Delete parent reference when cycle is found

hashicorp · Sep 14, 2018 · 48b43c2 · 48b43c2
1 parent 77cb849
commit 48b43c2
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 9 deletions.
diff --git a/vault/token_store.go b/vault/token_store.go
@@ -150,13 +150,13 @@ func NewTokenStore(ctx context.Context, logger log.Logger, c *Core, config *logi
 
 	// Initialize the store
 	t := &TokenStore{
-		view:                  view,
-		cubbyholeDestroyer:    destroyCubbyhole,
-		logger:                logger,
-		tokenLocks:            locksutil.CreateLocks(),
-		tokensPendingDeletion: &sync.Map{},
-		saltLock:              sync.RWMutex{},
-		core:                  c,
+		view:                        view,
+		cubbyholeDestroyer:          destroyCubbyhole,
+		logger:                      logger,
+		tokenLocks:                  locksutil.CreateLocks(),
+		tokensPendingDeletion:       &sync.Map{},
+		saltLock:                    sync.RWMutex{},
+		core:                        c,
 		identityPoliciesDeriverFunc: c.fetchEntityAndDerivedPolicies,
 		tidyLock:                    new(uint32),
 		quitContext:                 c.activeContext,
@@ -1221,6 +1221,10 @@ func (ts *TokenStore) revokeTreeSalted(ctx context.Context, saltedID string) err
 			if _, seen := seenIDs[child]; !seen {
 				children = append(children, child)
 			} else {
+				if err = ts.view.Delete(ctx, path+child); err != nil {
+					return errwrap.Wrapf("failed to delete entry: {{err}}", err)
+				}
+
 				ts.Logger().Warn("token cycle found", "token", child)
 			}
 		}

diff --git a/vault/token_store_test.go b/vault/token_store_test.go
@@ -970,10 +970,13 @@ func testTokenStore_RevokeTree_NonRecursive(t testing.TB, depth uint64, injectCy
 	ts := c.tokenStore
 	root, children := buildTokenTree(t, ts, depth)
 
+	var cyclePaths []string
 	if injectCycles {
 		// Make the root the parent of itself
 		saltedRoot, _ := ts.SaltID(context.Background(), root.ID)
-		le := &logical.StorageEntry{Key: fmt.Sprintf("parent/%s/%s", saltedRoot, saltedRoot)}
+		key := fmt.Sprintf("parent/%s/%s", saltedRoot, saltedRoot)
+		cyclePaths = append(cyclePaths, key)
+		le := &logical.StorageEntry{Key: key}
 
 		if err := ts.view.Put(context.Background(), le); err != nil {
 			t.Fatalf("err: %v", err)
@@ -982,7 +985,9 @@ func testTokenStore_RevokeTree_NonRecursive(t testing.TB, depth uint64, injectCy
 		// Make a deep child the parent of a shallow child
 		shallow, _ := ts.SaltID(context.Background(), children[0].ID)
 		deep, _ := ts.SaltID(context.Background(), children[len(children)-1].ID)
-		le = &logical.StorageEntry{Key: fmt.Sprintf("parent/%s/%s", deep, shallow)}
+		key = fmt.Sprintf("parent/%s/%s", deep, shallow)
+		cyclePaths = append(cyclePaths, key)
+		le = &logical.StorageEntry{Key: key}
 
 		if err := ts.view.Put(context.Background(), le); err != nil {
 			t.Fatalf("err: %v", err)
@@ -1013,6 +1018,16 @@ func testTokenStore_RevokeTree_NonRecursive(t testing.TB, depth uint64, injectCy
 			t.Fatalf("bad: %#v", out)
 		}
 	}
+
+	for _, path := range cyclePaths {
+		entry, err := ts.view.Get(context.Background(), path)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		if entry != nil {
+			t.Fatalf("expected reference to be deleted: %v", entry)
+		}
+	}
 }
 
 // A benchmark function that tests testTokenStore_RevokeTree_NonRecursive