From d7d5c055fcd851872ddd6f0bf69007983f8eb247 Mon Sep 17 00:00:00 2001
From: Hridoy Roy
Date: Wed, 31 Aug 2022 11:05:21 -0700
Subject: [PATCH] Load SSCT Generation Counter Upon DR Promotion [OSS] (#16956)

* port ssct bugfix to load epoch from storage
* changelog
* update changelog to be user-facing
* change 2 to two
---
 changelog/16956.txt | 3 +++
 vault/token_store_util_common.go | 3 +++
 2 files changed, 6 insertions(+)
 create mode 100644 changelog/16956.txt

diff --git a/changelog/16956.txt b/changelog/16956.txt
new file mode 100644
index 0000000000..8912f727f4
--- /dev/null
+++ b/changelog/16956.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: Prevent two or more DR failovers from invalidating SSCT tokens generated on the previous primaries.
+```
diff --git a/vault/token_store_util_common.go b/vault/token_store_util_common.go
index 235e2d2167..a10bb83a85 100644
--- a/vault/token_store_util_common.go
+++ b/vault/token_store_util_common.go
@@ -38,6 +38,9 @@ func (ts *TokenStore) loadSSCTokensGenerationCounter(ctx context.Context) error
 }
 
 func (ts *TokenStore) UpdateSSCTokensGenerationCounter(ctx context.Context) error {
+ if err := ts.loadSSCTokensGenerationCounter(ctx); err != nil {
+ return err
+ }
 ts.sscTokensGenerationCounter.Counter += 1
 if ts.sscTokensGenerationCounter.Counter <= 0 {
 // Don't store the 0 value
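Review bot: `UpdateSSCTokensGenerationCounter` now reloads `ts.sscTokensGenerationCounter` from storage and then increments it, and nothing in the visible lines serializes that read-modify-write, so two overlapping callers could start from the same stored value and end up with the same generation. If promotion already runs under a lock this is fine, but the exported method has no doc comment stating it; I would add `// UpdateSSCTokensGenerationCounter reloads the counter from storage and increments it; callers must serialize calls, and any in-memory value is replaced by the stored one.` The bare `return err` also hides which step failed during a promotion; wrapping it as `return fmt.Errorf("loading SSCT generation counter: %w", err)` (assuming `fmt` is imported in this file) would make that diagnosable. The function body continues past the end of the hunk, so the store step, and what the load does when no entry exists yet, cannot be checked from here. The diffstat lists no test file, so a regression test covering two successive DR promotions would pin the behavior the changelog describes.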