Skip to content

Commit

Permalink
backport of commit e7e16fd
Browse files Browse the repository at this point in the history
  • Loading branch information
victorr authored Oct 1, 2024
1 parent 7d87f6e commit 0c917a3
Showing 1 changed file with 32 additions and 26 deletions.
58 changes: 32 additions & 26 deletions vault/init.go
Original file line number Diff line number Diff line change
Expand Up @@ -319,32 +319,6 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes
SecretShares: [][]byte{},
}

// If we are storing shares, pop them out of the returned results and push
// them through the seal
switch c.seal.StoredKeysSupported() {
case seal.StoredKeysSupportedShamirRoot:
keysToStore := [][]byte{barrierKey}
if err := c.seal.GetAccess().SetShamirSealKey(sealKey); err != nil {
c.logger.Error("failed to set seal key", "error", err)
return nil, fmt.Errorf("failed to set seal key: %w", err)
}
if err := c.seal.SetStoredKeys(ctx, keysToStore); err != nil {
c.logger.Error("failed to store keys", "error", err)
return nil, fmt.Errorf("failed to store keys: %w", err)
}
results.SecretShares = sealKeyShares
case seal.StoredKeysSupportedGeneric:
keysToStore := [][]byte{barrierKey}
if err := c.seal.SetStoredKeys(ctx, keysToStore); err != nil {
c.logger.Error("failed to store keys", "error", err)
return nil, fmt.Errorf("failed to store keys: %w", err)
}
default:
// We don't support initializing an old-style Shamir seal anymore, so
// this case is only reachable by tests.
results.SecretShares = barrierKeyShares
}

// Perform initial setup
if err := c.setupCluster(ctx); err != nil {
c.logger.Error("cluster setup failed during init", "error", err)
Expand All @@ -356,6 +330,12 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes
initPTCleanup()
}

// Save in a variable whether stored keys are supported before calling postUnsea(), as postUnseal()
// clears the barrier config. For a defaultSeal with a "legacy seal" (i.e. barrier config has StoredShares == 0),
// this will cause StoredKeysSupported() to go from StoredKeysNotSupported to StoredKeysSupportedShamirRoot.
// This would be a problem below when we determine whether to call SetStoredKeys.
storedKeysSupported := c.seal.StoredKeysSupported()

activeCtx, ctxCancel := context.WithCancel(namespace.RootContext(nil))
if err := c.postUnseal(activeCtx, ctxCancel, standardUnsealStrategy{}); err != nil {
c.logger.Error("post-unseal setup failed during init", "error", err)
Expand Down Expand Up @@ -413,6 +393,32 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes
}
}

// If we are storing shares, pop them out of the returned results and push
// them through the seal
switch storedKeysSupported {
case seal.StoredKeysSupportedShamirRoot:
keysToStore := [][]byte{barrierKey}
if err := c.seal.GetAccess().SetShamirSealKey(sealKey); err != nil {
c.logger.Error("failed to set seal key", "error", err)
return nil, fmt.Errorf("failed to set seal key: %w", err)
}
if err := c.seal.SetStoredKeys(ctx, keysToStore); err != nil {
c.logger.Error("failed to store keys", "error", err)
return nil, fmt.Errorf("failed to store keys: %w", err)
}
results.SecretShares = sealKeyShares
case seal.StoredKeysSupportedGeneric:
keysToStore := [][]byte{barrierKey}
if err := c.seal.SetStoredKeys(ctx, keysToStore); err != nil {
c.logger.Error("failed to store keys", "error", err)
return nil, fmt.Errorf("failed to store keys: %w", err)
}
default:
// We don't support initializing an old-style Shamir seal anymore, so
// this case is only reachable by tests.
results.SecretShares = barrierKeyShares
}

// Prepare to re-seal
if err := c.preSeal(); err != nil {
c.logger.Error("pre-seal teardown failed", "error", err)
Expand Down

0 comments on commit 0c917a3

Please sign in to comment.