VAULT-28656 CE changes for Proxy bug (#27730)

* VAULT-28656 CE changes for Proxy bug * VAULT-28656 changelog * VAULT-28656 rename changelog
2025-10-29 17:52:32 +00:00 · 2024-07-10 09:38:51 -04:00
parent 261c9a8fbb
commit b9c892f8aa
4 changed files with 17 additions and 4 deletions
--- a/changelog/27730.txt
+++ b/changelog/27730.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+proxy/cache (enterprise): Fixed an issue where cached static secrets could fail to update if the secrets belonged to a non-root namespace.
+```
--- a/command/agentproxyshared/cache/lease_cache.go
+++ b/command/agentproxyshared/cache/lease_cache.go
@@ -411,7 +411,7 @@ func (c *LeaseCache) Send(ctx context.Context, req *SendRequest) (*SendResponse,
 			return nil, err
 		}
 		if cachedResp != nil {
-			c.logger.Debug("returning cached static secret response", "id", staticSecretCacheId, "path", req.Request.URL.Path)
+			c.logger.Debug("returning cached static secret response", "id", staticSecretCacheId, "path", getStaticSecretPathFromRequest(req))
 			return cachedResp, nil
 		}
 	}
@@ -482,6 +482,7 @@ func (c *LeaseCache) Send(ctx context.Context, req *SendRequest) (*SendResponse,
 		// included in the request path.
 		index.RequestPath = getStaticSecretPathFromRequest(req)

+		c.logger.Trace("attempting to cache static secret with following request path", "request path", index.RequestPath)
 		err := c.cacheStaticSecret(ctx, req, resp, index)
 		if err != nil {
 			return nil, err
@@ -665,7 +666,7 @@ func (c *LeaseCache) cacheStaticSecret(ctx context.Context, req *SendRequest, re

 func (c *LeaseCache) storeStaticSecretIndex(ctx context.Context, req *SendRequest, index *cachememdb.Index) error {
 	// Store the index in the cache
-	c.logger.Debug("storing static secret response into the cache", "method", req.Request.Method, "path", req.Request.URL.Path, "id", index.ID)
+	c.logger.Debug("storing static secret response into the cache", "method", req.Request.Method, "path", index.RequestPath, "id", index.ID)
 	err := c.Set(ctx, index)
 	if err != nil {
 		c.logger.Error("failed to cache the proxied response", "error", err)
--- a/command/agentproxyshared/cache/static_secret_cache_updater.go
+++ b/command/agentproxyshared/cache/static_secret_cache_updater.go
@@ -163,6 +163,10 @@ func (updater *StaticSecretCacheUpdater) streamStaticSecretEvents(ctx context.Co
 				if !ok {
 					return fmt.Errorf("unexpected event format when decoding 'path' element, message: %s\nerror: %w", string(message), err)
 				}
+				namespace, ok := data["namespace"].(string)
+				if ok {
+					path = namespace + path
+				}
 				err := updater.updateStaticSecret(ctx, path)
 				if err != nil {
 					// While we are kind of 'missing' an event this way, re-calling this function will
@@ -218,6 +222,10 @@ func (updater *StaticSecretCacheUpdater) updateStaticSecret(ctx context.Context,
 		return err
 	}

+	// Clear the client's header namespace since we'll be including the
+	// namespace as part of the path.
+	client.ClearNamespace()
+
 	indexId := hashStaticSecretIndex(path)

 	updater.logger.Debug("received update static secret request", "path", path, "indexId", indexId)
@@ -248,7 +256,7 @@ func (updater *StaticSecretCacheUpdater) updateStaticSecret(ctx context.Context,
 		request.Headers.Set(api.AuthHeaderName, token)
 		resp, err = client.RawRequestWithContext(ctx, request)
 		if err != nil {
-			updater.logger.Trace("received error when trying to update cache", "path", path, "err", err, "token", token)
+			updater.logger.Trace("received error when trying to update cache", "path", path, "err", err, "token", token, "namespace", index.Namespace)
 			// We cannot access this secret with this token for whatever reason,
 			// so token for removal.
 			tokensToRemove = append(tokensToRemove, token)
@@ -329,6 +337,7 @@ func (updater *StaticSecretCacheUpdater) openWebSocketConnection(ctx context.Con
 	}
 	query := webSocketURL.Query()
 	query.Set("json", "true")
+	query.Set("namespaces", "*")
 	webSocketURL.RawQuery = query.Encode()

 	updater.client.AddHeader(api.AuthHeaderName, updater.client.Token())
--- a/command/agentproxyshared/cache/static_secret_cache_updater_test.go
+++ b/command/agentproxyshared/cache/static_secret_cache_updater_test.go
@@ -407,7 +407,7 @@ func TestOpenWebSocketConnectionReceivesEventsKVV1(t *testing.T) {
 	}
 }

-// TestOpenWebSocketConnectionReceivesEvents tests that the openWebSocketConnection function
+// TestOpenWebSocketConnectionReceivesEventsKVV2 tests that the openWebSocketConnection function
 // works as expected with KVV2, and then the connection can be used to receive an event.
 // This acts as more of an event system sanity check than a test of the updater
 // logic. It's still important coverage, though.