Case insensitive group names

hashicorp · Sep 26, 2018 · 523c727 · 523c727
1 parent f05264d
commit 523c727
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 7 deletions.
diff --git a/vault/identity_store.go b/vault/identity_store.go
@@ -311,9 +311,6 @@ func (i *IdentityStore) parseEntityFromBucketItem(ctx context.Context, item *sto
 		entity.NamespaceID = namespace.RootNamespaceID
 	}
 
-	// Entities that were created before NameRaw was introduced, should
-	// duplicate the Name as NameRaw. Persisting the entity back is not
-	// required.
 	if entity.Name != "" && entity.NameRaw == "" {
 		entity.NameRaw = entity.Name
 	}
@@ -354,6 +351,10 @@ func (i *IdentityStore) parseGroupFromBucketItem(item *storagepacker.Item) (*ide
 		group.NamespaceID = namespace.RootNamespaceID
 	}
 
+	if group.Name != "" && group.NameRaw == "" {
+		group.NameRaw = group.Name
+	}
+
 	return &group, nil
 }
 

diff --git a/vault/identity_store_entities.go b/vault/identity_store_entities.go
@@ -332,8 +332,7 @@ func (i *IdentityStore) handleEntityReadCommon(ctx context.Context, entity *iden
 
 	respData := map[string]interface{}{}
 	respData["id"] = entity.ID
-	// Respond NameRaw instead of name because NameRaw preserves the casing of
-	// name provided over the API
+	// Case sensitive name
 	respData["name"] = entity.NameRaw
 	respData["metadata"] = entity.Metadata
 	respData["merged_entity_ids"] = entity.MergedEntityIDs

diff --git a/vault/identity_store_groups.go b/vault/identity_store_groups.go
@@ -225,6 +225,7 @@ func (i *IdentityStore) handleGroupUpdateCommon(ctx context.Context, req *logica
 			return logical.ErrorResponse("group name is already in use"), nil
 		}
 		group.Name = groupName
+		group.NameRaw = groupName
 	}
 
 	metadata, ok, err := d.GetOkErr("metadata")
@@ -326,7 +327,8 @@ func (i *IdentityStore) handleGroupReadCommon(ctx context.Context, group *identi
 
 	respData := map[string]interface{}{}
 	respData["id"] = group.ID
-	respData["name"] = group.Name
+	// Case sensitive name
+	respData["name"] = group.NameRaw
 	respData["policies"] = group.Policies
 	respData["member_entity_ids"] = group.MemberEntityIDs
 	respData["parent_group_ids"] = group.ParentGroupIDs
@@ -496,7 +498,7 @@ func (i *IdentityStore) handleGroupListCommon(ctx context.Context, byID bool) (*
 		if byID {
 			keys = append(keys, group.ID)
 		} else {
-			keys = append(keys, group.Name)
+			keys = append(keys, group.NameRaw)
 		}
 
 		groupInfoEntry := map[string]interface{}{

diff --git a/vault/identity_store_util.go b/vault/identity_store_util.go
@@ -73,6 +73,18 @@ func (i *IdentityStore) loadGroups(ctx context.Context) error {
 				continue
 			}
 
+			// Ensure that there are no groups with duplicate names
+			groupByName, err := i.MemDBGroupByName(ctx, group.Name, false)
+			if err != nil {
+				return err
+			}
+			if groupByName != nil && !i.core.disableCaseInsensitiveIdentityNames {
+				return fmt.Errorf(`Duplicate group names %q and %q.
+Identity names are treated case insensitively unless
+'disable_case_insensitive_identity_names' config is set.`,
+					group.NameRaw, groupByName.NameRaw)
+			}
+
 			if i.logger.IsDebug() {
 				i.logger.Debug("loading group", "name", group.Name, "id", group.ID)
 			}
@@ -923,6 +935,7 @@ func (i *IdentityStore) sanitizeAndUpsertGroup(ctx context.Context, group *ident
 		if err != nil {
 			return fmt.Errorf("failed to generate group name")
 		}
+		group.NameRaw = group.Name
 	}
 
 	// Entity metadata should always be map[string]string
@@ -1122,6 +1135,8 @@ func (i *IdentityStore) MemDBGroupByNameInTxn(ctx context.Context, txn *memdb.Tx
 		return nil, fmt.Errorf("txn is nil")
 	}
 
+	groupName = i.sanitizeName(groupName)
+
 	ns, err := namespace.FromContext(ctx)
 	if err != nil {
 		return nil, err
@@ -1233,6 +1248,8 @@ func (i *IdentityStore) MemDBUpsertGroupInTxn(txn *memdb.Txn, group *identity.Gr
 		return fmt.Errorf("group is nil")
 	}
 
+	group.Name = i.sanitizeName(group.Name)
+
 	if group.NamespaceID == "" {
 		group.NamespaceID = namespace.RootNamespaceID
 	}