Merge pull request duckdb#110 from Mytherin/dontleaksecretinpath

Avoid modifying the path that is shown in duckdb_databases with the secret contents

Author: Mytherin

src/include/storage/mysql_catalog.hpp

@@ -18,10 +18,11 @@ class MySQLSchemaEntry;
 
 class MySQLCatalog : public Catalog {
 public:
-	explicit MySQLCatalog(AttachedDatabase &db_p, const string &path, AccessMode access_mode);
+	explicit MySQLCatalog(AttachedDatabase &db_p, string connection_string, string attach_path, AccessMode access_mode);
 	~MySQLCatalog();
 
-	string path;
+	string connection_string;
+	string attach_path;
 	AccessMode access_mode;
 
 public:
@@ -30,6 +31,8 @@ class MySQLCatalog : public Catalog {
 		return "mysql";
 	}
 
+	static string GetConnectionString(ClientContext &context, const string &attach_path, string secret_name);
+
 	optional_ptr<CatalogEntry> CreateSchema(CatalogTransaction transaction, CreateSchemaInfo &info) override;
 
 	void ScanSchemas(ClientContext &context, std::function<void(SchemaCatalogEntry &)> callback) override;

src/mysql_storage.cpp

@@ -4,55 +4,9 @@
 #include "storage/mysql_catalog.hpp"
 #include "duckdb/parser/parsed_data/attach_info.hpp"
 #include "storage/mysql_transaction_manager.hpp"
-#include "duckdb/main/secret/secret_manager.hpp"
 
 namespace duckdb {
 
-string EscapeConnectionString(const string &input) {
-	string result = "\"";
-	for (auto c : input) {
-		if (c == '\\') {
-			result += "\\\\";
-		} else if (c == '"') {
-			result += "\\\"";
-		} else {
-			result += c;
-		}
-	}
-	result += "\"";
-	return result;
-}
-
-string AddConnectionOption(const KeyValueSecret &kv_secret, const string &name) {
-	Value input_val = kv_secret.TryGetValue(name);
-	if (input_val.IsNull()) {
-		// not provided
-		return string();
-	}
-	string result;
-	result += name;
-	result += "=";
-	result += EscapeConnectionString(input_val.ToString());
-	result += " ";
-	return result;
-}
-
-unique_ptr<SecretEntry> GetSecret(ClientContext &context, const string &secret_name) {
-	auto &secret_manager = SecretManager::Get(context);
-	auto transaction = CatalogTransaction::GetSystemCatalogTransaction(context);
-	// FIXME: this should be adjusted once the `GetSecretByName` API supports this
-	// use case
-	auto secret_entry = secret_manager.GetSecretByName(transaction, secret_name, "memory");
-	if (secret_entry) {
-		return secret_entry;
-	}
-	secret_entry = secret_manager.GetSecretByName(transaction, secret_name, "local_file");
-	if (secret_entry) {
-		return secret_entry;
-	}
-	return nullptr;
-}
-
 static unique_ptr<Catalog> MySQLAttach(StorageExtensionInfo *storage_info, ClientContext &context, AttachedDatabase &db,
                                        const string &name, AttachInfo &info, AccessMode access_mode) {
 	// check if we have a secret provided
@@ -68,43 +22,9 @@ static unique_ptr<Catalog> MySQLAttach(StorageExtensionInfo *storage_info, Clien
 		}
 	}
 
-	// if no secret is specified we default to the unnamed mysql secret, if it
-	// exists
-	bool explicit_secret = !secret_name.empty();
-	if (!explicit_secret) {
-		// look up settings from the default unnamed mysql secret if none is
-		// provided
-		secret_name = "__default_mysql";
-	}
-
-	string connection_string = info.path;
-	auto secret_entry = GetSecret(context, secret_name);
-	if (secret_entry) {
-		// secret found - read data
-		const auto &kv_secret = dynamic_cast<const KeyValueSecret &>(*secret_entry->secret);
-		string new_connection_info;
-
-		new_connection_info += AddConnectionOption(kv_secret, "user");
-		new_connection_info += AddConnectionOption(kv_secret, "password");
-		new_connection_info += AddConnectionOption(kv_secret, "host");
-		new_connection_info += AddConnectionOption(kv_secret, "port");
-		new_connection_info += AddConnectionOption(kv_secret, "database");
-		new_connection_info += AddConnectionOption(kv_secret, "socket");
-		new_connection_info += AddConnectionOption(kv_secret, "ssl_mode");
-		new_connection_info += AddConnectionOption(kv_secret, "ssl_ca");
-		new_connection_info += AddConnectionOption(kv_secret, "ssl_capath");
-		new_connection_info += AddConnectionOption(kv_secret, "ssl_cert");
-		new_connection_info += AddConnectionOption(kv_secret, "ssl_cipher");
-		new_connection_info += AddConnectionOption(kv_secret, "ssl_crl");
-		new_connection_info += AddConnectionOption(kv_secret, "ssl_crlpath");
-		new_connection_info += AddConnectionOption(kv_secret, "ssl_key");
-		connection_string = new_connection_info + connection_string;
-	} else if (explicit_secret) {
-		// secret not found and one was explicitly provided - throw an error
-		throw BinderException("Secret with name \"%s\" not found", secret_name);
-	}
-
-	return make_uniq<MySQLCatalog>(db, connection_string, access_mode);
+	string attach_path = info.path;
+	auto connection_string = MySQLCatalog::GetConnectionString(context, attach_path, secret_name);
+	return make_uniq<MySQLCatalog>(db, std::move(connection_string), std::move(attach_path), access_mode);
 }
 
 static unique_ptr<TransactionManager> MySQLCreateTransactionManager(StorageExtensionInfo *storage_info,

src/storage/mysql_catalog.cpp

@@ -6,18 +6,102 @@
 #include "duckdb/parser/parsed_data/drop_info.hpp"
 #include "duckdb/parser/parsed_data/create_schema_info.hpp"
 #include "duckdb/main/attached_database.hpp"
+#include "duckdb/main/secret/secret_manager.hpp"
 
 namespace duckdb {
 
-MySQLCatalog::MySQLCatalog(AttachedDatabase &db_p, const string &path, AccessMode access_mode)
-    : Catalog(db_p), path(path), access_mode(access_mode), schemas(*this) {
-	default_schema = MySQLUtils::ParseConnectionParameters(path).db;
+MySQLCatalog::MySQLCatalog(AttachedDatabase &db_p, string connection_string_p, string attach_path_p, AccessMode access_mode)
+    : Catalog(db_p), connection_string(std::move(connection_string_p)), attach_path(std::move(attach_path_p)), access_mode(access_mode), schemas(*this) {
+	default_schema = MySQLUtils::ParseConnectionParameters(connection_string).db;
 	// try to connect
-	auto connection = MySQLConnection::Open(path);
+	auto connection = MySQLConnection::Open(connection_string);
 }
 
 MySQLCatalog::~MySQLCatalog() = default;
 
+string EscapeConnectionString(const string &input) {
+	string result = "\"";
+	for (auto c : input) {
+		if (c == '\\') {
+			result += "\\\\";
+		} else if (c == '"') {
+			result += "\\\"";
+		} else {
+			result += c;
+		}
+	}
+	result += "\"";
+	return result;
+}
+
+string AddConnectionOption(const KeyValueSecret &kv_secret, const string &name) {
+	Value input_val = kv_secret.TryGetValue(name);
+	if (input_val.IsNull()) {
+		// not provided
+		return string();
+	}
+	string result;
+	result += name;
+	result += "=";
+	result += EscapeConnectionString(input_val.ToString());
+	result += " ";
+	return result;
+}
+
+unique_ptr<SecretEntry> GetSecret(ClientContext &context, const string &secret_name) {
+	auto &secret_manager = SecretManager::Get(context);
+	auto transaction = CatalogTransaction::GetSystemCatalogTransaction(context);
+	// FIXME: this should be adjusted once the `GetSecretByName` API supports this
+	// use case
+	auto secret_entry = secret_manager.GetSecretByName(transaction, secret_name, "memory");
+	if (secret_entry) {
+		return secret_entry;
+	}
+	secret_entry = secret_manager.GetSecretByName(transaction, secret_name, "local_file");
+	if (secret_entry) {
+		return secret_entry;
+	}
+	return nullptr;
+}
+
+string MySQLCatalog::GetConnectionString(ClientContext &context, const string &attach_path, string secret_name) {
+	// if no secret is specified we default to the unnamed mysql secret, if it
+	// exists
+	bool explicit_secret = !secret_name.empty();
+	if (!explicit_secret) {
+		// look up settings from the default unnamed mysql secret if none is
+		// provided
+		secret_name = "__default_mysql";
+	}
+	auto secret_entry = GetSecret(context, secret_name);
+	auto connection_string = attach_path;
+	if (secret_entry) {
+		// secret found - read data
+		const auto &kv_secret = dynamic_cast<const KeyValueSecret &>(*secret_entry->secret);
+		string new_connection_info;
+
+		new_connection_info += AddConnectionOption(kv_secret, "user");
+		new_connection_info += AddConnectionOption(kv_secret, "password");
+		new_connection_info += AddConnectionOption(kv_secret, "host");
+		new_connection_info += AddConnectionOption(kv_secret, "port");
+		new_connection_info += AddConnectionOption(kv_secret, "database");
+		new_connection_info += AddConnectionOption(kv_secret, "socket");
+		new_connection_info += AddConnectionOption(kv_secret, "ssl_mode");
+		new_connection_info += AddConnectionOption(kv_secret, "ssl_ca");
+		new_connection_info += AddConnectionOption(kv_secret, "ssl_capath");
+		new_connection_info += AddConnectionOption(kv_secret, "ssl_cert");
+		new_connection_info += AddConnectionOption(kv_secret, "ssl_cipher");
+		new_connection_info += AddConnectionOption(kv_secret, "ssl_crl");
+		new_connection_info += AddConnectionOption(kv_secret, "ssl_crlpath");
+		new_connection_info += AddConnectionOption(kv_secret, "ssl_key");
+		connection_string = new_connection_info + connection_string;
+	} else if (explicit_secret) {
+		// secret not found and one was explicitly provided - throw an error
+		throw BinderException("Secret with name \"%s\" not found", secret_name);
+	}
+	return connection_string;
+}
+
 void MySQLCatalog::Initialize(bool load_builtin) {
 }
 
@@ -63,7 +147,7 @@ bool MySQLCatalog::InMemory() {
 }
 
 string MySQLCatalog::GetDBPath() {
-	return path;
+	return attach_path;
 }
 
 DatabaseSize MySQLCatalog::GetDatabaseSize(ClientContext &context) {

src/storage/mysql_transaction.cpp

@@ -9,7 +9,7 @@ namespace duckdb {
 
 MySQLTransaction::MySQLTransaction(MySQLCatalog &mysql_catalog, TransactionManager &manager, ClientContext &context)
     : Transaction(manager, context), access_mode(mysql_catalog.access_mode) {
-	connection = MySQLConnection::Open(mysql_catalog.path);
+	connection = MySQLConnection::Open(mysql_catalog.connection_string);
 }
 
 MySQLTransaction::~MySQLTransaction() = default;

test/sql/attach_secret.test

@@ -37,6 +37,11 @@ CREATE SECRET mysql_secret (
 statement ok
 ATTACH '' AS secret_attach (TYPE MYSQL, SECRET mysql_secret)
 
+query I
+SELECT path FROM duckdb_databases() WHERE database_name='secret_attach'
+----
+(empty)
+
 statement ok
 DETACH secret_attach