AUX localhost.json.example 130 BLAKE2B c2af154a798286daae8a1804c698a8a8437bb4fbf2c9e928bd8ebd2cc846a7887058695f3715a4e3b9c82232529fe053b40d52fd98fd6b6c4018fbb2009a7da0 SHA512 9f9bc222f3716942b7423fa2ab14afd1d516bf3f3170b7418a75b970a33341426e13f89cf331a5e25bd3159dcbb435e20e75a0c9109e767e67bf777a7dbcd182

AUX vault-1.8.2-go-limiter.patch 10588 BLAKE2B 597b3edd7e98d36d34123ae5352bc8894df40962afc1721c87b53cd2baa459ae1a9545d5830ea31c46549a38e713157dd920292ede19c4a4e4b4c75e5a605038 SHA512 ae8134f2cd743188e4f7be06ee8f816456613c177cd56b311fd1ad0cae6106180b85c56381da866afd31ccf7e4d5b1c9239f148d2b18dae2dfcea3c08c74d0f7

AUX vault.confd 243 BLAKE2B 6598fa2138c4ca94fdd6b7a02048ee4a4eb2b37d17b8a065ae2f29ac183bd1473de37107b2e141b74933c1b14502cdaaaebe493ee71ad6c9141a889c6e73b977 SHA512 395d823dee49fed30d99fea1fcd1b0c1c3ae2bfd806fa0c169aa14d83a594d224f8966870799a3740a7e52f039616efe78834e0522e7a2802c7df4c56b3bbdd2

AUX vault.initd 573 BLAKE2B 444541b8912910cf6b5d038e466e18baebb7dfd2905d802217baf9e861bb7f2a3e032716545c74e269782aa420fbd052745322576b4bcb8c4cf53ba07471b261 SHA512 11124e6fc656977c20b55b578e30fd76b8f6905760c2f17f93b960a317975f1914c6bd8d4ffd3741ba405bfe5aa0cecb68067f8ce52b2df9015863d31f9a7aad

AUX vault.logrotated 83 BLAKE2B 63b106e949f8a2da0ca97f1d07732fdea4dafbe44cb97ea81074472b95489d179deccd14f4d4176043f488f2be68b96dc6bee20748fe68f650d70fd32078d2bd SHA512 83d73760d85dbb731652aa5936d2780208ac4643e975538652f53b49305d024df6d72a8a06d82f430982b07cf940b2fd69f9a6eedb39d380136c8e5bfda280e5

AUX vault.service 677 BLAKE2B 0d9c6636c841ff33fa38afca10f10c62d273dc1c6419e35e2fa844472de0c963e177c80a6db3e95230db6f641ab50148843085cb4f141fa2dd2765aecf8457d3 SHA512 15951d095181fb1b1a5f79e0f385bdb96812a517ea59e05017141a29ed880d0e6f29d377e7c4bc53d5b70175122785a39923297b8e3304fc46a63835d2d2ec50

EBUILD vault-1.6.6.ebuild 1815 BLAKE2B 26b1ef44a8f7a7368e43f053589e55dbcf184f67c9d7bfa264f80d8a8de83b13568ee614d357ed75eb0464f53dfa8e58a97755229b283d026212761492264e64 SHA512 bd013a506908c251eeb581602e9f039361b33e3a8b13589c32228845cf830f66cb02960f0375a482fdae237a8c637145ab75bffd5d4f4e96d10046fdf32b6948

EBUILD vault-1.7.4.ebuild 1816 BLAKE2B 64dfcfd1375b66458538b35647ddf2a373be16ba8ac27619db188dbaec020f54f045977033a33aa365846e2c9aaf13ec491591208bf67811a7ef871afb32cc2c SHA512 7d4c606e6ad9f6b82c8930580fb37de60b1ce5cb1d470f37fec833e8402ed967187f6884264d417c356f1a2f9f1f7389bd968bddaba4d9baa601771e536b86e3

EBUILD vault-1.8.2.ebuild 95866 BLAKE2B 961521cff94023d3276bf1ebe9bb5b532c9658182fe700dbb70a6612709115ba8fcd690da09019aed77b6ed86971ef5e31f4bab97257b51c20d065f3361dd532 SHA512 4baeeaf13d6bb9132444d48494f2bd1444d92e8a5cf9c66b0f788aab2e9a59bb7362bfd6021048a43b5ee14fc23d6ad05d20a3ccb5b15b34d1657eece05fff96

MISC metadata.xml 372 BLAKE2B 8e18e03d14e17a6a5d8c6b7bdb0d87ef6aec8530e203edc579a66b0c6ba0809bbddf4d68943281483ed841daa18a87ee13bed427162e40cd6c2fe3c45b0ec4fb SHA512 07bd140cd5152ccf7e9c39a0ad45a9361b56306b773176155fceaee3dbfa4645d74dba5a21a131f0221419aed5a9aeed4a5aef7c4eec2750c803e11c96621b02

This is a combination of upstream commits:

b368a675955707db4e940da29a1043871a3781b6

21ea03e0f874991086d2f1bcdc285216878bd566

Fixes https://bugs.gentoo.org/808791

Fixes https://bugs.gentoo.org/810317

diff --git a/go.mod b/go.mod

index 548c0590f..22a8833e2 100644

--- a/go.mod

+++ b/go.mod

@@ -150,7 +150,7 @@ require (

 	github.com/ryanuber/go-glob v1.0.0

 	github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da

 	github.com/sasha-s/go-deadlock v0.2.0

-	github.com/sethvargo/go-limiter v0.3.0

+	github.com/sethvargo/go-limiter v0.7.1

 	github.com/shirou/gopsutil v3.21.5+incompatible

 	github.com/stretchr/testify v1.7.0

 	github.com/tidwall/pretty v1.0.1 // indirect

diff --git a/go.sum b/go.sum

index c5b3b410d..98a5dd0a8 100644

--- a/go.sum

+++ b/go.sum

@@ -1120,8 +1120,8 @@ github.com/sean-/conswriter v0.0.0-20180208195008-f5ae3917a627/go.mod h1:7zjs06q

 github.com/sean-/pager v0.0.0-20180208200047-666be9bf53b5/go.mod h1:BeybITEsBEg6qbIiqJ6/Bqeq25bCLbL7YFmpaFfJDuM=

 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 h1:nn5Wsu0esKSJiIVhscUtVbo7ada43DJhG55ua/hjS5I=

 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=

-github.com/sethvargo/go-limiter v0.3.0 h1:yRMc+Qs2yqw6YJp6UxrO2iUs6DOSq4zcnljbB7/rMns=

-github.com/sethvargo/go-limiter v0.3.0/go.mod h1:C0kbSFbiriE5k2FFOe18M1YZbAR2Fiwf72uGu0CXCcU=

+github.com/sethvargo/go-limiter v0.7.1 h1:wWNhTj0pxjyJ7wuJHpRJpYwJn+bUnjYfw2a85eu5w9U=

+github.com/sethvargo/go-limiter v0.7.1/go.mod h1:C0kbSFbiriE5k2FFOe18M1YZbAR2Fiwf72uGu0CXCcU=

 github.com/shirou/gopsutil v3.21.5+incompatible h1:OloQyEerMi7JUrXiNzy8wQ5XN+baemxSl12QgIzt0jc=

 github.com/shirou/gopsutil v3.21.5+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA=

 github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24 h1:pntxY8Ary0t43dCZ5dqY4YTJCObLY1kIXl0uzMv+7DE=

diff --git a/http/util.go b/http/util.go

index 0550a93c7..cbb364843 100644

--- a/http/util.go

+++ b/http/util.go

@@ -48,7 +48,7 @@ func rateLimitQuotaWrapping(handler http.Handler, core *vault.Core) http.Handler

 			return

 		}

-		quotaResp, err := core.ApplyRateLimitQuota(&quotas.Request{

+		quotaResp, err := core.ApplyRateLimitQuota(r.Context(), &quotas.Request{

 			Type:          quotas.TypeRateLimit,

 			Path:          path,

 			MountPath:     strings.TrimPrefix(core.MatchingMount(r.Context(), path), ns.Path),

diff --git a/vault/core.go b/vault/core.go

index 3b6e461fd..27741e8c6 100644

--- a/vault/core.go

+++ b/vault/core.go

@@ -2744,7 +2744,7 @@ func (c *Core) setupQuotas(ctx context.Context, isPerfStandby bool) error {

 // ApplyRateLimitQuota checks the request against all the applicable quota rules.

 // If the given request's path is exempt, no rate limiting will be applied.

-func (c *Core) ApplyRateLimitQuota(req *quotas.Request) (quotas.Response, error) {

+func (c *Core) ApplyRateLimitQuota(ctx context.Context, req *quotas.Request) (quotas.Response, error) {

 	req.Type = quotas.TypeRateLimit

 	resp := quotas.Response{

@@ -2758,7 +2758,7 @@ func (c *Core) ApplyRateLimitQuota(req *quotas.Request) (quotas.Response, error)

 			return resp, nil

 		}

-		return c.quotaManager.ApplyQuota(req)

+		return c.quotaManager.ApplyQuota(ctx, req)

 	}

 	return resp, nil

diff --git a/vault/quotas/quotas.go b/vault/quotas/quotas.go

index 68cc72f9f..80ee59521 100644

--- a/vault/quotas/quotas.go

+++ b/vault/quotas/quotas.go

@@ -168,7 +168,7 @@ type Manager struct {

 // Quota represents the common properties of every quota type

 type Quota interface {

 	// allow checks the if the request is allowed by the quota type implementation.

-	allow(*Request) (Response, error)

+	allow(context.Context, *Request) (Response, error)

 	// quotaID is the identifier of the quota rule

 	quotaID() string

@@ -181,7 +181,7 @@ type Quota interface {

 	// close defines any cleanup behavior that needs to be executed when a quota

 	// rule is deleted.

-	close() error

+	close(context.Context) error

 	// handleRemount takes in the new mount path in the quota

 	handleRemount(string)

@@ -287,7 +287,7 @@ func (m *Manager) setQuotaLocked(ctx context.Context, qType string, quota Quota,

 	// If there already exists an entry in the db, remove that first.

 	if raw != nil {

 		quota := raw.(Quota)

-		if err := quota.close(); err != nil {

+		if err := quota.close(ctx); err != nil {

 			return err

 		}

 		err = txn.Delete(qType, raw)

@@ -518,7 +518,7 @@ func (m *Manager) DeleteQuota(ctx context.Context, qType string, name string) er

 	}

 	quota := raw.(Quota)

-	if err := quota.close(); err != nil {

+	if err := quota.close(ctx); err != nil {

 		return err

 	}

@@ -541,7 +541,7 @@ func (m *Manager) DeleteQuota(ctx context.Context, qType string, name string) er

 // ApplyQuota runs the request against any quota rule that is applicable to it. If

 // there are multiple quota rule that matches the request parameters, rule that

 // takes precedence will be used to allow/reject the request.

-func (m *Manager) ApplyQuota(req *Request) (Response, error) {

+func (m *Manager) ApplyQuota(ctx context.Context, req *Request) (Response, error) {

 	var resp Response

 	quota, err := m.QueryQuota(req)

@@ -562,7 +562,7 @@ func (m *Manager) ApplyQuota(req *Request) (Response, error) {

 		return resp, nil

 	}

-	return quota.allow(req)

+	return quota.allow(ctx, req)

 }

 // SetEnableRateLimitAuditLogging updates the operator preference regarding the

diff --git a/vault/quotas/quotas_rate_limit.go b/vault/quotas/quotas_rate_limit.go

index 64117b002..ad58b2af3 100644

--- a/vault/quotas/quotas_rate_limit.go

+++ b/vault/quotas/quotas_rate_limit.go

@@ -1,6 +1,7 @@

 package quotas

 import (

+	"context"

 	"encoding/hex"

 	"fmt"

 	"math"

@@ -264,7 +265,7 @@ func (rlq *RateLimitQuota) QuotaName() string {

 // returned if the request ID or address is empty. If the path is exempt, the

 // quota will not be evaluated. Otherwise, the client rate limiter is retrieved

 // by address and the rate limit quota is checked against that limiter.

-func (rlq *RateLimitQuota) allow(req *Request) (Response, error) {

+func (rlq *RateLimitQuota) allow(ctx context.Context, req *Request) (Response, error) {

 	resp := Response{

 		Headers: make(map[string]string),

 	}

@@ -300,7 +301,11 @@ func (rlq *RateLimitQuota) allow(req *Request) (Response, error) {

 		}

 	}

-	limit, remaining, reset, allow := rlq.store.Take(req.ClientAddress)

+	limit, remaining, reset, allow, err := rlq.store.Take(ctx, req.ClientAddress)

+	if err != nil {

+		return resp, err

+	}

+

 	resp.Allowed = allow

 	resp.Headers[httplimit.HeaderRateLimitLimit] = strconv.FormatUint(limit, 10)

 	resp.Headers[httplimit.HeaderRateLimitRemaining] = strconv.FormatUint(remaining, 10)

@@ -320,13 +325,13 @@ func (rlq *RateLimitQuota) allow(req *Request) (Response, error) {

 // close stops the current running client purge loop.

 // It should be called with the write lock held.

-func (rlq *RateLimitQuota) close() error {

+func (rlq *RateLimitQuota) close(ctx context.Context) error {

 	if rlq.purgeBlocked {

 		close(rlq.closePurgeBlockedCh)

 	}

 	if rlq.store != nil {

-		return rlq.store.Close()

+		return rlq.store.Close(ctx)

 	}

 	return nil

diff --git a/vault/quotas/quotas_rate_limit_test.go b/vault/quotas/quotas_rate_limit_test.go

index 27225e338..21f35dac3 100644

--- a/vault/quotas/quotas_rate_limit_test.go

+++ b/vault/quotas/quotas_rate_limit_test.go

@@ -37,7 +37,7 @@ func TestNewRateLimitQuota(t *testing.T) {

 			err := tc.rlq.initialize(logging.NewVaultLogger(log.Trace), metricsutil.BlackholeSink())

 			require.Equal(t, tc.expectErr, err != nil, err)

 			if err == nil {

-				require.Nil(t, tc.rlq.close())

+				require.Nil(t, tc.rlq.close(context.Background()))

 			}

 		})

 	}

@@ -46,7 +46,7 @@ func TestNewRateLimitQuota(t *testing.T) {

 func TestRateLimitQuota_Close(t *testing.T) {

 	rlq := NewRateLimitQuota("test-rate-limiter", "qa", "/foo/bar", 16.7, time.Second, time.Minute)

 	require.NoError(t, rlq.initialize(logging.NewVaultLogger(log.Trace), metricsutil.BlackholeSink()))

-	require.NoError(t, rlq.close())

+	require.NoError(t, rlq.close(context.Background()))

 	time.Sleep(time.Second) // allow enough time for purgeClientsLoop to receive on closeCh

 	require.False(t, rlq.getPurgeBlocked(), "expected blocked client purging to be disabled after explicit close")

@@ -66,14 +66,14 @@ func TestRateLimitQuota_Allow(t *testing.T) {

 	}

 	require.NoError(t, rlq.initialize(logging.NewVaultLogger(log.Trace), metricsutil.BlackholeSink()))

-	defer rlq.close()

+	defer rlq.close(context.Background())

 	var wg sync.WaitGroup

 	reqFunc := func(addr string, atomicNumAllow, atomicNumFail *atomic.Int32) {

 		defer wg.Done()

-		resp, err := rlq.allow(&Request{ClientAddress: addr})

+		resp, err := rlq.allow(context.Background(), &Request{ClientAddress: addr})

 		if err != nil {

 			return

 		}

@@ -141,7 +141,7 @@ func TestRateLimitQuota_Allow_WithBlock(t *testing.T) {

 	}

 	require.NoError(t, rlq.initialize(logging.NewVaultLogger(log.Trace), metricsutil.BlackholeSink()))

-	defer rlq.close()

+	defer rlq.close(context.Background())

 	require.True(t, rlq.getPurgeBlocked())

 	var wg sync.WaitGroup

@@ -149,7 +149,7 @@ func TestRateLimitQuota_Allow_WithBlock(t *testing.T) {

 	reqFunc := func(addr string, atomicNumAllow, atomicNumFail *atomic.Int32) {

 		defer wg.Done()

-		resp, err := rlq.allow(&Request{ClientAddress: addr})

+		resp, err := rlq.allow(context.Background(), &Request{ClientAddress: addr})

 		if err != nil {

 			return

 		}

@@ -221,5 +221,5 @@ func TestRateLimitQuota_Update(t *testing.T) {

 	require.NoError(t, qm.SetQuota(context.Background(), TypeRateLimit.String(), quota, true))

 	require.NoError(t, qm.SetQuota(context.Background(), TypeRateLimit.String(), quota, true))

-	require.Nil(t, quota.close())

+	require.Nil(t, quota.close(context.Background()))

 }

diff --git a/vault/quotas/quotas_util.go b/vault/quotas/quotas_util.go

index dc2fcdfac..7c0732f67 100644

--- a/vault/quotas/quotas_util.go

+++ b/vault/quotas/quotas_util.go

@@ -40,7 +40,7 @@ func (*entManager) Reset() error {

 type LeaseCountQuota struct{}

-func (l LeaseCountQuota) allow(request *Request) (Response, error) {

+func (l LeaseCountQuota) allow(_ context.Context, _ *Request) (Response, error) {

 	panic("implement me")

 }

@@ -56,7 +56,7 @@ func (l LeaseCountQuota) initialize(logger log.Logger, sink *metricsutil.Cluster

 	panic("implement me")

 }

-func (l LeaseCountQuota) close() error {

+func (l LeaseCountQuota) close(_ context.Context) error {

 	panic("implement me")

 }

PATCHES=( "${FILESDIR}"/${P}-go-limiter.patch )