From 706e2b5f095b0036208299dcb7122233394f1279 Mon Sep 17 00:00:00 2001
From: Michel Vocks
Date: Tue, 29 Oct 2019 17:42:13 +0100
Subject: [PATCH] Harden mount/auth filter evaluation error handling (#7754)
---
 vault/auth.go | 5 +++++
 vault/mount.go | 5 +++++
 2 files changed, 10 insertions(+)
diff --git a/vault/auth.go b/vault/auth.go
index 8b411899ae..a30bbe7c80 100644
--- a/vault/auth.go
+++ b/vault/auth.go
@@ -56,6 +56,11 @@ func (c *Core) enableCredential(ctx context.Context, entry *MountEntry) error {
 // Re-evaluate filtered paths
 if err := runFilteredPathsEvaluation(ctx, c); err != nil {
 c.logger.Error("failed to evaluate filtered paths", "error", err)
+
+ // We failed to evaluate filtered paths so we are undoing the mount operation
+ if disableCredentialErr := c.disableCredentialInternal(ctx, entry.Path, MountTableUpdateStorage); disableCredentialErr != nil {
+ c.logger.Error("failed to disable credential", "error", disableCredentialErr)
+ }
 return err
 }
 return nil
diff --git a/vault/mount.go b/vault/mount.go
index f7d352cb97..a029ffb619 100644
--- a/vault/mount.go
+++ b/vault/mount.go
@@ -383,6 +383,11 @@ func (c *Core) mount(ctx context.Context, entry *MountEntry) error {
 // Re-evaluate filtered paths
 if err := runFilteredPathsEvaluation(ctx, c); err != nil {
 c.logger.Error("failed to evaluate filtered paths", "error", err)
+
+ // We failed to evaluate filtered paths so we are undoing the mount operation
+ if unmountInternalErr := c.unmountInternal(ctx, entry.Path, MountTableUpdateStorage); unmountInternalErr != nil {
+ c.logger.Error("failed to unmount", "error", unmountInternalErr)
+ }
 return err
 }
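Review bot: If the rollback in the added block fails, the error from `disableCredentialInternal` is only logged and the caller still receives just the filter-evaluation error, so nothing in the return value says the auth backend may still be enabled at `entry.Path`; the `unmountInternal` rollback in the vault/mount.go hunk has the same shape. For an auth mount this is worth surfacing, because an operator who sees the enable call fail will reasonably assume no login path was left behind. At minimum add the path to the log line, `c.logger.Error("failed to disable credential", "path", entry.Path, "error", disableCredentialErr)`, and consider returning an error that mentions both failures. The added comment also says "undoing the mount operation" where this file is enabling a credential backend. enableCredential begins before the hunk, so what has already been committed by this point is not visible here.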
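Review bot: The rollback calls `c.unmountInternal(ctx, entry.Path, MountTableUpdateStorage)` with the same `ctx` that `runFilteredPathsEvaluation` just failed under, so if that failure came from a cancelled or expired context the unmount will presumably fail for the same reason and the mount stays in the table; the auth.go hunk reuses `ctx` the same way. Whether `unmountInternal` honours cancellation is not visible here, so this needs confirming against its body. If it does, the rollback needs a context that outlives the request while keeping its values, or at least a comment such as `// rollback reuses ctx; a cancelled ctx can leave the mount in place`. mount's body starts before the hunk and the hunk's trailing context ends inside the function.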