From dde5c0cc998c03822a4c3fdb2c9b3d8fde46d258 Mon Sep 17 00:00:00 2001
From: Aapo Talvensaari
Date: Mon, 18 Sep 2023 10:50:51 +0300
Subject: [PATCH] fix(vault): vault references may be dropped from rotation (#11567)

### Summary

Fixes issue where Vault references may be dropped from rotation in case a too small value if configured in `config.resurrect_ttl` OR `config.neg_ttl`.

This is fixed by setting a constant value of:
```
local SECRETS_CACHE_MIN_TTL = ROTATION_INTERVAL * 2
```
(the rotation interval is by default 60 seconds).

Signed-off-by: Aapo Talvensaari
---
 kong/pdk/vault.lua | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/kong/pdk/vault.lua b/kong/pdk/vault.lua
index fedf459b291e..32a35e51d82d 100644
--- a/kong/pdk/vault.lua
+++ b/kong/pdk/vault.lua
@@ -26,7 +26,7 @@ local get_updated_now_ms = utils.get_updated_now_ms
 local ngx = ngx
 local get_phase = ngx.get_phase
-local min = math.min
+local max = math.max
 local fmt = string.format
 local sub = string.sub
 local byte = string.byte
@@ -50,7 +50,7 @@ local decode_json = cjson.decode
 local NEGATIVELY_CACHED_VALUE = "\0"
-local ROTATION_INTERVAL = tonumber(os.getenv("KONG_VAULT_ROTATION_INTERVAL") or 60)
+local ROTATION_INTERVAL = tonumber(os.getenv("KONG_VAULT_ROTATION_INTERVAL"), 10) or 60
 local DAO_MAX_TTL = constants.DATABASE.DAO_MAX_TTL
@@ -183,7 +183,7 @@ end
 local function new(self)
   -- Don't put this onto the top level of the file unless you're prepared for a surprise
   local Schema = require "kong.db.schema"
- 
+
   local ROTATION_MUTEX_OPTS = {
     name = "vault-rotation",
     exptime = ROTATION_INTERVAL * 1.5, -- just in case the lock is not properly released
@@ -194,6 +194,7 @@ local function new(self)
   local RETRY_LRU = lrucache.new(1000)
   local SECRETS_CACHE = ngx.shared.kong_secrets
+  local SECRETS_CACHE_MIN_TTL = ROTATION_INTERVAL * 2
   local STRATEGIES = {}
   local SCHEMAS = {}
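Review bot: The parsed KONG_VAULT_ROTATION_INTERVAL in the `@@ -50,7` hunk is not range-checked, so a value such as `0` or `-1` survives the `or 60` fallback (only nil is replaced) and later yields a non-positive SECRETS_CACHE_MIN_TTL and ROTATION_MUTEX_OPTS.exptime, which removes the floor this patch introduces. A guard right after the assignment would keep the default for unusable values: `if not ROTATION_INTERVAL or ROTATION_INTERVAL <= 0 then ROTATION_INTERVAL = 60 end`. Note also that `tonumber(nil, 10)` returns nil on LuaJIT but raises on PUC Lua 5.3+, so this form is tied to the OpenResty runtime; a short comment stating that would save the next reader a check.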
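Review bot: SECRETS_CACHE_MIN_TTL in the `@@ -194,6` hunk carries no comment explaining the factor of 2, which is the core of this fix; a reader of this line alone cannot tell that the value has to exceed the rotation period so an entry is never evicted from SECRETS_CACHE between two rotation passes. Suggest `-- shdict entries must outlive at least one rotation pass; otherwise a reference is evicted before the rotation timer can refresh it and is dropped from rotation` above the assignment. The enclosing function new(self) starts before this hunk and ends after it.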
@@ -762,12 +763,12 @@ local function new(self)
     if value then
       -- adjust ttl to the minimum and maximum values configured
       ttl = adjust_ttl(ttl, config)
-      shdict_ttl = ttl + (config.resurrect_ttl or DAO_MAX_TTL)
+      shdict_ttl = max(ttl + (config.resurrect_ttl or DAO_MAX_TTL), SECRETS_CACHE_MIN_TTL)
       cache_value = value
     else
       -- negatively cached values will be rotated on each rotation interval
-      shdict_ttl = min(config.neg_ttl or ROTATION_INTERVAL)
+      shdict_ttl = max(config.neg_ttl or 0, SECRETS_CACHE_MIN_TTL)
       cache_value = NEGATIVELY_CACHED_VALUE
     end
@@ -777,6 +778,7 @@ local function new(self)
     end
     if not value then
+      LRU:delete(reference)
       return nil, fmt("could not get value from external vault (%s)", err)
     end
@@ -1176,7 +1178,7 @@ local function new(self)
       -- negatively cached.
       local ttl = SECRETS_CACHE:ttl(new_cache_key)
       if ttl and SECRETS_CACHE:get(new_cache_key) ~= NEGATIVELY_CACHED_VALUE then
-        local resurrect_ttl = config.resurrect_ttl or DAO_MAX_TTL
+        local resurrect_ttl = max(config.resurrect_ttl or DAO_MAX_TTL, SECRETS_CACHE_MIN_TTL)
         if ttl > resurrect_ttl then
           return true
         end
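Review bot: The floor is applied to different quantities in the `@@ -762,12` hunk and in the `@@ -1176,7` hunk: here `shdict_ttl = max(ttl + resurrect, SECRETS_CACHE_MIN_TTL)` floors the whole expiry, while the rotation check at 1178 floors only the resurrect component and then tests `ttl > resurrect_ttl`. When `config.resurrect_ttl` is below SECRETS_CACHE_MIN_TTL but `ttl + resurrect_ttl` is above it, the threshold used by the rotation check is larger than the resurrect window actually encoded in the shdict expiry, so the entry is treated as past its own ttl and re-fetched from the vault while that ttl has not elapsed. Flooring the resurrect component at set time keeps both sites consistent and still guarantees an expiry of at least SECRETS_CACHE_MIN_TTL (assuming adjust_ttl never returns a negative ttl, which I cannot see here): `shdict_ttl = ttl + max(config.resurrect_ttl or DAO_MAX_TTL, SECRETS_CACHE_MIN_TTL)`. The comment on the negative branch should also mention that the floor exists so the marker survives until the next rotation pass, since `neg_ttl` no longer bounds it from below. The enclosing function starts and ends outside this hunk.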
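Review bot: The new `LRU:delete(reference)` in the `@@ -777,6` hunk carries no comment saying why a failed fetch must evict the worker-local entry, and the commit message does not mention it either. If LRU is the per-worker front cache ahead of SECRETS_CACHE (inferred from the name only), the intent is presumably that the next access re-reads the negative marker written to the shared dict instead of serving a stale local copy; a one-line comment such as `-- evict the worker-local copy so the next lookup re-reads the (now negative) shared entry` would record that. The enclosing function starts and ends outside this hunk.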