Transit: fix race in the key update api (#28839)

- The key update API would release the lock a little too early
  after it persisted the update, so the reference could be updated
  when it was preparing the response to the caller across updates
  and/or key rotations.
- The storage updates were okay; just the response back to the caller
  of the update might see a mixture of different updates.
Steven Clark
2024-11-05 14:41:09 -05:00
committed by GitHub
parent c855f6e982
commit 752bb08664
2 changed files with 6 additions and 2 deletions


@@ -260,9 +260,10 @@ func (b *backend) pathPolicyWrite(ctx context.Context, req *logical.Request, d *
if p == nil {
return nil, fmt.Errorf("error generating key: returned policy was nil")
}
if b.System().CachingDisabled() {
p.Unlock()
if !b.System().CachingDisabled() {
p.Lock(true)
}
defer p.Unlock()
resp, err := b.formatKeyPolicy(p, nil)
if err != nil {
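Review bot: the new `if !b.System().CachingDisabled()` branch reads inverted until the reader knows that `GetPolicy` hands the policy back already locked in the caching-disabled path, which is what the removed `p.Unlock()` relied on; add a one-line comment above the `if` stating that the policy is already locked when caching is disabled and must be locked here otherwise, so that the single `defer p.Unlock()` is visibly balanced for both paths. Separately, `p.Lock(true)` is taken only to build the response in `formatKeyPolicy`; if `true` selects the exclusive lock and that helper only reads the policy, the shared lock (`p.Lock(false)`) would give the same consistent snapshot without blocking concurrent readers of the key.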

changelog/28839.txt Normal file

@@ -0,0 +1,3 @@
```release-note:bug
secrets/transit: Fix a race in which responses from the key update api could contain results from another subsequent update
```
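Review bot: in the release note, "api" should be "API", and "another subsequent update" is redundant; since the commit message says the stale response could also reflect a key rotation, suggest: `secrets/transit: Fix a race in which the key update API response could contain results from a later update or key rotation`.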