From 1ee302dfcde82cceda73307abb65e12d87c8dd8e Mon Sep 17 00:00:00 2001
From: John-Michael Faircloth
Date: Fri, 12 Apr 2024 16:16:26 -0500
Subject: [PATCH] plugin/wif: support external plugins (#26384)

* plugin/wif: support external plugins

* changelog
---
 changelog/26384.txt | 3 +++
 sdk/plugin/grpc_system.go | 2 +-
 vault/dynamic_system_view.go | 9 +++++++--
 3 files changed, 11 insertions(+), 3 deletions(-)
 create mode 100644 changelog/26384.txt

diff --git a/changelog/26384.txt b/changelog/26384.txt
new file mode 100644
index 0000000000..56fb0a5775
--- /dev/null
+++ b/changelog/26384.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+plugin/wif: fix a bug where the namespace was not set for external plugins using workload identity federation
+```
diff --git a/sdk/plugin/grpc_system.go b/sdk/plugin/grpc_system.go
index 405d03163a..d907e60eac 100644
--- a/sdk/plugin/grpc_system.go
+++ b/sdk/plugin/grpc_system.go
@@ -421,7 +421,7 @@ func (s *gRPCSystemViewServer) GenerateIdentityToken(ctx context.Context, req *p
 })
 if err != nil {
 return &pb.GenerateIdentityTokenResponse{}, status.Errorf(codes.Internal,
- "failed to generate plugin identity token")
+ err.Error())
 }
 return &pb.GenerateIdentityTokenResponse{
diff --git a/vault/dynamic_system_view.go b/vault/dynamic_system_view.go
index ee460c0dd5..f95dbd7ed9 100644
--- a/vault/dynamic_system_view.go
+++ b/vault/dynamic_system_view.go
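Review bot: `status.Errorf(codes.Internal, err.Error())` on the added line in sdk/plugin/grpc_system.go passes a non-constant error string as the format argument, so any `%` in the underlying error text is interpreted as a verb (and `go vet` flags the call); since no format arguments follow, use the non-formatting constructor `status.Error(codes.Internal, err.Error())`, or keep the layer's context with `status.Errorf(codes.Internal, "failed to generate plugin identity token: %v", err)`. The replacement also drops the fixed message, so the full server-side error text now crosses the gRPC boundary to the external plugin process; if the wrapped cause can carry internal detail, a stable prefix plus the cause keeps the plugin informed without the server losing control of what it exposes. GenerateIdentityToken's body starts before and continues after this hunk.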
@@ -459,12 +459,17 @@ func (d dynamicSystemView) ClusterID(ctx context.Context) (string, error) {
 }
 func (d dynamicSystemView) GenerateIdentityToken(ctx context.Context, req *pluginutil.IdentityTokenRequest) (*pluginutil.IdentityTokenResponse, error) {
- storage := d.core.router.MatchingStorageByAPIPath(ctx, mountPathIdentity)
+ mountEntry := d.mountEntry
+ if mountEntry == nil {
+ return nil, fmt.Errorf("no mount entry")
+ }
+ nsCtx := namespace.ContextWithNamespace(ctx, mountEntry.Namespace())
+ storage := d.core.router.MatchingStorageByAPIPath(nsCtx, mountPathIdentity)
 if storage == nil {
 return nil, fmt.Errorf("failed to find storage entry for identity mount")
 }
- token, ttl, err := d.core.IdentityStore().generatePluginIdentityToken(ctx, storage, d.mountEntry, req.Audience, req.TTL)
+ token, ttl, err := d.core.IdentityStore().generatePluginIdentityToken(nsCtx, storage, d.mountEntry, req.Audience, req.TTL)
 if err != nil {
 return nil, fmt.Errorf("failed to generate plugin identity token: %w", err)
 }