More Mount Conflict Detection

vault/auth.go

@@ -73,8 +73,8 @@ func (c *Core) enableCredential(entry *MountEntry) error {
 		return fmt.Errorf("token credential backend cannot be instantiated")
 	}
 
-	if match := c.router.MatchingMount(credentialRoutePrefix + entry.Path); match != "" {
-		return logical.CodedError(409, fmt.Sprintf("existing mount at %s", match))
+	if conflict := c.router.MountConflict(credentialRoutePrefix + entry.Path); conflict != "" {
+		return logical.CodedError(409, fmt.Sprintf("existing mount at %s", conflict))
 	}
 
 	// Generate a new UUID and view

vault/mount.go

@@ -195,8 +195,8 @@ func (c *Core) mount(entry *MountEntry) error {
 	c.mountsLock.Lock()
 	defer c.mountsLock.Unlock()
 
-	// Verify there is no conflicting mount
-	if match := c.router.MatchingMount(entry.Path); match != "" {
+	// Verify there are no conflicting mounts
+	if match := c.router.MountConflict(entry.Path); match != "" {
 		return logical.CodedError(409, fmt.Sprintf("existing mount at %s", match))
 	}
 

vault/router.go

@@ -60,6 +60,13 @@ func (r *Router) Mount(backend logical.Backend, prefix string, mountEntry *Mount
 	if existing, _, ok := r.root.LongestPrefix(prefix); ok && existing != "" {
 		return fmt.Errorf("cannot mount under existing mount '%s'", existing)
 	}
+	// If this is a secret backend, check to see if the prefix conflicts
+	// with an existing mountpoint
+	if prefix != "" {
+		if match := r.MatchingPrefix(prefix); match != "" {
+			return fmt.Errorf("cannot mount over existing mount '%s'", match)
+		}
+	}
 
 	// Build the paths
 	paths := backend.SpecialPaths()
@@ -174,6 +181,31 @@ func (r *Router) MatchingMount(path string) string {
 	return mount
 }
 
+//MatchingPrefix returns a mount prefix that a path may be a part of
+func (r *Router) MatchingPrefix(path string) string {
+	var existing string = ""
+	fn := func(existing_path string, _v interface{}) bool {
+		if strings.HasPrefix(existing_path, path) {
+			existing = existing_path
+			return true
+		}
+		return false
+	}
+	r.root.WalkPrefix(path, fn)
+	return existing
+}
+
+// MountConflict determines if there are potential path conflicts
+func (r *Router) MountConflict(path string) string {
+	if exact_match := r.MatchingMount(path); exact_match != "" {
+		return exact_match
+	}
+	if prefix_match := r.MatchingPrefix(path); prefix_match != "" {
+		return prefix_match
+	}
+	return ""
+}
+
 // MatchingView returns the view used for a path
 func (r *Router) MatchingStorageView(path string) *BarrierView {
 	r.l.RLock()

vault/router_test.go

@@ -98,6 +98,28 @@ func TestRouter_Mount(t *testing.T) {
 		t.Fatalf("err: %v", err)
 	}
 
+	meUUID, err = uuid.GenerateUUID()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	subMountEntry := &MountEntry{
+		Path: "prod/",
+		UUID: meUUID,
+	}
+
+	if r.MountConflict("prod/aws/") == "" {
+		t.Fatalf("bad: prod/aws/")
+	}
+	if r.MountConflict("prod/") == "" {
+		t.Fatalf("bad: prod/")
+	}
+
+	err = r.Mount(n, "prod/", subMountEntry, view)
+	if !strings.Contains(err.Error(), "cannot mount over existing mount") {
+		t.Fatalf("err: %v", err)
+	}
+
 	if path := r.MatchingMount("prod/aws/foo"); path != "prod/aws/" {
 		t.Fatalf("bad: %s", path)
 	}

website/source/docs/secrets/index.html.md

@@ -59,6 +59,13 @@ Once a secret backend is mounted, you can interact with it directly
 at its mount point according to its own API. You can use the `vault path-help`
 system to determine the paths it responds to.
 
+Note that mount point cannot conflict with each other in Vault. There are
+two broad implications of this fact. The first is that you cannot have
+a mount which is prefixed with an existing mount. The second is that you
+cannot create a mount point that is named as a prefix of an existing mount.
+As an example, the mounts `foo/bar` and `foo/baz` can peacefully coexist
+with each other whereas `foo` and `foo/baz` cannot
+
 ## Barrier View
 
 An important concept around secret backends is that they receive a