exec-credential: Skip duplicate credentials in load_credential_glob()
authorDaan De Meyer <daan.j.demeyer@gmail.com>
Wed, 31 Jul 2024 13:02:07 +0000 (15:02 +0200)
committerDaan De Meyer <daan.j.demeyer@gmail.com>
Wed, 31 Jul 2024 13:23:45 +0000 (15:23 +0200)
We document that when multiple credentials of the same name are found,
we use the first one found, so let's actually implement that behavior.

src/core/exec-credential.c
test/units/TEST-54-CREDS.sh

index a70cf23eaaa14db0d4d1990d6035ea4c03792d64..75eca830f80c080dba4fccb30a992fc4bf9cb36e 100644 (file)
@@ -417,6 +417,17 @@ static int load_credential_glob(
                         _cleanup_(erase_and_freep) char *data = NULL;
                         size_t size;
 
+                        r = path_extract_filename(*p, &fn);
+                        if (r < 0)
+                                return log_debug_errno(r, "Failed to extract filename from '%s': %m", *p);
+
+                        if (faccessat(write_dfd, fn, F_OK, AT_SYMLINK_NOFOLLOW) >= 0) {
+                                log_debug("Skipping credential with duplicated ID %s at %s", fn, *p);
+                                continue;
+                        }
+                        if (errno != ENOENT)
+                                return log_debug_errno(errno, "Failed to test if credential %s exists: %m", fn);
+
                         /* path is absolute, hence pass AT_FDCWD as nop dir fd here */
                         r = read_full_file_full(
                                         AT_FDCWD,
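Review bot: The faccessat() existence check added at the top of the hunk is what encodes the "first one found wins" rule, but nothing in the code says why a file already present in write_dfd means this credential must be dropped; add a comment above it, e.g. `/* Credential directories are searched in priority order, so a file already in write_dfd came from a higher-priority source: keep it and skip this one. */`. The skip now happens before read_full_file_full(), so a shadowed credential is never read or decrypted, which is worth stating in the same comment. Reading errno after the failed faccessat() is sound here, since no other call sits between the two. load_credential_glob() starts outside the hunk; the second hunk only removes the path_extract_filename() lines that moved up here.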
@@ -429,10 +440,6 @@ static int load_credential_glob(
                         if (r < 0)
                                 return log_debug_errno(r, "Failed to read credential '%s': %m", *p);
 
-                        r = path_extract_filename(*p, &fn);
-                        if (r < 0)
-                                return log_debug_errno(r, "Failed to extract filename from '%s': %m", *p);
-
                         r = maybe_decrypt_and_write_credential(
                                         write_dfd,
                                         fn,
index fe410d567e9c9f9765695227217f99ec3339922f..89d6dcdf034de81c849dee724b890e9fd5bb79d4 100755 (executable)
@@ -273,8 +273,11 @@ rm -rf /tmp/ts54-creds
 # Check that globs work as expected
 mkdir -p /run/credstore
 echo -n a >/run/credstore/test.creds.first
-echo -n b >/run/credstore/test.creds.second
+# Make sure that when multiple credentials of the same name are found, the first one is used (/etc/credstore
+# is searched before /run/credstore).
+echo -n ignored >/run/credstore/test.creds.second
 mkdir -p /etc/credstore
+echo -n b >/etc/credstore/test.creds.second
 echo -n c >/etc/credstore/test.creds.third
 systemd-run -p "ImportCredential=test.creds.*" \
             --unit=test-54-ImportCredential.service \