Fix identity token caching (#8412) (#8446)

The namespace-partitioned cache flushing was not being used correctly, which could leave standby nodes with stale information. Fixes #8284
hashicorp · Mar 3, 2020 · 528d04e · 528d04e
1 parent 859a286
commit 528d04e
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 7 deletions.
diff --git a/vault/identity_store.go b/vault/identity_store.go
@@ -315,7 +315,15 @@ func (i *IdentityStore) Invalidate(ctx context.Context, key string) {
 		return
 
 	case strings.HasPrefix(key, oidcTokensPrefix):
-		if err := i.oidcCache.Flush(noNamespace); err != nil {
+		ns, err := namespace.FromContext(ctx)
+		if err != nil {
+			i.logger.Error("error retrieving namespace", "error", err)
+			return
+		}
+
+		// Wipe the cache for the requested namespace. This will also clear
+		// the shared namespace as well.
+		if err := i.oidcCache.Flush(ns); err != nil {
 			i.logger.Error("error flushing oidc cache", "error", err)
 		}
 	}

diff --git a/vault/identity_store_oidc.go b/vault/identity_store_oidc.go
@@ -1555,8 +1555,6 @@ func (i *IdentityStore) oidcPeriodicFunc(ctx context.Context) {
 	var nextRun time.Time
 	now := time.Now()
 
-	nsPaths := i.listNamespacePaths()
-
 	v, ok, err := i.oidcCache.Get(noNamespace, "nextRun")
 	if err != nil {
 		i.Logger().Error("error reading oidc cache", "err", err)
@@ -1576,7 +1574,9 @@ func (i *IdentityStore) oidcPeriodicFunc(ctx context.Context) {
 		// based on key rotation times.
 		nextRun = now.Add(24 * time.Hour)
 
-		for _, nsPath := range nsPaths {
+		for _, ns := range i.listNamespaces() {
+			nsPath := ns.Path
+
 			s := i.core.router.MatchingStorageByAPIPath(ctx, nsPath+"identity/oidc")
 
 			if s == nil {
@@ -1593,7 +1593,7 @@ func (i *IdentityStore) oidcPeriodicFunc(ctx context.Context) {
 				i.Logger().Warn("error expiring OIDC public keys", "err", err)
 			}
 
-			if err := i.oidcCache.Flush(noNamespace); err != nil {
+			if err := i.oidcCache.Flush(ns); err != nil {
 				i.Logger().Error("error flushing oidc cache", "err", err)
 			}
 
@@ -1644,6 +1644,7 @@ func (c *oidcCache) Flush(ns *namespace.Namespace) error {
 		return errNilNamespace
 	}
 
+	// Remove all items from the provided namespace as well as the shared, "no namespace" section.
 	for itemKey := range c.c.Items() {
 		if isTargetNamespacedKey(itemKey, []string{noNamespace.ID, ns.ID}) {
 			c.c.Delete(itemKey)

diff --git a/vault/identity_store_oidc_util.go b/vault/identity_store_oidc_util.go
@@ -6,6 +6,6 @@ import (
 	"github.com/hashicorp/vault/helper/namespace"
 )
 
-func (i *IdentityStore) listNamespacePaths() []string {
-	return []string{namespace.RootNamespace.Path}
+func (i *IdentityStore) listNamespaces() []*namespace.Namespace {
+	return []*namespace.Namespace{namespace.RootNamespace}
 }