From 98f7821eb3f60a6ece3125348a121a1238d02159 Mon Sep 17 00:00:00 2001
From: Aditya Manthramurthy
Date: Thu, 18 Apr 2024 12:09:19 -0700
Subject: [PATCH] fix: ldap: avoid unnecessary import errors (#19547)

Follow up for #19528

If there are multiple existing DN mappings for the same normalized DN, if they all have the same policy mapping value, we pick one of them of them instead of returning an import error.
---
 cmd/iam.go | 25 +++++++++++++++++++++++--
 cmd/sts-handlers_test.go | 6 ++++++
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/cmd/iam.go b/cmd/iam.go
index 67d4a6a58..bcaba8236 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1621,8 +1621,29 @@ func (sys *IAMSys) NormalizeLDAPMappingImport(ctx context.Context, isGroup bool,
 
 for normKey, origKeys := range normalizedDNKeysMap {
 if len(origKeys) > 1 {
- return fmt.Errorf("multiple DNs map to the same LDAP DN[%s]: %v; please remove DNs that are not needed",
- normKey, origKeys)
+ // If there are multiple DN keys that normalize to the same value,
+ // check if the policy mappings are equal, if they are we don't need
+ // to return an error.
+ policiesDiffer := false
+ firstMappedPolicies := policyMap[origKeys[0]].policySet()
+ for i := 1; i < len(origKeys); i++ {
+ otherMappedPolicies := policyMap[origKeys[i]].policySet()
+ if !firstMappedPolicies.Equals(otherMappedPolicies) {
+ policiesDiffer = true
+ break
+ }
+ }
+
+ if policiesDiffer {
+ return fmt.Errorf("multiple DNs map to the same LDAP DN[%s]: %v; please remove DNs that are not needed",
+ normKey, origKeys)
+ }
+
+ // Policies mapped to the DN's are the same, so we remove the extra
+ // ones from the map.
+ for i := 1; i < len(origKeys); i++ {
+ delete(policyMap, origKeys[i])
+ }
 }
 
 // Replacing origKeys[0] with normKey in the policyMap
diff --git a/cmd/sts-handlers_test.go b/cmd/sts-handlers_test.go
index 0b6bcd1a6..55bcf9968 100644
--- a/cmd/sts-handlers_test.go
+++ b/cmd/sts-handlers_test.go
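Review bot: In the new dedup branch of NormalizeLDAPMappingImport (cmd/iam.go), the entry that survives is simply `origKeys[0]`, and the others are deleted without any record of which DNs were dropped. Only the policy sets are compared, so fields such as `updatedAt` (which differ between the duplicates in this commit's test fixture) are taken from whichever key happens to come first; if `origKeys` is filled while ranging over a map, which this hunk does not show, the same import can keep a different entry on each run. Sorting `origKeys` before the comparison would make the choice deterministic, and a log line in the `delete` loop naming `normKey` and the removed key would leave an audit trail for the change to the IAM mapping. The function starts and ends outside the hunk.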
@@ -829,11 +829,17 @@ func TestIAMImportAssetWithLDAP(t *testing.T) {
 }
 `,
 userPolicyMappingsFile: `{}`,
+ // Contains duplicate mapping with same policy, we should not error out.
 groupPolicyMappingsFile: `{
 "cn=project.c,ou=groups,ou=swengg,DC=min,dc=io": {
 "version": 0,
 "policy": "consoleAdmin",
 "updatedAt": "2024-04-17T23:54:28.442998301Z"
+ },
+ "cn=project.c,ou=groups,OU=swengg,DC=min,DC=io": {
+ "version": 0,
+ "policy": "consoleAdmin",
+ "updatedAt": "2024-04-17T20:54:28.442998301Z"
 }
 }
 `,
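Review bot: The fixture added to `groupPolicyMappingsFile` exercises only the case where the duplicate DNs carry the same policy; the branch in cmd/iam.go that still returns `multiple DNs map to the same LDAP DN` when the policies differ has no case in this hunk. A second table entry with the same two DNs mapped to different policies, asserting that the import fails, would pin the rejection path, which is the one that guards against an ambiguous policy assignment. TestIAMImportAssetWithLDAP starts and ends outside the hunk, so such a case may already exist elsewhere.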