[VAULT-3252] Disallow alias creation if entity/accessor combination exists

changelog/12747.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+core/identity: Disallow entity alias creation when an alias for the specified entity and mount exists
+```

vault/identity_store_aliases.go

@@ -267,6 +267,12 @@ func (i *IdentityStore) handleAliasCreate(ctx context.Context, req *logical.Requ
 		}
 	}
 
+	for _, alias := range entity.Aliases {
+		if alias.MountAccessor == mountAccessor {
+			return logical.ErrorResponse("Alias already exists for requested entity and mount accessor"), nil
+		}
+	}
+
 	entity.Aliases = append(entity.Aliases, alias)
 
 	// ID creation and other validations; This is more useful for new entities

vault/identity_store_aliases_test.go

@@ -405,6 +405,56 @@ func TestIdentityStore_AliasUpdate(t *testing.T) {
 	}
 }
 
+// Test that alias creation fails if an alias for the specified mount
+// and entity has already been created
+func TestIdentityStore_AliasCreate_DuplicateAccessor(t *testing.T) {
+	var err error
+	var resp *logical.Response
+	ctx := namespace.RootContext(nil)
+	is, githubAccessor, _ := testIdentityStoreWithGithubAuth(ctx, t)
+
+	resp, err = is.HandleRequest(ctx, &logical.Request{
+		Path:      "entity",
+		Operation: logical.UpdateOperation,
+	})
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: err:%v\nresp: %#v", err, resp)
+	}
+	entityID := resp.Data["id"].(string)
+
+	aliasData := map[string]interface{}{
+		"name":           "testaliasname",
+		"mount_accessor": githubAccessor,
+		"canonical_id":   entityID,
+	}
+
+	aliasReq := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "entity-alias",
+		Data:      aliasData,
+	}
+
+	// This will create an alias and a corresponding entity
+	resp, err = is.HandleRequest(ctx, aliasReq)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("err:%v resp:%#v", err, resp)
+	}
+
+	aliasData["name"] = "testaliasname2"
+	aliasReq = &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "entity-alias",
+		Data:      aliasData,
+	}
+
+	// This will try to create a new alias with the same accessor and entity
+	resp, err = is.HandleRequest(ctx, aliasReq)
+
+	if resp == nil || !resp.IsError() {
+		t.Fatalf("expected an error as alias already exists for this accessor and entity")
+	}
+}
+
 func TestIdentityStore_AliasUpdate_ByID(t *testing.T) {
 	var err error
 	var resp *logical.Response

vault/identity_store_util.go

@@ -341,6 +341,12 @@ func (i *IdentityStore) loadEntities(ctx context.Context) error {
 					}
 				}
 
+				duplicateAccessors := getDuplicateAccessorsOnAliases(ctx, entity.Aliases)
+
+				// Log a warning if an entity has multiple aliases with the same accessor
+				if len(duplicateAccessors) > 0 {
+					i.logger.Warn("Duplicate aliases present for the same entity and accessor", "entity_name", entity.Name, "namespace_id", entity.NamespaceID, "duplicate_accessors", duplicateAccessors)
+				}
 				// Only update MemDB and don't hit the storage again
 				err = i.upsertEntity(nsCtx, entity, nil, false)
 				if err != nil {
@@ -360,6 +366,25 @@ func (i *IdentityStore) loadEntities(ctx context.Context) error {
 	return nil
 }
 
+// getDuplicateAccessorsOnAliases returns a list of duplicate accessors present in the
+// passed in list of aliases
+func getDuplicateAccessorsOnAliases(ctx context.Context, aliases []*identity.Alias) []string {
+	accessorCounts := make(map[string]int)
+	duplicateAccessors := make([]string, 0)
+
+	for _, alias := range aliases {
+		accessorCounts[alias.MountAccessor] += 1
+	}
+
+	for accessor, accessorCount := range accessorCounts {
+		if accessorCount > 1 {
+			duplicateAccessors = append(duplicateAccessors, accessor)
+		}
+	}
+
+	return duplicateAccessors
+}
+
 // upsertEntityInTxn either creates or updates an existing entity. The
 // operations will be updated in both MemDB and storage. If 'persist' is set to
 // false, then storage will not be updated. When an alias is transferred from