backport of commit bab1063 (#16841)

hc-github-team-secure-vault-core · jasonodonnell · web-flow · commit f788761c3dbb · 2022-08-23T16:23:50.000-04:00
Co-authored-by: Jason O'Donnell &lt;2160810+jasonodonnell@users.noreply.github.com&gt;
diff --git a/vault/identity_store.go b/vault/identity_store.go
@@ -850,7 +850,7 @@ func (i *IdentityStore) CreateOrFetchEntity(ctx context.Context, alias *logical.
 // names match or no metadata is different, -1 is returned.
 func changedAliasIndex(entity *identity.Entity, alias *logical.Alias) int {
 	for i, a := range entity.Aliases {
-		if a.Name == alias.Name && !strutil.EqualStringMaps(a.Metadata, alias.Metadata) {
+		if a.Name == alias.Name && a.MountAccessor == alias.MountAccessor && !strutil.EqualStringMaps(a.Metadata, alias.Metadata) {
 			return i
 		}
 	}
diff --git a/vault/identity_store_test.go b/vault/identity_store_test.go
@@ -807,3 +807,52 @@ func TestIdentityStore_NewEntityCounter(t *testing.T) {
 
 	expectSingleCount(t, sink, "identity.entity.creation")
 }
+
+func TestIdentityStore_UpdateAliasMetadataPerAccessor(t *testing.T) {
+	entity := &identity.Entity{
+		ID:       "testEntityID",
+		Name:     "testEntityName",
+		Policies: []string{"foo", "bar"},
+		Aliases: []*identity.Alias{
+			{
+				ID:            "testAliasID1",
+				CanonicalID:   "testEntityID",
+				MountType:     "testMountType",
+				MountAccessor: "testMountAccessor",
+				Name:          "sameAliasName",
+			},
+			{
+				ID:            "testAliasID2",
+				CanonicalID:   "testEntityID",
+				MountType:     "testMountType",
+				MountAccessor: "testMountAccessor2",
+				Name:          "sameAliasName",
+			},
+		},
+		NamespaceID: namespace.RootNamespaceID,
+	}
+
+	login := &logical.Alias{
+		MountType:     "testMountType",
+		MountAccessor: "testMountAccessor",
+		Name:          "sameAliasName",
+		ID:            "testAliasID",
+		Metadata:      map[string]string{"foo": "bar"},
+	}
+
+	if i := changedAliasIndex(entity, login); i != 0 {
+		t.Fatalf("wrong alias index changed. Expected 0, got %d", i)
+	}
+
+	login2 := &logical.Alias{
+		MountType:     "testMountType",
+		MountAccessor: "testMountAccessor2",
+		Name:          "sameAliasName",
+		ID:            "testAliasID2",
+		Metadata:      map[string]string{"bar": "foo"},
+	}
+
+	if i := changedAliasIndex(entity, login2); i != 1 {
+		t.Fatalf("wrong alias index changed. Expected 1, got %d", i)
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -850,7 +850,7 @@ func (i IdentityStore) CreateOrFetchEntity(ctx context.Context, alias logical.`
`850`	`850`	`// names match or no metadata is different, -1 is returned.`
`851`	`851`	`func changedAliasIndex(entity identity.Entity, alias logical.Alias) int {`
`852`	`852`	`for i, a := range entity.Aliases {`
`853`		`- if a.Name == alias.Name && !strutil.EqualStringMaps(a.Metadata, alias.Metadata) {`
	`853`	`+ if a.Name == alias.Name && a.MountAccessor == alias.MountAccessor && !strutil.EqualStringMaps(a.Metadata, alias.Metadata) {`
`854`	`854`	`return i`
`855`	`855`	`}`
`856`	`856`	`}`