From 386d78180c1b65812d7a1142507d44fd6f7a0063 Mon Sep 17 00:00:00 2001 From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com> Date: Fri, 18 Aug 2023 09:09:32 -0400 Subject: [PATCH] backport of commit 4654c15248013edeb36fdeae28ab3631bebe0a8e (#21188) --- changelog/21110.txt | 4 ++++ vault/core.go | 4 ++-- vault/logical_system.go | 4 ++-- vault/request_handling.go | 4 +--- 4 files changed, 9 insertions(+), 7 deletions(-) create mode 100644 changelog/21110.txt diff --git a/changelog/21110.txt b/changelog/21110.txt new file mode 100644 index 000000000..2471fac77 --- /dev/null +++ b/changelog/21110.txt @@ -0,0 +1,4 @@ +```release-note:bug +core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context. +Also fix a related potential deadlock. +``` \ No newline at end of file diff --git a/vault/core.go b/vault/core.go index faf1659bc..9ecf6282a 100644 --- a/vault/core.go +++ b/vault/core.go @@ -361,7 +361,7 @@ type Core struct { // mountsLock is used to ensure that the mounts table does not // change underneath a calling function - mountsLock sync.RWMutex + mountsLock locking.DeadlockRWMutex // mountMigrationTracker tracks past and ongoing remount operations // against their migration ids @@ -373,7 +373,7 @@ type Core struct { // authLock is used to ensure that the auth table does not // change underneath a calling function - authLock sync.RWMutex + authLock locking.DeadlockRWMutex // audit is loaded after unseal since it is a protected // configuration diff --git a/vault/logical_system.go b/vault/logical_system.go index 842ee3014..a332276b9 100644 --- a/vault/logical_system.go +++ b/vault/logical_system.go @@ -20,7 +20,6 @@ import ( "sort" "strconv" "strings" - "sync" "time" "unicode" @@ -34,6 +33,7 @@ import ( "github.com/hashicorp/vault/helper/experiments" "github.com/hashicorp/vault/helper/hostutil" "github.com/hashicorp/vault/helper/identity" + "github.com/hashicorp/vault/helper/locking" "github.com/hashicorp/vault/helper/logging" "github.com/hashicorp/vault/helper/metricsutil" "github.com/hashicorp/vault/helper/monitor" @@ -1720,7 +1720,7 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string, return nil, logical.ErrReadOnly } - var lock *sync.RWMutex + var lock *locking.DeadlockRWMutex switch { case strings.HasPrefix(path, credentialRoutePrefix): lock = &b.Core.authLock diff --git a/vault/request_handling.go b/vault/request_handling.go index 93903d9ef..9900deb2e 100644 --- a/vault/request_handling.go +++ b/vault/request_handling.go @@ -1022,11 +1022,9 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp } leaseGenerated := false - loginRole := c.DetermineRoleFromLoginRequest(req.MountPoint, req.Data, ctx) quotaResp, quotaErr := c.applyLeaseCountQuota(ctx, "as.Request{ Path: req.Path, MountPath: strings.TrimPrefix(req.MountPoint, ns.Path), - Role: loginRole, NamespacePath: ns.Path, }) if quotaErr != nil { @@ -1166,7 +1164,7 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp return nil, auth, retErr } - leaseID, err := registerFunc(ctx, req, resp, loginRole) + leaseID, err := registerFunc(ctx, req, resp, "") if err != nil { c.logger.Error("failed to register lease", "request_path", req.Path, "error", err) retErr = multierror.Append(retErr, ErrInternalError)