9f980ade31
* Seal migration after unsealing * Refactor migration fields migrationInformation in core * Perform seal migration as part of postUnseal * Remove the sleep logic * Use proper seal in the unseal function * Fix migration from Auto to Shamir * Fix the recovery config missing issue * Address the non-ha migration case * Fix the multi cluster case * Avoid re-running seal migration * Run the post migration code in new leaders * Fix the issue of wrong recovery being set * Address review feedback * Add more complete testing coverage for seal migrations. (#8247) * Add more complete testing coverage for seal migrations. Also remove VAULT_ACC gate from some tests that just depend on docker, cleanup dangling recovery config in storage after migration, and fix a call in adjustCoreForSealMigration that seems broken. * Fix the issue of wrong recovery key being set * Adapt tests to work with multiple cores. * Add missing line to disable raft join. Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com> * Fix all known issues * Remove warning * Review feedback. * Revert my previous change that broke raft tests. We'll need to come back and at least comment this once we better understand why it's needed. * Don't allow migration between same types for now * Disable auto to auto tests for now since it uses migration between same types which is not allowed * Update vault/core.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com> * Add migration logs * Address review comments * Add the recovery config check back * Skip a few steps if migration is already done * Return from waitForLeadership if migration fails Co-authored-by: ncabatoff <nick.cabatoff@gmail.com> Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
133 lines
4.5 KiB
Go
133 lines
4.5 KiB
Go
package command
|
|
|
|
import (
|
|
"context"
|
|
"crypto/rand"
|
|
"fmt"
|
|
"io"
|
|
|
|
log "github.com/hashicorp/go-hclog"
|
|
wrapping "github.com/hashicorp/go-kms-wrapping"
|
|
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
|
|
"github.com/hashicorp/vault/command/server"
|
|
"github.com/hashicorp/vault/vault"
|
|
vaultseal "github.com/hashicorp/vault/vault/seal"
|
|
"github.com/pkg/errors"
|
|
)
|
|
|
|
var (
|
|
onEnterprise = false
|
|
createSecureRandomReaderFunc = createSecureRandomReader
|
|
)
|
|
|
|
func createSecureRandomReader(config *server.Config, seal *vault.Seal) (io.Reader, error) {
|
|
return rand.Reader, nil
|
|
}
|
|
|
|
func adjustCoreForSealMigration(logger log.Logger, core *vault.Core, barrierSeal, unwrapSeal vault.Seal) error {
|
|
existBarrierSealConfig, existRecoverySealConfig, err := core.PhysicalSealConfigs(context.Background())
|
|
if err != nil {
|
|
return fmt.Errorf("Error checking for existing seal: %s", err)
|
|
}
|
|
|
|
// If we don't have an existing config or if it's the deprecated auto seal
|
|
// which needs an upgrade, skip out
|
|
if existBarrierSealConfig == nil || existBarrierSealConfig.Type == wrapping.HSMAutoDeprecated {
|
|
return nil
|
|
}
|
|
|
|
if unwrapSeal == nil {
|
|
// We have the same barrier type and the unwrap seal is nil so we're not
|
|
// migrating from same to same, IOW we assume it's not a migration
|
|
if existBarrierSealConfig.Type == barrierSeal.BarrierType() {
|
|
return nil
|
|
}
|
|
|
|
// If we're not coming from Shamir, and the existing type doesn't match
|
|
// the barrier type, we need both the migration seal and the new seal
|
|
if existBarrierSealConfig.Type != wrapping.Shamir && barrierSeal.BarrierType() != wrapping.Shamir {
|
|
return errors.New(`Trying to migrate from auto-seal to auto-seal but no "disabled" seal stanza found`)
|
|
}
|
|
} else {
|
|
if unwrapSeal.BarrierType() == wrapping.Shamir {
|
|
return errors.New("Shamir seals cannot be set disabled (they should simply not be set)")
|
|
}
|
|
}
|
|
|
|
if existBarrierSealConfig.Type != wrapping.Shamir && existRecoverySealConfig == nil {
|
|
return errors.New(`Recovery seal configuration not found for existing seal`)
|
|
}
|
|
|
|
if onEnterprise && barrierSeal.BarrierType() == wrapping.Shamir {
|
|
return errors.New("Migrating from autoseal to Shamir seal is not currently supported on Vault Enterprise")
|
|
}
|
|
|
|
var migrationSeal vault.Seal
|
|
var newSeal vault.Seal
|
|
|
|
// Determine the migrationSeal. This is either going to be an instance of
|
|
// shamir or the unwrapSeal.
|
|
switch existBarrierSealConfig.Type {
|
|
case wrapping.Shamir:
|
|
// The value reflected in config is what we're going to
|
|
migrationSeal = vault.NewDefaultSeal(&vaultseal.Access{
|
|
Wrapper: aeadwrapper.NewWrapper(&wrapping.WrapperOptions{
|
|
Logger: logger.Named("shamir"),
|
|
}),
|
|
})
|
|
|
|
default:
|
|
// If we're not coming from Shamir we expect the previous seal to be
|
|
// in the config and disabled.
|
|
migrationSeal = unwrapSeal
|
|
}
|
|
|
|
// newSeal will be the barrierSeal
|
|
newSeal = barrierSeal
|
|
|
|
if migrationSeal != nil && newSeal != nil && migrationSeal.BarrierType() == newSeal.BarrierType() {
|
|
return errors.New("Migrating between same seal types is currently not supported")
|
|
}
|
|
|
|
if unwrapSeal != nil && existBarrierSealConfig.Type == barrierSeal.BarrierType() {
|
|
// In this case our migration seal is set so we are using it
|
|
// (potentially) for unwrapping. Set it on core for that purpose then
|
|
// exit.
|
|
core.SetSealsForMigration(nil, nil, unwrapSeal)
|
|
return nil
|
|
}
|
|
|
|
// Set the appropriate barrier and recovery configs.
|
|
switch {
|
|
case migrationSeal.RecoveryKeySupported() && newSeal.RecoveryKeySupported():
|
|
// Migrating from auto->auto, copy the configs over
|
|
newSeal.SetCachedBarrierConfig(existBarrierSealConfig)
|
|
newSeal.SetCachedRecoveryConfig(existRecoverySealConfig)
|
|
case migrationSeal.RecoveryKeySupported():
|
|
// Migrating from auto->shamir, clone auto's recovery config and set
|
|
// stored keys to 1.
|
|
newSealConfig := existRecoverySealConfig.Clone()
|
|
newSealConfig.StoredShares = 1
|
|
newSeal.SetCachedBarrierConfig(newSealConfig)
|
|
case newSeal.RecoveryKeySupported():
|
|
// Migrating from shamir->auto, set a new barrier config and set
|
|
// recovery config to a clone of shamir's barrier config with stored
|
|
// keys set to 0.
|
|
newBarrierSealConfig := &vault.SealConfig{
|
|
Type: newSeal.BarrierType(),
|
|
SecretShares: 1,
|
|
SecretThreshold: 1,
|
|
StoredShares: 1,
|
|
}
|
|
newSeal.SetCachedBarrierConfig(newBarrierSealConfig)
|
|
|
|
newRecoveryConfig := existBarrierSealConfig.Clone()
|
|
newRecoveryConfig.StoredShares = 0
|
|
newSeal.SetCachedRecoveryConfig(newRecoveryConfig)
|
|
}
|
|
|
|
core.SetSealsForMigration(migrationSeal, newSeal, unwrapSeal)
|
|
|
|
return nil
|
|
}
|