database/postgres: add inline certificate authentication fields (#28024)

* add inline cert auth to postres db plugin

* handle both sslinline and new TLS plugin fields

* refactor PrepareTestContainerWithSSL

* add tests for postgres inline TLS fields

* changelog

* revert back to errwrap since the middleware sanitizing depends on it

* enable only setting sslrootcert

Author: fairclothjm

builtin/logical/database/backend_test.go

@@ -345,6 +345,8 @@ func TestBackend_config_connection(t *testing.T) {
 	assert.Equal(t, "plugin-test", eventSender.Events[2].Event.Metadata.AsMap()["name"])
 }
 
+// TestBackend_BadConnectionString tests that an error response resulting from
+// a failed connection does not expose the URL. The middleware should sanitize it.
 func TestBackend_BadConnectionString(t *testing.T) {
 	cluster, sys := getClusterPostgresDB(t)
 	defer cluster.Cleanup()

changelog/28024.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+database/postgres: Add new fields to the plugin's config endpoint for client certificate authentication.
+```

helper/testhelpers/postgresql/postgresqlhelper.go

@@ -9,11 +9,13 @@ import (
 	"fmt"
 	"net/url"
 	"os"
+	"strconv"
 	"testing"
+	"time"
 
 	"github.com/hashicorp/vault/helper/testhelpers/certhelpers"
-	"github.com/hashicorp/vault/sdk/database/helper/connutil"
 	"github.com/hashicorp/vault/sdk/helper/docker"
+	"github.com/hashicorp/vault/sdk/helper/pluginutil"
 )
 
 const (
@@ -68,7 +70,13 @@ func PrepareTestContainerWithVaultUser(t *testing.T, ctx context.Context) (func(
 
 // PrepareTestContainerWithSSL will setup a test container with SSL enabled so
 // that we can test client certificate authentication.
-func PrepareTestContainerWithSSL(t *testing.T, ctx context.Context, sslMode string, useFallback bool) (func(), string) {
+func PrepareTestContainerWithSSL(
+	t *testing.T,
+	sslMode string,
+	caCert certhelpers.Certificate,
+	clientCert certhelpers.Certificate,
+	useFallback bool,
+) (func(), string) {
 	runOpts := defaultRunOpts(t)
 	runner, err := docker.NewServiceRunner(runOpts)
 	if err != nil {
@@ -82,21 +90,11 @@ func PrepareTestContainerWithSSL(t *testing.T, ctx context.Context, sslMode stri
 	}
 
 	// Create certificates for postgres authentication
-	caCert := certhelpers.NewCert(t,
-		certhelpers.CommonName("ca"),
-		certhelpers.IsCA(true),
-		certhelpers.SelfSign(),
-	)
 	serverCert := certhelpers.NewCert(t,
 		certhelpers.CommonName("server"),
 		certhelpers.DNS("localhost"),
 		certhelpers.Parent(caCert),
 	)
-	clientCert := certhelpers.NewCert(t,
-		certhelpers.CommonName("postgres"),
-		certhelpers.DNS("localhost"),
-		certhelpers.Parent(caCert),
-	)
 
 	bCtx := docker.NewBuildContext()
 	bCtx["ca.crt"] = docker.PathContentsFromBytes(caCert.CombinedPEM())
@@ -133,6 +131,9 @@ EOF
 		t.Fatalf("failed to copy to container: %v", err)
 	}
 
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
 	// overwrite the postgresql.conf config file with our ssl settings
 	mustRunCommand(t, ctx, runner, id,
 		[]string{"bash", "/var/lib/postgresql/pg-conf.sh"})
@@ -150,7 +151,7 @@ EOF
 		return svc.Cleanup, svc.Config.URL().String()
 	}
 
-	sslConfig, err := connectPostgresSSL(
+	sslConfig := getPostgresSSLConfig(
 		t,
 		svc.Config.URL().Host,
 		sslMode,
@@ -197,42 +198,40 @@ func prepareTestContainer(t *testing.T, runOpts docker.RunOptions, password stri
 	return runner, svc.Cleanup, svc.Config.URL().String(), containerID
 }
 
-// connectPostgresSSL is used to verify the connection of our test container
-// and construct the connection string that is used in tests.
-//
-// NOTE: The RawQuery component of the url sets the custom sslinline field and
-// inlines the certificate material in the sslrootcert, sslcert, and sslkey
-// fields. This feature will be removed in a future version of the SDK.
-func connectPostgresSSL(t *testing.T, host, sslMode, caCert, clientCert, clientKey string, useFallback bool) (docker.ServiceConfig, error) {
+func getPostgresSSLConfig(t *testing.T, host, sslMode, caCert, clientCert, clientKey string, useFallback bool) docker.ServiceConfig {
 	if useFallback {
 		// set the first host to a bad address so we can test the fallback logic
 		host = "localhost:55," + host
 	}
-	u := url.URL{
-		Scheme: "postgres",
-		User:   url.User("postgres"),
-		Host:   host,
-		Path:   "postgres",
-		RawQuery: url.Values{
-			"sslmode":     {sslMode},
-			"sslinline":   {"true"},
-			"sslrootcert": {caCert},
-			"sslcert":     {clientCert},
-			"sslkey":      {clientKey},
-		}.Encode(),
-	}
 
-	// TODO: remove this deprecated function call in a future SDK version
-	db, err := connutil.OpenPostgres("pgx", u.String())
-	if err != nil {
-		return nil, err
+	u := url.URL{}
+
+	if ok, _ := strconv.ParseBool(os.Getenv(pluginutil.PluginUsePostgresSSLInline)); ok {
+		// TODO: remove this when we remove the underlying feature in a future SDK version
+		u = url.URL{
+			Scheme: "postgres",
+			User:   url.User("postgres"),
+			Host:   host,
+			Path:   "postgres",
+			RawQuery: url.Values{
+				"sslmode":     {sslMode},
+				"sslinline":   {"true"},
+				"sslrootcert": {caCert},
+				"sslcert":     {clientCert},
+				"sslkey":      {clientKey},
+			}.Encode(),
+		}
+	} else {
+		u = url.URL{
+			Scheme:   "postgres",
+			User:     url.User("postgres"),
+			Host:     host,
+			Path:     "postgres",
+			RawQuery: url.Values{"sslmode": {sslMode}}.Encode(),
+		}
 	}
-	defer db.Close()
 
-	if err = db.Ping(); err != nil {
-		return nil, err
-	}
-	return docker.NewServiceURL(u), nil
+	return docker.NewServiceURL(u)
 }
 
 func connectPostgres(password, repo string, useFallback bool) docker.ServiceAdapter {

plugins/database/mysql/connection_producer.go

@@ -123,11 +123,8 @@ func (c *mySQLConnectionProducer) Init(ctx context.Context, conf map[string]inte
 	}
 
 	// validate auth_type if provided
-	authType := c.AuthType
-	if authType != "" {
-		if ok := connutil.ValidateAuthType(authType); !ok {
-			return nil, fmt.Errorf("invalid auth_type %s provided", authType)
-		}
+	if ok := connutil.ValidateAuthType(c.AuthType); !ok {
+		return nil, fmt.Errorf("invalid auth_type: %s", c.AuthType)
 	}
 
 	if c.AuthType == connutil.AuthTypeGCPIAM {

plugins/database/postgresql/postgresql.go

@@ -5,7 +5,11 @@ package postgresql
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"database/sql"
+	"encoding/pem"
+	"errors"
 	"fmt"
 	"regexp"
 	"strings"
@@ -79,11 +83,65 @@ func new() *PostgreSQL {
 type PostgreSQL struct {
 	*connutil.SQLConnectionProducer
 
+	TLSCertificateData []byte `json:"tls_certificate" structs:"-" mapstructure:"tls_certificate"`
+	TLSPrivateKey      []byte `json:"tls_private_key" structs:"-" mapstructure:"tls_private_key"`
+	TLSCAData          []byte `json:"tls_ca" structs:"-" mapstructure:"tls_ca"`
+
 	usernameProducer       template.StringTemplate
 	passwordAuthentication passwordAuthentication
 }
 
 func (p *PostgreSQL) Initialize(ctx context.Context, req dbplugin.InitializeRequest) (dbplugin.InitializeResponse, error) {
+	sslcert, err := strutil.GetString(req.Config, "tls_certificate")
+	if err != nil {
+		return dbplugin.InitializeResponse{}, fmt.Errorf("failed to retrieve tls_certificate: %w", err)
+	}
+
+	sslkey, err := strutil.GetString(req.Config, "tls_private_key")
+	if err != nil {
+		return dbplugin.InitializeResponse{}, fmt.Errorf("failed to retrieve tls_private_key: %w", err)
+	}
+
+	sslrootcert, err := strutil.GetString(req.Config, "tls_ca")
+	if err != nil {
+		return dbplugin.InitializeResponse{}, fmt.Errorf("failed to retrieve tls_ca: %w", err)
+	}
+
+	useTLS := false
+	tlsConfig := &tls.Config{}
+	if sslrootcert != "" {
+		caCertPool := x509.NewCertPool()
+		if !caCertPool.AppendCertsFromPEM([]byte(sslrootcert)) {
+			return dbplugin.InitializeResponse{}, errors.New("unable to add CA to cert pool")
+		}
+
+		tlsConfig.RootCAs = caCertPool
+		tlsConfig.ClientCAs = caCertPool
+		p.TLSConfig = tlsConfig
+		useTLS = true
+	}
+
+	if (sslcert != "" && sslkey == "") || (sslcert == "" && sslkey != "") {
+		return dbplugin.InitializeResponse{}, errors.New(`both "sslcert" and "sslkey" are required`)
+	}
+
+	if sslcert != "" && sslkey != "" {
+		block, _ := pem.Decode([]byte(sslkey))
+
+		cert, err := tls.X509KeyPair([]byte(sslcert), pem.EncodeToMemory(block))
+		if err != nil {
+			return dbplugin.InitializeResponse{}, fmt.Errorf("unable to load cert: %w", err)
+		}
+		tlsConfig.Certificates = []tls.Certificate{cert}
+		p.TLSConfig = tlsConfig
+		useTLS = true
+	}
+
+	if !useTLS {
+		// set to nil to flag that this connection does not use a custom TLS config
+		p.TLSConfig = nil
+	}
+
 	newConf, err := p.SQLConnectionProducer.Init(ctx, req.Config, req.VerifyConnection)
 	if err != nil {
 		return dbplugin.InitializeResponse{}, err