Add locking for revocation/CRL generation. I originally was going to use an RWMutex but punted, because it's not worth trying to save some milliseconds with the possibility of getting something wrong. So the entire operations are now wrapped, which is minimally slower but very safe.

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>

builtin/logical/pki/crl_util.go

@@ -5,6 +5,7 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"fmt"
+	"sync"
 	"time"
 
 	"github.com/hashicorp/vault/logical"
@@ -16,7 +17,8 @@ type revocationInfo struct {
 }
 
 var (
-	crlLifetime = time.Hour * 72
+	crlLifetime       = time.Hour * 72
+	revokeStorageLock = &sync.Mutex{}
 )
 
 func revokeCert(req *logical.Request, serial string) (*logical.Response, error) {
@@ -37,6 +39,7 @@ func revokeCert(req *logical.Request, serial string) (*logical.Response, error)
 			if err != nil {
 				return nil, fmt.Errorf("Error getting existing revocation info")
 			}
+
 			err = revEntry.DecodeJSON(&revInfo)
 			if err != nil {
 				return nil, fmt.Errorf("Error decoding existing revocation info")

builtin/logical/pki/path_revoke.go

@@ -45,10 +45,16 @@ func (b *backend) pathRevokeWrite(req *logical.Request, data *framework.FieldDat
 		return logical.ErrorResponse("The serial number must be provided"), nil
 	}
 
+	revokeStorageLock.Lock()
+	defer revokeStorageLock.Unlock()
+
 	return revokeCert(req, serial)
 }
 
 func (b *backend) pathRotateCRLRead(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	revokeStorageLock.Lock()
+	defer revokeStorageLock.Unlock()
+
 	err := buildCRL(req)
 	if err != nil {
 		return logical.ErrorResponse(fmt.Sprintf("Error building CRL: %s", err)), err

builtin/logical/pki/secret_certs.go

@@ -50,5 +50,8 @@ func (b *backend) secretCredsRevoke(
 
 	serial := strings.Replace(strings.ToLower(serialInt.(string)), "-", ":", -1)
 
+	revokeStorageLock.Lock()
+	defer revokeStorageLock.Unlock()
+
 	return revokeCert(req, serial)
 }