From 474c4e8134f82015959ed82288fb5c1deecbf6e1 Mon Sep 17 00:00:00 2001
From: Nick Cabatoff <ncabatoff@hashicorp.com>
Date: Mon, 19 Apr 2021 17:28:04 -0400
Subject: [PATCH] Make cubbyhole revocation/tidying compatible with cubbys in
 namespaces. (#11408)

---
 changelog/11408.txt        |  3 +++
 vault/logical_cubbyhole.go |  4 ++--
 vault/token_store.go       | 20 ++++++++++++++++----
 3 files changed, 21 insertions(+), 6 deletions(-)
 create mode 100644 changelog/11408.txt

diff --git a/changelog/11408.txt b/changelog/11408.txt
new file mode 100644
index 000000000..e4c47e3ad
--- /dev/null
+++ b/changelog/11408.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: Fix cleanup of storage entries from cubbyholes within namespaces.
+```
\ No newline at end of file
diff --git a/vault/logical_cubbyhole.go b/vault/logical_cubbyhole.go
index 9e944f7c7..719be7552 100644
--- a/vault/logical_cubbyhole.go
+++ b/vault/logical_cubbyhole.go
@@ -83,12 +83,12 @@ func (b *CubbyholeBackend) paths() []*framework.Path {
 	}
 }
 
-func (b *CubbyholeBackend) revoke(ctx context.Context, saltedToken string) error {
+func (b *CubbyholeBackend) revoke(ctx context.Context, view *BarrierView, saltedToken string) error {
 	if saltedToken == "" {
 		return fmt.Errorf("client token empty during revocation")
 	}
 
-	if err := logical.ClearView(ctx, b.storageView.(*BarrierView).SubView(saltedToken+"/")); err != nil {
+	if err := logical.ClearView(ctx, view.SubView(saltedToken+"/")); err != nil {
 		return err
 	}
 
diff --git a/vault/token_store.go b/vault/token_store.go
index 3c17c61b3..7864a2159 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -86,19 +86,25 @@ var (
 			return errors.New("nil token entry")
 		}
 
+		storage := ts.core.router.MatchingStorageByAPIPath(ctx, cubbyholeMountPath)
+		if storage == nil {
+			return fmt.Errorf("no cubby mount entry")
+		}
+		view := storage.(*BarrierView)
+
 		switch {
 		case te.NamespaceID == namespace.RootNamespaceID && !strings.HasPrefix(te.ID, "s."):
 			saltedID, err := ts.SaltID(ctx, te.ID)
 			if err != nil {
 				return err
 			}
-			return ts.cubbyholeBackend.revoke(ctx, salt.SaltID(ts.cubbyholeBackend.saltUUID, saltedID, salt.SHA1Hash))
+			return ts.cubbyholeBackend.revoke(ctx, view, salt.SaltID(ts.cubbyholeBackend.saltUUID, saltedID, salt.SHA1Hash))
 
 		default:
 			if te.CubbyholeID == "" {
 				return fmt.Errorf("missing cubbyhole ID while destroying")
 			}
-			return ts.cubbyholeBackend.revoke(ctx, te.CubbyholeID)
+			return ts.cubbyholeBackend.revoke(ctx, view, te.CubbyholeID)
 		}
 	}
 )
@@ -1819,7 +1825,13 @@ func (ts *TokenStore) handleTidy(ctx context.Context, req *logical.Request, data
 			}
 
 			// List all the cubbyhole storage keys
-			cubbyholeKeys, err := ts.cubbyholeBackend.storageView.List(quitCtx, "")
+			view := ts.core.router.MatchingStorageByAPIPath(ctx, cubbyholeMountPath)
+			if view == nil {
+				return fmt.Errorf("no cubby mount entry")
+			}
+			bview := view.(*BarrierView)
+
+			cubbyholeKeys, err := bview.List(quitCtx, "")
 			if err != nil {
 				return errwrap.Wrapf("failed to fetch cubbyhole storage keys: {{err}}", err)
 			}
@@ -2016,7 +2028,7 @@ func (ts *TokenStore) handleTidy(ctx context.Context, req *logical.Request, data
 				key := strings.TrimSuffix(key, "/")
 				if !validCubbyholeKeys[key] {
 					ts.logger.Info("deleting invalid cubbyhole", "key", key)
-					err = ts.cubbyholeBackend.revoke(quitCtx, key)
+					err = ts.cubbyholeBackend.revoke(quitCtx, bview, key)
 					if err != nil {
 						tidyErrors = multierror.Append(tidyErrors, errwrap.Wrapf(fmt.Sprintf("failed to revoke cubbyhole key %q: {{err}}", key), err))
 					}