From 79088f5de06804f2e64335a58ea52741a6837d5e Mon Sep 17 00:00:00 2001
From: Ben Hoyt <ben.hoyt@canonical.com>
Date: Tue, 18 Jun 2024 16:01:14 +1200
Subject: [PATCH] allow local identity with user-id: 0

---
 internals/overlord/state/identities.go | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/internals/overlord/state/identities.go b/internals/overlord/state/identities.go
index 5a44b01d0..c6eac2d2e 100644
--- a/internals/overlord/state/identities.go
+++ b/internals/overlord/state/identities.go
@@ -64,14 +64,10 @@ func (d *Identity) validate() error {
 
 	switch {
 	case d.Local != nil:
-		if d.Local.UserID == 0 {
-			return errors.New("local identity must have nonzero user ID")
-		}
+		return nil
 	default:
 		return errors.New(`identity must have at least one type ("local")`)
 	}
-
-	return nil
 }
 
 // apiIdentity exists so the default JSON marshalling of an Identity (used
@@ -83,14 +79,14 @@ type apiIdentity struct {
 }
 
 type apiLocalIdentity struct {
-	UserID uint32 `json:"user-id"`
+	UserID *uint32 `json:"user-id"`
 }
 
 // IMPORTANT NOTE: be sure to exclude secrets when adding to this!
 func (d *Identity) MarshalJSON() ([]byte, error) {
 	ai := apiIdentity{
 		Access: string(d.Access),
-		Local:  &apiLocalIdentity{UserID: d.Local.UserID},
+		Local:  &apiLocalIdentity{UserID: &d.Local.UserID},
 	}
 	return json.Marshal(ai)
 }
@@ -104,7 +100,10 @@ func (d *Identity) UnmarshalJSON(data []byte) error {
 	d.Access = IdentityAccess(ai.Access)
 	switch {
 	case ai.Local != nil:
-		d.Local = &LocalIdentity{UserID: ai.Local.UserID}
+		if ai.Local.UserID == nil {
+			return errors.New("local identity must specify user-id")
+		}
+		d.Local = &LocalIdentity{UserID: *ai.Local.UserID}
 	default:
 		return errors.New(`identity must have at least one type ("local")`)
 	}