
Updates to groups without ID are not consistent. #10585

Closed
wants to merge 2 commits into from

Conversation

bruj0
Contributor

@bruj0 bruj0 commented Dec 16, 2020

When using the entity/group endpoint and NOT providing the ID as required, the entity groups are not updated.

id (string: <optional>) - ID of the group. If set, updates the corresponding existing group.

https://www.vaultproject.io/api-docs/secret/identity/group#create-a-group

The bug happens when we don't provide an ID but we include the name of an already existing group which results in an inconsistent update.

Originally reported by @luke-clifton

Reproduction: in this case the group has 3 entities and we remove 1.
The entity still shows the group ID when reading its properties, but the group no longer shows the entity ID.

+ vault read identity/group/name/cdaa75b0-0cc8-4902-bfe4-5a3878013528 -format=json
+ jq .data.member_entity_ids
[
  "0ebdf3f1-6067-36ed-3bb1-5a087395a0ff",
  "28b2bf74-db92-c004-53bf-9140851e1784",
  "7ff2f3b2-3b2c-82a0-b6fa-046025111339"
]
+ vault write identity/group name=cdaa75b0-0cc8-4902-bfe4-5a3878013528 member_entity_ids=28b2bf74-db92-c004-53bf-9140851e1784,0ebdf3f1-6067-36ed-3bb1-5a087395a0ff
Key     Value
---     -----
id      57cde975-abf9-5ad9-39bd-e32f613acd20
name    cdaa75b0-0cc8-4902-bfe4-5a3878013528
+ vault read identity/entity/id/7ff2f3b2-3b2c-82a0-b6fa-046025111339 -format=json
+ jq .data.group_ids
[
  "57cde975-abf9-5ad9-39bd-e32f613acd20"
]
+ vault read identity/group/name/cdaa75b0-0cc8-4902-bfe4-5a3878013528 -format=json
+ jq .data.member_entity_ids
[
  "0ebdf3f1-6067-36ed-3bb1-5a087395a0ff",
  "28b2bf74-db92-c004-53bf-9140851e1784"
]

This PR is a draft until I add unit testing.

@bruj0 bruj0 marked this pull request as draft December 16, 2020 14:30
@bruj0 bruj0 added bug Used to indicate a potential bug core/identity labels Dec 16, 2020
@@ -219,6 +219,8 @@ func (i *IdentityStore) handleGroupUpdateCommon(ctx context.Context, req *logica
switch {
case groupByName == nil:
// Allowed
case newGroup && groupByName != nil:
return logical.ErrorResponse("new group name is already in use"), nil
case group.ID == "":
group = groupByName
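Review bot: with the new `case newGroup && groupByName != nil` placed ahead of `case group.ID == ""`, the assignment `group = groupByName` is only reached for a group that is not new yet carries no ID; if that state cannot occur the case is dead code and should be deleted, and if it can occur it aliases the record returned by the name lookup instead of a copy, so any later in-place change to `group` also changes what the store still treats as the old group. Either drop the case, return `logical.ErrorResponse` there as the documented contract implies (an update requires `id`), or clone `groupByName` before assigning it. The PR is also still marked draft pending unit tests; a test that writes an existing name without an id and then reads back the dropped entity's group_ids would pin the fix.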
Contributor
Using the non-cloned groupByName result will always lead to the bug. You need to either clone the groupByName as I did in #10582 or you need to fail on that case.

The case you added essentially makes the group.ID == "" case dead code which solves the bug as well because the only way group.ID == "" can currently occur is when it is a newGroup. However that case should be removed entirely.
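The following is an added Go simulation, not Vault's own code, of the mechanism behind the repro in the PR description and the non-cloned `groupByName` point raised in the comment above. It assumes (hypothetically) that the store maintains the per-entity group index by diffing the stored group's members against the working record on every update; the `Store`, `UpdateByName` and `Violations` names are invented for the example, and the IDs are the ones from the repro session. With `clone=false` the handler edits the record the name lookup returned, so the diff sees no removal and the dropped entity keeps a stale `group_ids` entry; with `clone=true` the diff is computed against the untouched stored record and both views agree.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Constructed stand-ins for Vault's identity records (assumption: the real
// types carry many more fields; only membership matters here).
type Group struct {
	ID              string
	Name            string
	MemberEntityIDs []string
}

type Entity struct {
	ID       string
	GroupIDs []string
}

// Store holds groups by ID and by name plus the per-entity group index that
// `vault read identity/entity/id/<id>` reports as group_ids.
type Store struct {
	byID     map[string]*Group
	byName   map[string]*Group
	entities map[string]*Entity
}

func NewStore() *Store {
	return &Store{byID: map[string]*Group{}, byName: map[string]*Group{}, entities: map[string]*Entity{}}
}

func (s *Store) entity(id string) *Entity {
	e, ok := s.entities[id]
	if !ok {
		e = &Entity{ID: id}
		s.entities[id] = e
	}
	return e
}

func contains(xs []string, x string) bool {
	for _, y := range xs {
		if y == x {
			return true
		}
	}
	return false
}

// setDiff returns the elements of a that are not in b.
func setDiff(a, b []string) []string {
	var out []string
	for _, x := range a {
		if !contains(b, x) {
			out = append(out, x)
		}
	}
	return out
}

func (s *Store) link(entityID, groupID string) {
	e := s.entity(entityID)
	if !contains(e.GroupIDs, groupID) {
		e.GroupIDs = append(e.GroupIDs, groupID)
	}
}

func (s *Store) unlink(entityID, groupID string) {
	e := s.entity(entityID)
	e.GroupIDs = setDiff(e.GroupIDs, []string{groupID})
}

func (s *Store) CreateGroup(id, name string, members []string) {
	g := &Group{ID: id, Name: name, MemberEntityIDs: append([]string(nil), members...)}
	s.byID[id], s.byName[name] = g, g
	for _, m := range members {
		s.link(m, id)
	}
}

// UpdateByName models a write to identity/group that carries a name but no
// id. clone=false works directly on the record the name lookup returned (the
// `group = groupByName` path); clone=true works on a copy, as #10582 proposes.
func (s *Store) UpdateByName(name string, members []string, clone bool) error {
	groupByName := s.byName[name]
	if groupByName == nil {
		return errors.New("group not found")
	}
	group := groupByName
	if clone {
		cp := *groupByName
		cp.MemberEntityIDs = append([]string(nil), groupByName.MemberEntityIDs...)
		group = &cp
	}
	group.MemberEntityIDs = append([]string(nil), members...)

	// Keep the entity index in step by diffing stored vs working membership.
	// Without a clone both are the same object, so the "removed" set is empty.
	stored := s.byID[group.ID]
	for _, e := range setDiff(stored.MemberEntityIDs, group.MemberEntityIDs) {
		s.unlink(e, group.ID)
	}
	for _, e := range setDiff(group.MemberEntityIDs, stored.MemberEntityIDs) {
		s.link(e, group.ID)
	}
	s.byID[group.ID], s.byName[group.Name] = group, group
	return nil
}

// Violations lists every place where an entity's group_ids and a group's
// member_entity_ids disagree, in either direction (sorted for determinism).
func (s *Store) Violations() []string {
	var out []string
	for _, g := range s.byID {
		for _, m := range g.MemberEntityIDs {
			if !contains(s.entity(m).GroupIDs, g.ID) {
				out = append(out, fmt.Sprintf("group %s lists %s, entity does not list group", g.ID, m))
			}
		}
		for _, e := range s.entities {
			if contains(e.GroupIDs, g.ID) && !contains(g.MemberEntityIDs, e.ID) {
				out = append(out, fmt.Sprintf("entity %s lists group %s, group does not list entity", e.ID, g.ID))
			}
		}
	}
	sort.Strings(out)
	return out
}

// Repro replays the session from the PR description: a group of three
// entities is rewritten by name with one member dropped.
func Repro(clone bool) []string {
	s := NewStore()
	const gid, gname = "57cde975-abf9-5ad9-39bd-e32f613acd20", "cdaa75b0-0cc8-4902-bfe4-5a3878013528"
	keep := []string{"0ebdf3f1-6067-36ed-3bb1-5a087395a0ff", "28b2bf74-db92-c004-53bf-9140851e1784"}
	dropped := "7ff2f3b2-3b2c-82a0-b6fa-046025111339"
	s.CreateGroup(gid, gname, append(keep, dropped))
	if err := s.UpdateByName(gname, keep, clone); err != nil {
		panic(err)
	}
	return s.Violations()
}

func main() {
	fmt.Println("aliased:", Repro(false))
	fmt.Println("cloned: ", Repro(true))
}
```

Running it prints one violation for the aliased update (the dropped entity still lists the group) and none for the cloned one, which is the same asymmetry the two `vault read` calls in the repro show.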

Contributor Author

For me the bug is not that the update is not happening but that it should return an error; the documentation says it needs an ID to do the update.

Contributor
@luke-clifton luke-clifton Dec 17, 2020

Yep, agreed, I listed this as an alternate in my PR. But the code path for group.ID == "" is wrong and should be deleted (or return an error). The case you added will always trigger instead of group.ID == "", so that case is now dead code. It should not be left in. If, in the future, it were triggered again somehow, this bug would reappear.

Setting group = groupByName is always wrong, and if it's not wrong, it should be cloned.

@luke-clifton
Contributor

Is there any progress on this? It does allow someone who has access to this API to give themselves permanent, un-audited access to that group.

@aphorise
Contributor

aphorise commented Feb 7, 2023

The conditions in the code (vault/identity_store_groups.go) remain the same as when this issue was raised; the last proposed solution also doesn't seem robust enough?

Hey @luke-clifton, are you able to draft a PR with what you think is still pending? I'm not sure I fully understand the cloning or any comparative groupByName / ID that you're after (as you noted above).

@VioletHynes VioletHynes added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Jul 7, 2023
@heatherezell
Contributor

Closing due to age and draft status
