diff --git a/command/seal_migration_test.go b/command/seal_migration_test.go index 6383630f3..67c3d46e4 100644 --- a/command/seal_migration_test.go +++ b/command/seal_migration_test.go @@ -41,6 +41,7 @@ func TestSealMigration(t *testing.T) { NumCores: 1, } + ctx := context.Background() var keys []string var rootToken string @@ -111,7 +112,7 @@ func TestSealMigration(t *testing.T) { newSeal := vault.NewAutoSeal(seal.NewTestSeal(logger)) newSeal.SetCore(core) autoSeal = newSeal - if err := adjustCoreForSealMigration(context.Background(), core, coreConfig, newSeal, &server.Config{ + if err := adjustCoreForSealMigration(ctx, core, coreConfig, newSeal, &server.Config{ Seal: &server.Seal{ Type: "test-auto", }, @@ -159,7 +160,7 @@ func TestSealMigration(t *testing.T) { client := cluster.Cores[0].Client client.SetToken(rootToken) - if err := core.UnsealWithStoredKeys(context.Background()); err != nil { + if err := core.UnsealWithStoredKeys(ctx); err != nil { t.Fatal(err) } resp, err := client.Sys().SealStatus() @@ -186,7 +187,7 @@ func TestSealMigration(t *testing.T) { t.Fatal(err) } sealAccess := core.SealAccess() - if err := sealAccess.VerifyRecoveryKey(context.Background(), recoveredKey); err != nil { + if err := sealAccess.VerifyRecoveryKey(ctx, recoveredKey); err != nil { t.Fatal(err) } @@ -194,6 +195,11 @@ func TestSealMigration(t *testing.T) { cluster.Cores = nil } + // We should see stored barrier keys; after the next stanza, we shouldn't + if entry, err := phys.Get(ctx, vault.StoredBarrierKeysPath); err != nil || entry == nil { + t.Fatalf("expected nil error and non-nil entry, got error %#v and entry %#v", err, entry) + } + // Fifth: create an autoseal and activate migration. Verify it doesn't work // if disabled isn't set. { @@ -210,11 +216,11 @@ func TestSealMigration(t *testing.T) { }, } - if err := adjustCoreForSealMigration(context.Background(), core, coreConfig, shamirSeal, serverConf); err == nil { + if err := adjustCoreForSealMigration(ctx, core, coreConfig, shamirSeal, serverConf); err == nil { t.Fatal("expected error since disabled isn't set true") } serverConf.Seal.Disabled = true - if err := adjustCoreForSealMigration(context.Background(), core, coreConfig, shamirSeal, serverConf); err != nil { + if err := adjustCoreForSealMigration(ctx, core, coreConfig, shamirSeal, serverConf); err != nil { t.Fatal(err) } @@ -247,6 +253,10 @@ func TestSealMigration(t *testing.T) { cluster.Cores = nil } + if entry, err := phys.Get(ctx, vault.StoredBarrierKeysPath); err != nil || entry != nil { + t.Fatalf("expected nil error and nil entry, got error %#v and entry %#v", err, entry) + } + // Sixth: verify autoseal is off and the expected key shares work { coreConfig.Seal = shamirSeal @@ -258,7 +268,7 @@ func TestSealMigration(t *testing.T) { client := cluster.Cores[0].Client client.SetToken(rootToken) - if err := core.UnsealWithStoredKeys(context.Background()); err != nil { + if err := core.UnsealWithStoredKeys(ctx); err != nil { t.Fatal(err) } resp, err := client.Sys().SealStatus() diff --git a/vault/core.go b/vault/core.go index ed27f54df..034ef3a4a 100644 --- a/vault/core.go +++ b/vault/core.go @@ -953,6 +953,11 @@ func (c *Core) unsealPart(ctx context.Context, seal Seal, key []byte, useRecover return nil, errwrap.Wrapf("error rekeying barrier during migration: {{err}}", err) } + if err := c.barrier.Delete(ctx, StoredBarrierKeysPath); err != nil { + // Don't actually exit here as successful deletion isn't critical + c.logger.Error("error deleting stored barrier keys after migration; continuing anyways", "error", err) + } + masterKey = recoveryKey } diff --git a/vault/seal.go b/vault/seal.go index b80288814..08249a0aa 100644 --- a/vault/seal.go +++ b/vault/seal.go @@ -38,8 +38,8 @@ const ( // recoveryKeyPath is the path to the recovery key recoveryKeyPath = "core/recovery-key" - // storedBarrierKeysPath is the path used for storing HSM-encrypted unseal keys - storedBarrierKeysPath = "core/hsm/barrier-unseal-keys" + // StoredBarrierKeysPath is the path used for storing HSM-encrypted unseal keys + StoredBarrierKeysPath = "core/hsm/barrier-unseal-keys" // hsmStoredIVPath is the path to the initialization vector for stored keys hsmStoredIVPath = "core/hsm/iv" diff --git a/vault/seal_autoseal.go b/vault/seal_autoseal.go index 653f36796..1a46d2633 100644 --- a/vault/seal_autoseal.go +++ b/vault/seal_autoseal.go @@ -99,7 +99,7 @@ func (d *autoSeal) SetStoredKeys(ctx context.Context, keys [][]byte) error { // Store the seal configuration. pe := &physical.Entry{ - Key: storedBarrierKeysPath, + Key: StoredBarrierKeysPath, Value: value, } @@ -113,7 +113,7 @@ func (d *autoSeal) SetStoredKeys(ctx context.Context, keys [][]byte) error { // GetStoredKeys retrieves the key shares by unwrapping the encrypted key using the // autoseal. func (d *autoSeal) GetStoredKeys(ctx context.Context) ([][]byte, error) { - pe, err := d.core.physical.Get(ctx, storedBarrierKeysPath) + pe, err := d.core.physical.Get(ctx, StoredBarrierKeysPath) if err != nil { return nil, errwrap.Wrapf("failed to fetch stored keys: {{err}}", err) }