diff --git a/vault/barrier_aes_gcm.go b/vault/barrier_aes_gcm.go
index 4de8921e5..3bc5bc39c 100644
--- a/vault/barrier_aes_gcm.go
+++ b/vault/barrier_aes_gcm.go
@@ -138,7 +138,7 @@ func (b *AESGCMBarrier) persistKeyring(keyring *Keyring) error {
 // Encrypt the barrier init value
 value := b.encrypt(initialKeyTerm, gcm, buf)
- // Create the barrierInitPath
+ // Create the keyring physical entry
 pe := &physical.Entry{
 Key: keyringPath,
 Value: value,
@@ -253,6 +253,11 @@ func (b *AESGCMBarrier) Unseal(key []byte) error {
 return err
 }
+ // Delete the old barrier entry
+ if err := b.backend.Delete(barrierInitPath); err != nil {
+ return fmt.Errorf("failed to delete barrier init file: %v", err)
+ }
+
 // Set the vault as unsealed
 b.keyring = keyring
 b.sealed = false
diff --git a/vault/barrier_aes_gcm_test.go b/vault/barrier_aes_gcm_test.go
index b28318118..070e5449d 100644
--- a/vault/barrier_aes_gcm_test.go
+++ b/vault/barrier_aes_gcm_test.go
@@ -2,6 +2,7 @@ package vault
 import (
 "bytes"
+ "encoding/json"
 "testing"
 "github.com/hashicorp/vault/physical"
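Review bot: In Unseal (vault/barrier_aes_gcm.go), the new `b.backend.Delete(barrierInitPath)` error path returns before `b.keyring` and `b.sealed` are set, so a transient backend failure on the delete leaves the barrier sealed even though the step before it has already succeeded (presumably persisting the new keyring; the body of Unseal starts and ends outside the hunk). If a later Unseal then finds the keyring entry and never reaches this code, the old barrier/init entry, which per the test in this commit holds the encryption key wrapped under the master key, would remain in the backend indefinitely. Consider making the cleanup retryable from the keyring path, or at least documenting the ordering with a comment such as `// Keyring is already persisted; remove the legacy entry so only one wrapped copy of the key remains`.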
@@ -31,6 +32,69 @@ func TestAESGCMBarrier_Basic(t *testing.T) {
 testBarrier(t, b)
 }
+// Test an upgrade from the old (0.1) barrier/init to the new
+// core/keyring style
+func TestAESGCMBarrier_BackwardsCompatible(t *testing.T) {
+ inm := physical.NewInmem()
+ b, err := NewAESGCMBarrier(inm)
+ if err != nil {
+ t.Fatalf("err: %v", err)
+ }
+
+ // Generate a barrier/init entry
+ encrypt, _ := b.GenerateKey()
+ init := &barrierInit{
+ Version: 1,
+ Key: encrypt,
+ }
+ buf, _ := json.Marshal(init)
+
+ // Protect with master key
+ master, _ := b.GenerateKey()
+ gcm, _ := b.aeadFromKey(master)
+ value := b.encrypt(initialKeyTerm, gcm, buf)
+
+ // Write to the physical backend
+ pe := &physical.Entry{
+ Key: barrierInitPath,
+ Value: value,
+ }
+ inm.Put(pe)
+
+ // Should still be initialized
+ isInit, err := b.Initialized()
+ if err != nil {
+ t.Fatalf("err: %v", err)
+ }
+ if !isInit {
+ t.Fatalf("should be initialized")
+ }
+
+ // Unseal should work and migrate online
+ err = b.Unseal(master)
+ if err != nil {
+ t.Fatalf("err: %v", err)
+ }
+
+ // Check for migraiton
+ out, err := inm.Get(barrierInitPath)
+ if err != nil {
+ t.Fatalf("err: %v", err)
+ }
+ if out != nil {
+ t.Fatalf("should delete old barrier init")
+ }
+
+ // Should have keyring
+ out, err = inm.Get(keyringPath)
+ if err != nil {
+ t.Fatalf("err: %v", err)
+ }
+ if out == nil {
+ t.Fatalf("should have keyring file")
+ }
+}
+
 // Verify data sent through is encrypted
 func TestAESGCMBarrier_Confidential(t *testing.T) {
 inm := physical.NewInmem()
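Review bot: TestAESGCMBarrier_BackwardsCompatible only checks that barrierInitPath is gone and keyringPath exists after `b.Unseal(master)`; it never verifies that the migrated keyring carries the original `encrypt` key, so a migration that wrote a keyring with a different key would still pass while leaving existing data unreadable. A stronger check would seal the barrier, unseal it again with `master`, and read back a value that was encrypted under `encrypt` before the upgrade. The setup also discards errors (`encrypt, _ := b.GenerateKey()`, `gcm, _ := b.aeadFromKey(master)`, and the unchecked `inm.Put(pe)`), which turns a setup failure into a misleading assertion failure further down; `if err := inm.Put(pe); err != nil { t.Fatalf("err: %v", err) }` and the same pattern for the other calls would close that gap.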