From 7cf1f186ede17dc0864cc1d8ff9a8bf59be276c6 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell <jemitche@akamai.com>
Date: Thu, 11 Jun 2015 22:28:13 -0400
Subject: [PATCH] Add locking for revocation/CRL generation. I originally was
 going to use an RWMutex but punted, because it's not worth trying to save
 some milliseconds with the possibility of getting something wrong. So the
 entire operations are now wrapped, which is minimally slower but very safe.

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
---
 builtin/logical/pki/crl_util.go     | 5 ++++-
 builtin/logical/pki/path_revoke.go  | 6 ++++++
 builtin/logical/pki/secret_certs.go | 3 +++
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/builtin/logical/pki/crl_util.go b/builtin/logical/pki/crl_util.go
index 1fc00d465..eb4c58da3 100644
--- a/builtin/logical/pki/crl_util.go
+++ b/builtin/logical/pki/crl_util.go
@@ -5,6 +5,7 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"fmt"
+	"sync"
 	"time"
 
 	"github.com/hashicorp/vault/logical"
@@ -16,7 +17,8 @@ type revocationInfo struct {
 }
 
 var (
-	crlLifetime = time.Hour * 72
+	crlLifetime       = time.Hour * 72
+	revokeStorageLock = &sync.Mutex{}
 )
 
 func revokeCert(req *logical.Request, serial string) (*logical.Response, error) {
@@ -37,6 +39,7 @@ func revokeCert(req *logical.Request, serial string) (*logical.Response, error)
 			if err != nil {
 				return nil, fmt.Errorf("Error getting existing revocation info")
 			}
+
 			err = revEntry.DecodeJSON(&revInfo)
 			if err != nil {
 				return nil, fmt.Errorf("Error decoding existing revocation info")
diff --git a/builtin/logical/pki/path_revoke.go b/builtin/logical/pki/path_revoke.go
index eb8955597..3c2c9ec5a 100644
--- a/builtin/logical/pki/path_revoke.go
+++ b/builtin/logical/pki/path_revoke.go
@@ -45,10 +45,16 @@ func (b *backend) pathRevokeWrite(req *logical.Request, data *framework.FieldDat
 		return logical.ErrorResponse("The serial number must be provided"), nil
 	}
 
+	revokeStorageLock.Lock()
+	defer revokeStorageLock.Unlock()
+
 	return revokeCert(req, serial)
 }
 
 func (b *backend) pathRotateCRLRead(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	revokeStorageLock.Lock()
+	defer revokeStorageLock.Unlock()
+
 	err := buildCRL(req)
 	if err != nil {
 		return logical.ErrorResponse(fmt.Sprintf("Error building CRL: %s", err)), err
diff --git a/builtin/logical/pki/secret_certs.go b/builtin/logical/pki/secret_certs.go
index d09159a64..28c8a2dc4 100644
--- a/builtin/logical/pki/secret_certs.go
+++ b/builtin/logical/pki/secret_certs.go
@@ -50,5 +50,8 @@ func (b *backend) secretCredsRevoke(
 
 	serial := strings.Replace(strings.ToLower(serialInt.(string)), "-", ":", -1)
 
+	revokeStorageLock.Lock()
+	defer revokeStorageLock.Unlock()
+
 	return revokeCert(req, serial)
 }