fix(db): vault password library migration adjustments and mapping overrides (#6229)

pull/6207/head
Bharath Gajjala 6 months ago
parent 1ac444d0a8
commit c39a50570a

@ -752,22 +752,6 @@ var inputStructs = []*structInfo{
mapstructureConversionTemplate,
},
},
{
inProto: &credentials.PasswordAttributes{},
outFile: "credentials/password_attributes.gen.go",
subtypeName: "PasswordCredential",
subtype: "password",
fieldOverrides: []fieldInfo{
{
Name: "Password",
SkipDefault: true,
},
},
parentTypeName: "Credential",
templates: []*template.Template{
mapstructureConversionTemplate,
},
},
{
inProto: &credentials.SshPrivateKeyAttributes{},
outFile: "credentials/ssh_private_key_attributes.gen.go",

@ -224,7 +224,7 @@ func (o *PasswordOverride) TableName() string {
if o.tableName != "" {
return o.tableName
}
return "credential_vault_library_password_mapping_override"
return "credential_vault_generic_library_password_mapping_override"
}
// SetTableName sets the table name.

@ -79,6 +79,7 @@ begin;
for each row execute procedure default_vault_ldap_credential_type();
-- Replaces view from 99/01_credential_vault_library_refactor.up.sql
-- Replaced in 101/02_credential_vault_password_library.up.sql
drop view credential_vault_library_issue_credentials;
create view credential_vault_library_issue_credentials as
with

@ -3,191 +3,235 @@
begin;
create table credential_vault_library_password_mapping_override (
create table credential_vault_generic_library_password_mapping_override (
library_id wt_public_id primary key
constraint credential_vault_library_fkey
references credential_vault_library (public_id)
constraint credential_vault_generic_library_fkey
references credential_vault_generic_library (public_id)
on delete cascade
on update cascade
constraint credential_vault_library_mapping_override_fkey
references credential_vault_library_mapping_override (library_id)
constraint credential_vault_generic_library_mapping_override_fkey
references credential_vault_generic_library_mapping_override (library_id)
on delete cascade
on update cascade,
password_attribute wt_sentinel
default wt_to_sentinel('no override')
not null
);
comment on table credential_vault_library_password_mapping_override is
'credential_vault_library_password_mapping_override is a table '
comment on table credential_vault_generic_library_password_mapping_override is
'credential_vault_generic_library_password_mapping_override is a table '
'where each row represents a mapping that overrides the default mapping '
'from a generic vault secret to a password credential type '
'for a vault credential library.';
create trigger insert_credential_vault_library_mapping_override_subtype before insert on credential_vault_library_password_mapping_override
for each row execute procedure insert_credential_vault_library_mapping_override_subtype();
create trigger insert_credential_vault_generic_library_mapping_override_subtyp before insert on credential_vault_generic_library_password_mapping_override
for each row execute procedure insert_credential_vault_generic_library_mapping_override_subtyp();
create trigger delete_credential_vault_library_mapping_override_subtype after delete on credential_vault_library_password_mapping_override
for each row execute procedure delete_credential_vault_library_mapping_override_subtype();
create trigger delete_credential_vault_generic_library_mapping_override_subtyp after delete on credential_vault_generic_library_password_mapping_override
for each row execute procedure delete_credential_vault_generic_library_mapping_override_subtyp();
-- Replaces view from 98/02_username_password_domain_vault.up.sql
-- Replaces view from 100/01_credential_vault_ldap_library.up.sql
drop view credential_vault_library_issue_credentials;
create view credential_vault_library_issue_credentials as
with
username_password_override (library_id, username_attribute, password_attribute) as (
select library_id,
nullif(username_attribute, wt_to_sentinel('no override')),
nullif(password_attribute, wt_to_sentinel('no override'))
from credential_vault_library_username_password_mapping_override
),
ssh_private_key_override (library_id, username_attribute, private_key_attribute, private_key_passphrase_attribute) as (
select library_id,
nullif(username_attribute, wt_to_sentinel('no override')),
nullif(private_key_attribute, wt_to_sentinel('no override')),
nullif(private_key_passphrase_attribute, wt_to_sentinel('no override'))
from credential_vault_library_ssh_private_key_mapping_override
),
username_password_domain_override (library_id, username_attribute, password_attribute, domain_attribute) as (
select library_id,
nullif(username_attribute, wt_to_sentinel('no override')),
nullif(password_attribute, wt_to_sentinel('no override')),
nullif(domain_attribute, wt_to_sentinel('no override'))
from credential_vault_library_username_password_domain_mapping_ovrd
),
password_override (library_id, password_attribute) as (
select library_id,
nullif(password_attribute, wt_to_sentinel('no override'))
from credential_vault_library_password_mapping_override
)
select library.public_id as public_id,
library.store_id as store_id,
library.name as name,
library.description as description,
library.create_time as create_time,
library.update_time as update_time,
library.version as version,
library.vault_path as vault_path,
library.http_method as http_method,
library.http_request_body as http_request_body,
library.credential_type as credential_type,
null as key_type,
null as key_bits,
null as username,
null as ttl,
null as key_id,
null as critical_options,
null as extensions,
store.project_id as project_id,
store.vault_address as vault_address,
store.namespace as namespace,
store.ca_cert as ca_cert,
store.tls_server_name as tls_server_name,
store.tls_skip_verify as tls_skip_verify,
store.worker_filter as worker_filter,
store.ct_token as ct_token, -- encrypted
store.token_hmac as token_hmac,
store.token_status as token_status,
store.token_key_id as token_key_id,
store.client_cert as client_cert,
store.ct_client_key as ct_client_key, -- encrypted
store.client_key_id as client_key_id,
coalesce(upasso.username_attribute, sshpk.username_attribute, pd.username_attribute)
as username_attribute,
coalesce(upasso.password_attribute, pd.password_attribute, po.password_attribute)
as password_attribute,
pd.domain_attribute as domain_attribute,
sshpk.private_key_attribute as private_key_attribute,
sshpk.private_key_passphrase_attribute as private_key_passphrase_attribute,
'generic' as cred_lib_type, -- used to switch on
null as additional_valid_principals
from credential_vault_library library
join credential_vault_store_client store
on library.store_id = store.public_id
left join username_password_override upasso
on library.public_id = upasso.library_id
left join ssh_private_key_override sshpk
on library.public_id = sshpk.library_id
left join username_password_domain_override pd
on library.public_id = pd.library_id
left join password_override po
on library.public_id = po.library_id
union
select library.public_id as public_id,
library.store_id as store_id,
library.name as name,
library.description as description,
library.create_time as create_time,
library.update_time as update_time,
library.version as version,
library.vault_path as vault_path,
null as http_method,
null as http_request_body,
library.credential_type as credential_type,
library.key_type as key_type,
library.key_bits as key_bits,
library.username as username,
library.ttl as ttl,
library.key_id as key_id,
library.critical_options as critical_options,
library.extensions as extensions,
store.project_id as project_id,
store.vault_address as vault_address,
store.namespace as namespace,
store.ca_cert as ca_cert,
store.tls_server_name as tls_server_name,
store.tls_skip_verify as tls_skip_verify,
store.worker_filter as worker_filter,
store.ct_token as ct_token, -- encrypted
store.token_hmac as token_hmac,
store.token_status as token_status,
store.token_key_id as token_key_id,
store.client_cert as client_cert,
store.ct_client_key as ct_client_key, -- encrypted
store.client_key_id as client_key_id,
null as username_attribute,
null as password_attribute,
null as domain_attribute,
null as private_key_attribute,
null as private_key_passphrase_attribute,
'ssh-signed-cert' as cred_lib_type, -- used to switch on
additional_valid_principals as additional_valid_principals
from credential_vault_ssh_cert_library library
join credential_vault_store_client store
on library.store_id = store.public_id;
with
username_password_override (library_id, username_attribute, password_attribute) as (
select library_id,
nullif(username_attribute, wt_to_sentinel('no override')),
nullif(password_attribute, wt_to_sentinel('no override'))
from credential_vault_generic_library_username_password_mapping_ovrd
),
ssh_private_key_override (library_id, username_attribute, private_key_attribute, private_key_passphrase_attribute) as (
select library_id,
nullif(username_attribute, wt_to_sentinel('no override')),
nullif(private_key_attribute, wt_to_sentinel('no override')),
nullif(private_key_passphrase_attribute, wt_to_sentinel('no override'))
from credential_vault_generic_library_ssh_private_key_mapping_ovrd
),
username_password_domain_override (library_id, username_attribute, password_attribute, domain_attribute) as (
select library_id,
nullif(username_attribute, wt_to_sentinel('no override')),
nullif(password_attribute, wt_to_sentinel('no override')),
nullif(domain_attribute, wt_to_sentinel('no override'))
from credential_vault_generic_library_usern_pass_domain_mapping_ovrd
),
password_override (library_id, password_attribute) as (
select library_id,
nullif(password_attribute, wt_to_sentinel('no override'))
from credential_vault_generic_library_password_mapping_override
)
select library.public_id as public_id,
library.store_id as store_id,
library.name as name,
library.description as description,
library.create_time as create_time,
library.update_time as update_time,
library.version as version,
library.vault_path as vault_path,
library.http_method as http_method,
library.http_request_body as http_request_body,
library.credential_type as credential_type,
null as key_type,
null as key_bits,
null as username,
null as ttl,
null as key_id,
null as critical_options,
null as extensions,
store.project_id as project_id,
store.vault_address as vault_address,
store.namespace as namespace,
store.ca_cert as ca_cert,
store.tls_server_name as tls_server_name,
store.tls_skip_verify as tls_skip_verify,
store.worker_filter as worker_filter,
store.ct_token as ct_token, -- encrypted
store.token_hmac as token_hmac,
store.token_status as token_status,
store.token_key_id as token_key_id,
store.client_cert as client_cert,
store.ct_client_key as ct_client_key, -- encrypted
store.client_key_id as client_key_id,
coalesce(upasso.username_attribute, sshpk.username_attribute, pd.username_attribute)
as username_attribute,
coalesce(upasso.password_attribute, pd.password_attribute, po.password_attribute)
as password_attribute,
pd.domain_attribute as domain_attribute,
sshpk.private_key_attribute as private_key_attribute,
sshpk.private_key_passphrase_attribute as private_key_passphrase_attribute,
'generic' as cred_lib_type, -- used to switch on
null as additional_valid_principals
from credential_vault_generic_library library
join credential_vault_store_client store
on library.store_id = store.public_id
left join username_password_override upasso
on library.public_id = upasso.library_id
left join ssh_private_key_override sshpk
on library.public_id = sshpk.library_id
left join username_password_domain_override pd
on library.public_id = pd.library_id
left join password_override po
on library.public_id = po.library_id
union
select library.public_id as public_id,
library.store_id as store_id,
library.name as name,
library.description as description,
library.create_time as create_time,
library.update_time as update_time,
library.version as version,
library.vault_path as vault_path,
null as http_method,
null as http_request_body,
library.credential_type as credential_type,
library.key_type as key_type,
library.key_bits as key_bits,
library.username as username,
library.ttl as ttl,
library.key_id as key_id,
library.critical_options as critical_options,
library.extensions as extensions,
store.project_id as project_id,
store.vault_address as vault_address,
store.namespace as namespace,
store.ca_cert as ca_cert,
store.tls_server_name as tls_server_name,
store.tls_skip_verify as tls_skip_verify,
store.worker_filter as worker_filter,
store.ct_token as ct_token, -- encrypted
store.token_hmac as token_hmac,
store.token_status as token_status,
store.token_key_id as token_key_id,
store.client_cert as client_cert,
store.ct_client_key as ct_client_key, -- encrypted
store.client_key_id as client_key_id,
null as username_attribute,
null as password_attribute,
null as domain_attribute,
null as private_key_attribute,
null as private_key_passphrase_attribute,
'ssh-signed-cert' as cred_lib_type, -- used to switch on
additional_valid_principals as additional_valid_principals
from credential_vault_ssh_cert_library library
join credential_vault_store_client store
on library.store_id = store.public_id
union
select library.public_id as public_id,
library.store_id as store_id,
library.name as name,
library.description as description,
library.create_time as create_time,
library.update_time as update_time,
library.version as version,
library.vault_path as vault_path,
null as http_method,
null as http_request_body,
library.credential_type as credential_type,
null as key_type,
null as key_bits,
null as username,
null as ttl,
null as key_id,
null as critical_options,
null as extensions,
store.project_id as project_id,
store.vault_address as vault_address,
store.namespace as namespace,
store.ca_cert as ca_cert,
store.tls_server_name as tls_server_name,
store.tls_skip_verify as tls_skip_verify,
store.worker_filter as worker_filter,
store.ct_token as ct_token, -- encrypted
store.token_hmac as token_hmac,
store.token_status as token_status,
store.token_key_id as token_key_id,
store.client_cert as client_cert,
store.ct_client_key as ct_client_key, -- encrypted
store.client_key_id as client_key_id,
pd.username_attribute as username_attribute,
pd.password_attribute as password_attribute,
pd.domain_attribute as domain_attribute,
null as private_key_attribute,
null as private_key_passphrase_attribute,
'ldap' as cred_lib_type, -- used to switch on
null as additional_valid_principals
from credential_vault_ldap_library library
join credential_vault_store_client store
on library.store_id = store.public_id
left join username_password_domain_override pd
on library.public_id = pd.library_id;
comment on view credential_vault_library_issue_credentials is
'credential_vault_library_issue_credentials is a view where each row contains a credential library and the credential library''s data needed to connect to Vault. '
'This view should only be used when issuing credentials from a Vault credential library. Each row may contain encrypted data. '
'This view should not be used to retrieve data which will be returned external to boundary.';
-- Replaces view created in 98/02_username_password_domain_vault.up.sql
drop view credential_vault_library_list_lookup;
create view credential_vault_library_list_lookup as
-- Replaces view created in 99/01_credential_vault_library_refactor.up.sql
drop view credential_vault_generic_library_list_lookup;
create view credential_vault_generic_library_list_lookup as
with
username_password_override (library_id, username_attribute, password_attribute) as (
select library_id,
nullif(username_attribute, wt_to_sentinel('no override')),
nullif(password_attribute, wt_to_sentinel('no override'))
from credential_vault_library_username_password_mapping_override
from credential_vault_generic_library_username_password_mapping_ovrd
),
ssh_private_key_override (library_id, username_attribute, private_key_attribute, private_key_passphrase_attribute) as (
select library_id,
nullif(username_attribute, wt_to_sentinel('no override')),
nullif(private_key_attribute, wt_to_sentinel('no override')),
nullif(private_key_passphrase_attribute, wt_to_sentinel('no override'))
from credential_vault_library_ssh_private_key_mapping_override
from credential_vault_generic_library_ssh_private_key_mapping_ovrd
),
username_password_domain_override (library_id, username_attribute, password_attribute, domain_attribute) as (
select library_id,
nullif(username_attribute, wt_to_sentinel('no override')),
nullif(password_attribute, wt_to_sentinel('no override')),
nullif(domain_attribute, wt_to_sentinel('no override'))
from credential_vault_library_username_password_domain_mapping_ovrd
from credential_vault_generic_library_usern_pass_domain_mapping_ovrd
),
password_override (library_id, password_attribute) as (
select library_id,
nullif(password_attribute, wt_to_sentinel('no override'))
from credential_vault_library_password_mapping_override
from credential_vault_generic_library_password_mapping_override
)
select library.public_id as public_id,
library.store_id as store_id,
@ -207,7 +251,7 @@ begin;
sshpk.private_key_attribute as private_key_attribute,
sshpk.private_key_passphrase_attribute as private_key_passphrase_attribute,
pd.domain_attribute as domain_attribute
from credential_vault_library library
from credential_vault_generic_library library
left join username_password_override upasso
on library.public_id = upasso.library_id
left join ssh_private_key_override sshpk
@ -216,8 +260,8 @@ begin;
on library.public_id = pd.library_id
left join password_override po
on library.public_id = po.library_id;
comment on view credential_vault_library_list_lookup is
'credential_vault_library_list_lookup is a view where each row contains a credential library and any of library''s credential mapping overrides. '
comment on view credential_vault_generic_library_list_lookup is
'credential_vault_generic_library_list_lookup is a view where each row contains a credential library and any of library''s credential mapping overrides. '
'No encrypted data is returned. This view can be used to retrieve data which will be returned external to boundary.';
commit;
commit;
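Review bot: The generic branch of credential_vault_library_issue_credentials derives password_attribute with `coalesce(upasso.password_attribute, pd.password_attribute, po.password_attribute)`, which only yields the right override if at most one of the four override tables holds a row for a given library; the new password_override CTE widens that unstated assumption. The subtype triggers attached to the new table presumably enforce that exclusivity, but their functions are defined outside this hunk, so a comment above the select such as `-- a library has exactly one credential_type, so at most one override CTE matches; coalesce order does not matter` would make the invariant explicit for the next person who adds a credential type. The trigger names `insert_credential_vault_generic_library_mapping_override_subtyp` and `delete_..._subtyp` look cut to the 63-byte PostgreSQL identifier limit rather than misspelled; a one-line `-- name truncated to fit the 63-byte identifier limit` next to them (and the `_ovrd` table names the CTEs read) would stop a later cleanup from "fixing" the spelling and breaking the trigger/function pairing. The `begin;`/`commit;` wrapper is visible, but the second list_lookup view's body is only partially shown here, so the same coalesce note likely applies there as well.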

@ -153,8 +153,8 @@ begin;
comment on view credential_static_username_password_domain_credential_hst_agg is
'credential_static_username_password_domain_credential_hst_aggregate contains the username password credential history data along with its store and purpose data.';
-- This constraint is replaced in 99/01_credential_static_password_credential.up.sql
-- This constraint replaces the previous constraint created in 63/01_credential_vault_ssh_cert_library.up.sql
-- This constraint is replaced in 101/01_credential_static_password_credential.up.sql
alter table credential_type_enm
drop constraint only_predefined_credential_types_allowed;
@ -173,8 +173,8 @@ begin;
insert into credential_type_enm (name)
values ('username_password_domain');
-- This function is updated in 99/01_credential_static_password_credential.up.sql.
-- This function replaces the previous function created in 71/14_recording_static_credential.up.sql
-- This function is replaced in 101/01_credential_static_password_credential.up.sql
create or replace function insert_recording_static_credentials() returns trigger
as $$
begin

@ -37,9 +37,8 @@ begin;
create trigger delete_credential_vault_library_mapping_override_subtype after delete on credential_vault_library_username_password_domain_mapping_ovrd
for each row execute procedure delete_credential_vault_library_mapping_override_subtype();
-- Replaces view from 78/01_ssh_signed_certs_additional_valid_principals.up.sql
-- Replaced in 99/01_credential_vault_library_refactor.up.sql
-- Replaces view from 78/01_ssh_signed_certs_additional_valid_principals.up.sql
-- Replaced in 99/01_credential_vault_library_refactor.up.sql
drop view credential_vault_library_issue_credentials;
create view credential_vault_library_issue_credentials as
with
@ -161,10 +160,9 @@ begin;
'This view should only be used when issuing credentials from a Vault credential library. Each row may contain encrypted data. '
'This view should not be used to retrieve data which will be returned external to boundary.';
-- Replaces view created in 49/01_vault_credentials.up.sql
-- Replaced in 99/01_credential_vault_library_refactor.up.sql where this
-- view's name changed to credential_vault_generic_library_list_lookup.
-- Replaces view created in 49/01_vault_credentials.up.sql
-- Replaced in 99/01_credential_vault_library_refactor.up.sql where this
-- view's name changed to credential_vault_generic_library_list_lookup.
drop view credential_vault_library_list_lookup;
create view credential_vault_library_list_lookup as
with

@ -503,6 +503,7 @@ begin;
'This view should not be used to retrieve data which will be returned external to boundary.';
-- Replaces and renames view defined in 98/02_username_password_domain_vault.up.sql.
-- Replaced in 101/02_credential_vault_password_library.up.sql
alter view credential_vault_library_list_lookup
rename to credential_vault_generic_library_list_lookup;
drop view credential_vault_generic_library_list_lookup;

@ -44,7 +44,7 @@ func TestCliTcpTargetConnectRedisPassword(t *testing.T) {
ctx,
projectId,
redisInfo.Port,
target.WithAddress(redisInfo.Hostname),
[]target.Option{target.WithAddress(redisInfo.Hostname)},
)
require.NoError(t, err)
