db: allow updates to self_managed_password

hashicorp · Jan 3, 2025 · 39efb8e · 39efb8e
1 parent 39365aa
commit 39efb8e
Showing 1 changed file with 13 additions and 6 deletions.
diff --git a/builtin/logical/database/path_roles.go b/builtin/logical/database/path_roles.go
@@ -649,11 +649,12 @@ func (b *databaseBackend) pathStaticRoleCreateUpdate(ctx context.Context, req *l
 	}
 
 	lastVaultRotation := role.StaticAccount.LastVaultRotation
+	updateAllowed := lastVaultRotation.IsZero()
+
 	if passwordRaw, ok := data.GetOk("password"); ok {
 		// We will allow users to update the password until the point where
 		// Vault assumes management of the account so that we don't break the
 		// promise of Vault being the source of truth.
-		updateAllowed := lastVaultRotation.IsZero()
 		if updateAllowed {
 			role.StaticAccount.Password = passwordRaw.(string)
 
@@ -663,21 +664,27 @@ func (b *databaseBackend) pathStaticRoleCreateUpdate(ctx context.Context, req *l
 			}
 
 			if connDetails != nil && connDetails.SelfManaged {
-				// Password and SelfManagedPassword should map to the same value
+				// SelfManagedPassword was deprecated in favor of Password, so they
+				// should map to the same value
 				role.StaticAccount.SelfManagedPassword = passwordRaw.(string)
 			}
 		} else {
 			return logical.ErrorResponse("%s: role=%s, lastVaultRotation=%s", errNoUpdateAfterRotation, name, lastVaultRotation), nil
 		}
 	}
 
-	if smPasswordRaw, ok := data.GetOk("self_managed_password"); ok && createRole {
+	if smPasswordRaw, ok := data.GetOk("self_managed_password"); ok {
 		if _, ok := data.GetOk("password"); ok {
 			return logical.ErrorResponse(errNoPasswordAndSelfManagedPassword), nil
 		}
-		// Password and SelfManagedPassword should map to the same value
-		role.StaticAccount.SelfManagedPassword = smPasswordRaw.(string)
-		role.StaticAccount.Password = smPasswordRaw.(string)
+		if updateAllowed {
+			// SelfManagedPassword was deprecated in favor of Password, so they
+			// should map to the same value
+			role.StaticAccount.SelfManagedPassword = smPasswordRaw.(string)
+			role.StaticAccount.Password = smPasswordRaw.(string)
+		} else {
+			return logical.ErrorResponse("%s: role=%s, lastVaultRotation=%s", errNoUpdateAfterRotation, name, lastVaultRotation), nil
+		}
 	}
 
 	if skipImportRotationRaw, ok := data.GetOk("skip_import_rotation"); ok {