Transit: fix race in the key update api (#28839)

stevendpclark · web-flow · commit 752bb0866461 · 2024-11-05T14:41:09.000-05:00
- The key update API would release the lock a little too early
   after it persisted the update so the reference could be updated
   when it was preparing the response to the caller across updates
   and/or key rotations
 - The storage updates were okay, just the response back to the caller
   of the update might see a mixture of different updates
diff --git a/builtin/logical/transit/path_keys.go b/builtin/logical/transit/path_keys.go
@@ -260,9 +260,10 @@ func (b *backend) pathPolicyWrite(ctx context.Context, req *logical.Request, d *
 	if p == nil {
 		return nil, fmt.Errorf("error generating key: returned policy was nil")
 	}
-	if b.System().CachingDisabled() {
-		p.Unlock()
+	if !b.System().CachingDisabled() {
+		p.Lock(true)
 	}
+	defer p.Unlock()
 
 	resp, err := b.formatKeyPolicy(p, nil)
 	if err != nil {
diff --git a/changelog/28839.txt b/changelog/28839.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/transit: Fix a race in which responses from the key update api could contain results from another subsequent update
+```

Original file line number	Diff line number	Diff line change
`@@ -260,9 +260,10 @@ func (b backend) pathPolicyWrite(ctx context.Context, req logical.Request, d *`
`260`	`260`	`if p == nil {`
`261`	`261`	`return nil, fmt.Errorf("error generating key: returned policy was nil")`
`262`	`262`	`}`
`263`		`- if b.System().CachingDisabled() {`
`264`		`- p.Unlock()`
	`263`	`+ if !b.System().CachingDisabled() {`
	`264`	`+ p.Lock(true)`
`265`	`265`	`}`
	`266`	`+ defer p.Unlock()`
`266`	`267`
`267`	`268`	`resp, err := b.formatKeyPolicy(p, nil)`
`268`	`269`	`if err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:bug
	`2`	`+secrets/transit: Fix a race in which responses from the key update api could contain results from another subsequent update`
	`3`	+```