Sync the locking behavior between logical/auth backend (#2280)

Jeff Mitchell 2017-01-17 13:02:29 -05:00 committed by GitHub
parent dd0e44ca10
commit 8e62acbd59
2 changed files with 26 additions and 16 deletions


@ -66,6 +66,10 @@ func (c *Core) enableCredential(entry *MountEntry) error {
return fmt.Errorf("token credential backend cannot be instantiated")
}
if match := c.router.MatchingMount(credentialRoutePrefix + entry.Path); match != "" {
return logical.CodedError(409, fmt.Sprintf("existing mount at %s", match))
}
// Generate a new UUID and view
entryUUID, err := uuid.GenerateUUID()
if err != nil {
@ -80,6 +84,13 @@ func (c *Core) enableCredential(entry *MountEntry) error {
return err
}
// Mount the backend; we do this here so that if we can't successfully
// mount we haven't persisted the table.
path := credentialRoutePrefix + entry.Path
if err := c.router.Mount(backend, path, entry, view); err != nil {
return err
}
// Update the auth table
newTable := c.auth.shallowClone()
newTable.Entries = append(newTable.Entries, entry)
@ -89,11 +100,6 @@ func (c *Core) enableCredential(entry *MountEntry) error {
c.auth = newTable
// Mount the backend
path := credentialRoutePrefix + entry.Path
if err := c.router.Mount(backend, path, entry, view); err != nil {
return err
}
if c.logger.IsInfo() {
c.logger.Info("core: enabled credential backend", "path", entry.Path, "type", entry.Type)
}
@ -120,9 +126,6 @@ func (c *Core) disableCredential(path string) (bool, error) {
return false, fmt.Errorf("no matching backend")
}
c.authLock.Lock()
defer c.authLock.Unlock()
// Mark the entry as tainted
if err := c.taintCredEntry(path); err != nil {
return true, err
@ -162,6 +165,9 @@ func (c *Core) disableCredential(path string) (bool, error) {
// removeCredEntry is used to remove an entry in the auth table
func (c *Core) removeCredEntry(path string) error {
c.authLock.Lock()
defer c.authLock.Unlock()
// Taint the entry from the auth table
newTable := c.auth.shallowClone()
newTable.remove(path)
@ -178,6 +184,9 @@ func (c *Core) removeCredEntry(path string) error {
// taintCredEntry is used to mark an entry in the auth table as tainted
func (c *Core) taintCredEntry(path string) error {
c.authLock.Lock()
defer c.authLock.Unlock()
// Taint the entry from the auth table
// We do this on the original since setting the taint operates
// on the entries which a shallow clone shares anyways
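Review bot: disableCredential no longer holds c.authLock across its whole body. The Lock/defer Unlock pair in the `@ -120,9 +126,6` hunk appears to be the removed side, while removeCredEntry and taintCredEntry now take the lock themselves, so tainting, the steps between, and the table removal become separate critical sections. Two disable calls for the same path, or an enable racing a disable, can interleave between those steps, so it is worth confirming that each step tolerates an already-tainted or already-removed entry. Assuming authLock is a standard non-reentrant sync mutex, any caller that already holds it would now deadlock in these helpers; their doc comments should say so, e.g. `// taintCredEntry acquires c.authLock itself; callers must not hold it.` and the same for removeCredEntry. The +/- markers are lost in this rendering and disableCredential's body extends outside the hunk, so the added and removed sides are read from the hunk line counts.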


@ -172,6 +172,9 @@ func (c *Core) mount(me *MountEntry) error {
}
}
c.mountsLock.Lock()
defer c.mountsLock.Unlock()
// Verify there is no conflicting mount
if match := c.router.MatchingMount(me.Path); match != "" {
return logical.CodedError(409, fmt.Sprintf("existing mount at %s", match))
@ -190,22 +193,20 @@ func (c *Core) mount(me *MountEntry) error {
return err
}
// Update the mount table
c.mountsLock.Lock()
// Mount the backend; we do this here so that if we can't successfully
// mount we haven't persisted the table.
if err := c.router.Mount(backend, me.Path, me, view); err != nil {
return err
}
newTable := c.mounts.shallowClone()
newTable.Entries = append(newTable.Entries, me)
if err := c.persistMounts(newTable); err != nil {
c.mountsLock.Unlock()
c.logger.Error("core: failed to update mount table", "error", err)
return logical.CodedError(500, "failed to update mount table")
}
c.mounts = newTable
c.mountsLock.Unlock()
// Mount the backend
if err := c.router.Mount(backend, me.Path, me, view); err != nil {
return err
}
if c.logger.IsInfo() {
c.logger.Info("core: successful mount", "path", me.Path, "type", me.Type)
}
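Review bot: In mount(), the `c.router.Mount(backend, me.Path, me, view)` call now runs before `c.persistMounts(newTable)`, and the persist error path returns the 500 without undoing the route. A failed persist therefore leaves the backend routable while it is absent from c.mounts and from storage. A retry would then presumably be rejected by the MatchingMount 409 check earlier in the function until the route is removed. Consider rolling the route back on that path before returning, e.g. `c.router.Unmount(me.Path)` with its error logged (confirm the router method's exact signature, which is not visible here). enableCredential has the same mount-before-persist ordering in its `@ -80,6 +84,13` hunk, where the persist call falls outside the visible lines; for an auth backend a live but unrecorded route is the more sensitive case, since the auth table would no longer reflect what is actually reachable.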