Backport 12834 18x (#12869)

* Fix entity alias deletion (#12834) * Fix entity alias deletion * Fix tests * Add CL * Remove 1.9 changes
hashicorp · Oct 20, 2021 · dd80dbf · dd80dbf
1 parent 3a186fa
commit dd80dbf
Show file tree

Hide file tree

Showing 3 changed files with 67 additions and 6 deletions.
diff --git a/changelog/12834.txt b/changelog/12834.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core/identity: Cleanup alias in the in-memory entity after an alias deletion by ID
+```
diff --git a/vault/identity_store_test.go b/vault/identity_store_test.go
@@ -6,6 +6,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/stretchr/testify/require"
+
 	"github.com/armon/go-metrics"
 	"github.com/go-test/deep"
 	"github.com/golang/protobuf/ptypes"
@@ -18,6 +20,59 @@ import (
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
+func TestIdentityStore_DeleteEntityAlias(t *testing.T) {
+	c, _, _ := TestCoreUnsealed(t)
+	txn := c.identityStore.db.Txn(true)
+	defer txn.Abort()
+
+	alias := &identity.Alias{
+		ID:            "testAliasID1",
+		CanonicalID:   "testEntityID",
+		MountType:     "testMountType",
+		MountAccessor: "testMountAccessor",
+		Name:          "testAliasName",
+	}
+	alias2 := &identity.Alias{
+		ID:            "testAliasID2",
+		CanonicalID:   "testEntityID",
+		MountType:     "testMountType",
+		MountAccessor: "testMountAccessor2",
+		Name:          "testAliasName2",
+	}
+	entity := &identity.Entity{
+		ID:       "testEntityID",
+		Name:     "testEntityName",
+		Policies: []string{"foo", "bar"},
+		Aliases: []*identity.Alias{
+			alias,
+			alias2,
+		},
+		NamespaceID: namespace.RootNamespaceID,
+		BucketKey:   c.identityStore.entityPacker.BucketKey("testEntityID"),
+	}
+
+	err := c.identityStore.upsertEntityInTxn(context.Background(), txn, entity, nil, false)
+	require.NoError(t, err)
+
+	err = c.identityStore.deleteAliasesInEntityInTxn(txn, entity, []*identity.Alias{alias, alias2})
+	require.NoError(t, err)
+
+	txn.Commit()
+
+	alias, err = c.identityStore.MemDBAliasByID("testAliasID1", false, false)
+	require.NoError(t, err)
+	require.Nil(t, alias)
+
+	alias, err = c.identityStore.MemDBAliasByID("testAliasID2", false, false)
+	require.NoError(t, err)
+	require.Nil(t, alias)
+
+	entity, err = c.identityStore.MemDBEntityByID("testEntityID", false)
+	require.NoError(t, err)
+
+	require.Len(t, entity.Aliases, 0)
+}
+
 func TestIdentityStore_UnsealingWhenConflictingAliasNames(t *testing.T) {
 	err := AddTestCredentialBackend("github", credGithub.Factory)
 	if err != nil {

diff --git a/vault/identity_store_util.go b/vault/identity_store_util.go
@@ -1299,15 +1299,18 @@ func (i *IdentityStore) deleteAliasesInEntityInTxn(txn *memdb.Txn, entity *ident
 
 	var remainList []*identity.Alias
 	var removeList []*identity.Alias
-
-	for _, item := range aliases {
-		for _, alias := range entity.Aliases {
+	for _, item := range entity.Aliases {
+		remove := false
+		for _, alias := range aliases {
 			if alias.ID == item.ID {
-				removeList = append(removeList, alias)
-			} else {
-				remainList = append(remainList, alias)
+				remove = true
 			}
 		}
+		if remove {
+			removeList = append(removeList, item)
+		} else {
+			remainList = append(remainList, item)
+		}
 	}
 
 	// Remove identity indices from aliases table for those that needs to