backport of commit c040f901e57d2d04772827b52f7b052757986897 (#22135)

Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>

changelog/21925.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+kmip (enterprise): Add namespace lock and unlock support
+```

sdk/logical/system_view.go

@@ -107,6 +107,10 @@ type PasswordPolicy interface {
 type ExtendedSystemView interface {
 	Auditor() Auditor
 	ForwardGenericRequest(context.Context, *Request) (*Response, error)
+
+	// APILockShouldBlockRequest returns whether a namespace for the requested
+	// mount is locked and should be blocked
+	APILockShouldBlockRequest() (bool, error)
 }
 
 type PasswordGenerator func() (password string, err error)
@@ -128,6 +132,7 @@ type StaticSystemView struct {
 	PasswordPolicies             map[string]PasswordGenerator
 	VersionString                string
 	ClusterUUID                  string
+	APILockShouldBlockRequestVal bool
 }
 
 type noopAuditor struct{}
@@ -253,3 +258,7 @@ func (d *StaticSystemView) DeletePasswordPolicy(name string) (existed bool) {
 func (d StaticSystemView) ClusterID(ctx context.Context) (string, error) {
 	return d.ClusterUUID, nil
 }
+
+func (d StaticSystemView) APILockShouldBlockRequest() (bool, error) {
+	return d.APILockShouldBlockRequestVal, nil
+}

vault/dynamic_system_view.go

@@ -136,6 +136,20 @@ func (e extendedSystemViewImpl) SudoPrivilege(ctx context.Context, path string,
 	return authResults.RootPrivs
 }
 
+func (e extendedSystemViewImpl) APILockShouldBlockRequest() (bool, error) {
+	mountEntry := e.mountEntry
+	if mountEntry == nil {
+		return false, fmt.Errorf("no mount entry")
+	}
+	ns := mountEntry.Namespace()
+
+	if err := enterpriseBlockRequestIfError(e.core, ns.Path, mountEntry.Path); err != nil {
+		return true, nil
+	}
+
+	return false, nil
+}
+
 func (d dynamicSystemView) DefaultLeaseTTL() time.Duration {
 	def, _ := d.fetchTTLs()
 	return def