From a0e2449bd29bb60052d45e5487692cb0f57f2d6b Mon Sep 17 00:00:00 2001
From: JM Faircloth <jmfaircloth@hashicorp.com>
Date: Thu, 29 Jul 2021 13:33:19 -0500
Subject: [PATCH] lock create/update role; remove now redundant key check

---
 vault/identity_store_oidc.go | 35 ++++++++++++++++++-----------------
 1 file changed, 18 insertions(+), 17 deletions(-)

diff --git a/vault/identity_store_oidc.go b/vault/identity_store_oidc.go
index 5dc3ea6553012..f9406c0ab387d 100644
--- a/vault/identity_store_oidc.go
+++ b/vault/identity_store_oidc.go
@@ -927,6 +927,9 @@ func (i *IdentityStore) pathOIDCCreateUpdateRole(ctx context.Context, req *logic
 
 	name := d.Get("name").(string)
 
+	i.oidcLock.Lock()
+	defer i.oidcLock.Unlock()
+
 	var role role
 	if req.Operation == logical.UpdateOperation {
 		entry, err := req.Storage.Get(ctx, roleConfigPath+name)
@@ -993,22 +996,20 @@ func (i *IdentityStore) pathOIDCCreateUpdateRole(ctx context.Context, req *logic
 		role.TokenTTL = time.Duration(d.Get("ttl").(int)) * time.Second
 	}
 
-	// get the key referenced by this role (if it exists)
-	if role.Key != "" {
-		var key namedKey
-		entry, err := req.Storage.Get(ctx, namedKeyConfigPath+role.Key)
-		if err != nil {
-			return nil, err
-		}
-		if entry == nil {
-			return logical.ErrorResponse("cannot find key %q", role.Key), nil
-		}
-		if err := entry.DecodeJSON(&key); err != nil {
-			return nil, err
-		}
-		if role.TokenTTL > key.VerificationTTL {
-			return logical.ErrorResponse("a role's token ttl cannot be longer than the verification_ttl of the key it references"), nil
-		}
+	// get the key referenced by this role
+	var key namedKey
+	entry, err := req.Storage.Get(ctx, namedKeyConfigPath+role.Key)
+	if err != nil {
+		return nil, err
+	}
+	if entry == nil {
+		return logical.ErrorResponse("cannot find key %q", role.Key), nil
+	}
+	if err := entry.DecodeJSON(&key); err != nil {
+		return nil, err
+	}
+	if role.TokenTTL > key.VerificationTTL {
+		return logical.ErrorResponse("a role's token ttl cannot be longer than the verification_ttl of the key it references"), nil
 	}
 
 	if clientID, ok := d.GetOk("client_id"); ok {
@@ -1025,7 +1026,7 @@ func (i *IdentityStore) pathOIDCCreateUpdateRole(ctx context.Context, req *logic
 	}
 
 	// store role (which was either just created or updated)
-	entry, err := logical.StorageEntryJSON(roleConfigPath+name, role)
+	entry, err = logical.StorageEntryJSON(roleConfigPath+name, role)
 	if err != nil {
 		return nil, err
 	}