Replicate member_entity_ids and policies in identity/group across nod…

…es identically (#16088) (#16186) * Replicate values of group member_entity_ids and policies across nodes identically * Adding CL * fixing tests
hashicorp · Jun 29, 2022 · 90b1453 · 90b1453
1 parent 959a8c2
commit 90b1453
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 11 deletions.
diff --git a/changelog/16088.txt b/changelog/16088.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core/identity: Replicate member_entity_ids and policies in identity/group across nodes identically
+```
diff --git a/vault/external_tests/identity/identity_test.go b/vault/external_tests/identity/identity_test.go
@@ -628,8 +628,20 @@ func assertMember(t *testing.T, client *api.Client, entityID, groupName, groupID
 		t.Fatal(err)
 	}
 	groupMap := secret.Data
+
+	groupEntityMembers, ok := groupMap["member_entity_ids"].([]interface{})
+	if !ok && expectFound {
+		t.Fatalf("expected member_entity_ids not to be nil")
+	}
+
+	// if type assertion fails and expectFound is false, groupEntityMembers
+	// is nil, then let's just return, nothing to be done!
+	if !ok && !expectFound {
+		return
+	}
+
 	found := false
-	for _, entityIDRaw := range groupMap["member_entity_ids"].([]interface{}) {
+	for _, entityIDRaw := range groupEntityMembers {
 		if entityIDRaw.(string) == entityID {
 			found = true
 		}

diff --git a/vault/identity_store_util.go b/vault/identity_store_util.go
@@ -22,8 +22,10 @@ import (
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
-var errDuplicateIdentityName = errors.New("duplicate identity name")
-var tmpSuffix = ".tmp"
+var (
+	errDuplicateIdentityName = errors.New("duplicate identity name")
+	tmpSuffix                = ".tmp"
+)
 
 func (c *Core) SetLoadCaseSensitiveIdentityStore(caseSensitive bool) {
 	c.loadCaseSensitiveIdentityStore = caseSensitive
@@ -1500,17 +1502,24 @@ func (i *IdentityStore) sanitizeAndUpsertGroup(ctx context.Context, group *ident
 	}
 
 	// Remove duplicate entity IDs and check if all IDs are valid
-	group.MemberEntityIDs = strutil.RemoveDuplicates(group.MemberEntityIDs, false)
-	for _, entityID := range group.MemberEntityIDs {
-		entity, err := i.MemDBEntityByID(entityID, false)
-		if err != nil {
-			return fmt.Errorf("failed to validate entity ID %q: %w", entityID, err)
-		}
-		if entity == nil {
-			return fmt.Errorf("invalid entity ID %q", entityID)
+	if group.MemberEntityIDs != nil {
+		group.MemberEntityIDs = strutil.RemoveDuplicates(group.MemberEntityIDs, false)
+		for _, entityID := range group.MemberEntityIDs {
+			entity, err := i.MemDBEntityByID(entityID, false)
+			if err != nil {
+				return fmt.Errorf("failed to validate entity ID %q: %w", entityID, err)
+			}
+			if entity == nil {
+				return fmt.Errorf("invalid entity ID %q", entityID)
+			}
 		}
 	}
 
+	// Remove duplicate policies
+	if group.Policies != nil {
+		group.Policies = strutil.RemoveDuplicates(group.Policies, false)
+	}
+
 	txn := i.db.Txn(true)
 	defer txn.Abort()