Fix entity alias deletion (#12834)

* Fix entity alias deletion * Fix tests * Add CL
2021-10-19 15:05:06 -04:00 · 2021-10-19 15:05:06 -04:00 · 6eead9f09b
parent 1347d4c534
commit 6eead9f09b
3 changed files with 69 additions and 6 deletions
--- a/changelog/12834.txt
+++ b/changelog/12834.txt
@ -0,0 +1,3 @@
+```release-note:bug
+core/identity: Cleanup alias in the in-memory entity after an alias deletion by ID
+```
--- a/vault/identity_store_test.go
+++ b/vault/identity_store_test.go
@ -6,6 +6,8 @@ import (
 	"testing"
 	"time"

+	"github.com/stretchr/testify/require"
+
 	"github.com/armon/go-metrics"
 	"github.com/go-test/deep"
 	"github.com/golang/protobuf/ptypes"
@ -18,6 +20,61 @@ import (
 	"github.com/hashicorp/vault/sdk/logical"
 )

+func TestIdentityStore_DeleteEntityAlias(t *testing.T) {
+	c, _, _ := TestCoreUnsealed(t)
+	txn := c.identityStore.db.Txn(true)
+	defer txn.Abort()
+
+	alias := &identity.Alias{
+		ID:             "testAliasID1",
+		CanonicalID:    "testEntityID",
+		MountType:      "testMountType",
+		MountAccessor:  "testMountAccessor",
+		Name:           "testAliasName",
+		LocalBucketKey: c.identityStore.localAliasPacker.BucketKey("testEntityID"),
+	}
+	alias2 := &identity.Alias{
+		ID:             "testAliasID2",
+		CanonicalID:    "testEntityID",
+		MountType:      "testMountType",
+		MountAccessor:  "testMountAccessor2",
+		Name:           "testAliasName2",
+		LocalBucketKey: c.identityStore.localAliasPacker.BucketKey("testEntityID"),
+	}
+	entity := &identity.Entity{
+		ID:       "testEntityID",
+		Name:     "testEntityName",
+		Policies: []string{"foo", "bar"},
+		Aliases: []*identity.Alias{
+			alias,
+			alias2,
+		},
+		NamespaceID: namespace.RootNamespaceID,
+		BucketKey:   c.identityStore.entityPacker.BucketKey("testEntityID"),
+	}
+
+	err := c.identityStore.upsertEntityInTxn(context.Background(), txn, entity, nil, false)
+	require.NoError(t, err)
+
+	err = c.identityStore.deleteAliasesInEntityInTxn(txn, entity, []*identity.Alias{alias, alias2})
+	require.NoError(t, err)
+
+	txn.Commit()
+
+	alias, err = c.identityStore.MemDBAliasByID("testAliasID1", false, false)
+	require.NoError(t, err)
+	require.Nil(t, alias)
+
+	alias, err = c.identityStore.MemDBAliasByID("testAliasID2", false, false)
+	require.NoError(t, err)
+	require.Nil(t, alias)
+
+	entity, err = c.identityStore.MemDBEntityByID("testEntityID", false)
+	require.NoError(t, err)
+
+	require.Len(t, entity.Aliases, 0)
+}
+
 func TestIdentityStore_UnsealingWhenConflictingAliasNames(t *testing.T) {
 	err := AddTestCredentialBackend("github", credGithub.Factory)
 	if err != nil {
--- a/vault/identity_store_util.go
+++ b/vault/identity_store_util.go
@ -1662,15 +1662,18 @@ func (i *IdentityStore) deleteAliasesInEntityInTxn(txn *memdb.Txn, entity *ident

 	var remainList []*identity.Alias
 	var removeList []*identity.Alias
-
-	for _, item := range aliases {
-		for _, alias := range entity.Aliases {
+	for _, item := range entity.Aliases {
+		remove := false
+		for _, alias := range aliases {
 			if alias.ID == item.ID {
-				removeList = append(removeList, alias)
-			} else {
-				remainList = append(remainList, alias)
+				remove = true
 			}
 		}
+		if remove {
+			removeList = append(removeList, item)
+		} else {
+			remainList = append(remainList, item)
+		}
 	}

 	// Remove identity indices from aliases table for those that needs to