scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-31 02:28:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

identity/oidc: prevent key rotation on performance secondary clusters (#14426)

Browse Source
This commit is contained in:
Austin Gebauer
2022-03-09 15:41:02 -08:00
committed by GitHub
parent fd85ca339f
commit 98692e19c9
2 changed files with 16 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
changelog/14426.txt Normal file
View File

@@ -0,0 +1,3 @@
```release-note:bug
identity/oidc: Fixes potential write to readonly storage on performance secondary clusters during key rotation
```

16
vault/identity_store_oidc.go
View File

@@ -24,6 +24,7 @@ import (
"github.com/hashicorp/vault/helper/identity" "github.com/hashicorp/vault/helper/identity"
"github.com/hashicorp/vault/helper/namespace" "github.com/hashicorp/vault/helper/namespace"
"github.com/hashicorp/vault/sdk/framework" "github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/helper/identitytpl" "github.com/hashicorp/vault/sdk/helper/identitytpl"
"github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/sdk/logical"
"github.com/patrickmn/go-cache" "github.com/patrickmn/go-cache"
@@ -1773,11 +1774,13 @@ func (i *IdentityStore) expireOIDCPublicKeys(ctx context.Context, s logical.Stor
key.KeyRing = keyRing key.KeyRing = keyRing
entry, err := logical.StorageEntryJSON(entry.Key, key) entry, err := logical.StorageEntryJSON(entry.Key, key)
if err != nil { if err != nil {
i.Logger().Error("error updating key", "key", key.name, "error", err) i.Logger().Error("error creating storage entry", "key", key.name, "error", err)
continue
} }
if err := s.Put(ctx, entry); err != nil { if err := s.Put(ctx, entry); err != nil {
i.Logger().Error("error saving key", "key", key.name, "error", err) i.Logger().Error("error writing key", "key", key.name, "error", err)
continue
} }
didUpdate = true didUpdate = true
} }
@@ -1787,11 +1790,12 @@ func (i *IdentityStore) expireOIDCPublicKeys(ctx context.Context, s logical.Stor
// use by some role. // use by some role.
for _, keyID := range publicKeyIDs { for _, keyID := range publicKeyIDs {
if !strutil.StrListContains(usedKeys, keyID) { if !strutil.StrListContains(usedKeys, keyID) {
didUpdate = true
if err := s.Delete(ctx, publicKeysConfigPath+keyID); err != nil { if err := s.Delete(ctx, publicKeysConfigPath+keyID); err != nil {
i.Logger().Error("error deleting OIDC public key", "key_id", keyID, "error", err) i.Logger().Error("error deleting OIDC public key", "key_id", keyID, "error", err)
nextExpiration = now nextExpiration = now
continue
} }
didUpdate = true
i.Logger().Debug("deleted OIDC public key", "key_id", keyID) i.Logger().Debug("deleted OIDC public key", "key_id", keyID)
} }
} }
@@ -1874,6 +1878,12 @@ func (i *IdentityStore) oidcKeyRotation(ctx context.Context, s logical.Storage)
// oidcPeriodFunc is invoked by the backend's periodFunc and runs regular key // oidcPeriodFunc is invoked by the backend's periodFunc and runs regular key
// rotations and expiration actions. // rotations and expiration actions.
func (i *IdentityStore) oidcPeriodicFunc(ctx context.Context) { func (i *IdentityStore) oidcPeriodicFunc(ctx context.Context) {
// Key rotations write to storage, so only run this on the primary cluster.
// The periodic func does not run on perf standbys or DR secondaries.
if i.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary) {
return
}
var nextRun time.Time var nextRun time.Time
now := time.Now() now := time.Now()