use map-based approach to dedup key IDs

hashicorp · Mar 16, 2022 · e7e2858 · e7e2858
1 parent 76e53ef
commit e7e2858
Showing 1 changed file with 13 additions and 15 deletions.
diff --git a/vault/identity_store_oidc.go b/vault/identity_store_oidc.go
@@ -1672,6 +1672,8 @@ func (i *IdentityStore) generatePublicJWKS(ctx context.Context, s logical.Storag
 		return nil, err
 	}
 
+	// collect and deduplicate the key IDs for all roles
+	keyIDs := make(map[string]struct{})
 	for _, roleName := range roleNames {
 		role, err := i.getOIDCRole(ctx, s, roleName)
 		if err != nil {
@@ -1681,27 +1683,23 @@ func (i *IdentityStore) generatePublicJWKS(ctx context.Context, s logical.Storag
 			continue
 		}
 
-		keyIDs, err := i.keyIDsByName(ctx, s, role.Key)
+		roleKeyIDs, err := i.keyIDsByName(ctx, s, role.Key)
 		if err != nil {
 			return nil, err
 		}
 
-		for _, keyID := range keyIDs {
-			found := false
-			for _, key := range jwks.Keys {
-				if key.KeyID == keyID {
-					found = true
-				}
-			}
+		for _, keyID := range roleKeyIDs {
+			keyIDs[keyID] = struct{}{}
+		}
+	}
 
-			if !found {
-				key, err := loadOIDCPublicKey(ctx, s, keyID)
-				if err != nil {
-					return nil, err
-				}
-				jwks.Keys = append(jwks.Keys, *key)
-			}
+	// load the JSON web key for each key ID
+	for keyID := range keyIDs {
+		key, err := loadOIDCPublicKey(ctx, s, keyID)
+		if err != nil {
+			return nil, err
 		}
+		jwks.Keys = append(jwks.Keys, *key)
 	}
 
 	if err := i.oidcCache.SetDefault(ns, "jwks", jwks); err != nil {