From e98cd02fa0a0698e0f039cf933bbf732d84d2984 Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Thu, 17 Aug 2023 17:41:15 -0400
Subject: [PATCH] backport of commit c2ba113defbd98a6cd749dcd13f734b911241c98 (#22423)

Co-authored-by: akshya96 <87045294+akshya96@users.noreply.github.com>
---
 changelog/22355.txt | 3 +++
 vault/core.go | 30 ++++++++++++++++++++++--------
 2 files changed, 25 insertions(+), 8 deletions(-)
 create mode 100644 changelog/22355.txt

diff --git a/changelog/22355.txt b/changelog/22355.txt
new file mode 100644
index 000000000..d748796c1
--- /dev/null
+++ b/changelog/22355.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: Fix bug where background thread to update locked user entries runs on DR secondaries.
+```
\ No newline at end of file
diff --git a/vault/core.go b/vault/core.go
index b19927469..faf1659bc 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -647,6 +647,8 @@ type Core struct {
 
 	autoRotateCancel context.CancelFunc
 
+	updateLockedUserEntriesCancel context.CancelFunc
+
 	// number of workers to use for lease revocation in the expiration manager
 	numExpirationWorkers int
 
@@ -2322,12 +2324,9 @@ func (s standardUnsealStrategy) unseal(ctx context.Context, logger log.Logger, c
 	if err := c.setupHeaderHMACKey(ctx, false); err != nil {
 		return err
 	}
-	if err := c.runLockedUserEntryUpdates(ctx); err != nil {
-		return err
-	}
-	c.updateLockedUserEntries()
-
 	if !c.IsDRSecondary() {
+		c.updateLockedUserEntries()
+
 		if err := c.startRollback(); err != nil {
 			return err
 		}
@@ -2586,6 +2585,11 @@ func (c *Core) preSeal() error {
 		c.autoRotateCancel = nil
 	}
 
+	if c.updateLockedUserEntriesCancel != nil {
+		c.updateLockedUserEntriesCancel()
+		c.updateLockedUserEntriesCancel = nil
+	}
+
 	if seal, ok := c.seal.(*autoSeal); ok {
 		seal.StopHealthCheck()
 	}
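Review bot: The new `updateLockedUserEntriesCancel` field in the `Core` struct is added without a doc comment, while the neighbouring `numExpirationWorkers` field carries one. Because the field is set in `updateLockedUserEntries` and cleared in `preSeal` in the later hunks of this patch, the comment should tie those together, e.g. `// updateLockedUserEntriesCancel stops the background locked-user-entry update loop started by updateLockedUserEntries; set on unseal, cleared in preSeal.` The struct definition starts and ends outside the hunk.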
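Review bot: Moving `c.updateLockedUserEntries()` under `if !c.IsDRSecondary()` also changes the failure semantics of the initial locked-user-entry update: before this patch an error from `c.runLockedUserEntryUpdates(ctx)` aborted unseal, whereas now that first run happens inside `updateLockedUserEntries` (hunk @@ -3434) and is only logged. If that relaxation is intentional, the call site should say so, e.g. `// locked-user entry updates are best-effort: failures are logged by updateLockedUserEntries rather than failing unseal`; if it is not, the error would need to be surfaced back from `updateLockedUserEntries`. The body of `unseal` continues outside the hunk on both sides.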
@@ -3434,16 +3438,26 @@ func (c *Core) setupCachedMFAResponseAuth() {
 // updateLockedUserEntries runs every 15 mins to remove stale user entries from storage
 // it also updates the userFailedLoginInfo map with correct information for locked users if incorrect
 func (c *Core) updateLockedUserEntries() {
-	ctx := c.activeContext
+	if c.updateLockedUserEntriesCancel != nil {
+		return
+	}
+
+	var updateLockedUserEntriesCtx context.Context
+	updateLockedUserEntriesCtx, c.updateLockedUserEntriesCancel = context.WithCancel(c.activeContext)
+
+	if err := c.runLockedUserEntryUpdates(updateLockedUserEntriesCtx); err != nil {
+		c.Logger().Error("failed to run locked user entry updates", "error", err)
+	}
+
 	go func() {
 		ticker := time.NewTicker(15 * time.Minute)
 		for {
 			select {
-			case <-ctx.Done():
+			case <-updateLockedUserEntriesCtx.Done():
 				ticker.Stop()
 				return
 			case <-ticker.C:
-				if err := c.runLockedUserEntryUpdates(ctx); err != nil {
+				if err := c.runLockedUserEntryUpdates(updateLockedUserEntriesCtx); err != nil {
 					c.Logger().Error("failed to run locked user entry updates", "error", err)
 				}
 			}
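Review bot: The doc comment on `updateLockedUserEntries` is now stale: the function also runs one update synchronously before starting the ticker, returns immediately when `c.updateLockedUserEntriesCancel` is already set, and relies on `preSeal` cancelling the derived context to stop the goroutine, and none of that is mentioned. As a point of style, the `var updateLockedUserEntriesCtx context.Context` declaration followed by the multi-assignment exists only to land the cancel func on the struct field; `ctx, cancel := context.WithCancel(c.activeContext)` then `c.updateLockedUserEntriesCancel = cancel` reads more naturally and keeps the short `ctx` name the goroutine used before. The nil check and the assignment to `c.updateLockedUserEntriesCancel` are unsynchronized in this hunk, which is presumably safe only because both this function and `preSeal` run under the same lock — worth confirming. Cancellation from `preSeal` is also not waited on, so a `runLockedUserEntryUpdates` call in flight at seal time may still be touching storage after the seal completes; that mirrors the existing `autoRotateCancel` handling, so it is likely accepted, but a comment saying so would help. The function's closing braces lie outside the hunk.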