Rename SealInfo to SealWrapper. (#22689)

command/operator_diagnose.go

@@ -538,11 +538,11 @@ SEALFAIL:
 		randReaderTestName := "Initialize Randomness for Core"
 		var sources []*configutil.EntropySourcerInfo
 		if barrierSeal != nil {
-			for _, sealInfo := range barrierSeal.GetAccess().GetEnabledSealInfoByPriority() {
-				if s, ok := sealInfo.Wrapper.(entropy.Sourcer); ok {
+			for _, sealWrapper := range barrierSeal.GetAccess().GetEnabledSealWrappersByPriority() {
+				if s, ok := sealWrapper.Wrapper.(entropy.Sourcer); ok {
 					sources = append(sources, &configutil.EntropySourcerInfo{
 						Sourcer: s,
-						Name:    sealInfo.Name,
+						Name:    sealWrapper.Name,
 					})
 				}
 			}

command/server.go

@@ -1254,11 +1254,11 @@ func (c *ServerCommand) Run(args []string) int {
 	// prepare a secure random reader for core
 	entropyAugLogger := c.logger.Named("entropy-augmentation")
 	var entropySources []*configutil.EntropySourcerInfo
-	for _, sealInfo := range setSealResponse.barrierSeal.GetAccess().GetEnabledSealInfoByPriority() {
-		if s, ok := sealInfo.Wrapper.(entropy.Sourcer); ok {
+	for _, sealWrapper := range setSealResponse.barrierSeal.GetAccess().GetEnabledSealWrappersByPriority() {
+		if s, ok := sealWrapper.Wrapper.(entropy.Sourcer); ok {
 			entropySources = append(entropySources, &configutil.EntropySourcerInfo{
 				Sourcer: s,
-				Name:    sealInfo.Name,
+				Name:    sealWrapper.Name,
 			})
 		}
 	}
@@ -2564,8 +2564,8 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
 	recordSealConfigError := func(err error) {
 		sealConfigError = errors.Join(sealConfigError, err)
 	}
-	enabledSealInfos := make([]vaultseal.SealInfo, 0)
-	disabledSealInfos := make([]vaultseal.SealInfo, 0)
+	enabledSealWrappers := make([]vaultseal.SealWrapper, 0)
+	disabledSealWrappers := make([]vaultseal.SealWrapper, 0)
 	allSealKmsConfigs := make([]*configutil.KMS, 0)
 
 	type infoKeysAndMap struct {
@@ -2607,7 +2607,7 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
 			wrapper = aeadwrapper.NewShamirWrapper()
 		}
 
-		sealInfo := vaultseal.SealInfo{
+		sealWrapper := vaultseal.SealWrapper{
 			Wrapper:        wrapper,
 			Priority:       configSeal.Priority,
 			Name:           configSeal.Name,
@@ -2616,13 +2616,13 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
 		}
 
 		if configSeal.Disabled {
-			disabledSealInfos = append(disabledSealInfos, sealInfo)
+			disabledSealWrappers = append(disabledSealWrappers, sealWrapper)
 		} else {
-			enabledSealInfos = append(enabledSealInfos, sealInfo)
+			enabledSealWrappers = append(enabledSealWrappers, sealWrapper)
 		}
 		allSealKmsConfigs = append(allSealKmsConfigs, configSeal)
 
-		sealWrapperInfoKeysMap[sealInfo.Name] = infoKeysAndMap{
+		sealWrapperInfoKeysMap[sealWrapper.Name] = infoKeysAndMap{
 			keys:   wrapperInfoKeys,
 			theMap: wrapperInfoMap,
 		}
@@ -2631,25 +2631,25 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
 	////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 	// Set the info keys, this modifies the function arguments `info` and `infoKeys`
 	// TODO(SEALHA): Why are we doing this? What is its use?
-	appendWrapperInfoKeys := func(prefix string, sealInfos []vaultseal.SealInfo) {
-		if len(sealInfos) > 0 {
+	appendWrapperInfoKeys := func(prefix string, sealWrappers []vaultseal.SealWrapper) {
+		if len(sealWrappers) > 0 {
 			useName := false
-			if len(sealInfos) > 1 {
+			if len(sealWrappers) > 1 {
 				useName = true
 			}
-			for _, sealInfo := range sealInfos {
+			for _, sealWrapper := range sealWrappers {
 				if useName {
-					prefix = fmt.Sprintf("%s %s ", prefix, sealInfo.Name)
+					prefix = fmt.Sprintf("%s %s ", prefix, sealWrapper.Name)
 				}
-				for _, k := range sealWrapperInfoKeysMap[sealInfo.Name].keys {
+				for _, k := range sealWrapperInfoKeysMap[sealWrapper.Name].keys {
 					infoKeys = append(infoKeys, prefix+k)
-					info[prefix+k] = sealWrapperInfoKeysMap[sealInfo.Name].theMap[k]
+					info[prefix+k] = sealWrapperInfoKeysMap[sealWrapper.Name].theMap[k]
 				}
 			}
 		}
 	}
-	appendWrapperInfoKeys("", enabledSealInfos)
-	appendWrapperInfoKeys("Old", disabledSealInfos)
+	appendWrapperInfoKeys("", enabledSealWrappers)
+	appendWrapperInfoKeys("Old", disabledSealWrappers)
 
 	////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 	// Compute seal generation
@@ -2662,8 +2662,8 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
 	////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 	// Create the Seals
 
-	containsShamir := func(sealInfos []vaultseal.SealInfo) bool {
-		for _, si := range sealInfos {
+	containsShamir := func(sealWrappers []vaultseal.SealWrapper) bool {
+		for _, si := range sealWrappers {
 			if vault.SealConfigTypeShamir.IsSameAs(si.SealConfigType) {
 				return true
 			}
@@ -2679,36 +2679,36 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
 	var unwrapSeal vault.Seal
 
 	switch {
-	case len(enabledSealInfos) == 0:
+	case len(enabledSealWrappers) == 0:
 		return nil, errors.New("no enabled Seals in configuration")
 
-	case containsShamir(enabledSealInfos) && containsShamir(disabledSealInfos):
+	case containsShamir(enabledSealWrappers) && containsShamir(disabledSealWrappers):
 		return nil, errors.New("shamir seals cannot be set disabled (they should simply not be set)")
 
-	case len(enabledSealInfos) == 1 && containsShamir(enabledSealInfos):
+	case len(enabledSealWrappers) == 1 && containsShamir(enabledSealWrappers):
 		// The barrier seal is Shamir. If there are any disabled seals, then we put them all in the same
 		// autoSeal.
-		barrierSeal = vault.NewDefaultSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, enabledSealInfos))
-		if len(disabledSealInfos) > 0 {
-			unwrapSeal = vault.NewAutoSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, disabledSealInfos))
+		barrierSeal = vault.NewDefaultSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, enabledSealWrappers))
+		if len(disabledSealWrappers) > 0 {
+			unwrapSeal = vault.NewAutoSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, disabledSealWrappers))
 		}
 
-	case len(disabledSealInfos) == 1 && containsShamir(disabledSealInfos):
+	case len(disabledSealWrappers) == 1 && containsShamir(disabledSealWrappers):
 		// The unwrap seal is Shamir, we are migrating to an autoSeal.
-		barrierSeal = vault.NewAutoSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, enabledSealInfos))
-		unwrapSeal = vault.NewDefaultSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, disabledSealInfos))
+		barrierSeal = vault.NewAutoSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, enabledSealWrappers))
+		unwrapSeal = vault.NewDefaultSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, disabledSealWrappers))
 
 	case sealHaBetaEnabled:
 		// We know we are not using Shamir seal, that we are not migrating away from one, and seal HA is enabled,
 		// so just put enabled and disabled wrappers on the same seal Access
-		allSealInfos := append(enabledSealInfos, disabledSealInfos...)
-		barrierSeal = vault.NewAutoSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, allSealInfos))
+		allSealWrappers := append(enabledSealWrappers, disabledSealWrappers...)
+		barrierSeal = vault.NewAutoSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, allSealWrappers))
 
-	case len(enabledSealInfos) == 1:
+	case len(enabledSealWrappers) == 1:
 		// We may have multiple seals disabled, but we know Shamir is not one of them.
-		barrierSeal = vault.NewAutoSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, enabledSealInfos))
-		if len(disabledSealInfos) > 0 {
-			unwrapSeal = vault.NewAutoSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, disabledSealInfos))
+		barrierSeal = vault.NewAutoSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, enabledSealWrappers))
+		if len(disabledSealWrappers) > 0 {
+			unwrapSeal = vault.NewAutoSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, disabledSealWrappers))
 		}
 
 	default:

helper/testhelpers/seal/sealhelper.go

@@ -73,7 +73,7 @@ func (tss *TransitSealServer) MakeSeal(t testing.T, key string) (vault.Seal, err
 		t.Fatalf("error setting wrapper config: %v", err)
 	}
 
-	access, err := seal.NewAccessFromSealInfo(tss.Logger, 1, true, []seal.SealInfo{
+	access, err := seal.NewAccessFromSealWrappers(tss.Logger, 1, true, []seal.SealWrapper{
 		{
 			Wrapper:  transitSealWrapper,
 			Priority: 1,

vault/core.go

@@ -1103,7 +1103,7 @@ func CreateCore(conf *CoreConfig) (*Core, error) {
 		wrapper := aeadwrapper.NewShamirWrapper()
 		wrapper.SetConfig(context.Background(), awskms.WithLogger(c.logger.Named("shamir")))
 
-		access, err := vaultseal.NewAccessFromSealInfo(c.logger, 1, true, []vaultseal.SealInfo{
+		access, err := vaultseal.NewAccessFromSealWrappers(c.logger, 1, true, []vaultseal.SealWrapper{
 			{
 				Wrapper:  wrapper,
 				Priority: 1,
@@ -2872,7 +2872,7 @@ func (c *Core) adjustForSealMigration(unwrapSeal Seal) error {
 
 			// See note about creating a SealGenerationInfo for the unwrap seal in
 			// function setSeal in server.go.
-			sealAccess, err := vaultseal.NewAccessFromSealInfo(c.logger, 1, true, []vaultseal.SealInfo{
+			sealAccess, err := vaultseal.NewAccessFromSealWrappers(c.logger, 1, true, []vaultseal.SealWrapper{
 				{
 					Wrapper:  aeadwrapper.NewShamirWrapper(),
 					Priority: 1,
@@ -3100,7 +3100,7 @@ func (c *Core) unsealKeyToRootKey(ctx context.Context, seal Seal, combinedKey []
 		if useTestSeal {
 			// Note that the seal generation should not matter, since the only thing we are doing with
 			// this seal is calling GetStoredKeys (i.e. we are not encrypting anything).
-			sealAccess, err := vaultseal.NewAccessFromSealInfo(c.logger, 1, true, []vaultseal.SealInfo{
+			sealAccess, err := vaultseal.NewAccessFromSealWrappers(c.logger, 1, true, []vaultseal.SealWrapper{
 				{
 					Wrapper:  aeadwrapper.NewShamirWrapper(),
 					Priority: 1,

vault/logical_system.go

@@ -4833,17 +4833,17 @@ func (c *Core) GetSealBackendStatus(ctx context.Context) (*SealBackendStatusResp
 	if a, ok := c.seal.(*autoSeal); ok {
 		r.Healthy = c.seal.Healthy()
 		var uhMin time.Time
-		for _, s := range a.GetAllSealInfoByPriority() {
+		for _, sealWrapper := range a.GetAllSealWrappersByPriority() {
 			b := SealBackendStatus{
-				Name:    s.Name,
-				Healthy: s.Healthy,
+				Name:    sealWrapper.Name,
+				Healthy: sealWrapper.Healthy,
 			}
-			if !s.Healthy {
-				if !s.LastSeenHealthy.IsZero() {
-					b.UnhealthySince = s.LastSeenHealthy.String()
+			if !sealWrapper.Healthy {
+				if !sealWrapper.LastSeenHealthy.IsZero() {
+					b.UnhealthySince = sealWrapper.LastSeenHealthy.String()
 				}
-				if uhMin.IsZero() || uhMin.After(s.LastSeenHealthy) {
-					uhMin = s.LastSeenHealthy
+				if uhMin.IsZero() || uhMin.After(sealWrapper.LastSeenHealthy) {
+					uhMin = sealWrapper.LastSeenHealthy
 				}
 			}
 			r.Backends = append(r.Backends, b)

vault/rekey.go

@@ -400,7 +400,7 @@ func (c *Core) BarrierRekeyUpdate(ctx context.Context, key []byte, nonce string)
 		}
 	case c.seal.BarrierSealConfigType() == SealConfigTypeShamir:
 		if c.seal.StoredKeysSupported() == seal.StoredKeysSupportedShamirRoot {
-			access, err := seal.NewAccessFromSealInfo(c.logger, c.seal.GetAccess().Generation(), true, []seal.SealInfo{
+			access, err := seal.NewAccessFromSealWrappers(c.logger, c.seal.GetAccess().Generation(), true, []seal.SealWrapper{
 				{
 					Wrapper:  aeadwrapper.NewShamirWrapper(),
 					Priority: 1,

vault/seal/seal.go

@@ -158,7 +158,8 @@ func (sgi *SealGenerationInfo) UnmarshalJSON(b []byte) error {
 	return nil
 }
 
-type SealInfo struct {
+// SealWrapper contains a Wrapper and related information needed by the seal that uses it.
+type SealWrapper struct {
 	wrapping.Wrapper
 	Priority int
 	Name     string
@@ -176,8 +177,8 @@ type SealInfo struct {
 	Healthy         bool
 }
 
-func (si *SealInfo) keyId(ctx context.Context) string {
-	if id, err := si.Wrapper.KeyId(ctx); err == nil {
+func (sw *SealWrapper) keyId(ctx context.Context) string {
+	if id, err := sw.Wrapper.KeyId(ctx); err == nil {
 		return id
 	}
 	return ""
@@ -216,44 +217,44 @@ type Access interface {
 	SetShamirSealKey([]byte) error
 	GetShamirKeyBytes(ctx context.Context) ([]byte, error)
 
-	// GetAllSealInfoByPriority returns all the SealInfo for all the seal wrappers, including disabled ones.
-	GetAllSealInfoByPriority() []*SealInfo
+	// GetAllSealWrappersByPriority returns all the SealWrapper for all the seal wrappers, including disabled ones.
+	GetAllSealWrappersByPriority() []*SealWrapper
 
-	// GetEnabledSealInfoByPriority returns the SealInfo for the enabled seal wrappers.
-	GetEnabledSealInfoByPriority() []*SealInfo
+	// GetEnabledSealWrappersByPriority returns the SealWrapper for the enabled seal wrappers.
+	GetEnabledSealWrappersByPriority() []*SealWrapper
 
-	// AllSealsHealthy returns whether all enabled SealInfos are currently healthy.
-	AllSealsHealthy() bool
+	// AllSealsWrappersHealthy returns whether all enabled SealWrappers are currently healthy.
+	AllSealWrappersHealthy() bool
 
 	GetSealGenerationInfo() *SealGenerationInfo
 }
 
 type access struct {
 	sealGenerationInfo *SealGenerationInfo
-	wrappersByPriority []*SealInfo
+	wrappersByPriority []*SealWrapper
 	keyIdSet           keyIdSet
 	logger             hclog.Logger
 }
 
 var _ Access = (*access)(nil)
 
-func NewAccess(logger hclog.Logger, sealGenerationInfo *SealGenerationInfo, sealInfos []SealInfo) Access {
+func NewAccess(logger hclog.Logger, sealGenerationInfo *SealGenerationInfo, sealWrappers []SealWrapper) Access {
 	if logger == nil {
 		logger = hclog.NewNullLogger()
 	}
 	if sealGenerationInfo == nil {
 		panic("cannot create a seal.Access without a SealGenerationInfo")
 	}
-	if len(sealInfos) == 0 {
-		panic("cannot create a seal.Access without any seal info")
+	if len(sealWrappers) == 0 {
+		panic("cannot create a seal.Access without any seal wrappers")
 	}
 	a := &access{
 		sealGenerationInfo: sealGenerationInfo,
 		logger:             logger,
 	}
-	a.wrappersByPriority = make([]*SealInfo, len(sealInfos))
-	for i, sealInfo := range sealInfos {
-		v := sealInfo
+	a.wrappersByPriority = make([]*SealWrapper, len(sealWrappers))
+	for i, sw := range sealWrappers {
+		v := sw
 		a.wrappersByPriority[i] = &v
 		v.Healthy = true
 		v.LastSeenHealthy = time.Now()
@@ -264,56 +265,56 @@ func NewAccess(logger hclog.Logger, sealGenerationInfo *SealGenerationInfo, seal
 	return a
 }
 
-func NewAccessFromSealInfo(logger hclog.Logger, generation uint64, rewrapped bool, sealInfos []SealInfo) (Access, error) {
+func NewAccessFromSealWrappers(logger hclog.Logger, generation uint64, rewrapped bool, sealWrappers []SealWrapper) (Access, error) {
 	sealGenerationInfo := &SealGenerationInfo{
 		Generation: generation,
 	}
 	sealGenerationInfo.SetRewrapped(rewrapped)
 	ctx := context.Background()
-	for _, sealInfo := range sealInfos {
-		typ, err := sealInfo.Wrapper.Type(ctx)
+	for _, sw := range sealWrappers {
+		typ, err := sw.Wrapper.Type(ctx)
 		if err != nil {
 			return nil, err
 		}
 		sealGenerationInfo.Seals = append(sealGenerationInfo.Seals, &configutil.KMS{
 			Type:     typ.String(),
-			Priority: sealInfo.Priority,
-			Name:     sealInfo.Name,
+			Priority: sw.Priority,
+			Name:     sw.Name,
 		})
 	}
-	return NewAccess(logger, sealGenerationInfo, sealInfos), nil
+	return NewAccess(logger, sealGenerationInfo, sealWrappers), nil
 }
 
-func (a *access) GetAllSealInfoByPriority() []*SealInfo {
-	return copySealInfos(a.wrappersByPriority, false)
+func (a *access) GetAllSealWrappersByPriority() []*SealWrapper {
+	return copySealWrappers(a.wrappersByPriority, false)
 }
 
-func (a *access) GetEnabledSealInfoByPriority() []*SealInfo {
-	return copySealInfos(a.wrappersByPriority, true)
+func (a *access) GetEnabledSealWrappersByPriority() []*SealWrapper {
+	return copySealWrappers(a.wrappersByPriority, true)
 }
 
-func (a *access) AllSealsHealthy() bool {
-	for _, si := range a.wrappersByPriority {
+func (a *access) AllSealWrappersHealthy() bool {
+	for _, sw := range a.wrappersByPriority {
 		// Ignore disabled seals
-		if si.Disabled {
+		if sw.Disabled {
 			continue
 		}
-		si.HcLock.RLock()
-		defer si.HcLock.RUnlock()
-		if !si.Healthy {
+		sw.HcLock.RLock()
+		defer sw.HcLock.RUnlock()
+		if !sw.Healthy {
 			return false
 		}
 	}
 	return true
 }
 
-func copySealInfos(sealInfos []*SealInfo, enabledOnly bool) []*SealInfo {
-	ret := make([]*SealInfo, 0, len(sealInfos))
-	for _, si := range sealInfos {
-		if enabledOnly && si.Disabled {
+func copySealWrappers(sealWrappers []*SealWrapper, enabledOnly bool) []*SealWrapper {
+	ret := make([]*SealWrapper, 0, len(sealWrappers))
+	for _, sw := range sealWrappers {
+		if enabledOnly && sw.Disabled {
 			continue
 		}
-		ret = append(ret, si)
+		ret = append(ret, sw)
 	}
 	return ret
 }
@@ -328,7 +329,7 @@ func (a *access) Generation() uint64 {
 
 func (a *access) GetEnabledWrappers() []wrapping.Wrapper {
 	var ret []wrapping.Wrapper
-	for _, si := range a.GetEnabledSealInfoByPriority() {
+	for _, si := range a.GetEnabledSealWrappersByPriority() {
 		ret = append(ret, si.Wrapper)
 	}
 	return ret
@@ -336,15 +337,15 @@ func (a *access) GetEnabledWrappers() []wrapping.Wrapper {
 
 func (a *access) Init(ctx context.Context, options ...wrapping.Option) error {
 	var keyIds []string
-	for _, sealInfo := range a.GetAllSealInfoByPriority() {
-		if initWrapper, ok := sealInfo.Wrapper.(wrapping.InitFinalizer); ok {
+	for _, sealWrapper := range a.GetAllSealWrappersByPriority() {
+		if initWrapper, ok := sealWrapper.Wrapper.(wrapping.InitFinalizer); ok {
 			if err := initWrapper.Init(ctx, options...); err != nil {
 				return err
 			}
-			keyId, err := sealInfo.Wrapper.KeyId(ctx)
+			keyId, err := sealWrapper.Wrapper.KeyId(ctx)
 			if err != nil {
-				a.logger.Warn("cannot determine key ID for seal", "seal", sealInfo.Name, "err", err)
-				return fmt.Errorf("cannod determine key ID for seal %s: %w", sealInfo.Name, err)
+				a.logger.Warn("cannot determine key ID for seal", "seal", sealWrapper.Name, "err", err)
+				return fmt.Errorf("cannod determine key ID for seal %s: %w", sealWrapper.Name, err)
 			}
 			keyIds = append(keyIds, keyId)
 		}
@@ -382,30 +383,30 @@ func (a *access) Encrypt(ctx context.Context, plaintext []byte, options ...wrapp
 	var slots []*wrapping.BlobInfo
 	errs := make(map[string]error)
 
-	for _, sealInfo := range a.GetEnabledSealInfoByPriority() {
+	for _, sealWrapper := range a.GetEnabledSealWrappersByPriority() {
 		var encryptErr error
 		defer func(now time.Time) {
 			metrics.MeasureSince([]string{"seal", "encrypt", "time"}, now)
-			metrics.MeasureSince([]string{"seal", sealInfo.Name, "encrypt", "time"}, now)
+			metrics.MeasureSince([]string{"seal", sealWrapper.Name, "encrypt", "time"}, now)
 
 			if encryptErr != nil {
 				metrics.IncrCounter([]string{"seal", "encrypt", "error"}, 1)
-				metrics.IncrCounter([]string{"seal", sealInfo.Name, "encrypt", "error"}, 1)
+				metrics.IncrCounter([]string{"seal", sealWrapper.Name, "encrypt", "error"}, 1)
 			}
 		}(time.Now())
 
 		metrics.IncrCounter([]string{"seal", "encrypt"}, 1)
-		metrics.IncrCounter([]string{"seal", sealInfo.Name, "encrypt"}, 1)
+		metrics.IncrCounter([]string{"seal", sealWrapper.Name, "encrypt"}, 1)
 
-		ciphertext, encryptErr := sealInfo.Wrapper.Encrypt(ctx, plaintext, options...)
+		ciphertext, encryptErr := sealWrapper.Wrapper.Encrypt(ctx, plaintext, options...)
 		if encryptErr != nil {
-			a.logger.Warn("error encrypting with seal", "seal", sealInfo.Name)
-			a.logger.Trace("error encrypting with seal", "seal", sealInfo.Name, "err", encryptErr)
+			a.logger.Warn("error encrypting with seal", "seal", sealWrapper.Name)
+			a.logger.Trace("error encrypting with seal", "seal", sealWrapper.Name, "err", encryptErr)
 
-			errs[sealInfo.Name] = encryptErr
-			sealInfo.Healthy = false
+			errs[sealWrapper.Name] = encryptErr
+			sealWrapper.Healthy = false
 		} else {
-			a.logger.Trace("encrypted value using seal", "seal", sealInfo.Name, "keyId", ciphertext.KeyInfo.KeyId)
+			a.logger.Trace("encrypted value using seal", "seal", sealWrapper.Name, "keyId", ciphertext.KeyInfo.KeyId)
 
 			slots = append(slots, ciphertext)
 		}
@@ -417,7 +418,7 @@ func (a *access) Encrypt(ctx context.Context, plaintext []byte, options ...wrapp
 	}
 
 	a.logger.Trace("successfully encrypted value", "encryption seal wrappers", len(slots), "total enabled seal wrappers",
-		len(a.GetEnabledSealInfoByPriority()))
+		len(a.GetEnabledSealWrappersByPriority()))
 	ret := &MultiWrapValue{
 		Generation: a.Generation(),
 		Slots:      slots,
@@ -443,61 +444,61 @@ func (a *access) Decrypt(ctx context.Context, ciphertext *MultiWrapValue, option
 	}
 
 	// First, lets try the wrappers in order of priority and look for an exact key ID match
-	for _, sealInfo := range a.GetAllSealInfoByPriority() {
-		if keyId, err := sealInfo.Wrapper.KeyId(ctx); err == nil {
+	for _, sealWrapper := range a.GetAllSealWrappersByPriority() {
+		if keyId, err := sealWrapper.Wrapper.KeyId(ctx); err == nil {
 			if blobInfo, ok := blobInfoMap[keyId]; ok {
-				pt, oldKey, err := a.tryDecrypt(ctx, sealInfo, blobInfo, options)
+				pt, oldKey, err := a.tryDecrypt(ctx, sealWrapper, blobInfo, options)
 				if oldKey {
-					a.logger.Trace("decrypted using OldKey", "seal", sealInfo.Name)
+					a.logger.Trace("decrypted using OldKey", "seal", sealWrapper.Name)
 					return pt, false, err
 				}
 				if err == nil {
-					a.logger.Trace("decrypted value using seal", "seal", sealInfo.Name)
+					a.logger.Trace("decrypted value using seal", "seal", sealWrapper.Name)
 					return pt, isUpToDate, nil
 				}
 				// If there is an error, keep trying with the other wrappers
-				a.logger.Trace("error decrypting with seal, will try other seals", "seal", sealInfo.Name, "keyId", keyId, "err", err)
+				a.logger.Trace("error decrypting with seal, will try other seals", "seal", sealWrapper.Name, "keyId", keyId, "err", err)
 			}
 		}
 	}
 
 	// No key ID match, so try each wrapper with all slots
 	errs := make(map[string]error)
-	for _, sealInfo := range a.GetAllSealInfoByPriority() {
+	for _, sealWrapper := range a.GetAllSealWrappersByPriority() {
 		for _, blobInfo := range ciphertext.Slots {
-			pt, oldKey, err := a.tryDecrypt(ctx, sealInfo, blobInfo, options)
+			pt, oldKey, err := a.tryDecrypt(ctx, sealWrapper, blobInfo, options)
 			if oldKey {
-				a.logger.Trace("decrypted using OldKey", "seal", sealInfo.Name)
+				a.logger.Trace("decrypted using OldKey", "seal", sealWrapper.Name)
 				return pt, false, err
 			}
 			if err == nil {
-				a.logger.Trace("decrypted value using seal", "seal", sealInfo.Name)
+				a.logger.Trace("decrypted value using seal", "seal", sealWrapper.Name)
 				return pt, isUpToDate, nil
 			}
-			errs[sealInfo.Name] = err
+			errs[sealWrapper.Name] = err
 		}
 	}
 
 	return nil, false, JoinSealWrapErrors("error decrypting seal wrapped value", errs)
 }
 
-func (a *access) tryDecrypt(ctx context.Context, sealInfo *SealInfo, ciphertext *wrapping.BlobInfo, options []wrapping.Option) ([]byte, bool, error) {
+func (a *access) tryDecrypt(ctx context.Context, sealWrapper *SealWrapper, ciphertext *wrapping.BlobInfo, options []wrapping.Option) ([]byte, bool, error) {
 	var decryptErr error
 	defer func(now time.Time) {
 		metrics.MeasureSince([]string{"seal", "decrypt", "time"}, now)
-		metrics.MeasureSince([]string{"seal", sealInfo.Name, "decrypt", "time"}, now)
+		metrics.MeasureSince([]string{"seal", sealWrapper.Name, "decrypt", "time"}, now)
 
 		if decryptErr != nil {
 			metrics.IncrCounter([]string{"seal", "decrypt", "error"}, 1)
-			metrics.IncrCounter([]string{"seal", sealInfo.Name, "decrypt", "error"}, 1)
+			metrics.IncrCounter([]string{"seal", sealWrapper.Name, "decrypt", "error"}, 1)
 		}
 		// TODO (multiseal): log an error?
 	}(time.Now())
 
 	metrics.IncrCounter([]string{"seal", "decrypt"}, 1)
-	metrics.IncrCounter([]string{"seal", sealInfo.Name, "decrypt"}, 1)
+	metrics.IncrCounter([]string{"seal", sealWrapper.Name, "decrypt"}, 1)
 
-	pt, err := sealInfo.Wrapper.Decrypt(ctx, ciphertext, options...)
+	pt, err := sealWrapper.Wrapper.Decrypt(ctx, ciphertext, options...)
 	isOldKey := false
 	if err != nil && err.Error() == "decrypted with old key" {
 		// This is for compatibility with sealWrapMigration
@@ -517,7 +518,7 @@ func JoinSealWrapErrors(msg string, errorMap map[string]error) error {
 func (a *access) Finalize(ctx context.Context, options ...wrapping.Option) error {
 	var errs []error
 
-	for _, w := range a.GetAllSealInfoByPriority() {
+	for _, w := range a.GetAllSealWrappersByPriority() {
 		if finalizeWrapper, ok := w.Wrapper.(wrapping.InitFinalizer); ok {
 			if err := finalizeWrapper.Finalize(ctx, options...); err != nil {
 				errs = append(errs, err)

vault/seal/seal_testing.go

@@ -43,17 +43,17 @@ func NewTestSealOpts(opts *TestSealOpts) *TestSealOpts {
 func NewTestSeal(opts *TestSealOpts) (Access, []*ToggleableWrapper) {
 	opts = NewTestSealOpts(opts)
 	wrappers := make([]*ToggleableWrapper, opts.WrapperCount)
-	sealInfos := make([]SealInfo, opts.WrapperCount)
+	sealWrappers := make([]SealWrapper, opts.WrapperCount)
 	for i := 0; i < opts.WrapperCount; i++ {
 		wrappers[i] = &ToggleableWrapper{Wrapper: wrapping.NewTestWrapper(opts.Secret)}
-		sealInfos[i] = SealInfo{
+		sealWrappers[i] = SealWrapper{
 			Wrapper:  wrappers[i],
 			Priority: i + 1,
 			Name:     fmt.Sprintf("%s-%d", opts.Name, i+1),
 		}
 	}
 
-	sealAccess, err := NewAccessFromSealInfo(nil, opts.Generation, true, sealInfos)
+	sealAccess, err := NewAccessFromSealWrappers(nil, opts.Generation, true, sealWrappers)
 	if err != nil {
 		panic(err)
 	}
@@ -64,12 +64,12 @@ func NewToggleableTestSeal(opts *TestSealOpts) (Access, []func(error)) {
 	opts = NewTestSealOpts(opts)
 
 	wrappers := make([]*ToggleableWrapper, opts.WrapperCount)
-	sealInfos := make([]SealInfo, opts.WrapperCount)
+	sealWrappers := make([]SealWrapper, opts.WrapperCount)
 	funcs := make([]func(error), opts.WrapperCount)
 	for i := 0; i < opts.WrapperCount; i++ {
 		w := &ToggleableWrapper{Wrapper: wrapping.NewTestWrapper(opts.Secret)}
 		wrappers[i] = w
-		sealInfos[i] = SealInfo{
+		sealWrappers[i] = SealWrapper{
 			Wrapper:  wrappers[i],
 			Priority: i + 1,
 			Name:     fmt.Sprintf("%s-%d", opts.Name, i+1),
@@ -77,7 +77,7 @@ func NewToggleableTestSeal(opts *TestSealOpts) (Access, []func(error)) {
 		funcs[i] = w.SetError
 	}
 
-	sealAccess, err := NewAccessFromSealInfo(nil, opts.Generation, true, sealInfos)
+	sealAccess, err := NewAccessFromSealWrappers(nil, opts.Generation, true, sealWrappers)
 	if err != nil {
 		panic(err)
 	}

vault/seal_autoseal.go

@@ -475,45 +475,45 @@ func (d *autoSeal) StartHealthCheck() {
 
 			testVal := fmt.Sprintf("Heartbeat %d", mathrand.Intn(1000))
 			anyUnhealthy := false
-			for _, w := range d.Access.GetAllSealInfoByPriority() {
+			for _, sealWrapper := range d.Access.GetAllSealWrappersByPriority() {
 				func() {
-					w.HcLock.Lock()
-					defer w.HcLock.Unlock()
-					mLabels := []metrics.Label{{Name: "seal_name", Value: w.Name}}
+					sealWrapper.HcLock.Lock()
+					defer sealWrapper.HcLock.Unlock()
+					mLabels := []metrics.Label{{Name: "seal_name", Value: sealWrapper.Name}}
 					fail := func(msg string, args ...interface{}) {
 						d.logger.Warn(msg, args...)
-						if w.Healthy {
+						if sealWrapper.Healthy {
 							healthCheck.Reset(sealHealthTestIntervalUnhealthy)
 						}
-						w.Healthy = false
-						d.core.MetricSink().SetGaugeWithLabels(autoSealUnavailableDuration, float32(time.Since(w.LastSeenHealthy).Milliseconds()), mLabels)
+						sealWrapper.Healthy = false
+						d.core.MetricSink().SetGaugeWithLabels(autoSealUnavailableDuration, float32(time.Since(sealWrapper.LastSeenHealthy).Milliseconds()), mLabels)
 					}
-					ciphertext, err := w.Encrypt(ctx, []byte(testVal), nil)
+					ciphertext, err := sealWrapper.Encrypt(ctx, []byte(testVal), nil)
 					checkTime := time.Now()
-					w.LastHealthCheck = checkTime
+					sealWrapper.LastHealthCheck = checkTime
 
 					if err != nil {
-						fail("failed to encrypt seal health test value, seal backend may be unreachable", "error", err, "seal_name", w.Name)
+						fail("failed to encrypt seal health test value, seal backend may be unreachable", "error", err, "seal_name", sealWrapper.Name)
 						anyUnhealthy = true
 					} else {
 						func() {
 							ctx, cancel := context.WithTimeout(ctx, sealHealthTestTimeout)
 							defer cancel()
-							plaintext, err := w.Decrypt(ctx, ciphertext, nil)
+							plaintext, err := sealWrapper.Decrypt(ctx, ciphertext, nil)
 							if err != nil {
-								fail("failed to decrypt seal health test value, seal backend may be unreachable", "error", err, "seal_name", w.Name)
+								fail("failed to decrypt seal health test value, seal backend may be unreachable", "error", err, "seal_name", sealWrapper.Name)
 							}
 							if !bytes.Equal([]byte(testVal), plaintext) {
-								fail("seal health test value failed to decrypt to expected value", "seal_name", w.Name)
+								fail("seal health test value failed to decrypt to expected value", "seal_name", sealWrapper.Name)
 							} else {
-								d.logger.Debug("seal health test passed", "seal_name", w.Name)
-								if !w.Healthy {
-									d.logger.Info("seal backend is now healthy again", "downtime", t.Sub(w.LastSeenHealthy).String(), "seal_name", w.Name)
+								d.logger.Debug("seal health test passed", "seal_name", sealWrapper.Name)
+								if !sealWrapper.Healthy {
+									d.logger.Info("seal backend is now healthy again", "downtime", t.Sub(sealWrapper.LastSeenHealthy).String(), "seal_name", sealWrapper.Name)
 									healthCheck.Reset(sealHealthTestIntervalNominal)
 								}
 
-								w.Healthy = true
-								w.LastSeenHealthy = checkTime
+								sealWrapper.Healthy = true
+								sealWrapper.LastSeenHealthy = checkTime
 								d.core.MetricSink().SetGaugeWithLabels(autoSealUnavailableDuration, 0, mLabels)
 							}
 						}()

vault/seal_testing_util.go

@@ -18,7 +18,7 @@ func NewTestSeal(t testing.T, opts *seal.TestSealOpts) Seal {
 	switch opts.StoredKeys {
 	case seal.StoredKeysSupportedShamirRoot:
 		w := aeadwrapper.NewShamirWrapper()
-		sealAccess, err := seal.NewAccessFromSealInfo(logger, opts.Generation, true, []seal.SealInfo{
+		sealAccess, err := seal.NewAccessFromSealWrappers(logger, opts.Generation, true, []seal.SealWrapper{
 			{
 				Wrapper:  w,
 				Priority: 1,
@@ -38,7 +38,7 @@ func NewTestSeal(t testing.T, opts *seal.TestSealOpts) Seal {
 		return newSeal
 	case seal.StoredKeysNotSupported:
 		w := aeadwrapper.NewShamirWrapper()
-		sealAccess, err := seal.NewAccessFromSealInfo(logger, opts.Generation, true, []seal.SealInfo{
+		sealAccess, err := seal.NewAccessFromSealWrappers(logger, opts.Generation, true, []seal.SealWrapper{
 			{
 				Wrapper:  w,
 				Priority: 1,