VAULT-9451 Fix data race in entity merge (#17631)

2022-10-21 16:47:59 -04:00 · 2022-10-21 16:47:59 -04:00 · 73f9b13762
parent 85d759faf0
commit 73f9b13762
2 changed files with 20 additions and 20 deletions
--- a/vault/identity_store_entities.go
+++ b/vault/identity_store_entities.go
@ -791,8 +791,6 @@ func (i *IdentityStore) mergeEntity(ctx context.Context, txn *memdb.Txn, toEntit
 	// can be understood by the UI
 	aliasesInvolvedInClashes := make([]aliasClashInformation, 0)

-	i.UpdateEntityWithMountInformation(toEntity)
-
 	// An error detailing if any alias clashes happen (shared mount accessor)
 	var aliasClashError error

@ -814,8 +812,6 @@ func (i *IdentityStore) mergeEntity(ctx context.Context, txn *memdb.Txn, toEntit
 			return errors.New("entity id to merge from does not belong to this namespace"), nil, nil
 		}

-		i.UpdateEntityWithMountInformation(fromEntity)
-
 		// If we're not resolving a conflict, we check to see if
 		// any aliases conflict between the toEntity and this fromEntity:
 		if !forceMergeAliases && len(conflictingAliasIDsToKeep) == 0 {
@ -838,20 +834,36 @@ func (i *IdentityStore) mergeEntity(ctx context.Context, txn *memdb.Txn, toEntit
 							fmt.Errorf("mountAccessor: %s, toEntity ID: %s, fromEntity ID: %s, conflicting toEntity alias ID: %s, conflicting fromEntity alias ID: %s",
 								toAlias.MountAccessor, toEntity.ID, fromEntityID, toAlias.ID, fromAlias.ID))

+						var toAliasMountType string
+						var toAliasMountPath string
+						mountValidationRespToAlias := i.router.ValidateMountByAccessor(toAlias.MountAccessor)
+						if mountValidationRespToAlias != nil {
+							toAliasMountType = mountValidationRespToAlias.MountType
+							toAliasMountPath = mountValidationRespToAlias.MountPath
+						}
+
+						var fromAliasMountType string
+						var fromAliasMountPath string
+						mountValidationRespFromAlias := i.router.ValidateMountByAccessor(fromAlias.MountAccessor)
+						if mountValidationRespFromAlias != nil {
+							fromAliasMountType = mountValidationRespFromAlias.MountType
+							fromAliasMountPath = mountValidationRespFromAlias.MountPath
+						}
+
 						// Also add both to our summary of all clashes:
 						aliasesInvolvedInClashes = append(aliasesInvolvedInClashes, aliasClashInformation{
 							Entity:    toEntity.Name,
 							EntityId:  toEntity.ID,
 							Alias:     toAlias.Name,
-							Mount:     toAlias.MountType,
-							MountPath: toAlias.MountPath,
+							Mount:     toAliasMountType,
+							MountPath: toAliasMountPath,
 						})
 						aliasesInvolvedInClashes = append(aliasesInvolvedInClashes, aliasClashInformation{
 							Entity:    fromEntity.Name,
 							EntityId:  fromEntityID,
 							Alias:     fromAlias.Name,
-							Mount:     fromAlias.MountType,
-							MountPath: fromAlias.MountPath,
+							Mount:     fromAliasMountType,
+							MountPath: fromAliasMountPath,
 						})
 					}
 				}
--- a/vault/identity_store_util.go
+++ b/vault/identity_store_util.go
@ -1092,18 +1092,6 @@ func (i *IdentityStore) MemDBEntityByIDInTxn(txn *memdb.Txn, entityID string, cl
 	return entity, nil
 }

-func (i *IdentityStore) UpdateEntityWithMountInformation(entity *identity.Entity) {
-	if entity != nil {
-		for _, alias := range entity.Aliases {
-			mountValidationResp := i.router.ValidateMountByAccessor(alias.MountAccessor)
-			if mountValidationResp != nil {
-				alias.MountType = mountValidationResp.MountType
-				alias.MountPath = mountValidationResp.MountPath
-			}
-		}
-	}
-}
-
 func (i *IdentityStore) MemDBEntityByID(entityID string, clone bool) (*identity.Entity, error) {
 	if entityID == "" {
 		return nil, fmt.Errorf("missing entity id")