From b7fc4645f33f2f126043c5fca8f8ed8dfb5a1bfc Mon Sep 17 00:00:00 2001
From: Peter Wilson
Date: Thu, 26 May 2022 13:52:19 +0100
Subject: [PATCH] Only add distinct policies to identity group (#15638)

* Only add distinct policies to identity group
---
 changelog/15638.txt                 | 3 +++
 vault/identity_store_groups.go      | 2 +-
 vault/identity_store_groups_test.go | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 changelog/15638.txt

diff --git a/changelog/15638.txt b/changelog/15638.txt
new file mode 100644
index 000000000..94179552f
--- /dev/null
+++ b/changelog/15638.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+vault: Fix a bug where duplicate policies could be added to an identity group.
+```
\ No newline at end of file
diff --git a/vault/identity_store_groups.go b/vault/identity_store_groups.go
index 837022686..4a8b69273 100644
--- a/vault/identity_store_groups.go
+++ b/vault/identity_store_groups.go
@@ -181,7 +181,7 @@ func (i *IdentityStore) handleGroupUpdateCommon(ctx context.Context, req *logica
 	// Update the policies if supplied
 	policiesRaw, ok := d.GetOk("policies")
 	if ok {
-		group.Policies = policiesRaw.([]string)
+		group.Policies = strutil.RemoveDuplicatesStable(policiesRaw.([]string), true)
 	}
 
 	if strutil.StrListContains(group.Policies, "root") {
diff --git a/vault/identity_store_groups_test.go b/vault/identity_store_groups_test.go
index 8e1d38038..4ae85ff04 100644
--- a/vault/identity_store_groups_test.go
+++ b/vault/identity_store_groups_test.go
@@ -677,7 +677,7 @@ func TestIdentityStore_GroupsCreateUpdate(t *testing.T) {
 
 	// Create a group with the above created 2 entities as its members
 	groupData := map[string]interface{}{
-		"policies": "testpolicy1,testpolicy2",
+		"policies": "testpolicy1,testPolicy1 , testpolicy2",
 		"metadata":  []string{"testkey1=testvalue1", "testkey2=testvalue2"},
 		"member_entity_ids": []string{entityID1, entityID2},
 	}
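Review bot: The new `group.Policies = strutil.RemoveDuplicatesStable(policiesRaw.([]string), true)` line in handleGroupUpdateCommon deduplicates case-insensitively (the `true` argument) but the retained entries keep whatever spelling and surrounding whitespace the caller supplied, while the `strutil.StrListContains(group.Policies, "root")` guard two lines later compares exact strings; unless the policy list is lowercased and trimmed before this point (not visible in the hunk), a value such as `Root` or ` root` would survive dedup yet miss that guard, so the stored list and the check should use the same normalization. The bare `true` also deserves a why-comment so the next reader does not "fix" it to `false`: `// policy names are compared case-insensitively, so dedupe the same way (keeps the first spelling)`. The rest of handleGroupUpdateCommon lies outside the hunk.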
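Review bot: The updated `"policies": "testpolicy1,testPolicy1 , testpolicy2"` input in TestIdentityStore_GroupsCreateUpdate exercises both the case variant and the surrounding whitespace, but the hunk does not show an assertion on the resulting group's policies, so it is unclear whether the test pins the exact stored list (which spelling is kept, whether whitespace is trimmed) or only that the request succeeds. A comment on the input line naming what it is meant to prove, e.g. `// duplicate differing only in case and padding must collapse to one entry`, plus an equality check on the stored slice further down, would make the regression intent explicit. The assertion part of the test lies outside the hunk.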