Make config load consistent with config write (#20059)

When reading the config, we attempt to detect if the running Vault
instance has been changed from its Enterprise status on write.
Similarly, we should detect whether the mount is a local mount. While
this isn't changeable at runtime, using sys/raw to side-load an invalid
config could be possible.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Alexander Scheel 2023-04-11 11:05:43 -04:00 committed by GitHub
parent 3e36a58cf7
commit 5389477107
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 2 deletions


@ -1313,9 +1313,10 @@ func (sc *storageContext) getRevocationConfig() (*crlConfig, error) {
result.Expiry = defaultCrlConfig.Expiry
}
if !constants.IsEnterprise && (result.UnifiedCRLOnExistingPaths || result.UnifiedCRL || result.UseGlobalQueue) {
isLocalMount := sc.Backend.System().LocalMount()
if (!constants.IsEnterprise || isLocalMount) && (result.UnifiedCRLOnExistingPaths || result.UnifiedCRL || result.UseGlobalQueue) {
// An end user must have had Enterprise, enabled the unified config args and then downgraded to OSS.
sc.Backend.Logger().Warn("Not running Vault Enterprise, " +
sc.Backend.Logger().Warn("Not running Vault Enterprise or using a local mount, " +
"disabling unified_crl, unified_crl_on_existing_paths and cross_cluster_revocation config flags.")
result.UnifiedCRLOnExistingPaths = false
result.UnifiedCRL = false