package command
import (
"context"
"fmt"
"github.com/hashicorp/vault/command/server"
"github.com/hashicorp/vault/vault"
vaultseal "github.com/hashicorp/vault/vault/seal"
"github.com/pkg/errors"
)
// onEnterprise gates the autoseal→Shamir migration path in
// adjustCoreForSealMigration. It defaults to the zero value (false) here;
// presumably an enterprise-only build sets it elsewhere — not visible in
// this file.
var onEnterprise bool
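// adjustCoreForSealMigration compares the seal configuration persisted in
// storage with the seal the server was started with and, when they differ,
// registers the existing and new seals on core so it can migrate between them.
//
// The direction is decided from the stored barrier seal type:
//   - stored Shamir, configured autoseal: the Shamir seal is the "existing"
//     seal and the configured seal the "new" one; the stored Shamir config
//     becomes the new seal's recovery config.
//   - stored autoseal, configured Shamir: only allowed when the "seal" block
//     of the configuration sets disabled = true, and not when onEnterprise is
//     set; the stored recovery config becomes the new Shamir barrier config.
//
// It returns nil without registering anything when no seal config is stored
// yet, when the stored type is the deprecated HSM type, when the stored seal
// already matches the configured one and "disabled" is not set, or when the
// stored seal is Shamir and "disabled" is set (a warning is logged instead).
// It returns an error when the stored configuration cannot be read, when an
// autoseal→Shamir migration was requested without disabled = true, when the
// recovery configuration an autoseal requires is missing, or when onEnterprise
// is set for an autoseal→Shamir migration.
//
// NOTE(review): config and coreConfig.Logger are dereferenced without nil
// checks — callers are assumed to pass non-nil values; confirm at call sites.
func adjustCoreForSealMigration(ctx context.Context, core *vault.Core, coreConfig *vault.CoreConfig, seal vault.Seal, config *server.Config) error {
	// Honour the caller's context so cancellation and deadlines reach the
	// storage read instead of being silently ignored.
	existBarrierSealConfig, existRecoverySealConfig, err := core.PhysicalSealConfigs(ctx)
	if err != nil {
		return fmt.Errorf("Error checking for existing seal: %s", err)
	}

	// Nothing stored yet, or a deprecated HSM type: leave core untouched.
	if existBarrierSealConfig == nil || existBarrierSealConfig.Type == vaultseal.HSMAutoDeprecated {
		return nil
	}

	sealDisabled := config.Seal != nil && config.Seal.Disabled
	sealTypeChanged := existBarrierSealConfig.Type != seal.BarrierType()

	// Stored seal matches the configured one and nobody asked to disable it:
	// there is no migration to perform.
	if !sealTypeChanged && !sealDisabled {
		return nil
	}

	// If the existing seal is not Shamir, we're going to Shamir, which
	// means we require them setting "disabled" to true in their
	// configuration as a sanity check.
	if !sealDisabled && existBarrierSealConfig.Type != vaultseal.Shamir {
		return errors.New(`Seal migration requires specifying "disabled" as "true" in the "seal" block of Vault's configuration file`)
	}

	// Conversely, if they are going from Shamir to auto, we want to
	// ensure disabled is *not* set.
	if existBarrierSealConfig.Type == vaultseal.Shamir && sealDisabled {
		coreConfig.Logger.Warn(`when not migrating, Vault's config should not specify "disabled" as "true" in the "seal" block of Vault's configuration file`)
		return nil
	}

	// An autoseal always carries a recovery config; without it there is
	// nothing to seed the new Shamir barrier config from.
	if existBarrierSealConfig.Type != vaultseal.Shamir && existRecoverySealConfig == nil {
		return errors.New(`Recovery seal configuration not found for existing seal`)
	}

	var existSeal, newSeal vault.Seal
	switch existBarrierSealConfig.Type {
	case vaultseal.Shamir:
		// Shamir → autoseal: the seal reflected in config is what we're
		// going to. The new barrier config uses a single stored share; the
		// old Shamir config is kept as the recovery config.
		existSeal = vault.NewDefaultSeal()
		existSeal.SetCore(core)
		newSeal = seal
		newSeal.SetCachedBarrierConfig(&vault.SealConfig{
			Type:            newSeal.BarrierType(),
			SecretShares:    1,
			SecretThreshold: 1,
			StoredShares:    1,
		})
		newSeal.SetCachedRecoveryConfig(existBarrierSealConfig)

	default:
		if onEnterprise {
			return errors.New("Migrating from autoseal to Shamir seal is not supported on Vault Enterprise")
		}
		// Autoseal → Shamir: the (disabled) seal reflected in config is what
		// we're going from; the stored recovery config becomes the Shamir
		// barrier config.
		existSeal = coreConfig.Seal
		newSeal = vault.NewDefaultSeal()
		newSeal.SetCore(core)
		newSeal.SetCachedBarrierConfig(existRecoverySealConfig)
	}

	core.SetSealsForMigration(existSeal, newSeal)
	return nil
}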