backport of commit f2887a2 (#21138)

Co-authored-by: Paul Banks <pbanks@hashicorp.com>
hashicorp · Jun 13, 2023 · a610bec · a610bec
1 parent 15ac3f3
commit a610bec
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 2 deletions.
diff --git a/changelog/21100.txt b/changelog/21100.txt
@@ -0,0 +1,4 @@
+```release-note:bug
+replication (enterprise): Fix regression causing token creation against a role
+with a new entity alias to be incorrectly forwarded from perf standbys.
+```
diff --git a/vault/token_store.go b/vault/token_store.go
@@ -2756,10 +2756,20 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
 			MountType:     mountValidationResp.Type,
 		}
 
-		// Create or fetch entity from entity alias
+		// Create or fetch entity from entity alias. Note that we might be on a perf
+		// standby so a create would return a ReadOnly error which would cause an
+		// RPC-based redirect. That path doesn't register leases since the code that
+		// calls RegisterAuth is in the http layer... So be careful to catch and
+		// handle readonly ourselves.
 		entity, _, err := ts.core.identityStore.CreateOrFetchEntity(ctx, alias)
 		if err != nil {
-			return nil, err
+			auth := &logical.Auth{
+				Alias: alias,
+			}
+			entity, _, err = possiblyForwardAliasCreation(ctx, ts.core, err, auth, entity)
+			if err != nil {
+				return nil, err
+			}
 		}
 		if entity == nil {
 			return nil, errors.New("failed to create or fetch entity from given entity alias")

diff --git a/website/content/docs/release-notes/1.13.0.mdx b/website/content/docs/release-notes/1.13.0.mdx
@@ -115,6 +115,8 @@ Refer to this [Knowledge Base article](https://support.hashicorp.com/hc/en-us/ar
 
 The fix for this UI issue is coming in the Vault 1.13.1 release.
 
+@include 'perf-standby-token-create-forwarding-failure.mdx'
+
 ## Feature Deprecations and EOL
 
 Please refer to the [Deprecation Plans and Notice](/vault/docs/deprecation) page

diff --git a/website/content/docs/upgrading/upgrade-to-1.13.x.mdx b/website/content/docs/upgrading/upgrade-to-1.13.x.mdx
@@ -155,3 +155,5 @@ flag for [PKI roles](/vault/api-docs/secret/pki#createupdate-role).
 #### Impacted Versions
 
 Affects Vault 1.13.0+
+
+@include 'perf-standby-token-create-forwarding-failure.mdx'
diff --git a/website/content/partials/perf-standby-token-create-forwarding-failure.mdx b/website/content/partials/perf-standby-token-create-forwarding-failure.mdx
@@ -0,0 +1,19 @@
+### Token creation with a new entity alias could silently fail
+
+A regression caused token creation requests under specific circumstances to be
+forwarded from perf standbys (Enterprise only) to the active node incorrectly.
+They would appear to succeed, however no lease was created. The token would then
+be revoked on first use causing a 403 error.
+
+This only happened when all of the following conditions were met:
+ - the token is being created against a role
+ - the request specifies an entity alias which has never been used before with
+   the same role (for example for a brand new role or a unique alias)
+ - the request happens to be made to a perf standby rather than the active node
+
+Retrying token creation after the affected token is rejected would work since
+the entity alias has already been created.
+
+#### Affected Versions
+
+Affects Vault 1.13.0 to 1.13.3. Fixed in 1.13.4.