Only track role in login path (#22620) (#22626)

Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
hc-github-team-secure-vault-core 2023-08-29 17:52:08 -04:00 committed by GitHub
parent 1ca272a127
commit f279de6704
2 changed files with 5 additions and 15 deletions


@ -1253,13 +1253,8 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
NamespaceID: ns.ID, NamespaceID: ns.ID,
} }
// Check for request role in context to role based quotas // Only logins apply to role based quotas, so we can omit the role here, as we are not logging in.
var role string if err := c.expiration.RegisterAuth(ctx, registeredTokenEntry, resp.Auth, ""); err != nil {
if reqRole := ctx.Value(logical.CtxKeyRequestRole{}); reqRole != nil {
role = reqRole.(string)
}
if err := c.expiration.RegisterAuth(ctx, registeredTokenEntry, resp.Auth, role); err != nil {
// Best-effort clean up on error, so we log the cleanup error as // Best-effort clean up on error, so we log the cleanup error as
// a warning but still return as internal error. // a warning but still return as internal error.
if err := c.tokenStore.revokeOrphan(ctx, resp.Auth.ClientToken); err != nil { if err := c.tokenStore.revokeOrphan(ctx, resp.Auth.ClientToken); err != nil {
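Review bot: The `""` now passed as the role argument to `c.expiration.RegisterAuth` is an unnamed sentinel; the comment above it states why the role is omitted but not what the expiration manager does with an empty role, so a reader cannot tell whether it means "no role recorded on the lease" or "fall back to some default". If RegisterAuth records no role for an empty string (its body is outside this hunk — confirm), tighten the comment to `// Non-login paths register with an empty role: RegisterAuth then records no role on the lease, so role-based quota accounting only ever sees leases created through a login.`; otherwise a named constant for the no-role case, shared with the cubbyhole wrapping hunk in the second file, would make the intent checkable at the call sites. The same literal appears in the second file's hunk, so whichever option is chosen should be applied there too. handleRequest's body continues outside the hunk.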


@ -327,14 +327,9 @@ DONELISTHANDLING:
}, },
} }
// Check for request role in context to role based quotas // Register the wrapped token with the expiration manager. We skip the role
var role string // lookup here as we are not logging in, and only logins apply to role based quotas.
if reqRole := ctx.Value(logical.CtxKeyRequestRole{}); reqRole != nil { if err := c.expiration.RegisterAuth(ctx, &te, wAuth, ""); err != nil {
role = reqRole.(string)
}
// Register the wrapped token with the expiration manager
if err := c.expiration.RegisterAuth(ctx, &te, wAuth, role); err != nil {
// Revoke since it's not yet being tracked for expiration // Revoke since it's not yet being tracked for expiration
c.tokenStore.revokeOrphan(ctx, te.ID) c.tokenStore.revokeOrphan(ctx, te.ID)
c.logger.Error("failed to register cubbyhole wrapping token lease", "request_path", req.Path, "error", err) c.logger.Error("failed to register cubbyhole wrapping token lease", "request_path", req.Path, "error", err)