From 523c727657735a0c613f0c33ad7e4d73132f76b7 Mon Sep 17 00:00:00 2001 From: vishalnayak Date: Wed, 26 Sep 2018 18:57:13 -0400 Subject: [PATCH] Case insensitive group names --- vault/identity_store.go | 7 ++++--- vault/identity_store_entities.go | 3 +-- vault/identity_store_groups.go | 6 ++++-- vault/identity_store_util.go | 17 +++++++++++++++++ 4 files changed, 26 insertions(+), 7 deletions(-) diff --git a/vault/identity_store.go b/vault/identity_store.go index 14055e0b5d2e..31168e463633 100644 --- a/vault/identity_store.go +++ b/vault/identity_store.go @@ -311,9 +311,6 @@ func (i *IdentityStore) parseEntityFromBucketItem(ctx context.Context, item *sto entity.NamespaceID = namespace.RootNamespaceID } - // Entities that were created before NameRaw was introduced, should - // duplicate the Name as NameRaw. Persisting the entity back is not - // required. if entity.Name != "" && entity.NameRaw == "" { entity.NameRaw = entity.Name } @@ -354,6 +351,10 @@ func (i *IdentityStore) parseGroupFromBucketItem(item *storagepacker.Item) (*ide group.NamespaceID = namespace.RootNamespaceID } + if group.Name != "" && group.NameRaw == "" { + group.NameRaw = group.Name + } + return &group, nil } diff --git a/vault/identity_store_entities.go b/vault/identity_store_entities.go index 21dd9d33f104..ebe82a6c813a 100644 --- a/vault/identity_store_entities.go +++ b/vault/identity_store_entities.go @@ -332,8 +332,7 @@ func (i *IdentityStore) handleEntityReadCommon(ctx context.Context, entity *iden respData := map[string]interface{}{} respData["id"] = entity.ID - // Respond NameRaw instead of name because NameRaw preserves the casing of - // name provided over the API + // Case sensitive name respData["name"] = entity.NameRaw respData["metadata"] = entity.Metadata respData["merged_entity_ids"] = entity.MergedEntityIDs diff --git a/vault/identity_store_groups.go b/vault/identity_store_groups.go index d8c3280bcdb3..dad928f69acd 100644 --- a/vault/identity_store_groups.go 
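Review bot: The NameRaw backfill added to parseGroupFromBucketItem carries no explanation of why NameRaw can be empty, while the same commit deletes the comment that explained exactly that on the entity side. A one-line note keeps the next reader from "simplifying" it away: `// Groups stored before NameRaw existed carry only Name; mirror it so read/list still return a name (no re-persist needed, as for entities).` This presumes pre-change groups were stored with their original casing in Name, which the removed entity comment implied but nothing in this hunk shows for groups, so confirm before wording it as fact. The rest of parseGroupFromBucketItem is outside the hunk.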
+++ b/vault/identity_store_groups.go @@ -225,6 +225,7 @@ func (i *IdentityStore) handleGroupUpdateCommon(ctx context.Context, req *logica return logical.ErrorResponse("group name is already in use"), nil } group.Name = groupName + group.NameRaw = groupName } metadata, ok, err := d.GetOkErr("metadata") @@ -326,7 +327,8 @@ func (i *IdentityStore) handleGroupReadCommon(ctx context.Context, group *identi respData := map[string]interface{}{} respData["id"] = group.ID - respData["name"] = group.Name + // Case sensitive name + respData["name"] = group.NameRaw respData["policies"] = group.Policies respData["member_entity_ids"] = group.MemberEntityIDs respData["parent_group_ids"] = group.ParentGroupIDs @@ -496,7 +498,7 @@ func (i *IdentityStore) handleGroupListCommon(ctx context.Context, byID bool) (* if byID { keys = append(keys, group.ID) } else { - keys = append(keys, group.Name) + keys = append(keys, group.NameRaw) } groupInfoEntry := map[string]interface{}{ diff --git a/vault/identity_store_util.go b/vault/identity_store_util.go index 60681c949d00..3d791bb0249d 100644 --- a/vault/identity_store_util.go +++ b/vault/identity_store_util.go @@ -73,6 +73,18 @@ func (i *IdentityStore) loadGroups(ctx context.Context) error { continue } + // Ensure that there are no groups with duplicate names + groupByName, err := i.MemDBGroupByName(ctx, group.Name, false) + if err != nil { + return err + } + if groupByName != nil && !i.core.disableCaseInsensitiveIdentityNames { + return fmt.Errorf(`Duplicate group names %q and %q. +Identity names are treated case insensitively unless +'disable_case_insensitive_identity_names' config is set.`, + group.NameRaw, groupByName.NameRaw) + } + if i.logger.IsDebug() { i.logger.Debug("loading group", "name", group.Name, "id", group.ID) } 
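Review bot: In handleGroupUpdateCommon both Name and NameRaw receive the caller's string unchanged, and Name is only case-folded later by MemDBUpsertGroupInTxn elsewhere in this patch, so a reader of this function cannot tell that `group.Name` is not yet the lookup key. A comment on the two assignments would make the split explicit: `// NameRaw keeps the caller's casing for responses; Name becomes the case-folded lookup key at memdb upsert.` The preceding `group name is already in use` check presumably goes through the folding lookup too, which is what makes uniqueness case-insensitive here and is worth confirming. handleGroupUpdateCommon starts and ends outside this hunk.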
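Review bot: The new comment `// Case sensitive name` in handleGroupReadCommon is misleading: the value is not a case-sensitive identifier, it is the casing the caller supplied, while lookups stay case-insensitive. Suggest `// NameRaw preserves the casing given at create/update; Name is the case-folded lookup key.` The same terse comment replaced the fuller one in the entity read path in this commit, and the suggested wording applies there as well.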
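Review bot: The duplicate check in loadGroups looks the group up with the loop's ctx, but MemDBGroupByNameInTxn (also in this patch) scopes the lookup by namespace.FromContext(ctx) rather than by group.NamespaceID; unless ctx is already rebound to each group's namespace before this point, groups outside the root namespace are compared against the wrong namespace and a collision there is silently missed, even though the check is what makes the new uniqueness rule hold for stored data. If the surrounding loop does not already do that, the lookup should use a context derived from group.NamespaceID. Minor: the error text starts with a capital and embeds newlines, unlike the other errors in this file such as `failed to generate group name`; a single-line lowercase message is easier to match in logs. The loop body of loadGroups continues outside this hunk.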
@@ -923,6 +935,7 @@ func (i *IdentityStore) sanitizeAndUpsertGroup(ctx context.Context, group *ident if err != nil { return fmt.Errorf("failed to generate group name") } + group.NameRaw = group.Name } // Entity metadata should always be map[string]string @@ -1122,6 +1135,8 @@ func (i *IdentityStore) MemDBGroupByNameInTxn(ctx context.Context, txn *memdb.Tx return nil, fmt.Errorf("txn is nil") } + groupName = i.sanitizeName(groupName) + ns, err := namespace.FromContext(ctx) if err != nil { return nil, err @@ -1233,6 +1248,8 @@ func (i *IdentityStore) MemDBUpsertGroupInTxn(txn *memdb.Txn, group *identity.Gr return fmt.Errorf("group is nil") } + group.Name = i.sanitizeName(group.Name) + if group.NamespaceID == "" { group.NamespaceID = namespace.RootNamespaceID }
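Review bot: MemDBGroupByNameInTxn now folds groupName unconditionally, yet the loadGroups check in this same patch raises its error only when `disableCaseInsensitiveIdentityNames` is unset; unless sanitizeName itself consults that flag, a deployment with the flag set still gets case-folded lookups, so a request for `Admins` could resolve to a group stored as `admins`. Worth confirming in sanitizeName, and worth stating at the call site: `// sanitizeName must fold exactly as MemDBUpsertGroupInTxn does (and honour the case-insensitivity switch), or lookups miss stored keys.` The remainder of the function is outside the hunk.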
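Review bot: MemDBUpsertGroupInTxn overwrites group.Name with the folded form in place, but nothing backfills NameRaw first; a caller that builds a Group with only Name set (the generated-name branch of sanitizeAndUpsertGroup sets NameRaw in this patch, the supplied-name branch is not visible) loses the original casing and read/list then return an empty name. Guarding before the fold, `if group.NameRaw == "" { group.NameRaw = group.Name }`, costs nothing and mirrors what parseGroupFromBucketItem does for stored groups. The in-place mutation is also visible to the caller through the pointer, which deserves a comment on that line. MemDBUpsertGroupInTxn continues outside this hunk.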