backport of commit c040f901e5 (#22135)

Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>

changelog/21925.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+kmip (enterprise): Add namespace lock and unlock support
+```

sdk/logical/system_view.go

@@ -107,27 +107,32 @@ type PasswordPolicy interface {
 type ExtendedSystemView interface {
 	Auditor() Auditor
 	ForwardGenericRequest(context.Context, *Request) (*Response, error)
+
+	// APILockShouldBlockRequest returns whether a namespace for the requested
+	// mount is locked and should be blocked
+	APILockShouldBlockRequest() (bool, error)
 }
 
 type PasswordGenerator func() (password string, err error)
 
 type StaticSystemView struct {
-	DefaultLeaseTTLVal  time.Duration
+	DefaultLeaseTTLVal           time.Duration
-	MaxLeaseTTLVal      time.Duration
+	MaxLeaseTTLVal               time.Duration
-	SudoPrivilegeVal    bool
+	SudoPrivilegeVal             bool
-	TaintedVal          bool
+	TaintedVal                   bool
-	CachingDisabledVal  bool
+	CachingDisabledVal           bool
-	Primary             bool
+	Primary                      bool
-	EnableMlock         bool
+	EnableMlock                  bool
-	LocalMountVal       bool
+	LocalMountVal                bool
-	ReplicationStateVal consts.ReplicationState
+	ReplicationStateVal          consts.ReplicationState
-	EntityVal           *Entity
+	EntityVal                    *Entity
-	GroupsVal           []*Group
+	GroupsVal                    []*Group
-	Features            license.Features
+	Features                     license.Features
-	PluginEnvironment   *PluginEnvironment
+	PluginEnvironment            *PluginEnvironment
-	PasswordPolicies    map[string]PasswordGenerator
+	PasswordPolicies             map[string]PasswordGenerator
-	VersionString       string
+	VersionString                string
-	ClusterUUID         string
+	ClusterUUID                  string
+	APILockShouldBlockRequestVal bool
 }
 
 type noopAuditor struct{}
@@ -253,3 +258,7 @@ func (d *StaticSystemView) DeletePasswordPolicy(name string) (existed bool) {
 func (d StaticSystemView) ClusterID(ctx context.Context) (string, error) {
 	return d.ClusterUUID, nil
 }
+
+func (d StaticSystemView) APILockShouldBlockRequest() (bool, error) {
+	return d.APILockShouldBlockRequestVal, nil
+}

vault/dynamic_system_view.go

@@ -136,6 +136,20 @@ func (e extendedSystemViewImpl) SudoPrivilege(ctx context.Context, path string,
 	return authResults.RootPrivs
 }
 
+func (e extendedSystemViewImpl) APILockShouldBlockRequest() (bool, error) {
+	mountEntry := e.mountEntry
+	if mountEntry == nil {
+		return false, fmt.Errorf("no mount entry")
+	}
+	ns := mountEntry.Namespace()
+
+	if err := enterpriseBlockRequestIfError(e.core, ns.Path, mountEntry.Path); err != nil {
+		return true, nil
+	}
+
+	return false, nil
+}
+
 func (d dynamicSystemView) DefaultLeaseTTL() time.Duration {
 	def, _ := d.fetchTTLs()
 	return def