Fix a panic in MongoDB backend with concurrent create/revoke (#5463)

When Vault is concurrently creating and revoking leases for MongoDB
users as part of the database secrets engine, and then loses connection
to MongoDB, it can panic. This occurrs because the RevokeUser path does
_not_ lock the mutex, but the CreateUser path does. Both threads of
execution can concurently decide to call c.session.Close() in
mongodb/connection_producer.go:119, and then mgo panics when the second
close attempt occurs.
This commit is contained in:
Konstantinos Tsanaktsidis 2018-10-04 23:51:08 +10:00 committed by Jeff Mitchell
parent 4c9301a91f
commit 247d09a1fc

View file

@ -165,6 +165,9 @@ func (m *MongoDB) RenewUser(ctx context.Context, statements dbplugin.Statements,
// RevokeUser drops the specified user from the authentication database. If none is provided
// in the revocation statement, the default "admin" authentication database will be assumed.
func (m *MongoDB) RevokeUser(ctx context.Context, statements dbplugin.Statements, username string) error {
m.Lock()
defer m.Unlock()
statements = dbutil.StatementCompatibilityHelper(statements)
session, err := m.getConnection(ctx)