From 77ca499c6e93c1039404632ff3b87d5261e09f66 Mon Sep 17 00:00:00 2001
From: Pratyoy Mukhopadhyay <35388175+pmmukh@users.noreply.github.com>
Date: Thu, 21 Jul 2022 10:53:42 -0700
Subject: [PATCH] oss changes (#16407)
---
 vault/identity_store.go | 2 +-
 vault/request_handling.go | 21 +++++++++++++--------
 vault/request_handling_util.go | 4 ++++
 3 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/vault/identity_store.go b/vault/identity_store.go
index 3d8626b6d..8114d1e92 100644
--- a/vault/identity_store.go
+++ b/vault/identity_store.go
@@ -1209,7 +1209,7 @@ func (i *IdentityStore) CreateOrFetchEntity(ctx context.Context, alias *logical.
 // Update MemDB and persist entity object
 err = i.upsertEntityInTxn(ctx, txn, entity, nil, true)
 if err != nil {
- return nil, false, err
+ return entity, entityCreated, err
 }
 
 txn.Commit()
diff --git a/vault/request_handling.go b/vault/request_handling.go
index 67c11b32f..87c56140d 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
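Review bot: The changed line `return entity, entityCreated, err` now hands back a non-nil entity and the current creation flag together with a non-nil error, which departs from the usual Go contract that results are meaningless when err is non-nil, and CreateOrFetchEntity's doc comment should state this so that callers other than the one this commit adapts do not treat that entity as committed. The upsert failed before txn.Commit(), so the returned entity exists only in memory and has not been persisted; a token issued against it by a careless caller would reference an entity the store does not hold. I'd add above the return `// The entity is returned even on error so the caller can retry creation (e.g. by forwarding on ErrReadOnly); it has NOT been persisted or committed here.` The function starts outside the hunk, so whether the transaction is aborted on this path is not visible.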
@@ -1454,15 +1454,20 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 if err != nil {
 switch auth.Alias.Local {
 case true:
- entity, err = possiblyForwardEntityCreation(ctx, c, err, auth, entity)
- if err != nil && strings.Contains(err.Error(), errCreateEntityUnimplemented) {
- resp.AddWarning("primary cluster doesn't yet issue entities for local auth mounts; falling back to not issuing entities for local auth mounts")
- goto CREATE_TOKEN
- }
- // If the entity creation via forwarding was successful, update the bool flag
- if entity != nil && err == nil {
- entityCreated = true
+ // Only create a new entity if the error was a readonly error and the creation flag is true
+ // i.e the entity was in the middle of being created
+ if entityCreated && errors.Is(err, logical.ErrReadOnly) {
+ entity, err = possiblyForwardEntityCreation(ctx, c, err, auth, nil)
+ if err != nil {
+ if strings.Contains(err.Error(), errCreateEntityUnimplemented) {
+ resp.AddWarning("primary cluster doesn't yet issue entities for local auth mounts; falling back to not issuing entities for local auth mounts")
+ goto CREATE_TOKEN
+ } else {
+ return nil, nil, err
+ }
+ }
 }
+ err = updateLocalAlias(ctx, c, auth, entity)
 default:
 entity, entityCreated, err = possiblyForwardAliasCreation(ctx, c, err, auth, entity)
 }
diff --git a/vault/request_handling_util.go b/vault/request_handling_util.go
index f8549e214..de1437e89 100644
--- a/vault/request_handling_util.go
+++ b/vault/request_handling_util.go
@@ -60,6 +60,10 @@ func possiblyForwardEntityCreation(ctx context.Context, c *Core, inErr error, au
 return entity, inErr
 }
 
+func updateLocalAlias(ctx context.Context, c *Core, auth *logical.Auth, entity *identity.Entity) error {
+ return nil
+}
+
 func possiblyForwardSaveCachedAuthResponse(ctx context.Context, c *Core, respAuth *MFACachedAuthResponse) error {
 err := c.SaveMFAResponseAuth(respAuth)
 if err != nil {
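Review bot: In the `case true:` branch the added line `err = updateLocalAlias(ctx, c, auth, entity)` runs unconditionally and overwrites whatever error CreateOrFetchEntity returned, so an error that is not ErrReadOnly, or one seen while entityCreated is false, is silently dropped and the login continues with an entity that may never have been persisted; in the removed code that error was passed through possiblyForwardEntityCreation unchanged (its pass-through `return entity, inErr` is visible in the next file). Unless the code after the switch, which is outside the hunk, re-derives that failure, guard the call: `if err == nil {` / `err = updateLocalAlias(ctx, c, auth, entity)` / `}`. As a point of style, the `} else {` after `goto CREATE_TOKEN` can be dropped so `return nil, nil, err` sits at the outer level, and the comment's `i.e` should read `i.e.`. handleLoginRequest begins and ends outside the hunk.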
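Review bot: updateLocalAlias is added with no doc comment and a body that ignores all four parameters and always returns nil, so a reader of handleLoginRequest would assume the entity's local alias is actually updated after the forwarded creation. A comment should make the no-op explicit, e.g. `// updateLocalAlias is a no-op in this build: it leaves the entity's local alias unchanged and always returns nil.`, and if the real implementation lives in another build, which the commit title "oss changes" suggests, the comment should say so. Keeping the parameter names rather than `_` is fine since they document the intended signature.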