Merge remote-tracking branch 'oss/master' into required-params

* oss/master:
  Add seal type to seal-status output. (#3516)
  Use an atomic store in expiration loading test to fix race detector
  fix deadlock while loading groups (#3515)
  changelog++
  Fix memory leak when a connection would hit the cluster port and go away (#3513)

CHANGELOG.md

@@ -34,6 +34,8 @@ BUG FIXES:
  * api: Fix panic when setting a custom HTTP client but with a nil transport
    [GH-3437]
  * auth/radius: Fix logging in in some situations [GH-3461]
+ * core: Fix memleak when a connection would connect to the cluster port and
+   then go away [GH-3513]
  * physical/etcd3: Fix some listing issues due to how etcd3 does prefix
    matching [GH-3406]
  * physical/file: Fix listing when underscores are the first component of a

api/sys_seal.go

@@ -49,6 +49,7 @@ func sealStatusRequest(c *Sys, r *Request) (*SealStatusResponse, error) {
 }
 
 type SealStatusResponse struct {
+	Type        string `json:"type"`
 	Sealed      bool   `json:"sealed"`
 	T           int    `json:"t"`
 	N           int    `json:"n"`

command/status.go

@@ -36,12 +36,14 @@ func (c *StatusCommand) Run(args []string) int {
 	}
 
 	outStr := fmt.Sprintf(
-		"Sealed: %v\n"+
+		"Type: %s\n"+
+			"Sealed: %v\n"+
 			"Key Shares: %d\n"+
 			"Key Threshold: %d\n"+
 			"Unseal Progress: %d\n"+
 			"Unseal Nonce: %v\n"+
 			"Version: %s",
+		sealStatus.Type,
 		sealStatus.Sealed,
 		sealStatus.N,
 		sealStatus.T,

http/sys_seal.go

@@ -190,6 +190,7 @@ func handleSysSealStatusRaw(core *vault.Core, w http.ResponseWriter, r *http.Req
 	progress, nonce := core.SecretProgress()
 
 	respondOk(w, &SealStatusResponse{
+		Type:        sealConfig.Type,
 		Sealed:      sealed,
 		T:           sealConfig.SecretThreshold,
 		N:           sealConfig.SecretShares,
@@ -202,6 +203,7 @@ func handleSysSealStatusRaw(core *vault.Core, w http.ResponseWriter, r *http.Req
 }
 
 type SealStatusResponse struct {
+	Type        string `json:"type"`
 	Sealed      bool   `json:"sealed"`
 	T           int    `json:"t"`
 	N           int    `json:"n"`

vault/identity_store_util.go

@@ -60,6 +60,9 @@ func (i *IdentityStore) loadGroups() error {
 	}
 	i.logger.Debug("identity: groups collected", "num_existing", len(existing))
 
+	i.groupLock.Lock()
+	defer i.groupLock.Unlock()
+
 	for _, key := range existing {
 		bucket, err := i.groupPacker.GetBucket(i.groupPacker.BucketPath(key))
 		if err != nil {
@@ -83,14 +86,11 @@ func (i *IdentityStore) loadGroups() error {
 				i.logger.Trace("loading group", "name", group.Name, "id", group.ID)
 			}
 
-			i.groupLock.Lock()
-			defer i.groupLock.Unlock()
-
 			txn := i.db.Txn(true)
-			defer txn.Abort()
 
 			err = i.upsertGroupInTxn(txn, group, false)
 			if err != nil {
+				txn.Abort()
 				return fmt.Errorf("failed to update group in memdb: %v", err)
 			}
 

vault/request_forwarding.go

@@ -122,11 +122,10 @@ func (c *Core) startForwarding() error {
 
 				// Accept the connection
 				conn, err := tlsLn.Accept()
-				if conn != nil {
-					// Always defer although it may be closed ahead of time
-					defer conn.Close()
-				}
-				if err != nil {
+				if err != nil || conn == nil {
+					if conn != nil {
+						conn.Close()
+					}
 					continue
 				}
 
@@ -138,9 +137,7 @@ func (c *Core) startForwarding() error {
 					if c.logger.IsDebug() {
 						c.logger.Debug("core: error handshaking cluster connection", "error", err)
 					}
-					if conn != nil {
-						conn.Close()
-					}
+					conn.Close()
 					continue
 				}
 
@@ -153,10 +150,14 @@ func (c *Core) startForwarding() error {
 
 					c.logger.Trace("core: got request forwarding connection")
 					c.clusterParamsLock.RLock()
-					go fws.ServeConn(conn, &http2.ServeConnOpts{
-						Handler: c.rpcServer,
-					})
+					rpcServer := c.rpcServer
 					c.clusterParamsLock.RUnlock()
+					go func() {
+						defer conn.Close()
+						fws.ServeConn(conn, &http2.ServeConnOpts{
+							Handler: rpcServer,
+						})
+					}()
 
 				default:
 					c.logger.Debug("core: unknown negotiated protocol on cluster port")

vault/token_store_test.go

@@ -8,6 +8,7 @@ import (
 	"sort"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"testing"
 	"time"
 
@@ -567,7 +568,7 @@ func TestTokenStore_CreateLookup_ExpirationInRestoreMode(t *testing.T) {
 
 	// Reset expiration manager to restore mode
 	ts.expiration.restoreModeLock.Lock()
-	ts.expiration.restoreMode = 1
+	atomic.StoreInt32(&ts.expiration.restoreMode, 1)
 	ts.expiration.restoreLocks = locksutil.CreateLocks()
 	ts.expiration.restoreModeLock.Unlock()