backport of commit 4654c15248013edeb36fdeae28ab3631bebe0a8e (#21188)

hc-github-team-secure-vault-core 2023-08-18 09:09:32 -04:00 committed by GitHub
parent bce718efbf
commit 386d78180c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 9 additions and 7 deletions

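--- /dev/null
+++ b/changelog/21110.txt
@@ -0,0 +1,4 @@
+```release-note:bug
+core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context.
+Also fix a related potential deadlock.
+```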


@ -361,7 +361,7 @@ type Core struct {
// mountsLock is used to ensure that the mounts table does not // mountsLock is used to ensure that the mounts table does not
// change underneath a calling function // change underneath a calling function
mountsLock sync.RWMutex mountsLock locking.DeadlockRWMutex
// mountMigrationTracker tracks past and ongoing remount operations // mountMigrationTracker tracks past and ongoing remount operations
// against their migration ids // against their migration ids
@ -373,7 +373,7 @@ type Core struct {
// authLock is used to ensure that the auth table does not // authLock is used to ensure that the auth table does not
// change underneath a calling function // change underneath a calling function
authLock sync.RWMutex authLock locking.DeadlockRWMutex
// audit is loaded after unseal since it is a protected // audit is loaded after unseal since it is a protected
// configuration // configuration
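Review bot: The doc comments on mountsLock and authLock still only say what the locks protect, while the switch from sync.RWMutex to locking.DeadlockRWMutex on the changed lines is what a reader of this struct will stop at; a short addition such as `// locking.DeadlockRWMutex is an RWMutex with optional deadlock detection; see helper/locking` would explain why a non-stdlib lock type is used, with the exact wording checked against that package. Changing the field type is also a compile-visible break for any code that stores `&c.mountsLock` or `&c.authLock` in a `*sync.RWMutex`; this commit updates handleTuneWriteCommon, but other such uses outside the shown hunks are worth a search before merging. The Core struct begins and ends outside both hunks.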


@ -20,7 +20,6 @@ import (
"sort" "sort"
"strconv" "strconv"
"strings" "strings"
"sync"
"time" "time"
"unicode" "unicode"
@ -34,6 +33,7 @@ import (
"github.com/hashicorp/vault/helper/experiments" "github.com/hashicorp/vault/helper/experiments"
"github.com/hashicorp/vault/helper/hostutil" "github.com/hashicorp/vault/helper/hostutil"
"github.com/hashicorp/vault/helper/identity" "github.com/hashicorp/vault/helper/identity"
"github.com/hashicorp/vault/helper/locking"
"github.com/hashicorp/vault/helper/logging" "github.com/hashicorp/vault/helper/logging"
"github.com/hashicorp/vault/helper/metricsutil" "github.com/hashicorp/vault/helper/metricsutil"
"github.com/hashicorp/vault/helper/monitor" "github.com/hashicorp/vault/helper/monitor"
@ -1720,7 +1720,7 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string,
return nil, logical.ErrReadOnly return nil, logical.ErrReadOnly
} }
var lock *sync.RWMutex var lock *locking.DeadlockRWMutex
switch { switch {
case strings.HasPrefix(path, credentialRoutePrefix): case strings.HasPrefix(path, credentialRoutePrefix):
lock = &b.Core.authLock lock = &b.Core.authLock
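Review bot: `lock` is declared against the concrete `*locking.DeadlockRWMutex`, which is the only reason this function had to follow the Core field type change (and why the `sync` import could be dropped); declaring it against an interface instead, `var lock sync.Locker` if the body only calls Lock/Unlock or a small RWMutex-shaped interface if it also needs RLock/RUnlock, would let Core change lock implementations again without touching this switch. Which methods are actually used is not visible here, so the right interface has to be confirmed from the rest of the body. handleTuneWriteCommon, including the remaining switch cases, continues past the hunk.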


@ -1022,11 +1022,9 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
} }
leaseGenerated := false leaseGenerated := false
loginRole := c.DetermineRoleFromLoginRequest(req.MountPoint, req.Data, ctx)
quotaResp, quotaErr := c.applyLeaseCountQuota(ctx, &quotas.Request{ quotaResp, quotaErr := c.applyLeaseCountQuota(ctx, &quotas.Request{
Path: req.Path, Path: req.Path,
MountPath: strings.TrimPrefix(req.MountPoint, ns.Path), MountPath: strings.TrimPrefix(req.MountPoint, ns.Path),
Role: loginRole,
NamespacePath: ns.Path, NamespacePath: ns.Path,
}) })
if quotaErr != nil { if quotaErr != nil {
@ -1166,7 +1164,7 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
return nil, auth, retErr return nil, auth, retErr
} }
leaseID, err := registerFunc(ctx, req, resp, loginRole) leaseID, err := registerFunc(ctx, req, resp, "")
if err != nil { if err != nil {
c.logger.Error("failed to register lease", "request_path", req.Path, "error", err) c.logger.Error("failed to register lease", "request_path", req.Path, "error", err)
retErr = multierror.Append(retErr, ErrInternalError) retErr = multierror.Append(retErr, ErrInternalError)
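Review bot: The bare `""` passed to registerFunc on the changed line, together with the quota request in the previous hunk that now omits Role, is the entire fix but carries no explanation, so a later reader is likely to "restore" the role lookup; a comment on the registerFunc line such as `// No login role on this path: handleRequest serves non-login requests, so role-scoped lease count quotas must not apply here, and DetermineRoleFromLoginRequest must not be called (see changelog/21110.txt).` would pin the intent in both places. The deadlock reference comes from the changelog in this commit rather than from anything visible in the hunk, so the wording should be checked against the actual lock ordering in DetermineRoleFromLoginRequest. Both hunks sit inside handleRequest, which begins and ends outside them.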