TLS Verification Bugfixes (#11910)

* tls verification bugfix

* tls verification bugfix

* allow diagnose fail to report status when there are also warnings

* allow diagnose fail to report status when there are also warnings

* Update vault/diagnose/helpers_test.go

Co-authored-by: swayne275 <swayne275@gmail.com>

* comments

Co-authored-by: swayne275 <swayne275@gmail.com>
Hridoy Roy 2021-06-24 10:43:49 -07:00 committed by GitHub
parent 160c409d93
commit bbef373a8d
6 changed files with 311 additions and 326 deletions


@ -426,7 +426,7 @@ func (c *OperatorDiagnoseCommand) offlineDiagnostics(ctx context.Context) error
SEALFAIL: SEALFAIL:
sealspan.End() sealspan.End()
var coreConfig vault.CoreConfig var coreConfig vault.CoreConfig
if err := diagnose.Test(ctx, "setup-core", func(ctx context.Context) error { diagnose.Test(ctx, "setup-core", func(ctx context.Context) error {
var secureRandomReader io.Reader var secureRandomReader io.Reader
// prepare a secure random reader for core // prepare a secure random reader for core
secureRandomReader, err = configutil.CreateSecureRandomReaderFunc(config.SharedConfig, barrierWrapper) secureRandomReader, err = configutil.CreateSecureRandomReaderFunc(config.SharedConfig, barrierWrapper)
@ -436,9 +436,7 @@ SEALFAIL:
diagnose.SpotOk(ctx, "init-randreader", "") diagnose.SpotOk(ctx, "init-randreader", "")
coreConfig = createCoreConfig(server, config, *backend, configSR, barrierSeal, unwrapSeal, metricsHelper, metricSink, secureRandomReader) coreConfig = createCoreConfig(server, config, *backend, configSR, barrierSeal, unwrapSeal, metricsHelper, metricSink, secureRandomReader)
return nil return nil
}); err != nil { })
diagnose.Error(ctx, err)
}
var disableClustering bool var disableClustering bool
diagnose.Test(ctx, "setup-ha-storage", func(ctx context.Context) error { diagnose.Test(ctx, "setup-ha-storage", func(ctx context.Context) error {
@ -514,6 +512,9 @@ SEALFAIL:
info := make(map[string]string) info := make(map[string]string)
var listeners []listenerutil.Listener var listeners []listenerutil.Listener
var status int var status int
diagnose.ListenerChecks(ctx, config.Listeners)
diagnose.Test(ctx, "create-listeners", func(ctx context.Context) error { diagnose.Test(ctx, "create-listeners", func(ctx context.Context) error {
status, listeners, _, err = server.InitListeners(config, disableClustering, &infoKeys, &info) status, listeners, _, err = server.InitListeners(config, disableClustering, &infoKeys, &info)
if status != 0 { if status != 0 {
@ -531,32 +532,7 @@ SEALFAIL:
} }
} }
defer c.cleanupGuard.Do(listenerCloseFunc) c.cleanupGuard.Do(listenerCloseFunc)
listenerTLSContext, listenerTLSSpan := diagnose.StartSpan(ctx, "check-listener-tls")
sanitizedListeners := make([]listenerutil.Listener, 0, len(config.Listeners))
for _, ln := range lns {
if ln.Config.TLSDisable {
diagnose.Warn(listenerTLSContext, "TLS is disabled in a Listener config stanza.")
continue
}
if ln.Config.TLSDisableClientCerts {
diagnose.Warn(listenerTLSContext, "TLS for a listener is turned on without requiring client certs.")
}
err = diagnose.TLSMutualExclusionCertCheck(ln.Config)
if err != nil {
diagnose.Warn(listenerTLSContext, fmt.Sprintf("TLSDisableClientCerts and TLSRequireAndVerifyClientCert should not both be set. %s", err))
}
sanitizedListeners = append(sanitizedListeners, listenerutil.Listener{
Listener: ln.Listener,
Config: ln.Config,
})
}
diagnose.ListenerChecks(listenerTLSContext, sanitizedListeners)
listenerTLSSpan.End()
return nil return nil
}) })
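Review bot: The listener close now runs unconditionally inside the create-listeners closure (`c.cleanupGuard.Do(listenerCloseFunc)` replaces the deferred call), so the listeners are bound and released before the Test returns; a one-line comment such as `// Listeners are opened only to confirm they can bind; TLS settings are checked separately by diagnose.ListenerChecks.` would stop the next reader from adding work here that expects them to still be open. The TLS checks moved to `diagnose.ListenerChecks(ctx, config.Listeners)` ahead of create-listeners now inspect the raw config stanzas rather than the sanitized listener list, which appears intended since the TLSDisable and client-cert checks moved into ListenerChecks in this commit, but the check no longer runs only after a successful bind. The setup-core Test also no longer has its returned error routed through `diagnose.Error`, matching the neighbouring setup-ha-storage call; this relies on Test recording the failure on the span itself, which the helpers_test change in this commit seems to assert. offlineDiagnostics starts before and continues past these hunks.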


@ -3,11 +3,12 @@ package diagnose
import ( import (
"context" "context"
"errors" "errors"
"github.com/go-test/deep"
"os" "os"
"reflect" "reflect"
"strings" "strings"
"testing" "testing"
"github.com/go-test/deep"
) )
const getMoreCoffee = "You'll find more coffee in the freezer door, or consider buying more for the office." const getMoreCoffee = "You'll find more coffee in the freezer door, or consider buying more for the office."
@ -21,6 +22,26 @@ func TestDiagnoseOtelResults(t *testing.T) {
}, },
Advice: getMoreCoffee, Advice: getMoreCoffee,
Children: []*Result{ Children: []*Result{
{
Name: "prepare-kitchen",
Status: ErrorStatus,
Children: []*Result{
{
Name: "build-microwave",
Status: ErrorStatus,
Children: []*Result{
{
Name: "buy-parts",
Status: ErrorStatus,
Message: "no stores sell microwave parts, please buy a microwave instead.",
Warnings: []string{
"warning: you are about to try to build a microwave from scratch.",
},
},
},
},
},
},
{ {
Name: "warm-milk", Name: "warm-milk",
Status: OkStatus, Status: OkStatus,
@ -54,6 +75,7 @@ func TestDiagnoseOtelResults(t *testing.T) {
results := sess.Finalize(ctx) results := sess.Finalize(ctx)
results.ZeroTimes() results.ZeroTimes()
if !reflect.DeepEqual(results, expected) { if !reflect.DeepEqual(results, expected) {
t.Fatalf("results mismatch: %s", strings.Join(deep.Equal(results, expected), "\n")) t.Fatalf("results mismatch: %s", strings.Join(deep.Equal(results, expected), "\n"))
} }
@ -63,20 +85,25 @@ func TestDiagnoseOtelResults(t *testing.T) {
const coffeeLeft = 3 const coffeeLeft = 3
func makeCoffee(ctx context.Context) error { func makeCoffee(ctx context.Context) error {
if coffeeLeft < 5 { if coffeeLeft < 5 {
Warn(ctx, "coffee getting low") Warn(ctx, "coffee getting low")
Advise(ctx, getMoreCoffee) Advise(ctx, getMoreCoffee)
} }
err := Test(ctx, "warm-milk", warmMilk) // To mimic listener TLS checks, we'll see if we can nest a Test and add errors in the function
if err != nil { Test(ctx, "prepare-kitchen", func(ctx context.Context) error {
return err return Test(ctx, "build-microwave", func(ctx context.Context) error {
} buildMicrowave(ctx)
return nil
})
})
err = brewCoffee(ctx) Test(ctx, "warm-milk", func(ctx context.Context) error {
if err != nil { return warmMilk(ctx)
return err })
}
brewCoffee(ctx)
SpotCheck(ctx, "pick-scone", pickScone) SpotCheck(ctx, "pick-scone", pickScone)
@ -84,6 +111,25 @@ func makeCoffee(ctx context.Context) error {
return nil return nil
} }
// buildMicrowave will throw an error in the function itself to fail the span,
// but will return nil so the caller test doesn't necessarily throw an error.
// The intended behavior is that the superspan will detect the failed subspan
// and fail regardless. This happens when Fail is used to fail the span, but not
// when Error is used. See the comment in the function itself.
func buildMicrowave(ctx context.Context) error {
ctx, span := StartSpan(ctx, "buy-parts")
Fail(ctx, "no stores sell microwave parts, please buy a microwave instead.")
// The error line here does not actually yield an error in the output.
// TODO: Debug this. In the meantime, always use Fail over Error.
// Error(ctx, errors.New("no stores sell microwave parts, please buy a microwave instead."))
Warn(ctx, "warning: you are about to try to build a microwave from scratch.")
span.End()
return nil
}
func warmMilk(ctx context.Context) error { func warmMilk(ctx context.Context) error {
// Always succeeds // Always succeeds
return nil return nil
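Review bot: buildMicrowave records a known defect (Error not failing the enclosing span) as a commented-out call plus a TODO rather than a test that pins it, so the bug can persist or be fixed without anyone noticing the workaround; consider a separate, clearly named test (skipped with a reason if it must stay red) that calls `Error(ctx, ...)` inside a nested span and asserts ErrorStatus on the parent, and replace the dead `// Error(ctx, errors.New(...))` line with a reference to it. The `error` return of buildMicrowave is always nil and makeCoffee discards it, so either drop the return type or return the value the test is meant to exercise. The `errors` import kept in the import hunk has no visible use in this chunk other than the commented-out line; confirm it is still used elsewhere in the file so the package keeps compiling.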


@ -4,13 +4,14 @@ import (
"context" "context"
"errors" "errors"
"fmt" "fmt"
"go.opentelemetry.io/otel/attribute"
"io" "io"
"sort" "sort"
"strings" "strings"
"sync" "sync"
"time" "time"
"go.opentelemetry.io/otel/attribute"
wordwrap "github.com/mitchellh/go-wordwrap" wordwrap "github.com/mitchellh/go-wordwrap"
"go.opentelemetry.io/otel/codes" "go.opentelemetry.io/otel/codes"
sdktrace "go.opentelemetry.io/otel/sdk/trace" sdktrace "go.opentelemetry.io/otel/sdk/trace"
@ -318,22 +319,20 @@ func (r *Result) StringWrapped(wrapLimit int) string {
func (r *Result) write(sb *strings.Builder, depth int, limit int) { func (r *Result) write(sb *strings.Builder, depth int, limit int) {
indent(sb, depth) indent(sb, depth)
var prelude string var prelude string
if len(r.Warnings) == 0 { switch r.Status {
switch r.Status { case OkStatus:
case OkStatus: prelude = status_ok
prelude = status_ok case WarningStatus:
case WarningStatus: prelude = status_warn
prelude = status_warn case ErrorStatus:
case ErrorStatus: prelude = status_failed
prelude = status_failed case SkippedStatus:
case SkippedStatus: prelude = status_skipped
prelude = status_skipped }
} prelude = prelude + r.Name
prelude = prelude + r.Name
if r.Message != "" { if r.Message != "" {
prelude = prelude + ": " + r.Message prelude = prelude + ": " + r.Message
}
} }
warnings := r.Warnings warnings := r.Warnings
if r.Message == "" && len(warnings) > 0 { if r.Message == "" && len(warnings) > 0 {
@ -343,6 +342,7 @@ func (r *Result) write(sb *strings.Builder, depth int, limit int) {
warnings = warnings[1:] warnings = warnings[1:]
} }
} }
writeWrapped(sb, prelude, depth+1, limit) writeWrapped(sb, prelude, depth+1, limit)
for _, w := range warnings { for _, w := range warnings {
sb.WriteRune('\n') sb.WriteRune('\n')
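Review bot: With the `len(r.Warnings) == 0` guard removed, the `switch r.Status` in write has no `default`, so a Result carrying an unrecognised Status prints only the bare name with no marker at all; adding `default: prelude = status_failed` (or a distinct "unknown" marker) keeps a malformed status from being rendered as if nothing were wrong. Separately, the branch just above the second hunk hoists the first warning into the prelude when `r.Message == ""`, so an ErrorStatus result with no message now renders as the failed marker, the name, and that warning text, which reads like an error message; the body of that branch is outside the hunk, so confirm whether that is the intended output. write continues past the hunk.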


@ -12,7 +12,6 @@ import (
"time" "time"
"github.com/hashicorp/vault/internalshared/configutil" "github.com/hashicorp/vault/internalshared/configutil"
"github.com/hashicorp/vault/internalshared/listenerutil"
"github.com/hashicorp/vault/sdk/helper/tlsutil" "github.com/hashicorp/vault/sdk/helper/tlsutil"
) )
@ -21,17 +20,32 @@ const maxVersionError = "'tls_max_version' value %q not supported, please specif
// ListenerChecks diagnoses warnings and the first encountered error for the listener // ListenerChecks diagnoses warnings and the first encountered error for the listener
// configuration stanzas. // configuration stanzas.
func ListenerChecks(ctx context.Context, listeners []listenerutil.Listener) ([]string, []error) { func ListenerChecks(ctx context.Context, listeners []*configutil.Listener) ([]string, []error) {
testName := "check-listener-tls"
ctx, span := StartSpan(ctx, testName)
defer span.End()
// These aggregated warnings and errors are returned purely for testing purposes. // These aggregated warnings and errors are returned purely for testing purposes.
// The errors and warnings will report in this function itself. // The errors and warnings will report in this function itself.
var listenerWarnings []string var listenerWarnings []string
var listenerErrors []error var listenerErrors []error
for _, listener := range listeners { for _, l := range listeners {
l := listener.Config
listenerID := l.Address listenerID := l.Address
if l.TLSDisable {
Warn(ctx, fmt.Sprintf("listener at address: %s has error: TLS is disabled in a Listener config stanza.", listenerID))
continue
}
if l.TLSDisableClientCerts {
Warn(ctx, fmt.Sprintf("listener at address: %s has error: TLS for a listener is turned on without requiring client certs.", listenerID))
}
status, warning := TLSMutualExclusionCertCheck(l)
if status == 1 {
Warn(ctx, warning)
}
// Perform the TLS version check for listeners. // Perform the TLS version check for listeners.
if l.TLSMinVersion == "" { if l.TLSMinVersion == "" {
l.TLSMinVersion = "tls12" l.TLSMinVersion = "tls12"
@ -43,13 +57,13 @@ func ListenerChecks(ctx context.Context, listeners []listenerutil.Listener) ([]s
if !ok { if !ok {
err := fmt.Errorf("listener at address: %s has error %s: ", listenerID, fmt.Sprintf(minVersionError, l.TLSMinVersion)) err := fmt.Errorf("listener at address: %s has error %s: ", listenerID, fmt.Sprintf(minVersionError, l.TLSMinVersion))
listenerErrors = append(listenerErrors, err) listenerErrors = append(listenerErrors, err)
Error(ctx, err) Fail(ctx, err.Error())
} }
_, ok = tlsutil.TLSLookup[l.TLSMaxVersion] _, ok = tlsutil.TLSLookup[l.TLSMaxVersion]
if !ok { if !ok {
err := fmt.Errorf("listener at address: %s has error %s: ", listenerID, fmt.Sprintf(maxVersionError, l.TLSMaxVersion)) err := fmt.Errorf("listener at address: %s has error %s: ", listenerID, fmt.Sprintf(maxVersionError, l.TLSMaxVersion))
listenerErrors = append(listenerErrors, err) listenerErrors = append(listenerErrors, err)
Error(ctx, err) Fail(ctx, err.Error())
} }
// Perform checks on the TLS Cryptographic Information. // Perform checks on the TLS Cryptographic Information.
@ -74,8 +88,7 @@ func outputError(ctx context.Context, newWarnings, listenerWarnings []string, ne
if newErr != nil { if newErr != nil {
errMsg := listenerID + ": " + newErr.Error() errMsg := listenerID + ": " + newErr.Error()
listenerErrors = append(listenerErrors, fmt.Errorf(errMsg)) listenerErrors = append(listenerErrors, fmt.Errorf(errMsg))
Error(ctx, fmt.Errorf(errMsg)) Fail(ctx, errMsg)
} }
return listenerWarnings, listenerErrors return listenerWarnings, listenerErrors
} }
@ -256,15 +269,14 @@ func NearExpiration(c *x509.Certificate) (bool, time.Duration) {
} }
// TLSMutualExclusionCertCheck returns error if both TLSDisableClientCerts and TLSRequireAndVerifyClientCert are set // TLSMutualExclusionCertCheck returns error if both TLSDisableClientCerts and TLSRequireAndVerifyClientCert are set
func TLSMutualExclusionCertCheck(l *configutil.Listener) error { func TLSMutualExclusionCertCheck(l *configutil.Listener) (int, string) {
if l.TLSDisableClientCerts { if l.TLSDisableClientCerts {
if l.TLSRequireAndVerifyClientCert { if l.TLSRequireAndVerifyClientCert {
return fmt.Errorf("the tls_disable_client_certs and tls_require_and_verify_client_cert fields in the " + return 1, "the tls_disable_client_certs and tls_require_and_verify_client_cert fields in the listener stanza of the vault server config are mutually exclusive fields. Please ensure they are not both set to true."
"listener stanza of the vault server config are mutually exclusive fields. Please ensure they are not both set to true.")
} }
} }
return nil return 0, ""
} }
// TLSClientCAFileCheck Checks the validity of a client CA file // TLSClientCAFileCheck Checks the validity of a client CA file
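Review bot: The three new warnings in ListenerChecks (TLS disabled, client certs not required, mutually exclusive cert fields) are emitted with `Warn` but never appended to `listenerWarnings`, so the slice the comment says is returned "purely for testing purposes" no longer reflects them and tests cannot assert on those cases; add `listenerWarnings = append(listenerWarnings, warning)` beside each `Warn` call, building the message into a local first for the two `fmt.Sprintf` cases. The two `Warn` messages read `listener at address: %s has error: TLS is disabled ...` although they are reported as warnings, not failures, which is misleading to an operator reading the output; say `has warning:` or drop the qualifier. `TLSMutualExclusionCertCheck` now returns `(int, string)` with 0/1 as the status and callers compare `status == 1`; a `bool` result (for example `(string, bool)`) is the idiomatic form and removes the magic number. The `Error` to `Fail` swap on the version-lookup errors is consistent with the TODO in helpers_test.go noting that Error does not fail the span.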


@ -7,23 +7,20 @@ import (
"testing" "testing"
"github.com/hashicorp/vault/internalshared/configutil" "github.com/hashicorp/vault/internalshared/configutil"
"github.com/hashicorp/vault/internalshared/listenerutil"
) )
// TestTLSValidCert is the positive test case to show that specifying a valid cert and key // TestTLSValidCert is the positive test case to show that specifying a valid cert and key
// passes all checks. // passes all checks.
func TestTLSValidCert(t *testing.T) { func TestTLSValidCert(t *testing.T) {
listeners := []listenerutil.Listener{ listeners := []*configutil.Listener{
{ {
Config: &configutil.Listener{ Type: "tcp",
Type: "tcp", Address: "127.0.0.1:443",
Address: "127.0.0.1:443", ClusterAddress: "127.0.0.1:8201",
ClusterAddress: "127.0.0.1:8201", TLSCertFile: "./test-fixtures/goodcertwithroot.pem",
TLSCertFile: "./test-fixtures/goodcertwithroot.pem", TLSKeyFile: "./test-fixtures/goodkey.pem",
TLSKeyFile: "./test-fixtures/goodkey.pem", TLSMinVersion: "tls10",
TLSMinVersion: "tls10", TLSDisableClientCerts: true,
TLSDisableClientCerts: true,
},
}, },
} }
warnings, errs := ListenerChecks(context.Background(), listeners) warnings, errs := ListenerChecks(context.Background(), listeners)
@ -38,17 +35,15 @@ func TestTLSValidCert(t *testing.T) {
// TestTLSFakeCert simply ensures that the certificate file must contain PEM data. // TestTLSFakeCert simply ensures that the certificate file must contain PEM data.
func TestTLSFakeCert(t *testing.T) { func TestTLSFakeCert(t *testing.T) {
listeners := []listenerutil.Listener{ listeners := []*configutil.Listener{
{ {
Config: &configutil.Listener{ Type: "tcp",
Type: "tcp", Address: "127.0.0.1:443",
Address: "127.0.0.1:443", ClusterAddress: "127.0.0.1:8201",
ClusterAddress: "127.0.0.1:8201", TLSCertFile: "./test-fixtures/fakecert.pem",
TLSCertFile: "./test-fixtures/fakecert.pem", TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem", TLSMinVersion: "tls10",
TLSMinVersion: "tls10", TLSDisableClientCerts: true,
TLSDisableClientCerts: true,
},
}, },
} }
_, errs := ListenerChecks(context.Background(), listeners) _, errs := ListenerChecks(context.Background(), listeners)
@ -68,17 +63,15 @@ func TestTLSFakeCert(t *testing.T) {
// an extra DER sequence, and makes sure a trailing data error // an extra DER sequence, and makes sure a trailing data error
// is returned. // is returned.
func TestTLSTrailingData(t *testing.T) { func TestTLSTrailingData(t *testing.T) {
listeners := []listenerutil.Listener{ listeners := []*configutil.Listener{
{ {
Config: &configutil.Listener{ Type: "tcp",
Type: "tcp", Address: "127.0.0.1:443",
Address: "127.0.0.1:443", ClusterAddress: "127.0.0.1:8201",
ClusterAddress: "127.0.0.1:8201", TLSCertFile: "./test-fixtures/trailingdatacert.pem",
TLSCertFile: "./test-fixtures/trailingdatacert.pem", TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem", TLSMinVersion: "tls10",
TLSMinVersion: "tls10", TLSDisableClientCerts: true,
TLSDisableClientCerts: true,
},
}, },
} }
_, errs := ListenerChecks(context.Background(), listeners) _, errs := ListenerChecks(context.Background(), listeners)
@ -93,17 +86,15 @@ func TestTLSTrailingData(t *testing.T) {
// TestTLSExpiredCert checks that an expired certificate fails TLS checks // TestTLSExpiredCert checks that an expired certificate fails TLS checks
// with an appropriate error. // with an appropriate error.
func TestTLSExpiredCert(t *testing.T) { func TestTLSExpiredCert(t *testing.T) {
listeners := []listenerutil.Listener{ listeners := []*configutil.Listener{
{ {
Config: &configutil.Listener{ Type: "tcp",
Type: "tcp", Address: "127.0.0.1:443",
Address: "127.0.0.1:443", ClusterAddress: "127.0.0.1:8201",
ClusterAddress: "127.0.0.1:8201", TLSCertFile: "./test-fixtures/expiredcert.pem",
TLSCertFile: "./test-fixtures/expiredcert.pem", TLSKeyFile: "./test-fixtures/expiredprivatekey.pem",
TLSKeyFile: "./test-fixtures/expiredprivatekey.pem", TLSMinVersion: "tls10",
TLSMinVersion: "tls10", TLSDisableClientCerts: true,
TLSDisableClientCerts: true,
},
}, },
} }
warnings, errs := ListenerChecks(context.Background(), listeners) warnings, errs := ListenerChecks(context.Background(), listeners)
@ -124,17 +115,15 @@ func TestTLSExpiredCert(t *testing.T) {
// TestTLSMismatchedCryptographicInfo verifies that a cert and key of differing cryptographic // TestTLSMismatchedCryptographicInfo verifies that a cert and key of differing cryptographic
// types, when specified together, is met with a unique error message. // types, when specified together, is met with a unique error message.
func TestTLSMismatchedCryptographicInfo(t *testing.T) { func TestTLSMismatchedCryptographicInfo(t *testing.T) {
listeners := []listenerutil.Listener{ listeners := []*configutil.Listener{
{ {
Config: &configutil.Listener{ Type: "tcp",
Type: "tcp", Address: "127.0.0.1:443",
Address: "127.0.0.1:443", ClusterAddress: "127.0.0.1:8201",
ClusterAddress: "127.0.0.1:8201", TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
TLSCertFile: "./../../api/test-fixtures/keys/cert.pem", TLSKeyFile: "./test-fixtures/ecdsa.key",
TLSKeyFile: "./test-fixtures/ecdsa.key", TLSMinVersion: "tls10",
TLSMinVersion: "tls10", TLSDisableClientCerts: true,
TLSDisableClientCerts: true,
},
}, },
} }
_, errs := ListenerChecks(context.Background(), listeners) _, errs := ListenerChecks(context.Background(), listeners)
@ -145,18 +134,16 @@ func TestTLSMismatchedCryptographicInfo(t *testing.T) {
t.Fatalf("Bad error message: %s", errs[0]) t.Fatalf("Bad error message: %s", errs[0])
} }
listeners = []listenerutil.Listener{ listeners = []*configutil.Listener{
{ {
Config: &configutil.Listener{ Type: "tcp",
Type: "tcp", Address: "127.0.0.1:443",
Address: "127.0.0.1:443", ClusterAddress: "127.0.0.1:8201",
ClusterAddress: "127.0.0.1:8201", TLSCertFile: "./test-fixtures/ecdsa.crt",
TLSCertFile: "./test-fixtures/ecdsa.crt", TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem", TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem",
TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem", TLSMinVersion: "tls10",
TLSMinVersion: "tls10", TLSDisableClientCerts: true,
TLSDisableClientCerts: true,
},
}, },
} }
_, errs = ListenerChecks(context.Background(), listeners) _, errs = ListenerChecks(context.Background(), listeners)
@ -170,18 +157,16 @@ func TestTLSMismatchedCryptographicInfo(t *testing.T) {
// TestTLSMultiKeys verifies that a unique error message is thrown when a key is specified twice. // TestTLSMultiKeys verifies that a unique error message is thrown when a key is specified twice.
func TestTLSMultiKeys(t *testing.T) { func TestTLSMultiKeys(t *testing.T) {
listeners := []listenerutil.Listener{ listeners := []*configutil.Listener{
{ {
Config: &configutil.Listener{ Type: "tcp",
Type: "tcp", Address: "127.0.0.1:443",
Address: "127.0.0.1:443", ClusterAddress: "127.0.0.1:8201",
ClusterAddress: "127.0.0.1:8201", TLSCertFile: "./../../api/test-fixtures/keys/key.pem",
TLSCertFile: "./../../api/test-fixtures/keys/key.pem", TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem", TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem",
TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem", TLSMinVersion: "tls10",
TLSMinVersion: "tls10", TLSDisableClientCerts: true,
TLSDisableClientCerts: true,
},
}, },
} }
_, errs := ListenerChecks(context.Background(), listeners) _, errs := ListenerChecks(context.Background(), listeners)
@ -195,17 +180,15 @@ func TestTLSMultiKeys(t *testing.T) {
// TestTLSCertAsKey verifies that a unique error message is thrown when a cert is specified twice. // TestTLSCertAsKey verifies that a unique error message is thrown when a cert is specified twice.
func TestTLSCertAsKey(t *testing.T) { func TestTLSCertAsKey(t *testing.T) {
listeners := []listenerutil.Listener{ listeners := []*configutil.Listener{
{ {
Config: &configutil.Listener{ Type: "tcp",
Type: "tcp", Address: "127.0.0.1:443",
Address: "127.0.0.1:443", ClusterAddress: "127.0.0.1:8201",
ClusterAddress: "127.0.0.1:8201", TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
TLSCertFile: "./../../api/test-fixtures/keys/cert.pem", TLSKeyFile: "./../../api/test-fixtures/keys/cert.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/cert.pem", TLSMinVersion: "tls10",
TLSMinVersion: "tls10", TLSDisableClientCerts: true,
TLSDisableClientCerts: true,
},
}, },
} }
_, errs := ListenerChecks(context.Background(), listeners) _, errs := ListenerChecks(context.Background(), listeners)
@ -221,17 +204,15 @@ func TestTLSCertAsKey(t *testing.T) {
// the root. The root certificate used in this test is the Baltimore Cyber Trust root // the root. The root certificate used in this test is the Baltimore Cyber Trust root
// certificate, downloaded from: https://www.digicert.com/kb/digicert-root-certificates.htm // certificate, downloaded from: https://www.digicert.com/kb/digicert-root-certificates.htm
func TestTLSInvalidRoot(t *testing.T) { func TestTLSInvalidRoot(t *testing.T) {
listeners := []listenerutil.Listener{ listeners := []*configutil.Listener{
{ {
Config: &configutil.Listener{ Type: "tcp",
Type: "tcp", Address: "127.0.0.1:443",
Address: "127.0.0.1:443", ClusterAddress: "127.0.0.1:8201",
ClusterAddress: "127.0.0.1:8201", TLSCertFile: "./test-fixtures/goodcertbadroot.pem",
TLSCertFile: "./test-fixtures/goodcertbadroot.pem", TLSKeyFile: "./test-fixtures/goodkey.pem",
TLSKeyFile: "./test-fixtures/goodkey.pem", TLSMinVersion: "tls10",
TLSMinVersion: "tls10", TLSDisableClientCerts: true,
TLSDisableClientCerts: true,
},
}, },
} }
_, errs := ListenerChecks(context.Background(), listeners) _, errs := ListenerChecks(context.Background(), listeners)
@ -247,17 +228,15 @@ func TestTLSInvalidRoot(t *testing.T) {
// is still accepted by diagnose as valid. This is an acceptable, though less secure, // is still accepted by diagnose as valid. This is an acceptable, though less secure,
// server configuration. // server configuration.
func TestTLSNoRoot(t *testing.T) { func TestTLSNoRoot(t *testing.T) {
listeners := []listenerutil.Listener{ listeners := []*configutil.Listener{
{ {
Config: &configutil.Listener{ Type: "tcp",
Type: "tcp", Address: "127.0.0.1:443",
Address: "127.0.0.1:443", ClusterAddress: "127.0.0.1:8201",
ClusterAddress: "127.0.0.1:8201", TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
TLSCertFile: "./../../api/test-fixtures/keys/cert.pem", TLSKeyFile: "./test-fixtures/goodkey.pem",
TLSKeyFile: "./test-fixtures/goodkey.pem", TLSMinVersion: "tls10",
TLSMinVersion: "tls10", TLSDisableClientCerts: true,
TLSDisableClientCerts: true,
},
}, },
} }
_, errs := ListenerChecks(context.Background(), listeners) _, errs := ListenerChecks(context.Background(), listeners)
@ -270,18 +249,16 @@ func TestTLSNoRoot(t *testing.T) {
// TestTLSInvalidMinVersion checks that a listener with an invalid minimum configured // TestTLSInvalidMinVersion checks that a listener with an invalid minimum configured
// version errors appropriately. // version errors appropriately.
func TestTLSInvalidMinVersion(t *testing.T) { func TestTLSInvalidMinVersion(t *testing.T) {
listeners := []listenerutil.Listener{ listeners := []*configutil.Listener{
{ {
Config: &configutil.Listener{ Type: "tcp",
Type: "tcp", Address: "127.0.0.1:443",
Address: "127.0.0.1:443", ClusterAddress: "127.0.0.1:8201",
ClusterAddress: "127.0.0.1:8201", TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
TLSCertFile: "./../../api/test-fixtures/keys/cert.pem", TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem", TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem",
TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem", TLSMinVersion: "0",
TLSMinVersion: "0", TLSDisableClientCerts: true,
TLSDisableClientCerts: true,
},
}, },
} }
_, errs := ListenerChecks(context.Background(), listeners) _, errs := ListenerChecks(context.Background(), listeners)
@ -296,18 +273,16 @@ func TestTLSInvalidMinVersion(t *testing.T) {
// TestTLSInvalidMaxVersion checks that a listener with an invalid maximum configured // TestTLSInvalidMaxVersion checks that a listener with an invalid maximum configured
// version errors appropriately. // version errors appropriately.
func TestTLSInvalidMaxVersion(t *testing.T) { func TestTLSInvalidMaxVersion(t *testing.T) {
listeners := []listenerutil.Listener{ listeners := []*configutil.Listener{
{ {
Config: &configutil.Listener{ Type: "tcp",
Type: "tcp", Address: "127.0.0.1:443",
Address: "127.0.0.1:443", ClusterAddress: "127.0.0.1:8201",
ClusterAddress: "127.0.0.1:8201", TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
TLSCertFile: "./../../api/test-fixtures/keys/cert.pem", TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem", TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem",
TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem", TLSMaxVersion: "0",
TLSMaxVersion: "0", TLSDisableClientCerts: true,
TLSDisableClientCerts: true,
},
}, },
} }
_, errs := ListenerChecks(context.Background(), listeners) _, errs := ListenerChecks(context.Background(), listeners)
@ -322,46 +297,42 @@ func TestTLSInvalidMaxVersion(t *testing.T) {
// TestDisabledClientCertsAndDisabledTLSClientCAVerfiy checks that a listener works properly when both // TestDisabledClientCertsAndDisabledTLSClientCAVerfiy checks that a listener works properly when both
// TLSRequireAndVerifyClientCert and TLSDisableClientCerts are false // TLSRequireAndVerifyClientCert and TLSDisableClientCerts are false
func TestDisabledClientCertsAndDisabledTLSClientCAVerfiy(t *testing.T) { func TestDisabledClientCertsAndDisabledTLSClientCAVerfiy(t *testing.T) {
listeners := []listenerutil.Listener{ listeners := []*configutil.Listener{
{ {
Config: &configutil.Listener{ Type: "tcp",
Type: "tcp", Address: "127.0.0.1:443",
Address: "127.0.0.1:443", ClusterAddress: "127.0.0.1:8201",
ClusterAddress: "127.0.0.1:8201", TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
TLSCertFile: "./../../api/test-fixtures/keys/cert.pem", TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem", TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem",
TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem", TLSMaxVersion: "tls10",
TLSMaxVersion: "tls10", TLSRequireAndVerifyClientCert: false,
TLSRequireAndVerifyClientCert: false, TLSDisableClientCerts: false,
TLSDisableClientCerts: false,
},
}, },
} }
err := TLSMutualExclusionCertCheck(listeners[0].Config) status, _ := TLSMutualExclusionCertCheck(listeners[0])
if err != nil { if status != 0 {
t.Fatalf("TLS config failed when both TLSRequireAndVerifyClientCert and TLSDisableClientCerts are false") t.Fatalf("TLS config failed when both TLSRequireAndVerifyClientCert and TLSDisableClientCerts are false")
} }
} }
// TestTLSClientCAVerfiy checks that a listener which has TLS client certs checks enabled works as expected // TestTLSClientCAVerfiy checks that a listener which has TLS client certs checks enabled works as expected
func TestTLSClientCAVerfiy(t *testing.T) { func TestTLSClientCAVerfiy(t *testing.T) {
listeners := []listenerutil.Listener{ listeners := []*configutil.Listener{
{ {
Config: &configutil.Listener{ Type: "tcp",
Type: "tcp", Address: "127.0.0.1:443",
Address: "127.0.0.1:443", ClusterAddress: "127.0.0.1:8201",
ClusterAddress: "127.0.0.1:8201", TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
TLSCertFile: "./../../api/test-fixtures/keys/cert.pem", TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem", TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem",
TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem", TLSMaxVersion: "tls10",
TLSMaxVersion: "tls10", TLSRequireAndVerifyClientCert: true,
TLSRequireAndVerifyClientCert: true, TLSDisableClientCerts: false,
TLSDisableClientCerts: false,
},
}, },
} }
err := TLSMutualExclusionCertCheck(listeners[0].Config) status, err := TLSMutualExclusionCertCheck(listeners[0])
if err != nil { if status != 0 {
t.Fatalf("TLS config check failed with %s", err) t.Fatalf("TLS config check failed with %s", err)
} }
} }
@ -369,23 +340,21 @@ func TestTLSClientCAVerfiy(t *testing.T) {
// TestTLSClientCAVerfiySkip checks that TLS client cert checks are skipped if TLSDisableClientCerts is true // TestTLSClientCAVerfiySkip checks that TLS client cert checks are skipped if TLSDisableClientCerts is true
// regardless of the value for TLSRequireAndVerifyClientCert // regardless of the value for TLSRequireAndVerifyClientCert
func TestTLSClientCAVerfiySkip(t *testing.T) { func TestTLSClientCAVerfiySkip(t *testing.T) {
listeners := []listenerutil.Listener{ listeners := []*configutil.Listener{
{ {
Config: &configutil.Listener{ Type: "tcp",
Type: "tcp", Address: "127.0.0.1:443",
Address: "127.0.0.1:443", ClusterAddress: "127.0.0.1:8201",
ClusterAddress: "127.0.0.1:8201", TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
TLSCertFile: "./../../api/test-fixtures/keys/cert.pem", TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem", TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem",
TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem", TLSMaxVersion: "tls10",
TLSMaxVersion: "tls10", TLSRequireAndVerifyClientCert: false,
TLSRequireAndVerifyClientCert: false, TLSDisableClientCerts: true,
TLSDisableClientCerts: true,
},
}, },
} }
err := TLSMutualExclusionCertCheck(listeners[0].Config) status, err := TLSMutualExclusionCertCheck(listeners[0])
if err != nil { if status != 0 {
t.Fatalf("TLS config check did not skip verification and failed with %s", err) t.Fatalf("TLS config check did not skip verification and failed with %s", err)
} }
} }
@ -393,26 +362,24 @@ func TestTLSClientCAVerfiySkip(t *testing.T) {
// TestTLSClientCAVerfiyMutualExclusion checks that TLS client cert checks are skipped if TLSDisableClientCerts is true // TestTLSClientCAVerfiyMutualExclusion checks that TLS client cert checks are skipped if TLSDisableClientCerts is true
// regardless of the value for TLSRequireAndVerifyClientCert // regardless of the value for TLSRequireAndVerifyClientCert
func TestTLSClientCAVerfiyMutualExclusion(t *testing.T) { func TestTLSClientCAVerfiyMutualExclusion(t *testing.T) {
listeners := []listenerutil.Listener{ listeners := []*configutil.Listener{
{ {
Config: &configutil.Listener{ Type: "tcp",
Type: "tcp", Address: "127.0.0.1:443",
Address: "127.0.0.1:443", ClusterAddress: "127.0.0.1:8201",
ClusterAddress: "127.0.0.1:8201", TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
TLSCertFile: "./../../api/test-fixtures/keys/cert.pem", TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem", TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem",
TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem", TLSMaxVersion: "tls10",
TLSMaxVersion: "tls10", TLSRequireAndVerifyClientCert: true,
TLSRequireAndVerifyClientCert: true, TLSDisableClientCerts: true,
TLSDisableClientCerts: true,
},
}, },
} }
err := TLSMutualExclusionCertCheck(listeners[0].Config) status, err := TLSMutualExclusionCertCheck(listeners[0])
if err == nil { if status == 0 {
t.Fatalf("TLS config check should have failed when both 'tls_disable_client_certs' and 'tls_require_and_verify_client_cert' are true") t.Fatalf("TLS config check should have failed when both 'tls_disable_client_certs' and 'tls_require_and_verify_client_cert' are true")
} }
if !strings.Contains(err.Error(), "the tls_disable_client_certs and tls_require_and_verify_client_cert fields in the "+ if !strings.Contains(err, "the tls_disable_client_certs and tls_require_and_verify_client_cert fields in the "+
"listener stanza of the vault server config are mutually exclusive fields") { "listener stanza of the vault server config are mutually exclusive fields") {
t.Fatalf("Bad error message: %s", err) t.Fatalf("Bad error message: %s", err)
} }
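Review bot: `if status == 0` treats any non-zero status as the expected failure; if the status type distinguishes a warning from an error (the commit description mentions reporting a fail status alongside warnings), the test should compare against the specific error value, e.g. `if status != <error status constant> {`, so a future downgrade to a warning does not pass silently. Separately, the doc comment on TestTLSClientCAVerfiyMutualExclusion is a copy of the one on the skip test and describes the wrong behaviour; suggest `// TestTLSClientCAVerfiyMutualExclusion checks that setting both TLSDisableClientCerts and TLSRequireAndVerifyClientCert is rejected as a config error`.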
@ -420,19 +387,17 @@ func TestTLSClientCAVerfiyMutualExclusion(t *testing.T) {
// TestTLSClientCAVerfiy checks that a listener which has TLS client certs checks enabled works as expected // TestTLSClientCAVerfiy checks that a listener which has TLS client certs checks enabled works as expected
func TestTLSClientCAFileCheck(t *testing.T) { func TestTLSClientCAFileCheck(t *testing.T) {
listeners := []listenerutil.Listener{ listeners := []*configutil.Listener{
{ {
Config: &configutil.Listener{ Type: "tcp",
Type: "tcp", Address: "127.0.0.1:443",
Address: "127.0.0.1:443", ClusterAddress: "127.0.0.1:8201",
ClusterAddress: "127.0.0.1:8201", TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
TLSCertFile: "./../../api/test-fixtures/keys/cert.pem", TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem", TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem",
TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem", TLSMaxVersion: "tls10",
TLSMaxVersion: "tls10", TLSRequireAndVerifyClientCert: true,
TLSRequireAndVerifyClientCert: true, TLSDisableClientCerts: false,
TLSDisableClientCerts: false,
},
}, },
} }
warnings, errs := ListenerChecks(context.Background(), listeners) warnings, errs := ListenerChecks(context.Background(), listeners)
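Review bot: TestTLSClientCAFileCheck and the five tests that follow (hunks ending at L643, L662, L681, L700 and L720) each rebuild the same nine-field `*configutil.Listener` literal, differing only in TLSClientCAFile and the two client-cert flags; now that the wrapper struct is gone, extracting a small constructor would keep each test's intent visible and make future field additions a one-line change. Two of those tests (TestTLSMultipleRootInClietCACert and TestTLSSelfSignedCert) set TLSMinVersion where the others set TLSMaxVersion, which looks unintentional and is worth confirming before folding them into the helper. The body of this function continues past the hunk.
```go
// testTLSListener builds the listener used by the TLS client-CA checks in
// this file; only the client CA file and the two client-cert flags vary.
func testTLSListener(clientCAFile string, requireAndVerify, disableClientCerts bool) *configutil.Listener {
	return &configutil.Listener{
		Type:                          "tcp",
		Address:                       "127.0.0.1:443",
		ClusterAddress:                "127.0.0.1:8201",
		TLSCertFile:                   "./../../api/test-fixtures/keys/cert.pem",
		TLSKeyFile:                    "./../../api/test-fixtures/keys/key.pem",
		TLSClientCAFile:               clientCAFile,
		TLSMaxVersion:                 "tls10",
		TLSRequireAndVerifyClientCert: requireAndVerify,
		TLSDisableClientCerts:         disableClientCerts,
	}
}

// in TestTLSClientCAFileCheck:
listeners := []*configutil.Listener{
	testTLSListener("./../../api/test-fixtures/root/rootcacert.pem", true, false),
}
// … unchanged: ListenerChecks call and assertions …
```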
@ -446,19 +411,17 @@ func TestTLSClientCAFileCheck(t *testing.T) {
// TestTLSLeafCertInClientCAFile checks if a leafCert exist in TLSClientCAFile // TestTLSLeafCertInClientCAFile checks if a leafCert exist in TLSClientCAFile
func TestTLSLeafCertInClientCAFile(t *testing.T) { func TestTLSLeafCertInClientCAFile(t *testing.T) {
listeners := []listenerutil.Listener{ listeners := []*configutil.Listener{
{ {
Config: &configutil.Listener{ Type: "tcp",
Type: "tcp", Address: "127.0.0.1:443",
Address: "127.0.0.1:443", ClusterAddress: "127.0.0.1:8201",
ClusterAddress: "127.0.0.1:8201", TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
TLSCertFile: "./../../api/test-fixtures/keys/cert.pem", TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem", TLSClientCAFile: "./test-fixtures/goodcertbadroot.pem",
TLSClientCAFile: "./test-fixtures/goodcertbadroot.pem", TLSMaxVersion: "tls10",
TLSMaxVersion: "tls10", TLSRequireAndVerifyClientCert: true,
TLSRequireAndVerifyClientCert: true, TLSDisableClientCerts: false,
TLSDisableClientCerts: false,
},
}, },
} }
_, errs := ListenerChecks(context.Background(), listeners) _, errs := ListenerChecks(context.Background(), listeners)
@ -472,19 +435,17 @@ func TestTLSLeafCertInClientCAFile(t *testing.T) {
// TestTLSNoRootInClientCAFile checks if no Root cert exist in TLSClientCAFile // TestTLSNoRootInClientCAFile checks if no Root cert exist in TLSClientCAFile
func TestTLSNoRootInClientCAFile(t *testing.T) { func TestTLSNoRootInClientCAFile(t *testing.T) {
listeners := []listenerutil.Listener{ listeners := []*configutil.Listener{
{ {
Config: &configutil.Listener{ Type: "tcp",
Type: "tcp", Address: "127.0.0.1:443",
Address: "127.0.0.1:443", ClusterAddress: "127.0.0.1:8201",
ClusterAddress: "127.0.0.1:8201", TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
TLSCertFile: "./../../api/test-fixtures/keys/cert.pem", TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem", TLSClientCAFile: "./test-fixtures/intermediateCert.pem",
TLSClientCAFile: "./test-fixtures/intermediateCert.pem", TLSMaxVersion: "tls10",
TLSMaxVersion: "tls10", TLSRequireAndVerifyClientCert: true,
TLSRequireAndVerifyClientCert: true, TLSDisableClientCerts: false,
TLSDisableClientCerts: false,
},
}, },
} }
_, errs := ListenerChecks(context.Background(), listeners) _, errs := ListenerChecks(context.Background(), listeners)
@ -498,19 +459,17 @@ func TestTLSNoRootInClientCAFile(t *testing.T) {
// TestTLSIntermediateCertInClientCAFile checks if an intermediate cert is included in TLSClientCAFile // TestTLSIntermediateCertInClientCAFile checks if an intermediate cert is included in TLSClientCAFile
func TestTLSIntermediateCertInClientCAFile(t *testing.T) { func TestTLSIntermediateCertInClientCAFile(t *testing.T) {
listeners := []listenerutil.Listener{ listeners := []*configutil.Listener{
{ {
Config: &configutil.Listener{ Type: "tcp",
Type: "tcp", Address: "127.0.0.1:443",
Address: "127.0.0.1:443", ClusterAddress: "127.0.0.1:8201",
ClusterAddress: "127.0.0.1:8201", TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
TLSCertFile: "./../../api/test-fixtures/keys/cert.pem", TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem", TLSClientCAFile: "./test-fixtures/chain.crt.pem",
TLSClientCAFile: "./test-fixtures/chain.crt.pem", TLSMaxVersion: "tls10",
TLSMaxVersion: "tls10", TLSRequireAndVerifyClientCert: true,
TLSRequireAndVerifyClientCert: true, TLSDisableClientCerts: false,
TLSDisableClientCerts: false,
},
}, },
} }
_, errs := ListenerChecks(context.Background(), listeners) _, errs := ListenerChecks(context.Background(), listeners)
@ -524,19 +483,17 @@ func TestTLSIntermediateCertInClientCAFile(t *testing.T) {
// TestTLSMultipleRootInClietCACert checks if multiple roots included in TLSClientCAFile // TestTLSMultipleRootInClietCACert checks if multiple roots included in TLSClientCAFile
func TestTLSMultipleRootInClietCACert(t *testing.T) { func TestTLSMultipleRootInClietCACert(t *testing.T) {
listeners := []listenerutil.Listener{ listeners := []*configutil.Listener{
{ {
Config: &configutil.Listener{ Type: "tcp",
Type: "tcp", Address: "127.0.0.1:443",
Address: "127.0.0.1:443", ClusterAddress: "127.0.0.1:8201",
ClusterAddress: "127.0.0.1:8201", TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
TLSCertFile: "./../../api/test-fixtures/keys/cert.pem", TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem", TLSClientCAFile: "./test-fixtures/twoRootCA.pem",
TLSClientCAFile: "./test-fixtures/twoRootCA.pem", TLSMinVersion: "tls10",
TLSMinVersion: "tls10", TLSRequireAndVerifyClientCert: true,
TLSRequireAndVerifyClientCert: true, TLSDisableClientCerts: false,
TLSDisableClientCerts: false,
},
}, },
} }
warnings, errs := ListenerChecks(context.Background(), listeners) warnings, errs := ListenerChecks(context.Background(), listeners)
@ -552,20 +509,18 @@ func TestTLSMultipleRootInClietCACert(t *testing.T) {
} }
// TestTLSSelfSignedCerts tests invalid self-signed cert as TLSClientCAFile // TestTLSSelfSignedCerts tests invalid self-signed cert as TLSClientCAFile
func TestTLSSelfSignedCerts(t *testing.T) { func TestTLSSelfSignedCert(t *testing.T) {
listeners := []listenerutil.Listener{ listeners := []*configutil.Listener{
{ {
Config: &configutil.Listener{ Type: "tcp",
Type: "tcp", Address: "127.0.0.1:443",
Address: "127.0.0.1:443", ClusterAddress: "127.0.0.1:8201",
ClusterAddress: "127.0.0.1:8201", TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
TLSCertFile: "./../../api/test-fixtures/keys/cert.pem", TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem", TLSClientCAFile: "test-fixtures/selfSignedCert.pem",
TLSClientCAFile: "test-fixtures/selfSignedCert.pem", TLSMinVersion: "tls10",
TLSMinVersion: "tls10", TLSRequireAndVerifyClientCert: true,
TLSRequireAndVerifyClientCert: true, TLSDisableClientCerts: false,
TLSDisableClientCerts: false,
},
}, },
} }
_, errs := ListenerChecks(context.Background(), listeners) _, errs := ListenerChecks(context.Background(), listeners)
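Review bot: The function was renamed to TestTLSSelfSignedCert, but the doc comment on the line above still names TestTLSSelfSignedCerts, so it no longer starts with the function name as Go doc tooling expects. Suggest `// TestTLSSelfSignedCert checks that a self-signed cert used as TLSClientCAFile is reported as invalid`. The body of this function continues past the hunk.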


@ -11,7 +11,6 @@ import (
wrapping "github.com/hashicorp/go-kms-wrapping" wrapping "github.com/hashicorp/go-kms-wrapping"
"github.com/hashicorp/vault/physical/raft" "github.com/hashicorp/vault/physical/raft"
"github.com/hashicorp/vault/vault/diagnose"
"github.com/hashicorp/vault/vault/seal" "github.com/hashicorp/vault/vault/seal"
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead" aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
@ -467,11 +466,9 @@ func (c *Core) UnsealWithStoredKeys(ctx context.Context) error {
// This usually happens when auto-unseal is configured, but the servers have // This usually happens when auto-unseal is configured, but the servers have
// not been initialized yet. // not been initialized yet.
if len(keys) == 0 { if len(keys) == 0 {
diagnose.Error(ctx, errors.New("stored unseal keys are supported, but none were found"))
return NewNonFatalError(errors.New("stored unseal keys are supported, but none were found")) return NewNonFatalError(errors.New("stored unseal keys are supported, but none were found"))
} }
if len(keys) != 1 { if len(keys) != 1 {
diagnose.Error(ctx, errors.New("expected exactly one stored key"))
return NewNonFatalError(errors.New("expected exactly one stored key")) return NewNonFatalError(errors.New("expected exactly one stored key"))
} }
@ -485,7 +482,6 @@ func (c *Core) UnsealWithStoredKeys(ctx context.Context) error {
// subset of the required threshold of keys. We still consider this a // subset of the required threshold of keys. We still consider this a
// "success", since trying again would yield the same result. // "success", since trying again would yield the same result.
c.Logger().Warn("vault still sealed after using stored unseal key") c.Logger().Warn("vault still sealed after using stored unseal key")
diagnose.Warn(ctx, "vault still sealed after using stored unseal key")
} else { } else {
c.Logger().Info("unsealed with stored key") c.Logger().Info("unsealed with stored key")
} }