upstream/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2026-05-28 04:10:44 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

events: Avoid data race by checking for root token (#22916)

Browse source 
before starting access loop checker.

We were seeing rare data races because the `core.IsRoot()` check was
being called after the subscriber access loop checker was starter.
The subscriber access loop calls `core.CheckToken()`, which can modify
the values that `IsRoot()` is reading.
This commit is contained in:
Christopher Swenson 2023-09-08 10:15:01 -07:00 committed by GitHub
parent 12b9e5dd36
commit b6e8cb3a4c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
http/events.go
View file

@ -244,8 +244,9 @@ func handleEventsSubscribe(core *vault.Core, req *logical.Request) http.Handler
// continually validate subscribe access while the websocket is running
ctx, cancelCtx := context.WithCancel(ctx)
defer cancelCtx()
go validateSubscribeAccessLoop(core, ctx, cancelCtx, req)
isRoot := entry.IsRoot()
go validateSubscribeAccessLoop(core, ctx, cancelCtx, req)
sub := &eventSubscriber{
ctx: ctx,
capabilitiesFunc: core.CapabilitiesAndSubscribeEventTypes,
@ -258,7 +259,7 @@ func handleEventsSubscribe(core *vault.Core, req *logical.Request) http.Handler
json: json,
checkCache: cache.New(webSocketRevalidationTime, webSocketRevalidationTime),
clientToken: auth.ClientToken,
isRootToken: entry.IsRoot(),
isRootToken: isRoot,
}
closeStatus, closeReason, err := sub.handleEventsSubscribeWebsocket()
if err != nil {