Enforce minimum cache size for transit backend

builtin/logical/transit/backend.go

@@ -10,6 +10,9 @@ import (
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
+// Minimum cache size for transit backend
+const minCacheSize = 10
+
 func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
 	b, err := Backend(ctx, conf)
 	if err != nil {
@@ -68,6 +71,11 @@ func Backend(ctx context.Context, conf *logical.BackendConfig) (*backend, error)
 		if err != nil {
 			return nil, fmt.Errorf("Error retrieving cache size from storage: %w", err)
 		}
+
+		if cacheSize != 0 && cacheSize < minCacheSize {
+			b.Logger().Warn("size %d is less than minimum %d. Cache size is set to %d", cacheSize, minCacheSize, minCacheSize)
+			cacheSize = minCacheSize
+		}
 	}
 
 	var err error

builtin/logical/transit/path_cache_config.go

@@ -3,8 +3,8 @@ package transit
 import (
 	"context"
 	"errors"
-
 	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/keysutil"
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
@@ -45,8 +45,8 @@ func (b *backend) pathCacheConfig() *framework.Path {
 func (b *backend) pathCacheConfigWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
 	// get target size
 	cacheSize := d.Get("size").(int)
-	if cacheSize < 0 {
-		return logical.ErrorResponse("size must be greater or equal to 0"), logical.ErrInvalidRequest
+	if cacheSize != 0 && cacheSize < minCacheSize {
+		return logical.ErrorResponse("size must be 0 or a value greater or equal to %d", minCacheSize), logical.ErrInvalidRequest
 	}
 
 	// store cache size
@@ -60,8 +60,11 @@ func (b *backend) pathCacheConfigWrite(ctx context.Context, req *logical.Request
 		return nil, err
 	}
 
-	resp := &logical.Response{
-		Warnings: []string{"cache configurations will be applied when this backend is restarted"},
+	resp := &logical.Response{}
+
+	b.lm, err = keysutil.NewLockManager(true, cacheSize)
+	if err != nil {
+		return nil, err
 	}
 
 	return resp, nil

builtin/logical/transit/path_cache_config_test.go

@@ -8,6 +8,7 @@ import (
 )
 
 const targetCacheSize = 12345
+const smallCacheSize = 3
 
 func TestTransit_CacheConfig(t *testing.T) {
 	b1, storage := createBackendWithSysView(t)
@@ -58,6 +59,15 @@ func TestTransit_CacheConfig(t *testing.T) {
 		},
 	}
 
+	writeSmallCacheSizeReq := &logical.Request{
+		Storage:   storage,
+		Operation: logical.UpdateOperation,
+		Path:      "cache-config",
+		Data: map[string]interface{}{
+			"size": smallCacheSize,
+		},
+	}
+
 	readReq := &logical.Request{
 		Storage:   storage,
 		Operation: logical.ReadOperation,
@@ -68,7 +78,7 @@ func TestTransit_CacheConfig(t *testing.T) {
 	// b1 should spin up with an unlimited cache
 	validateResponse(doReq(b1, readReq), 0, false)
 	doReq(b1, writeReq)
-	validateResponse(doReq(b1, readReq), targetCacheSize, true)
+	validateResponse(doReq(b1, readReq), targetCacheSize, false)
 
 	// b2 should spin up with a configured cache
 	b2 := createBackendWithSysViewWithStorage(t, storage)
@@ -77,4 +87,10 @@ func TestTransit_CacheConfig(t *testing.T) {
 	// b3 enables transit without a cache, trying to read it should error
 	b3 := createBackendWithForceNoCacheWithSysViewWithStorage(t, storage)
 	doErrReq(b3, readReq)
+
+	// b4 should spin up with a size less than minimum cache size (10)
+	b4, storage := createBackendWithSysView(t)
+	doErrReq(b4, writeSmallCacheSizeReq)
+
+
 }

changelog/12418.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+Enforce minimum cache size for transit backend
+```

website/content/api-docs/secret/transit.mdx

@@ -1307,7 +1307,7 @@ using the [`/sys/plugins/reload/backend`][sys-plugin-reload-backend] endpoint.
 
 - `size` `(int: 0)` - Specifies the size in terms of number of entries. A size of
   `0` means unlimited. A _Least Recently Used_ (LRU) caching strategy is used for a
-  non-zero cache size.
+  non-zero cache size. Must be 0 (default) or a value greater or equal to 10 (minimum cache size).
 
 ### Sample Payload