Fix nil panic with unsafe_cross_namespace_identity (#1715)

cipherboy · satoqz · web-flow · commit 6bfd52749834 · 2025-08-28T08:42:56.000-04:00
* Fix nil panic with unsafe_cross_namespace_identity

The only place where IdentityStore.db(...) is not called is when ranging
over all views to collect metrics. This did not handle the unsafe
cross-namespace identity behavior of using a single memdb (only
available on the root namespace's view entry), leading to a nil panic.

Resolves: #1708

Signed-off-by: Alexander Scheel &lt;ascheel@gitlab.com&gt;

* Add changelog entry

Signed-off-by: Alexander Scheel &lt;ascheel@gitlab.com&gt;

* Update vault/identity_store_test.go

Co-authored-by: Jonas Köhnen &lt;mail@satoqz.net&gt;
Signed-off-by: Alexander Scheel &lt;alexander.m.scheel@gmail.com&gt;

---------

Signed-off-by: Alexander Scheel &lt;ascheel@gitlab.com&gt;
Signed-off-by: Alexander Scheel &lt;alexander.m.scheel@gmail.com&gt;
Co-authored-by: Jonas Köhnen &lt;mail@satoqz.net&gt;
diff --git a/changelog/1715.txt b/changelog/1715.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+identity: fix nil panic when collecting metrics with unsafe_cross_namespace_identity=true.
+```
diff --git a/vault/core_metrics_test.go b/vault/core_metrics_test.go
@@ -4,6 +4,7 @@
 package vault
 
 import (
+	"context"
 	"errors"
 	"sort"
 	"strings"
@@ -262,9 +263,20 @@ func metricLabelsMatch(t *testing.T, actual []metrics.Label, expected map[string
 }
 
 func TestCoreMetrics_EntityGauges(t *testing.T) {
-	ctx := namespace.RootContext(nil)
-	is, approleAccessor, upAccessor, core := testIdentityStoreWithAppRoleUserpassAuth(ctx, t)
+	ctx := namespace.RootContext(context.Background())
+	is, approleAccessor, upAccessor, core := testIdentityStoreWithAppRoleUserpassAuth(ctx, t, false)
+
+	testCoreMetricsEntityGauges(t, ctx, is, approleAccessor, upAccessor, core)
+}
+
+func TestCoreMetrics_EntityGaugesUnsafeSharedIdentity(t *testing.T) {
+	ctx := namespace.RootContext(context.Background())
+	is, approleAccessor, upAccessor, core := testIdentityStoreWithAppRoleUserpassAuth(ctx, t, true)
+
+	testCoreMetricsEntityGauges(t, ctx, is, approleAccessor, upAccessor, core)
+}
 
+func testCoreMetricsEntityGauges(t *testing.T, ctx context.Context, is *IdentityStore, approleAccessor string, upAccessor string, core *Core) {
 	// Create an entity
 	alias1 := &logical.Alias{
 		MountType:     "approle",
diff --git a/vault/identity_store_aliases_test.go b/vault/identity_store_aliases_test.go
@@ -4,6 +4,7 @@
 package vault
 
 import (
+	"context"
 	"reflect"
 	"strings"
 	"testing"
@@ -654,11 +655,24 @@ func TestIdentityStore_AliasMove_DuplicateAccessor(t *testing.T) {
 // Test that the alias cannot be changed to a mount for which
 // the entity already has an alias
 func TestIdentityStore_AliasUpdate_DuplicateAccessor(t *testing.T) {
+	ctx := namespace.RootContext(context.Background())
+
+	is, approleAccessor, upAccessor, core := testIdentityStoreWithAppRoleUserpassAuth(ctx, t, false)
+
+	testIdentityStoreAliasUpdateDuplicateAccessor(t, ctx, is, approleAccessor, upAccessor, core)
+}
+
+func TestIdentityStore_AliasUpdate_DuplicateAccessor_UnsafeShared(t *testing.T) {
+	ctx := namespace.RootContext(context.Background())
+
+	is, approleAccessor, upAccessor, core := testIdentityStoreWithAppRoleUserpassAuth(ctx, t, true)
+
+	testIdentityStoreAliasUpdateDuplicateAccessor(t, ctx, is, approleAccessor, upAccessor, core)
+}
+
+func testIdentityStoreAliasUpdateDuplicateAccessor(t *testing.T, ctx context.Context, is *IdentityStore, approleAccessor string, upAccessor string, core *Core) {
 	var err error
 	var resp *logical.Response
-	ctx := namespace.RootContext(nil)
-
-	is, ghAccessor, upAccessor, _ := testIdentityStoreWithAppRoleUserpassAuth(ctx, t)
 
 	// Create 1 entity and 2 aliases on it, one for each mount
 	resp, err = is.HandleRequest(ctx, &logical.Request{
@@ -675,7 +689,7 @@ func TestIdentityStore_AliasUpdate_DuplicateAccessor(t *testing.T) {
 
 	alias1Data := map[string]interface{}{
 		"name":           "testaliasname1",
-		"mount_accessor": ghAccessor,
+		"mount_accessor": approleAccessor,
 		"canonical_id":   entityID,
 	}
 
@@ -708,7 +722,7 @@ func TestIdentityStore_AliasUpdate_DuplicateAccessor(t *testing.T) {
 
 	// Attempt to update the userpass mount to point to the github mount
 	updateData := map[string]interface{}{
-		"mount_accessor": ghAccessor,
+		"mount_accessor": approleAccessor,
 	}
 
 	aliasReq.Data = updateData
diff --git a/vault/identity_store_entities_test.go b/vault/identity_store_entities_test.go
@@ -1009,12 +1009,20 @@ func TestIdentityStore_EntityCRUD(t *testing.T) {
 }
 
 func TestIdentityStore_MergeEntitiesByID(t *testing.T) {
-	var err error
-	var resp *logical.Response
+	ctx := namespace.RootContext(context.Background())
+	is, approleAccessor, upAccessor, core := testIdentityStoreWithAppRoleUserpassAuth(ctx, t, false)
+	testIdentityStoreMergeEntitiesById(t, ctx, is, approleAccessor, upAccessor, core)
+}
 
-	ctx := namespace.RootContext(nil)
-	is, approleAccessor, upAccessor, _ := testIdentityStoreWithAppRoleUserpassAuth(ctx, t)
+func TestIdentityStore_MergeEntitiesByID_UnsafeShared(t *testing.T) {
+	ctx := namespace.RootContext(context.Background())
+	is, approleAccessor, upAccessor, core := testIdentityStoreWithAppRoleUserpassAuth(ctx, t, true)
+	testIdentityStoreMergeEntitiesById(t, ctx, is, approleAccessor, upAccessor, core)
+}
 
+func testIdentityStoreMergeEntitiesById(t *testing.T, ctx context.Context, is *IdentityStore, approleAccessor string, upAccessor string, core *Core) {
+	var err error
+	var resp *logical.Response
 	registerData := map[string]interface{}{
 		"name":     "testentityname2",
 		"metadata": []string{"someusefulkey=someusefulvalue"},
diff --git a/vault/identity_store_test.go b/vault/identity_store_test.go
@@ -185,10 +185,10 @@ func TestIdentityStore_UnsealingWhenConflictingAliasNames(t *testing.T) {
 func TestIdentityStore_EntityIDPassthrough(t *testing.T) {
 	// Enable AppRole auth and initialize
 	ctx := namespace.RootContext(nil)
-	is, ghAccessor, core := testIdentityStoreWithAppRoleAuth(ctx, t)
+	is, approleAccessor, core := testIdentityStoreWithAppRoleAuth(ctx, t)
 	alias := &logical.Alias{
 		MountType:     "approle",
-		MountAccessor: ghAccessor,
+		MountAccessor: approleAccessor,
 		Name:          "approleuser",
 	}
 
@@ -257,12 +257,21 @@ func TestIdentityStore_EntityIDPassthrough(t *testing.T) {
 }
 
 func TestIdentityStore_CreateOrFetchEntity(t *testing.T) {
-	ctx := namespace.RootContext(nil)
-	is, ghAccessor, upAccessor, _ := testIdentityStoreWithAppRoleUserpassAuth(ctx, t)
+	ctx := namespace.RootContext(t.Context())
+	is, approleAccessor, upAccessor, core := testIdentityStoreWithAppRoleUserpassAuth(ctx, t, false)
+	testIdentityStoreCreateOrFetchEntity(t, ctx, is, approleAccessor, upAccessor, core)
+}
 
+func TestIdentityStore_CreateOrFetchEntity_UnsafeShared(t *testing.T) {
+	ctx := namespace.RootContext(t.Context())
+	is, approleAccessor, upAccessor, core := testIdentityStoreWithAppRoleUserpassAuth(ctx, t, true)
+	testIdentityStoreCreateOrFetchEntity(t, ctx, is, approleAccessor, upAccessor, core)
+}
+
+func testIdentityStoreCreateOrFetchEntity(t *testing.T, ctx context.Context, is *IdentityStore, approleAccessor string, upAccessor string, core *Core) {
 	alias := &logical.Alias{
 		MountType:     "approle",
-		MountAccessor: ghAccessor,
+		MountAccessor: approleAccessor,
 		Name:          "approleuser",
 		Metadata: map[string]string{
 			"foo": "a",
@@ -372,7 +381,7 @@ func TestIdentityStore_EntityByAliasFactors(t *testing.T) {
 	var resp *logical.Response
 
 	ctx := namespace.RootContext(nil)
-	is, ghAccessor, _ := testIdentityStoreWithAppRoleAuth(ctx, t)
+	is, approleAccessor, _ := testIdentityStoreWithAppRoleAuth(ctx, t)
 
 	registerData := map[string]interface{}{
 		"name":     "testentityname",
@@ -403,7 +412,7 @@ func TestIdentityStore_EntityByAliasFactors(t *testing.T) {
 	aliasData := map[string]interface{}{
 		"entity_id":      entityID,
 		"name":           "alias_name",
-		"mount_accessor": ghAccessor,
+		"mount_accessor": approleAccessor,
 	}
 	aliasReq := &logical.Request{
 		Operation: logical.UpdateOperation,
@@ -419,7 +428,7 @@ func TestIdentityStore_EntityByAliasFactors(t *testing.T) {
 		t.Fatal("expected a non-nil response")
 	}
 
-	entity, err := is.entityByAliasFactors(ctx, ghAccessor, "alias_name", false)
+	entity, err := is.entityByAliasFactors(ctx, approleAccessor, "alias_name", false)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -648,13 +657,13 @@ func TestIdentityStore_MergeConflictingAliases(t *testing.T) {
 }
 
 func testCoreWithIdentityTokenAppRole(ctx context.Context, t *testing.T) (*Core, *IdentityStore, *TokenStore, string) {
-	is, ghAccessor, core := testIdentityStoreWithAppRoleAuth(ctx, t)
-	return core, is, core.tokenStore, ghAccessor
+	is, approleAccessor, core := testIdentityStoreWithAppRoleAuth(ctx, t)
+	return core, is, core.tokenStore, approleAccessor
 }
 
 func testCoreWithIdentityTokenAppRoleRoot(ctx context.Context, t *testing.T) (*Core, *IdentityStore, *TokenStore, string, string) {
-	is, ghAccessor, core, root := testIdentityStoreWithAppRoleAuthRoot(ctx, t)
-	return core, is, core.tokenStore, ghAccessor, root
+	is, approleAccessor, core, root := testIdentityStoreWithAppRoleAuthRoot(ctx, t)
+	return core, is, core.tokenStore, approleAccessor, root
 }
 
 func testIdentityStoreWithAppRoleAuth(ctx context.Context, t *testing.T) (*IdentityStore, string, *Core) {
@@ -692,7 +701,7 @@ func testIdentityStoreWithAppRoleAuthRoot(ctx context.Context, t *testing.T) (*I
 	return c.identityStore, meGH.Accessor, c, root
 }
 
-func testIdentityStoreWithAppRoleUserpassAuth(ctx context.Context, t *testing.T) (*IdentityStore, string, string, *Core) {
+func testIdentityStoreWithAppRoleUserpassAuth(ctx context.Context, t *testing.T, unsafeShared bool) (*IdentityStore, string, string, *Core) {
 	// Setup 2 auth backends, github and userpass
 	err := AddTestCredentialBackend("approle", credAppRole.Factory)
 	if err != nil {
@@ -706,7 +715,14 @@ func testIdentityStoreWithAppRoleUserpassAuth(ctx context.Context, t *testing.T)
 
 	defer ClearTestCredentialBackends()
 
-	c, _, _ := TestCoreUnsealed(t)
+	conf := &CoreConfig{
+		BuiltinRegistry:              corehelpers.NewMockBuiltinRegistry(),
+		UnsafeCrossNamespaceIdentity: unsafeShared,
+		AuditBackends: map[string]audit.Factory{
+			"file": auditFile.Factory,
+		},
+	}
+	c, _, _ := TestCoreUnsealedWithConfig(t, conf)
 
 	githubMe := &MountEntry{
 		Table:       credentialTableType,
@@ -802,11 +818,11 @@ func TestIdentityStore_NewEntityCounter(t *testing.T) {
 	}
 
 	is := c.identityStore
-	ghAccessor := meGH.Accessor
+	approleAccessor := meGH.Accessor
 
 	alias := &logical.Alias{
 		MountType:     "approle",
-		MountAccessor: ghAccessor,
+		MountAccessor: approleAccessor,
 		Name:          "approleuser",
 		Metadata: map[string]string{
 			"foo": "a",
diff --git a/vault/identity_store_util.go b/vault/identity_store_util.go
@@ -2435,11 +2435,22 @@ func (i *IdentityStore) handleAliasListCommon(ctx context.Context, groupAlias bo
 func (i *IdentityStore) countEntities(ctx context.Context) (int, error) {
 	var count int
 	var outErr error
+
+	rootViewRaw, ok := i.views.Load(namespace.RootNamespaceUUID)
+	if !ok || rootViewRaw == nil {
+		return -1, fmt.Errorf("failed to load root namespace")
+	}
+	rootView := rootViewRaw.(*identityStoreNamespaceView)
+
 	i.views.Range(func(uuidRaw, viewsRaw any) bool {
 		uuid := uuidRaw.(string)
 		views := viewsRaw.(*identityStoreNamespaceView)
+		db := views.db
+		if db == nil {
+			db = rootView.db
+		}
 
-		txn := views.db.Txn(false)
+		txn := db.Txn(false)
 
 		iter, err := txn.Get(entitiesTable, "id")
 		if err != nil {
@@ -2467,12 +2478,22 @@ func (i *IdentityStore) countEntities(ctx context.Context) (int, error) {
 func (i *IdentityStore) countEntitiesByNamespace(ctx context.Context) (map[string]int, error) {
 	byNamespace := make(map[string]int)
 
+	rootViewRaw, ok := i.views.Load(namespace.RootNamespaceUUID)
+	if !ok || rootViewRaw == nil {
+		return nil, fmt.Errorf("failed to load root namespace")
+	}
+	rootView := rootViewRaw.(*identityStoreNamespaceView)
+
 	var err error
 	i.views.Range(func(uuidRaw, viewsRaw any) bool {
 		uuid := uuidRaw.(string)
 		views := viewsRaw.(*identityStoreNamespaceView)
+		db := views.db
+		if db == nil {
+			db = rootView.db
+		}
 
-		txn := views.db.Txn(false)
+		txn := db.Txn(false)
 
 		var iter memdb.ResultIterator
 		iter, err = txn.Get(entitiesTable, "id")
@@ -2510,12 +2531,22 @@ func (i *IdentityStore) countEntitiesByNamespace(ctx context.Context) (map[strin
 func (i *IdentityStore) countEntitiesByMountAccessor(ctx context.Context) (map[string]int, error) {
 	byMountAccessor := make(map[string]int)
 
+	rootViewRaw, ok := i.views.Load(namespace.RootNamespaceUUID)
+	if !ok || rootViewRaw == nil {
+		return nil, fmt.Errorf("failed to load root namespace")
+	}
+	rootView := rootViewRaw.(*identityStoreNamespaceView)
+
 	var err error
 	i.views.Range(func(uuidRaw, viewsRaw any) bool {
 		uuid := uuidRaw.(string)
 		views := viewsRaw.(*identityStoreNamespaceView)
+		db := views.db
+		if db == nil {
+			db = rootView.db
+		}
 
-		txn := views.db.Txn(false)
+		txn := db.Txn(false)
 
 		var iter memdb.ResultIterator
 		iter, err = txn.Get(entitiesTable, "id")

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:bug
	`2`	`+identity: fix nil panic when collecting metrics with unsafe_cross_namespace_identity=true.`
	`3`	+```