Case insensitive identity names #5404
Conversation
vishalnayak
force-pushed
the
case-insensitive-identity-names
branch
from
de0b089 to
523c727
Compare
vishalnayak
changed the title
|
This is ready for review. Did some upgrade testing as well and it all seems to work as intended. |
vault/identity_store_aliases.go
Outdated
| @@ -203,7 +200,7 @@ func (i *IdentityStore) handleAliasUpdateCommon() framework.OperationFunc { | |||
| // If we can look up by the given canonical ID, see if this is a | |||
| // transfer; otherwise if we found no previous entity but we find one | |||
| // here, use it. | |||
| canonicalEntity, err := i.MemDBEntityByID(canonicalID, true) | |||
| canonicalEntity, err := i.MemDBEntityByID(canonicalID, false) | |||
There was a problem hiding this comment.
I'm curious why this was flipped to false.
There was a problem hiding this comment.
It was something I was trying while investigating an issue and had forgot to flip back. You pointed out a potential bug. Thanks! Fixed it.
vault/identity_store_util.go
Outdated
| return err | ||
| } | ||
| if groupByName != nil && !i.core.disableCaseInsensitiveIdentityNames { | ||
| return fmt.Errorf(`Duplicate group names %q and %q. |
vault/identity_store_util.go
Outdated
| return nil | ||
| } | ||
| if entityByName != nil && !i.core.disableCaseInsensitiveIdentityNames { | ||
| return fmt.Errorf(`Duplicate entity names %q and %q. |
vault/identity_store_util.go
Outdated
| @@ -244,11 +277,20 @@ func (i *IdentityStore) upsertEntityInTxn(ctx context.Context, txn *memdb.Txn, e | |||
| return nil | |||
| } | |||
|
|
|||
| if strutil.StrListContains(aliasFactors, i.sanitizeName(alias.Name)+alias.MountAccessor) && !i.core.disableCaseInsensitiveIdentityNames { | |||
| return fmt.Errorf(`Duplicate alias factors name=%q mount_accessor=%q for entity name %q. | |||
| testAliasName := "testAliasName" | ||
|
|
||
| // Create a case sensitive alias name | ||
| // Create a case sensitive alias name |
|
Just some minor observations, otherwise it looks good! |
| if err != nil || (resp != nil && resp.IsError()) { | ||
| t.Fatalf("bad: err:%v\nresp: %#v", err, resp) | ||
| } | ||
| } |
There was a problem hiding this comment.
Perhaps test for actual vs expected value once more after the group alias has been updated.
There was a problem hiding this comment.
Done, for both entity and group alias tests.
vault/identity_store.go
Outdated
| @@ -455,6 +473,7 @@ func (i *IdentityStore) CreateOrFetchEntity(ctx context.Context, alias *logical. | |||
| newAlias := &identity.Alias{ | |||
| CanonicalID: entity.ID, | |||
| Name: alias.Name, | |||
There was a problem hiding this comment.
Can we sanitize the name here?
There was a problem hiding this comment.
Nope. We don't need to sanitize here. It is done in the utility that inserts item into memdb.
vault/identity_store_aliases.go
Outdated
| @@ -138,6 +138,7 @@ func (i *IdentityStore) handleAliasUpdateCommon() framework.OperationFunc { | |||
| } | |||
| } else { | |||
| alias.Name = aliasName | |||
There was a problem hiding this comment.
Same, should we sanitize this here?
There was a problem hiding this comment.
Same here. We don't need to sanitize here.
vault/identity_store_entities.go
Outdated
| @@ -214,6 +214,8 @@ func (i *IdentityStore) handleEntityUpdateCommon() framework.OperationFunc { | |||
|
|
|||
| if entityName != "" { | |||
| entity.Name = entityName | |||
There was a problem hiding this comment.
Same, should we sanitize here?
vault/identity_store_groups.go
Outdated
| @@ -225,6 +225,7 @@ func (i *IdentityStore) handleGroupUpdateCommon(ctx context.Context, req *logica | |||
| return logical.ErrorResponse("group name is already in use"), nil | |||
| } | |||
| group.Name = groupName | |||
There was a problem hiding this comment.
Same, should we sanitize here?
| identity names are treated case insensitively unless | ||
| 'disable_case_insensitive_identity_names' config is set`, | ||
| group.NameRaw, groupByName.NameRaw) | ||
| } |
There was a problem hiding this comment.
This is likely to happen during upgrade right? Would this halt startup?
There was a problem hiding this comment.
This worries me a bit, I wonder if there is a better escape hatch we can offer. It seems to me it's likely that many existing installations will hit this issue and need to disable case insensitivity, which defeats the purpose of making it case sensitive.
There was a problem hiding this comment.
Yes this would happen during upgrade. The goal was to switch over all identity names to be case insensitive for good. It would still work seemlessly for those who are using case sensitive names. The conflict would only arise if there are duplicate names with different casings for entities, groups and/or respective aliases. In that case, they will have to set this flag to continue operating as they would. Or, they could set this flag, remove the duplicate items, and reset the flag to get along with the regular flow.
There was a problem hiding this comment.
This should get a mention in the upgrade notes.
There was a problem hiding this comment.
I think if disable is set, we should detect and warn. That way people can set the flag, start up, see if anything is in conflict, take appropriate action.
There was a problem hiding this comment.
There is no flag now. So, the above discussion is not required.
vishalnayak
force-pushed
the
case-insensitive-identity-names
branch
from
2eda462 to
750917d
Compare
vault/identity_store_util.go
Outdated
| // If it succeeds, all is well | ||
| return nil | ||
| case err != nil && !errwrap.ContainsType(err, errDuplicateIdentityName): | ||
| // Return all errors except one |
There was a problem hiding this comment.
What does this comment mean, are there multiple errors that we expect?
There was a problem hiding this comment.
It meant to return all the errors expect when error contains errDuplicateIdentityName.
vault/identity_store_util.go
Outdated
| if err != nil { | ||
| return err | ||
| } | ||
|
|
||
| return nil | ||
| c.identityStore.logger.Warn("enabling case sensitive identity names") |
There was a problem hiding this comment.
Can we move this to L52? It would make the error from resetDB above more clear (i.e. error is related to switching over to handling case sensitive names).
vault/identity_store_util.go
Outdated
| return nil | ||
| c.identityStore.logger.Warn("enabling case sensitive identity names") | ||
|
|
||
| // Load everything from the beginning. |
There was a problem hiding this comment.
"Attempt to load artifacts once more after memdb is reset to accept case sensitive names" might be more clear since it was called already once before.
| @@ -181,10 +181,6 @@ func (i *IdentityStore) handleAliasUpdateCommon() framework.OperationFunc { | |||
| if entity == nil { | |||
| return nil, fmt.Errorf("existing alias is not associated with an entity") | |||
| } | |||
| if canonicalID == "" || entity.ID == canonicalID { | |||
There was a problem hiding this comment.
This is to ensure that we always update the alias. This is useful when an existing alias name is updated with its casing altered.
| @@ -255,6 +251,12 @@ func (i *IdentityStore) handleAliasUpdateCommon() framework.OperationFunc { | |||
| return nil, err | |||
| } | |||
|
|
|||
| for index, item := range entity.Aliases { | |||
There was a problem hiding this comment.
Same, can you explain what this change is for?
There was a problem hiding this comment.
All the updates are held by the alias object. This is where we reflect those changes in the entity.
vault/identity_store_util.go
Outdated
| case err == nil: | ||
| // If it succeeds, all is well | ||
| return nil | ||
| case err != nil && !errwrap.ContainsType(err, errDuplicateIdentityName): |
There was a problem hiding this comment.
I don't think ContainsType does what you think it does here, which makes me wonder if this works properly. ContainsType is supposed to be used to validate a typed error, which means this will likely match against any error generated via errors.New. You probably want .Contains()
There was a problem hiding this comment.
Wow. This is a nice observation. Fixed. But the code was working properly because the code expecting a true and ContainsType (as you said) was returning true. There wasn't a different error there to catch. I tested it by overwriting the err returned from loadFunc and verified that its getting caught properly now.
vault/identity_store_util.go
Outdated
| if err != nil { | ||
| return err | ||
| } | ||
| if groupByName != nil && !i.disableLowerCasedNames { |
There was a problem hiding this comment.
What happens if a group is found and lower caes names are disabled? That's also an error condition but won't be covered here.
There was a problem hiding this comment.
When a group is found and when lower cased names are disabled, it means that we are falling back to the original behavior, and we are okay with the existence of another group. It is not an error condition. It would only mean that another group with same but differently cased name exists.
There was a problem hiding this comment.
It would be good to warn in that case just as with entity names -- that way they can try to address the issue.
There was a problem hiding this comment.
There was a warning with only one item that lead to the conflict. But your suggestion helps identify all the conflicting items after switching over to the case sensitive way. Nice observation. Fixed.
vault/identity_store_util.go
Outdated
| return err | ||
| } | ||
| if groupByName != nil { | ||
| i.logger.Warn(errDuplicateIdentityName.Error(), "group_name", group.Name, "conflicting_group_name", groupByName.Name) |
There was a problem hiding this comment.
Could we give an actionable here and in the same log line bellow? Something like, please merge these groups or rename one
No description provided.