Fix entity alias deletion (#12834)

* Fix entity alias deletion

* Fix tests

* Add CL

changelog/12834.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+core/identity: Cleanup alias in the in-memory entity after an alias deletion by ID
+```

vault/identity_store_test.go

@@ -6,6 +6,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/stretchr/testify/require"
+
 	"github.com/armon/go-metrics"
 	"github.com/go-test/deep"
 	"github.com/golang/protobuf/ptypes"
@@ -18,6 +20,61 @@ import (
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
+func TestIdentityStore_DeleteEntityAlias(t *testing.T) {
+	c, _, _ := TestCoreUnsealed(t)
+	txn := c.identityStore.db.Txn(true)
+	defer txn.Abort()
+
+	alias := &identity.Alias{
+		ID:             "testAliasID1",
+		CanonicalID:    "testEntityID",
+		MountType:      "testMountType",
+		MountAccessor:  "testMountAccessor",
+		Name:           "testAliasName",
+		LocalBucketKey: c.identityStore.localAliasPacker.BucketKey("testEntityID"),
+	}
+	alias2 := &identity.Alias{
+		ID:             "testAliasID2",
+		CanonicalID:    "testEntityID",
+		MountType:      "testMountType",
+		MountAccessor:  "testMountAccessor2",
+		Name:           "testAliasName2",
+		LocalBucketKey: c.identityStore.localAliasPacker.BucketKey("testEntityID"),
+	}
+	entity := &identity.Entity{
+		ID:       "testEntityID",
+		Name:     "testEntityName",
+		Policies: []string{"foo", "bar"},
+		Aliases: []*identity.Alias{
+			alias,
+			alias2,
+		},
+		NamespaceID: namespace.RootNamespaceID,
+		BucketKey:   c.identityStore.entityPacker.BucketKey("testEntityID"),
+	}
+
+	err := c.identityStore.upsertEntityInTxn(context.Background(), txn, entity, nil, false)
+	require.NoError(t, err)
+
+	err = c.identityStore.deleteAliasesInEntityInTxn(txn, entity, []*identity.Alias{alias, alias2})
+	require.NoError(t, err)
+
+	txn.Commit()
+
+	alias, err = c.identityStore.MemDBAliasByID("testAliasID1", false, false)
+	require.NoError(t, err)
+	require.Nil(t, alias)
+
+	alias, err = c.identityStore.MemDBAliasByID("testAliasID2", false, false)
+	require.NoError(t, err)
+	require.Nil(t, alias)
+
+	entity, err = c.identityStore.MemDBEntityByID("testEntityID", false)
+	require.NoError(t, err)
+
+	require.Len(t, entity.Aliases, 0)
+}
+
 func TestIdentityStore_UnsealingWhenConflictingAliasNames(t *testing.T) {
 	err := AddTestCredentialBackend("github", credGithub.Factory)
 	if err != nil {

vault/identity_store_util.go

@@ -1662,15 +1662,18 @@ func (i *IdentityStore) deleteAliasesInEntityInTxn(txn *memdb.Txn, entity *ident
 
 	var remainList []*identity.Alias
 	var removeList []*identity.Alias
-
+	for _, item := range entity.Aliases {
-	for _, item := range aliases {
+		remove := false
-		for _, alias := range entity.Aliases {
+		for _, alias := range aliases {
 			if alias.ID == item.ID {
-				removeList = append(removeList, alias)
+				remove = true
-			} else {
-				remainList = append(remainList, alias)
 			}
 		}
+		if remove {
+			removeList = append(removeList, item)
+		} else {
+			remainList = append(remainList, item)
+		}
 	}
 
 	// Remove identity indices from aliases table for those that needs to