From 2928492d4a1f630cd4d41e318bf6548b63d33e90 Mon Sep 17 00:00:00 2001 From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 4 Feb 2025 06:49:42 -0300 Subject: [PATCH] Fix group creation forwarding (#29483) --- vault/identity_store.go | 1 - vault/identity_store_groups.go | 20 ++++++++++++++++++-- vault/identity_store_structs.go | 7 ------- vault/identity_store_util.go | 18 ++++++++++-------- 4 files changed, 28 insertions(+), 18 deletions(-) diff --git a/vault/identity_store.go b/vault/identity_store.go index 709e9861f8..702d41cdba 100644 --- a/vault/identity_store.go +++ b/vault/identity_store.go @@ -66,7 +66,6 @@ func NewIdentityStore(ctx context.Context, core *Core, config *logical.BackendCo namespacer: core, metrics: core.MetricSink(), totpPersister: core, - groupUpdater: core, tokenStorer: core, entityCreator: core, mountLister: core, diff --git a/vault/identity_store_groups.go b/vault/identity_store_groups.go index b1d3f8b5a0..d1385d50e1 100644 --- a/vault/identity_store_groups.go +++ b/vault/identity_store_groups.go @@ -71,8 +71,9 @@ func groupPaths(i *IdentityStore) []*framework.Path { Fields: groupPathFields(), Operations: map[logical.Operation]framework.OperationHandler{ logical.UpdateOperation: &framework.PathOperation{ - Callback: i.pathGroupRegister(), - ForwardPerformanceStandby: true, + Callback: i.pathGroupRegister(), + ForwardPerformanceStandby: true, + ForwardPerformanceSecondary: true, }, }, @@ -95,6 +96,8 @@ func groupPaths(i *IdentityStore) []*framework.Path { DisplayAttrs: &framework.DisplayAttributes{ OperationVerb: "update", }, + ForwardPerformanceStandby: true, + ForwardPerformanceSecondary: true, }, logical.ReadOperation: &framework.PathOperation{ Callback: i.pathGroupIDRead(), @@ -107,6 +110,8 @@ func groupPaths(i *IdentityStore) []*framework.Path { DisplayAttrs: &framework.DisplayAttributes{ OperationVerb: "delete", }, + ForwardPerformanceStandby: true, + ForwardPerformanceSecondary: true, }, }, 
@@ -144,6 +149,8 @@ func groupPaths(i *IdentityStore) []*framework.Path { DisplayAttrs: &framework.DisplayAttributes{ OperationVerb: "update", }, + ForwardPerformanceStandby: true, + ForwardPerformanceSecondary: true, }, logical.ReadOperation: &framework.PathOperation{ Callback: i.pathGroupNameRead(), @@ -156,6 +163,8 @@ func groupPaths(i *IdentityStore) []*framework.Path { DisplayAttrs: &framework.DisplayAttributes{ OperationVerb: "delete", }, + ForwardPerformanceStandby: true, + ForwardPerformanceSecondary: true, }, }, @@ -180,6 +189,7 @@ func groupPaths(i *IdentityStore) []*framework.Path { } } +// pathGroupRegister is always called by the active primary node of the cluster. func (i *IdentityStore) pathGroupRegister() framework.OperationFunc { return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) { _, ok := d.GetOk("id") @@ -199,6 +209,7 @@ func (i *IdentityStore) pathGroupRegister() framework.OperationFunc { } } +// pathGroupIDUpdate is always called by the active primary node of the cluster. func (i *IdentityStore) pathGroupIDUpdate() framework.OperationFunc { return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) { groupID := d.Get("id").(string) @@ -221,6 +232,7 @@ func (i *IdentityStore) pathGroupIDUpdate() framework.OperationFunc { } } +// pathGroupNameUpdate is always called by the active primary node of the cluster. func (i *IdentityStore) pathGroupNameUpdate() framework.OperationFunc { return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) { groupName := d.Get("name").(string) 
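Review bot: The comment added above pathGroupRegister states an invariant ("always called by the active primary node") without naming what enforces it; the guarantee comes from the ForwardPerformanceStandby and ForwardPerformanceSecondary flags set in groupPaths, which a reader of this function cannot see from here. Suggest `// pathGroupRegister runs only on the active node of the primary cluster: groupPaths sets ForwardPerformanceStandby and ForwardPerformanceSecondary on the group update operation, so standbys and performance secondaries forward the request.` The same applies to the comments added in this file on pathGroupIDUpdate and pathGroupNameUpdate, and further down on handleGroupUpdateCommon, pathGroupIDDelete, pathGroupNameDelete and handleGroupDeleteCommon; the handler comments say "called by" while the common helpers say "handled by", and one phrasing should be used throughout. The bodies of these functions continue outside the hunks, so the comments are the only new content being reviewed here.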
@@ -239,6 +251,7 @@ func (i *IdentityStore) pathGroupNameUpdate() framework.OperationFunc { } } +// handleGroupUpdateCommon is always handled by the active primary node of the cluster. func (i *IdentityStore) handleGroupUpdateCommon(ctx context.Context, req *logical.Request, d *framework.FieldData, group *identity.Group) (*logical.Response, error) { var newGroup bool if group == nil { @@ -442,6 +455,7 @@ func (i *IdentityStore) handleGroupReadCommon(ctx context.Context, group *identi }, nil } +// pathGroupIDDelete is always called by the active primary node of the cluster. func (i *IdentityStore) pathGroupIDDelete() framework.OperationFunc { return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) { groupID := d.Get("id").(string) @@ -453,6 +467,7 @@ func (i *IdentityStore) pathGroupIDDelete() framework.OperationFunc { } } +// pathGroupNameDelete is always called by the active primary node of the cluster. func (i *IdentityStore) pathGroupNameDelete() framework.OperationFunc { return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) { groupName := d.Get("name").(string) @@ -464,6 +479,7 @@ func (i *IdentityStore) pathGroupNameDelete() framework.OperationFunc { } } +// handleGroupDeleteCommon is always handled by the active primary node of the cluster. func (i *IdentityStore) handleGroupDeleteCommon(ctx context.Context, key string, byID bool) (*logical.Response, error) { // Acquire the lock to modify the group storage entry i.groupLock.Lock() diff --git a/vault/identity_store_structs.go b/vault/identity_store_structs.go index e75f7473fd..fb25bda366 100644 --- a/vault/identity_store_structs.go +++ b/vault/identity_store_structs.go @@ -110,7 +110,6 @@ type IdentityStore struct { namespacer Namespacer metrics metricsutil.Metrics totpPersister TOTPPersister - groupUpdater GroupUpdater tokenStorer TokenStorer entityCreator EntityCreator mountLister MountLister 
@@ -157,12 +156,6 @@ type TOTPPersister interface { var _ TOTPPersister = &Core{} -type GroupUpdater interface { - SendGroupUpdate(ctx context.Context, group *identity.Group) (bool, error) -} - -var _ GroupUpdater = &Core{} - type TokenStorer interface { LookupToken(context.Context, string) (*logical.TokenEntry, error) CreateToken(context.Context, *logical.TokenEntry) error diff --git a/vault/identity_store_util.go b/vault/identity_store_util.go index 8dcb83b80d..1b08540db6 100644 --- a/vault/identity_store_util.go +++ b/vault/identity_store_util.go @@ -237,7 +237,7 @@ func (i *IdentityStore) loadGroups(ctx context.Context) error { } } - err = i.UpsertGroupInTxn(ctx, txn, group, persist) + err = i.UpsertGroupInTxn(nsCtx, txn, group, persist) if errors.Is(err, logical.ErrReadOnly) { // This is an imperfect solution to unblock customers who are running into @@ -1990,6 +1990,14 @@ func (i *IdentityStore) UpsertGroupInTxn(ctx context.Context, txn *memdb.Txn, gr return fmt.Errorf("group is nil") } + g, err := i.MemDBGroupByName(ctx, group.Name, true) + if err != nil { + return err + } + if g != nil { + group.ID = g.ID + } + // Increment the modify index of the group group.ModifyIndex++ @@ -2030,15 +2038,9 @@ func (i *IdentityStore) UpsertGroupInTxn(ctx context.Context, txn *memdb.Txn, gr Message: groupAsAny, } - sent, err := i.groupUpdater.SendGroupUpdate(ctx, group) - if err != nil { + if err := i.groupPacker.PutItem(ctx, item); err != nil { return err } - if !sent { - if err := i.groupPacker.PutItem(ctx, item); err != nil { - return err - } - } } return nil
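Review bot: The name lookup added at the top of UpsertGroupInTxn silently replaces group.ID whenever a group with the same name already exists in MemDB, even when the incoming group carries a different non-empty ID; a rename that collides with another group would then be re-keyed onto that group instead of being rejected or at least reported. If the intent is only to collapse duplicates created before this fix, the ID change should be logged so an operator can see which ID was dropped, and the lookup would be better done through the transaction-aware variant (MemDBGroupByNameInTxn, if it is still available alongside MemDBGroupByName) so it observes writes made earlier in the same txn rather than only committed state. The lookup also makes UpsertGroupInTxn depend on a namespace-carrying ctx, which is presumably why the loadGroups hunk above switches from ctx to nsCtx; that requirement belongs in the function's doc comment, since its other callers are outside these hunks.
```go
	g, err := i.MemDBGroupByNameInTxn(ctx, txn, group.Name, true)
	if err != nil {
		return err
	}
	if g != nil {
		if group.ID != "" && group.ID != g.ID {
			// Re-keying onto the existing group of the same name; surface it rather than doing it silently.
			i.logger.Warn("group name already in use, adopting existing group ID", "name", group.Name, "existing_id", g.ID, "incoming_id", group.ID)
		}
		group.ID = g.ID
	}
	// … unchanged: modify-index bump and the rest of the upsert …
```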
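Review bot: With SendGroupUpdate removed, the persist branch of UpsertGroupInTxn now writes to groupPacker unconditionally, and nothing in the function records that it must therefore run on the primary's active node; that property is carried entirely by the ForwardPerformanceStandby and ForwardPerformanceSecondary flags in groupPaths, which a future caller of UpsertGroupInTxn would not see. Suggest a comment above the PutItem call: `// Not forwarded here: the group write paths set ForwardPerformanceStandby and ForwardPerformanceSecondary, so a persisting upsert already runs on the primary's active node; on a read-only node PutItem returns logical.ErrReadOnly, which loadGroups handles.` If Core.SendGroupUpdate still exists after the GroupUpdater interface and groupUpdater field were deleted, it appears to be unreferenced from this package now and could be removed or marked deprecated in a follow-up.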