
Commit b0e91d2

authored
Make cubbyhole revocation/tidying compatible with cubbys in namespaces. (#11408) (#11411)
1 parent e2d2736 commit b0e91d2


3 files changed

+21
-6
lines changed


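--- a/changelog/11408.txt
+++ b/changelog/11408.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: Fix cleanup of storage entries from cubbyholes within namespaces.
+```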
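--- a/vault/logical_cubbyhole.go
+++ b/vault/logical_cubbyhole.go
@@ -83,12 +83,12 @@ func (b *CubbyholeBackend) paths() []*framework.Path {
 	}
 }
 
-func (b *CubbyholeBackend) revoke(ctx context.Context, saltedToken string) error {
+func (b *CubbyholeBackend) revoke(ctx context.Context, view *BarrierView, saltedToken string) error {
 	if saltedToken == "" {
 		return fmt.Errorf("client token empty during revocation")
 	}
 
-	if err := logical.ClearView(ctx, b.storageView.(*BarrierView).SubView(saltedToken+"/")); err != nil {
+	if err := logical.ClearView(ctx, view.SubView(saltedToken+"/")); err != nil {
 		return err
 	}
 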
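Review bot: `revoke` now depends entirely on the caller handing it the barrier view of the correct cubbyhole mount, but neither the new signature nor the body states that contract, and a nil `view` would panic at `view.SubView` instead of returning an error the way the empty-token case does. A doc comment such as `// revoke clears every storage entry under saltedToken in view, which the caller must resolve to the cubbyhole mount of the token's namespace.` plus a guard `if view == nil { return fmt.Errorf("nil cubbyhole view during revocation") }` beside the existing empty-token check would make that explicit and keep a bad caller from taking down the revocation path. The body of revoke continues past the end of the hunk.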
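--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -86,19 +86,25 @@ var (
 			return errors.New("nil token entry")
 		}
 
+		storage := ts.core.router.MatchingStorageByAPIPath(ctx, cubbyholeMountPath)
+		if storage == nil {
+			return fmt.Errorf("no cubby mount entry")
+		}
+		view := storage.(*BarrierView)
+
 		switch {
 		case te.NamespaceID == namespace.RootNamespaceID && !strings.HasPrefix(te.ID, "s."):
 			saltedID, err := ts.SaltID(ctx, te.ID)
 			if err != nil {
 				return err
 			}
-			return ts.cubbyholeBackend.revoke(ctx, salt.SaltID(ts.cubbyholeBackend.saltUUID, saltedID, salt.SHA1Hash))
+			return ts.cubbyholeBackend.revoke(ctx, view, salt.SaltID(ts.cubbyholeBackend.saltUUID, saltedID, salt.SHA1Hash))
 
 		default:
 			if te.CubbyholeID == "" {
 				return fmt.Errorf("missing cubbyhole ID while destroying")
 			}
-			return ts.cubbyholeBackend.revoke(ctx, te.CubbyholeID)
+			return ts.cubbyholeBackend.revoke(ctx, view, te.CubbyholeID)
 		}
 	}
 )
@@ -1816,7 +1822,13 @@ func (ts *TokenStore) handleTidy(ctx context.Context, req *logical.Request, data
 		}
 
 		// List all the cubbyhole storage keys
-		cubbyholeKeys, err := ts.cubbyholeBackend.storageView.List(quitCtx, "")
+		view := ts.core.router.MatchingStorageByAPIPath(ctx, cubbyholeMountPath)
+		if view == nil {
+			return fmt.Errorf("no cubby mount entry")
+		}
+		bview := view.(*BarrierView)
+
+		cubbyholeKeys, err := bview.List(quitCtx, "")
 		if err != nil {
 			return errwrap.Wrapf("failed to fetch cubbyhole storage keys: {{err}}", err)
 		}
@@ -2013,7 +2025,7 @@ func (ts *TokenStore) handleTidy(ctx context.Context, req *logical.Request, data
 			key := strings.TrimSuffix(key, "/")
 			if !validCubbyholeKeys[key] {
 				ts.logger.Info("deleting invalid cubbyhole", "key", key)
-				err = ts.cubbyholeBackend.revoke(quitCtx, key)
+				err = ts.cubbyholeBackend.revoke(quitCtx, bview, key)
 				if err != nil {
 					tidyErrors = multierror.Append(tidyErrors, errwrap.Wrapf(fmt.Sprintf("failed to revoke cubbyhole key %q: {{err}}", key), err))
 				}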
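Review bot: In the first hunk the cubbyhole mount is resolved from `ctx` via `MatchingStorageByAPIPath`, while the token being destroyed is identified by `te.NamespaceID` a few lines later; nothing in the hunk ties the two together, so if a caller ever passes a ctx scoped to a namespace other than the token's, the lookup would either land on a different namespace's mount or fail with "no cubby mount entry", and the token's cubbyhole entries would outlive its revocation. If keeping ctx and te aligned is meant to be the caller's responsibility, a comment such as `// ctx must carry the namespace of te: the cubbyhole mount is resolved from ctx, not from te.NamespaceID.` above the lookup would document the invariant that this cleanup depends on. The same hunk and the `handleTidy` hunk at new line 1829 also use single-value type assertions (`storage.(*BarrierView)`, `view.(*BarrierView)`), which panic rather than return an error if the router ever hands back a different storage type; the two-value form `view, ok := storage.(*BarrierView)` followed by an error return keeps both revocation and tidy failures recoverable. The closure in the `var (` block begins before the first hunk, and handleTidy begins before the second.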
