-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Updates to groups without ID are not consistent. #10585
Conversation
@@ -219,6 +219,8 @@ func (i *IdentityStore) handleGroupUpdateCommon(ctx context.Context, req *logica | |||
switch { | |||
case groupByName == nil: | |||
// Allowed | |||
case newGroup && groupByName != nil: | |||
return logical.ErrorResponse("new group name is already in use"), nil | |||
case group.ID == "": | |||
group = groupByName |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Using the non-cloned groupByName
result will always lead to the bug. You need to either clone the groupByName
as I did in #10582 or you need to fail on that case.
The case you added essentially makes the group.ID == ""
case dead code which solves the bug as well because the only way group.ID == ""
can currently occur is when it is a newGroup
. However that case should be removed entirely.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For me the bug is not that the update is not happening but that it should return an error, the documentation says it needs an ID to do the update.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, agreed, I listed this as an alternate in my PR. But the code path for group.ID == ""
is wrong and should be deleted (or return an error). The case you added will always trigger instead of group.ID == ""
, so that case is now dead code. It should not be left in. If, in the future, it was triggered again somehow, then this bug would re-appear.
Setting group = groupByName
is always wrong, and if it's not wrong, it should be cloned.
Is there any progress on this? It does allow someone who has access to this API to give themselves permanent, un-audited access to that group. |
The conditions in the code: Hey @luke-clifton are you able to draft a PR with what you think is still pending? - I'm not sure I understand fully the cloning or any comparative |
Closing due to age and draft status |
When using the
entity/group
endpoint and NOT providing the ID as required the entity groups are not updated.id (string: <optional>) - ID of the group. If set, updates the corresponding existing group.
https://www.vaultproject.io/api-docs/secret/identity/group#create-a-group
The bug happens when we don't provide an ID but we include the name of an already existing group which results in an inconsistent update.
Originally reported by @luke-clifton
Reproduction, in this case, the group has 3 entities and we remove 1.
The entity still shows the group ID when reading the properties but the group no longer shows the entity ID.
This PR is a draft until I add unit testing.