Add identity cleanup activation flag (#29301)

* Port activation flags with dynamic registration

* Activation flag tests

* Add identity cleanup activation flag

* Fix flag name

vault/logical_system_activation_flags.go

@@ -34,9 +34,11 @@ This path responds to the following HTTP methods.
 
 	PUT|POST /<feature-name>/activate
 		Activates the specified feature. Cannot be undone.`
+
+	activationFlagIdentityCleanup = "force-identity-deduplication"
+	activationFlagTest            = "activation-test"
 )
 
-// Register CRUD functions dynamically.
 // These variables should only be mutated during initialization or server construction.
 // It is unsafe to modify them once the Vault core is running.
 var (
@@ -67,7 +69,24 @@ func (b *SystemBackend) activationFlagsPaths() []*framework.Path {
 			HelpDescription: helpDescription,
 		},
 		{
-			Pattern: fmt.Sprintf("%s/%s/%s", prefixActivationFlags, "activation-test", verbActivationFlagsActivate),
+			Pattern: fmt.Sprintf("%s/%s/%s", prefixActivationFlags, activationFlagTest, verbActivationFlagsActivate),
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: prefixActivationFlags,
+				OperationVerb:   verbActivationFlagsActivate,
+			},
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback:                    b.handleActivationFlagsActivate,
+					ForwardPerformanceSecondary: true,
+					ForwardPerformanceStandby:   true,
+					Summary:                     summaryUpdate,
+				},
+			},
+			HelpSynopsis:    helpSynopsis,
+			HelpDescription: helpDescription,
+		},
+		{
+			Pattern: fmt.Sprintf("%s/%s/%s", prefixActivationFlags, activationFlagIdentityCleanup, verbActivationFlagsActivate),
 			DisplayAttrs: &framework.DisplayAttributes{
 				OperationPrefix: prefixActivationFlags,
 				OperationVerb:   verbActivationFlagsActivate,

vault/logical_system_activation_flags_test.go

@@ -70,18 +70,37 @@ func TestActivationFlags_BadFeatureName(t *testing.T) {
 
 // TestActivationFlags_Write tests the write operations for the activation flags
 func TestActivationFlags_Write(t *testing.T) {
-	t.Run("given an initial state then read flags and expect all to be unactivated", func(t *testing.T) {
+	t.Run("given an initial state then write an activation test flag and expect no errors", func(t *testing.T) {
 		core, _, _ := TestCoreUnsealedWithConfig(t, &CoreConfig{})
 
 		_, err := core.systemBackend.HandleRequest(
 			context.Background(),
 			&logical.Request{
 				Operation: logical.UpdateOperation,
-				Path:      fmt.Sprintf("%s/%s/%s", prefixActivationFlags, "activation-test", verbActivationFlagsActivate),
+				Path:      fmt.Sprintf("%s/%s/%s", prefixActivationFlags, activationFlagTest, verbActivationFlagsActivate),
 				Storage:   core.systemBarrierView,
 			},
 		)
 
 		require.NoError(t, err)
 	})
+
+	t.Run("activate identity cleanup flag", func(t *testing.T) {
+		core, _, _ := TestCoreUnsealedWithConfig(t, &CoreConfig{})
+
+		resp, err := core.systemBackend.HandleRequest(
+			context.Background(),
+			&logical.Request{
+				Operation: logical.UpdateOperation,
+				Path:      fmt.Sprintf("%s/%s/%s", prefixActivationFlags, activationFlagIdentityCleanup, verbActivationFlagsActivate),
+				Storage:   core.systemBarrierView,
+			},
+		)
+
+		require.NoError(t, err)
+		require.NotNil(t, resp)
+		require.NotEmpty(t, resp.Data)
+		require.NotNil(t, resp.Data["activated"])
+		require.Contains(t, resp.Data["activated"], activationFlagIdentityCleanup)
+	})
 }