use password in favor of self_managed_password

hashicorp · Dec 9, 2024 · 63daa27 · 63daa27
1 parent 0f69018
commit 63daa27
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 8 deletions.
diff --git a/builtin/logical/database/backend_test.go b/builtin/logical/database/backend_test.go
@@ -421,7 +421,7 @@ func TestBackend_basic(t *testing.T) {
 	defer b.Cleanup(context.Background())
 
 	cleanup, connURL := postgreshelper.PrepareTestContainer(t)
-	defer cleanup()
+	t.Cleanup(cleanup)
 
 	// Configure a connection
 	data := map[string]interface{}{

diff --git a/builtin/logical/database/path_roles.go b/builtin/logical/database/path_roles.go
@@ -636,15 +636,33 @@ func (b *databaseBackend) pathStaticRoleCreateUpdate(ctx context.Context, req *l
 		}
 	}
 
-	if smPasswordRaw, ok := data.GetOk("self_managed_password"); ok && createRole {
-		role.StaticAccount.SelfManagedPassword = smPasswordRaw.(string)
-	}
-
 	dbConfig, err := b.DatabaseConfig(ctx, req.Storage, role.DBName)
 	if err != nil {
 		return nil, err
 	}
 
+	lastVaultRotation := role.StaticAccount.LastVaultRotation
+	if passwordRaw, ok := data.GetOk("password"); ok {
+		// We will allow users to update the password until the point where
+		// Vault assumes management of the account so that we don't break the
+		// promise of Vault being the source of truth.
+		updateAllowed := lastVaultRotation.IsZero() || lastVaultRotation.After(time.Now())
+		if updateAllowed {
+			role.StaticAccount.Password = passwordRaw.(string)
+			if dbConfig.ConnectionDetails["self_managed"].(bool) {
+				// continue to support the deprecated self_managed_password field
+				role.StaticAccount.SelfManagedPassword = passwordRaw.(string)
+			}
+		} else {
+			return logical.ErrorResponse("update not allowed after rotation", "role", name, "lastVaultRotation", lastVaultRotation), nil
+		}
+	}
+
+	if smPasswordRaw, ok := data.GetOk("self_managed_password"); ok && createRole {
+		role.StaticAccount.SelfManagedPassword = smPasswordRaw.(string)
+		role.StaticAccount.Password = smPasswordRaw.(string)
+	}
+
 	if skipImportRotationRaw, ok := data.GetOk("skip_import_rotation"); ok {
 		if !createRole {
 			response.AddWarning("skip_import_rotation has no effect on updates")
@@ -665,8 +683,6 @@ func (b *databaseBackend) pathStaticRoleCreateUpdate(ctx context.Context, req *l
 		return logical.ErrorResponse("credential_config validation failed: %s", err), nil
 	}
 
-	lastVaultRotation := role.StaticAccount.LastVaultRotation
-
 	// Only call setStaticAccount if we're creating the role for the
 	// first time
 	var item *queue.Item

diff --git a/builtin/logical/database/rotation_test.go b/builtin/logical/database/rotation_test.go
@@ -64,7 +64,7 @@ func TestBackend_StaticRole_Rotation_basic(t *testing.T) {
 	b.schedule = &TestSchedule{}
 
 	cleanup, connURL := postgreshelper.PrepareTestContainer(t)
-	defer cleanup()
+	t.Cleanup(cleanup)
 
 	// create the database user
 	createTestPGUser(t, connURL, dbUser, dbUserDefaultPassword, testRoleStaticCreate)