Clear the Barrier AEAD cache on keyring reload (#6870)

* Clear the barrier's AEAD cache on keyring reload * Update barrier_aes_gcm_test.go
2019-06-12 08:56:16 -07:00 · 2019-06-12 08:56:16 -07:00 · 934b497101
parent 342c1b57e3
commit 934b497101
2 changed files with 80 additions and 0 deletions
--- a/vault/barrier_aes_gcm.go
+++ b/vault/barrier_aes_gcm.go
@ -287,6 +287,7 @@ func (b *AESGCMBarrier) ReloadKeyring(ctx context.Context) error {
 	}

 	// Setup the keyring and finish
+	b.cache = make(map[uint32]cipher.AEAD)
 	b.keyring = keyring
 	return nil
 }
--- a/vault/barrier_aes_gcm_test.go
+++ b/vault/barrier_aes_gcm_test.go
@ -516,3 +516,82 @@ func TestEncrypt_BarrierEncryptor(t *testing.T) {
 		t.Fatalf("bad: %s", plain)
 	}
 }
+
+func TestAESGCMBarrier_ReloadKeyring(t *testing.T) {
+	inm, err := inmem.NewInmem(nil, logger)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	b, err := NewAESGCMBarrier(inm)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Initialize and unseal
+	key, _ := b.GenerateKey()
+	b.Initialize(context.Background(), key)
+	b.Unseal(context.Background(), key)
+
+	keyringRaw, err := inm.Get(context.Background(), keyringPath)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Encrypt something to test cache invalidation
+	_, err = b.Encrypt(context.Background(), "foo", []byte("quick brown fox"))
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	{
+		// Create a second barrier and rotate the keyring
+		b2, err := NewAESGCMBarrier(inm)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		b2.Unseal(context.Background(), key)
+		_, err = b2.Rotate(context.Background())
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+	}
+
+	// Reload the keyring on the first
+	err = b.ReloadKeyring(context.Background())
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	if b.keyring.ActiveTerm() != 2 {
+		t.Fatal("failed to reload keyring")
+	}
+	if len(b.cache) != 0 {
+		t.Fatal("failed to clear cache")
+	}
+
+	// Encrypt something to test cache invalidation
+	_, err = b.Encrypt(context.Background(), "foo", []byte("quick brown fox"))
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Restore old keyring to test rolling back
+	err = inm.Put(context.Background(), keyringRaw)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Reload the keyring on the first
+	err = b.ReloadKeyring(context.Background())
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	if b.keyring.ActiveTerm() != 1 {
+		t.Fatal("failed to reload keyring")
+	}
+	if len(b.cache) != 0 {
+		t.Fatal("failed to clear cache")
+	}
+
+}