flush identity/oidc cache by namespace (#7167)

* flush identity/oidc cache by namespace

* separates and unit tests the logic that looks for a namespace id within a namespace key

* applies pr feedback

* renames nskeyContainsID to isNamespacedKey

vault/identity_store_oidc.go

@@ -1563,6 +1563,15 @@ func (c *oidcCache) SetDefault(ns *namespace.Namespace, key string, obj interfac
 }
 
 func (c *oidcCache) Flush(ns *namespace.Namespace) {
-	// TODO iterate and delete by ns
-	c.c.Flush()
+	for itemKey := range c.c.Items() {
+		if isNamespacedKey(itemKey, ns.ID) {
+			c.c.Delete(itemKey)
+		}
+	}
+}
+
+// isNamespacedKey returns true for a properly constructed namespaced key (<version>:<nsID>:<key>) where <nsID> is nsID
+func isNamespacedKey(nskey, nsID string) bool {
+	split := strings.Split(nskey, ":")
+	return len(split) >= 3 && split[1] == nsID
 }

vault/identity_store_oidc_test.go

@@ -971,6 +971,36 @@ func TestOIDC_Path_Introspect(t *testing.T) {
 	}
 }
 
+func TestOIDC_isNamespacedKey(t *testing.T) {
+	tests := []struct {
+		nsid     string
+		nskey    string
+		expected bool
+	}{
+		{"nsid", "v0:nsid:key", true},
+		{"nsid", "v0:nsid:", true},
+		{"nsid", "v0:nsid", false},
+		{"nsid", "v0:", false},
+		{"nsid", "v0", false},
+		{"nsid", "", false},
+		{"nsid1", "v0:nsid2:key", false},
+		{"nsid1", "nsid1:nsid2:nsid1", false},
+		{"nsid1", "nsid1:nsid1:nsid1", true},
+		{"nsid", "nsid:nsid:nsid:nsid:nsid:nsid", true},
+		{"nsid", ":::", false},
+		{"", ":::", true}, // "" is a valid key for cache.Set/Get
+		{"nsid1", "nsid0:nsid1:nsid0:nsid1:nsid0:nsid1", true},
+		{"nsid0", "nsid0:nsid1:nsid0:nsid1:nsid0:nsid1", false},
+	}
+
+	for _, test := range tests {
+		actual := isNamespacedKey(test.nskey, test.nsid)
+		if test.expected != actual {
+			t.Fatalf("expected %t but got %t for nsid: %q and nskey: %q", test.expected, actual, test.nsid, test.nskey)
+		}
+	}
+}
+
 // some helpers
 func expectSuccess(t *testing.T, resp *logical.Response, err error) {
 	t.Helper()