Only resolve roles for role quotas and leases (#22597)

http/util.go

@@ -60,22 +60,33 @@ func rateLimitQuotaWrapping(handler http.Handler, core *vault.Core) http.Handler
 		}
 		r.Body = ioutil.NopCloser(bytes.NewBuffer(bodyBytes))
 
-		role := core.DetermineRoleFromLoginRequestFromBytes(mountPath, bodyBytes, r.Context())
-
-		// add an entry to the context to prevent recalculating request role unnecessarily
-		r = r.WithContext(context.WithValue(r.Context(), logical.CtxKeyRequestRole{}, role))
-
-		quotaResp, err := core.ApplyRateLimitQuota(r.Context(), &quotas.Request{
+		quotaReq := &quotas.Request{
 			Type:          quotas.TypeRateLimit,
 			Path:          path,
 			MountPath:     mountPath,
-			Role:          role,
 			NamespacePath: ns.Path,
 			ClientAddress: parseRemoteIPAddress(r),
-		})
+		}
+		requiresResolveRole, err := core.ResolveRoleForQuotas(r.Context(), quotaReq)
+		if err != nil {
+			core.Logger().Error("failed to lookup quotas", "path", path, "error", err)
+			respondError(w, http.StatusInternalServerError, err)
+			return
+		}
+
+		// If any role-based quotas are enabled for this namespace/mount, just
+		// do the role resolution once here.
+		if requiresResolveRole {
+			role := core.DetermineRoleFromLoginRequestFromBytes(r.Context(), mountPath, bodyBytes)
+			// add an entry to the context to prevent recalculating request role unnecessarily
+			r = r.WithContext(context.WithValue(r.Context(), logical.CtxKeyRequestRole{}, role))
+			quotaReq.Role = role
+		}
+
+		quotaResp, err := core.ApplyRateLimitQuota(r.Context(), quotaReq)
 		if err != nil {
 			core.Logger().Error("failed to apply quota", "path", path, "error", err)
-			respondError(w, http.StatusUnprocessableEntity, err)
+			respondError(w, http.StatusInternalServerError, err)
 			return
 		}