lock create/update role; remove now redundant key check

hashicorp · Jul 29, 2021 · a0e2449 · a0e2449
1 parent 73ea373
commit a0e2449
Showing 1 changed file with 18 additions and 17 deletions.
diff --git a/vault/identity_store_oidc.go b/vault/identity_store_oidc.go
@@ -927,6 +927,9 @@ func (i *IdentityStore) pathOIDCCreateUpdateRole(ctx context.Context, req *logic
 
 	name := d.Get("name").(string)
 
+	i.oidcLock.Lock()
+	defer i.oidcLock.Unlock()
+
 	var role role
 	if req.Operation == logical.UpdateOperation {
 		entry, err := req.Storage.Get(ctx, roleConfigPath+name)
@@ -993,22 +996,20 @@ func (i *IdentityStore) pathOIDCCreateUpdateRole(ctx context.Context, req *logic
 		role.TokenTTL = time.Duration(d.Get("ttl").(int)) * time.Second
 	}
 
-	// get the key referenced by this role (if it exists)
-	if role.Key != "" {
-		var key namedKey
-		entry, err := req.Storage.Get(ctx, namedKeyConfigPath+role.Key)
-		if err != nil {
-			return nil, err
-		}
-		if entry == nil {
-			return logical.ErrorResponse("cannot find key %q", role.Key), nil
-		}
-		if err := entry.DecodeJSON(&key); err != nil {
-			return nil, err
-		}
-		if role.TokenTTL > key.VerificationTTL {
-			return logical.ErrorResponse("a role's token ttl cannot be longer than the verification_ttl of the key it references"), nil
-		}
+	// get the key referenced by this role
+	var key namedKey
+	entry, err := req.Storage.Get(ctx, namedKeyConfigPath+role.Key)
+	if err != nil {
+		return nil, err
+	}
+	if entry == nil {
+		return logical.ErrorResponse("cannot find key %q", role.Key), nil
+	}
+	if err := entry.DecodeJSON(&key); err != nil {
+		return nil, err
+	}
+	if role.TokenTTL > key.VerificationTTL {
+		return logical.ErrorResponse("a role's token ttl cannot be longer than the verification_ttl of the key it references"), nil
 	}
 
 	if clientID, ok := d.GetOk("client_id"); ok {
@@ -1025,7 +1026,7 @@ func (i *IdentityStore) pathOIDCCreateUpdateRole(ctx context.Context, req *logic
 	}
 
 	// store role (which was either just created or updated)
-	entry, err := logical.StorageEntryJSON(roleConfigPath+name, role)
+	entry, err = logical.StorageEntryJSON(roleConfigPath+name, role)
 	if err != nil {
 		return nil, err
 	}