From 752bb0866461d172b214bc1e5c39cc177f6b21ff Mon Sep 17 00:00:00 2001
From: Steven Clark
Date: Tue, 5 Nov 2024 14:41:09 -0500
Subject: [PATCH] Transit: fix race in the key update api (#28839)

- The key update API would release the lock a little too early after it persisted the update so the reference could be updated when it was preparing the response to the caller across updates and/or key rotations
- The storage updates were okay, just the response back to the caller of the update might see a mixture of different updates
---
 builtin/logical/transit/path_keys.go | 5 +++--
 changelog/28839.txt                  | 3 +++
 2 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 changelog/28839.txt

diff --git a/builtin/logical/transit/path_keys.go b/builtin/logical/transit/path_keys.go
index ded75f57d8..9da21e8555 100644
--- a/builtin/logical/transit/path_keys.go
+++ b/builtin/logical/transit/path_keys.go
@@ -260,9 +260,10 @@ func (b *backend) pathPolicyWrite(ctx context.Context, req *logical.Request, d *
 	if p == nil {
 		return nil, fmt.Errorf("error generating key: returned policy was nil")
 	}
-	if b.System().CachingDisabled() {
-		p.Unlock()
+	if !b.System().CachingDisabled() {
+		p.Lock(true)
 	}
+	defer p.Unlock()
 
 	resp, err := b.formatKeyPolicy(p, nil)
 	if err != nil {
diff --git a/changelog/28839.txt b/changelog/28839.txt
new file mode 100644
index 0000000000..b719e5ea47
--- /dev/null
+++ b/changelog/28839.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/transit: Fix a race in which responses from the key update api could contain results from another subsequent update
+```
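Review bot: The locking invariant the fix depends on — judging from the removed and added lines, p comes back from the lookup already exclusively locked only when caching is disabled, and must be locked here otherwise — is now load-bearing for the race but is not written down at the new `if`, so a later edit could re-introduce the early unlock; a comment such as `// With caching disabled the policy is returned locked; otherwise take the lock ourselves so the response reflects one consistent view of the key.` above `if !b.System().CachingDisabled() {` would record it. Taking the write lock (`p.Lock(true)`) only to read the policy while building the response serialises this handler against concurrent readers of the same key; if Lock's argument is the exclusive flag as in keysutil, `p.Lock(false)` would narrow the critical section for the caching-enabled branch, though the exclusive lock is defensible for symmetry with the caching-disabled path. pathPolicyWrite starts and ends outside the hunk, so whether every earlier return between the policy lookup and this point still releases the lock correctly cannot be checked here.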