Updates identity/group to allow updating a group by name (#10223)

hashicorp · Jan 29, 2021 · d0f1dd7 · d0f1dd7
1 parent ce4c842
commit d0f1dd7
Show file tree

Hide file tree

Showing 3 changed files with 66 additions and 1 deletion.
diff --git a/vault/identity_store_groups.go b/vault/identity_store_groups.go
@@ -120,6 +120,11 @@ func (i *IdentityStore) pathGroupRegister() framework.OperationFunc {
 			return i.pathGroupIDUpdate()(ctx, req, d)
 		}
 
+		_, ok = d.GetOk("name")
+		if ok {
+			return i.pathGroupNameUpdate()(ctx, req, d)
+		}
+
 		i.groupLock.Lock()
 		defer i.groupLock.Unlock()
 

diff --git a/vault/identity_store_groups_test.go b/vault/identity_store_groups_test.go
@@ -12,6 +12,65 @@ import (
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
+func TestIdentityStore_Groups_AddByNameEntityUpdate(t *testing.T) {
+	c, _, _ := TestCoreUnsealed(t)
+	ctx := namespace.RootContext(nil)
+
+	// Create an entity and get its ID
+	entityRegisterReq := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "entity",
+	}
+	resp, err := c.identityStore.HandleRequest(ctx, entityRegisterReq)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: resp: %#v, err: %v", resp, err)
+	}
+	entityID := resp.Data["id"].(string)
+
+	// Create a group containing the entity
+	groupName := "group-name"
+	expectedMemberEntityIDs := []string{entityID}
+	resp, err = c.identityStore.HandleRequest(ctx, &logical.Request{
+		Path:      "group",
+		Operation: logical.UpdateOperation,
+		Data: map[string]interface{}{
+			"name":              groupName,
+			"member_entity_ids": expectedMemberEntityIDs,
+		},
+	})
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: err: %v\nresp: %#v", err, resp)
+	}
+
+	// Remove the entity from the group
+	resp, err = c.identityStore.HandleRequest(ctx, &logical.Request{
+		Path:      "group",
+		Operation: logical.UpdateOperation,
+		Data: map[string]interface{}{
+			"name":              groupName,
+			"member_entity_ids": []string{},
+		},
+	})
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: err: %v\nresp: %#v", err, resp)
+	}
+
+	// Make sure the member no longer thinks it's in the group
+	entityIDReq := &logical.Request{
+		Operation: logical.ReadOperation,
+		Path:      "entity/id/" + entityID,
+	}
+	resp, err = c.identityStore.HandleRequest(ctx, entityIDReq)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: resp: %#v, err: %v", resp, err)
+	}
+	expectedGroupIDs := []string{}
+	actualGroupIDs := resp.Data["direct_group_ids"]
+	if !reflect.DeepEqual(expectedGroupIDs, actualGroupIDs) {
+		t.Fatalf("bad: direct_group_ids:\nexpected: %#v\nactual: %#v", expectedGroupIDs, actualGroupIDs)
+	}
+}
+
 func TestIdentityStore_FixOverwrittenMemberGroupIDs(t *testing.T) {
 	c, _, _ := TestCoreUnsealed(t)
 	ctx := namespace.RootContext(nil)

diff --git a/website/content/api-docs/secret/identity/group.mdx b/website/content/api-docs/secret/identity/group.mdx
@@ -15,7 +15,8 @@ This endpoint creates or updates a Group.
 
 ### Parameters
 
-- `name` `(string: entity-<UUID>)` – Name of the group.
+- `name` `(string: entity-<UUID>)` – Name of the group.  If set (and
+  ID is not set), updates the corresponding existing group.
 
 - `id` `(string: <optional>)` - ID of the group. If set, updates the
   corresponding existing group.