MSSQL: Credential rotation does not work with Azure SQL Databases

[g-psantos]

Describe the bug
Rotation of root credentials for Azure SQL Databases (MSSQL) ceased working with the changes that were made in support of static roles (#9062) and v5 of the Vault database interface (#10128). When attempting to rotate the root credentials for a contained user account created to enable Vault to issue dynamic credentials, the following error occurs:

$ vault write -force database/rotate-root/conn-name
Error writing data to database/rotate-root/conn-name: Error making API request.

URL: PUT https://vault-server:8200/v1/database/rotate-root/conn-name
Code: 500. Errors:

* 1 error occurred:
        * failed to update user: mssql: Reference to database and/or server name in 'master.sys.server_principals' is not supported in this version of SQL Server.

To Reproduce

1. Create an Azure SQL Database for testing (e.g., mydb).
2. Create a contained user in your database, so that Vault can issue dynamic credentials to that database:

CREATE USER vault WITH PASSWORD = 'secretPassword2021!';

3. Add a database connection to Vault along these lines; note that the root_credentials_rotate_statements parameter is what previously enabled root credentials to be successfully rotated without attempting to call the master database:

Key                                   Value
---                                   -----
connection_details          map[connection_url:sqlserver://{{username}}:{{password}}@my-server-name.database.windows.net:1433?encrypt=true&TrustServerCertificate=false&database=mydb&app+name=vault username:vault]
plugin_name                    mssql-database-plugin
root_credentials_rotate_statements    [ALTER USER {{username}} WITH PASSWORD='{{password}}']

4. Attempt to rotate the root credentials: vault write -force database/rotate-root/conn-name
5. See error

Expected behavior
The root credentials were previously rotated without issue (confirmed working with Vault 1.4.7).

Environment:

• Vault Server Version (retrieve with vault status): 1.6.1
• Vault CLI Version (retrieve with vault version): 1.6.0
• Server Operating System/Architecture: CentOS 7.x

Vault server configuration file(s):
Likely irrelevant so not posted, but can post if need be.

Additional context
The problem appears to stem from the new implementation of updateUserPass(), which is now assuming that it's dealing with a SQL Server Login (in the server's master database) and doesn't account for the possibility of contained users, which are associated exclusively with each database.

[g-psantos]

@johnathanschmidt I'm considering starting a PR to address this issue.

It looks like the PostgreSQL plugin also checks whether a user exists before changing its password, but others (MySQL, Cassandra) don't have that check built in.

So, I would propose to delete the check from the MSSQL plugin. This will allow the custom rotation statements to be the only ones executed, and those can target contained users or server logins, as appropriate. If a server login or contained user do not exist, the operation will fail anyway.

Am I missing anything?