luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

identity/oidc: prevent key rotation on performance secondary clusters (#14426)

This commit is contained in:
Austin Gebauer 2022-03-09 15:41:02 -08:00 committed by GitHub
parent 0667cb8b76
commit d016b67915
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 16 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
changelog/14426.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:bug
identity/oidc: Fixes potential write to readonly storage on performance secondary clusters during key rotation
```

16
vault/identity_store_oidc.go
View File

@ -24,6 +24,7 @@ import (
"github.com/hashicorp/vault/helper/identity" "github.com/hashicorp/vault/helper/identity"
"github.com/hashicorp/vault/helper/namespace" "github.com/hashicorp/vault/helper/namespace"
"github.com/hashicorp/vault/sdk/framework" "github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/helper/identitytpl" "github.com/hashicorp/vault/sdk/helper/identitytpl"
"github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/sdk/logical"
"github.com/patrickmn/go-cache" "github.com/patrickmn/go-cache"
@ -1773,11 +1774,13 @@ func (i *IdentityStore) expireOIDCPublicKeys(ctx context.Context, s logical.Stor
key.KeyRing = keyRing key.KeyRing = keyRing
entry, err := logical.StorageEntryJSON(entry.Key, key) entry, err := logical.StorageEntryJSON(entry.Key, key)
if err != nil { if err != nil {
i.Logger().Error("error updating key", "key", key.name, "error", err) i.Logger().Error("error creating storage entry", "key", key.name, "error", err)
continue
} }
if err := s.Put(ctx, entry); err != nil { if err := s.Put(ctx, entry); err != nil {
i.Logger().Error("error saving key", "key", key.name, "error", err) i.Logger().Error("error writing key", "key", key.name, "error", err)
continue
} }
didUpdate = true didUpdate = true
} }
@ -1787,11 +1790,12 @@ func (i *IdentityStore) expireOIDCPublicKeys(ctx context.Context, s logical.Stor
// use by some role. // use by some role.
for _, keyID := range publicKeyIDs { for _, keyID := range publicKeyIDs {
if !strutil.StrListContains(usedKeys, keyID) { if !strutil.StrListContains(usedKeys, keyID) {
didUpdate = true
if err := s.Delete(ctx, publicKeysConfigPath+keyID); err != nil { if err := s.Delete(ctx, publicKeysConfigPath+keyID); err != nil {
i.Logger().Error("error deleting OIDC public key", "key_id", keyID, "error", err) i.Logger().Error("error deleting OIDC public key", "key_id", keyID, "error", err)
nextExpiration = now nextExpiration = now
continue
} }
didUpdate = true
i.Logger().Debug("deleted OIDC public key", "key_id", keyID) i.Logger().Debug("deleted OIDC public key", "key_id", keyID)
} }
} }
@ -1874,6 +1878,12 @@ func (i *IdentityStore) oidcKeyRotation(ctx context.Context, s logical.Storage)
// oidcPeriodFunc is invoked by the backend's periodFunc and runs regular key // oidcPeriodFunc is invoked by the backend's periodFunc and runs regular key
// rotations and expiration actions. // rotations and expiration actions.
func (i *IdentityStore) oidcPeriodicFunc(ctx context.Context) { func (i *IdentityStore) oidcPeriodicFunc(ctx context.Context) {
// Key rotations write to storage, so only run this on the primary cluster.
// The periodic func does not run on perf standbys or DR secondaries.
if i.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary) {
return
}
var nextRun time.Time var nextRun time.Time
now := time.Now() now := time.Now()