From 884840a192bb03d71f638a848f48ec9c1aabbf0d Mon Sep 17 00:00:00 2001
From: miagilepner
Date: Mon, 1 May 2023 12:42:30 +0200
Subject: [PATCH] VAULT-15840: Allow updates of only entity-alias custom-metadata (#20368)
* allow updates of only custom metadata
* add changelog
---
 changelog/20368.txt | 3 +++
 vault/identity_store_aliases.go | 5 ++--
 vault/identity_store_aliases_test.go | 40 ++++++++++++++++++++++++++++
 3 files changed, 46 insertions(+), 2 deletions(-)
 create mode 100644 changelog/20368.txt
diff --git a/changelog/20368.txt b/changelog/20368.txt
new file mode 100644
index 0000000000..bca5957d1d
--- /dev/null
+++ b/changelog/20368.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core/identity: Allow updates of only the custom-metadata for entity alias.
+```
\ No newline at end of file
diff --git a/vault/identity_store_aliases.go b/vault/identity_store_aliases.go
index 041f5f4d64..893105ad5b 100644
--- a/vault/identity_store_aliases.go
+++ b/vault/identity_store_aliases.go
@@ -211,8 +211,9 @@ func (i *IdentityStore) handleAliasCreateUpdate() framework.OperationFunc {
 }
 switch {
 case mountAccessor == "" && name == "":
- // Just a canonical ID update, maybe
- if canonicalID == "" {
+ // Check if the canonicalID or the customMetadata are being
+ // updated
+ if canonicalID == "" && !customMetadataExists {
 // Nothing to do, so be idempotent
 return nil, nil
 }
diff --git a/vault/identity_store_aliases_test.go b/vault/identity_store_aliases_test.go
index b62aca78a1..08724f5fce 100644
--- a/vault/identity_store_aliases_test.go
+++ b/vault/identity_store_aliases_test.go
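Review bot: In the `vault/identity_store_aliases.go` hunk, the rewritten comment on the `mountAccessor == "" && name == ""` case no longer says which requests are still a no-op, and the guard now depends on `customMetadataExists`, which is set outside the hunk. Judging by the `only-metadata-clear` test in this commit, an explicitly supplied empty `custom_metadata` is meant to count as an update, so I would say so: `// customMetadata present (even empty) is an update; only a request with neither canonicalID nor customMetadata is a no-op`. Requests carrying only `custom_metadata` appear to have been silently ignored on this branch before and now modify the alias, so it is worth confirming that policies granting update on this path were written with that in mind, particularly where alias custom metadata is referenced in templated policies. The body of handleAliasCreateUpdate continues outside the hunk.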
@@ -461,6 +461,46 @@ func TestIdentityStore_AliasUpdate(t *testing.T) {
 "custom_metadata": map[string]string{},
 },
 },
+ {
+ name: "only-metadata",
+ createData: map[string]interface{}{
+ "name": "only",
+ "mount_accessor": githubAccessor,
+ "custom_metadata": map[string]string{
+ "foo": "bar",
+ },
+ },
+ updateData: map[string]interface{}{
+ "custom_metadata": map[string]string{
+ "bar": "baz",
+ },
+ },
+ },
+ {
+ name: "only-metadata-clear",
+ createData: map[string]interface{}{
+ "name": "only-clear",
+ "mount_accessor": githubAccessor,
+ "custom_metadata": map[string]string{
+ "foo": "bar",
+ },
+ },
+ updateData: map[string]interface{}{
+ "custom_metadata": map[string]string{},
+ },
+ },
+ {
+ name: "only-metadata-none-before",
+ createData: map[string]interface{}{
+ "name": "no-metadata",
+ "mount_accessor": githubAccessor,
+ },
+ updateData: map[string]interface{}{
+ "custom_metadata": map[string]string{
+ "foo": "bar",
+ },
+ },
+ },
 }
 handleRequest := func(t *testing.T, req *logical.Request) *logical.Response {
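Review bot: All three added cases supply `custom_metadata`, so nothing in this part of the table pins the branch that must stay idempotent after the change: an update carrying neither a canonical ID nor `custom_metadata`. A case with `updateData: map[string]interface{}{}` would guard against the no-op check being loosened further. Whether the runner can express "alias unchanged" is not visible here, because the table and the assertions of TestIdentityStore_AliasUpdate start and end outside the hunk. If the runner does not already do so, it would also be worth asserting that a metadata-only update leaves the alias's name, mount accessor and canonical ID as they were.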