From 813a5a0dddafa82a9c43ae7f1eeea923f6cd4033 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Fri, 18 Nov 2022 20:41:06 +0000 Subject: [PATCH 1/9] Remove pinned builtin plugin versions from storage --- .../database/path_config_connection.go | 20 +++++++++++++++++-- builtin/logical/database/version_wrapper.go | 7 +++++++ helper/versions/version.go | 17 ++++++++++++++++ vault/auth.go | 6 ++++++ vault/logical_system.go | 13 ++++++++++++ vault/mount.go | 5 +++++ vault/plugin_catalog.go | 10 +++++++++- 7 files changed, 75 insertions(+), 3 deletions(-) diff --git a/builtin/logical/database/path_config_connection.go b/builtin/logical/database/path_config_connection.go index c0522bf9fb24..d149793635e4 100644 --- a/builtin/logical/database/path_config_connection.go +++ b/builtin/logical/database/path_config_connection.go @@ -11,6 +11,7 @@ import ( "github.com/hashicorp/go-uuid" "github.com/hashicorp/go-version" + "github.com/hashicorp/vault/helper/versions" v5 "github.com/hashicorp/vault/sdk/database/dbplugin/v5" "github.com/hashicorp/vault/sdk/framework" "github.com/hashicorp/vault/sdk/helper/consts" @@ -295,7 +296,10 @@ func (b *databaseBackend) connectionWriteHandler() framework.OperationFunc { config.PluginVersion = pluginVersionRaw.(string) } - unversionedPlugin, err := b.System().LookupPlugin(ctx, config.PluginName, consts.PluginTypeDatabase) + var builtinShadowed bool + if unversionedPlugin, err := b.System().LookupPlugin(ctx, config.PluginName, consts.PluginTypeDatabase); err == nil && !unversionedPlugin.Builtin { + builtinShadowed = true + } switch { case config.PluginVersion != "": semanticVersion, err := version.NewVersion(config.PluginVersion) @@ -305,7 +309,16 @@ func (b *databaseBackend) connectionWriteHandler() framework.OperationFunc { // Canonicalize the version. config.PluginVersion = "v" + semanticVersion.String() - case err == nil && !unversionedPlugin.Builtin: + + if config.PluginVersion == versions.GetBuiltinVersion(consts.PluginTypeDatabase, config.PluginName) { + if builtinShadowed { + return logical.ErrorResponse("database plugin %q, version %s not found, as it is"+ + " overridden by an unversioned plugin of the same name", config.PluginName, config.PluginVersion), nil + } + + config.PluginVersion = "" + } + case builtinShadowed: // We'll select the unversioned plugin that's been registered. case req.Operation == logical.CreateOperation: // No version provided and no unversioned plugin of that name available. @@ -439,6 +452,9 @@ func (b *databaseBackend) connectionWriteHandler() framework.OperationFunc { } func storeConfig(ctx context.Context, storage logical.Storage, name string, config *DatabaseConfig) error { + if versions.IsBuiltinVersion(config.PluginVersion) { + config.PluginVersion = "" + } entry, err := logical.StorageEntryJSON(fmt.Sprintf("config/%s", name), config) if err != nil { return fmt.Errorf("unable to marshal object to JSON: %w", err) diff --git a/builtin/logical/database/version_wrapper.go b/builtin/logical/database/version_wrapper.go index 734c36ca6bf1..0b84d4c756ae 100644 --- a/builtin/logical/database/version_wrapper.go +++ b/builtin/logical/database/version_wrapper.go @@ -6,6 +6,7 @@ import ( log "github.com/hashicorp/go-hclog" "github.com/hashicorp/go-multierror" + "github.com/hashicorp/vault/helper/versions" v4 "github.com/hashicorp/vault/sdk/database/dbplugin" v5 "github.com/hashicorp/vault/sdk/database/dbplugin/v5" "github.com/hashicorp/vault/sdk/helper/pluginutil" @@ -24,6 +25,12 @@ var _ logical.PluginVersioner = databaseVersionWrapper{} // newDatabaseWrapper figures out which version of the database the pluginName is referring to and returns a wrapper object // that can be used to make operations on the underlying database plugin. func newDatabaseWrapper(ctx context.Context, pluginName string, pluginVersion string, sys pluginutil.LookRunnerUtil, logger log.Logger) (dbw databaseVersionWrapper, err error) { + // 1.12.0 and 1.12.1 stored plugin version in the config, but that stored + // builtin version may disappear from the plugin catalog when Vault is + // upgraded, so always reference builtin plugins by an empty version. + if versions.IsBuiltinVersion(pluginVersion) { + pluginVersion = "" + } newDB, err := v5.PluginFactoryVersion(ctx, pluginName, pluginVersion, sys, logger) if err == nil { dbw = databaseVersionWrapper{ diff --git a/helper/versions/version.go b/helper/versions/version.go index 1fa4e36e27a7..344bce083dba 100644 --- a/helper/versions/version.go +++ b/helper/versions/version.go @@ -6,6 +6,7 @@ import ( "strings" "sync" + semver "github.com/hashicorp/go-version" "github.com/hashicorp/vault/sdk/helper/consts" "github.com/hashicorp/vault/sdk/version" ) @@ -52,3 +53,19 @@ func GetBuiltinVersion(pluginType consts.PluginType, pluginName string) string { return DefaultBuiltinVersion } + +func IsBuiltinVersion(v string) bool { + semanticVersion, err := semver.NewSemver(v) + if err != nil { + return false + } + + metadataIdentifiers := strings.Split(semanticVersion.Metadata(), ".") + for _, identifier := range metadataIdentifiers { + if identifier == "builtin" { + return true + } + } + + return false +} diff --git a/vault/auth.go b/vault/auth.go index 11b603d666f0..a9c4fd3a3d24 100644 --- a/vault/auth.go +++ b/vault/auth.go @@ -636,6 +636,12 @@ func (c *Core) loadCredentials(ctx context.Context) error { needPersist = true } + // Don't store built-in version in the mount table, to make upgrades smoother. + if versions.IsBuiltinVersion(entry.Version) { + entry.Version = "" + needPersist = true + } + if entry.NamespaceID == "" { entry.NamespaceID = namespace.RootNamespaceID needPersist = true diff --git a/vault/logical_system.go b/vault/logical_system.go index 118762712e0c..f0ebf6d7837d 100644 --- a/vault/logical_system.go +++ b/vault/logical_system.go @@ -2636,6 +2636,19 @@ func (b *SystemBackend) validateVersion(ctx context.Context, version string, plu // Canonicalize the version. version = "v" + semanticVersion.String() + + if version == versions.GetBuiltinVersion(pluginType, pluginName) { + unversionedPlugin, err := b.System().LookupPlugin(ctx, pluginName, pluginType) + if err == nil && !unversionedPlugin.Builtin { + // Builtin is overridden, return "not found" error. + return "", logical.ErrorResponse("%s plugin %q, version %s not found, as it is"+ + " overridden by an unversioned plugin of the same name", pluginType.String(), pluginName, version), nil + } + + // Don't put the builtin version in storage. Ensures that builtins + // can always be overridden, and upgrades are much simpler to handle. + version = "" + } } // if a non-builtin version is requested for a builtin plugin, return an error diff --git a/vault/mount.go b/vault/mount.go index 13735b802e40..dfccf6a91bc8 100644 --- a/vault/mount.go +++ b/vault/mount.go @@ -1317,6 +1317,11 @@ func (c *Core) runMountUpdates(ctx context.Context, needPersist bool) error { needPersist = true } + // Don't store built-in version in the mount table, to make upgrades smoother. + if versions.IsBuiltinVersion(entry.Version) { + entry.Version = "" + needPersist = true + } } // Done if we have restored the mount table and we don't need // to persist diff --git a/vault/plugin_catalog.go b/vault/plugin_catalog.go index 288e9fe56d2a..58166242d0db 100644 --- a/vault/plugin_catalog.go +++ b/vault/plugin_catalog.go @@ -832,7 +832,15 @@ func (c *PluginCatalog) get(ctx context.Context, name string, pluginType consts. } builtinVersion := versions.GetBuiltinVersion(pluginType, name) - if version == "" || version == builtinVersion { + if version == builtinVersion { + // Don't return the builtin if it's shadowed by an unversioned plugin. + unversioned, err := c.get(ctx, name, pluginType, "") + if err == nil && unversioned != nil && !unversioned.Builtin { + return nil, nil + } + version = "" + } + if version == "" { // Look for builtin plugins if factory, ok := c.builtinRegistry.Get(name, pluginType); ok { return &pluginutil.PluginRunner{ From affd18dbe438cbb8f4b76ca35d53cf632eed5e12 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Tue, 22 Nov 2022 15:37:08 +0000 Subject: [PATCH 2/9] Changelog, scrub db plugin builtin version on read, start tests --- .../database/path_config_connection.go | 6 ++++ changelog/18051.txt | 6 ++++ vault/logical_system_test.go | 32 +++++++++++++++++++ 3 files changed, 44 insertions(+) create mode 100644 changelog/18051.txt diff --git a/builtin/logical/database/path_config_connection.go b/builtin/logical/database/path_config_connection.go index d149793635e4..b04a12fbb58f 100644 --- a/builtin/logical/database/path_config_connection.go +++ b/builtin/logical/database/path_config_connection.go @@ -229,6 +229,12 @@ func (b *databaseBackend) connectionReadHandler() framework.OperationFunc { } } + if versions.IsBuiltinVersion(config.PluginVersion) { + // This gets treated as though it's empty when mounting, and will get + // overwritten to be empty when the config is next written. See #18051. + config.PluginVersion = "" + } + delete(config.ConnectionDetails, "password") delete(config.ConnectionDetails, "private_key") diff --git a/changelog/18051.txt b/changelog/18051.txt new file mode 100644 index 000000000000..c4c3232622e9 --- /dev/null +++ b/changelog/18051.txt @@ -0,0 +1,6 @@ +```release-note:change +plugins: Mounts can no longer be pinned to a specific _builtin_ version. Mounts previously pinned to a specific builtin version will now automatically upgrade to the latest builtin version, and may now be overridden if an unversioned plugin of the same name and type is registered. Mounts using plugin versions without `builtin` in their metadata remain unaffected. +``` +```release-note:bug +plugins: Vault upgrades will no longer fail if a mount has been created using an explicit builtin plugin version. +``` diff --git a/vault/logical_system_test.go b/vault/logical_system_test.go index a890e1c17e17..840c545169f3 100644 --- a/vault/logical_system_test.go +++ b/vault/logical_system_test.go @@ -5113,3 +5113,35 @@ func TestSortVersionedPlugins(t *testing.T) { }) } } + +func TestValidateVersion(t *testing.T) { + b := testSystemBackend(t).(*SystemBackend) + k8sAuthBuiltin := versions.GetBuiltinVersion(consts.PluginTypeCredential, "kubernetes") + + for name, tc := range map[string]struct { + pluginName string + pluginVersion string + pluginType consts.PluginType + expectLogicalError bool + expectedVersion string + }{ + "default, nothing in nothing out": {"kubernetes", "", consts.PluginTypeCredential, false, ""}, + "builtin specified, empty out": {"kubernetes", k8sAuthBuiltin, consts.PluginTypeCredential, false, ""}, + "not canonical is ok": {"kubernetes", "1.0.0", consts.PluginTypeCredential, false, "v1.0.0"}, + "not a semantic version, error": {"kubernetes", "not-a-version", consts.PluginTypeCredential, true, ""}, + } { + t.Run(name, func(t *testing.T) { + version, resp, err := b.validateVersion(context.Background(), tc.pluginVersion, tc.pluginName, tc.pluginType) + if err != nil { + t.Fatal(err) + } + if tc.expectLogicalError { + if resp == nil || !resp.IsError() || resp.Error() == nil { + t.Errorf("expected logical error but got none, resp: %#v", resp) + } + } else if version != tc.expectedVersion { + t.Errorf("expected version %q but got %q", tc.expectedVersion, version) + } + }) + } +} From 2817eb0134ce2cf254b0e06ee6defd476b8c5663 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Wed, 23 Nov 2022 10:39:50 +0000 Subject: [PATCH 3/9] Comments, minor refactor, use IsBuiltinVersion in more places --- .../logical/database/path_config_connection.go | 4 +++- builtin/logical/database/version_wrapper.go | 3 ++- helper/versions/version.go | 13 ++++++++++--- vault/logical_system.go | 10 +--------- vault/mount.go | 3 +-- vault/mount_test.go | 3 ++- vault/plugin_catalog.go | 16 ++++++++-------- vault/plugin_catalog_test.go | 2 +- 8 files changed, 28 insertions(+), 26 deletions(-) diff --git a/builtin/logical/database/path_config_connection.go b/builtin/logical/database/path_config_connection.go index b04a12fbb58f..4f31cc66c8ef 100644 --- a/builtin/logical/database/path_config_connection.go +++ b/builtin/logical/database/path_config_connection.go @@ -319,7 +319,7 @@ func (b *databaseBackend) connectionWriteHandler() framework.OperationFunc { if config.PluginVersion == versions.GetBuiltinVersion(consts.PluginTypeDatabase, config.PluginName) { if builtinShadowed { return logical.ErrorResponse("database plugin %q, version %s not found, as it is"+ - " overridden by an unversioned plugin of the same name", config.PluginName, config.PluginVersion), nil + " overridden by an unversioned plugin of the same name. Omit `plugin_version` to use the unversioned plugin", config.PluginName, config.PluginVersion), nil } config.PluginVersion = "" @@ -458,6 +458,8 @@ func (b *databaseBackend) connectionWriteHandler() framework.OperationFunc { } func storeConfig(ctx context.Context, storage logical.Storage, name string, config *DatabaseConfig) error { + // 1.12.0 and 1.12.1 stored builtin plugins in storage, but 1.12.2 reverted + // that, so clean up any pre-existing stored builtin versions on write. if versions.IsBuiltinVersion(config.PluginVersion) { config.PluginVersion = "" } diff --git a/builtin/logical/database/version_wrapper.go b/builtin/logical/database/version_wrapper.go index 0b84d4c756ae..8c4db1388861 100644 --- a/builtin/logical/database/version_wrapper.go +++ b/builtin/logical/database/version_wrapper.go @@ -23,7 +23,8 @@ type databaseVersionWrapper struct { var _ logical.PluginVersioner = databaseVersionWrapper{} // newDatabaseWrapper figures out which version of the database the pluginName is referring to and returns a wrapper object -// that can be used to make operations on the underlying database plugin. +// that can be used to make operations on the underlying database plugin. If a builtin pluginVersion is provided, it will +// be ignored. func newDatabaseWrapper(ctx context.Context, pluginName string, pluginVersion string, sys pluginutil.LookRunnerUtil, logger log.Logger) (dbw databaseVersionWrapper, err error) { // 1.12.0 and 1.12.1 stored plugin version in the config, but that stored // builtin version may disappear from the plugin catalog when Vault is diff --git a/helper/versions/version.go b/helper/versions/version.go index 344bce083dba..6bbd18698414 100644 --- a/helper/versions/version.go +++ b/helper/versions/version.go @@ -11,10 +11,14 @@ import ( "github.com/hashicorp/vault/sdk/version" ) +const ( + BuiltinMetadata = "builtin" +) + var ( buildInfoOnce sync.Once // once is used to ensure we only parse build info once. buildInfo *debug.BuildInfo - DefaultBuiltinVersion = "v" + version.GetVersion().Version + "+builtin.vault" + DefaultBuiltinVersion = fmt.Sprintf("v%s+%s.vault", version.GetVersion().Version, BuiltinMetadata) ) func GetBuiltinVersion(pluginType consts.PluginType, pluginName string) string { @@ -47,13 +51,16 @@ func GetBuiltinVersion(pluginType consts.PluginType, pluginName string) string { for _, dep := range buildInfo.Deps { if dep.Path == pluginModulePath { - return dep.Version + "+builtin" + return dep.Version + "+" + BuiltinMetadata } } return DefaultBuiltinVersion } +// IsBuiltinVersion checks for the "builtin" metadata identifier in a plugin's +// semantic version. Vault rejects any plugin registration requests with this +// identifier, so we can be certain it's a builtin plugin if it's present. func IsBuiltinVersion(v string) bool { semanticVersion, err := semver.NewSemver(v) if err != nil { @@ -62,7 +69,7 @@ func IsBuiltinVersion(v string) bool { metadataIdentifiers := strings.Split(semanticVersion.Metadata(), ".") for _, identifier := range metadataIdentifiers { - if identifier == "builtin" { + if identifier == BuiltinMetadata { return true } } diff --git a/vault/logical_system.go b/vault/logical_system.go index f0ebf6d7837d..bd1cbebed028 100644 --- a/vault/logical_system.go +++ b/vault/logical_system.go @@ -635,20 +635,12 @@ func getVersion(d *framework.FieldData) (version string, builtin bool, err error return "", false, fmt.Errorf("version %q is not a valid semantic version: %w", version, err) } - metadataIdentifiers := strings.Split(semanticVersion.Metadata(), ".") - for _, identifier := range metadataIdentifiers { - if identifier == "builtin" { - builtin = true - break - } - } - // Canonicalize the version string. // Add the 'v' back in, since semantic version strips it out, and we want to be consistent with internal plugins. version = "v" + semanticVersion.String() } - return version, builtin, nil + return version, versions.IsBuiltinVersion(version), nil } func (b *SystemBackend) handlePluginReloadUpdate(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) { diff --git a/vault/mount.go b/vault/mount.go index dfccf6a91bc8..ca786465ec6a 100644 --- a/vault/mount.go +++ b/vault/mount.go @@ -727,8 +727,7 @@ func (c *Core) builtinTypeFromMountEntry(ctx context.Context, entry *MountEntry) return consts.PluginTypeUnknown } - // Builtin plugins should contain the "builtin" string in their RunningVersion - if !strings.Contains(entry.RunningVersion, "builtin") { + if !versions.IsBuiltinVersion(entry.RunningVersion) { return consts.PluginTypeUnknown } diff --git a/vault/mount_test.go b/vault/mount_test.go index 7a033ad45fd0..e217879cfe80 100644 --- a/vault/mount_test.go +++ b/vault/mount_test.go @@ -13,6 +13,7 @@ import ( "github.com/hashicorp/vault/audit" "github.com/hashicorp/vault/helper/metricsutil" "github.com/hashicorp/vault/helper/namespace" + "github.com/hashicorp/vault/helper/versions" "github.com/hashicorp/vault/sdk/helper/compressutil" "github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/hashicorp/vault/sdk/logical" @@ -206,7 +207,7 @@ func TestCore_Mount_secrets_builtin_RunningVersion(t *testing.T) { raw, _ := c.router.root.Get(match) // we override the running version of builtins - if !strings.Contains(raw.(*routeEntry).mountEntry.RunningVersion, "builtin") { + if !versions.IsBuiltinVersion(raw.(*routeEntry).mountEntry.RunningVersion) { t.Errorf("Expected mount to have builtin version but got %s", raw.(*routeEntry).mountEntry.RunningVersion) } } diff --git a/vault/plugin_catalog.go b/vault/plugin_catalog.go index 58166242d0db..dd92f591d6af 100644 --- a/vault/plugin_catalog.go +++ b/vault/plugin_catalog.go @@ -832,15 +832,15 @@ func (c *PluginCatalog) get(ctx context.Context, name string, pluginType consts. } builtinVersion := versions.GetBuiltinVersion(pluginType, name) - if version == builtinVersion { - // Don't return the builtin if it's shadowed by an unversioned plugin. - unversioned, err := c.get(ctx, name, pluginType, "") - if err == nil && unversioned != nil && !unversioned.Builtin { - return nil, nil + if version == "" || version == builtinVersion { + if version == builtinVersion { + // Don't return the builtin if it's shadowed by an unversioned plugin. + unversioned, err := c.get(ctx, name, pluginType, "") + if err == nil && unversioned != nil && !unversioned.Builtin { + return nil, nil + } } - version = "" - } - if version == "" { + // Look for builtin plugins if factory, ok := c.builtinRegistry.Get(name, pluginType); ok { return &pluginutil.PluginRunner{ diff --git a/vault/plugin_catalog_test.go b/vault/plugin_catalog_test.go index ee6faca7113f..bce8397ab1cd 100644 --- a/vault/plugin_catalog_test.go +++ b/vault/plugin_catalog_test.go @@ -383,7 +383,7 @@ func TestPluginCatalog_ListVersionedPlugins(t *testing.T) { if !plugin.Builtin { t.Fatalf("expected %v plugin to be builtin", plugin) } - if plugin.SemanticVersion.Metadata() != "builtin" && plugin.SemanticVersion.Metadata() != "builtin.vault" { + if !versions.IsBuiltinVersion(plugin.Version) { t.Fatalf("expected +builtin metadata but got %s", plugin.Version) } } From 04880c71435d48990c104940d92db44cf2297612 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Wed, 23 Nov 2022 12:25:49 +0000 Subject: [PATCH 4/9] A few more tests, PR comments --- builtin/logical/database/backend_test.go | 2 + .../database/path_config_connection.go | 10 +- .../database/path_config_connection_test.go | 125 ++++++++++++++++++ .../database/path_rotate_credentials.go | 6 + vault/logical_system.go | 2 +- vault/logical_system_test.go | 54 +++++++- 6 files changed, 187 insertions(+), 12 deletions(-) create mode 100644 builtin/logical/database/path_config_connection_test.go diff --git a/builtin/logical/database/backend_test.go b/builtin/logical/database/backend_test.go index 191d2a5b9387..2c4f1ed6c8a3 100644 --- a/builtin/logical/database/backend_test.go +++ b/builtin/logical/database/backend_test.go @@ -14,6 +14,7 @@ import ( "github.com/go-test/deep" mongodbatlas "github.com/hashicorp/vault-plugin-database-mongodbatlas" + "github.com/hashicorp/vault/helper/builtinplugins" "github.com/hashicorp/vault/helper/namespace" postgreshelper "github.com/hashicorp/vault/helper/testhelpers/postgresql" vaulthttp "github.com/hashicorp/vault/http" @@ -36,6 +37,7 @@ func getCluster(t *testing.T) (*vault.TestCluster, logical.SystemView) { LogicalBackends: map[string]logical.Factory{ "database": Factory, }, + BuiltinRegistry: builtinplugins.Registry, } cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{ diff --git a/builtin/logical/database/path_config_connection.go b/builtin/logical/database/path_config_connection.go index 4f31cc66c8ef..9f1ad4cf5744 100644 --- a/builtin/logical/database/path_config_connection.go +++ b/builtin/logical/database/path_config_connection.go @@ -426,6 +426,11 @@ func (b *databaseBackend) connectionWriteHandler() framework.OperationFunc { oldConn.Close() } + // 1.12.0 and 1.12.1 stored builtin plugins in storage, but 1.12.2 reverted + // that, so clean up any pre-existing stored builtin versions on write. + if versions.IsBuiltinVersion(config.PluginVersion) { + config.PluginVersion = "" + } err = storeConfig(ctx, req.Storage, name, config) if err != nil { return nil, err @@ -458,11 +463,6 @@ func (b *databaseBackend) connectionWriteHandler() framework.OperationFunc { } func storeConfig(ctx context.Context, storage logical.Storage, name string, config *DatabaseConfig) error { - // 1.12.0 and 1.12.1 stored builtin plugins in storage, but 1.12.2 reverted - // that, so clean up any pre-existing stored builtin versions on write. - if versions.IsBuiltinVersion(config.PluginVersion) { - config.PluginVersion = "" - } entry, err := logical.StorageEntryJSON(fmt.Sprintf("config/%s", name), config) if err != nil { return fmt.Errorf("unable to marshal object to JSON: %w", err) diff --git a/builtin/logical/database/path_config_connection_test.go b/builtin/logical/database/path_config_connection_test.go new file mode 100644 index 000000000000..413f5589ccbc --- /dev/null +++ b/builtin/logical/database/path_config_connection_test.go @@ -0,0 +1,125 @@ +package database + +import ( + "context" + "strings" + "testing" + + "github.com/hashicorp/vault/helper/namespace" + "github.com/hashicorp/vault/helper/versions" + "github.com/hashicorp/vault/sdk/helper/consts" + "github.com/hashicorp/vault/sdk/logical" +) + +func TestWriteConfig_PluginVersionInStorage(t *testing.T) { + cluster, sys := getCluster(t) + defer cluster.Cleanup() + + config := logical.TestBackendConfig() + config.StorageView = &logical.InmemStorage{} + config.System = sys + + b, err := Factory(context.Background(), config) + if err != nil { + t.Fatal(err) + } + defer b.Cleanup(context.Background()) + + const hdb = "hana-database-plugin" + hdbBuiltin := versions.GetBuiltinVersion(consts.PluginTypeDatabase, hdb) + + // Configure a connection + data := map[string]interface{}{ + "connection_url": "test", + "plugin_name": hdb, + "plugin_version": hdbBuiltin, + "verify_connection": false, + } + req := &logical.Request{ + Operation: logical.UpdateOperation, + Path: "config/plugin-test", + Storage: config.StorageView, + Data: data, + } + resp, err := b.HandleRequest(namespace.RootContext(nil), req) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("err:%s resp:%#v\n", err, resp) + } + + req = &logical.Request{ + Operation: logical.ReadOperation, + Path: "config/plugin-test", + Storage: config.StorageView, + Data: data, + } + + resp, err = b.HandleRequest(namespace.RootContext(nil), req) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("err:%s resp:%#v\n", err, resp) + } + + if resp.Data["plugin_version"] != "" { + t.Fatalf("expected plugin_version empty but got %s", resp.Data["plugin_version"]) + } + + // Directly store config to get the builtin plugin version into storage, + // simulating a write that happened before upgrading to 1.12.2+ + err = storeConfig(context.Background(), config.StorageView, "plugin-test", &DatabaseConfig{ + PluginName: hdb, + PluginVersion: hdbBuiltin, + }) + if err != nil { + t.Fatal(err) + } + + // Now replay the read request, and we still shouldn't get the builtin version back. + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("err:%s resp:%#v\n", err, resp) + } + + if resp.Data["plugin_version"] != "" { + t.Fatalf("expected plugin_version empty but got %s", resp.Data["plugin_version"]) + } +} + +func TestWriteConfig_HelpfulErrorMessageWhenBuiltinOverridden(t *testing.T) { + cluster, sys := getCluster(t) + defer cluster.Cleanup() + + config := logical.TestBackendConfig() + config.StorageView = &logical.InmemStorage{} + config.System = sys + + b, err := Factory(context.Background(), config) + if err != nil { + t.Fatal(err) + } + defer b.Cleanup(context.Background()) + + const pg = "postgresql-database-plugin" + pgBuiltin := versions.GetBuiltinVersion(consts.PluginTypeDatabase, pg) + + // Configure a connection + data := map[string]interface{}{ + "connection_url": "test", + "plugin_name": pg, + "plugin_version": pgBuiltin, + "verify_connection": false, + } + req := &logical.Request{ + Operation: logical.UpdateOperation, + Path: "config/plugin-test", + Storage: config.StorageView, + Data: data, + } + resp, err := b.HandleRequest(namespace.RootContext(nil), req) + if err != nil { + t.Fatal(err) + } + if resp == nil || !resp.IsError() { + t.Fatalf("resp:%#v", resp) + } + if !strings.Contains(resp.Error().Error(), "overridden by an unversioned plugin") { + t.Fatalf("expected overridden error but got: %s", resp.Error()) + } +} diff --git a/builtin/logical/database/path_rotate_credentials.go b/builtin/logical/database/path_rotate_credentials.go index 4d05393b86ac..03a6845e1c57 100644 --- a/builtin/logical/database/path_rotate_credentials.go +++ b/builtin/logical/database/path_rotate_credentials.go @@ -5,6 +5,7 @@ import ( "fmt" "time" + "github.com/hashicorp/vault/helper/versions" v5 "github.com/hashicorp/vault/sdk/database/dbplugin/v5" "github.com/hashicorp/vault/sdk/framework" "github.com/hashicorp/vault/sdk/logical" @@ -137,6 +138,11 @@ func (b *databaseBackend) pathRotateRootCredentialsUpdate() framework.OperationF config.ConnectionDetails = newConfigDetails } + // 1.12.0 and 1.12.1 stored builtin plugins in storage, but 1.12.2 reverted + // that, so clean up any pre-existing stored builtin versions on write. + if versions.IsBuiltinVersion(config.PluginVersion) { + config.PluginVersion = "" + } err = storeConfig(ctx, req.Storage, name, config) if err != nil { return nil, err diff --git a/vault/logical_system.go b/vault/logical_system.go index bd1cbebed028..c10d7e82db68 100644 --- a/vault/logical_system.go +++ b/vault/logical_system.go @@ -2634,7 +2634,7 @@ func (b *SystemBackend) validateVersion(ctx context.Context, version string, plu if err == nil && !unversionedPlugin.Builtin { // Builtin is overridden, return "not found" error. return "", logical.ErrorResponse("%s plugin %q, version %s not found, as it is"+ - " overridden by an unversioned plugin of the same name", pluginType.String(), pluginName, version), nil + " overridden by an unversioned plugin of the same name. Omit `plugin_version` to use the unversioned plugin", pluginType.String(), pluginName, version), nil } // Don't put the builtin version in storage. Ensures that builtins diff --git a/vault/logical_system_test.go b/vault/logical_system_test.go index 840c545169f3..c4d281d06a97 100644 --- a/vault/logical_system_test.go +++ b/vault/logical_system_test.go @@ -5122,26 +5122,68 @@ func TestValidateVersion(t *testing.T) { pluginName string pluginVersion string pluginType consts.PluginType - expectLogicalError bool + expectLogicalError string expectedVersion string }{ - "default, nothing in nothing out": {"kubernetes", "", consts.PluginTypeCredential, false, ""}, - "builtin specified, empty out": {"kubernetes", k8sAuthBuiltin, consts.PluginTypeCredential, false, ""}, - "not canonical is ok": {"kubernetes", "1.0.0", consts.PluginTypeCredential, false, "v1.0.0"}, - "not a semantic version, error": {"kubernetes", "not-a-version", consts.PluginTypeCredential, true, ""}, + "default, nothing in nothing out": {"kubernetes", "", consts.PluginTypeCredential, "", ""}, + "builtin specified, empty out": {"kubernetes", k8sAuthBuiltin, consts.PluginTypeCredential, "", ""}, + "not canonical is ok": {"kubernetes", "1.0.0", consts.PluginTypeCredential, "", "v1.0.0"}, + "not a semantic version, error": {"kubernetes", "not-a-version", consts.PluginTypeCredential, "not a valid semantic version", ""}, + "can't select non-builtin token": {"token", "v1.0.0", consts.PluginTypeCredential, "cannot select non-builtin version", ""}, + "can't select non-builtin identity": {"identity", "v1.0.0", consts.PluginTypeSecrets, "cannot select non-builtin version", ""}, } { t.Run(name, func(t *testing.T) { version, resp, err := b.validateVersion(context.Background(), tc.pluginVersion, tc.pluginName, tc.pluginType) if err != nil { t.Fatal(err) } - if tc.expectLogicalError { + if tc.expectLogicalError != "" { if resp == nil || !resp.IsError() || resp.Error() == nil { t.Errorf("expected logical error but got none, resp: %#v", resp) } + if !strings.Contains(resp.Error().Error(), tc.expectLogicalError) { + t.Errorf("expected logical error to contain %q, but got: %s", tc.expectLogicalError, resp.Error()) + } } else if version != tc.expectedVersion { t.Errorf("expected version %q but got %q", tc.expectedVersion, version) } }) } } + +func TestValidateVersion_HelpfulErrorWhenBuiltinOverridden(t *testing.T) { + core, _, _ := TestCoreUnsealed(t) + tempDir, err := filepath.EvalSymlinks(t.TempDir()) + if err != nil { + t.Fatal(err) + } + core.pluginCatalog.directory = tempDir + b := core.systemBackend + + // Shadow a builtin and test getting a helpful error back. + file, err := ioutil.TempFile(tempDir, "temp") + if err != nil { + t.Fatal(err) + } + defer file.Close() + + command := filepath.Base(file.Name()) + err = core.pluginCatalog.Set(context.Background(), "kubernetes", consts.PluginTypeCredential, "", command, nil, nil, nil) + if err != nil { + t.Fatal(err) + } + + // When we validate the version now, we should get a special error message + // about why the builtin isn't there. + k8sAuthBuiltin := versions.GetBuiltinVersion(consts.PluginTypeCredential, "kubernetes") + _, resp, err := b.validateVersion(context.Background(), k8sAuthBuiltin, "kubernetes", consts.PluginTypeCredential) + if err != nil { + t.Fatal(err) + } + if resp == nil || !resp.IsError() || resp.Error() == nil { + t.Errorf("expected logical error but got none, resp: %#v", resp) + } + if !strings.Contains(resp.Error().Error(), "overridden by an unversioned plugin of the same name") { + t.Errorf("expected logical error to contain overridden message, but got: %s", resp.Error()) + } +} From 3a0908c8ecdb13753badc23c14caff2bf1c38fa1 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Wed, 23 Nov 2022 12:37:38 +0000 Subject: [PATCH 5/9] Tests for IsBuiltinVersion and plugin catalog --- helper/versions/version_test.go | 23 +++++++++++++++++++++++ vault/plugin_catalog_test.go | 23 ++++++++++++++++++++++- 2 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 helper/versions/version_test.go diff --git a/helper/versions/version_test.go b/helper/versions/version_test.go new file mode 100644 index 000000000000..cc1b3e1c20f2 --- /dev/null +++ b/helper/versions/version_test.go @@ -0,0 +1,23 @@ +package versions + +import "testing" + +func TestIsBuiltinVersion(t *testing.T) { + for _, tc := range []struct { + version string + builtin bool + }{ + {"v1.0.0+builtin", true}, + {"v2.3.4+builtin.vault", true}, + {"1.0.0+builtin.anythingelse", true}, + {"v1.0.0+other.builtin", true}, + {"v1.0.0+builtinbutnot", false}, + {"v1.0.0", false}, + {"not-a-semver", false}, + } { + builtin := IsBuiltinVersion(tc.version) + if builtin != tc.builtin { + t.Fatalf("%s should give: %v, but got %v", tc.version, tc.builtin, builtin) + } + } +} diff --git a/vault/plugin_catalog_test.go b/vault/plugin_catalog_test.go index bce8397ab1cd..d1b469f05de1 100644 --- a/vault/plugin_catalog_test.go +++ b/vault/plugin_catalog_test.go @@ -40,11 +40,18 @@ func TestPluginCatalog_CRUD(t *testing.T) { t.Fatalf("unexpected error %v", err) } + // Get it again, explicitly specifying builtin version + builtinVersion := versions.GetBuiltinVersion(consts.PluginTypeDatabase, pluginName) + p2, err := core.pluginCatalog.Get(context.Background(), pluginName, consts.PluginTypeDatabase, builtinVersion) + if err != nil { + t.Fatalf("unexpected error %v", err) + } + expectedBuiltin := &pluginutil.PluginRunner{ Name: pluginName, Type: consts.PluginTypeDatabase, Builtin: true, - Version: versions.GetBuiltinVersion(consts.PluginTypeDatabase, pluginName), + Version: builtinVersion, } expectedBuiltin.BuiltinFactory, _ = builtinplugins.Registry.Get(pluginName, consts.PluginTypeDatabase) @@ -53,9 +60,13 @@ func TestPluginCatalog_CRUD(t *testing.T) { } expectedBuiltin.BuiltinFactory = nil p.BuiltinFactory = nil + p2.BuiltinFactory = nil if !reflect.DeepEqual(p, expectedBuiltin) { t.Fatalf("expected did not match actual, got %#v\n expected %#v\n", p, expectedBuiltin) } + if !reflect.DeepEqual(p2, expectedBuiltin) { + t.Fatalf("expected did not match actual, got %#v\n expected %#v\n", p2, expectedBuiltin) + } // Set a plugin, test overwriting a builtin plugin file, err := ioutil.TempFile(tempDir, "temp") @@ -76,6 +87,16 @@ func TestPluginCatalog_CRUD(t *testing.T) { t.Fatalf("unexpected error %v", err) } + // Get it again, explicitly specifying builtin version. + // This time it should fail because it was overwritten. + p2, err = core.pluginCatalog.Get(context.Background(), pluginName, consts.PluginTypeDatabase, builtinVersion) + if err != nil { + t.Fatalf("unexpected error %v", err) + } + if p2 != nil { + t.Fatalf("expected no result, got: %#v", p2) + } + expected := &pluginutil.PluginRunner{ Name: pluginName, Type: consts.PluginTypeDatabase, From 5f4d2ad8b4e05af5728d70ee2554dab0f31ba358 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Wed, 23 Nov 2022 13:42:04 +0000 Subject: [PATCH 6/9] tests: Tighter assertions around life cycle of version in storage for db plugins --- .../database/path_config_connection_test.go | 108 ++++++++++++------ 1 file changed, 73 insertions(+), 35 deletions(-) diff --git a/builtin/logical/database/path_config_connection_test.go b/builtin/logical/database/path_config_connection_test.go index 413f5589ccbc..fc29eb2133d9 100644 --- a/builtin/logical/database/path_config_connection_test.go +++ b/builtin/logical/database/path_config_connection_test.go @@ -29,37 +29,42 @@ func TestWriteConfig_PluginVersionInStorage(t *testing.T) { hdbBuiltin := versions.GetBuiltinVersion(consts.PluginTypeDatabase, hdb) // Configure a connection - data := map[string]interface{}{ - "connection_url": "test", - "plugin_name": hdb, - "plugin_version": hdbBuiltin, - "verify_connection": false, - } - req := &logical.Request{ - Operation: logical.UpdateOperation, - Path: "config/plugin-test", - Storage: config.StorageView, - Data: data, - } - resp, err := b.HandleRequest(namespace.RootContext(nil), req) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err:%s resp:%#v\n", err, resp) - } - - req = &logical.Request{ - Operation: logical.ReadOperation, - Path: "config/plugin-test", - Storage: config.StorageView, - Data: data, - } - - resp, err = b.HandleRequest(namespace.RootContext(nil), req) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err:%s resp:%#v\n", err, resp) - } - - if resp.Data["plugin_version"] != "" { - t.Fatalf("expected plugin_version empty but got %s", resp.Data["plugin_version"]) + writePluginVersion := func() { + req := &logical.Request{ + Operation: logical.UpdateOperation, + Path: "config/plugin-test", + Storage: config.StorageView, + Data: map[string]interface{}{ + "connection_url": "test", + "plugin_name": hdb, + "plugin_version": hdbBuiltin, + "verify_connection": false, + }, + } + resp, err := b.HandleRequest(namespace.RootContext(nil), req) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("err:%s resp:%#v\n", err, resp) + } + } + writePluginVersion() + + getPluginVersionFromAPI := func() string { + req := &logical.Request{ + Operation: logical.ReadOperation, + Path: "config/plugin-test", + Storage: config.StorageView, + } + + resp, err := b.HandleRequest(namespace.RootContext(nil), req) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("err:%s resp:%#v\n", err, resp) + } + + return resp.Data["plugin_version"].(string) + } + pluginVersion := getPluginVersionFromAPI() + if pluginVersion != "" { + t.Fatalf("expected plugin_version empty but got %s", pluginVersion) } // Directly store config to get the builtin plugin version into storage, @@ -73,12 +78,45 @@ func TestWriteConfig_PluginVersionInStorage(t *testing.T) { } // Now replay the read request, and we still shouldn't get the builtin version back. - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err:%s resp:%#v\n", err, resp) + pluginVersion = getPluginVersionFromAPI() + if pluginVersion != "" { + t.Fatalf("expected plugin_version empty but got %s", pluginVersion) + } + + // Check the underlying data, which should still have the version in storage. + getPluginVersionFromStorage := func() string { + entry, err := config.StorageView.Get(context.Background(), "config/plugin-test") + if err != nil { + t.Fatal(err) + } + if entry == nil { + t.Fatal() + } + + var config DatabaseConfig + if err := entry.DecodeJSON(&config); err != nil { + t.Fatal(err) + } + return config.PluginVersion + } + + storagePluginVersion := getPluginVersionFromStorage() + if storagePluginVersion != hdbBuiltin { + t.Fatalf("Expected %s, got: %s", hdbBuiltin, storagePluginVersion) + } + + // Trigger a write to storage, which should clean up plugin version in the storage entry. + writePluginVersion() + + storagePluginVersion = getPluginVersionFromStorage() + if storagePluginVersion != "" { + t.Fatalf("Expected empty, got: %s", storagePluginVersion) } - if resp.Data["plugin_version"] != "" { - t.Fatalf("expected plugin_version empty but got %s", resp.Data["plugin_version"]) + // Finally, confirm API requests still return empty plugin version too + pluginVersion = getPluginVersionFromAPI() + if pluginVersion != "" { + t.Fatalf("expected plugin_version empty but got %s", pluginVersion) } } From 12506c78778c103a26286157f6a636dc9262e87a Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Wed, 23 Nov 2022 14:20:07 +0000 Subject: [PATCH 7/9] Test newDatabaseWrapper correctly ignores builtin versions --- builtin/logical/database/backend_test.go | 10 ++++++++++ .../logical/database/path_config_connection_test.go | 4 ++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/builtin/logical/database/backend_test.go b/builtin/logical/database/backend_test.go index 2c4f1ed6c8a3..27ce027c959e 100644 --- a/builtin/logical/database/backend_test.go +++ b/builtin/logical/database/backend_test.go @@ -13,6 +13,7 @@ import ( "time" "github.com/go-test/deep" + "github.com/hashicorp/go-hclog" mongodbatlas "github.com/hashicorp/vault-plugin-database-mongodbatlas" "github.com/hashicorp/vault/helper/builtinplugins" "github.com/hashicorp/vault/helper/namespace" @@ -1552,6 +1553,15 @@ func TestBackend_AsyncClose(t *testing.T) { } } +func TestNewDatabaseWrapper_IgnoresBuiltinVersion(t *testing.T) { + cluster, sys := getCluster(t) + t.Cleanup(cluster.Cleanup) + _, err := newDatabaseWrapper(context.Background(), "hana-database-plugin", "v1.0.0+builtin", sys, hclog.Default()) + if err != nil { + t.Fatal(err) + } +} + func testCredsExist(t *testing.T, resp *logical.Response, connURL string) bool { t.Helper() var d struct { diff --git a/builtin/logical/database/path_config_connection_test.go b/builtin/logical/database/path_config_connection_test.go index fc29eb2133d9..54d75cde73ce 100644 --- a/builtin/logical/database/path_config_connection_test.go +++ b/builtin/logical/database/path_config_connection_test.go @@ -13,7 +13,7 @@ import ( func TestWriteConfig_PluginVersionInStorage(t *testing.T) { cluster, sys := getCluster(t) - defer cluster.Cleanup() + t.Cleanup(cluster.Cleanup) config := logical.TestBackendConfig() config.StorageView = &logical.InmemStorage{} @@ -122,7 +122,7 @@ func TestWriteConfig_PluginVersionInStorage(t *testing.T) { func TestWriteConfig_HelpfulErrorMessageWhenBuiltinOverridden(t *testing.T) { cluster, sys := getCluster(t) - defer cluster.Cleanup() + t.Cleanup(cluster.Cleanup) config := logical.TestBackendConfig() config.StorageView = &logical.InmemStorage{} From 70694416995504bfef244cea961b7c08da36571c Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Wed, 23 Nov 2022 15:42:33 +0000 Subject: [PATCH 8/9] Add test for upgrading on unseal --- vault/logical_system_test.go | 93 ++++++++++++++++++++++++++++++++++++ vault/testing.go | 25 ++++++---- 2 files changed, 109 insertions(+), 9 deletions(-) diff --git a/vault/logical_system_test.go b/vault/logical_system_test.go index c4d281d06a97..1abc066e458a 100644 --- a/vault/logical_system_test.go +++ b/vault/logical_system_test.go @@ -5187,3 +5187,96 @@ func TestValidateVersion_HelpfulErrorWhenBuiltinOverridden(t *testing.T) { t.Errorf("expected logical error to contain overridden message, but got: %s", resp.Error()) } } + +func TestCanUnseal_WithNonExistentBuiltinPluginVersion_InMountStorage(t *testing.T) { + core, keys, _ := TestCoreUnsealed(t) + ctx := namespace.RootContext(nil) + testCases := []struct { + pluginName string + pluginType consts.PluginType + mountTable string + }{ + {"consul", consts.PluginTypeSecrets, "mounts"}, + {"approle", consts.PluginTypeCredential, "auth"}, + } + readMountConfig := func(pluginName, mountTable string) map[string]interface{} { + req := logical.TestRequest(t, logical.ReadOperation, mountTable+"/"+pluginName) + resp, err := core.systemBackend.HandleRequest(ctx, req) + if err != nil { + t.Fatalf("err: %v", err) + } + + return resp.Data + } + + for _, tc := range testCases { + req := logical.TestRequest(t, logical.UpdateOperation, tc.mountTable+"/"+tc.pluginName) + req.Data["type"] = tc.pluginName + req.Data["config"] = map[string]interface{}{ + "default_lease_ttl": "35m", + "max_lease_ttl": "45m", + "plugin_version": versions.GetBuiltinVersion(tc.pluginType, tc.pluginName), + } + + resp, err := core.systemBackend.HandleRequest(ctx, req) + if err != nil { + t.Fatalf("err: %v, resp: %#v", err, resp) + } + if resp != nil { + t.Fatalf("bad: %v", resp) + } + + config := readMountConfig(tc.pluginName, tc.mountTable) + pluginVersion, ok := config["plugin_version"] + if !ok || pluginVersion != "" { + t.Fatalf("expected empty plugin version in config: %#v", config) + } + + // Directly store plugin version in mount entry, so we can then simulate + // an upgrade from 1.12.1 to 1.12.2 by sealing and unsealing. + const nonExistentBuiltinVersion = "v1.0.0+builtin" + var mountEntry *MountEntry + if tc.mountTable == "mounts" { + mountEntry, err = core.mounts.find(ctx, tc.pluginName+"/") + } else { + mountEntry, err = core.auth.find(ctx, tc.pluginName+"/") + } + if err != nil { + t.Fatal(err) + } + if mountEntry == nil { + t.Fatal() + } + mountEntry.Version = nonExistentBuiltinVersion + err = core.persistMounts(ctx, core.mounts, &mountEntry.Local) + if err != nil { + t.Fatal(err) + } + + config = readMountConfig(tc.pluginName, tc.mountTable) + pluginVersion, ok = config["plugin_version"] + if !ok || pluginVersion != nonExistentBuiltinVersion { + t.Fatalf("expected plugin version %s but was %s, config: %#v", nonExistentBuiltinVersion, pluginVersion, config) + } + } + + err := TestCoreSeal(core) + if err != nil { + t.Fatal(err) + } + for _, key := range keys { + if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil { + t.Fatalf("unseal err: %s", err) + } + } + + for _, tc := range testCases { + // Storage should have been upgraded during the unseal, so plugin version + //should be empty again. + config := readMountConfig(tc.pluginName, tc.mountTable) + pluginVersion, ok := config["plugin_version"] + if !ok || pluginVersion != "" { + t.Fatalf("expected empty plugin version in config: %#v", config) + } + } +} diff --git a/vault/testing.go b/vault/testing.go index 021ad60d552e..5fc2862a8e43 100644 --- a/vault/testing.go +++ b/vault/testing.go @@ -2247,6 +2247,7 @@ func NewMockBuiltinRegistry() *mockBuiltinRegistry { "postgresql-database-plugin": consts.PluginTypeDatabase, "approle": consts.PluginTypeCredential, "aws": consts.PluginTypeCredential, + "consul": consts.PluginTypeSecrets, }, } } @@ -2255,7 +2256,6 @@ type mockBuiltinRegistry struct { forTesting map[string]consts.PluginType } -// Get only supports getting database plugins, and approle func (m *mockBuiltinRegistry) Get(name string, pluginType consts.PluginType) (func() (interface{}, error), bool) { testPluginType, ok := m.forTesting[name] if !ok { @@ -2265,28 +2265,35 @@ func (m *mockBuiltinRegistry) Get(name string, pluginType consts.PluginType) (fu return nil, false } - if name == "approle" { + switch name { + case "approle": return toFunc(approle.Factory), true - } - - if name == "aws" { + case "aws": return toFunc(func(ctx context.Context, config *logical.BackendConfig) (logical.Backend, error) { b := new(framework.Backend) b.Setup(ctx, config) b.BackendType = logical.TypeCredential return b, nil }), true - } - - if name == "postgresql-database-plugin" { + case "postgresql-database-plugin": + return toFunc(func(ctx context.Context, config *logical.BackendConfig) (logical.Backend, error) { + b := new(framework.Backend) + b.Setup(ctx, config) + b.BackendType = logical.TypeLogical + return b, nil + }), true + case "mysql-database-plugin": + return dbMysql.New(dbMysql.DefaultUserNameTemplate), true + case "consul": return toFunc(func(ctx context.Context, config *logical.BackendConfig) (logical.Backend, error) { b := new(framework.Backend) b.Setup(ctx, config) b.BackendType = logical.TypeLogical return b, nil }), true + default: + return nil, false } - return dbMysql.New(dbMysql.DefaultUserNameTemplate), true } // Keys only supports getting a realistic list of the keys for database plugins, From d005adde5ee0551271eb2e313528905885401fd7 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Wed, 23 Nov 2022 17:35:45 +0000 Subject: [PATCH 9/9] fmt, t.Helper() and Fatal->Error --- builtin/logical/database/path_config_connection_test.go | 3 +++ vault/logical_system_test.go | 5 +++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/builtin/logical/database/path_config_connection_test.go b/builtin/logical/database/path_config_connection_test.go index 54d75cde73ce..18f850dbce92 100644 --- a/builtin/logical/database/path_config_connection_test.go +++ b/builtin/logical/database/path_config_connection_test.go @@ -30,6 +30,7 @@ func TestWriteConfig_PluginVersionInStorage(t *testing.T) { // Configure a connection writePluginVersion := func() { + t.Helper() req := &logical.Request{ Operation: logical.UpdateOperation, Path: "config/plugin-test", @@ -49,6 +50,7 @@ func TestWriteConfig_PluginVersionInStorage(t *testing.T) { writePluginVersion() getPluginVersionFromAPI := func() string { + t.Helper() req := &logical.Request{ Operation: logical.ReadOperation, Path: "config/plugin-test", @@ -85,6 +87,7 @@ func TestWriteConfig_PluginVersionInStorage(t *testing.T) { // Check the underlying data, which should still have the version in storage. getPluginVersionFromStorage := func() string { + t.Helper() entry, err := config.StorageView.Get(context.Background(), "config/plugin-test") if err != nil { t.Fatal(err) diff --git a/vault/logical_system_test.go b/vault/logical_system_test.go index 1abc066e458a..e7fe7fa7387b 100644 --- a/vault/logical_system_test.go +++ b/vault/logical_system_test.go @@ -5200,6 +5200,7 @@ func TestCanUnseal_WithNonExistentBuiltinPluginVersion_InMountStorage(t *testing {"approle", consts.PluginTypeCredential, "auth"}, } readMountConfig := func(pluginName, mountTable string) map[string]interface{} { + t.Helper() req := logical.TestRequest(t, logical.ReadOperation, mountTable+"/"+pluginName) resp, err := core.systemBackend.HandleRequest(ctx, req) if err != nil { @@ -5272,11 +5273,11 @@ func TestCanUnseal_WithNonExistentBuiltinPluginVersion_InMountStorage(t *testing for _, tc := range testCases { // Storage should have been upgraded during the unseal, so plugin version - //should be empty again. + // should be empty again. config := readMountConfig(tc.pluginName, tc.mountTable) pluginVersion, ok := config["plugin_version"] if !ok || pluginVersion != "" { - t.Fatalf("expected empty plugin version in config: %#v", config) + t.Errorf("expected empty plugin version in config: %#v", config) } } }