Support authentication via HashiCorp Vault

Author: issacg

pgjdbc/pom.xml

@@ -10,7 +10,7 @@
   <artifactId>postgresql</artifactId>
   <packaging>bundle</packaging>
   <name>PostgreSQL JDBC Driver - JDBC 4.2</name>
-  <version>42.1.2-SNAPSHOT</version>
+  <version>42.1.2-VAULT</version>
   <description>Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database</description>
   <url>https://github.com/pgjdbc/pgjdbc</url>
 
@@ -35,7 +35,13 @@
     <skip.assembly>false</skip.assembly>
     <checkstyle.version>7.4</checkstyle.version>
   </properties>
-
+<dependencies>
+<dependency>
+    <groupId>com.bettercloud</groupId>
+    <artifactId>vault-java-driver</artifactId>
+    <version>3.0.0-SNAPSHOT</version>
+</dependency>
+</dependencies>
   <profiles>
     <profile>
       <id>translate</id>

pgjdbc/src/main/java/org/postgresql/Driver.java

@@ -14,6 +14,8 @@
 import org.postgresql.util.PSQLState;
 import org.postgresql.util.SharedTimer;
 import org.postgresql.util.WriterHandler;
+import org.postgresql.util.VaultLookup;
+import org.postgresql.util.VaultRenewalTaskScheduler;
 
 import java.io.IOException;
 import java.io.InputStream;
@@ -190,7 +192,7 @@ private Properties loadDefaultProperties() throws IOException {
    * Our protocol takes the forms:
    *
    * <PRE>
-   *  jdbc:postgresql://host:port/database?param1=val1&amp;...
+   *  jdbc:postgresqlvault://host:port/database?param1=val1&amp;...
    * </PRE>
    *
    * @param url the URL of the database to connect to
@@ -202,8 +204,9 @@ private Properties loadDefaultProperties() throws IOException {
   public java.sql.Connection connect(String url, Properties info) throws SQLException {
     // get defaults
     Properties defaults;
+    Connection conn;
 
-    if (!url.startsWith("jdbc:postgresql:")) {
+    if (!url.startsWith("jdbc:postgresqlvault:")) {
       return null;
     }
     try {
@@ -234,10 +237,28 @@ public java.sql.Connection connect(String url, Properties info) throws SQLExcept
       return null;
     }
     try {
+      final VaultLookup vault;
       // Setup java.util.logging.Logger using connection properties.
       setupLoggerFromProperties(props);
+      
+      if (props.getProperty("vaultHost") != null) {
+        LOGGER.log(Level.INFO, "Attempting to authenticate with Vault server at {0}", props.getProperty("vaultHost"));
+        try {
+          vault = new VaultLookup(props.getProperty("vaultHost"), props.getProperty("vaultAuthPath", "userpass"), props.getProperty("vaultDBPath", "database/creds/default"), props.getProperty("user"), props.getProperty("password"));
+          props.setProperty("user", vault.getUser());
+          props.setProperty("password", vault.getPass());
+        } catch (Exception e) {
+          LOGGER.log(Level.SEVERE, "Vault exception: {0}", e.getMessage());
+          return null;
+        }
+      } else {
+        // Otherwise the Java compiler won't realize the if block above is identical
+        // to the guard before creating the renewal task, and think the variable isn't
+        // initialized
+        vault = null; 
+      }
 
-      LOGGER.log(Level.FINE, "Connecting with URL: {0}", url);
+      LOGGER.log(Level.INFO, "Connecting with URL: {0}", url);
 
       // Enforce login timeout, if specified, by running the connection
       // attempt in a separate thread. If we hit the timeout without the
@@ -249,14 +270,18 @@ public java.sql.Connection connect(String url, Properties info) throws SQLExcept
       // more details.
       long timeout = timeout(props);
       if (timeout <= 0) {
-        return makeConnection(url, props);
+        conn = makeConnection(url, props);
+      } else {
+        ConnectThread ct = new ConnectThread(url, props);
+        Thread thread = new Thread(ct, "PostgreSQL JDBC driver connection thread");
+        thread.setDaemon(true); // Don't prevent the VM from shutting down
+        thread.start();
+        conn = ct.getResult(timeout);
       }
-
-      ConnectThread ct = new ConnectThread(url, props);
-      Thread thread = new Thread(ct, "PostgreSQL JDBC driver connection thread");
-      thread.setDaemon(true); // Don't prevent the VM from shutting down
-      thread.start();
-      return ct.getResult(timeout);
+      if (props.getProperty("vaultHost") != null) {
+        final VaultRenewalTaskScheduler renewalThread = new VaultRenewalTaskScheduler((PgConnection)conn, vault.getRenewalConfig());
+      }
+      return conn;
     } catch (PSQLException ex1) {
       LOGGER.log(Level.SEVERE, "Connection error: ", ex1);
       // re-throw the exception, otherwise it will be caught next, and a
@@ -453,7 +478,7 @@ private static Connection makeConnection(String url, Properties props) throws SQ
   /**
    * Returns true if the driver thinks it can open a connection to the given URL. Typically, drivers
    * will return true if they understand the subprotocol specified in the URL and false if they
-   * don't. Our protocols start with jdbc:postgresql:
+   * don't. Our protocols start with jdbc:postgresqlvault:
    *
    * @param url the URL of the driver
    * @return true if this driver accepts the given URL
@@ -534,10 +559,10 @@ public static Properties parseURL(String url, Properties defaults) {
       l_urlArgs = url.substring(l_qPos + 1);
     }
 
-    if (!l_urlServer.startsWith("jdbc:postgresql:")) {
+    if (!l_urlServer.startsWith("jdbc:postgresqlvault:")) {
       return null;
     }
-    l_urlServer = l_urlServer.substring("jdbc:postgresql:".length());
+    l_urlServer = l_urlServer.substring("jdbc:postgresqlvault:".length());
 
     if (l_urlServer.startsWith("//")) {
       l_urlServer = l_urlServer.substring(2);

pgjdbc/src/main/java/org/postgresql/ds/common/BaseDataSource.java

@@ -1048,7 +1048,7 @@ public void setLoggerFile(String loggerFile) {
    */
   public String getUrl() {
     StringBuilder url = new StringBuilder(100);
-    url.append("jdbc:postgresql://");
+    url.append("jdbc:postgresqlvault://");
     url.append(serverName);
     if (portNumber != 0) {
       url.append(":").append(portNumber);

pgjdbc/src/main/java/org/postgresql/util/PGJDBCMain.java

@@ -18,7 +18,7 @@ public static void main(String[] args) {
     System.out.printf("The PgJDBC driver is not an executable Java program.%n%n"
                        + "You must install it according to the JDBC driver installation "
                        + "instructions for your application / container / appserver, "
-                       + "then use it by specifying a JDBC URL of the form %n    jdbc:postgresql://%n"
+                       + "then use it by specifying a JDBC URL of the form %n    jdbc:postgresqlvault://%n"
                        + "or using an application specific method.%n%n"
                        + "See the PgJDBC documentation: http://jdbc.postgresql.org/documentation/head/index.html%n%n"
                        + "This command has had no effect.%n");

pgjdbc/src/main/java/org/postgresql/util/VaultLookup.java

@@ -0,0 +1,63 @@
+package org.postgresql.util;
+
+import java.util.Map;
+import java.util.HashMap;
+import com.bettercloud.vault.Vault;
+import com.bettercloud.vault.VaultConfig;
+import com.bettercloud.vault.VaultException;
+import com.bettercloud.vault.response.LogicalResponse;
+
+
+public class VaultLookup {
+    private final String user;
+    private final String pass;
+    private final RenewalConfig renewConfig;
+    
+    public static final class RenewalConfig {
+        public final VaultConfig vltConfig;
+        public final String leaseId;
+        public final Number initialTTL;
+        
+        private RenewalConfig (VaultConfig vltConfig, String leaseId, Number initialTTL) {
+            this.vltConfig = vltConfig;
+            this.leaseId = leaseId;
+            this.initialTTL = initialTTL;
+        }
+    }
+    
+    public VaultLookup(String VaultAddr, String VaultAuthPath, String VaultDBPath, String VaultUser, String VaultPass) throws VaultException {
+        final VaultConfig vltConfig = new VaultConfig(VaultAddr);
+        final Vault vault = new Vault(vltConfig);
+        Number ttl = 1;
+        String token;
+    
+        token = vault.auth().loginByUserPass(VaultAuthPath, VaultUser, VaultPass).getAuthClientToken();
+        vltConfig.token(token);
+        try {
+            final LogicalResponse res = vault.logical().read(VaultDBPath);
+            user = res.getData().get("username");
+            pass = res.getData().get("password");
+            ttl = res.getLeaseDuration();
+            renewConfig = new RenewalConfig(vltConfig, res.getLeaseId(), ttl);
+        } finally {
+            // Don't logout immediately, as it would revoke the DB credentials before we login.
+            // Instead logout after the db creds expire (or in 1 second if we didn't get creds)
+            // This won't work in case the DB driver explicitly disconnects the user when the credentials are revoked.
+            // In that case, it would be better to create a token role which can create an orphaned token which can create the database credentials
+            final Map<String, Object> params = new HashMap();
+            params.put("increment", ttl);
+            vault.logical().write("auth/token/renew-self", params);
+        }
+        
+    }
+    
+    public String getUser() {
+        return user;
+    }
+    public String getPass() {
+        return pass;
+    }
+    public RenewalConfig getRenewalConfig() {
+        return renewConfig;
+    }
+}

pgjdbc/src/main/java/org/postgresql/util/VaultRenewalTaskScheduler.java

@@ -0,0 +1,84 @@
+package org.postgresql.util;
+
+import java.util.Map;
+import java.util.HashMap;
+import java.util.Timer;
+import java.util.TimerTask;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.postgresql.util.SharedTimer;
+import org.postgresql.util.VaultLookup;
+import org.postgresql.jdbc.PgConnection;
+import com.bettercloud.vault.Vault;
+import com.bettercloud.vault.VaultConfig;
+import com.bettercloud.vault.response.LogicalResponse;
+
+// The renewal task latches onto an existing thread scheduler on the connection object
+// Closing the connection will automatically purge the scheduler and stop renewing the lease
+
+public class VaultRenewalTaskScheduler {
+    private final SharedTimer timer;
+    private static final Logger LOGGER = Logger.getLogger(VaultRenewalTask.class.getName());
+    
+    private class RenewalTask extends TimerTask {
+        private final String leaseId;
+        private final PgConnection conn;
+        private final VaultConfig vltConfig;
+        public RenewalTask(PgConnection conn, VaultLookup.RenewalConfig renewConfig) {
+            this.conn = conn;
+            this.vltConfig = renewConfig.vltConfig;
+            this.leaseId = renewConfig.leaseId;
+        }
+        
+        /**
+        * Renew the lease and token with Vault and reschedule
+        */
+        @Override
+        public void run() {
+            final Vault vault = new Vault(vltConfig);
+            try {
+                LOGGER.log(Level.FINE, "Attempting to renew credentials for {0}", leaseId);
+                // First, renew the database lease according to the default TTL
+                final Map<String, Object> params = new HashMap();
+                params.put("lease_id", leaseId);
+                final LogicalResponse res = vault.logical().write("sys/renew", params); 
+                Number ttl = res.getLeaseDuration();
+                // Now renew the token to the same TTL as the database
+                params.clear();
+                params.put("increment", ttl);
+                vault.logical().write("auth/token/renew-self", params);
+            } catch (Exception e) {
+                LOGGER.log(Level.SEVERE, e.getMessage().toString());
+                // Retries are caught and dealt with by the Vault driver, so anything else is fatal.
+                // Attempt to close the connection.
+                try {
+                    conn.close();
+                    VaultRenewalTaskScheduler.this.shutdown();
+                } catch (Exception e2) {}
+            }
+        } 
+    }
+    
+    public VaultRenewalTaskScheduler(PgConnection conn, VaultLookup.RenewalConfig renewConfig) {
+        final RenewalTask task = new RenewalTask(conn, renewConfig);
+        this.timer = new SharedTimer();
+        final long nextInterval = this.interval(renewConfig.initialTTL);
+        timer.getTimer().schedule(task, nextInterval, nextInterval);
+        LOGGER.log(Level.INFO, "Scheduling vault renewal every {0}ms", String.valueOf(nextInterval));
+    }
+    
+
+    public void shutdown() {
+        LOGGER.log(Level.FINER, "Shut down timer");
+        timer.releaseTimer();
+    }
+    
+    /**
+    * Return the scheduling interval.  Defautls to 2/3 of the lease ttl
+    *
+    * @param ttl Lease ttl
+    */    
+    public long interval(Number ttl) {
+        return (long)((Long)ttl * 1000 * (2.0f / 3));
+    }
+}

pgjdbc/src/test/java/org/postgresql/test/TestUtil.java

@@ -73,7 +73,7 @@ public static String getURL(String server, int port) {
       ssl = "&ssl=" + getSSL();
     }
 
-    return "jdbc:postgresql://"
+    return "jdbc:postgresqlvault://"
         + server + ":"
         + port + "/"
         + getDatabase()

pgjdbc/src/test/java/org/postgresql/test/hostchooser/MultiHostsConnectionTest.java

@@ -101,7 +101,7 @@ private static Connection getConnection(HostRequirement hostType, boolean reset,
     }
 
     StringBuilder sb = new StringBuilder();
-    sb.append("jdbc:postgresql://");
+    sb.append("jdbc:postgresqlvault://");
     for (String target : targets) {
       sb.append(target).append(',');
     }

pgjdbc/src/test/java/org/postgresql/test/jdbc2/ConnectTimeoutTest.java

@@ -22,7 +22,7 @@
 public class ConnectTimeoutTest {
   // The IP below is non-routable (see http://stackoverflow.com/a/904609/1261287)
   private static final String UNREACHABLE_HOST = "10.255.255.1";
-  private static final String UNREACHABLE_URL = "jdbc:postgresql://" + UNREACHABLE_HOST + ":5432/test";
+  private static final String UNREACHABLE_URL = "jdbc:postgresqlvault://" + UNREACHABLE_HOST + ":5432/test";
   private static final int CONNECT_TIMEOUT = 5;
 
   @Before

pgjdbc/src/test/java/org/postgresql/test/jdbc2/DriverTest.java

@@ -46,26 +46,26 @@ public void testAcceptsURL() throws Exception {
     assertNotNull(drv);
 
     // These are always correct
-    verifyUrl(drv, "jdbc:postgresql:test", "localhost", "5432", "test");
-    verifyUrl(drv, "jdbc:postgresql://localhost/test", "localhost", "5432", "test");
-    verifyUrl(drv, "jdbc:postgresql://localhost:5432/test", "localhost", "5432", "test");
-    verifyUrl(drv, "jdbc:postgresql://127.0.0.1/anydbname", "127.0.0.1", "5432", "anydbname");
-    verifyUrl(drv, "jdbc:postgresql://127.0.0.1:5433/hidden", "127.0.0.1", "5433", "hidden");
-    verifyUrl(drv, "jdbc:postgresql://[::1]:5740/db", "[::1]", "5740", "db");
+    verifyUrl(drv, "jdbc:postgresqlvault:test", "localhost", "5432", "test");
+    verifyUrl(drv, "jdbc:postgresqlvault://localhost/test", "localhost", "5432", "test");
+    verifyUrl(drv, "jdbc:postgresqlvault://localhost:5432/test", "localhost", "5432", "test");
+    verifyUrl(drv, "jdbc:postgresqlvault://127.0.0.1/anydbname", "127.0.0.1", "5432", "anydbname");
+    verifyUrl(drv, "jdbc:postgresqlvault://127.0.0.1:5433/hidden", "127.0.0.1", "5433", "hidden");
+    verifyUrl(drv, "jdbc:postgresqlvault://[::1]:5740/db", "[::1]", "5740", "db");
 
     // Badly formatted url's
     assertTrue(!drv.acceptsURL("jdbc:postgres:test"));
     assertTrue(!drv.acceptsURL("postgresql:test"));
     assertTrue(!drv.acceptsURL("db"));
-    assertTrue(!drv.acceptsURL("jdbc:postgresql://localhost:5432a/test"));
+    assertTrue(!drv.acceptsURL("jdbc:postgresqlvault://localhost:5432a/test"));
 
     // failover urls
-    verifyUrl(drv, "jdbc:postgresql://localhost,127.0.0.1:5432/test", "localhost,127.0.0.1",
+    verifyUrl(drv, "jdbc:postgresqlvault://localhost,127.0.0.1:5432/test", "localhost,127.0.0.1",
         "5432,5432", "test");
-    verifyUrl(drv, "jdbc:postgresql://localhost:5433,127.0.0.1:5432/test", "localhost,127.0.0.1",
+    verifyUrl(drv, "jdbc:postgresqlvault://localhost:5433,127.0.0.1:5432/test", "localhost,127.0.0.1",
         "5433,5432", "test");
-    verifyUrl(drv, "jdbc:postgresql://[::1],[::1]:5432/db", "[::1],[::1]", "5432,5432", "db");
-    verifyUrl(drv, "jdbc:postgresql://[::1]:5740,127.0.0.1:5432/db", "[::1],127.0.0.1", "5740,5432",
+    verifyUrl(drv, "jdbc:postgresqlvault://[::1],[::1]:5432/db", "[::1],[::1]", "5432,5432", "db");
+    verifyUrl(drv, "jdbc:postgresqlvault://[::1]:5740,127.0.0.1:5432/db", "[::1],127.0.0.1", "5740,5432",
         "db");
   }
 
@@ -111,7 +111,7 @@ public void testConnect() throws Exception {
    */
   @Test
   public void testConnectFailover() throws Exception {
-    String url = "jdbc:postgresql://invalidhost.not.here," + TestUtil.getServer() + ":"
+    String url = "jdbc:postgresqlvault://invalidhost.not.here," + TestUtil.getServer() + ":"
         + TestUtil.getPort() + "/" + TestUtil.getDatabase() + "?connectTimeout=5";
     Connection con = DriverManager.getConnection(url, TestUtil.getUser(), TestUtil.getPassword());
     assertNotNull(con);

pgjdbc/src/test/java/org/postgresql/test/jdbc2/LoginTimeoutTest.java

@@ -139,7 +139,7 @@ public void testTimeoutOccurs() throws Exception {
     new Thread(helper, "timeout listen helper").start();
 
     try {
-      String url = "jdbc:postgresql://" + helper.getHost() + ":" + helper.getPort() + "/dummy";
+      String url = "jdbc:postgresqlvault://" + helper.getHost() + ":" + helper.getPort() + "/dummy";
       Properties props = new Properties();
       props.setProperty("user", "dummy");
       props.setProperty("loginTimeout", "5");