From f279de670433c83d8132c9484b44ac78a37e6b86 Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Tue, 29 Aug 2023 17:52:08 -0400
Subject: [PATCH] Only track role in login path (#22620) (#22626)

Co-authored-by: Mike Palmiotto
---
 vault/request_handling.go | 9 ++-------
 vault/wrapping.go | 11 +++--------
 2 files changed, 5 insertions(+), 15 deletions(-)

diff --git a/vault/request_handling.go b/vault/request_handling.go
index 33e57a350..2d10dca0b 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@@ -1253,13 +1253,8 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
 NamespaceID: ns.ID,
 }
 
- // Check for request role in context to role based quotas
- var role string
- if reqRole := ctx.Value(logical.CtxKeyRequestRole{}); reqRole != nil {
- role = reqRole.(string)
- }
-
- if err := c.expiration.RegisterAuth(ctx, registeredTokenEntry, resp.Auth, role); err != nil {
+ // Only logins apply to role based quotas, so we can omit the role here, as we are not logging in.
+ if err := c.expiration.RegisterAuth(ctx, registeredTokenEntry, resp.Auth, ""); err != nil {
 // Best-effort clean up on error, so we log the cleanup error as
 // a warning but still return as internal error.
 if err := c.tokenStore.revokeOrphan(ctx, resp.Auth.ClientToken); err != nil {
diff --git a/vault/wrapping.go b/vault/wrapping.go
index 50ce0a585..889a171ef 100644
--- a/vault/wrapping.go
+++ b/vault/wrapping.go
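Review bot: The new RegisterAuth call passes a bare `""` as the role, with the justification living only in a call-site comment, and the same pattern repeats in the vault/wrapping.go hunk. If RegisterAuth treats an empty role as "not attributed to any role-based quota", that contract belongs once at its declaration rather than re-derived at each caller, e.g. a doc line such as `// role is empty for non-login token registrations; only login leases count toward role-based quotas.` The reasoning also assumes handleRequest never registers a login's auth, which this hunk cannot show; a test that creates a token (and a wrapped token) and asserts the resulting lease carries an empty role would pin that assumption against regression. handleRequest's body begins and continues outside this hunk.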
@@ -327,14 +327,9 @@ DONELISTHANDLING:
 },
 }
 
- // Check for request role in context to role based quotas
- var role string
- if reqRole := ctx.Value(logical.CtxKeyRequestRole{}); reqRole != nil {
- role = reqRole.(string)
- }
-
- // Register the wrapped token with the expiration manager
- if err := c.expiration.RegisterAuth(ctx, &te, wAuth, role); err != nil {
+ // Register the wrapped token with the expiration manager. We skip the role
+ // lookup here as we are not logging in, and only logins apply to role based quotas.
+ if err := c.expiration.RegisterAuth(ctx, &te, wAuth, ""); err != nil {
 // Revoke since it's not yet being tracked for expiration
 c.tokenStore.revokeOrphan(ctx, te.ID)
 c.logger.Error("failed to register cubbyhole wrapping token lease", "request_path", req.Path, "error", err)