vault: Support a pre-seal teardown

vault/core.go

@@ -386,7 +386,7 @@ func (c *Core) Unseal(key []byte) (bool, error) {
 	return true, nil
 }
 
-// Seal is used to re-seal the Vault. This requires the Vaultto
+// Seal is used to re-seal the Vault. This requires the Vault to
 // be unsealed again to perform any further operations.
 func (c *Core) Seal() error {
 	c.stateLock.Lock()
@@ -394,8 +394,15 @@ func (c *Core) Seal() error {
 	if c.sealed {
 		return nil
 	}
-	c.logger.Printf("[INFO] core: vault is being sealed")
 	c.sealed = true
+
+	// Do pre-seal teardown
+	if err := c.preSeal(); err != nil {
+		c.logger.Printf("[ERR] core: pre-seal teardown failed: %v", err)
+		return fmt.Errorf("internal error")
+	}
+
+	c.logger.Printf("[INFO] core: vault is being sealed")
 	return c.barrier.Seal()
 }
 
@@ -415,3 +422,12 @@ func (c *Core) postUnseal() error {
 	}
 	return nil
 }
+
+// preSeal is invoked before the barrier is sealed, allowing
+// for any state teardown required.
+func (c *Core) preSeal() error {
+	if err := c.unloadMounts(); err != nil {
+		return err
+	}
+	return nil
+}

vault/core_test.go

@@ -332,3 +332,14 @@ func TestCore_Route_Sealed(t *testing.T) {
 		t.Fatalf("err: %v", err)
 	}
 }
+
+// Attempt to unseal after doing a first seal
+func TestCore_SealUnseal(t *testing.T) {
+	c, key := testUnsealedCore(t)
+	if err := c.Seal(); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if unseal, err := c.Unseal(key); err != nil || !unseal {
+		t.Fatalf("err: %v", err)
+	}
+}

vault/mount.go

@@ -151,6 +151,15 @@ func (c *Core) setupMounts() error {
 	return nil
 }
 
+// unloadMounts is used before we seal the vault to reset the mounts to
+// their unloaded state. This is reversed by load and setup mounts.
+func (c *Core) unloadMounts() error {
+	c.mounts = nil
+	c.router = NewRouter()
+	c.systemView = nil
+	return nil
+}
+
 // mountEntry is used to create a new mount entry
 func (c *Core) mountEntry(me *MountEntry) error {
 	c.mountsLock.Lock()