Make cubbyhole revocation/tidying compatible with cubbys in namespace…

…s. (#11408) (#11412)
hashicorp · Apr 19, 2021 · 2df19e5 · 2df19e5
1 parent be6b0e6
commit 2df19e5
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 6 deletions.
diff --git a/changelog/11408.txt b/changelog/11408.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: Fix cleanup of storage entries from cubbyholes within namespaces.
+```
diff --git a/vault/logical_cubbyhole.go b/vault/logical_cubbyhole.go
@@ -83,12 +83,12 @@ func (b *CubbyholeBackend) paths() []*framework.Path {
 	}
 }
 
-func (b *CubbyholeBackend) revoke(ctx context.Context, saltedToken string) error {
+func (b *CubbyholeBackend) revoke(ctx context.Context, view *BarrierView, saltedToken string) error {
 	if saltedToken == "" {
 		return fmt.Errorf("client token empty during revocation")
 	}
 
-	if err := logical.ClearView(ctx, b.storageView.(*BarrierView).SubView(saltedToken+"/")); err != nil {
+	if err := logical.ClearView(ctx, view.SubView(saltedToken+"/")); err != nil {
 		return err
 	}
 

diff --git a/vault/token_store.go b/vault/token_store.go
@@ -86,19 +86,25 @@ var (
 			return errors.New("nil token entry")
 		}
 
+		storage := ts.core.router.MatchingStorageByAPIPath(ctx, cubbyholeMountPath)
+		if storage == nil {
+			return fmt.Errorf("no cubby mount entry")
+		}
+		view := storage.(*BarrierView)
+
 		switch {
 		case te.NamespaceID == namespace.RootNamespaceID && !strings.HasPrefix(te.ID, "s."):
 			saltedID, err := ts.SaltID(ctx, te.ID)
 			if err != nil {
 				return err
 			}
-			return ts.cubbyholeBackend.revoke(ctx, salt.SaltID(ts.cubbyholeBackend.saltUUID, saltedID, salt.SHA1Hash))
+			return ts.cubbyholeBackend.revoke(ctx, view, salt.SaltID(ts.cubbyholeBackend.saltUUID, saltedID, salt.SHA1Hash))
 
 		default:
 			if te.CubbyholeID == "" {
 				return fmt.Errorf("missing cubbyhole ID while destroying")
 			}
-			return ts.cubbyholeBackend.revoke(ctx, te.CubbyholeID)
+			return ts.cubbyholeBackend.revoke(ctx, view, te.CubbyholeID)
 		}
 	}
 )
@@ -1790,7 +1796,13 @@ func (ts *TokenStore) handleTidy(ctx context.Context, req *logical.Request, data
 			}
 
 			// List all the cubbyhole storage keys
-			cubbyholeKeys, err := ts.cubbyholeBackend.storageView.List(quitCtx, "")
+			view := ts.core.router.MatchingStorageByAPIPath(ctx, cubbyholeMountPath)
+			if view == nil {
+				return fmt.Errorf("no cubby mount entry")
+			}
+			bview := view.(*BarrierView)
+
+			cubbyholeKeys, err := bview.List(quitCtx, "")
 			if err != nil {
 				return errwrap.Wrapf("failed to fetch cubbyhole storage keys: {{err}}", err)
 			}
@@ -1987,7 +1999,7 @@ func (ts *TokenStore) handleTidy(ctx context.Context, req *logical.Request, data
 				key := strings.TrimSuffix(key, "/")
 				if !validCubbyholeKeys[key] {
 					ts.logger.Info("deleting invalid cubbyhole", "key", key)
-					err = ts.cubbyholeBackend.revoke(quitCtx, key)
+					err = ts.cubbyholeBackend.revoke(quitCtx, bview, key)
 					if err != nil {
 						tidyErrors = multierror.Append(tidyErrors, errwrap.Wrapf(fmt.Sprintf("failed to revoke cubbyhole key %q: {{err}}", key), err))
 					}