Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix race accessing b.crls within cert auth #18945

Merged
merged 3 commits into from
Feb 1, 2023
Merged

Fix race accessing b.crls within cert auth #18945

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
5e034a1
Fix race accessing b.crls within cert auth
stevendpclark Feb 1, 2023
5327c5a
Add cl
stevendpclark Feb 1, 2023
b1b4fba
Misc cleanup
stevendpclark Feb 1, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions builtin/credential/cert/path_crls.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,16 @@ using the same name as specified here.`,
}
}

func (b *backend) populateCrlsIfNil(ctx context.Context, storage logical.Storage) error {
b.crlUpdateMutex.RLock()
if b.crls == nil {
b.crlUpdateMutex.RUnlock()
return b.lockThenpopulateCRLs(ctx, storage)
}
b.crlUpdateMutex.RUnlock()
return nil
}

func (b *backend) lockThenpopulateCRLs(ctx context.Context, storage logical.Storage) error {
b.crlUpdateMutex.Lock()
defer b.crlUpdateMutex.Unlock()
Expand Down
19 changes: 10 additions & 9 deletions builtin/credential/cert/path_login.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,11 @@ func pathLogin(b *backend) *framework.Path {

func (b *backend) pathLoginResolveRole(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
var matched *ParsedCert
// Make sure b.crls is populated if it was invalidated by replication
if err := b.populateCrlsIfNil(ctx, req.Storage); err != nil {
return nil, err
}

if verifyResp, resp, err := b.verifyCredentials(ctx, req, data); err != nil {
return nil, err
} else if resp != nil {
Expand Down Expand Up @@ -90,11 +95,9 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, data *fra
b.updatedConfig(config)
}

if b.crls == nil {
// Probably invalidated due to replication, but we need these to proceed
if err := b.populateCRLs(ctx, req.Storage); err != nil {
return nil, err
}
// Probably invalidated due to replication, but we need these to proceed
if err := b.populateCrlsIfNil(ctx, req.Storage); err != nil {
return nil, err
}

var matched *ParsedCert
Expand Down Expand Up @@ -173,10 +176,8 @@ func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *f
b.updatedConfig(config)
}

if b.crls == nil {
if err := b.populateCRLs(ctx, req.Storage); err != nil {
return nil, err
}
if err := b.populateCrlsIfNil(ctx, req.Storage); err != nil {
return nil, err
}

if !config.DisableBinding {
Expand Down
3 changes: 3 additions & 0 deletions changelog/18945.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:bug
auth/cert: Address a race condition accessing the loaded crls without a lock
```