backport of commit f2887a253506f80cd507d619dc49a2a495c173c1 (#21139)

Co-authored-by: Paul Banks <pbanks@hashicorp.com>
2023-06-13 10:21:51 -04:00 · 2023-06-13 10:21:51 -04:00 · fa482cbf1c
parent 7d6c3aca5f
commit fa482cbf1c
5 changed files with 39 additions and 2 deletions
--- a/changelog/21100.txt
+++ b/changelog/21100.txt
@ -0,0 +1,4 @@
+```release-note:bug
+replication (enterprise): Fix regression causing token creation against a role
+with a new entity alias to be incorrectly forwarded from perf standbys.
+```
--- a/vault/token_store.go
+++ b/vault/token_store.go
@ -2872,10 +2872,20 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
 			MountType:     mountValidationResp.Type,
 		}

-		// Create or fetch entity from entity alias
+		// Create or fetch entity from entity alias. Note that we might be on a perf
+		// standby so a create would return a ReadOnly error which would cause an
+		// RPC-based redirect. That path doesn't register leases since the code that
+		// calls RegisterAuth is in the http layer... So be careful to catch and
+		// handle readonly ourselves.
 		entity, _, err := ts.core.identityStore.CreateOrFetchEntity(ctx, alias)
 		if err != nil {
-			return nil, err
+			auth := &logical.Auth{
+				Alias: alias,
+			}
+			entity, _, err = possiblyForwardAliasCreation(ctx, ts.core, err, auth, entity)
+			if err != nil {
+				return nil, err
+			}
 		}
 		if entity == nil {
 			return nil, errors.New("failed to create or fetch entity from given entity alias")
--- a/website/content/docs/release-notes/1.13.0.mdx
+++ b/website/content/docs/release-notes/1.13.0.mdx
@ -115,6 +115,8 @@ Refer to this [Knowledge Base article](https://support.hashicorp.com/hc/en-us/ar

 The fix for this UI issue is coming in the Vault 1.13.1 release.

+@include 'perf-standby-token-create-forwarding-failure.mdx'
+
 ## Feature Deprecations and EOL

 Please refer to the [Deprecation Plans and Notice](/vault/docs/deprecation) page
--- a/website/content/docs/upgrading/upgrade-to-1.13.x.mdx
+++ b/website/content/docs/upgrading/upgrade-to-1.13.x.mdx
@ -155,3 +155,5 @@ flag for [PKI roles](/vault/api-docs/secret/pki#createupdate-role).
 #### Impacted Versions

 Affects Vault 1.13.0+
+
+@include 'perf-standby-token-create-forwarding-failure.mdx'
--- a/website/content/partials/perf-standby-token-create-forwarding-failure.mdx
+++ b/website/content/partials/perf-standby-token-create-forwarding-failure.mdx
@ -0,0 +1,19 @@
+### Token creation with a new entity alias could silently fail
+
+A regression caused token creation requests under specific circumstances to be
+forwarded from perf standbys (Enterprise only) to the active node incorrectly.
+They would appear to succeed, however no lease was created. The token would then
+be revoked on first use causing a 403 error.
+
+This only happened when all of the following conditions were met:
+ - the token is being created against a role
+ - the request specifies an entity alias which has never been used before with
+   the same role (for example for a brand new role or a unique alias)
+ - the request happens to be made to a perf standby rather than the active node
+
+Retrying token creation after the affected token is rejected would work since
+the entity alias has already been created.
+
+#### Affected Versions
+
+Affects Vault 1.13.0 to 1.13.3. Fixed in 1.13.4.