Clean up stored barrier keys after migration to shamir (#5671)

Jeff Mitchell 2018-11-05 14:06:39 -05:00 committed by Chris Hoffman
parent 08a2250647
commit 41649c1511
4 changed files with 25 additions and 10 deletions


@ -41,6 +41,7 @@ func TestSealMigration(t *testing.T) {
NumCores: 1,
}
ctx := context.Background()
var keys []string
var rootToken string
@ -111,7 +112,7 @@ func TestSealMigration(t *testing.T) {
newSeal := vault.NewAutoSeal(seal.NewTestSeal(logger))
newSeal.SetCore(core)
autoSeal = newSeal
if err := adjustCoreForSealMigration(context.Background(), core, coreConfig, newSeal, &server.Config{
if err := adjustCoreForSealMigration(ctx, core, coreConfig, newSeal, &server.Config{
Seal: &server.Seal{
Type: "test-auto",
},
@ -159,7 +160,7 @@ func TestSealMigration(t *testing.T) {
client := cluster.Cores[0].Client
client.SetToken(rootToken)
if err := core.UnsealWithStoredKeys(context.Background()); err != nil {
if err := core.UnsealWithStoredKeys(ctx); err != nil {
t.Fatal(err)
}
resp, err := client.Sys().SealStatus()
@ -186,7 +187,7 @@ func TestSealMigration(t *testing.T) {
t.Fatal(err)
}
sealAccess := core.SealAccess()
if err := sealAccess.VerifyRecoveryKey(context.Background(), recoveredKey); err != nil {
if err := sealAccess.VerifyRecoveryKey(ctx, recoveredKey); err != nil {
t.Fatal(err)
}
@ -194,6 +195,11 @@ func TestSealMigration(t *testing.T) {
cluster.Cores = nil
}
// We should see stored barrier keys; after the next stanza, we shouldn't
if entry, err := phys.Get(ctx, vault.StoredBarrierKeysPath); err != nil || entry == nil {
t.Fatalf("expected nil error and non-nil entry, got error %#v and entry %#v", err, entry)
}
// Fifth: create an autoseal and activate migration. Verify it doesn't work
// if disabled isn't set.
{
@ -210,11 +216,11 @@ func TestSealMigration(t *testing.T) {
},
}
if err := adjustCoreForSealMigration(context.Background(), core, coreConfig, shamirSeal, serverConf); err == nil {
if err := adjustCoreForSealMigration(ctx, core, coreConfig, shamirSeal, serverConf); err == nil {
t.Fatal("expected error since disabled isn't set true")
}
serverConf.Seal.Disabled = true
if err := adjustCoreForSealMigration(context.Background(), core, coreConfig, shamirSeal, serverConf); err != nil {
if err := adjustCoreForSealMigration(ctx, core, coreConfig, shamirSeal, serverConf); err != nil {
t.Fatal(err)
}
@ -247,6 +253,10 @@ func TestSealMigration(t *testing.T) {
cluster.Cores = nil
}
if entry, err := phys.Get(ctx, vault.StoredBarrierKeysPath); err != nil || entry != nil {
t.Fatalf("expected nil error and nil entry, got error %#v and entry %#v", err, entry)
}
// Sixth: verify autoseal is off and the expected key shares work
{
coreConfig.Seal = shamirSeal
@ -258,7 +268,7 @@ func TestSealMigration(t *testing.T) {
client := cluster.Cores[0].Client
client.SetToken(rootToken)
if err := core.UnsealWithStoredKeys(context.Background()); err != nil {
if err := core.UnsealWithStoredKeys(ctx); err != nil {
t.Fatal(err)
}
resp, err := client.Sys().SealStatus()
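Review bot: The added `phys.Get(ctx, vault.StoredBarrierKeysPath)` check that expects a nil entry formats the whole entry with `%#v` on failure, and a failure there means the entry is still present, so the stored HSM-encrypted key blob is written to the test log. Reporting only presence is enough, e.g. `t.Fatalf("expected nil error and nil entry, got error %v, entry present: %t", err, entry != nil)`. The first check uses the same format string and could be changed the same way for consistency. These checks cover only the successful delete; as far as this page shows, the log-and-continue branch added in unsealPart has no test. TestSealMigration starts and ends outside these hunks.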


@ -953,6 +953,11 @@ func (c *Core) unsealPart(ctx context.Context, seal Seal, key []byte, useRecover
return nil, errwrap.Wrapf("error rekeying barrier during migration: {{err}}", err)
}
if err := c.barrier.Delete(ctx, StoredBarrierKeysPath); err != nil {
// Don't actually exit here as successful deletion isn't critical
c.logger.Error("error deleting stored barrier keys after migration; continuing anyways", "error", err)
}
masterKey = recoveryKey
}
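Review bot: When `c.barrier.Delete(ctx, StoredBarrierKeysPath)` fails, the HSM-encrypted unseal keys stay in storage, and nothing visible in this hunk retries the cleanup or records that it is pending, so the only trace is one log line. I would state that residual state in the comment, e.g. `// On failure the HSM-encrypted unseal keys remain at StoredBarrierKeysPath; nothing here retries the delete.`, and add `"path", StoredBarrierKeysPath` to the log fields so an operator can act on the message. The autoseal code in this commit reads the same entry through `d.core.physical.Get`, while the delete goes through `c.barrier`; that is presumably equivalent for this key, but using one accessor for both would make it obvious. unsealPart starts and ends outside the hunk.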


@ -38,8 +38,8 @@ const (
// recoveryKeyPath is the path to the recovery key
recoveryKeyPath = "core/recovery-key"
// storedBarrierKeysPath is the path used for storing HSM-encrypted unseal keys
storedBarrierKeysPath = "core/hsm/barrier-unseal-keys"
// StoredBarrierKeysPath is the path used for storing HSM-encrypted unseal keys
StoredBarrierKeysPath = "core/hsm/barrier-unseal-keys"
// hsmStoredIVPath is the path to the initialization vector for stored keys
hsmStoredIVPath = "core/hsm/iv"


@ -99,7 +99,7 @@ func (d *autoSeal) SetStoredKeys(ctx context.Context, keys [][]byte) error {
// Store the seal configuration.
pe := &physical.Entry{
Key: storedBarrierKeysPath,
Key: StoredBarrierKeysPath,
Value: value,
}
@ -113,7 +113,7 @@ func (d *autoSeal) SetStoredKeys(ctx context.Context, keys [][]byte) error {
// GetStoredKeys retrieves the key shares by unwrapping the encrypted key using the
// autoseal.
func (d *autoSeal) GetStoredKeys(ctx context.Context) ([][]byte, error) {
pe, err := d.core.physical.Get(ctx, storedBarrierKeysPath)
pe, err := d.core.physical.Get(ctx, StoredBarrierKeysPath)
if err != nil {
return nil, errwrap.Wrapf("failed to fetch stored keys: {{err}}", err)
}