Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Revert "backport of commit e7e16fd1756afa5921f402ee9bff0bd58b422023 (#28554)" #28572

Merged
merged 1 commit into from
Oct 2, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 26 additions & 32 deletions vault/init.go
Original file line number Diff line number Diff line change
Expand Up @@ -319,6 +319,32 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes
SecretShares: [][]byte{},
}

// If we are storing shares, pop them out of the returned results and push
// them through the seal
switch c.seal.StoredKeysSupported() {
case seal.StoredKeysSupportedShamirRoot:
keysToStore := [][]byte{barrierKey}
if err := c.seal.GetAccess().SetShamirSealKey(sealKey); err != nil {
c.logger.Error("failed to set seal key", "error", err)
return nil, fmt.Errorf("failed to set seal key: %w", err)
}
if err := c.seal.SetStoredKeys(ctx, keysToStore); err != nil {
c.logger.Error("failed to store keys", "error", err)
return nil, fmt.Errorf("failed to store keys: %w", err)
}
results.SecretShares = sealKeyShares
case seal.StoredKeysSupportedGeneric:
keysToStore := [][]byte{barrierKey}
if err := c.seal.SetStoredKeys(ctx, keysToStore); err != nil {
c.logger.Error("failed to store keys", "error", err)
return nil, fmt.Errorf("failed to store keys: %w", err)
}
default:
// We don't support initializing an old-style Shamir seal anymore, so
// this case is only reachable by tests.
results.SecretShares = barrierKeyShares
}

// Perform initial setup
if err := c.setupCluster(ctx); err != nil {
c.logger.Error("cluster setup failed during init", "error", err)
Expand All @@ -330,12 +356,6 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes
initPTCleanup()
}

// Save in a variable whether stored keys are supported before calling postUnsea(), as postUnseal()
// clears the barrier config. For a defaultSeal with a "legacy seal" (i.e. barrier config has StoredShares == 0),
// this will cause StoredKeysSupported() to go from StoredKeysNotSupported to StoredKeysSupportedShamirRoot.
// This would be a problem below when we determine whether to call SetStoredKeys.
storedKeysSupported := c.seal.StoredKeysSupported()

activeCtx, ctxCancel := context.WithCancel(namespace.RootContext(nil))
if err := c.postUnseal(activeCtx, ctxCancel, standardUnsealStrategy{}); err != nil {
c.logger.Error("post-unseal setup failed during init", "error", err)
Expand Down Expand Up @@ -393,32 +413,6 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes
}
}

// If we are storing shares, pop them out of the returned results and push
// them through the seal
switch storedKeysSupported {
case seal.StoredKeysSupportedShamirRoot:
keysToStore := [][]byte{barrierKey}
if err := c.seal.GetAccess().SetShamirSealKey(sealKey); err != nil {
c.logger.Error("failed to set seal key", "error", err)
return nil, fmt.Errorf("failed to set seal key: %w", err)
}
if err := c.seal.SetStoredKeys(ctx, keysToStore); err != nil {
c.logger.Error("failed to store keys", "error", err)
return nil, fmt.Errorf("failed to store keys: %w", err)
}
results.SecretShares = sealKeyShares
case seal.StoredKeysSupportedGeneric:
keysToStore := [][]byte{barrierKey}
if err := c.seal.SetStoredKeys(ctx, keysToStore); err != nil {
c.logger.Error("failed to store keys", "error", err)
return nil, fmt.Errorf("failed to store keys: %w", err)
}
default:
// We don't support initializing an old-style Shamir seal anymore, so
// this case is only reachable by tests.
results.SecretShares = barrierKeyShares
}

// Prepare to re-seal
if err := c.preSeal(); err != nil {
c.logger.Error("pre-seal teardown failed", "error", err)
Expand Down
Loading