From fa754c7fa52b321f037f88250c54dfa8d321232a Mon Sep 17 00:00:00 2001
From: Hamid Ghaf <83242695+hghaf099@users.noreply.github.com>
Date: Tue, 28 Jun 2022 19:54:24 -0400
Subject: [PATCH] Replicate member_entity_ids and policies in identity/group across nodes identically (#16088)

* Replicate values of group member_entity_ids and policies across nodes identically

* Adding CL

* fixing tests
---
 changelog/16088.txt | 3 +++
 .../external_tests/identity/identity_test.go | 14 +++++++++++-
 vault/identity_store_util.go | 22 +++++++++++--------
 3 files changed, 29 insertions(+), 10 deletions(-)
 create mode 100644 changelog/16088.txt

diff --git a/changelog/16088.txt b/changelog/16088.txt
new file mode 100644
index 000000000..ff2457aaf
--- /dev/null
+++ b/changelog/16088.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core/identity: Replicate member_entity_ids and policies in identity/group across nodes identically
+```
diff --git a/vault/external_tests/identity/identity_test.go b/vault/external_tests/identity/identity_test.go
index 72f4c9b9e..0b97d72e9 100644
--- a/vault/external_tests/identity/identity_test.go
+++ b/vault/external_tests/identity/identity_test.go
@@ -628,8 +628,20 @@ func assertMember(t *testing.T, client *api.Client, entityID, groupName, groupID
 		t.Fatal(err)
 	}
 	groupMap := secret.Data
+
+	groupEntityMembers, ok := groupMap["member_entity_ids"].([]interface{})
+	if !ok && expectFound {
+		t.Fatalf("expected member_entity_ids not to be nil")
+	}
+
+	// if type assertion fails and expectFound is false, groupEntityMembers
+	// is nil, then let's just return, nothing to be done!
+	if !ok && !expectFound {
+		return
+	}
+
 	found := false
-	for _, entityIDRaw := range groupMap["member_entity_ids"].([]interface{}) {
+	for _, entityIDRaw := range groupEntityMembers {
 		if entityIDRaw.(string) == entityID {
 			found = true
 		}
diff --git a/vault/identity_store_util.go b/vault/identity_store_util.go
index 277460aef..ae08bd387 100644
--- a/vault/identity_store_util.go
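Review bot: The two `!ok` checks in assertMember test the same failed type assertion twice and read more clearly as one guard, `if !ok { if expectFound { t.Fatalf("expected member_entity_ids to be a list") }; return }`, which also makes the failure message accurate — the assertion fails when the key is missing or has another type, not only when it is nil. The unchecked `entityIDRaw.(string)` that the loop keeps on the new side still panics rather than failing the test when an element is not a string; `s, ok := entityIDRaw.(string)` followed by a `t.Fatalf` on `!ok` would report it as a test failure. assertMember continues past the end of this hunk.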
+++ b/vault/identity_store_util.go
@@ -1473,19 +1473,23 @@ func (i *IdentityStore) sanitizeAndUpsertGroup(ctx context.Context, group *ident
 	}

 	// Remove duplicate entity IDs and check if all IDs are valid
-	group.MemberEntityIDs = strutil.RemoveDuplicates(group.MemberEntityIDs, false)
-	for _, entityID := range group.MemberEntityIDs {
-		entity, err := i.MemDBEntityByID(entityID, false)
-		if err != nil {
-			return fmt.Errorf("failed to validate entity ID %q: %w", entityID, err)
-		}
-		if entity == nil {
-			return fmt.Errorf("invalid entity ID %q", entityID)
+	if group.MemberEntityIDs != nil {
+		group.MemberEntityIDs = strutil.RemoveDuplicates(group.MemberEntityIDs, false)
+		for _, entityID := range group.MemberEntityIDs {
+			entity, err := i.MemDBEntityByID(entityID, false)
+			if err != nil {
+				return fmt.Errorf("failed to validate entity ID %q: %w", entityID, err)
+			}
+			if entity == nil {
+				return fmt.Errorf("invalid entity ID %q", entityID)
+			}
 		}
 	}

 	// Remove duplicate policies
-	group.Policies = strutil.RemoveDuplicates(group.Policies, false)
+	if group.Policies != nil {
+		group.Policies = strutil.RemoveDuplicates(group.Policies, false)
+	}

 	txn := i.db.Txn(true)
 	defer txn.Abort()
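Review bot: The new `!= nil` guards on `group.MemberEntityIDs` and `group.Policies` need a comment saying why a nil slice is deliberately left as nil, because to a later reader they look redundant and are an easy target for "cleanup" that would reintroduce the bug. A comment above the first guard such as `// Keep a nil slice nil: normalizing it to an empty slice here would make the persisted group differ from what other nodes hold for the same group.` captures the intent stated in the commit title; whether RemoveDuplicates is what turns nil into an empty slice is not visible in this hunk, so confirm that before wording it that way, and the same note applies to the Policies guard. sanitizeAndUpsertGroup begins and ends outside this hunk.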