Using url.PathEscape on passwords

jonthegimp · October 13, 2021, 6:20pm

Hello,

I am looking at the following code from connutil/sql.go

	// Don't escape special characters for MySQL password
	password := c.Password
	if c.Type != "mysql" {
		password = url.PathEscape(c.Password)
	}

I’ve got a use case where my Postgres instance password has a special char in it - the password is valid, is there a reason only mysql is not escaped here? It seems like any backend that supports such passwords should not be escaped.

Best,
Jon

jonthegimp · October 13, 2021, 7:10pm

Looks like this was as a result of #8040 and #7089

In any case, there are still special chars that are allowed in postgres passwords.

jonthegimp · October 14, 2021, 1:51pm

A bit confused here - the mechanics of the password template work a little differently based on the connection_url used, specifically between a TCP vs a Socket connection.

Example:

Works - TCP w/password containing special chars as template var

vault write secrets/database/config/my-post-tcp \
 plugin_name=postgresql-database-plugin\ 
 connection_url="postgresql://{{username}}:{{password}}@<addr>:54342/" \
 username="postgres" \
 password="some%password"

Works - Socket w/password containing special chars, non-template

vault write secrets/database/config/my-post-sock \
 plugin_name=postgresql-database-plugin \
 allowed_roles="my-roles" \
 connection_url="dbname=postgres user={{username}} host=<socket-loc> 
 password=some%password" \
 username="postgres"

Works - Socket w/password not containing special chars as template var

vault write secrets/database/config/my-post-sock \
 plugin_name=postgresql-database-plugin \
 allowed_roles="my-roles" \
 connection_url="dbname=postgres user={{username}} host=<socket-loc> password={{password}}" \
 username="postgres" \
 password="somepassword"

Does not work - Socket w/password containing special chars as template

vault write secrets/database/config/my-post-sock \
 plugin_name=postgresql-database-plugin \
 allowed_roles="my-roles" \
 connection_url="dbname=postgres user={{username}} host=<socket-loc> password={{password}}" \
 username="postgres" \
 password="some%password"

Error writing data to secrets/database/config/my-post-sock: Error making API request.

URL: PUT https://<vault-addr>/v1/secrets/database/config/my-post-sock
Code: 400. Errors:

* error creating database object: error verifying connection: pq: password authentication failed for user "postgres"