From 22234c324d81308917a29f75ea212987a0a8cbf4 Mon Sep 17 00:00:00 2001
From: Nick Cabatoff
Date: Tue, 13 Jun 2023 17:24:50 +0000
Subject: [PATCH] backport of commit 4654c15248013edeb36fdeae28ab3631bebe0a8e
---
 changelog/21110.txt | 4 ++++
 vault/core.go | 4 ++--
 vault/logical_system.go | 4 ++--
 vault/request_handling.go | 4 +---
 4 files changed, 9 insertions(+), 7 deletions(-)
 create mode 100644 changelog/21110.txt
diff --git a/changelog/21110.txt b/changelog/21110.txt
new file mode 100644
index 000000000000..2471fac770de
--- /dev/null
+++ b/changelog/21110.txt
@@ -0,0 +1,4 @@
+```release-note:bug
+core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context.
+Also fix a related potential deadlock.
+```
\ No newline at end of file
diff --git a/vault/core.go b/vault/core.go
index ead3e036058b..117a491013ca 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -358,7 +358,7 @@ type Core struct {
 // mountsLock is used to ensure that the mounts table does not
 // change underneath a calling function
- mountsLock sync.RWMutex
+ mountsLock locking.DeadlockRWMutex
 // mountMigrationTracker tracks past and ongoing remount operations
 // against their migration ids
@@ -370,7 +370,7 @@ type Core struct {
 // authLock is used to ensure that the auth table does not
 // change underneath a calling function
- authLock sync.RWMutex
+ authLock locking.DeadlockRWMutex
 // audit is loaded after unseal since it is a protected
 // configuration
diff --git a/vault/logical_system.go b/vault/logical_system.go
index ca865046cbaa..489dfe7c52ef 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -17,7 +17,6 @@ import (
 "sort"
 "strconv"
 "strings"
- "sync"
 "time"
 "unicode"
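Review bot: The field comments on `mountsLock` (and on `authLock` in the second core.go hunk) still describe only what each lock guards and say nothing about why the type moved from `sync.RWMutex` to `locking.DeadlockRWMutex`, so the next reader cannot tell whether deadlock detection is always active or gated by a build tag. Suggest extending the comment, e.g. `// mountsLock is a locking.DeadlockRWMutex so that lock-ordering mistakes (such as re-acquiring it from a nested call) can be detected; see helper/locking for when detection is actually enabled.` The type change also means any code that takes a `*sync.RWMutex` to these fields must follow — logical_system.go does so in this patch, but other such callers, if any, are outside the diff and cannot be checked here. Whether `DeadlockRWMutex` costs the same as `sync.RWMutex` in release builds is likewise not visible in this patch and is worth stating where the type is defined.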
@@ -31,6 +30,7 @@ import (
 "github.com/hashicorp/vault/helper/experiments"
 "github.com/hashicorp/vault/helper/hostutil"
 "github.com/hashicorp/vault/helper/identity"
+ "github.com/hashicorp/vault/helper/locking"
 "github.com/hashicorp/vault/helper/logging"
 "github.com/hashicorp/vault/helper/metricsutil"
 "github.com/hashicorp/vault/helper/monitor"
@@ -1717,7 +1717,7 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string,
 return nil, logical.ErrReadOnly
 }
- var lock *sync.RWMutex
+ var lock *locking.DeadlockRWMutex
 switch {
 case strings.HasPrefix(path, credentialRoutePrefix):
 lock = &b.Core.authLock
diff --git a/vault/request_handling.go b/vault/request_handling.go
index fc8e599c4681..030c9173ecb8 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@@ -1006,11 +1006,9 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
 }
 leaseGenerated := false
- loginRole := c.DetermineRoleFromLoginRequest(req.MountPoint, req.Data, ctx)
 quotaResp, quotaErr := c.applyLeaseCountQuota(ctx, "as.Request{
 Path: req.Path,
 MountPath: strings.TrimPrefix(req.MountPoint, ns.Path),
- Role: loginRole,
 NamespacePath: ns.Path,
 })
 if quotaErr != nil {
@@ -1150,7 +1148,7 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
 return nil, auth, retErr
 }
- leaseID, err := registerFunc(ctx, req, resp, loginRole)
+ leaseID, err := registerFunc(ctx, req, resp, "")
 if err != nil {
 c.logger.Error("failed to register lease", "request_path", req.Path, "error", err)
 retErr = multierror.Append(retErr, ErrInternalError)
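Review bot: Passing the bare literal `""` to `registerFunc` in the `@@ -1150` hunk of request_handling.go leaves no trace of why the role is empty, and the `@@ -1006` hunk likewise drops `Role` from the quota request without a comment, so a later reader could easily reintroduce the role lookup here. The changelog gives the reason — this is the non-login path, and attaching a login role to a lease-count quota there makes the count land in the wrong quota bucket — but that reasoning belongs next to the code, e.g. `// Non-login request: no login role applies, so both the lease-count quota check and the lease registration are role-less here.` Removing the `DetermineRoleFromLoginRequest` call also presumably eliminates the lock re-entry that motivated the `DeadlockRWMutex` change in core.go; if so, a short comment saying the role lookup must not be called from under the request path's locks would protect against the same regression. handleRequest starts and ends outside both hunks.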