If password option is no_password, do not insert an empty string password into inputs, and don't return encrypted password data.

Author: ggreer

pkg/bsql/helpers_test.go

@@ -341,17 +341,19 @@ func TestGenerateCredentials(t *testing.T) {
 
 			require.NoError(t, err)
 			if tt.expectNonEmpty {
-				require.NotEmpty(t, password)
+				require.NotNil(t, password)
+				require.NotEmpty(t, *password)
 				// Verify the password length matches the requested length
 				if tt.credentialOptions.GetRandomPassword() != nil {
 					expectedLength := tt.credentialOptions.GetRandomPassword().GetLength()
 					if expectedLength > 0 {
-						require.Equal(t, int(expectedLength), len(password), "Password length should match requested length")
+						require.Equal(t, int(expectedLength), len(*password), "Password length should match requested length")
 					}
 				}
 			}
 			if tt.expectedValue != "" {
-				require.Equal(t, tt.expectedValue, password)
+				require.NotNil(t, password)
+				require.Equal(t, tt.expectedValue, *password)
 			}
 		})
 	}

pkg/bsql/provisioning.go

@@ -243,14 +243,16 @@ func (s *SQLSyncer) prepareQueryInputs(
 		if err != nil {
 			return nil, nil, err
 		}
-		queryInputs["password"] = password
-		credentials["password"] = password
-		// Create plaintext data for return
-		passwordData := &v2.PlaintextData{
-			Name:  "password",
-			Bytes: []byte(password),
+		if password != nil {
+			queryInputs["password"] = password
+			credentials["password"] = password
+			// Create plaintext data for return
+			passwordData := &v2.PlaintextData{
+				Name:  "password",
+				Bytes: []byte(*password),
+			}
+			plaintextDataList = append(plaintextDataList, passwordData)
 		}
-		plaintextDataList = append(plaintextDataList, passwordData)
 	}
 
 	// 3. Add namespaced access for advanced CEL expressions
@@ -269,26 +271,27 @@ func (s *SQLSyncer) prepareQueryInputs(
 	return queryInputs, plaintextDataList, nil
 }
 
-func generatePassword(ctx context.Context, credentialOptions *v2.LocalCredentialOptions) (string, error) {
+func generatePassword(ctx context.Context, credentialOptions *v2.LocalCredentialOptions) (*string, error) {
 	if credentialOptions == nil {
-		return "", errors.New("credential options are required")
+		return nil, errors.New("credential options are required")
 	}
 
 	var password string
 	var err error
 	switch credentialOptions.Options.(type) {
 	case *v2.LocalCredentialOptions_NoPassword_:
+		return nil, nil
 	case *v2.LocalCredentialOptions_RandomPassword_, *v2.LocalCredentialOptions_PlaintextPassword_:
 		password, err = crypto.GeneratePassword(ctx, credentialOptions)
 		if err != nil {
-			return "", fmt.Errorf("failed to generate password: %w", err)
+			return nil, fmt.Errorf("failed to generate password: %w", err)
 		}
 
 	default:
-		return "", fmt.Errorf("unsupported credential options: %v", credentialOptions)
+		return nil, fmt.Errorf("unsupported credential options: %v", credentialOptions)
 	}
 
-	return password, nil
+	return &password, nil
 }
 
 // validateAccountInfo validates that the required account information is provided.

pkg/bsql/user_syncer.go

@@ -174,14 +174,16 @@ func (s *userSyncer) Rotate(ctx context.Context, resourceId *v2.ResourceId, cred
 	if err != nil {
 		return nil, nil, err
 	}
-	queryInputs["password"] = password
-	credentials["password"] = password
-	// Create plaintext data for return
-	passwordData := &v2.PlaintextData{
-		Name:  "password",
-		Bytes: []byte(password),
-	}
-	plaintextDataList = append(plaintextDataList, passwordData)
+	if password != nil {
+		queryInputs["password"] = password
+		credentials["password"] = password
+		// Create plaintext data for return
+		passwordData := &v2.PlaintextData{
+			Name:  "password",
+			Bytes: []byte(*password),
+		}
+		plaintextDataList = append(plaintextDataList, passwordData)
+	}
 
 	// Execute account creation queries
 	useTransaction := !rotationConfig.Update.NoTransaction