From 2dc73dd2b27b3feb42e30a02bb3c23dd559e10ad Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Tue, 27 Jun 2023 15:54:22 -0400
Subject: [PATCH] backport of commit c3741b0177056d9e999ff03a6542a4811508fa9a (#21484)

Co-authored-by: Violet Hynes
---
 changelog/24170.txt | 3 +++
 vault/auth.go | 1 +
 vault/mount.go | 6 +++++-
 3 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 changelog/24170.txt

diff --git a/changelog/24170.txt b/changelog/24170.txt
new file mode 100644
index 0000000000000..9f047a9d67589
--- /dev/null
+++ b/changelog/24170.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this.
+```
diff --git a/vault/auth.go b/vault/auth.go
index f3692a5c9d0af..ddae3ee884531 100644
--- a/vault/auth.go
+++ b/vault/auth.go
@@ -876,6 +876,7 @@ func (c *Core) setupCredentials(ctx context.Context) error {
 // Calculate any namespace prefixes here, because when Taint() is called, there won't be
 // a namespace to pull from the context. This is similar to what we do above in c.router.Mount().
 path = entry.Namespace().Path + path
+c.logger.Debug("tainting a mount due to it being marked as tainted in mount table", "entry.path", entry.Path, "entry.namespace.path", entry.Namespace().Path, "full_path", path)
 c.router.Taint(ctx, path)
 }
 
diff --git a/vault/mount.go b/vault/mount.go
index b4f817f86f2b0..a05d12dccb978 100644
--- a/vault/mount.go
+++ b/vault/mount.go
@@ -1571,7 +1571,11 @@ func (c *Core) setupMounts(ctx context.Context) error {
 
 // Ensure the path is tainted if set in the mount table
 if entry.Tainted {
-c.router.Taint(ctx, entry.Path)
+// Calculate any namespace prefixes here, because when Taint() is called, there won't be
+// a namespace to pull from the context. This is similar to what we do above in c.router.Mount().
+path := entry.Namespace().Path + entry.Path
+c.logger.Debug("tainting a mount due to it being marked as tainted in mount table", "entry.path", entry.Path, "entry.namespace.path", entry.Namespace().Path, "full_path", path)
+c.router.Taint(ctx, path)
 }
 
 // Ensure the cache is populated, don't need the result
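Review bot: The result of `c.router.Taint(ctx, path)` on the last added line is still discarded, so if the router has no route at the computed path the entry stays marked Tainted in the mount table while the router never learns of it, and nothing records the discrepancy — exactly the class of mismatch this commit is fixing. If Taint reports failure (a lookup on a non-existent route presumably does), surface it rather than drop it: `if err := c.router.Taint(ctx, path); err != nil {` / `c.logger.Warn("failed to taint mount marked as tainted in mount table", "full_path", path, "error", err)` / `}`. The new `path := entry.Namespace().Path + entry.Path` also assumes `entry.Namespace()` is non-nil here and that its Path carries the separator needed for the concatenation to equal the key used by the earlier router.Mount call; a one-line comment stating that invariant (`// Namespace().Path is expected to end in "/" so the key matches router.Mount`) would help the next reader, since nothing in the hunk checks it. Minor style: the Debug keys mix dotted (`entry.path`) and underscored (`full_path`) names. The enclosing setupMounts loop starts before this hunk.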