Fix data race in identity tests (#12941) (#12948)

Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
2026-05-28 04:10:44 -04:00 · 2026-03-12 14:03:48 -04:00 · 2026-03-12 14:03:48 -04:00 · fa8681a666
commit fa8681a666
parent 1a57de40bd
3 changed files with 15 additions and 5 deletions
--- a/vault/identity_store.go
+++ b/vault/identity_store.go
@ -51,6 +51,9 @@ func (i *IdentityStore) GetDisableLowerCasedNames() bool {
 	return i.disableLowerCasedNames
 }

+// resetDB callers must hold the write lock on i.lock before calling, to ensure
+// that no other goroutine is reading from or writing to the database while it
+// gets reset.
 func (i *IdentityStore) resetDB() error {
 	var err error

--- a/vault/identity_store_test.go
+++ b/vault/identity_store_test.go
@ -1506,6 +1506,9 @@ func identityStoreLoadingIsDeterministic(t *testing.T, flags *determinismTestFla
 		CredentialBackends: map[string]logical.Factory{
 			"userpass": credUserpass.Factory,
 		},
+		ActivityLogConfig: ActivityLogCoreConfig{
+			DisableTimers: true,
+		},
 	}

 	c, sealKeys, rootToken := TestCoreUnsealedWithConfig(t, cfg)
@ -1681,13 +1684,15 @@ func identityStoreLoadingIsDeterministic(t *testing.T, flags *determinismTestFla
 	var prevErr error

 	for i := 0; i < 10; i++ {
+		c.identityStore.lock.Lock()
 		err := c.identityStore.resetDB()
+		if err == nil {
+			logger.Info(" ==> BEGIN LOAD ARTIFACTS", "i", i)
+			err = c.identityStore.loadArtifacts(ctx, true)
+		}
+		c.identityStore.lock.Unlock()
 		require.NoError(t, err)

-		logger.Info(" ==> BEGIN LOAD ARTIFACTS", "i", i)
-
-		err = c.identityStore.loadArtifacts(ctx, true)
-
 		if i > 0 {
 			require.Equal(t, prevErr, err)
 		}
@ -1833,7 +1838,9 @@ func TestIdentityStoreLoadingDuplicateReporting(t *testing.T) {
 	// Setup a logger we can use to capture unseal logs
 	logBuf, stopCapture := startLogCapture(t, logger)

+	c.identityStore.lock.Lock()
 	err = c.identityStore.loadArtifacts(ctx, true)
+	c.identityStore.lock.Unlock()
 	stopCapture()

 	require.NoError(t, err)
--- a/vault/identity_store_util.go
+++ b/vault/identity_store_util.go
@ -40,7 +40,7 @@ var (
 )

 // loadArtifacts is responsible for loading entities, groups, and aliases from
-// storage into MemDB.
+// storage into MemDB. The caller should hold the identity store lock.
 func (i *IdentityStore) loadArtifacts(ctx context.Context, isActive bool) error {
 	if i == nil {
 		return nil