cherry-picking commit (#29433)

Co-authored-by: akshya96 <[email protected]>
hashicorp · Jan 30, 2025 · 671b4c2 · 671b4c2
1 parent a6aa444
commit 671b4c2
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 3 deletions.
diff --git a/changelog/29432.txt b/changelog/29432.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+activity: Show activity records from clients created in deleted namespaces when activity log is queried from admin namespace.
+```
diff --git a/vault/activity_log.go b/vault/activity_log.go
@@ -1801,8 +1801,9 @@ func (c *Core) ActivityLogInjectResponse(ctx context.Context, pq *activity.Preco
 
 func (a *ActivityLog) includeInResponse(query *namespace.Namespace, record *namespace.Namespace) bool {
 	if record == nil {
-		// Deleted namespace, only include in root queries
-		return query.ID == namespace.RootNamespaceID
+		// Deleted namespace, only include in root or admin namespace (if configured) queries
+		adminNsPath := namespace.Canonicalize(a.core.administrativeNamespacePath())
+		return query.ID == namespace.RootNamespaceID || (adminNsPath != "" && query.Path == adminNsPath)
 	}
 	return record.HasParent(query)
 }

diff --git a/vault/activity_log_test.go b/vault/activity_log_test.go
@@ -1922,7 +1922,8 @@ func (f *fakeResponseWriter) WriteHeader(statusCode int) {
 // their parents.
 func TestActivityLog_IncludeNamespace(t *testing.T) {
 	root := namespace.RootNamespace
-	a := &ActivityLog{}
+	core, _, _ := TestCoreUnsealed(t)
+	a := core.activityLog
 
 	nsA := &namespace.Namespace{
 		ID:   "aaaaa",

diff --git a/vault/core.go b/vault/core.go
@@ -3610,6 +3610,15 @@ func (c *Core) LogFormat() string {
 	return conf.(*server.Config).LogFormat
 }
 
+// administrativeNamespacePath returns the configured administrative namespace path.
+func (c *Core) administrativeNamespacePath() string {
+	conf := c.rawConfig.Load()
+	if conf == nil {
+		return ""
+	}
+	return conf.(*server.Config).AdministrativeNamespacePath
+}
+
 // LogLevel returns the log level provided by level provided by config, CLI flag, or env
 func (c *Core) LogLevel() string {
 	return c.logLevel

diff --git a/vault/core_test.go b/vault/core_test.go
@@ -3696,3 +3696,16 @@ func TestBarrier_DeadlockDetection(t *testing.T) {
 		t.Fatal("barrierLock doesn't have deadlock detection enabled, it should")
 	}
 }
+
+// Test_administrativeNamespacePath verifies if administrativeNamespacePath function returns the configured administrative namespace path
+func Test_administrativeNamespacePath(t *testing.T) {
+	adminNamespacePath := "admin"
+	coreConfig := &CoreConfig{
+		RawConfig: &server.Config{
+			SharedConfig: &configutil.SharedConfig{AdministrativeNamespacePath: adminNamespacePath},
+		},
+		AdministrativeNamespacePath: adminNamespacePath,
+	}
+	core, _, _ := TestCoreUnsealedWithConfig(t, coreConfig)
+	require.Equal(t, core.administrativeNamespacePath(), adminNamespacePath)
+}