VAULT-13614 Support SCRAM-SHA-256 encrypted passwords for PostgreSQL #19616
Conversation
* don't error for other message events Signed-off-by: David van der Spek <vanderspek.david@gmail.com> * add changelog Signed-off-by: David van der Spek <vanderspek.david@gmail.com> * rename release note for changelog Signed-off-by: David van der Spek <vanderspek.david@gmail.com> --------- Signed-off-by: David van der Spek <vanderspek.david@gmail.com>
* glimmerize alert-banner * structure for the DocLink todo: css important remove * styling done. kind of strange, but should help in future * clean up * test coverage * changelog * address pr comments * clean up * amended language on banner to match most recent change. * add return * clean up * modify the banner title and shorten message * update language
* fix delete not working for ssh config * add test * add changelog;
* bug: correct handling of the zero int64 value * Update changelog/18729.txt --------- Co-authored-by: valli_0x <personallune@mail.ru> Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* VAULT-14215 Fix panic for non-TLS listeners during SIGHUP * VAULT-14215 Changelog * VAULT-14215 Godoc for test
* replace use of os.Unsetenv in test with t.Setenv and remove t.Parallel from test that rely on env being modified. * experiment with using fromJSON function * revert previous experiment * including double quotes in the output value for the string ubuntu-latest * use go run to launch gofumpt
* Un-hiding link to 1.13 upgrade guide * Removing draft notice
* sdk: Fix fmt + add FieldType test * Add test comment
* Add support for importing RSA-PSS keys in Transit Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
) * fix data race on plugin reload * add changelog * add comment for posterity * revert comment and return assignment in router.go * rework plugin continue on error tests to use compilePlugin * fix race condition on route entry * add test for plugin reload and rollback race detection * add go doc for test
* remove oracle banner * add back extra test coverage for other banner * add description
raymonstah
changed the title
| var ( | ||
| PasswordEncryptionSCRAMSHA256 PasswordEncryption = "scram-sha-256" | ||
| PasswordEncryptionPlainText PasswordEncryption = "plaintext" | ||
| ) |
There was a problem hiding this comment.
Would PasswordEncryptionNone PasswordEncryption = "none" be a more appropriate name?
Plaintext encryption sounds a bit funky to me, curious to hear from others.
There was a problem hiding this comment.
+1 for PasswordEncryptionNone
| @@ -10,6 +10,8 @@ import ( | |||
| "regexp" | |||
| "strings" | |||
|
|
|||
| "github.com/hashicorp/vault/plugins/database/postgresql/scram" | |||
There was a problem hiding this comment.
Curious why we copied to code instead of importing github.com/supercaracal/scram-sha-256?
There was a problem hiding this comment.
Unfortunately when I last checked, it wasn't an option since all of the source code was in a main package and un-exported.
There was a problem hiding this comment.
Aight, surprised there are no packages that would do what we need but it's simple enough and open sourced so I think copying is fine.
There was a problem hiding this comment.
Also, wondering if it would be worthwhile to have the Crypto team take a look?
There was a problem hiding this comment.
Sure, tagged @hashicorp/vault-crypto
There was a problem hiding this comment.
woops somehow forgot we have our own resident Crypto expert! Thanks for jumping in @swenson !
| return h.Sum(nil) | ||
| } | ||
|
|
||
| func encryptPassword(rawPassword, salt []byte, iter, keyLen int) string { |
There was a problem hiding this comment.
This isn't encryption.
| func encryptPassword(rawPassword, salt []byte, iter, keyLen int) string { | |
| func hashPassword(rawPassword, salt []byte, iter, keyLen int) string { |
There was a problem hiding this comment.
Not to bikeshed, I'm fine with hash, but I had some un-submitted comments potentially suggesting crypt here as a name. IIRC, this format that's returned here is the Unix crypt format (man crypt), which is used for password hashing.
|
|
||
| func encodeB64(src []byte) (dst []byte) { | ||
| dst = make([]byte, base64.StdEncoding.EncodedLen(len(src))) | ||
| base64.StdEncoding.Encode(dst, src) |
There was a problem hiding this comment.
Out of curiosity, why not just return []byte(base64.StdEncoding.EncodeToString(dst, src))?
There was a problem hiding this comment.
oh, most of the source code in this file is copied over from here.
Not opposed to changing it, including handling the errors you mentioned below.
|
|
||
| func getHMACSum(key, msg []byte) []byte { | ||
| h := hmac.New(sha256.New, key) | ||
| _, _ = h.Write(msg) |
There was a problem hiding this comment.
HMAC and SHA-256 may error with BoringCrypto fwiw.
I believe this mostly occurs with large inputs, which this shouldn't really have in general, but still worth noting.
There was a problem hiding this comment.
Good to know. The docs for the functions in the Go standard library say they will "never" return an error.
There was a problem hiding this comment.
Yeah, the Go standard library doesn't really document the BoringCrypto behavior from what I've seen, especially since its not officially supported.
| @@ -77,7 +79,8 @@ func new() *PostgreSQL { | |||
| type PostgreSQL struct { | |||
| *connutil.SQLConnectionProducer | |||
|
|
|||
| usernameProducer template.StringTemplate | |||
| usernameProducer template.StringTemplate | |||
| PasswordEncryption passwordAuthentication | |||
There was a problem hiding this comment.
Not sure if this is used outside of this directory, but would be good to update this to PasswordAuthenticator as well.
Co-authored-by: Max Coulombe <109547106+maxcoulombe@users.noreply.github.com>
|
This PR addresses #6910 |
This PR introduces the ability to encrypt passwords in Vault before sending them to PostgreSQL. Doing so will prevent plaintext passwords from showing up in the PostgreSQL logs.
To enable scram-sha-256 password encryption, set
password_encryptionwhen writing the database configuration.$ vault write database/config/my-postgresql-database \ plugin_name="postgresql-database-plugin" \ allowed_roles="my-role" \ connection_url="postgresql://{{username}}:{{password}}@localhost:5432/database-name" \ username="vaultuser" \ password="vaultpass" \ password_authentication="scram-sha-256"It makes use of this library to perform the encryption.