Fix handling of minimum operations, and forward rotate/config requests to Primary (#11116)

* Boost max_operations to the greater of that specified or absoluteMinOperations

* Forward rotation config requests to the primary

* Reject rotation configs outside the min/max range

* Minor wording fix

vault/keyring.go

@@ -253,9 +253,12 @@ func (c KeyRotationConfig) Clone() KeyRotationConfig {
 }
 
 func (c *KeyRotationConfig) Sanitize() {
-	if c.MaxOperations == 0 || c.MaxOperations > absoluteOperationMaximum || c.MaxOperations < absoluteOperationMinimum {
+	if c.MaxOperations == 0 || c.MaxOperations > absoluteOperationMaximum {
 		c.MaxOperations = absoluteOperationMaximum
 	}
+	if c.MaxOperations < absoluteOperationMinimum {
+		c.MaxOperations = absoluteOperationMinimum
+	}
 	if c.Interval > 0 && c.Interval < minimumRotationInterval {
 		c.Interval = minimumRotationInterval
 	}

vault/logical_system.go

@@ -2581,6 +2581,16 @@ func (b *SystemBackend) handleKeyRotationConfigUpdate(ctx context.Context, req *
 	if ok {
 		rotConfig.Disabled = !enabled.(bool)
 	}
+
+	// Reject out of range settings
+	if rotConfig.Interval < minimumRotationInterval {
+		return logical.ErrorResponse("interval must be greater or equal to %s", minimumRotationInterval.String()), logical.ErrInvalidRequest
+	}
+
+	if rotConfig.MaxOperations < absoluteOperationMinimum || rotConfig.MaxOperations > absoluteOperationMaximum {
+		return logical.ErrorResponse("max_operations must be in the range [%d,%d]", absoluteOperationMinimum, absoluteOperationMaximum), logical.ErrInvalidRequest
+	}
+
 	// Store the rotation config
 	b.Core.barrier.SetRotationConfig(ctx, rotConfig)
 	if err != nil {

vault/logical_system_paths.go

@@ -618,9 +618,16 @@ func (b *SystemBackend) sealPaths() []*framework.Path {
 					Description: strings.TrimSpace(sysHelp["rotation-interval"][0]),
 				},
 			},
-			Callbacks: map[logical.Operation]framework.OperationFunc{
-				logical.ReadOperation:   b.handleKeyRotationConfigRead,
-				logical.UpdateOperation: b.handleKeyRotationConfigUpdate,
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleKeyRotationConfigRead,
+				},
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback:                    b.handleKeyRotationConfigUpdate,
+					ForwardPerformanceSecondary: true,
+					ForwardPerformanceStandby:   true,
+				},
 			},
 
 			HelpSynopsis:    strings.TrimSpace(sysHelp["rotate-config"][0]),

website/content/api-docs/system/rotate-config.mdx

@@ -14,7 +14,7 @@ The `/sys/rotate` endpoint is used to configure automatic key rotation.
 This endpoint configures the automatic rotation of the backend encryption key.  By
 default, the key is rotated after just under 4 billion encryptions, to satisfy the 
 recommendation of [NIST SP 800-38D](https://csrc.nist.gov/publications/detail/sp/800-38d/final).
-One can configure rotations after fewer encryptions or on a time based schedule.
+One can configure rotations after fewer encryptions or on a time based schedule.  
 
 ## Create or Update the Auto Rotation Configuration
 
@@ -25,10 +25,11 @@ One can configure rotations after fewer encryptions or on a time based schedule.
 ### Parameters
 
 - `max_operations` `(int: 3865470566)` - Specify the limit of encryptions after which
-  the key will be automatically rotated.  The number cannot be higher than
-  the default. Specifing 0 resets max_operations to the default.
+  the key will be automatically rotated.  The number must be between 1,000,000 and the
+  default.
 - `interval` `(string: "") - If set, the age of the active key at which an
-  automatic rotation is triggered.  Specified as a Go duration string (e.g. 4320h)
+  automatic rotation is triggered.  Specified as a Go duration string (e.g.
+  4320h), the value must be at least 24 hours.
 - `enabled` `(bool: true)` - If set to false, automatic rotations will not
   be performed.  Tracking of encryption counts will continue.