From a9bcc234b158e50be6ea873fec4418143cac00c3 Mon Sep 17 00:00:00 2001
From: Steven Clark
Date: Tue, 5 Nov 2024 13:43:55 -0500
Subject: [PATCH] Transit: fix race in the key update api

- The key update API would release the lock a little too early after it persisted the update so the reference could be updated when it was preparing the response to the caller across updates and/or key rotations
- The storage updates were okay, just the response back to the caller of the update might see a mixture of different updates
---
 builtin/logical/transit/path_keys.go | 5 +++--
 changelog/28839.txt | 3 +++
 2 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 changelog/28839.txt

diff --git a/builtin/logical/transit/path_keys.go b/builtin/logical/transit/path_keys.go
index ded75f57d874..9da21e855585 100644
--- a/builtin/logical/transit/path_keys.go
+++ b/builtin/logical/transit/path_keys.go
@@ -260,9 +260,10 @@ func (b *backend) pathPolicyWrite(ctx context.Context, req *logical.Request, d *
 if p == nil {
 return nil, fmt.Errorf("error generating key: returned policy was nil")
 }
- if b.System().CachingDisabled() {
- p.Unlock()
+ if !b.System().CachingDisabled() {
+ p.Lock(true)
 }
+ defer p.Unlock()

 resp, err := b.formatKeyPolicy(p, nil)
 if err != nil {
diff --git a/changelog/28839.txt b/changelog/28839.txt
new file mode 100644
index 000000000000..b719e5ea470c
--- /dev/null
+++ b/changelog/28839.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/transit: Fix a race in which responses from the key update api could contain results from another subsequent update
+```
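Review bot: The new lock handling encodes an invariant that is not stated at this site — with caching disabled the policy `p` is assumed to arrive already locked (hence only `defer p.Unlock()`), while with caching enabled the hunk takes `p.Lock(true)` itself — so a later edit that normalises either branch would reintroduce the race or produce an unbalanced Unlock. A one-line comment above the `if` would pin it: `// With caching disabled p is returned locked by the update above; otherwise lock it here so the response is built from a single consistent version.` formatKeyPolicy appears to only read the policy, so a shared lock (`p.Lock(false)`, if that is what the bool selects) may be sufficient and would not block concurrent readers while the response is built — worth confirming against the policy lock semantics. A regression test that issues concurrent updates and rotations and asserts that each response describes one consistent version would keep this from regressing silently. pathPolicyWrite starts and continues outside the hunk, so the code that establishes p's initial lock state is not visible here.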