Persist merged entities only on the primary

vault/core.go

@@ -416,6 +416,10 @@ type Core struct {
 	// Can be toggled atomically to cause the core to never try to become
 	// active, or give up active as soon as it gets it
 	neverBecomeActive *uint32
+
+	// loadCaseSensitiveIdentityStore enforces the loading of identity store
+	// artifacts in a case sensitive manner. To be used only in testing.
+	loadCaseSensitiveIdentityStore bool
 }
 
 // CoreConfig is used to parameterize a core

vault/identity_store_test.go

@@ -15,6 +15,98 @@ import (
 	"github.com/hashicorp/vault/logical"
 )
 
+func TestIdentityStore_UnsealingWhenConflictingAliasNames(t *testing.T) {
+	err := AddTestCredentialBackend("github", credGithub.Factory)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	c, unsealKey, root := TestCoreUnsealed(t)
+
+	meGH := &MountEntry{
+		Table:       credentialTableType,
+		Path:        "github/",
+		Type:        "github",
+		Description: "github auth",
+	}
+
+	err = c.enableCredential(namespace.RootContext(nil), meGH)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	alias := &identity.Alias{
+		ID:            "alias1",
+		CanonicalID:   "entity1",
+		MountType:     "github",
+		MountAccessor: meGH.Accessor,
+		Name:          "githubuser",
+	}
+	entity := &identity.Entity{
+		ID:       "entity1",
+		Name:     "name1",
+		Policies: []string{"foo", "bar"},
+		Aliases: []*identity.Alias{
+			alias,
+		},
+		NamespaceID: namespace.RootNamespaceID,
+	}
+	entity.BucketKeyHash = c.identityStore.entityPacker.BucketKeyHashByItemID(entity.ID)
+
+	err = c.identityStore.upsertEntity(namespace.RootContext(nil), entity, nil, true)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	alias2 := &identity.Alias{
+		ID:            "alias2",
+		CanonicalID:   "entity2",
+		MountType:     "github",
+		MountAccessor: meGH.Accessor,
+		Name:          "GITHUBUSER",
+	}
+	entity2 := &identity.Entity{
+		ID:       "entity2",
+		Name:     "name2",
+		Policies: []string{"foo", "bar"},
+		Aliases: []*identity.Alias{
+			alias2,
+		},
+		NamespaceID: namespace.RootNamespaceID,
+	}
+	entity2.BucketKeyHash = c.identityStore.entityPacker.BucketKeyHashByItemID(entity2.ID)
+
+	// Persist the second entity directly without the regular flow. This will skip
+	// merging of these enties.
+	entity2Any, err := ptypes.MarshalAny(entity2)
+	if err != nil {
+		t.Fatal(err)
+	}
+	item := &storagepacker.Item{
+		ID:      entity2.ID,
+		Message: entity2Any,
+	}
+	if err = c.identityStore.entityPacker.PutItem(item); err != nil {
+		t.Fatal(err)
+	}
+
+	// Seal and ensure that unseal works
+	if err = c.Seal(root); err != nil {
+		t.Fatal(err)
+	}
+
+	var unsealed bool
+	for i := 0; i < 3; i++ {
+		unsealed, err = c.Unseal(unsealKey[i])
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+	if !unsealed {
+		t.Fatal("still sealed")
+	}
+}
+
 func TestIdentityStore_EntityIDPassthrough(t *testing.T) {
 	// Enable GitHub auth and initialize
 	ctx := namespace.RootContext(nil)
@@ -381,7 +473,7 @@ func TestIdentityStore_MergeConflictingAliases(t *testing.T) {
 		t.Fatalf("err: %s", err)
 	}
 
-	c, unsealKey, root := TestCoreUnsealed(t)
+	c, _, _ := TestCoreUnsealed(t)
 
 	meGH := &MountEntry{
 		Table:       credentialTableType,
@@ -409,54 +501,36 @@ func TestIdentityStore_MergeConflictingAliases(t *testing.T) {
 		Aliases: []*identity.Alias{
 			alias,
 		},
+		NamespaceID: namespace.RootNamespaceID,
 	}
 	entity.BucketKeyHash = c.identityStore.entityPacker.BucketKeyHashByItemID(entity.ID)
-	// Now add the alias to two entities, skipping all existing checking by
-	// writing directly
-	entityAny, err := ptypes.MarshalAny(entity)
+	err = c.identityStore.upsertEntity(namespace.RootContext(nil), entity, nil, true)
 	if err != nil {
 		t.Fatal(err)
 	}
-	item := &storagepacker.Item{
-		ID:      entity.ID,
-		Message: entityAny,
-	}
-	if err = c.identityStore.entityPacker.PutItem(item); err != nil {
-		t.Fatal(err)
-	}
 
-	entity.ID = "entity2"
-	entity.Name = "name2"
-	entity.Policies = []string{"bar", "baz"}
-	alias.ID = "alias2"
-	alias.CanonicalID = "entity2"
-	entity.BucketKeyHash = c.identityStore.entityPacker.BucketKeyHashByItemID(entity.ID)
-	entityAny, err = ptypes.MarshalAny(entity)
-	if err != nil {
-		t.Fatal(err)
-	}
-	item = &storagepacker.Item{
-		ID:      entity.ID,
-		Message: entityAny,
+	alias2 := &identity.Alias{
+		ID:            "alias2",
+		CanonicalID:   "entity2",
+		MountType:     "github",
+		MountAccessor: meGH.Accessor,
+		Name:          "githubuser",
 	}
-	if err = c.identityStore.entityPacker.PutItem(item); err != nil {
-		t.Fatal(err)
+	entity2 := &identity.Entity{
+		ID:       "entity2",
+		Name:     "name2",
+		Policies: []string{"bar", "baz"},
+		Aliases: []*identity.Alias{
+			alias2,
+		},
+		NamespaceID: namespace.RootNamespaceID,
 	}
 
-	// Seal and unseal. If things are broken, we will now fail to unseal.
-	if err = c.Seal(root); err != nil {
-		t.Fatal(err)
-	}
+	entity2.BucketKeyHash = c.identityStore.entityPacker.BucketKeyHashByItemID(entity2.ID)
 
-	var unsealed bool
-	for i := 0; i < 3; i++ {
-		unsealed, err = c.Unseal(unsealKey[i])
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-	if !unsealed {
-		t.Fatal("still sealed")
+	err = c.identityStore.upsertEntity(namespace.RootContext(nil), entity2, nil, true)
+	if err != nil {
+		t.Fatal(err)
 	}
 
 	newEntity, err := c.identityStore.CreateOrFetchEntity(namespace.RootContext(nil), &logical.Alias{

vault/identity_store_util.go

@@ -24,28 +24,35 @@ var (
 	errDuplicateIdentityName = errors.New("duplicate identity name")
 )
 
+func (c *Core) SetLoadCaseSensitiveIdentityStore(caseSensitive bool) {
+	c.loadCaseSensitiveIdentityStore = caseSensitive
+}
+
 func (c *Core) loadIdentityStoreArtifacts(ctx context.Context) error {
 	if c.identityStore == nil {
 		c.logger.Warn("identity store is not setup, skipping loading")
 		return nil
 	}
 
+	var err error
 	loadFunc := func(context.Context) error {
-		err := c.identityStore.loadEntities(ctx)
+		err = c.identityStore.loadEntities(ctx)
 		if err != nil {
 			return err
 		}
 		return c.identityStore.loadGroups(ctx)
 	}
 
-	// Load everything when memdb is set to operate on lower cased names
-	err := loadFunc(ctx)
-	switch {
-	case err == nil:
-		// If it succeeds, all is well
-		return nil
-	case err != nil && !errwrap.Contains(err, errDuplicateIdentityName.Error()):
-		return err
+	if !c.loadCaseSensitiveIdentityStore {
+		// Load everything when memdb is set to operate on lower cased names
+		err = loadFunc(ctx)
+		switch {
+		case err == nil:
+			// If it succeeds, all is well
+			return nil
+		case err != nil && !errwrap.Contains(err, errDuplicateIdentityName.Error()):
+			return err
+		}
 	}
 
 	c.identityStore.logger.Warn("enabling case sensitive identity names")
@@ -333,22 +340,37 @@ func (i *IdentityStore) upsertEntityInTxn(ctx context.Context, txn *memdb.Txn, e
 			// into merging
 			fallthrough
 		default:
+			if !persist {
+				i.logger.Warn(errDuplicateIdentityName.Error(), "alias_name", alias.Name, "mount_accessor", alias.MountAccessor, "entity_name", entity.Name, "action", "delete one of the duplicate aliases")
+				if !i.disableLowerCasedNames {
+					return errDuplicateIdentityName
+				}
+
+				// At this point, identity store is operating case-sensitively.
+				// Persisting is allowed only on the primary.
+				if i.core.ReplicationState().HasState(consts.ReplicationPerformanceSecondary) || i.core.perfStandby {
+					break
+				}
+			}
+
 			i.logger.Warn("alias is already tied to a different entity; these entities are being merged", "alias_id", alias.ID, "other_entity_id", aliasByFactors.CanonicalID, "entity_aliases", entity.Aliases, "alias_by_factors", aliasByFactors)
+
 			respErr, intErr := i.mergeEntity(ctx, txn, entity, []string{aliasByFactors.CanonicalID}, true, false, true)
 			switch {
 			case respErr != nil:
 				return respErr
 			case intErr != nil:
 				return intErr
 			}
+
 			// The entity and aliases will be loaded into memdb and persisted
 			// as a result of the merge so we are done here
 			return nil
 		}
 
 		if strutil.StrListContains(aliasFactors, i.sanitizeName(alias.Name)+alias.MountAccessor) {
 			i.logger.Warn(errDuplicateIdentityName.Error(), "alias_name", alias.Name, "mount_accessor", alias.MountAccessor, "entity_name", entity.Name, "action", "delete one of the duplicate aliases")
-			if !i.disableLowerCasedNames {
+			if !persist && !i.disableLowerCasedNames {
 				return errDuplicateIdentityName
 			}
 		}