Remove pinned builtin plugin versions from storage (#18051) (#18102)

* Removes _builtin_ versions from mount storage where it already exists * Stops new builtin versions being put into storage on mount creation/tuning * Stops the plugin catalog from returning a builtin plugin that has been overridden, so it more accurately reflects the plugins that are available to actually run Conflicts: vault/mount.go Co-authored-by: Tom Proctor <[email protected]>
hashicorp · Nov 23, 2022 · 3cc6b6a · 3cc6b6a
1 parent f8786e5
commit 3cc6b6a
Show file tree

Hide file tree

Showing 16 changed files with 518 additions and 28 deletions.
diff --git a/builtin/logical/database/backend_test.go b/builtin/logical/database/backend_test.go
@@ -13,7 +13,9 @@ import (
 	"time"
 
 	"github.com/go-test/deep"
+	"github.com/hashicorp/go-hclog"
 	mongodbatlas "github.com/hashicorp/vault-plugin-database-mongodbatlas"
+	"github.com/hashicorp/vault/helper/builtinplugins"
 	"github.com/hashicorp/vault/helper/namespace"
 	postgreshelper "github.com/hashicorp/vault/helper/testhelpers/postgresql"
 	vaulthttp "github.com/hashicorp/vault/http"
@@ -36,6 +38,7 @@ func getCluster(t *testing.T) (*vault.TestCluster, logical.SystemView) {
 		LogicalBackends: map[string]logical.Factory{
 			"database": Factory,
 		},
+		BuiltinRegistry: builtinplugins.Registry,
 	}
 
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
@@ -1550,6 +1553,15 @@ func TestBackend_AsyncClose(t *testing.T) {
 	}
 }
 
+func TestNewDatabaseWrapper_IgnoresBuiltinVersion(t *testing.T) {
+	cluster, sys := getCluster(t)
+	t.Cleanup(cluster.Cleanup)
+	_, err := newDatabaseWrapper(context.Background(), "hana-database-plugin", "v1.0.0+builtin", sys, hclog.Default())
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
 func testCredsExist(t *testing.T, resp *logical.Response, connURL string) bool {
 	t.Helper()
 	var d struct {

diff --git a/builtin/logical/database/path_config_connection.go b/builtin/logical/database/path_config_connection.go
@@ -11,6 +11,7 @@ import (
 	"github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/go-version"
 
+	"github.com/hashicorp/vault/helper/versions"
 	v5 "github.com/hashicorp/vault/sdk/database/dbplugin/v5"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/consts"
@@ -228,6 +229,12 @@ func (b *databaseBackend) connectionReadHandler() framework.OperationFunc {
 			}
 		}
 
+		if versions.IsBuiltinVersion(config.PluginVersion) {
+			// This gets treated as though it's empty when mounting, and will get
+			// overwritten to be empty when the config is next written. See #18051.
+			config.PluginVersion = ""
+		}
+
 		delete(config.ConnectionDetails, "password")
 		delete(config.ConnectionDetails, "private_key")
 
@@ -295,7 +302,10 @@ func (b *databaseBackend) connectionWriteHandler() framework.OperationFunc {
 			config.PluginVersion = pluginVersionRaw.(string)
 		}
 
-		unversionedPlugin, err := b.System().LookupPlugin(ctx, config.PluginName, consts.PluginTypeDatabase)
+		var builtinShadowed bool
+		if unversionedPlugin, err := b.System().LookupPlugin(ctx, config.PluginName, consts.PluginTypeDatabase); err == nil && !unversionedPlugin.Builtin {
+			builtinShadowed = true
+		}
 		switch {
 		case config.PluginVersion != "":
 			semanticVersion, err := version.NewVersion(config.PluginVersion)
@@ -305,7 +315,16 @@ func (b *databaseBackend) connectionWriteHandler() framework.OperationFunc {
 
 			// Canonicalize the version.
 			config.PluginVersion = "v" + semanticVersion.String()
-		case err == nil && !unversionedPlugin.Builtin:
+
+			if config.PluginVersion == versions.GetBuiltinVersion(consts.PluginTypeDatabase, config.PluginName) {
+				if builtinShadowed {
+					return logical.ErrorResponse("database plugin %q, version %s not found, as it is"+
+						" overridden by an unversioned plugin of the same name. Omit `plugin_version` to use the unversioned plugin", config.PluginName, config.PluginVersion), nil
+				}
+
+				config.PluginVersion = ""
+			}
+		case builtinShadowed:
 			// We'll select the unversioned plugin that's been registered.
 		case req.Operation == logical.CreateOperation:
 			// No version provided and no unversioned plugin of that name available.
@@ -407,6 +426,11 @@ func (b *databaseBackend) connectionWriteHandler() framework.OperationFunc {
 			oldConn.Close()
 		}
 
+		// 1.12.0 and 1.12.1 stored builtin plugins in storage, but 1.12.2 reverted
+		// that, so clean up any pre-existing stored builtin versions on write.
+		if versions.IsBuiltinVersion(config.PluginVersion) {
+			config.PluginVersion = ""
+		}
 		err = storeConfig(ctx, req.Storage, name, config)
 		if err != nil {
 			return nil, err

diff --git a/builtin/logical/database/path_config_connection_test.go b/builtin/logical/database/path_config_connection_test.go
@@ -0,0 +1,166 @@
+package database
+
+import (
+	"context"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/helper/versions"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/logical"
+)
+
+func TestWriteConfig_PluginVersionInStorage(t *testing.T) {
+	cluster, sys := getCluster(t)
+	t.Cleanup(cluster.Cleanup)
+
+	config := logical.TestBackendConfig()
+	config.StorageView = &logical.InmemStorage{}
+	config.System = sys
+
+	b, err := Factory(context.Background(), config)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer b.Cleanup(context.Background())
+
+	const hdb = "hana-database-plugin"
+	hdbBuiltin := versions.GetBuiltinVersion(consts.PluginTypeDatabase, hdb)
+
+	// Configure a connection
+	writePluginVersion := func() {
+		t.Helper()
+		req := &logical.Request{
+			Operation: logical.UpdateOperation,
+			Path:      "config/plugin-test",
+			Storage:   config.StorageView,
+			Data: map[string]interface{}{
+				"connection_url":    "test",
+				"plugin_name":       hdb,
+				"plugin_version":    hdbBuiltin,
+				"verify_connection": false,
+			},
+		}
+		resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil || (resp != nil && resp.IsError()) {
+			t.Fatalf("err:%s resp:%#v\n", err, resp)
+		}
+	}
+	writePluginVersion()
+
+	getPluginVersionFromAPI := func() string {
+		t.Helper()
+		req := &logical.Request{
+			Operation: logical.ReadOperation,
+			Path:      "config/plugin-test",
+			Storage:   config.StorageView,
+		}
+
+		resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil || (resp != nil && resp.IsError()) {
+			t.Fatalf("err:%s resp:%#v\n", err, resp)
+		}
+
+		return resp.Data["plugin_version"].(string)
+	}
+	pluginVersion := getPluginVersionFromAPI()
+	if pluginVersion != "" {
+		t.Fatalf("expected plugin_version empty but got %s", pluginVersion)
+	}
+
+	// Directly store config to get the builtin plugin version into storage,
+	// simulating a write that happened before upgrading to 1.12.2+
+	err = storeConfig(context.Background(), config.StorageView, "plugin-test", &DatabaseConfig{
+		PluginName:    hdb,
+		PluginVersion: hdbBuiltin,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Now replay the read request, and we still shouldn't get the builtin version back.
+	pluginVersion = getPluginVersionFromAPI()
+	if pluginVersion != "" {
+		t.Fatalf("expected plugin_version empty but got %s", pluginVersion)
+	}
+
+	// Check the underlying data, which should still have the version in storage.
+	getPluginVersionFromStorage := func() string {
+		t.Helper()
+		entry, err := config.StorageView.Get(context.Background(), "config/plugin-test")
+		if err != nil {
+			t.Fatal(err)
+		}
+		if entry == nil {
+			t.Fatal()
+		}
+
+		var config DatabaseConfig
+		if err := entry.DecodeJSON(&config); err != nil {
+			t.Fatal(err)
+		}
+		return config.PluginVersion
+	}
+
+	storagePluginVersion := getPluginVersionFromStorage()
+	if storagePluginVersion != hdbBuiltin {
+		t.Fatalf("Expected %s, got: %s", hdbBuiltin, storagePluginVersion)
+	}
+
+	// Trigger a write to storage, which should clean up plugin version in the storage entry.
+	writePluginVersion()
+
+	storagePluginVersion = getPluginVersionFromStorage()
+	if storagePluginVersion != "" {
+		t.Fatalf("Expected empty, got: %s", storagePluginVersion)
+	}
+
+	// Finally, confirm API requests still return empty plugin version too
+	pluginVersion = getPluginVersionFromAPI()
+	if pluginVersion != "" {
+		t.Fatalf("expected plugin_version empty but got %s", pluginVersion)
+	}
+}
+
+func TestWriteConfig_HelpfulErrorMessageWhenBuiltinOverridden(t *testing.T) {
+	cluster, sys := getCluster(t)
+	t.Cleanup(cluster.Cleanup)
+
+	config := logical.TestBackendConfig()
+	config.StorageView = &logical.InmemStorage{}
+	config.System = sys
+
+	b, err := Factory(context.Background(), config)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer b.Cleanup(context.Background())
+
+	const pg = "postgresql-database-plugin"
+	pgBuiltin := versions.GetBuiltinVersion(consts.PluginTypeDatabase, pg)
+
+	// Configure a connection
+	data := map[string]interface{}{
+		"connection_url":    "test",
+		"plugin_name":       pg,
+		"plugin_version":    pgBuiltin,
+		"verify_connection": false,
+	}
+	req := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "config/plugin-test",
+		Storage:   config.StorageView,
+		Data:      data,
+	}
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil || !resp.IsError() {
+		t.Fatalf("resp:%#v", resp)
+	}
+	if !strings.Contains(resp.Error().Error(), "overridden by an unversioned plugin") {
+		t.Fatalf("expected overridden error but got: %s", resp.Error())
+	}
+}
diff --git a/builtin/logical/database/path_rotate_credentials.go b/builtin/logical/database/path_rotate_credentials.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/hashicorp/vault/helper/versions"
 	v5 "github.com/hashicorp/vault/sdk/database/dbplugin/v5"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/logical"
@@ -137,6 +138,11 @@ func (b *databaseBackend) pathRotateRootCredentialsUpdate() framework.OperationF
 			config.ConnectionDetails = newConfigDetails
 		}
 
+		// 1.12.0 and 1.12.1 stored builtin plugins in storage, but 1.12.2 reverted
+		// that, so clean up any pre-existing stored builtin versions on write.
+		if versions.IsBuiltinVersion(config.PluginVersion) {
+			config.PluginVersion = ""
+		}
 		err = storeConfig(ctx, req.Storage, name, config)
 		if err != nil {
 			return nil, err

diff --git a/builtin/logical/database/version_wrapper.go b/builtin/logical/database/version_wrapper.go
@@ -6,6 +6,7 @@ import (
 
 	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/vault/helper/versions"
 	v4 "github.com/hashicorp/vault/sdk/database/dbplugin"
 	v5 "github.com/hashicorp/vault/sdk/database/dbplugin/v5"
 	"github.com/hashicorp/vault/sdk/helper/pluginutil"
@@ -22,8 +23,15 @@ type databaseVersionWrapper struct {
 var _ logical.PluginVersioner = databaseVersionWrapper{}
 
 // newDatabaseWrapper figures out which version of the database the pluginName is referring to and returns a wrapper object
-// that can be used to make operations on the underlying database plugin.
+// that can be used to make operations on the underlying database plugin. If a builtin pluginVersion is provided, it will
+// be ignored.
 func newDatabaseWrapper(ctx context.Context, pluginName string, pluginVersion string, sys pluginutil.LookRunnerUtil, logger log.Logger) (dbw databaseVersionWrapper, err error) {
+	// 1.12.0 and 1.12.1 stored plugin version in the config, but that stored
+	// builtin version may disappear from the plugin catalog when Vault is
+	// upgraded, so always reference builtin plugins by an empty version.
+	if versions.IsBuiltinVersion(pluginVersion) {
+		pluginVersion = ""
+	}
 	newDB, err := v5.PluginFactoryVersion(ctx, pluginName, pluginVersion, sys, logger)
 	if err == nil {
 		dbw = databaseVersionWrapper{

diff --git a/changelog/18051.txt b/changelog/18051.txt
@@ -0,0 +1,6 @@
+```release-note:change
+plugins: Mounts can no longer be pinned to a specific _builtin_ version. Mounts previously pinned to a specific builtin version will now automatically upgrade to the latest builtin version, and may now be overridden if an unversioned plugin of the same name and type is registered. Mounts using plugin versions without `builtin` in their metadata remain unaffected.
+```
+```release-note:bug
+plugins: Vault upgrades will no longer fail if a mount has been created using an explicit builtin plugin version.
+```
diff --git a/helper/versions/version.go b/helper/versions/version.go
@@ -6,14 +6,19 @@ import (
 	"strings"
 	"sync"
 
+	semver "github.com/hashicorp/go-version"
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/version"
 )
 
+const (
+	BuiltinMetadata = "builtin"
+)
+
 var (
 	buildInfoOnce         sync.Once // once is used to ensure we only parse build info once.
 	buildInfo             *debug.BuildInfo
-	DefaultBuiltinVersion = "v" + version.GetVersion().Version + "+builtin.vault"
+	DefaultBuiltinVersion = fmt.Sprintf("v%s+%s.vault", version.GetVersion().Version, BuiltinMetadata)
 )
 
 func GetBuiltinVersion(pluginType consts.PluginType, pluginName string) string {
@@ -46,9 +51,28 @@ func GetBuiltinVersion(pluginType consts.PluginType, pluginName string) string {
 
 	for _, dep := range buildInfo.Deps {
 		if dep.Path == pluginModulePath {
-			return dep.Version + "+builtin"
+			return dep.Version + "+" + BuiltinMetadata
 		}
 	}
 
 	return DefaultBuiltinVersion
 }
+
+// IsBuiltinVersion checks for the "builtin" metadata identifier in a plugin's
+// semantic version. Vault rejects any plugin registration requests with this
+// identifier, so we can be certain it's a builtin plugin if it's present.
+func IsBuiltinVersion(v string) bool {
+	semanticVersion, err := semver.NewSemver(v)
+	if err != nil {
+		return false
+	}
+
+	metadataIdentifiers := strings.Split(semanticVersion.Metadata(), ".")
+	for _, identifier := range metadataIdentifiers {
+		if identifier == BuiltinMetadata {
+			return true
+		}
+	}
+
+	return false
+}
diff --git a/helper/versions/version_test.go b/helper/versions/version_test.go
@@ -0,0 +1,23 @@
+package versions
+
+import "testing"
+
+func TestIsBuiltinVersion(t *testing.T) {
+	for _, tc := range []struct {
+		version string
+		builtin bool
+	}{
+		{"v1.0.0+builtin", true},
+		{"v2.3.4+builtin.vault", true},
+		{"1.0.0+builtin.anythingelse", true},
+		{"v1.0.0+other.builtin", true},
+		{"v1.0.0+builtinbutnot", false},
+		{"v1.0.0", false},
+		{"not-a-semver", false},
+	} {
+		builtin := IsBuiltinVersion(tc.version)
+		if builtin != tc.builtin {
+			t.Fatalf("%s should give: %v, but got %v", tc.version, tc.builtin, builtin)
+		}
+	}
+}