Fix panic and update some text
This commit is contained in:
parent
8b065344f8
commit
c53717ba1c
|
@ -682,7 +682,11 @@ func (c *OperatorRekeyCommand) printStatus(in interface{}) int {
|
||||||
out = append(out, fmt.Sprintf("Nonce | %s", status.Nonce))
|
out = append(out, fmt.Sprintf("Nonce | %s", status.Nonce))
|
||||||
out = append(out, fmt.Sprintf("Started | %t", status.Started))
|
out = append(out, fmt.Sprintf("Started | %t", status.Started))
|
||||||
if status.Started {
|
if status.Started {
|
||||||
|
if status.Progress == status.Required {
|
||||||
|
out = append(out, fmt.Sprintf("Rekey Progress | %d/%d (verification in progress)", status.Progress, status.Required))
|
||||||
|
} else {
|
||||||
out = append(out, fmt.Sprintf("Rekey Progress | %d/%d", status.Progress, status.Required))
|
out = append(out, fmt.Sprintf("Rekey Progress | %d/%d", status.Progress, status.Required))
|
||||||
|
}
|
||||||
out = append(out, fmt.Sprintf("New Shares | %d", status.N))
|
out = append(out, fmt.Sprintf("New Shares | %d", status.N))
|
||||||
out = append(out, fmt.Sprintf("New Threshold | %d", status.T))
|
out = append(out, fmt.Sprintf("New Threshold | %d", status.T))
|
||||||
out = append(out, fmt.Sprintf("Verification Required | %t", status.VerificationRequired))
|
out = append(out, fmt.Sprintf("Verification Required | %t", status.VerificationRequired))
|
||||||
|
|
|
@ -117,20 +117,6 @@ func handleSysRekeyInitPut(ctx context.Context, core *vault.Core, recovery bool,
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// If the seal supports stored keys, and we are rekeying the barrier key,
|
|
||||||
// force the shares to 1
|
|
||||||
if !recovery && core.SealAccess().StoredKeysSupported() {
|
|
||||||
req.SecretShares = 1
|
|
||||||
req.SecretThreshold = 1
|
|
||||||
req.StoredShares = 1
|
|
||||||
core.Logger().Warn("rekey: stored keys supported, forcing shares/threshold to 1")
|
|
||||||
} else {
|
|
||||||
if req.StoredShares != 0 {
|
|
||||||
respondError(w, http.StatusBadRequest, fmt.Errorf("stored keys are not supported by the current seal type"))
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(req.PGPKeys) > 0 && len(req.PGPKeys) != req.SecretShares {
|
if len(req.PGPKeys) > 0 && len(req.PGPKeys) != req.SecretShares {
|
||||||
respondError(w, http.StatusBadRequest, fmt.Errorf("incorrect number of PGP keys for rekey"))
|
respondError(w, http.StatusBadRequest, fmt.Errorf("incorrect number of PGP keys for rekey"))
|
||||||
return
|
return
|
||||||
|
|
|
@ -162,6 +162,13 @@ func (c *Core) RekeyInit(config *SealConfig, recovery bool) logical.HTTPCodedErr
|
||||||
|
|
||||||
// BarrierRekeyInit is used to initialize the rekey settings for the barrier key
|
// BarrierRekeyInit is used to initialize the rekey settings for the barrier key
|
||||||
func (c *Core) BarrierRekeyInit(config *SealConfig) logical.HTTPCodedError {
|
func (c *Core) BarrierRekeyInit(config *SealConfig) logical.HTTPCodedError {
|
||||||
|
if c.seal.StoredKeysSupported() {
|
||||||
|
c.logger.Warn("stored keys supported, forcing rekey shares/threshold to 1")
|
||||||
|
config.SecretShares = 1
|
||||||
|
config.SecretThreshold = 1
|
||||||
|
config.StoredShares = 1
|
||||||
|
}
|
||||||
|
|
||||||
if config.StoredShares > 0 {
|
if config.StoredShares > 0 {
|
||||||
if !c.seal.StoredKeysSupported() {
|
if !c.seal.StoredKeysSupported() {
|
||||||
return logical.CodedError(http.StatusBadRequest, "storing keys not supported by barrier seal")
|
return logical.CodedError(http.StatusBadRequest, "storing keys not supported by barrier seal")
|
||||||
|
@ -357,13 +364,6 @@ func (c *Core) BarrierRekeyUpdate(ctx context.Context, key []byte, nonce string)
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Schedule the rekey progress for forgetting
|
|
||||||
defer func() {
|
|
||||||
if c.barrierRekeyConfig != nil {
|
|
||||||
c.barrierRekeyConfig.RekeyProgress = nil
|
|
||||||
}
|
|
||||||
}()
|
|
||||||
|
|
||||||
// Recover the master key or recovery key
|
// Recover the master key or recovery key
|
||||||
var recoveredKey []byte
|
var recoveredKey []byte
|
||||||
if existingConfig.SecretThreshold == 1 {
|
if existingConfig.SecretThreshold == 1 {
|
||||||
|
@ -521,6 +521,8 @@ func (c *Core) performBarrierRekey(ctx context.Context, newMasterKey []byte) log
|
||||||
return logical.CodedError(http.StatusInternalServerError, errwrap.Wrapf("failed to save keyring canary: {{err}}", err).Error())
|
return logical.CodedError(http.StatusInternalServerError, errwrap.Wrapf("failed to save keyring canary: {{err}}", err).Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
c.barrierRekeyConfig.RekeyProgress = nil
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -590,13 +592,6 @@ func (c *Core) RecoveryRekeyUpdate(ctx context.Context, key []byte, nonce string
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Schedule the rekey progress for forgetting
|
|
||||||
defer func() {
|
|
||||||
if c.recoveryRekeyConfig != nil {
|
|
||||||
c.recoveryRekeyConfig.RekeyProgress = nil
|
|
||||||
}
|
|
||||||
}()
|
|
||||||
|
|
||||||
// Recover the master key
|
// Recover the master key
|
||||||
var recoveryKey []byte
|
var recoveryKey []byte
|
||||||
if existingConfig.SecretThreshold == 1 {
|
if existingConfig.SecretThreshold == 1 {
|
||||||
|
@ -726,6 +721,8 @@ func (c *Core) performRecoveryRekey(ctx context.Context, newMasterKey []byte) lo
|
||||||
return logical.CodedError(http.StatusInternalServerError, errwrap.Wrapf("failed to save keyring canary: {{err}}", err).Error())
|
return logical.CodedError(http.StatusInternalServerError, errwrap.Wrapf("failed to save keyring canary: {{err}}", err).Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
c.recoveryRekeyConfig.RekeyProgress = nil
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -763,7 +760,7 @@ func (c *Core) RekeyVerify(ctx context.Context, key []byte, nonce string, recove
|
||||||
return nil, logical.CodedError(http.StatusBadRequest, "no rekey in progress")
|
return nil, logical.CodedError(http.StatusBadRequest, "no rekey in progress")
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(c.barrierRekeyConfig.VerificationKey) == 0 {
|
if len(config.VerificationKey) == 0 {
|
||||||
return nil, logical.CodedError(http.StatusBadRequest, "no rekey verification in progress")
|
return nil, logical.CodedError(http.StatusBadRequest, "no rekey verification in progress")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue