Add locking when adding aliases to existing entities

vault/identity_store.go

@@ -38,6 +38,7 @@ func NewIdentityStore(ctx context.Context, core *Core, config *logical.BackendCo
 		view:        config.StorageView,
 		db:          db,
 		entityLocks: locksutil.CreateLocks(),
+		aliasLocks:  locksutil.CreateLocks(),
 		logger:      logger,
 		core:        core,
 	}

vault/identity_store_aliases.go

@@ -30,8 +30,9 @@ func aliasPaths(i *IdentityStore) []*framework.Path {
 				},
 				// entity_id is deprecated in favor of canonical_id
 				"entity_id": {
-					Type:        framework.TypeString,
-					Description: "Entity ID to which this alias belongs to",
+					Type: framework.TypeString,
+					Description: `Entity ID to which this alias belongs to.
+This field is deprecated, use canonical_id.`,
 				},
 				"canonical_id": {
 					Type:        framework.TypeString,
@@ -71,8 +72,9 @@ vault <command> <path> metadata=key1=value1 metadata=key2=value2
 				},
 				// entity_id is deprecated
 				"entity_id": {
-					Type:        framework.TypeString,
-					Description: "Entity ID to which this alias belongs to",
+					Type: framework.TypeString,
+					Description: `Entity ID to which this alias belongs to.
+This field is deprecated, use canonical_id.`,
 				},
 				"canonical_id": {
 					Type:        framework.TypeString,
@@ -111,8 +113,9 @@ vault <command> <path> metadata=key1=value1 metadata=key2=value2
 				},
 				// entity_id is deprecated
 				"entity_id": {
-					Type:        framework.TypeString,
-					Description: "Entity ID to which this alias belongs to",
+					Type: framework.TypeString,
+					Description: `Entity ID to which this alias belongs to.
+This field is deprecated, use canonical_id.`,
 				},
 				"canonical_id": {
 					Type:        framework.TypeString,
@@ -179,6 +182,10 @@ func (i *IdentityStore) pathAliasIDUpdate() framework.OperationFunc {
 			return logical.ErrorResponse("empty alias ID"), nil
 		}
 
+		lock := locksutil.LockForKey(i.aliasLocks, aliasID)
+		lock.Lock()
+		defer lock.Unlock()
+
 		alias, err := i.MemDBAliasByID(aliasID, true, false)
 		if err != nil {
 			return nil, err
@@ -197,6 +204,7 @@ func (i *IdentityStore) handleAliasUpdateCommon(req *logical.Request, d *framewo
 	var newAlias bool
 	var entity *identity.Entity
 	var previousEntity *identity.Entity
+	var lockKeys []string
 
 	// Alias will be nil when a new alias is being registered; create a
 	// new struct in that case.
@@ -206,19 +214,13 @@ func (i *IdentityStore) handleAliasUpdateCommon(req *logical.Request, d *framewo
 	}
 
 	// Get entity id
-	canonicalID := d.Get("entity_id").(string)
+	canonicalID := d.Get("canonical_id").(string)
 	if canonicalID == "" {
-		canonicalID = d.Get("canonical_id").(string)
+		// For backwards compatibility
+		canonicalID = d.Get("entity_id").(string)
 	}
-
 	if canonicalID != "" {
-		entity, err = i.MemDBEntityByID(canonicalID, true)
-		if err != nil {
-			return nil, err
-		}
-		if entity == nil {
-			return logical.ErrorResponse("invalid entity ID"), nil
-		}
+		lockKeys = append(lockKeys, canonicalID)
 	}
 
 	// Get alias name
@@ -256,8 +258,46 @@ func (i *IdentityStore) handleAliasUpdateCommon(req *logical.Request, d *framewo
 		return nil, err
 	}
 
+	var existingEntity *identity.Entity
+	if !newAlias {
+		// Verify that the combination of alias name and mount is not
+		// already tied to a different alias
+		if aliasByFactors != nil && aliasByFactors.ID != alias.ID {
+			return logical.ErrorResponse("combination of mount and alias name is already in use"), nil
+		}
+
+		// Fetch the entity to which the alias is tied to
+		existingEntity, err = i.MemDBEntityByAliasID(alias.ID, true)
+		if err != nil {
+			return nil, err
+		}
+
+		if existingEntity == nil {
+			return nil, fmt.Errorf("alias is not associated with an entity")
+		}
+		lockKeys = append(lockKeys, existingEntity.ID)
+	}
+
+	// Acquire the lock to modify the entity storage entry
+	locks := locksutil.LocksForKeys(i.entityLocks, lockKeys)
+	for _, lock := range locks {
+		lock.Lock()
+		defer lock.Unlock()
+	}
+
+	if canonicalID != "" {
+		entity, err = i.MemDBEntityByID(canonicalID, true)
+		if err != nil {
+			return nil, err
+		}
+		if entity == nil {
+			return logical.ErrorResponse("invalid canonical ID"), nil
+		}
+	}
+
 	resp := &logical.Response{}
 
+	var newEntity bool
 	if newAlias {
 		if aliasByFactors != nil {
 			return logical.ErrorResponse("combination of mount and alias name is already in use"), nil
@@ -271,22 +311,16 @@ func (i *IdentityStore) handleAliasUpdateCommon(req *logical.Request, d *framewo
 					alias,
 				},
 			}
+			newEntity = true
 		} else {
 			entity.Aliases = append(entity.Aliases, alias)
 		}
 	} else {
-		// Verify that the combination of alias name and mount is not
-		// already tied to a different alias
-		if aliasByFactors != nil && aliasByFactors.ID != alias.ID {
-			return logical.ErrorResponse("combination of mount and alias name is already in use"), nil
-		}
-
-		// Fetch the entity to which the alias is tied to
-		existingEntity, err := i.MemDBEntityByAliasID(alias.ID, true)
+		// Reread existing entity now that we have the lock on the entity id
+		existingEntity, err := i.MemDBEntityByID(existingEntity.ID, true)
 		if err != nil {
 			return nil, err
 		}
-
 		if existingEntity == nil {
 			return nil, fmt.Errorf("alias is not associated with an entity")
 		}
@@ -353,9 +387,14 @@ func (i *IdentityStore) handleAliasUpdateCommon(req *logical.Request, d *framewo
 	// aliases in storage. If the alias is being transferred over from
 	// one entity to another, previous entity needs to get refreshed in MemDB
 	// and persisted in storage as well.
-	err = i.upsertEntity(entity, previousEntity, true)
-	if err != nil {
-		return nil, err
+	if newEntity {
+		if err := i.upsertEntity(entity, previousEntity, true); err != nil {
+			return nil, err
+		}
+	} else {
+		if err := i.upsertEntityNonLocked(entity, previousEntity, true); err != nil {
+			return nil, err
+		}
 	}
 
 	// Return ID of both alias and entity

vault/identity_store_entities.go

@@ -332,6 +332,11 @@ func (i *IdentityStore) pathEntityIDUpdate() framework.OperationFunc {
 			return logical.ErrorResponse("missing entity id"), nil
 		}
 
+		// Acquire the lock to modify the entity storage entry
+		lock := locksutil.LockForKey(i.entityLocks, entityID)
+		lock.Lock()
+		defer lock.Unlock()
+
 		entity, err := i.MemDBEntityByID(entityID, true)
 		if err != nil {
 			return nil, err
@@ -407,10 +412,16 @@ func (i *IdentityStore) handleEntityUpdateCommon(req *logical.Request, d *framew
 
 	respData["aliases"] = aliasIDs
 
-	// Update MemDB and persist entity object
-	err = i.upsertEntity(entity, nil, true)
-	if err != nil {
-		return nil, err
+	// Update MemDB and persist entity object. New entities have not been
+	// looked up yet so we need to take the lock on the entity on upsert
+	if newEntity {
+		if err := i.upsertEntity(entity, nil, true); err != nil {
+			return nil, err
+		}
+	} else {
+		if err := i.upsertEntityNonLocked(entity, nil, true); err != nil {
+			return nil, err
+		}
 	}
 
 	// Return ID of the entity that was either created or updated along with

vault/identity_store_structs.go

@@ -56,6 +56,10 @@ type IdentityStore struct {
 	// categorized to while performing storage modifications.
 	entityLocks []*locksutil.LockEntry
 
+	// aliasLocks are a set of 256 locks to which all the aliases will be
+	// categorized to while performing storage modifications.
+	aliasLocks []*locksutil.LockEntry
+
 	// groupLock is used to protect modifications to group entries
 	groupLock sync.RWMutex