From d02ed76ba65c1e52abcaf832b85a7c23be91fc1e Mon Sep 17 00:00:00 2001
From: Nick Cabatoff <ncabatoff@hashicorp.com>
Date: Mon, 17 Oct 2022 09:18:02 -0400
Subject: [PATCH] Tolerate NamespaceByID returning (nil,nil) when looking up an
 mfa enforcement's ns (#17562)

---
 changelog/17562.txt | 3 +++
 vault/login_mfa.go  | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 changelog/17562.txt

diff --git a/changelog/17562.txt b/changelog/17562.txt
new file mode 100644
index 0000000000..9d9d0f7bd1
--- /dev/null
+++ b/changelog/17562.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: prevent panic during mfa after enforcement's namespace is deleted
+```
diff --git a/vault/login_mfa.go b/vault/login_mfa.go
index 6c0ae5755e..411357da7a 100644
--- a/vault/login_mfa.go
+++ b/vault/login_mfa.go
@@ -1693,7 +1693,7 @@ ECONFIG_LOOP:
 		if err != nil {
 			return nil, fmt.Errorf("failed to find the MFAEnforcementConfig namespace")
 		}
-		if eConfigNS.ID != ns.ID && !ns.HasParent(eConfigNS) {
+		if eConfig == nil || (eConfigNS.ID != ns.ID && !ns.HasParent(eConfigNS)) {
 			continue
 		}