github.com/hashicorp/vault/sdk@v0.13.0/database/dbplugin/v5/database.go (about) 1 // Copyright (c) HashiCorp, Inc. 2 // SPDX-License-Identifier: MPL-2.0 3 4 package dbplugin 5 6 import ( 7 "context" 8 "time" 9 ) 10 11 // Database to manipulate users within an external system (typically a database). 12 type Database interface { 13 // Initialize the database plugin. This is the equivalent of a constructor for the 14 // database object itself. 15 Initialize(ctx context.Context, req InitializeRequest) (InitializeResponse, error) 16 17 // NewUser creates a new user within the database. This user is temporary in that it 18 // will exist until the TTL expires. 19 NewUser(ctx context.Context, req NewUserRequest) (NewUserResponse, error) 20 21 // UpdateUser updates an existing user within the database. 22 UpdateUser(ctx context.Context, req UpdateUserRequest) (UpdateUserResponse, error) 23 24 // DeleteUser from the database. This should not error if the user didn't 25 // exist prior to this call. 26 DeleteUser(ctx context.Context, req DeleteUserRequest) (DeleteUserResponse, error) 27 28 // Type returns the Name for the particular database backend implementation. 29 // This type name is usually set as a constant within the database backend 30 // implementation, e.g. "mysql" for the MySQL database backend. This is used 31 // for things like metrics and logging. No behavior is switched on this. 32 Type() (string, error) 33 34 // Close attempts to close the underlying database connection that was 35 // established by the backend. 36 Close() error 37 } 38 39 // /////////////////////////////////////////////////////////////////////////// 40 // Database Request & Response Objects 41 // These request and response objects are *not* protobuf types because gRPC does not 42 // support all types that we need in a nice way. For instance, gRPC does not support 43 // map[string]interface{}. It does have an `Any` type, but converting it to a map 44 // requires extensive use of reflection and knowing what types to support ahead of 45 // time. Instead these types are made as user-friendly as possible so the conversion 46 // between protobuf types and request/response objects is handled by Vault developers 47 // rather than needing to be handled by external plugin developers. 48 // /////////////////////////////////////////////////////////////////////////// 49 50 // /////////////////////////////////////////////////////// 51 // Initialize() 52 // /////////////////////////////////////////////////////// 53 54 // InitializeRequest contains all information needed to initialize a database plugin. 55 type InitializeRequest struct { 56 // Config to initialize the database with. This can include things like connection details, 57 // a "root" username & password, etc. This will not include all configuration items specified 58 // when configuring the database. Some values will be stripped out by the database engine 59 // prior to being passed to the plugin. 60 Config map[string]interface{} 61 62 // VerifyConnection during initialization. If true, a connection should be made to the 63 // database to verify the connection can be made. If false, no connection should be made 64 // on initialization. 65 VerifyConnection bool 66 } 67 68 // InitializeResponse returns any information Vault needs to know after initializing 69 // a database plugin. 70 type InitializeResponse struct { 71 // Config that should be saved in Vault. This may differ from the config in the request, 72 // but should contain everything required to Initialize the database. 73 // REQUIRED in order to save the configuration into Vault after initialization 74 Config map[string]interface{} 75 } 76 77 // SupportedCredentialTypesKey is used to get and set the supported 78 // CredentialType values in database plugins and Vault. 79 const SupportedCredentialTypesKey = "supported_credential_types" 80 81 // SetSupportedCredentialTypes sets the CredentialType values that are 82 // supported by the database plugin. It can be used by database plugins 83 // to communicate what CredentialType values it supports managing. 84 func (ir InitializeResponse) SetSupportedCredentialTypes(credTypes []CredentialType) { 85 sct := make([]interface{}, 0, len(credTypes)) 86 for _, t := range credTypes { 87 sct = append(sct, t.String()) 88 } 89 90 ir.Config[SupportedCredentialTypesKey] = sct 91 } 92 93 // /////////////////////////////////////////////////////// 94 // NewUser() 95 // /////////////////////////////////////////////////////// 96 97 // NewUserRequest request a new user is created 98 type NewUserRequest struct { 99 // UsernameConfig is metadata that can be used to generate a username 100 // within the database plugin 101 UsernameConfig UsernameMetadata 102 103 // Statements is an ordered list of commands to run within the database when 104 // creating a new user. This frequently includes permissions to give the 105 // user or similar actions. 106 Statements Statements 107 108 // RollbackStatements is an ordered list of commands to run within the database 109 // if the new user creation process fails. 110 RollbackStatements Statements 111 112 // CredentialType is the type of credential to use when creating a user. 113 // Respective fields for the credential type will contain the credential 114 // value that was generated by Vault. 115 CredentialType CredentialType 116 117 // Password credential to use when creating the user. 118 // Value is set when the credential type is CredentialTypePassword. 119 Password string 120 121 // PublicKey credential to use when creating the user. 122 // The value is a PKIX marshaled, PEM encoded public key. 123 // The value is set when the credential type is CredentialTypeRSAPrivateKey. 124 PublicKey []byte 125 126 // Subject is the distinguished name for the client certificate credential. 127 // Value is set when the credential type is CredentialTypeClientCertificate. 128 Subject string 129 130 // Expiration of the user. Not all database plugins will support this. 131 Expiration time.Time 132 } 133 134 // UsernameMetadata is metadata the database plugin can use to generate a username 135 type UsernameMetadata struct { 136 DisplayName string 137 RoleName string 138 } 139 140 // NewUserResponse returns any information Vault needs to know after creating a new user. 141 type NewUserResponse struct { 142 // Username of the user created within the database. 143 // REQUIRED so Vault knows the name of the user that was created 144 Username string 145 } 146 147 //go:generate enumer -type=CredentialType -trimprefix=CredentialType -transform=snake 148 149 // CredentialType is a type of database credential. 150 type CredentialType int 151 152 const ( 153 CredentialTypePassword CredentialType = iota 154 CredentialTypeRSAPrivateKey 155 CredentialTypeClientCertificate 156 ) 157 158 // /////////////////////////////////////////////////////// 159 // UpdateUser() 160 // /////////////////////////////////////////////////////// 161 162 type UpdateUserRequest struct { 163 // Username to make changes to. 164 Username string 165 166 // CredentialType is the type of credential to use when updating a user. 167 // Respective fields for the credential type will contain the credential 168 // value that was generated by Vault. 169 CredentialType CredentialType 170 171 // Password indicates the new password to change to. 172 // The value is set when the credential type is CredentialTypePassword. 173 // If nil, no change is requested. 174 Password *ChangePassword 175 176 // PublicKey indicates the new public key to change to. 177 // The value is set when the credential type is CredentialTypeRSAPrivateKey. 178 // If nil, no change is requested. 179 PublicKey *ChangePublicKey 180 181 // Expiration indicates the new expiration date to change to. 182 // If nil, no change is requested. 183 Expiration *ChangeExpiration 184 } 185 186 // ChangePublicKey of a given user 187 type ChangePublicKey struct { 188 // NewPublicKey is the new public key credential for the user. 189 // The value is a PKIX marshaled, PEM encoded public key. 190 NewPublicKey []byte 191 192 // Statements is an ordered list of commands to run within the database 193 // when changing the user's public key credential. 194 Statements Statements 195 } 196 197 // ChangePassword of a given user 198 type ChangePassword struct { 199 // NewPassword for the user 200 NewPassword string 201 202 // Statements is an ordered list of commands to run within the database 203 // when changing the user's password. 204 Statements Statements 205 } 206 207 // ChangeExpiration of a given user 208 type ChangeExpiration struct { 209 // NewExpiration of the user 210 NewExpiration time.Time 211 212 // Statements is an ordered list of commands to run within the database 213 // when changing the user's expiration. 214 Statements Statements 215 } 216 217 type UpdateUserResponse struct{} 218 219 // /////////////////////////////////////////////////////// 220 // DeleteUser() 221 // /////////////////////////////////////////////////////// 222 223 type DeleteUserRequest struct { 224 // Username to delete from the database 225 Username string 226 227 // Statements is an ordered list of commands to run within the database 228 // when deleting a user. 229 Statements Statements 230 } 231 232 type DeleteUserResponse struct{} 233 234 // /////////////////////////////////////////////////////// 235 // Used across multiple functions 236 // /////////////////////////////////////////////////////// 237 238 // Statements wraps a collection of statements to run in a database when an 239 // operation is performed (create, update, etc.). This is a struct rather than 240 // a string slice so we can easily add more information to this in the future. 241 type Statements struct { 242 // Commands is an ordered list of commands to execute in the database. 243 // These commands may include templated fields such as {{username}} and {{password}} 244 Commands []string 245 }