Do role lookup for lease if its not set

hashicorp · Aug 30, 2023 · 0f2ab8e · 0f2ab8e
1 parent c6f764c
commit 0f2ab8e
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/vault/request_handling.go b/vault/request_handling.go
@@ -1485,7 +1485,8 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 
 		// Check for request role in context to role based quotas
 		var role string
-		if reqRole := ctx.Value(logical.CtxKeyRequestRole{}); reqRole != nil {
+		reqRole := ctx.Value(logical.CtxKeyRequestRole{})
+		if reqRole != nil {
 			role = reqRole.(string)
 		}
 
@@ -1686,6 +1687,13 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 		// Attach the display name, might be used by audit backends
 		req.DisplayName = auth.DisplayName
 
+		// If this is not a role-based quota, we still need to associate the
+		// login role with this lease for later lease-count quotas to be
+		// accurate.
+		if reqRole == nil {
+			role = c.DetermineRoleFromLoginRequest(ctx, req.MountPoint, req.Data)
+		}
+
 		leaseGen, respTokenCreate, errCreateToken := c.LoginCreateToken(ctx, ns, req.Path, source, role, resp)
 		leaseGenerated = leaseGen
 		if errCreateToken != nil {