respond to feedback

hashicorp · Dec 3, 2024 · a3e9910 · a3e9910
1 parent 92b4ba9
commit a3e9910
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## Unreleased
 
+BUG FIXES:
+
+* Update static role rotation to generate a new password after 2 failed attempts (https://github.com/hashicorp/vault-plugin-secrets-openldap/pull/125)
+
 ## v0.14.3
 
 BUG FIXES:

diff --git a/rotation.go b/rotation.go
@@ -321,7 +321,7 @@ func (b *backend) setStaticAccountPassword(ctx context.Context, s logical.Storag
 	}
 
 	var newPassword string
-	var usedExistingCredential bool
+	var usedCredentialFromPreviousRotation bool
 	if output.WALID != "" {
 		wal, err := b.findStaticWAL(ctx, s, output.WALID)
 		if err != nil {
@@ -345,7 +345,7 @@ func (b *backend) setStaticAccountPassword(ctx context.Context, s logical.Storag
 		default:
 			// Reuse the password from the existing WAL entry
 			newPassword = wal.NewPassword
-			usedExistingCredential = true
+			usedCredentialFromPreviousRotation = true
 		}
 	}
 
@@ -386,8 +386,7 @@ func (b *backend) setStaticAccountPassword(ctx context.Context, s logical.Storag
 		err = b.client.UpdateUserPassword(config.LDAP, input.Role.StaticAccount.Username, newPassword)
 	}
 	if err != nil {
-		if usedExistingCredential {
-			// A retried password has failed again. Delete WAL and try with fresh password
+		if usedCredentialFromPreviousRotation {
 			b.Logger().Debug("password stored in WAL failed, deleting WAL", "role", input.RoleName, "WAL ID", output.WALID)
 			if err := framework.DeleteWAL(ctx, s, output.WALID); err != nil {
 				b.Logger().Warn("failed to delete WAL", "error", err, "WAL ID", output.WALID)