *testing.T) { name: "valid-default-username-override-password", given: &baseCred{ lib: &privateLibrary{ - CredType: string(credential.UserPasswordType), + CredType: string(credential.UsernamePasswordType), PasswordAttribute: "test-password", }, secretData: map[string]interface{}{ @@ -415,7 +415,7 @@ func TestBaseToUsrPass(t *testing.T) { name: "valid-override-username-default-password", given: &baseCred{ lib: &privateLibrary{ - CredType: string(credential.UserPasswordType), + CredType: string(credential.UsernamePasswordType), UsernameAttribute: "test-username", }, secretData: map[string]interface{}{ @@ -434,7 +434,7 @@ func TestBaseToUsrPass(t *testing.T) { name: "invalid-username-override", given: &baseCred{ lib: &privateLibrary{ - CredType: string(credential.UserPasswordType), + CredType: string(credential.UsernamePasswordType), UsernameAttribute: "missing-username", }, secretData: map[string]interface{}{ @@ -450,7 +450,7 @@ func TestBaseToUsrPass(t *testing.T) { name: "invalid-password-override", given: &baseCred{ lib: &privateLibrary{ - CredType: string(credential.UserPasswordType), + CredType: string(credential.UsernamePasswordType), UsernameAttribute: "missing-password", }, secretData: map[string]interface{}{ @@ -466,7 +466,7 @@ func TestBaseToUsrPass(t *testing.T) { name: "invalid-kv2-no-metadata-field", given: &baseCred{ lib: &privateLibrary{ - CredType: string(credential.UserPasswordType), + CredType: string(credential.UsernamePasswordType), }, secretData: map[string]interface{}{ "data": map[string]interface{}{ 
@@ -481,7 +481,7 @@ func TestBaseToUsrPass(t *testing.T) { name: "invalid-kv2-no-data-field", given: &baseCred{ lib: &privateLibrary{ - CredType: string(credential.UserPasswordType), + CredType: string(credential.UsernamePasswordType), }, secretData: map[string]interface{}{ "metadata": map[string]interface{}{}, @@ -493,7 +493,7 @@ func TestBaseToUsrPass(t *testing.T) { name: "invalid-kv2-no-username-default-password-attribute", given: &baseCred{ lib: &privateLibrary{ - CredType: string(credential.UserPasswordType), + CredType: string(credential.UsernamePasswordType), }, secretData: map[string]interface{}{ "metadata": map[string]interface{}{}, @@ -508,7 +508,7 @@ func TestBaseToUsrPass(t *testing.T) { name: "invalid-kv2-no-passsword-default-username-attribute", given: &baseCred{ lib: &privateLibrary{ - CredType: string(credential.UserPasswordType), + CredType: string(credential.UsernamePasswordType), }, secretData: map[string]interface{}{ "metadata": map[string]interface{}{}, @@ -523,7 +523,7 @@ func TestBaseToUsrPass(t *testing.T) { name: "invalid-kv2-invalid-metadata-type", given: &baseCred{ lib: &privateLibrary{ - CredType: string(credential.UserPasswordType), + CredType: string(credential.UsernamePasswordType), }, secretData: map[string]interface{}{ "metadata": "hello", @@ -539,7 +539,7 @@ func TestBaseToUsrPass(t *testing.T) { name: "invalid-kv2-invalid-metadata-type", given: &baseCred{ lib: &privateLibrary{ - CredType: string(credential.UserPasswordType), + CredType: string(credential.UsernamePasswordType), }, secretData: map[string]interface{}{ "metadata": map[string]interface{}{}, @@ -552,7 +552,7 @@ func TestBaseToUsrPass(t *testing.T) { name: "invalid-kv2-additional-field", given: &baseCred{ lib: &privateLibrary{ - CredType: string(credential.UserPasswordType), + CredType: string(credential.UsernamePasswordType), }, secretData: map[string]interface{}{ "bad-field": "hello", 
@@ -569,7 +569,7 @@ func TestBaseToUsrPass(t *testing.T) { name: "valid-kv2-default-attributes", given: &baseCred{ lib: &privateLibrary{ - CredType: string(credential.UserPasswordType), + CredType: string(credential.UsernamePasswordType), }, secretData: map[string]interface{}{ "metadata": map[string]interface{}{}, @@ -588,7 +588,7 @@ func TestBaseToUsrPass(t *testing.T) { name: "valid-kv2-override-attributes", given: &baseCred{ lib: &privateLibrary{ - CredType: string(credential.UserPasswordType), + CredType: string(credential.UsernamePasswordType), UsernameAttribute: "test-username", PasswordAttribute: "test-password", }, @@ -611,7 +611,7 @@ func TestBaseToUsrPass(t *testing.T) { name: "valid-kv2-default-username-override-password", given: &baseCred{ lib: &privateLibrary{ - CredType: string(credential.UserPasswordType), + CredType: string(credential.UsernamePasswordType), PasswordAttribute: "test-password", }, secretData: map[string]interface{}{ @@ -633,7 +633,7 @@ func TestBaseToUsrPass(t *testing.T) { name: "valid-kv2-override-username-default-password", given: &baseCred{ lib: &privateLibrary{ - CredType: string(credential.UserPasswordType), + CredType: string(credential.UsernamePasswordType), UsernameAttribute: "test-username", }, secretData: map[string]interface{}{ diff --git a/internal/credential/vault/repository_credential_library_test.go b/internal/credential/vault/repository_credential_library_test.go index 968e1cb06d..6676f973cc 100644 --- a/internal/credential/vault/repository_credential_library_test.go +++ b/internal/credential/vault/repository_credential_library_test.go @@ -171,7 +171,7 @@ func TestRepository_CreateCredentialLibrary(t *testing.T) { StoreId: cs.GetPublicId(), HttpMethod: "GET", VaultPath: "/some/path", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, want: &CredentialLibrary{ 
@@ -179,7 +179,7 @@ func TestRepository_CreateCredentialLibrary(t *testing.T) { StoreId: cs.GetPublicId(), HttpMethod: "GET", VaultPath: "/some/path", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, }, @@ -191,7 +191,7 @@ func TestRepository_CreateCredentialLibrary(t *testing.T) { StoreId: cs.GetPublicId(), HttpMethod: "GET", VaultPath: "/some/path", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, wantErr: errors.VaultInvalidMappingOverride, @@ -218,7 +218,7 @@ func TestRepository_CreateCredentialLibrary(t *testing.T) { StoreId: cs.GetPublicId(), HttpMethod: "GET", VaultPath: "/some/path", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, want: &CredentialLibrary{ @@ -229,7 +229,7 @@ func TestRepository_CreateCredentialLibrary(t *testing.T) { StoreId: cs.GetPublicId(), HttpMethod: "GET", VaultPath: "/some/path", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, }, @@ -243,7 +243,7 @@ func TestRepository_CreateCredentialLibrary(t *testing.T) { StoreId: cs.GetPublicId(), HttpMethod: "GET", VaultPath: "/some/path", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, want: &CredentialLibrary{ @@ -254,7 +254,7 @@ func TestRepository_CreateCredentialLibrary(t *testing.T) { StoreId: cs.GetPublicId(), HttpMethod: "GET", VaultPath: "/some/path", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, }, 
@@ -269,7 +269,7 @@ func TestRepository_CreateCredentialLibrary(t *testing.T) { StoreId: cs.GetPublicId(), HttpMethod: "GET", VaultPath: "/some/path", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, want: &CredentialLibrary{ @@ -281,7 +281,7 @@ func TestRepository_CreateCredentialLibrary(t *testing.T) { StoreId: cs.GetPublicId(), HttpMethod: "GET", VaultPath: "/some/path", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, }, @@ -761,7 +761,7 @@ func TestRepository_UpdateCredentialLibrary(t *testing.T) { CredentialLibrary: &store.CredentialLibrary{ HttpMethod: "GET", VaultPath: "/old/path", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, chgFn: changeVaultPath("/new/path"), @@ -771,7 +771,7 @@ func TestRepository_UpdateCredentialLibrary(t *testing.T) { CredentialLibrary: &store.CredentialLibrary{ HttpMethod: "GET", VaultPath: "/new/path", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, wantCount: 1, @@ -921,7 +921,7 @@ func TestRepository_UpdateCredentialLibrary(t *testing.T) { HttpMethod: "GET", VaultPath: "/some/path", Name: "test-name-repo", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, chgFn: changeCredentialType(credential.UnspecifiedType), @@ -939,7 +939,7 @@ func TestRepository_UpdateCredentialLibrary(t *testing.T) { HttpMethod: "GET", VaultPath: "/some/path", Name: "test-name-repo", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, chgFn: changeMappingOverride( 
@@ -956,7 +956,7 @@ func TestRepository_UpdateCredentialLibrary(t *testing.T) { HttpMethod: "GET", VaultPath: "/some/path", Name: "test-name-repo", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, wantCount: 1, @@ -972,7 +972,7 @@ func TestRepository_UpdateCredentialLibrary(t *testing.T) { HttpMethod: "GET", VaultPath: "/some/path", Name: "test-name-repo", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, chgFn: changeMappingOverride( @@ -989,7 +989,7 @@ func TestRepository_UpdateCredentialLibrary(t *testing.T) { HttpMethod: "GET", VaultPath: "/some/path", Name: "test-name-repo", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, wantCount: 1, @@ -1005,7 +1005,7 @@ func TestRepository_UpdateCredentialLibrary(t *testing.T) { HttpMethod: "GET", VaultPath: "/some/path", Name: "test-name-repo", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, chgFn: changeMappingOverride( @@ -1024,7 +1024,7 @@ func TestRepository_UpdateCredentialLibrary(t *testing.T) { HttpMethod: "GET", VaultPath: "/some/path", Name: "test-name-repo", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, wantCount: 1, @@ -1036,7 +1036,7 @@ func TestRepository_UpdateCredentialLibrary(t *testing.T) { HttpMethod: "GET", VaultPath: "/some/path", Name: "test-name-repo", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, chgFn: changeMappingOverride( 
@@ -1055,7 +1055,7 @@ func TestRepository_UpdateCredentialLibrary(t *testing.T) { HttpMethod: "GET", VaultPath: "/some/path", Name: "test-name-repo", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, wantCount: 1, @@ -1071,7 +1071,7 @@ func TestRepository_UpdateCredentialLibrary(t *testing.T) { HttpMethod: "GET", VaultPath: "/some/path", Name: "test-name-repo", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, chgFn: changeMappingOverride(nil), @@ -1081,7 +1081,7 @@ func TestRepository_UpdateCredentialLibrary(t *testing.T) { HttpMethod: "GET", VaultPath: "/some/path", Name: "test-name-repo", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, wantCount: 1, @@ -1324,7 +1324,7 @@ func TestRepository_LookupCredentialLibrary(t *testing.T) { StoreId: cs.GetPublicId(), HttpMethod: "GET", VaultPath: "/some/path", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, }, @@ -1338,7 +1338,7 @@ func TestRepository_LookupCredentialLibrary(t *testing.T) { StoreId: cs.GetPublicId(), HttpMethod: "GET", VaultPath: "/some/path", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, }, @@ -1352,7 +1352,7 @@ func TestRepository_LookupCredentialLibrary(t *testing.T) { StoreId: cs.GetPublicId(), HttpMethod: "GET", VaultPath: "/some/path", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, }, @@ -1367,7 +1367,7 @@ func TestRepository_LookupCredentialLibrary(t *testing.T) { StoreId: cs.GetPublicId(), HttpMethod: "GET", VaultPath: "/some/path", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, }, }, 
@@ -1528,7 +1528,7 @@ func TestRepository_DeleteCredentialLibrary(t *testing.T) { HttpMethod: "GET", VaultPath: "/some/path", Name: "test-name-repo", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, } @@ -1572,7 +1572,7 @@ func TestRepository_ListCredentialLibraries(t *testing.T) { HttpMethod: "GET", VaultPath: "/some/path", Name: "test-name-repo", - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }, } diff --git a/internal/credential/vault/repository_credentials_test.go b/internal/credential/vault/repository_credentials_test.go index 5dc45294d1..69cc145de2 100644 --- a/internal/credential/vault/repository_credentials_test.go +++ b/internal/credential/vault/repository_credentials_test.go @@ -128,7 +128,7 @@ func TestRepository_IssueCredentials(t *testing.T) { { libPath := path.Join("database", "creds", "opened") opts := []vault.Option{ - vault.WithCredentialType(credential.UserPasswordType), + vault.WithCredentialType(credential.UsernamePasswordType), } libIn, err := vault.NewCredentialLibrary(origStore.GetPublicId(), libPath, opts...) assert.NoError(t, err) @@ -141,7 +141,7 @@ func TestRepository_IssueCredentials(t *testing.T) { { libPath := path.Join("database", "creds", "opened") opts := []vault.Option{ - vault.WithCredentialType(credential.UserPasswordType), + vault.WithCredentialType(credential.UsernamePasswordType), vault.WithMappingOverride(vault.NewUserPasswordOverride( vault.WithOverrideUsernameAttribute("test-username"), vault.WithOverridePasswordAttribute("test-password"), 
@@ -158,7 +158,7 @@ func TestRepository_IssueCredentials(t *testing.T) { { libPath := path.Join("secret", "data", "my-secret") opts := []vault.Option{ - vault.WithCredentialType(credential.UserPasswordType), + vault.WithCredentialType(credential.UsernamePasswordType), } libIn, err := vault.NewCredentialLibrary(origStore.GetPublicId(), libPath, opts...) assert.NoError(t, err) @@ -326,7 +326,7 @@ func TestRepository_IssueCredentials(t *testing.T) { assert.NotZero(len(got)) for _, dc := range got { switch dc.Library().CredentialType() { - case credential.UserPasswordType: + case credential.UsernamePasswordType: if upc, ok := dc.(credential.UserPassword); ok { assert.NotEmpty(upc.Username()) assert.NotEmpty(upc.Password()) diff --git a/internal/daemon/controller/handlers/credentiallibraries/credentiallibrary_service.go b/internal/daemon/controller/handlers/credentiallibraries/credentiallibrary_service.go index 1df38bffdc..c3f00856f2 100644 --- a/internal/daemon/controller/handlers/credentiallibraries/credentiallibrary_service.go +++ b/internal/daemon/controller/handlers/credentiallibraries/credentiallibrary_service.go @@ -579,7 +579,7 @@ func toStorageVaultLibrary(storeId string, in *pb.CredentialLibrary) (out *vault credentialType := credential.Type(in.GetCredentialType()) switch credentialType { - case credential.UserPasswordType: + case credential.UsernamePasswordType: opts = append(opts, vault.WithCredentialType(credentialType)) overrides := in.CredentialMappingOverrides.AsMap() var mapOpts []vault.Option @@ -694,7 +694,7 @@ func validateMapping(badFields map[string]string, credentialType credential.Type badFields[globals.CredentialMappingOverridesField] = fmt.Sprintf("This field can only be set if %q is set", globals.CredentialTypeField) } return - case credential.UserPasswordType: + case credential.UsernamePasswordType: validFields[usernameAttribute] = true validFields[passwordAttribute] = true default: 
@@ -734,7 +734,7 @@ func getMappingUpdates(credentialType credential.Type, current vault.MappingOver } switch credentialType { - case credential.UserPasswordType: + case credential.UsernamePasswordType: var currentUser, currentPass interface{} if overrides, ok := current.(*vault.UserPasswordOverride); ok { currentUser = overrides.UsernameAttribute diff --git a/internal/daemon/controller/handlers/credentiallibraries/credentiallibrary_service_test.go b/internal/daemon/controller/handlers/credentiallibraries/credentiallibrary_service_test.go index 94d53b8291..6209941ed8 100644 --- a/internal/daemon/controller/handlers/credentiallibraries/credentiallibrary_service_test.go +++ b/internal/daemon/controller/handlers/credentiallibraries/credentiallibrary_service_test.go @@ -318,7 +318,7 @@ func TestCreate(t *testing.T) { err: handlers.ApiErrorWithCode(codes.InvalidArgument), }, { - name: "Invalid user_password mapping", + name: "Invalid username_password mapping", req: &pbs.CreateCredentialLibraryRequest{Item: &pb.CredentialLibrary{ CredentialStoreId: store.GetPublicId(), Attrs: &pb.CredentialLibrary_VaultCredentialLibraryAttributes{ @@ -326,7 +326,7 @@ func TestCreate(t *testing.T) { Path: wrapperspb.String("something"), }, }, - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), CredentialMappingOverrides: func() *structpb.Struct { v := map[string]interface{}{ usernameAttribute: "user-test", @@ -410,7 +410,7 @@ func TestCreate(t *testing.T) { }, }, { - name: "Create a valid vault CredentialLibrary user_password type", + name: "Create a valid vault CredentialLibrary username_password type", req: &pbs.CreateCredentialLibraryRequest{Item: &pb.CredentialLibrary{ CredentialStoreId: store.GetPublicId(), Attrs: &pb.CredentialLibrary_VaultCredentialLibraryAttributes{ 
@@ -418,7 +418,7 @@ func TestCreate(t *testing.T) { Path: wrapperspb.String("something"), }, }, - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }}, idPrefix: vault.CredentialLibraryPrefix + "_", res: &pbs.CreateCredentialLibraryResponse{ @@ -437,13 +437,13 @@ func TestCreate(t *testing.T) { HttpMethod: wrapperspb.String("GET"), }, }, - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), AuthorizedActions: testAuthorizedActions, }, }, }, { - name: "Create a valid vault CredentialLibrary user_password type with username mapping", + name: "Create a valid vault CredentialLibrary username_password type with username mapping", req: &pbs.CreateCredentialLibraryRequest{Item: &pb.CredentialLibrary{ CredentialStoreId: store.GetPublicId(), Attrs: &pb.CredentialLibrary_VaultCredentialLibraryAttributes{ @@ -459,7 +459,7 @@ func TestCreate(t *testing.T) { require.NoError(t, err) return ret }(), - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }}, idPrefix: vault.CredentialLibraryPrefix + "_", res: &pbs.CreateCredentialLibraryResponse{ @@ -478,7 +478,7 @@ func TestCreate(t *testing.T) { HttpMethod: wrapperspb.String("GET"), }, }, - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), CredentialMappingOverrides: func() *structpb.Struct { v := map[string]interface{}{ usernameAttribute: "user-test", @@ -492,7 +492,7 @@ func TestCreate(t *testing.T) { }, }, { - name: "Create a valid vault CredentialLibrary user_password type with username/password mapping", + name: "Create a valid vault CredentialLibrary username_password type with username/password mapping", req: &pbs.CreateCredentialLibraryRequest{Item: &pb.CredentialLibrary{ CredentialStoreId: store.GetPublicId(), Attrs: &pb.CredentialLibrary_VaultCredentialLibraryAttributes{ 
@@ -509,7 +509,7 @@ func TestCreate(t *testing.T) { require.NoError(t, err) return ret }(), - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), }}, idPrefix: vault.CredentialLibraryPrefix + "_", res: &pbs.CreateCredentialLibraryResponse{ @@ -528,7 +528,7 @@ func TestCreate(t *testing.T) { HttpMethod: wrapperspb.String("GET"), }, }, - CredentialType: string(credential.UserPasswordType), + CredentialType: string(credential.UsernamePasswordType), CredentialMappingOverrides: func() *structpb.Struct { v := map[string]interface{}{ usernameAttribute: "user-test", @@ -607,7 +607,7 @@ func TestGet(t *testing.T) { repo, err := repoFn() require.NoError(t, err) lib, err := vault.NewCredentialLibrary(store.GetPublicId(), "vault/path", - vault.WithCredentialType("user_password"), + vault.WithCredentialType("username_password"), vault.WithMappingOverride( vault.NewUserPasswordOverride( vault.WithOverrideUsernameAttribute("user"), @@ -664,7 +664,7 @@ func TestGet(t *testing.T) { HttpMethod: wrapperspb.String(userPassLib.GetHttpMethod()), }, }, - CredentialType: "user_password", + CredentialType: "username_password", CredentialMappingOverrides: func() *structpb.Struct { v := map[string]interface{}{ usernameAttribute: "user", @@ -903,7 +903,7 @@ func TestUpdate(t *testing.T) { { name: "user-password-attributes-change-username-attribute", opts: []vault.Option{ - vault.WithCredentialType("user_password"), + vault.WithCredentialType("username_password"), vault.WithMappingOverride( vault.NewUserPasswordOverride( vault.WithOverrideUsernameAttribute("orig-user"), @@ -932,7 +932,7 @@ func TestUpdate(t *testing.T) { { name: "user-password-attributes-change-password-attribute", opts: []vault.Option{ - vault.WithCredentialType("user_password"), + vault.WithCredentialType("username_password"), vault.WithMappingOverride( vault.NewUserPasswordOverride( vault.WithOverrideUsernameAttribute("orig-user"), 
@@ -961,7 +961,7 @@ func TestUpdate(t *testing.T) { { name: "user-password-attributes-change-username-and-password-attributes", opts: []vault.Option{ - vault.WithCredentialType("user_password"), + vault.WithCredentialType("username_password"), vault.WithMappingOverride( vault.NewUserPasswordOverride( vault.WithOverrideUsernameAttribute("orig-user"), @@ -992,7 +992,7 @@ func TestUpdate(t *testing.T) { { name: "no-mapping-override-change-username-and-password-attributes", opts: []vault.Option{ - vault.WithCredentialType("user_password"), + vault.WithCredentialType("username_password"), }, req: &pbs.UpdateCredentialLibraryRequest{ UpdateMask: fieldmask(passwordAttrField, usernameAttrField), @@ -1023,7 +1023,7 @@ func TestUpdate(t *testing.T) { { name: "user-password-attributes-delete-mapping-override", opts: []vault.Option{ - vault.WithCredentialType("user_password"), + vault.WithCredentialType("username_password"), vault.WithMappingOverride( vault.NewUserPasswordOverride( vault.WithOverrideUsernameAttribute("orig-user"), @@ -1045,7 +1045,7 @@ func TestUpdate(t *testing.T) { { name: "no-mapping-override-delete-mapping-override", opts: []vault.Option{ - vault.WithCredentialType("user_password"), + vault.WithCredentialType("username_password"), }, req: &pbs.UpdateCredentialLibraryRequest{ UpdateMask: fieldmask(credentialMappingPathField), @@ -1062,7 +1062,7 @@ func TestUpdate(t *testing.T) { { name: "user-password-attributes-delete-mapping-override-field-specific", opts: []vault.Option{ - vault.WithCredentialType("user_password"), + vault.WithCredentialType("username_password"), vault.WithMappingOverride( vault.NewUserPasswordOverride( vault.WithOverrideUsernameAttribute("orig-user"), 
@@ -1092,7 +1092,7 @@ func TestUpdate(t *testing.T) { { name: "no-mapping-override-delete-mapping-override-field-specific", opts: []vault.Option{ - vault.WithCredentialType("user_password"), + vault.WithCredentialType("username_password"), }, req: &pbs.UpdateCredentialLibraryRequest{ UpdateMask: fieldmask(passwordAttrField, usernameAttrField), @@ -1185,7 +1185,7 @@ func TestUpdate(t *testing.T) { { name: "read only credential type", path: "credential_type", - item: &pb.CredentialLibrary{CredentialType: string(credential.UserPasswordType)}, + item: &pb.CredentialLibrary{CredentialType: string(credential.UsernamePasswordType)}, }, } for _, tc := range errCases { diff --git a/internal/daemon/controller/handlers/targets/tcp/target_service_test.go b/internal/daemon/controller/handlers/targets/tcp/target_service_test.go index 2aa37128d4..36a061dab3 100644 --- a/internal/daemon/controller/handlers/targets/tcp/target_service_test.go +++ b/internal/daemon/controller/handlers/targets/tcp/target_service_test.go @@ -3002,7 +3002,7 @@ func TestAuthorizeSessionTypedCredentials(t *testing.T) { HttpMethod: wrapperspb.String("GET"), }, }, - CredentialType: "user_password", + CredentialType: "username_password", }}) require.NoError(t, err) @@ -3033,7 +3033,7 @@ func TestAuthorizeSessionTypedCredentials(t *testing.T) { HttpMethod: wrapperspb.String("GET"), }, }, - CredentialType: "user_password", + CredentialType: "username_password", CredentialMappingOverrides: &structpb.Struct{Fields: map[string]*structpb.Value{ "username_attribute": structpb.NewStringValue("non-default-user"), "password_attribute": structpb.NewStringValue("non-default-pass"), @@ -3072,7 +3072,7 @@ func TestAuthorizeSessionTypedCredentials(t *testing.T) { require.NoError(t, err) return st }(), - wantedCredType: string(credential.UserPasswordType), + wantedCredType: string(credential.UsernamePasswordType), }, { name: "userpassword-with-mapping", 
@@ -3089,7 +3089,7 @@ func TestAuthorizeSessionTypedCredentials(t *testing.T) { require.NoError(t, err) return st }(), - wantedCredType: string(credential.UserPasswordType), + wantedCredType: string(credential.UsernamePasswordType), }, } diff --git a/internal/db/schema/migrations/oss/postgres/22/02_credential_type.up.sql b/internal/db/schema/migrations/oss/postgres/22/02_credential_type.up.sql index 3bd027cc3f..3eb30caca2 100644 --- a/internal/db/schema/migrations/oss/postgres/22/02_credential_type.up.sql +++ b/internal/db/schema/migrations/oss/postgres/22/02_credential_type.up.sql @@ -2,6 +2,7 @@ begin; create table credential_type_enm ( name text primary key + -- This constraint is replaced in 32/01_credential_type.up.sql constraint only_predefined_credential_types_allowed check ( name in ( diff --git a/internal/db/schema/migrations/oss/postgres/32/01_credential_type.up.sql b/internal/db/schema/migrations/oss/postgres/32/01_credential_type.up.sql new file mode 100644 index 0000000000..56ab30bf81 --- /dev/null +++ b/internal/db/schema/migrations/oss/postgres/32/01_credential_type.up.sql @@ -0,0 +1,23 @@ +begin; + + -- drop constraint so we can migrate user_password to username_password + alter table credential_type_enm + drop constraint only_predefined_credential_types_allowed; + + -- Next: we will update user_password to username_password + update credential_type_enm + set name = 'username_password' + where name = 'user_password'; + + -- Add new constraint that only allows unspecified and new username_password + -- This replaces the constraint defined in 2/02_credential_type.up.sql + alter table credential_type_enm + add constraint only_predefined_credential_types_allowed + check ( + name in ( + 'unspecified', + 'username_password' + ) + ); + +commit; diff --git a/internal/db/schema/migrations/oss/postgres_32_01_test.go b/internal/db/schema/migrations/oss/postgres_32_01_test.go new file mode 100644 index 0000000000..45163b1023 --- /dev/null 
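Review bot: In the new `32/01_credential_type.up.sql`, the comment above the re-added constraint cites `2/02_credential_type.up.sql`, but the constraint it replaces is defined in `22/02_credential_type.up.sql`, the file this commit annotates just above. The line should read `-- This replaces the constraint defined in 22/02_credential_type.up.sql`. Separately, the `update` only renames the row in `credential_type_enm`, so existing `credential_library` rows pick up the new value only if their foreign key to this table cascades on update. That declaration is not visible in this diff, so a short comment next to the `update` naming the cascade it relies on would help the next person who edits this allow-list.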
+++ b/internal/db/schema/migrations/oss/postgres_32_01_test.go 
@@ -0,0 +1,111 @@ +package oss_test + +import ( + "context" + "testing" + + "github.com/hashicorp/boundary/internal/credential/vault" + "github.com/hashicorp/boundary/internal/db" + "github.com/hashicorp/boundary/internal/db/common" + "github.com/hashicorp/boundary/internal/db/schema" + "github.com/hashicorp/boundary/internal/iam" + "github.com/hashicorp/boundary/testing/dbtest" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func TestMigrations_user_password_Migration(t *testing.T) { + const ( + priorMigration = 31002 + currentMigration = 32001 + ) + + t.Parallel() + ctx := context.Background() + dialect := dbtest.Postgres + + c, u, _, err := dbtest.StartUsingTemplate(dialect, dbtest.WithTemplate(dbtest.Template1)) + require.NoError(t, err) + t.Cleanup(func() { + require.NoError(t, c()) + }) + d, err := common.SqlOpen(dialect, u) + require.NoError(t, err) + + // migration to the prior migration (before the one we want to test) + m, err := schema.NewManager(ctx, schema.Dialect(dialect), d, schema.WithEditions( + schema.TestCreatePartialEditions(schema.Dialect(dialect), schema.PartialEditions{"oss": priorMigration}), + )) + require.NoError(t, err) + + require.NoError(t, m.ApplyMigrations(ctx)) + state, err := m.CurrentState(ctx) + require.NoError(t, err) + want := &schema.State{ + Initialized: true, + Editions: []schema.EditionState{ + { + Name: "oss", + BinarySchemaVersion: priorMigration, + DatabaseSchemaVersion: priorMigration, + DatabaseSchemaState: schema.Equal, + }, + }, + } + require.Equal(t, want, state) + + // get a connection + dbType, err := db.StringToDbType(dialect) + require.NoError(t, err) + conn, err := db.Open(dbType, u) + require.NoError(t, err) + rw := db.New(conn) + + rootWrapper := db.TestWrapper(t) + iamRepo := iam.TestRepo(t, conn, rootWrapper) + _, prj := iam.TestScopes(t, iamRepo) + + cs, err := vault.NewCredentialStore(prj.PublicId, "https://vault", []byte("token")) + cs.PublicId = "csvlt_test1234" + 
require.NoError(t, rw.Create(context.Background(), cs)) + + upLib, err := vault.NewCredentialLibrary(cs.PublicId, "vault_path", vault.WithMethod("GET"), vault.WithCredentialType("user_password")) + upLib.PublicId = "clvlt_testuplib" + require.NoError(t, rw.Create(context.Background(), upLib)) + + lib, err := vault.NewCredentialLibrary(cs.PublicId, "vault_path", vault.WithMethod("GET")) + lib.PublicId = "clvlt_testlib" + require.NoError(t, rw.Create(context.Background(), lib)) + + // now we're ready for the migration we want to test. + m, err = schema.NewManager(ctx, schema.Dialect(dialect), d, schema.WithEditions( + schema.TestCreatePartialEditions(schema.Dialect(dialect), schema.PartialEditions{"oss": currentMigration}), + )) + require.NoError(t, err) + + require.NoError(t, m.ApplyMigrations(ctx)) + state, err = m.CurrentState(ctx) + require.NoError(t, err) + want = &schema.State{ + Initialized: true, + Editions: []schema.EditionState{ + { + Name: "oss", + BinarySchemaVersion: currentMigration, + DatabaseSchemaVersion: currentMigration, + DatabaseSchemaState: schema.Equal, + }, + }, + } + require.Equal(t, want, state) + + // Validate uplib was migrated to username_password + err = rw.LookupByPublicId(context.Background(), upLib) + require.NoError(t, err) + assert.Equal(t, "username_password", upLib.GetCredentialType()) + + // Validate lib was left as unspecified + err = rw.LookupByPublicId(context.Background(), lib) + require.NoError(t, err) + assert.Equal(t, "unspecified", lib.GetCredentialType()) +} diff --git a/internal/db/sqltest/initdb.d/03_widgets_persona.sql b/internal/db/sqltest/initdb.d/03_widgets_persona.sql index c6aef2661d..cbd970038b 100644 --- a/internal/db/sqltest/initdb.d/03_widgets_persona.sql +++ b/internal/db/sqltest/initdb.d/03_widgets_persona.sql 
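Review bot: In `TestMigrations_user_password_Migration`, the errors from `vault.NewCredentialStore` and both `vault.NewCredentialLibrary` calls are assigned to `err` but never checked before `cs.PublicId`, `upLib.PublicId` and `lib.PublicId` are written. A constructor failure would therefore most likely show up as a nil-pointer panic rather than a clear test failure; add `require.NoError(t, err)` directly after each of the three calls. The test also proves only that existing rows were renamed: nothing asserts that the re-added `only_predefined_credential_types_allowed` constraint rejects the old value, so a migration that dropped the constraint and never restored it would still pass. A negative case after the second `ApplyMigrations` would pin that, for example building one more library with `vault.WithCredentialType("user_password")` and expecting `rw.Create` to return an error (presumably from the database; confirm the constructor does not reject the value first). As a style point, the `rw.Create` and `rw.LookupByPublicId` calls can reuse the existing `ctx` instead of a fresh `context.Background()`.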
@@ -346,11 +346,11 @@ begin; values ('vs_______wvs', 'vl______wvl1', 'widget vault library', 'None', '/secrets', 'GET', 'unspecified'), ('vs_______wvs', 'vl______wvl2', 'widget vault ssh', 'None', '/secrets/ssh/admin', 'GET', 'unspecified'), - ('vs_______wvs', 'vl______wvl3', 'widget vault kv one', 'None', '/secrets/kv/one', 'GET', 'user_password'), - ('vs_______wvs', 'vl______wvl4', 'widget vault kv two', 'None', '/secrets/kv/two', 'GET', 'user_password'), - ('vs_______wvs', 'vl______wvl5', 'widget vault kv three', 'None', '/secrets/kv/three', 'GET', 'user_password'), - ('vs_______wvs', 'vl______wvl6', 'widget vault kv four', 'None', '/secrets/kv/four', 'GET', 'user_password'), - ('vs_______wvs', 'vl______wvl7', 'widget vault kv five', 'None', '/secrets/kv/five', 'GET', 'user_password'); + ('vs_______wvs', 'vl______wvl3', 'widget vault kv one', 'None', '/secrets/kv/one', 'GET', 'username_password'), + ('vs_______wvs', 'vl______wvl4', 'widget vault kv two', 'None', '/secrets/kv/two', 'GET', 'username_password'), + ('vs_______wvs', 'vl______wvl5', 'widget vault kv three', 'None', '/secrets/kv/three', 'GET', 'username_password'), + ('vs_______wvs', 'vl______wvl6', 'widget vault kv four', 'None', '/secrets/kv/four', 'GET', 'username_password'), + ('vs_______wvs', 'vl______wvl7', 'widget vault kv five', 'None', '/secrets/kv/five', 'GET', 'username_password'); insert into credential_vault_library_user_password_mapping_override (library_id) diff --git a/internal/db/sqltest/tests/credential/vault/credential_vault_library.sql b/internal/db/sqltest/tests/credential/vault/credential_vault_library.sql index 566dc0a4e2..2e625e991f 100644 --- a/internal/db/sqltest/tests/credential/vault/credential_vault_library.sql +++ b/internal/db/sqltest/tests/credential/vault/credential_vault_library.sql 
@@ -11,19 +11,19 @@ begin; select is(count(*), 1::bigint) from credential_vault_library where public_id = 'vl______wvl1' and credential_type = 'unspecified'; select is(count(*), 1::bigint) from credential_library where public_id = 'vl______wvl1' and credential_type = 'unspecified'; - select is(count(*), 1::bigint) from credential_vault_library where public_id = 'vl______wvl3' and credential_type = 'user_password'; - select is(count(*), 1::bigint) from credential_library where public_id = 'vl______wvl3' and credential_type = 'user_password'; + select is(count(*), 1::bigint) from credential_vault_library where public_id = 'vl______wvl3' and credential_type = 'username_password'; + select is(count(*), 1::bigint) from credential_library where public_id = 'vl______wvl3' and credential_type = 'username_password'; -- validate the insert triggers prepare insert_vault_library as insert into credential_vault_library (store_id, public_id, vault_path, http_method, credential_type) values - ('vs_______wvs', 'vl_______tt1', '/secrets/kv', 'GET', 'user_password'); + ('vs_______wvs', 'vl_______tt1', '/secrets/kv', 'GET', 'username_password'); select lives_ok('insert_vault_library'); - select is(count(*), 1::bigint) from credential_vault_library where public_id = 'vl_______tt1' and credential_type = 'user_password'; - select is(count(*), 1::bigint) from credential_library where public_id = 'vl_______tt1' and credential_type = 'user_password'; + select is(count(*), 1::bigint) from credential_vault_library where public_id = 'vl_______tt1' and credential_type = 'username_password'; + select is(count(*), 1::bigint) from credential_library where public_id = 'vl_______tt1' and credential_type = 'username_password'; -- validate the delete triggers prepare delete_vault_library as 
diff --git a/internal/db/sqltest/tests/credential/vault/credential_vault_library_user_password_mapping_override.sql b/internal/db/sqltest/tests/credential/vault/credential_vault_library_user_password_mapping_override.sql index 139992c87b..febb377744 100644 --- a/internal/db/sqltest/tests/credential/vault/credential_vault_library_user_password_mapping_override.sql +++ b/internal/db/sqltest/tests/credential/vault/credential_vault_library_user_password_mapping_override.sql @@ -26,11 +26,11 @@ begin; 'select_private_libraries', $$VALUES ('vl______wvl2', 'unspecified', null, null), - ('vl______wvl3', 'user_password', null, null), - ('vl______wvl4', 'user_password', null, null), - ('vl______wvl5', 'user_password', 'my_username', null), - ('vl______wvl6', 'user_password', null, 'my_password'), - ('vl______wvl7', 'user_password', 'my_username', 'my_password')$$ + ('vl______wvl3', 'username_password', null, null), + ('vl______wvl4', 'username_password', null, null), + ('vl______wvl5', 'username_password', 'my_username', null), + ('vl______wvl6', 'username_password', null, 'my_password'), + ('vl______wvl7', 'username_password', 'my_username', 'my_password')$$ ); -- validate the insert triggers