Skip to content

Commit

Permalink
Revert "backport of commit e7e16fd (#28554)"
Browse files Browse the repository at this point in the history
This reverts commit c77aa48.
  • Loading branch information
victorr committed Oct 2, 2024
1 parent 4d955a4 commit 9b6ed02
Showing 1 changed file with 26 additions and 32 deletions.
58 changes: 26 additions & 32 deletions vault/init.go
Original file line number Diff line number Diff line change
Expand Up @@ -319,6 +319,32 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes
SecretShares: [][]byte{},
}

// If we are storing shares, pop them out of the returned results and push
// them through the seal
switch c.seal.StoredKeysSupported() {
case seal.StoredKeysSupportedShamirRoot:
keysToStore := [][]byte{barrierKey}
if err := c.seal.GetAccess().SetShamirSealKey(sealKey); err != nil {
c.logger.Error("failed to set seal key", "error", err)
return nil, fmt.Errorf("failed to set seal key: %w", err)
}
if err := c.seal.SetStoredKeys(ctx, keysToStore); err != nil {
c.logger.Error("failed to store keys", "error", err)
return nil, fmt.Errorf("failed to store keys: %w", err)
}
results.SecretShares = sealKeyShares
case seal.StoredKeysSupportedGeneric:
keysToStore := [][]byte{barrierKey}
if err := c.seal.SetStoredKeys(ctx, keysToStore); err != nil {
c.logger.Error("failed to store keys", "error", err)
return nil, fmt.Errorf("failed to store keys: %w", err)
}
default:
// We don't support initializing an old-style Shamir seal anymore, so
// this case is only reachable by tests.
results.SecretShares = barrierKeyShares
}

// Perform initial setup
if err := c.setupCluster(ctx); err != nil {
c.logger.Error("cluster setup failed during init", "error", err)
Expand All @@ -330,12 +356,6 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes
initPTCleanup()
}

// Save in a variable whether stored keys are supported before calling postUnsea(), as postUnseal()
// clears the barrier config. For a defaultSeal with a "legacy seal" (i.e. barrier config has StoredShares == 0),
// this will cause StoredKeysSupported() to go from StoredKeysNotSupported to StoredKeysSupportedShamirRoot.
// This would be a problem below when we determine whether to call SetStoredKeys.
storedKeysSupported := c.seal.StoredKeysSupported()

activeCtx, ctxCancel := context.WithCancel(namespace.RootContext(nil))
if err := c.postUnseal(activeCtx, ctxCancel, standardUnsealStrategy{}); err != nil {
c.logger.Error("post-unseal setup failed during init", "error", err)
Expand Down Expand Up @@ -393,32 +413,6 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes
}
}

// If we are storing shares, pop them out of the returned results and push
// them through the seal
switch storedKeysSupported {
case seal.StoredKeysSupportedShamirRoot:
keysToStore := [][]byte{barrierKey}
if err := c.seal.GetAccess().SetShamirSealKey(sealKey); err != nil {
c.logger.Error("failed to set seal key", "error", err)
return nil, fmt.Errorf("failed to set seal key: %w", err)
}
if err := c.seal.SetStoredKeys(ctx, keysToStore); err != nil {
c.logger.Error("failed to store keys", "error", err)
return nil, fmt.Errorf("failed to store keys: %w", err)
}
results.SecretShares = sealKeyShares
case seal.StoredKeysSupportedGeneric:
keysToStore := [][]byte{barrierKey}
if err := c.seal.SetStoredKeys(ctx, keysToStore); err != nil {
c.logger.Error("failed to store keys", "error", err)
return nil, fmt.Errorf("failed to store keys: %w", err)
}
default:
// We don't support initializing an old-style Shamir seal anymore, so
// this case is only reachable by tests.
results.SecretShares = barrierKeyShares
}

// Prepare to re-seal
if err := c.preSeal(); err != nil {
c.logger.Error("pre-seal teardown failed", "error", err)
Expand Down

0 comments on commit 9b6ed02

Please sign in to comment.