scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-31 02:28:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

lock public JWKS generation and re-check cache (#27929)

Browse Source 
---------

Co-authored-by: kpcraig <3031348+kpcraig@users.noreply.github.com>
This commit is contained in:
Brian Howe
2024-09-09 11:36:38 -05:00
committed by GitHub
parent cbbe573916
commit 59342940fd
3 changed files with 20 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
changelog/27929.txt Normal file
View File

@@ -0,0 +1,3 @@
```release-note:bug
identity/oidc: prevent JWKS from being generated by multiple concurrent requests
```

14
vault/identity_store_oidc.go
View File

@@ -1857,6 +1857,20 @@ func (i *IdentityStore) generatePublicJWKS(ctx context.Context, s logical.Storag
return jwksRaw.(*jose.JSONWebKeySet), nil return jwksRaw.(*jose.JSONWebKeySet), nil
} }
i.generateJWKSLock.Lock()
defer i.generateJWKSLock.Unlock()
// Check the cache again incase another requset acquired the lock
// before this request.
jwksRaw, ok, err = i.oidcCache.Get(ns, "jwks")
if err != nil {
return nil, err
}
if ok {
return jwksRaw.(*jose.JSONWebKeySet), nil
}
if _, err := i.expireOIDCPublicKeys(ctx, s); err != nil { if _, err := i.expireOIDCPublicKeys(ctx, s); err != nil {
return nil, err return nil, err
} }

1
vault/identity_store_structs.go
View File

@@ -60,6 +60,7 @@ type IdentityStore struct {
// locks to make sure things are consistent // locks to make sure things are consistent
lock sync.RWMutex lock sync.RWMutex
oidcLock sync.RWMutex oidcLock sync.RWMutex
generateJWKSLock sync.Mutex
// groupLock is used to protect modifications to group entries // groupLock is used to protect modifications to group entries
groupLock sync.RWMutex groupLock sync.RWMutex