carverauto/serviceradar
carverauto/serviceradar
2
3
Fork 0
Code Issues 227 Pull requests 25 Projects Releases 235 Packages Wiki Activity Actions

BuildKeysFromRecord omits alias metadata, leaving stale alias keys undeleted #690

New issue
Closed
opened 2026-03-28 04:27:28 +00:00 by mfreeman451 · 1 comment
mfreeman451 commented 2026-03-28 04:27:28 +00:00
Owner
Copy link

Imported from GitHub.

Original GitHub issue: #2152
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/issues/2152
Original created: 2025-12-16T05:18:46Z

Summary

  • Context: The identity map system stores canonical device records in a KV store and maintains multiple lookup keys (by IP, MAC, device ID, etc.) that point to the same canonical record. When a device update occurs, the system creates new keys and removes stale keys that are no longer valid.
  • Bug: BuildKeysFromRecord fails to reconstruct alias-related identity keys (from _alias_last_seen_service_id, _alias_last_seen_ip, service_alias:*, and ip_alias:* metadata fields) that were originally created by BuildKeys.
  • Actual vs. expected: When the identity publisher retrieves an existing record to identify stale keys for deletion, it uses BuildKeysFromRecord to reconstruct the keys that should exist. Since BuildKeysFromRecord omits alias keys, these keys are never identified as stale and are never deleted, even when they should be.
  • Impact: Stale alias keys accumulate in the KV store indefinitely, causing the KV store to grow without bound. This undermines the purpose of the stale key deletion mechanism introduced in commit 3a5787ac ("stop KV from growing out of control").

Code with bug

In pkg/identitymap/identitymap.go, the BuildKeysFromRecord function only reconstructs a subset of metadata fields:

// BuildKeysFromRecord reconstructs the identity keys for a canonical record.
func BuildKeysFromRecord(record *Record) []Key {
	if record == nil {
		return nil
	}

	update := &models.DeviceUpdate{
		DeviceID:  record.CanonicalDeviceID,
		Partition: record.Partition,
	}

	if record.Attributes != nil {
		if ip := strings.TrimSpace(record.Attributes["ip"]); ip != "" {
			update.IP = ip
		}
		if mac := strings.TrimSpace(record.Attributes["mac"]); mac != "" {
			macUpper := strings.ToUpper(mac)
			update.MAC = &macUpper
		}

		metaKeys := []string{"armis_device_id", "integration_id", "integration_type", "netbox_device_id"}
		for _, key := range metaKeys {
			if val := strings.TrimSpace(record.Attributes[key]); val != "" {
				if update.Metadata == nil {
					update.Metadata = make(map[string]string)
				}
				update.Metadata[key] = val  // <-- BUG 🔴 Missing alias metadata fields
			}
		}
	}

	return BuildKeys(update)
}

The metaKeys list on line 151 does not include any of the alias-related metadata fields that BuildKeys uses (lines 97-119):

  • _alias_last_seen_service_id
  • _alias_last_seen_ip
  • Keys with prefix service_alias:
  • Keys with prefix ip_alias:

Evidence

Example

Consider a device update with alias metadata:

update := &models.DeviceUpdate{
    DeviceID:  "tenant-a:host-device",
    IP:        "10.0.0.5",
    Partition: "tenant-a",
    Metadata: map[string]string{
        "_alias_last_seen_service_id":           "serviceradar:agent:k8s-agent",
        "_alias_last_seen_ip":                   "10.0.0.8",
        "service_alias:serviceradar:poller:k8s": "2025-11-03T15:00:00Z",
        "ip_alias:10.0.0.9":                     "2025-11-03T15:00:00Z",
    },
}

When BuildKeys(update) is called, it creates 13 keys including:

  1. KindDeviceID: "tenant-a:host-device" (the main device ID)
  2. KindDeviceID: "serviceradar:agent:k8s-agent" (from _alias_last_seen_service_id)
  3. KindDeviceID: "serviceradar:poller:k8s" (from service_alias:serviceradar:poller:k8s)
  4. KindIP: "10.0.0.5" (main IP)
  5. KindIP: "10.0.0.8" (from _alias_last_seen_ip)
  6. KindIP: "10.0.0.9" (from ip_alias:10.0.0.9)
  7. KindPartitionIP: "tenant-a:10.0.0.5"
  8. KindPartitionIP: "tenant-a:10.0.0.8"
  9. KindPartitionIP: "tenant-a:10.0.0.9"

These keys are stored in the KV store pointing to the canonical record.

However, when the record is later retrieved and BuildKeysFromRecord is called (in identity_publisher.go:521), only 3 keys are reconstructed:

  1. KindDeviceID: "tenant-a:host-device"
  2. KindIP: "10.0.0.5"
  3. KindPartitionIP: "tenant-a:10.0.0.5"

The 6 alias-related keys are missing from the reconstruction.

Inconsistency within the codebase

Reference code: BuildKeys in pkg/identitymap/identitymap.go (lines 97-119)

if aliasService := strings.TrimSpace(update.Metadata["_alias_last_seen_service_id"]); aliasService != "" {
    add(KindDeviceID, aliasService)
}
if aliasIP := strings.TrimSpace(update.Metadata["_alias_last_seen_ip"]); aliasIP != "" {
    add(KindIP, aliasIP)
    add(KindPartitionIP, partitionIPValue(update.Partition, aliasIP))
}

for key := range update.Metadata {
    switch {
    case strings.HasPrefix(key, "service_alias:"):
        aliasID := strings.TrimSpace(strings.TrimPrefix(key, "service_alias:"))
        if aliasID != "" {
            add(KindDeviceID, aliasID)
        }
    case strings.HasPrefix(key, "ip_alias:"):
        aliasIP := strings.TrimSpace(strings.TrimPrefix(key, "ip_alias:"))
        if aliasIP != "" {
            add(KindIP, aliasIP)
            add(KindPartitionIP, partitionIPValue(update.Partition, aliasIP))
        }
    }
}

Current code: BuildKeysFromRecord in pkg/identitymap/identitymap.go (lines 131-163)

func BuildKeysFromRecord(record *Record) []Key {
    if record == nil {
        return nil
    }

    update := &models.DeviceUpdate{
        DeviceID:  record.CanonicalDeviceID,
        Partition: record.Partition,
    }

    if record.Attributes != nil {
        if ip := strings.TrimSpace(record.Attributes["ip"]); ip != "" {
            update.IP = ip
        }
        if mac := strings.TrimSpace(record.Attributes["mac"]); mac != "" {
            macUpper := strings.ToUpper(mac)
            update.MAC = &macUpper
        }

        metaKeys := []string{"armis_device_id", "integration_id", "integration_type", "netbox_device_id"}
        for _, key := range metaKeys {
            if val := strings.TrimSpace(record.Attributes[key]); val != "" {
                if update.Metadata == nil {
                    update.Metadata = make(map[string]string)
                }
                update.Metadata[key] = val
            }
        }
    }

    return BuildKeys(update)
}

Contradiction

BuildKeys processes four categories of alias metadata fields to create identity keys:

  1. _alias_last_seen_service_id → creates a KindDeviceID key
  2. _alias_last_seen_ip → creates KindIP and KindPartitionIP keys
  3. service_alias:* prefixed keys → creates KindDeviceID keys
  4. ip_alias:* prefixed keys → creates KindIP and KindPartitionIP keys

However, BuildKeysFromRecord only reconstructs metadata for armis_device_id, integration_id, integration_type, and netbox_device_id. None of the alias-related fields are included in the reconstruction, causing BuildKeys to produce a different set of keys when called from BuildKeysFromRecord versus when called directly with the original update.

This violates the documented purpose of BuildKeysFromRecord: to "reconstruct the identity keys for a canonical record" (line 131). The function does not actually reconstruct all the keys that were originally created.

Failing test

Test script

package identitymap

import (
	"testing"

	"github.com/carverauto/serviceradar/pkg/models"
	"github.com/stretchr/testify/assert"
)

// TestBuildKeysFromRecordIncludesAliasKeys verifies that BuildKeysFromRecord
// reconstructs all keys that were originally created by BuildKeys, including
// alias-related keys.
//
// This test currently fails, demonstrating a bug where alias keys are lost
// during record reconstruction.
func TestBuildKeysFromRecordIncludesAliasKeys(t *testing.T) {
	mac := "aa:bb:cc:dd:ee:ff"
	update := &models.DeviceUpdate{
		DeviceID:  "tenant-a:host-device",
		IP:        "10.0.0.5",
		Partition: "tenant-a",
		MAC:       &mac,
		Metadata: map[string]string{
			"_alias_last_seen_service_id":           "serviceradar:agent:k8s-agent",
			"_alias_last_seen_ip":                   "10.0.0.8",
			"service_alias:serviceradar:poller:k8s": "2025-11-03T15:00:00Z",
			"ip_alias:10.0.0.9":                     "2025-11-03T15:00:00Z",
			"armis_device_id":                       "armis-123",
			"integration_type":                      "netbox",
			"integration_id":                        "nb-42",
			"netbox_device_id":                      "123",
		},
	}

	// Create a record as it would be stored (mimicking buildIdentityAttributes)
	record := &Record{
		CanonicalDeviceID: update.DeviceID,
		Partition:         update.Partition,
		MetadataHash:      HashIdentityMetadata(update),
		Attributes: map[string]string{
			"ip":               update.IP,
			"mac":              "AA:BB:CC:DD:EE:FF",
			"armis_device_id":  update.Metadata["armis_device_id"],
			"integration_id":   update.Metadata["integration_id"],
			"integration_type": update.Metadata["integration_type"],
			"netbox_device_id": update.Metadata["netbox_device_id"],
			// Note: alias metadata is NOT stored in attributes by buildIdentityAttributes
		},
	}

	keysFromUpdate := BuildKeys(update)
	keysFromRecord := BuildKeysFromRecord(record)

	// This assertion will fail because BuildKeysFromRecord doesn't reconstruct
	// alias keys (service_alias:*, ip_alias:*, _alias_last_seen_service_id, _alias_last_seen_ip)
	assert.ElementsMatch(t, keysFromUpdate, keysFromRecord,
		"BuildKeysFromRecord should reconstruct all keys that BuildKeys originally created")

	// Specifically verify the alias keys are present
	aliasServiceKey := Key{Kind: KindDeviceID, Value: "serviceradar:agent:k8s-agent"}
	assert.Contains(t, keysFromRecord, aliasServiceKey,
		"Should include alias service ID from _alias_last_seen_service_id")

	aliasServiceKey2 := Key{Kind: KindDeviceID, Value: "serviceradar:poller:k8s"}
	assert.Contains(t, keysFromRecord, aliasServiceKey2,
		"Should include alias service ID from service_alias: prefix")

	aliasIPKey := Key{Kind: KindIP, Value: "10.0.0.8"}
	assert.Contains(t, keysFromRecord, aliasIPKey,
		"Should include alias IP from _alias_last_seen_ip")

	aliasIPKey2 := Key{Kind: KindIP, Value: "10.0.0.9"}
	assert.Contains(t, keysFromRecord, aliasIPKey2,
		"Should include alias IP from ip_alias: prefix")
}

Test output

=== RUN   TestBuildKeysFromRecordIncludesAliasKeys
    alias_keys_bug_test.go:56:
        	Error Trace:	/home/user/serviceradar/pkg/identitymap/alias_keys_bug_test.go:56
        	Error:      	elements differ

        	            	extra elements in list A:
        	            	([]interface {}) (len=6) {
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 1,
        	            	  Value: (string) (len=28) "serviceradar:agent:k8s-agent"
        	            	 },
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 5,
        	            	  Value: (string) (len=8) "10.0.0.8"
        	            	 },
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 6,
        	            	  Value: (string) (len=17) "tenant-a:10.0.0.8"
        	            	 },
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 5,
        	            	  Value: (string) (len=8) "10.0.0.9"
        	            	 },
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 6,
        	            	  Value: (string) (len=17) "tenant-a:10.0.0.9"
        	            	 },
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 1,
        	            	  Value: (string) (len=23) "serviceradar:poller:k8s"
        	            	 }
        	            	}


        	            	listA:
        	            	([]identitymap.Key) (len=13) {
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 1,
        	            	  Value: (string) (len=20) "tenant-a:host-device"
        	            	 },
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 5,
        	            	  Value: (string) (len=8) "10.0.0.5"
        	            	 },
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 6,
        	            	  Value: (string) (len=17) "tenant-a:10.0.0.5"
        	            	 },
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 2,
        	            	  Value: (string) (len=9) "armis-123"
        	            	 },
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 3,
        	            	  Value: (string) (len=5) "nb-42"
        	            	 },
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 3,
        	            	  Value: (string) (len=3) "123"
        	            	 },
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 1,
        	            	  Value: (string) (len=28) "serviceradar:agent:k8s-agent"
        	            	 },
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 5,
        	            	  Value: (string) (len=8) "10.0.0.8"
        	            	 },
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 6,
        	            	  Value: (string) (len=17) "tenant-a:10.0.0.8"
        	            	 },
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 5,
        	            	  Value: (string) (len=8) "10.0.0.9"
        	            	 },
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 6,
        	            	  Value: (string) (len=17) "tenant-a:10.0.0.9"
        	            	 },
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 1,
        	            	  Value: (string) (len=23) "serviceradar:poller:k8s"
        	            	 },
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 4,
        	            	  Value: (string) (len=17) "AA:BB:CC:DD:EE:FF"
        	            	 }
        	            	}


        	            	listB:
        	            	([]identitymap.Key) (len=7) {
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 1,
        	            	  Value: (string) (len=20) "tenant-a:host-device"
        	            	 },
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 5,
        	            	  Value: (string) (len=8) "10.0.0.5"
        	            	 },
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 6,
        	            	  Value: (string) (len=17) "tenant-a:10.0.0.5"
        	            	 },
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 2,
        	            	  Value: (string) (len=9) "armis-123"
        	            	 },
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 3,
        	            	  Value: (string) (len=5) "nb-42"
        	            	 },
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 3,
        	            	  Value: (string) (len=3) "123"
        	            	 },
        	            	 (identitymap.Key) {
        	            	  Kind: (identitymappb.IdentityKind) 4,
        	            	  Value: (string) (len=17) "AA:BB:CC:DD:EE:FF"
        	            	 }
        	            	}
        	Test:       	TestBuildKeysFromRecordIncludesAliasKeys
        	Messages:   	BuildKeysFromRecord should reconstruct all keys that BuildKeys originally created
    alias_keys_bug_test.go:61:
        	Error Trace:	/home/user/serviceradar/pkg/identitymap/alias_keys_bug_test.go:61
        	Error:      	[]identitymap.Key{identitymap.Key{Kind:1, Value:"tenant-a:host-device"}, identitymap.Key{Kind:5, Value:"10.0.0.5"}, identitymap.Key{Kind:6, Value:"tenant-a:10.0.0.5"}, identitymap.Key{Kind:2, Value:"armis-123"}, identitymap.Key{Kind:3, Value:"nb-42"}, identitymap.Key{Kind:3, Value:"123"}, identitymap.Key{Kind:4, Value:"AA:BB:CC:DD:EE:FF"}} does not contain identitymap.Key{Kind:1, Value:"serviceradar:agent:k8s-agent"}
        	Test:       	TestBuildKeysFromRecordIncludesAliasKeys
        	Messages:   	Should include alias service ID from _alias_last_seen_service_id
    alias_keys_bug_test.go:65:
        	Error Trace:	/home/user/serviceradar/pkg/identitymap/alias_keys_bug_test.go:65
        	Error:      	[]identitymap.Key{identitymap.Key{Kind:1, Value:"tenant-a:host-device"}, identitymap.Key{Kind:5, Value:"10.0.0.5"}, identitymap.Key{Kind:6, Value:"tenant-a:10.0.0.5"}, identitymap.Key{Kind:2, Value:"armis-123"}, identitymap.Key{Kind:3, Value:"nb-42"}, identitymap.Key{Kind:3, Value:"123"}, identitymap.Key{Kind:4, Value:"AA:BB:CC:DD:EE:FF"}} does not contain identitymap.Key{Kind:1, Value:"serviceradar:poller:k8s"}
        	Test:       	TestBuildKeysFromRecordIncludesAliasKeys
        	Messages:   	Should include alias service ID from service_alias: prefix
    alias_keys_bug_test.go:69:
        	Error Trace:	/home/user/serviceradar/pkg/identitymap/alias_keys_bug_test.go:69
        	Error:      	[]identitymap.Key{identitymap.Key{Kind:1, Value:"tenant-a:host-device"}, identitymap.Key{Kind:5, Value:"10.0.0.5"}, identitymap.Key{Kind:6, Value:"tenant-a:10.0.0.5"}, identitymap.Key{Kind:2, Value:"armis-123"}, identitymap.Key{Kind:3, Value:"nb-42"}, identitymap.Key{Kind:3, Value:"123"}, identitymap.Key{Kind:4, Value:"AA:BB:CC:DD:EE:FF"}} does not contain identitymap.Key{Kind:5, Value:"10.0.0.8"}
        	Test:       	TestBuildKeysFromRecordIncludesAliasKeys
        	Messages:   	Should include alias IP from _alias_last_seen_ip
    alias_keys_bug_test.go:73:
        	Error Trace:	/home/user/serviceradar/pkg/identitymap/alias_keys_bug_test.go:73
        	Error:      	[]identitymap.Key{identitymap.Key{Kind:1, Value:"tenant-a:host-device"}, identitymap.Key{Kind:5, Value:"10.0.0.5"}, identitymap.Key{Kind:6, Value:"tenant-a:10.0.0.5"}, identitymap.Key{Kind:2, Value:"armis-123"}, identitymap.Key{Kind:3, Value:"nb-42"}, identitymap.Key{Kind:3, Value:"123"}, identitymap.Key{Kind:4, Value:"AA:BB:CC:DD:EE:FF"}} does not contain identitymap.Key{Kind:5, Value:"10.0.0.9"}
        	Test:       	TestBuildKeysFromRecordIncludesAliasKeys
        	Messages:   	Should include alias IP from ip_alias: prefix
--- FAIL: TestBuildKeysFromRecordIncludesAliasKeys (0.00s)
FAIL
FAIL	github.com/carverauto/serviceradar/pkg/identitymap	0.006s
FAIL

The test clearly shows that BuildKeysFromRecord produces only 7 keys while BuildKeys produces 13 keys for the same device. The 6 missing keys are all alias-related keys.

Full context

The identity map system is used to maintain a canonical mapping of device identities across the ServiceRadar platform. When a device is discovered or updated, multiple identity keys are created (by IP address, MAC address, device ID, integration IDs, etc.) that all point to the same canonical device record stored in a NATS JetStream KV store.

The identityPublisher in pkg/registry/identity_publisher.go is responsible for publishing these mappings to the KV store. When publishing an update for a device:

  1. It calls BuildKeys(update) to generate all identity keys for the new update (lines 216-222)
  2. It retrieves the existing canonical record from the KV store to find what keys currently exist (line 206, which calls existingIdentitySnapshot)
  3. Inside existingIdentitySnapshot, it calls BuildKeysFromRecord(record) to reconstruct what keys should exist based on the stored record (line 521)
  4. It compares the new key set with the reconstructed old key set to identify stale keys (line 225)
  5. It deletes the stale keys from the KV store (lines 226-228)

This stale key deletion mechanism was explicitly added in commit 3a5787ac on Oct 16, 2025 to "stop KV from growing out of control."

However, on Nov 4, 2025 (commit 5223ac8c), alias support was added to BuildKeys to track device aliases (when a device is known by multiple service IDs or IP addresses). This allows the system to create additional lookup keys for aliased identities. The commit added support for:

  • _alias_last_seen_service_id: The last service ID this device was seen as
  • _alias_last_seen_ip: The last IP address this device was seen at
  • service_alias:*: Historical service IDs this device has been known as
  • ip_alias:*: Historical IP addresses this device has been associated with

The problem is that BuildKeysFromRecord was not updated to handle these alias fields. Additionally, the buildIdentityAttributes function in pkg/registry/identity_publisher.go (lines 408-450) does not store alias metadata in the record's attributes, so even if BuildKeysFromRecord tried to reconstruct them, the data wouldn't be available.

This means:

  1. When a device with aliases is published, alias keys are created in the KV store
  2. When the same device is later updated (even if aliases change or are removed), the old alias keys are never identified as stale
  3. These orphaned alias keys remain in the KV store indefinitely, accumulating over time
  4. The KV store grows without bound, exactly the problem that commit 3a5787ac was meant to prevent

The device alias feature is actively used in the codebase (see pkg/core/alias_events.go, pkg/devicealias/alias.go) to track when devices are seen under different identities, which is an important feature for device tracking in complex networks.

Why has this bug gone undetected?

This bug has gone undetected for several reasons:

  1. Silent failure: The bug doesn't cause any errors or exceptions. The identity publisher successfully creates the alias keys and successfully publishes updates. The only symptom is that stale keys are not deleted, which is not immediately observable.

  2. Gradual accumulation: The effect of the bug is a gradual accumulation of stale keys over time. In a test environment or during initial deployment, the KV store might not grow large enough to be noticed. Only in production with sustained use would the KV store growth become apparent.

  3. Temporal separation: The bug was introduced by the interaction of two commits 19 days apart:

    • Oct 16, 2025: BuildKeysFromRecord was added
    • Nov 4, 2025: Alias support was added to BuildKeys

    Each commit in isolation worked correctly. The bug only manifested when both features interacted.

  4. No end-to-end test: The existing test TestBuildKeysFromRecord (lines 91-124 of pkg/identitymap/identitymap_test.go) only tests the basic functionality without alias metadata. It doesn't verify that BuildKeysFromRecord produces the same keys as BuildKeys for devices with aliases.

  5. Different code paths: The creation of keys (via BuildKeys) and the reconstruction of keys (via BuildKeysFromRecord) happen in different code paths. During normal operation, keys are created successfully. The reconstruction only happens when checking for stale keys, and its failure is not visible to the application - it simply results in stale keys not being deleted.

  6. Monitoring gap: The KV store metrics likely track total entries and growth rate, but wouldn't necessarily distinguish between legitimate growth (more devices) and bug-related growth (accumulating stale alias keys).

Recommended fix

The fix requires two changes:

  1. Store alias metadata in attributes: Update buildIdentityAttributes in pkg/registry/identity_publisher.go to store alias-related metadata fields in the record's attributes. This ensures the data is available for reconstruction.

  2. Reconstruct alias metadata: Update BuildKeysFromRecord in pkg/identitymap/identitymap.go to extract and reconstruct alias metadata fields from the record's attributes, similar to how it currently handles armis_device_id, integration_id, etc.

Here's a sketch of the fix for BuildKeysFromRecord:

func BuildKeysFromRecord(record *Record) []Key {
	if record == nil {
		return nil
	}

	update := &models.DeviceUpdate{
		DeviceID:  record.CanonicalDeviceID,
		Partition: record.Partition,
	}

	if record.Attributes != nil {
		if ip := strings.TrimSpace(record.Attributes["ip"]); ip != "" {
			update.IP = ip
		}
		if mac := strings.TrimSpace(record.Attributes["mac"]); mac != "" {
			macUpper := strings.ToUpper(mac)
			update.MAC = &macUpper
		}

		metaKeys := []string{"armis_device_id", "integration_id", "integration_type", "netbox_device_id"}
		for _, key := range metaKeys {
			if val := strings.TrimSpace(record.Attributes[key]); val != "" {
				if update.Metadata == nil {
					update.Metadata = make(map[string]string)
				}
				update.Metadata[key] = val
			}
		}

		// Reconstruct alias metadata  // <-- FIX 🟢
		aliasKeys := []string{"_alias_last_seen_service_id", "_alias_last_seen_ip"}
		for _, key := range aliasKeys {
			if val := strings.TrimSpace(record.Attributes[key]); val != "" {
				if update.Metadata == nil {
					update.Metadata = make(map[string]string)
				}
				update.Metadata[key] = val
			}
		}

		// Reconstruct service_alias:* and ip_alias:* fields  // <-- FIX 🟢
		for key, val := range record.Attributes {
			if strings.HasPrefix(key, "service_alias:") || strings.HasPrefix(key, "ip_alias:") {
				if update.Metadata == nil {
					update.Metadata = make(map[string]string)
				}
				update.Metadata[key] = val
			}
		}
	}

	return BuildKeys(update)
}

Note: This fix also requires updating buildIdentityAttributes to actually store these fields, which it currently doesn't do.

Imported from GitHub. Original GitHub issue: #2152 Original author: @mfreeman451 Original URL: https://github.com/carverauto/serviceradar/issues/2152 Original created: 2025-12-16T05:18:46Z --- # Summary - **Context**: The identity map system stores canonical device records in a KV store and maintains multiple lookup keys (by IP, MAC, device ID, etc.) that point to the same canonical record. When a device update occurs, the system creates new keys and removes stale keys that are no longer valid. - **Bug**: `BuildKeysFromRecord` fails to reconstruct alias-related identity keys (from `_alias_last_seen_service_id`, `_alias_last_seen_ip`, `service_alias:*`, and `ip_alias:*` metadata fields) that were originally created by `BuildKeys`. - **Actual vs. expected**: When the identity publisher retrieves an existing record to identify stale keys for deletion, it uses `BuildKeysFromRecord` to reconstruct the keys that should exist. Since `BuildKeysFromRecord` omits alias keys, these keys are never identified as stale and are never deleted, even when they should be. - **Impact**: Stale alias keys accumulate in the KV store indefinitely, causing the KV store to grow without bound. This undermines the purpose of the stale key deletion mechanism introduced in commit 3a5787ac ("stop KV from growing out of control"). # Code with bug In `pkg/identitymap/identitymap.go`, the `BuildKeysFromRecord` function only reconstructs a subset of metadata fields: ```go // BuildKeysFromRecord reconstructs the identity keys for a canonical record. func BuildKeysFromRecord(record *Record) []Key { if record == nil { return nil } update := &models.DeviceUpdate{ DeviceID: record.CanonicalDeviceID, Partition: record.Partition, } if record.Attributes != nil { if ip := strings.TrimSpace(record.Attributes["ip"]); ip != "" { update.IP = ip } if mac := strings.TrimSpace(record.Attributes["mac"]); mac != "" { macUpper := strings.ToUpper(mac) update.MAC = &macUpper } metaKeys := []string{"armis_device_id", "integration_id", "integration_type", "netbox_device_id"} for _, key := range metaKeys { if val := strings.TrimSpace(record.Attributes[key]); val != "" { if update.Metadata == nil { update.Metadata = make(map[string]string) } update.Metadata[key] = val // <-- BUG 🔴 Missing alias metadata fields } } } return BuildKeys(update) } ``` The `metaKeys` list on line 151 does not include any of the alias-related metadata fields that `BuildKeys` uses (lines 97-119): - `_alias_last_seen_service_id` - `_alias_last_seen_ip` - Keys with prefix `service_alias:` - Keys with prefix `ip_alias:` # Evidence ## Example Consider a device update with alias metadata: ```go update := &models.DeviceUpdate{ DeviceID: "tenant-a:host-device", IP: "10.0.0.5", Partition: "tenant-a", Metadata: map[string]string{ "_alias_last_seen_service_id": "serviceradar:agent:k8s-agent", "_alias_last_seen_ip": "10.0.0.8", "service_alias:serviceradar:poller:k8s": "2025-11-03T15:00:00Z", "ip_alias:10.0.0.9": "2025-11-03T15:00:00Z", }, } ``` When `BuildKeys(update)` is called, it creates 13 keys including: 1. `KindDeviceID: "tenant-a:host-device"` (the main device ID) 2. `KindDeviceID: "serviceradar:agent:k8s-agent"` (from `_alias_last_seen_service_id`) 3. `KindDeviceID: "serviceradar:poller:k8s"` (from `service_alias:serviceradar:poller:k8s`) 4. `KindIP: "10.0.0.5"` (main IP) 5. `KindIP: "10.0.0.8"` (from `_alias_last_seen_ip`) 6. `KindIP: "10.0.0.9"` (from `ip_alias:10.0.0.9`) 7. `KindPartitionIP: "tenant-a:10.0.0.5"` 8. `KindPartitionIP: "tenant-a:10.0.0.8"` 9. `KindPartitionIP: "tenant-a:10.0.0.9"` These keys are stored in the KV store pointing to the canonical record. However, when the record is later retrieved and `BuildKeysFromRecord` is called (in `identity_publisher.go:521`), only 3 keys are reconstructed: 1. `KindDeviceID: "tenant-a:host-device"` 2. `KindIP: "10.0.0.5"` 3. `KindPartitionIP: "tenant-a:10.0.0.5"` The 6 alias-related keys are missing from the reconstruction. ## Inconsistency within the codebase ### Reference code: BuildKeys in pkg/identitymap/identitymap.go (lines 97-119) ```go if aliasService := strings.TrimSpace(update.Metadata["_alias_last_seen_service_id"]); aliasService != "" { add(KindDeviceID, aliasService) } if aliasIP := strings.TrimSpace(update.Metadata["_alias_last_seen_ip"]); aliasIP != "" { add(KindIP, aliasIP) add(KindPartitionIP, partitionIPValue(update.Partition, aliasIP)) } for key := range update.Metadata { switch { case strings.HasPrefix(key, "service_alias:"): aliasID := strings.TrimSpace(strings.TrimPrefix(key, "service_alias:")) if aliasID != "" { add(KindDeviceID, aliasID) } case strings.HasPrefix(key, "ip_alias:"): aliasIP := strings.TrimSpace(strings.TrimPrefix(key, "ip_alias:")) if aliasIP != "" { add(KindIP, aliasIP) add(KindPartitionIP, partitionIPValue(update.Partition, aliasIP)) } } } ``` ### Current code: BuildKeysFromRecord in pkg/identitymap/identitymap.go (lines 131-163) ```go func BuildKeysFromRecord(record *Record) []Key { if record == nil { return nil } update := &models.DeviceUpdate{ DeviceID: record.CanonicalDeviceID, Partition: record.Partition, } if record.Attributes != nil { if ip := strings.TrimSpace(record.Attributes["ip"]); ip != "" { update.IP = ip } if mac := strings.TrimSpace(record.Attributes["mac"]); mac != "" { macUpper := strings.ToUpper(mac) update.MAC = &macUpper } metaKeys := []string{"armis_device_id", "integration_id", "integration_type", "netbox_device_id"} for _, key := range metaKeys { if val := strings.TrimSpace(record.Attributes[key]); val != "" { if update.Metadata == nil { update.Metadata = make(map[string]string) } update.Metadata[key] = val } } } return BuildKeys(update) } ``` ### Contradiction `BuildKeys` processes four categories of alias metadata fields to create identity keys: 1. `_alias_last_seen_service_id` → creates a `KindDeviceID` key 2. `_alias_last_seen_ip` → creates `KindIP` and `KindPartitionIP` keys 3. `service_alias:*` prefixed keys → creates `KindDeviceID` keys 4. `ip_alias:*` prefixed keys → creates `KindIP` and `KindPartitionIP` keys However, `BuildKeysFromRecord` only reconstructs metadata for `armis_device_id`, `integration_id`, `integration_type`, and `netbox_device_id`. None of the alias-related fields are included in the reconstruction, causing `BuildKeys` to produce a different set of keys when called from `BuildKeysFromRecord` versus when called directly with the original update. This violates the documented purpose of `BuildKeysFromRecord`: to "reconstruct the identity keys for a canonical record" (line 131). The function does not actually reconstruct all the keys that were originally created. ## Failing test ### Test script ```go package identitymap import ( "testing" "github.com/carverauto/serviceradar/pkg/models" "github.com/stretchr/testify/assert" ) // TestBuildKeysFromRecordIncludesAliasKeys verifies that BuildKeysFromRecord // reconstructs all keys that were originally created by BuildKeys, including // alias-related keys. // // This test currently fails, demonstrating a bug where alias keys are lost // during record reconstruction. func TestBuildKeysFromRecordIncludesAliasKeys(t *testing.T) { mac := "aa:bb:cc:dd:ee:ff" update := &models.DeviceUpdate{ DeviceID: "tenant-a:host-device", IP: "10.0.0.5", Partition: "tenant-a", MAC: &mac, Metadata: map[string]string{ "_alias_last_seen_service_id": "serviceradar:agent:k8s-agent", "_alias_last_seen_ip": "10.0.0.8", "service_alias:serviceradar:poller:k8s": "2025-11-03T15:00:00Z", "ip_alias:10.0.0.9": "2025-11-03T15:00:00Z", "armis_device_id": "armis-123", "integration_type": "netbox", "integration_id": "nb-42", "netbox_device_id": "123", }, } // Create a record as it would be stored (mimicking buildIdentityAttributes) record := &Record{ CanonicalDeviceID: update.DeviceID, Partition: update.Partition, MetadataHash: HashIdentityMetadata(update), Attributes: map[string]string{ "ip": update.IP, "mac": "AA:BB:CC:DD:EE:FF", "armis_device_id": update.Metadata["armis_device_id"], "integration_id": update.Metadata["integration_id"], "integration_type": update.Metadata["integration_type"], "netbox_device_id": update.Metadata["netbox_device_id"], // Note: alias metadata is NOT stored in attributes by buildIdentityAttributes }, } keysFromUpdate := BuildKeys(update) keysFromRecord := BuildKeysFromRecord(record) // This assertion will fail because BuildKeysFromRecord doesn't reconstruct // alias keys (service_alias:*, ip_alias:*, _alias_last_seen_service_id, _alias_last_seen_ip) assert.ElementsMatch(t, keysFromUpdate, keysFromRecord, "BuildKeysFromRecord should reconstruct all keys that BuildKeys originally created") // Specifically verify the alias keys are present aliasServiceKey := Key{Kind: KindDeviceID, Value: "serviceradar:agent:k8s-agent"} assert.Contains(t, keysFromRecord, aliasServiceKey, "Should include alias service ID from _alias_last_seen_service_id") aliasServiceKey2 := Key{Kind: KindDeviceID, Value: "serviceradar:poller:k8s"} assert.Contains(t, keysFromRecord, aliasServiceKey2, "Should include alias service ID from service_alias: prefix") aliasIPKey := Key{Kind: KindIP, Value: "10.0.0.8"} assert.Contains(t, keysFromRecord, aliasIPKey, "Should include alias IP from _alias_last_seen_ip") aliasIPKey2 := Key{Kind: KindIP, Value: "10.0.0.9"} assert.Contains(t, keysFromRecord, aliasIPKey2, "Should include alias IP from ip_alias: prefix") } ``` ### Test output ``` === RUN TestBuildKeysFromRecordIncludesAliasKeys alias_keys_bug_test.go:56: Error Trace: /home/user/serviceradar/pkg/identitymap/alias_keys_bug_test.go:56 Error: elements differ extra elements in list A: ([]interface {}) (len=6) { (identitymap.Key) { Kind: (identitymappb.IdentityKind) 1, Value: (string) (len=28) "serviceradar:agent:k8s-agent" }, (identitymap.Key) { Kind: (identitymappb.IdentityKind) 5, Value: (string) (len=8) "10.0.0.8" }, (identitymap.Key) { Kind: (identitymappb.IdentityKind) 6, Value: (string) (len=17) "tenant-a:10.0.0.8" }, (identitymap.Key) { Kind: (identitymappb.IdentityKind) 5, Value: (string) (len=8) "10.0.0.9" }, (identitymap.Key) { Kind: (identitymappb.IdentityKind) 6, Value: (string) (len=17) "tenant-a:10.0.0.9" }, (identitymap.Key) { Kind: (identitymappb.IdentityKind) 1, Value: (string) (len=23) "serviceradar:poller:k8s" } } listA: ([]identitymap.Key) (len=13) { (identitymap.Key) { Kind: (identitymappb.IdentityKind) 1, Value: (string) (len=20) "tenant-a:host-device" }, (identitymap.Key) { Kind: (identitymappb.IdentityKind) 5, Value: (string) (len=8) "10.0.0.5" }, (identitymap.Key) { Kind: (identitymappb.IdentityKind) 6, Value: (string) (len=17) "tenant-a:10.0.0.5" }, (identitymap.Key) { Kind: (identitymappb.IdentityKind) 2, Value: (string) (len=9) "armis-123" }, (identitymap.Key) { Kind: (identitymappb.IdentityKind) 3, Value: (string) (len=5) "nb-42" }, (identitymap.Key) { Kind: (identitymappb.IdentityKind) 3, Value: (string) (len=3) "123" }, (identitymap.Key) { Kind: (identitymappb.IdentityKind) 1, Value: (string) (len=28) "serviceradar:agent:k8s-agent" }, (identitymap.Key) { Kind: (identitymappb.IdentityKind) 5, Value: (string) (len=8) "10.0.0.8" }, (identitymap.Key) { Kind: (identitymappb.IdentityKind) 6, Value: (string) (len=17) "tenant-a:10.0.0.8" }, (identitymap.Key) { Kind: (identitymappb.IdentityKind) 5, Value: (string) (len=8) "10.0.0.9" }, (identitymap.Key) { Kind: (identitymappb.IdentityKind) 6, Value: (string) (len=17) "tenant-a:10.0.0.9" }, (identitymap.Key) { Kind: (identitymappb.IdentityKind) 1, Value: (string) (len=23) "serviceradar:poller:k8s" }, (identitymap.Key) { Kind: (identitymappb.IdentityKind) 4, Value: (string) (len=17) "AA:BB:CC:DD:EE:FF" } } listB: ([]identitymap.Key) (len=7) { (identitymap.Key) { Kind: (identitymappb.IdentityKind) 1, Value: (string) (len=20) "tenant-a:host-device" }, (identitymap.Key) { Kind: (identitymappb.IdentityKind) 5, Value: (string) (len=8) "10.0.0.5" }, (identitymap.Key) { Kind: (identitymappb.IdentityKind) 6, Value: (string) (len=17) "tenant-a:10.0.0.5" }, (identitymap.Key) { Kind: (identitymappb.IdentityKind) 2, Value: (string) (len=9) "armis-123" }, (identitymap.Key) { Kind: (identitymappb.IdentityKind) 3, Value: (string) (len=5) "nb-42" }, (identitymap.Key) { Kind: (identitymappb.IdentityKind) 3, Value: (string) (len=3) "123" }, (identitymap.Key) { Kind: (identitymappb.IdentityKind) 4, Value: (string) (len=17) "AA:BB:CC:DD:EE:FF" } } Test: TestBuildKeysFromRecordIncludesAliasKeys Messages: BuildKeysFromRecord should reconstruct all keys that BuildKeys originally created alias_keys_bug_test.go:61: Error Trace: /home/user/serviceradar/pkg/identitymap/alias_keys_bug_test.go:61 Error: []identitymap.Key{identitymap.Key{Kind:1, Value:"tenant-a:host-device"}, identitymap.Key{Kind:5, Value:"10.0.0.5"}, identitymap.Key{Kind:6, Value:"tenant-a:10.0.0.5"}, identitymap.Key{Kind:2, Value:"armis-123"}, identitymap.Key{Kind:3, Value:"nb-42"}, identitymap.Key{Kind:3, Value:"123"}, identitymap.Key{Kind:4, Value:"AA:BB:CC:DD:EE:FF"}} does not contain identitymap.Key{Kind:1, Value:"serviceradar:agent:k8s-agent"} Test: TestBuildKeysFromRecordIncludesAliasKeys Messages: Should include alias service ID from _alias_last_seen_service_id alias_keys_bug_test.go:65: Error Trace: /home/user/serviceradar/pkg/identitymap/alias_keys_bug_test.go:65 Error: []identitymap.Key{identitymap.Key{Kind:1, Value:"tenant-a:host-device"}, identitymap.Key{Kind:5, Value:"10.0.0.5"}, identitymap.Key{Kind:6, Value:"tenant-a:10.0.0.5"}, identitymap.Key{Kind:2, Value:"armis-123"}, identitymap.Key{Kind:3, Value:"nb-42"}, identitymap.Key{Kind:3, Value:"123"}, identitymap.Key{Kind:4, Value:"AA:BB:CC:DD:EE:FF"}} does not contain identitymap.Key{Kind:1, Value:"serviceradar:poller:k8s"} Test: TestBuildKeysFromRecordIncludesAliasKeys Messages: Should include alias service ID from service_alias: prefix alias_keys_bug_test.go:69: Error Trace: /home/user/serviceradar/pkg/identitymap/alias_keys_bug_test.go:69 Error: []identitymap.Key{identitymap.Key{Kind:1, Value:"tenant-a:host-device"}, identitymap.Key{Kind:5, Value:"10.0.0.5"}, identitymap.Key{Kind:6, Value:"tenant-a:10.0.0.5"}, identitymap.Key{Kind:2, Value:"armis-123"}, identitymap.Key{Kind:3, Value:"nb-42"}, identitymap.Key{Kind:3, Value:"123"}, identitymap.Key{Kind:4, Value:"AA:BB:CC:DD:EE:FF"}} does not contain identitymap.Key{Kind:5, Value:"10.0.0.8"} Test: TestBuildKeysFromRecordIncludesAliasKeys Messages: Should include alias IP from _alias_last_seen_ip alias_keys_bug_test.go:73: Error Trace: /home/user/serviceradar/pkg/identitymap/alias_keys_bug_test.go:73 Error: []identitymap.Key{identitymap.Key{Kind:1, Value:"tenant-a:host-device"}, identitymap.Key{Kind:5, Value:"10.0.0.5"}, identitymap.Key{Kind:6, Value:"tenant-a:10.0.0.5"}, identitymap.Key{Kind:2, Value:"armis-123"}, identitymap.Key{Kind:3, Value:"nb-42"}, identitymap.Key{Kind:3, Value:"123"}, identitymap.Key{Kind:4, Value:"AA:BB:CC:DD:EE:FF"}} does not contain identitymap.Key{Kind:5, Value:"10.0.0.9"} Test: TestBuildKeysFromRecordIncludesAliasKeys Messages: Should include alias IP from ip_alias: prefix --- FAIL: TestBuildKeysFromRecordIncludesAliasKeys (0.00s) FAIL FAIL github.com/carverauto/serviceradar/pkg/identitymap 0.006s FAIL ``` The test clearly shows that `BuildKeysFromRecord` produces only 7 keys while `BuildKeys` produces 13 keys for the same device. The 6 missing keys are all alias-related keys. # Full context The identity map system is used to maintain a canonical mapping of device identities across the ServiceRadar platform. When a device is discovered or updated, multiple identity keys are created (by IP address, MAC address, device ID, integration IDs, etc.) that all point to the same canonical device record stored in a NATS JetStream KV store. The `identityPublisher` in `pkg/registry/identity_publisher.go` is responsible for publishing these mappings to the KV store. When publishing an update for a device: 1. It calls `BuildKeys(update)` to generate all identity keys for the new update (lines 216-222) 2. It retrieves the existing canonical record from the KV store to find what keys currently exist (line 206, which calls `existingIdentitySnapshot`) 3. Inside `existingIdentitySnapshot`, it calls `BuildKeysFromRecord(record)` to reconstruct what keys should exist based on the stored record (line 521) 4. It compares the new key set with the reconstructed old key set to identify stale keys (line 225) 5. It deletes the stale keys from the KV store (lines 226-228) This stale key deletion mechanism was explicitly added in commit 3a5787ac on Oct 16, 2025 to "stop KV from growing out of control." However, on Nov 4, 2025 (commit 5223ac8c), alias support was added to `BuildKeys` to track device aliases (when a device is known by multiple service IDs or IP addresses). This allows the system to create additional lookup keys for aliased identities. The commit added support for: - `_alias_last_seen_service_id`: The last service ID this device was seen as - `_alias_last_seen_ip`: The last IP address this device was seen at - `service_alias:*`: Historical service IDs this device has been known as - `ip_alias:*`: Historical IP addresses this device has been associated with The problem is that `BuildKeysFromRecord` was not updated to handle these alias fields. Additionally, the `buildIdentityAttributes` function in `pkg/registry/identity_publisher.go` (lines 408-450) does not store alias metadata in the record's attributes, so even if `BuildKeysFromRecord` tried to reconstruct them, the data wouldn't be available. This means: 1. When a device with aliases is published, alias keys are created in the KV store 2. When the same device is later updated (even if aliases change or are removed), the old alias keys are never identified as stale 3. These orphaned alias keys remain in the KV store indefinitely, accumulating over time 4. The KV store grows without bound, exactly the problem that commit 3a5787ac was meant to prevent The device alias feature is actively used in the codebase (see `pkg/core/alias_events.go`, `pkg/devicealias/alias.go`) to track when devices are seen under different identities, which is an important feature for device tracking in complex networks. # Why has this bug gone undetected? This bug has gone undetected for several reasons: 1. **Silent failure**: The bug doesn't cause any errors or exceptions. The identity publisher successfully creates the alias keys and successfully publishes updates. The only symptom is that stale keys are not deleted, which is not immediately observable. 2. **Gradual accumulation**: The effect of the bug is a gradual accumulation of stale keys over time. In a test environment or during initial deployment, the KV store might not grow large enough to be noticed. Only in production with sustained use would the KV store growth become apparent. 3. **Temporal separation**: The bug was introduced by the interaction of two commits 19 days apart: - Oct 16, 2025: `BuildKeysFromRecord` was added - Nov 4, 2025: Alias support was added to `BuildKeys` Each commit in isolation worked correctly. The bug only manifested when both features interacted. 4. **No end-to-end test**: The existing test `TestBuildKeysFromRecord` (lines 91-124 of `pkg/identitymap/identitymap_test.go`) only tests the basic functionality without alias metadata. It doesn't verify that `BuildKeysFromRecord` produces the same keys as `BuildKeys` for devices with aliases. 5. **Different code paths**: The creation of keys (via `BuildKeys`) and the reconstruction of keys (via `BuildKeysFromRecord`) happen in different code paths. During normal operation, keys are created successfully. The reconstruction only happens when checking for stale keys, and its failure is not visible to the application - it simply results in stale keys not being deleted. 6. **Monitoring gap**: The KV store metrics likely track total entries and growth rate, but wouldn't necessarily distinguish between legitimate growth (more devices) and bug-related growth (accumulating stale alias keys). # Recommended fix The fix requires two changes: 1. **Store alias metadata in attributes**: Update `buildIdentityAttributes` in `pkg/registry/identity_publisher.go` to store alias-related metadata fields in the record's attributes. This ensures the data is available for reconstruction. 2. **Reconstruct alias metadata**: Update `BuildKeysFromRecord` in `pkg/identitymap/identitymap.go` to extract and reconstruct alias metadata fields from the record's attributes, similar to how it currently handles `armis_device_id`, `integration_id`, etc. Here's a sketch of the fix for `BuildKeysFromRecord`: ```go func BuildKeysFromRecord(record *Record) []Key { if record == nil { return nil } update := &models.DeviceUpdate{ DeviceID: record.CanonicalDeviceID, Partition: record.Partition, } if record.Attributes != nil { if ip := strings.TrimSpace(record.Attributes["ip"]); ip != "" { update.IP = ip } if mac := strings.TrimSpace(record.Attributes["mac"]); mac != "" { macUpper := strings.ToUpper(mac) update.MAC = &macUpper } metaKeys := []string{"armis_device_id", "integration_id", "integration_type", "netbox_device_id"} for _, key := range metaKeys { if val := strings.TrimSpace(record.Attributes[key]); val != "" { if update.Metadata == nil { update.Metadata = make(map[string]string) } update.Metadata[key] = val } } // Reconstruct alias metadata // <-- FIX 🟢 aliasKeys := []string{"_alias_last_seen_service_id", "_alias_last_seen_ip"} for _, key := range aliasKeys { if val := strings.TrimSpace(record.Attributes[key]); val != "" { if update.Metadata == nil { update.Metadata = make(map[string]string) } update.Metadata[key] = val } } // Reconstruct service_alias:* and ip_alias:* fields // <-- FIX 🟢 for key, val := range record.Attributes { if strings.HasPrefix(key, "service_alias:") || strings.HasPrefix(key, "ip_alias:") { if update.Metadata == nil { update.Metadata = make(map[string]string) } update.Metadata[key] = val } } } return BuildKeys(update) } ``` Note: This fix also requires updating `buildIdentityAttributes` to actually store these fields, which it currently doesn't do.
mfreeman451 commented 2026-03-28 04:27:28 +00:00
Author
Owner
Copy link

Imported GitHub comment.

Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/issues/2152#issuecomment-3663247422
Original created: 2025-12-17T01:49:02Z

closing as completed

Imported GitHub comment. Original author: @mfreeman451 Original URL: https://github.com/carverauto/serviceradar/issues/2152#issuecomment-3663247422 Original created: 2025-12-17T01:49:02Z --- closing as completed
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
staging
demo/prod-release
add-dashboard-srql-service-views
enhance-dashboard-creator-visual-builder
fix-release-1-2-78-ci-failures
refactor-agent-plugin-runtime
add-dashboard-creator
update/plugin-system
add-service-monitoring-foundation
fix/cli-auth-settings-navigation
fix/device-unknown-facet
fix-plugin-assignment-upgrades
fix/sweep-profile-mode-status
fix/armis-northbound-fixes
fix-proxmox-console-react-client-render
fix-openbao-signing-job-token-mount
fix-services-plugin-status-read-model
fix-stream-status-final-chunk
codex/fix-prod-armis-sync-icmp
fix-demo-cnpg-operator-networkpolicy
update/docs-cleanup
fix-armis-northbound-raw-token-auth
fix-armis-northbound-stuck-running
update-manual-device-hostname-readd
fix/observability-severity-card-links
renovate/debian_testing_slim-testing-slim
docs/kubernetes-ingestion-gateway
fix/flow-collector-external-network-policy
fix/armis-availability-and-stream-config
refactor-fast-fresh-db-bootstrap
fix/cnpg-not-found
fix/docker-update/cnpg
renovate/debian_bookworm_slim-bookworm-slim
add-socket-firewall-ci
add-ipv6-sweep-scanners
fix-armis-northbound
add-streamed-agent-config
fix/sweep-ip-family-routing
codex/fix-core-migration-hook-upgrade
renovate/arc_runner
renovate/actions_runner
codex/remote-access-desktop-rdp
updates/missing-fixes
fix/batched-sweep-targets
fix/agent-sysmon-memory-growth
fix/armis-northbound-single-run-and-timestamps
release/1.2.67
fix/wasm-plugin-service-status
fix/armis-names-string
codex/harden-remote-access-app-tcp-followup
codex/harden-remote-access-app-tcp
codex/harden-gateway-proxy-auth
codex/harden-remote-access-destroy-rbac
codex/harden-ssh-ca-remote-access
codex/harden-remote-access-broker-registry
codex/harden-remote-access-approval-policy
codex/harden-remote-access-file-transfer
codex/harden-remote-access-attach-ticket
fix-release-plugin-list-cleanup
codex/harden-grpc-logger-payloads
propose-interface-action-target-context
add-signed-northbound-action-callbacks
fix/reap-stale-self-scheduled-oban-jobs
fix/device-logs-tab-async
fix/device-metadata-summary
fix/northbound-launch-target-auth
fix/northbound-provider-atomic-read
proposal/add-sample-northbound-wasm-plugin
proposal/northbound-action-integrations
fix/ansible-run-job-device-launch
codex/fix-audit-events-shell-theme
codex/fix-sweep-tcp-availability
codex/fix-armis-names-string
fix/update-nats-2-14
fix/elixir-quality-release-blockers
fix/latest-release-device-ingest-ui-bugs
fix/release-1.2.61-ci-failures
fix/web-ng-precommit-format
fix/wasm-tinygo-go125
fix/agent-file-transfer-bazel-src
fix/release-key-stamp-root
fix/release-1.2.59-staging
main
fix/agent-accept-deprecated-remote-access-config
fix/device-results-count-facets
fix/bazelisk-installer-retries
fix/tinygo-host-toolchain-fetch
add-per-agent-availability
fix/forgejo-release-multipart-assets
fix/agent-config-stale-session
fix/mtr-hop-dns-resolution
fix/hostname-only-device-create
fix/otlp-log-metadata-sanitization
fix/sweep-icmp-legacy-mode-classification
add-nats-object-store-retention
fix/helm-serviceradar-state-pvc
harden/forgejo-ci-nonroot
codex/expand-remote-access-teleport-parity
fix/sweep-port-history-consistency
fix/remote-access-ssh-feature-flag
fix/devices-refresh-artifacts
fix/identity-ingestion-sweep-availability
spec/identity-cache-ingestion-correctness
fix/sweep-mapper-promotion-stale-cache
fix/sweep-provisional-duplicate-ip
fix/sweep-target-invalid-ip-order
fix/armis-large-sync-streaming
fix/docusaurus-blog-build-date
fix/armis-sync-compat-deep-dive
fix/awx-controller-credential-secret
fix/demo-release-source-branch
demo/release-v1.2.44-source-fix
codex/teleport-agent-routed-remote-access
feature/agent-config-dependency-catalog
proposal/agent-config-dependency-catalog
bugfix/armis-credentials-save-display
bugfix/armis-integration-credentials
fix/web-ng-precommit-formatting
bugfix/armis-secret-config-push
feature/close-controllers-to-pipelines
carverauto/extract-palisade
feature/migrate-dashboard-cli-to-plugs
feature/audit-history-page
feature/migrate-controllers-to-security-pipelines
fix/security-events-test-and-retention-worker
feature/add-platform-security-hardening
demo-rollout-proxmox-bazel-fix
bug/armis-sync-issues
add-virtualization-srql-queries
add-proxmox-ingestion-hardening-tests
add-ssh-private-key-credential-rules
redact-plugin-credential-material
add-credential-rules-settings-entry
add-credential-rules-settings-flows
require-network-credential-broker-grants
preview-credential-rule-target-scope
add-proxmox-credential-secret-preset
harden-credential-rules-live-tests
clarify-proxmox-plugin-credential-modes
docs-proxmox-credential-operations
fingerprint-proxmox-candidates
proxmox-resource-efficiency-dashboard
proxmox-console-security-docs
proxmox-focused-quality-validation
proxmox-metric-baseline-alerts
proxmox-device-scoped-logs
proxmox-defer-vector-log-forwarding
proxmox-console-session-tickets
proxmox-console-xterm-shell
proxmox-console-websocket-broker
proxmox-console-control-frames
proxmox-console-agent-session-manager
proxmox-console-plugin-pty-bridge
proxmox-console-assignment-materializer
proxmox-console-ssh-connector
proxmox-console-agent-local-broker
proxmox-console-device-actions
proxmox-console-stream-timeouts
proxmox-console-guest-mode-gating
proxmox-console-ci-race-fix
fix/falco-alert-routing-datasvc-channel
fix-agent-release-page-bugs
add-proxmox-device-details-summary
add-proxmox-virtualization-ingestor
add-virtualization-inventory-schema
add-proxmox-infrastructure-inventory
add-proxmox-plugin-live-smoke
add-proxmox-local-api-smoke
add-proxmox-credential-test-dispatch
add-proxmox-credential-test-plan
add-network-credential-rule-preview
add-proxmox-plugin-inventory-details
add-proxmox-credential-reconcile-worker
add-proxmox-credential-assignment-materializer
add-plugin-input-template-secret-refs
add-proxmox-plugin-policy-inputs
add-proxmox-wasm-plugin-scaffold
add-network-credential-rules-model
add-proxmox-plugin-credential-rules
fix/rperf-rustls-provider-demo
fix/dashboard-template-sdk-014
fix/tinygo-go126-release
fix/reqsign-provider-bazel-deps
fix/release-bazel-rust-crates
fix/core-coordinator-connection-leak
chore/security-updates
update/readme-versions-update
docs/readme-dashboard-sdk
chore/cli-0.1.5
fix/dashboard-cli-local-map-dev
fix/dashboard-cli-hmr-map-libraries
chore/bump-serviceradar-cli-0.1.2
fix/dashboard-cli-hmr-harness
fix/helm-contour-liveview-websocket
fix/helm-cnpg-pooler-defaults
updates/helm-fixes
update/fix-light-mode-analytics
ual/dashboard-sdk-dx
security/postgres-update
update-falco-alert-diagnostics
ual/react-dashboard-sdk
fix/cnpg-saturation-fk-and-bootstrap
ual/wifi-site-map
fix-coraza-log-db-writer
fix-log-viewer-syslog-processed
plan-fieldsurvey-spatial-selection
plan-envoy-coraza-waf
plan-alienvault-otx-integration
plan-fieldsurvey-sidekick-daemon
cleanup-openspec-archive-closed-proposals
bug-core-elx-ip-enrichment-reap
fix-release-libcap2-pin-v125
fix-camera-stream-gateway-route
add-core-elx-prometheus-metrics
add-serviceradar-observability-dashboards
add-pgbouncer-helm-cnpg
renovate/ghcr.io-actions-actions-runner
feat/cluster-agent-runtime-metadata-stability
feat/observability-shell-standardization
feat/observability-live-log-toggle
fix/mtr-bulk-queue-and-srql-targets
fix/mtr-profile-protocol-keyerror
fix/mtr-diagnostics-keyerror
add-demo-rollout-skills
fix-web-ng-test-support-dialyzer
fix-web-ng-dialyzer-findings
add-bulk-queued-mtr-diagnostics
fix-serviceradar-core-integration-failures
harden-agent-updater-exec-arguments
harden-agent-release-trust-boundaries
fix-compose-hermetic-nats-datasvc-bootstrap
fix/openbao-release-issues
elixir/formatting-updates
codex/demo-cnpg-signing-release-fixes
chore/lint-fixes
fix/bazel-alpine-bump-and-cosign-skip
update-event-alert-dedup-and-suppression
armis-northbound-events
armis-northbound-availability-updates
push-owvypksrmooo
codex/topology-endpoint-evidence-investigation
codex/topology-bootstrap-and-layout-simplification
codex/remove-ingress-nginx-edge
fix/forgejo-ci-snmp-cache-and-ubuntu24
bug/cnpg-mtls-failure
bug/log-collector
fix/forgejo-runner-labels
fix/cargo-lock-sync
remove-arc-runner-from-push-all
fix-push-all-cosign-preflight
fix-go-ci
add-versioned-openapi-publish
chore/forgejo-hardening
security/k8s-hardening
update/cluster-page-agents
updates/helm-security-updates
2406-feat-agent-fleet-management-secure-self-update-system
bug/k8s-helm-deployments
chore/k8s-arc-update
rust-fix
2371-analytics-stats-cards-should-abbreviate-numbers
chore/perl-cleanup
2942-featweb-ng-add-logs-tab-to-device-details-page
192-feat-tftp-server
mikemiles-dev/feature/netflow_collection
testing
dependabot/cargo/hostname-0.4.1
dependabot/cargo/redis-1.0.1
dependabot/cargo/bb8-0.9.0
dependabot/cargo/rcgen-0.14.6
dependabot/cargo/hyper-1.8.1
dependabot/cargo/hyper-util-0.1.19
dependabot/cargo/clap-4.5.51
dependabot/cargo/thiserror-2.0.17
dependabot/cargo/time-tz-2.0.0
dependabot/cargo/tonic-build-0.14.2
backup/main-pre-staging-sync-2026-04-02
dependabot/npm_and_yarn/docs/mdast-util-to-hast-13.2.1
815-feat-support-win32-for-agentpoller
gh-pages
v1.2.79
v1.2.78
v1.2.77
v1.2.76
v1.2.75
v1.2.74
v1.2.73
v1.2.72
v1.2.71
v1.2.70
v1.2.69
v1.2.68
v1.2.67
v1.2.66
v1.2.65
v1.2.64
v1.2.63
v1.2.62
v1.2.61
v1.2.60
v1.2.59
v1.2.58
v1.2.57
v1.2.54
v1.2.53
v1.2.52
v1.2.51
v1.2.50
v1.2.49
v1.2.48
v1.2.47
v1.2.46
v1.2.45
v1.2.44
v1.2.43
v1.2.42
v1.2.41
v1.2.40
v1.2.39
v1.2.38
sha-de6d1025d59f039188754b895ff7fe65db9b306b
sha-8006b6105635acf43060fab2613eab3bccb1efcf
v1.2.37
v1.2.36
v1.2.35
v1.2.34
v1.2.33
v1.2.32
v1.2.31
v1.2.30
v1.2.29
v1.2.28
v1.2.27
v1.2.26
v1.2.25
v1.2.24
v1.2.23
v1.2.22
v1.2.21
v1.2.20
v1.2.19
v1.2.18
v1.2.17
v1.2.16
v1.2.15
v1.2.14
v1.2.13
v1.2.12
v1.2.11
v1.2.6
v1.2.10
v1.2.9
v1.2.8
v1.2.7
v1.2.5
v1.2.4
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.1.2
v1.1.0
v1.0.92
v1.0.91
v1.0.90
v1.0.89
v1.0.88
v1.0.87
v1.0.86
v1.0.85
v1.0.84
v1.0.83
v1.0.82
v1.0.81
v1.0.78
v1.0.77
v1.0.76
v1.0.70
v1.0.69
v1.0.68
v1.0.67
v1.0.66
v1.0.65
v1.0.64
v1.0.63
v1.0.62
v1.0.61
v1.0.60
v1.0.59
v1.0.58
1.0.57
v1.0.56
v1.0.55
v1.0.54-pre5
v1.0.53
v1.0.53-pre19
v1.0.53-pre18
v1.0.53-pre17
v1.0.53-pre15
1.0.53-pre10
1.0.53-pre9
1.0.53-pre8
1.0.53-pre7
1.0.53-pre6
1.0.53-pre5
1.0.53-pre4
1.0.53-pre3
1.0.53-pre2
1.0.53-pre1
1.0.52
1.0.51
1.0.50
1.0.49
1.0.49-pre5
1.0.49-pre4
1.0.49-pre3
1.0.49-pre2
1.0.48
1.0.48-rc2
1.0.48-rc1
1.0.48-pre8
1.0.48-pre7
1.0.48-pre6
1.0.48-pre5
1.0.48-pre4
1.0.48-pre3
1.0.48-pre2
1.0.48-pre1
1.0.47
1.0.47-pre8
1.0.47-pre7
1.0.47-pre6
1.0.47-pre5
1.0.47-pre4
1.0.47-pre3
1.0.47-pre2
1.0.47-pre1
1.0.46
1.0.46-pre9
1.0.46-pre8
1.0.46-pre7
1.0.46-pre6
1.0.46-pre5
1.0.46-pre4
1.0.46-pre3
1.0.46-pre2
1.0.46-pre1
1.0.45
1.0.44
1.0.44-pre12
1.0.44-pre11
1.0.44-pre10
1.0.44-pre9
1.0.44-pre8
1.0.44-pre7
1.0.44-pre6
1.0.44-pre5
1.0.44-pre4
1.0.44-pre3
1.0.44-pre2
1.0.44-pre1
1.0.43
1.0.42
1.0.41
1.0.41-pre1
1.0.40
1.0.40-pre11
1.0.40-pre10
1.0.40-pre9
1.0.40-pre8
1.0.40-pre7
1.0.40-pre6
1.0.40-pre5
1.0.40-pre4
1.0.40-pre3
1.0.40-pre2
1.0.40-pre1
1.0.39
1.0.38
1.0.37
1.0.36
1.0.36-pre5
1.0.36-pre4
1.0.36-pre3
1.0.36-pre2
1.0.35
1.0.35-pre3
1.0.35-pre2
1.0.35-pre
1.0.34-pre3
1.0.34-pre2
1.0.34-pre1
1.0.33
1.0.33-pre2
1.0.33-pre
1.0.32
1.0.31
1.0.30
1.0.29
1.0.28
1.0.27
1.0.26
1.0.25
1.0.24
1.0.23
1.0.22
1.0.21
1.0.20
1.0.19
1.0.18
1.0.17
1.0.16
1.0.15
1.0.14
1.0.13
1.0.11
1.0.10
1.0.9
1.0.8
1.0.7
1.0.6
1.0.5
1.0.4
1.0.3
1.0.2
1.0.1
1.0.0
Labels
Clear labels   
1week

   
2weeks

   
Failed compliance check

   
IP cameras

   
NATS
NATS JetStream

  
Possible security concern

   
Review effort 1/5

   
Review effort 2/5

   
Review effort 3/5

   
Review effort 4/5

   
Review effort 5/5

   
UI

   
aardvark

   
accessibility

   
amd64

   
api

   
arm64

   
auth

   
back-end

   
bgp

   
blog

   
bug
Something isn't working

  
build

   
checkers

   
ci-cd
continuous integration-continuous deployments

  
cleanup

   
cnpg
cloud-native postgres

  
codex

   
core
core service

  
dependencies
Pull requests that update a dependency file

  
device-management

   
documentation
Improvements or additions to documentation

  
duplicate
This issue or pull request already exists

  
dusk

   
ebpf

   
enhancement
New feature or request

  
eta 1d

   
eta 1hr

   
eta 3d

   
eta 3hr

   
feature

   
fieldsurvey

   
github_actions
Pull requests that update GitHub Actions code

  
go
Pull requests that update Go code

  
good first issue
Good for newcomers

  
help wanted
Extra attention is needed

  
invalid
This doesn't seem right

  
javascript
Pull requests that update Javascript code

  
k8s

   
log-collector

   
mapper

   
mtr
multi traceroute

  
needs-triage

   
netflow

   
network-sweep

   
observability

   
oracle
Oracle Linux related issues

  
otel
opentelemetry logs, traces, metrics

  
plug-in

   
proton
timeplus proton streaming database

  
python

   
question
Further information is requested

  
reddit

   
redhat

   
research

   
rperf

   
rperf-checker

   
rust
Pull requests that update rust code

  
sdk

   
security

   
serviceradar-agent

   
serviceradar-agent-gateway

   
serviceradar-web

   
serviceradar-web-ng

   
siem

   
snmp

   
sysmon

   
topology

   
ubiquiti

   
wasm

   
wontfix
This will not be worked on

  
zen-engine
No labels
1week
2weeks
Failed compliance check
IP cameras
NATS
Possible security concern
Review effort 1/5
Review effort 2/5
Review effort 3/5
Review effort 4/5
Review effort 5/5
UI
aardvark
accessibility
amd64
api
arm64
auth
back-end
bgp
blog
bug
build
checkers
ci-cd
cleanup
cnpg
codex
core
dependencies
device-management
documentation
duplicate
dusk
ebpf
enhancement
eta 1d
eta 1hr
eta 3d
eta 3hr
feature
fieldsurvey
github_actions
go
good first issue
help wanted
invalid
javascript
k8s
log-collector
mapper
mtr
needs-triage
netflow
network-sweep
observability
oracle
otel
plug-in
proton
python
question
reddit
redhat
research
rperf
rperf-checker
rust
sdk
security
serviceradar-agent
serviceradar-agent-gateway
serviceradar-web
serviceradar-web-ng
siem
snmp
sysmon
topology
ubiquiti
wasm
wontfix
zen-engine
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
carverauto/serviceradar#690
No description provided.