diff --git a/command/operator_diagnose.go b/command/operator_diagnose.go index 0f9c096836..0fa75fb88b 100644 --- a/command/operator_diagnose.go +++ b/command/operator_diagnose.go @@ -538,11 +538,11 @@ SEALFAIL: randReaderTestName := "Initialize Randomness for Core" var sources []*configutil.EntropySourcerInfo if barrierSeal != nil { - for _, sealInfo := range barrierSeal.GetAccess().GetEnabledSealInfoByPriority() { - if s, ok := sealInfo.Wrapper.(entropy.Sourcer); ok { + for _, sealWrapper := range barrierSeal.GetAccess().GetEnabledSealWrappersByPriority() { + if s, ok := sealWrapper.Wrapper.(entropy.Sourcer); ok { sources = append(sources, &configutil.EntropySourcerInfo{ Sourcer: s, - Name: sealInfo.Name, + Name: sealWrapper.Name, }) } } diff --git a/command/server.go b/command/server.go index aa2fd339d8..7aa2e15c38 100644 --- a/command/server.go +++ b/command/server.go @@ -1254,11 +1254,11 @@ func (c *ServerCommand) Run(args []string) int { // prepare a secure random reader for core entropyAugLogger := c.logger.Named("entropy-augmentation") var entropySources []*configutil.EntropySourcerInfo - for _, sealInfo := range setSealResponse.barrierSeal.GetAccess().GetEnabledSealInfoByPriority() { - if s, ok := sealInfo.Wrapper.(entropy.Sourcer); ok { + for _, sealWrapper := range setSealResponse.barrierSeal.GetAccess().GetEnabledSealWrappersByPriority() { + if s, ok := sealWrapper.Wrapper.(entropy.Sourcer); ok { entropySources = append(entropySources, &configutil.EntropySourcerInfo{ Sourcer: s, - Name: sealInfo.Name, + Name: sealWrapper.Name, }) } } @@ -2564,8 +2564,8 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma recordSealConfigError := func(err error) { sealConfigError = errors.Join(sealConfigError, err) } - enabledSealInfos := make([]vaultseal.SealInfo, 0) - disabledSealInfos := make([]vaultseal.SealInfo, 0) + enabledSealWrappers := make([]vaultseal.SealWrapper, 0) + disabledSealWrappers := make([]vaultseal.SealWrapper, 0) allSealKmsConfigs := make([]*configutil.KMS, 0) type infoKeysAndMap struct { @@ -2607,7 +2607,7 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma wrapper = aeadwrapper.NewShamirWrapper() } - sealInfo := vaultseal.SealInfo{ + sealWrapper := vaultseal.SealWrapper{ Wrapper: wrapper, Priority: configSeal.Priority, Name: configSeal.Name, @@ -2616,13 +2616,13 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma } if configSeal.Disabled { - disabledSealInfos = append(disabledSealInfos, sealInfo) + disabledSealWrappers = append(disabledSealWrappers, sealWrapper) } else { - enabledSealInfos = append(enabledSealInfos, sealInfo) + enabledSealWrappers = append(enabledSealWrappers, sealWrapper) } allSealKmsConfigs = append(allSealKmsConfigs, configSeal) - sealWrapperInfoKeysMap[sealInfo.Name] = infoKeysAndMap{ + sealWrapperInfoKeysMap[sealWrapper.Name] = infoKeysAndMap{ keys: wrapperInfoKeys, theMap: wrapperInfoMap, } @@ -2631,25 +2631,25 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma //////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // Set the info keys, this modifies the function arguments `info` and `infoKeys` // TODO(SEALHA): Why are we doing this? What is its use? - appendWrapperInfoKeys := func(prefix string, sealInfos []vaultseal.SealInfo) { - if len(sealInfos) > 0 { + appendWrapperInfoKeys := func(prefix string, sealWrappers []vaultseal.SealWrapper) { + if len(sealWrappers) > 0 { useName := false - if len(sealInfos) > 1 { + if len(sealWrappers) > 1 { useName = true } - for _, sealInfo := range sealInfos { + for _, sealWrapper := range sealWrappers { if useName { - prefix = fmt.Sprintf("%s %s ", prefix, sealInfo.Name) + prefix = fmt.Sprintf("%s %s ", prefix, sealWrapper.Name) } - for _, k := range sealWrapperInfoKeysMap[sealInfo.Name].keys { + for _, k := range sealWrapperInfoKeysMap[sealWrapper.Name].keys { infoKeys = append(infoKeys, prefix+k) - info[prefix+k] = sealWrapperInfoKeysMap[sealInfo.Name].theMap[k] + info[prefix+k] = sealWrapperInfoKeysMap[sealWrapper.Name].theMap[k] } } } } - appendWrapperInfoKeys("", enabledSealInfos) - appendWrapperInfoKeys("Old", disabledSealInfos) + appendWrapperInfoKeys("", enabledSealWrappers) + appendWrapperInfoKeys("Old", disabledSealWrappers) //////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // Compute seal generation @@ -2662,8 +2662,8 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma //////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // Create the Seals - containsShamir := func(sealInfos []vaultseal.SealInfo) bool { - for _, si := range sealInfos { + containsShamir := func(sealWrappers []vaultseal.SealWrapper) bool { + for _, si := range sealWrappers { if vault.SealConfigTypeShamir.IsSameAs(si.SealConfigType) { return true } @@ -2679,36 +2679,36 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma var unwrapSeal vault.Seal switch { - case len(enabledSealInfos) == 0: + case len(enabledSealWrappers) == 0: return nil, errors.New("no enabled Seals in configuration") - case containsShamir(enabledSealInfos) && containsShamir(disabledSealInfos): + case containsShamir(enabledSealWrappers) && containsShamir(disabledSealWrappers): return nil, errors.New("shamir seals cannot be set disabled (they should simply not be set)") - case len(enabledSealInfos) == 1 && containsShamir(enabledSealInfos): + case len(enabledSealWrappers) == 1 && containsShamir(enabledSealWrappers): // The barrier seal is Shamir. If there are any disabled seals, then we put them all in the same // autoSeal. - barrierSeal = vault.NewDefaultSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, enabledSealInfos)) - if len(disabledSealInfos) > 0 { - unwrapSeal = vault.NewAutoSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, disabledSealInfos)) + barrierSeal = vault.NewDefaultSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, enabledSealWrappers)) + if len(disabledSealWrappers) > 0 { + unwrapSeal = vault.NewAutoSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, disabledSealWrappers)) } - case len(disabledSealInfos) == 1 && containsShamir(disabledSealInfos): + case len(disabledSealWrappers) == 1 && containsShamir(disabledSealWrappers): // The unwrap seal is Shamir, we are migrating to an autoSeal. - barrierSeal = vault.NewAutoSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, enabledSealInfos)) - unwrapSeal = vault.NewDefaultSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, disabledSealInfos)) + barrierSeal = vault.NewAutoSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, enabledSealWrappers)) + unwrapSeal = vault.NewDefaultSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, disabledSealWrappers)) case sealHaBetaEnabled: // We know we are not using Shamir seal, that we are not migrating away from one, and seal HA is enabled, // so just put enabled and disabled wrappers on the same seal Access - allSealInfos := append(enabledSealInfos, disabledSealInfos...) - barrierSeal = vault.NewAutoSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, allSealInfos)) + allSealWrappers := append(enabledSealWrappers, disabledSealWrappers...) + barrierSeal = vault.NewAutoSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, allSealWrappers)) - case len(enabledSealInfos) == 1: + case len(enabledSealWrappers) == 1: // We may have multiple seals disabled, but we know Shamir is not one of them. - barrierSeal = vault.NewAutoSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, enabledSealInfos)) - if len(disabledSealInfos) > 0 { - unwrapSeal = vault.NewAutoSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, disabledSealInfos)) + barrierSeal = vault.NewAutoSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, enabledSealWrappers)) + if len(disabledSealWrappers) > 0 { + unwrapSeal = vault.NewAutoSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, disabledSealWrappers)) } default: diff --git a/helper/testhelpers/seal/sealhelper.go b/helper/testhelpers/seal/sealhelper.go index 458056b630..8f54a2cd14 100644 --- a/helper/testhelpers/seal/sealhelper.go +++ b/helper/testhelpers/seal/sealhelper.go @@ -73,7 +73,7 @@ func (tss *TransitSealServer) MakeSeal(t testing.T, key string) (vault.Seal, err t.Fatalf("error setting wrapper config: %v", err) } - access, err := seal.NewAccessFromSealInfo(tss.Logger, 1, true, []seal.SealInfo{ + access, err := seal.NewAccessFromSealWrappers(tss.Logger, 1, true, []seal.SealWrapper{ { Wrapper: transitSealWrapper, Priority: 1, diff --git a/vault/core.go b/vault/core.go index 5da2ade3bb..1ff8ff5950 100644 --- a/vault/core.go +++ b/vault/core.go @@ -1103,7 +1103,7 @@ func CreateCore(conf *CoreConfig) (*Core, error) { wrapper := aeadwrapper.NewShamirWrapper() wrapper.SetConfig(context.Background(), awskms.WithLogger(c.logger.Named("shamir"))) - access, err := vaultseal.NewAccessFromSealInfo(c.logger, 1, true, []vaultseal.SealInfo{ + access, err := vaultseal.NewAccessFromSealWrappers(c.logger, 1, true, []vaultseal.SealWrapper{ { Wrapper: wrapper, Priority: 1, @@ -2872,7 +2872,7 @@ func (c *Core) adjustForSealMigration(unwrapSeal Seal) error { // See note about creating a SealGenerationInfo for the unwrap seal in // function setSeal in server.go. - sealAccess, err := vaultseal.NewAccessFromSealInfo(c.logger, 1, true, []vaultseal.SealInfo{ + sealAccess, err := vaultseal.NewAccessFromSealWrappers(c.logger, 1, true, []vaultseal.SealWrapper{ { Wrapper: aeadwrapper.NewShamirWrapper(), Priority: 1, @@ -3100,7 +3100,7 @@ func (c *Core) unsealKeyToRootKey(ctx context.Context, seal Seal, combinedKey [] if useTestSeal { // Note that the seal generation should not matter, since the only thing we are doing with // this seal is calling GetStoredKeys (i.e. we are not encrypting anything). - sealAccess, err := vaultseal.NewAccessFromSealInfo(c.logger, 1, true, []vaultseal.SealInfo{ + sealAccess, err := vaultseal.NewAccessFromSealWrappers(c.logger, 1, true, []vaultseal.SealWrapper{ { Wrapper: aeadwrapper.NewShamirWrapper(), Priority: 1, diff --git a/vault/logical_system.go b/vault/logical_system.go index 0f033a6489..e66cb60a47 100644 --- a/vault/logical_system.go +++ b/vault/logical_system.go @@ -4833,17 +4833,17 @@ func (c *Core) GetSealBackendStatus(ctx context.Context) (*SealBackendStatusResp if a, ok := c.seal.(*autoSeal); ok { r.Healthy = c.seal.Healthy() var uhMin time.Time - for _, s := range a.GetAllSealInfoByPriority() { + for _, sealWrapper := range a.GetAllSealWrappersByPriority() { b := SealBackendStatus{ - Name: s.Name, - Healthy: s.Healthy, + Name: sealWrapper.Name, + Healthy: sealWrapper.Healthy, } - if !s.Healthy { - if !s.LastSeenHealthy.IsZero() { - b.UnhealthySince = s.LastSeenHealthy.String() + if !sealWrapper.Healthy { + if !sealWrapper.LastSeenHealthy.IsZero() { + b.UnhealthySince = sealWrapper.LastSeenHealthy.String() } - if uhMin.IsZero() || uhMin.After(s.LastSeenHealthy) { - uhMin = s.LastSeenHealthy + if uhMin.IsZero() || uhMin.After(sealWrapper.LastSeenHealthy) { + uhMin = sealWrapper.LastSeenHealthy } } r.Backends = append(r.Backends, b) diff --git a/vault/rekey.go b/vault/rekey.go index 2d5766c23b..fc7e200c83 100644 --- a/vault/rekey.go +++ b/vault/rekey.go @@ -400,7 +400,7 @@ func (c *Core) BarrierRekeyUpdate(ctx context.Context, key []byte, nonce string) } case c.seal.BarrierSealConfigType() == SealConfigTypeShamir: if c.seal.StoredKeysSupported() == seal.StoredKeysSupportedShamirRoot { - access, err := seal.NewAccessFromSealInfo(c.logger, c.seal.GetAccess().Generation(), true, []seal.SealInfo{ + access, err := seal.NewAccessFromSealWrappers(c.logger, c.seal.GetAccess().Generation(), true, []seal.SealWrapper{ { Wrapper: aeadwrapper.NewShamirWrapper(), Priority: 1, diff --git a/vault/seal/seal.go b/vault/seal/seal.go index 0ad9ad5b7d..ca08f6d42c 100644 --- a/vault/seal/seal.go +++ b/vault/seal/seal.go @@ -158,7 +158,8 @@ func (sgi *SealGenerationInfo) UnmarshalJSON(b []byte) error { return nil } -type SealInfo struct { +// SealWrapper contains a Wrapper and related information needed by the seal that uses it. +type SealWrapper struct { wrapping.Wrapper Priority int Name string @@ -176,8 +177,8 @@ type SealInfo struct { Healthy bool } -func (si *SealInfo) keyId(ctx context.Context) string { - if id, err := si.Wrapper.KeyId(ctx); err == nil { +func (sw *SealWrapper) keyId(ctx context.Context) string { + if id, err := sw.Wrapper.KeyId(ctx); err == nil { return id } return "" @@ -216,44 +217,44 @@ type Access interface { SetShamirSealKey([]byte) error GetShamirKeyBytes(ctx context.Context) ([]byte, error) - // GetAllSealInfoByPriority returns all the SealInfo for all the seal wrappers, including disabled ones. - GetAllSealInfoByPriority() []*SealInfo + // GetAllSealWrappersByPriority returns all the SealWrapper for all the seal wrappers, including disabled ones. + GetAllSealWrappersByPriority() []*SealWrapper - // GetEnabledSealInfoByPriority returns the SealInfo for the enabled seal wrappers. - GetEnabledSealInfoByPriority() []*SealInfo + // GetEnabledSealWrappersByPriority returns the SealWrapper for the enabled seal wrappers. + GetEnabledSealWrappersByPriority() []*SealWrapper - // AllSealsHealthy returns whether all enabled SealInfos are currently healthy. - AllSealsHealthy() bool + // AllSealsWrappersHealthy returns whether all enabled SealWrappers are currently healthy. + AllSealWrappersHealthy() bool GetSealGenerationInfo() *SealGenerationInfo } type access struct { sealGenerationInfo *SealGenerationInfo - wrappersByPriority []*SealInfo + wrappersByPriority []*SealWrapper keyIdSet keyIdSet logger hclog.Logger } var _ Access = (*access)(nil) -func NewAccess(logger hclog.Logger, sealGenerationInfo *SealGenerationInfo, sealInfos []SealInfo) Access { +func NewAccess(logger hclog.Logger, sealGenerationInfo *SealGenerationInfo, sealWrappers []SealWrapper) Access { if logger == nil { logger = hclog.NewNullLogger() } if sealGenerationInfo == nil { panic("cannot create a seal.Access without a SealGenerationInfo") } - if len(sealInfos) == 0 { - panic("cannot create a seal.Access without any seal info") + if len(sealWrappers) == 0 { + panic("cannot create a seal.Access without any seal wrappers") } a := &access{ sealGenerationInfo: sealGenerationInfo, logger: logger, } - a.wrappersByPriority = make([]*SealInfo, len(sealInfos)) - for i, sealInfo := range sealInfos { - v := sealInfo + a.wrappersByPriority = make([]*SealWrapper, len(sealWrappers)) + for i, sw := range sealWrappers { + v := sw a.wrappersByPriority[i] = &v v.Healthy = true v.LastSeenHealthy = time.Now() @@ -264,56 +265,56 @@ func NewAccess(logger hclog.Logger, sealGenerationInfo *SealGenerationInfo, seal return a } -func NewAccessFromSealInfo(logger hclog.Logger, generation uint64, rewrapped bool, sealInfos []SealInfo) (Access, error) { +func NewAccessFromSealWrappers(logger hclog.Logger, generation uint64, rewrapped bool, sealWrappers []SealWrapper) (Access, error) { sealGenerationInfo := &SealGenerationInfo{ Generation: generation, } sealGenerationInfo.SetRewrapped(rewrapped) ctx := context.Background() - for _, sealInfo := range sealInfos { - typ, err := sealInfo.Wrapper.Type(ctx) + for _, sw := range sealWrappers { + typ, err := sw.Wrapper.Type(ctx) if err != nil { return nil, err } sealGenerationInfo.Seals = append(sealGenerationInfo.Seals, &configutil.KMS{ Type: typ.String(), - Priority: sealInfo.Priority, - Name: sealInfo.Name, + Priority: sw.Priority, + Name: sw.Name, }) } - return NewAccess(logger, sealGenerationInfo, sealInfos), nil + return NewAccess(logger, sealGenerationInfo, sealWrappers), nil } -func (a *access) GetAllSealInfoByPriority() []*SealInfo { - return copySealInfos(a.wrappersByPriority, false) +func (a *access) GetAllSealWrappersByPriority() []*SealWrapper { + return copySealWrappers(a.wrappersByPriority, false) } -func (a *access) GetEnabledSealInfoByPriority() []*SealInfo { - return copySealInfos(a.wrappersByPriority, true) +func (a *access) GetEnabledSealWrappersByPriority() []*SealWrapper { + return copySealWrappers(a.wrappersByPriority, true) } -func (a *access) AllSealsHealthy() bool { - for _, si := range a.wrappersByPriority { +func (a *access) AllSealWrappersHealthy() bool { + for _, sw := range a.wrappersByPriority { // Ignore disabled seals - if si.Disabled { + if sw.Disabled { continue } - si.HcLock.RLock() - defer si.HcLock.RUnlock() - if !si.Healthy { + sw.HcLock.RLock() + defer sw.HcLock.RUnlock() + if !sw.Healthy { return false } } return true } -func copySealInfos(sealInfos []*SealInfo, enabledOnly bool) []*SealInfo { - ret := make([]*SealInfo, 0, len(sealInfos)) - for _, si := range sealInfos { - if enabledOnly && si.Disabled { +func copySealWrappers(sealWrappers []*SealWrapper, enabledOnly bool) []*SealWrapper { + ret := make([]*SealWrapper, 0, len(sealWrappers)) + for _, sw := range sealWrappers { + if enabledOnly && sw.Disabled { continue } - ret = append(ret, si) + ret = append(ret, sw) } return ret } @@ -328,7 +329,7 @@ func (a *access) Generation() uint64 { func (a *access) GetEnabledWrappers() []wrapping.Wrapper { var ret []wrapping.Wrapper - for _, si := range a.GetEnabledSealInfoByPriority() { + for _, si := range a.GetEnabledSealWrappersByPriority() { ret = append(ret, si.Wrapper) } return ret @@ -336,15 +337,15 @@ func (a *access) GetEnabledWrappers() []wrapping.Wrapper { func (a *access) Init(ctx context.Context, options ...wrapping.Option) error { var keyIds []string - for _, sealInfo := range a.GetAllSealInfoByPriority() { - if initWrapper, ok := sealInfo.Wrapper.(wrapping.InitFinalizer); ok { + for _, sealWrapper := range a.GetAllSealWrappersByPriority() { + if initWrapper, ok := sealWrapper.Wrapper.(wrapping.InitFinalizer); ok { if err := initWrapper.Init(ctx, options...); err != nil { return err } - keyId, err := sealInfo.Wrapper.KeyId(ctx) + keyId, err := sealWrapper.Wrapper.KeyId(ctx) if err != nil { - a.logger.Warn("cannot determine key ID for seal", "seal", sealInfo.Name, "err", err) - return fmt.Errorf("cannod determine key ID for seal %s: %w", sealInfo.Name, err) + a.logger.Warn("cannot determine key ID for seal", "seal", sealWrapper.Name, "err", err) + return fmt.Errorf("cannod determine key ID for seal %s: %w", sealWrapper.Name, err) } keyIds = append(keyIds, keyId) } @@ -382,30 +383,30 @@ func (a *access) Encrypt(ctx context.Context, plaintext []byte, options ...wrapp var slots []*wrapping.BlobInfo errs := make(map[string]error) - for _, sealInfo := range a.GetEnabledSealInfoByPriority() { + for _, sealWrapper := range a.GetEnabledSealWrappersByPriority() { var encryptErr error defer func(now time.Time) { metrics.MeasureSince([]string{"seal", "encrypt", "time"}, now) - metrics.MeasureSince([]string{"seal", sealInfo.Name, "encrypt", "time"}, now) + metrics.MeasureSince([]string{"seal", sealWrapper.Name, "encrypt", "time"}, now) if encryptErr != nil { metrics.IncrCounter([]string{"seal", "encrypt", "error"}, 1) - metrics.IncrCounter([]string{"seal", sealInfo.Name, "encrypt", "error"}, 1) + metrics.IncrCounter([]string{"seal", sealWrapper.Name, "encrypt", "error"}, 1) } }(time.Now()) metrics.IncrCounter([]string{"seal", "encrypt"}, 1) - metrics.IncrCounter([]string{"seal", sealInfo.Name, "encrypt"}, 1) + metrics.IncrCounter([]string{"seal", sealWrapper.Name, "encrypt"}, 1) - ciphertext, encryptErr := sealInfo.Wrapper.Encrypt(ctx, plaintext, options...) + ciphertext, encryptErr := sealWrapper.Wrapper.Encrypt(ctx, plaintext, options...) if encryptErr != nil { - a.logger.Warn("error encrypting with seal", "seal", sealInfo.Name) - a.logger.Trace("error encrypting with seal", "seal", sealInfo.Name, "err", encryptErr) + a.logger.Warn("error encrypting with seal", "seal", sealWrapper.Name) + a.logger.Trace("error encrypting with seal", "seal", sealWrapper.Name, "err", encryptErr) - errs[sealInfo.Name] = encryptErr - sealInfo.Healthy = false + errs[sealWrapper.Name] = encryptErr + sealWrapper.Healthy = false } else { - a.logger.Trace("encrypted value using seal", "seal", sealInfo.Name, "keyId", ciphertext.KeyInfo.KeyId) + a.logger.Trace("encrypted value using seal", "seal", sealWrapper.Name, "keyId", ciphertext.KeyInfo.KeyId) slots = append(slots, ciphertext) } @@ -417,7 +418,7 @@ func (a *access) Encrypt(ctx context.Context, plaintext []byte, options ...wrapp } a.logger.Trace("successfully encrypted value", "encryption seal wrappers", len(slots), "total enabled seal wrappers", - len(a.GetEnabledSealInfoByPriority())) + len(a.GetEnabledSealWrappersByPriority())) ret := &MultiWrapValue{ Generation: a.Generation(), Slots: slots, @@ -443,61 +444,61 @@ func (a *access) Decrypt(ctx context.Context, ciphertext *MultiWrapValue, option } // First, lets try the wrappers in order of priority and look for an exact key ID match - for _, sealInfo := range a.GetAllSealInfoByPriority() { - if keyId, err := sealInfo.Wrapper.KeyId(ctx); err == nil { + for _, sealWrapper := range a.GetAllSealWrappersByPriority() { + if keyId, err := sealWrapper.Wrapper.KeyId(ctx); err == nil { if blobInfo, ok := blobInfoMap[keyId]; ok { - pt, oldKey, err := a.tryDecrypt(ctx, sealInfo, blobInfo, options) + pt, oldKey, err := a.tryDecrypt(ctx, sealWrapper, blobInfo, options) if oldKey { - a.logger.Trace("decrypted using OldKey", "seal", sealInfo.Name) + a.logger.Trace("decrypted using OldKey", "seal", sealWrapper.Name) return pt, false, err } if err == nil { - a.logger.Trace("decrypted value using seal", "seal", sealInfo.Name) + a.logger.Trace("decrypted value using seal", "seal", sealWrapper.Name) return pt, isUpToDate, nil } // If there is an error, keep trying with the other wrappers - a.logger.Trace("error decrypting with seal, will try other seals", "seal", sealInfo.Name, "keyId", keyId, "err", err) + a.logger.Trace("error decrypting with seal, will try other seals", "seal", sealWrapper.Name, "keyId", keyId, "err", err) } } } // No key ID match, so try each wrapper with all slots errs := make(map[string]error) - for _, sealInfo := range a.GetAllSealInfoByPriority() { + for _, sealWrapper := range a.GetAllSealWrappersByPriority() { for _, blobInfo := range ciphertext.Slots { - pt, oldKey, err := a.tryDecrypt(ctx, sealInfo, blobInfo, options) + pt, oldKey, err := a.tryDecrypt(ctx, sealWrapper, blobInfo, options) if oldKey { - a.logger.Trace("decrypted using OldKey", "seal", sealInfo.Name) + a.logger.Trace("decrypted using OldKey", "seal", sealWrapper.Name) return pt, false, err } if err == nil { - a.logger.Trace("decrypted value using seal", "seal", sealInfo.Name) + a.logger.Trace("decrypted value using seal", "seal", sealWrapper.Name) return pt, isUpToDate, nil } - errs[sealInfo.Name] = err + errs[sealWrapper.Name] = err } } return nil, false, JoinSealWrapErrors("error decrypting seal wrapped value", errs) } -func (a *access) tryDecrypt(ctx context.Context, sealInfo *SealInfo, ciphertext *wrapping.BlobInfo, options []wrapping.Option) ([]byte, bool, error) { +func (a *access) tryDecrypt(ctx context.Context, sealWrapper *SealWrapper, ciphertext *wrapping.BlobInfo, options []wrapping.Option) ([]byte, bool, error) { var decryptErr error defer func(now time.Time) { metrics.MeasureSince([]string{"seal", "decrypt", "time"}, now) - metrics.MeasureSince([]string{"seal", sealInfo.Name, "decrypt", "time"}, now) + metrics.MeasureSince([]string{"seal", sealWrapper.Name, "decrypt", "time"}, now) if decryptErr != nil { metrics.IncrCounter([]string{"seal", "decrypt", "error"}, 1) - metrics.IncrCounter([]string{"seal", sealInfo.Name, "decrypt", "error"}, 1) + metrics.IncrCounter([]string{"seal", sealWrapper.Name, "decrypt", "error"}, 1) } // TODO (multiseal): log an error? }(time.Now()) metrics.IncrCounter([]string{"seal", "decrypt"}, 1) - metrics.IncrCounter([]string{"seal", sealInfo.Name, "decrypt"}, 1) + metrics.IncrCounter([]string{"seal", sealWrapper.Name, "decrypt"}, 1) - pt, err := sealInfo.Wrapper.Decrypt(ctx, ciphertext, options...) + pt, err := sealWrapper.Wrapper.Decrypt(ctx, ciphertext, options...) isOldKey := false if err != nil && err.Error() == "decrypted with old key" { // This is for compatibility with sealWrapMigration @@ -517,7 +518,7 @@ func JoinSealWrapErrors(msg string, errorMap map[string]error) error { func (a *access) Finalize(ctx context.Context, options ...wrapping.Option) error { var errs []error - for _, w := range a.GetAllSealInfoByPriority() { + for _, w := range a.GetAllSealWrappersByPriority() { if finalizeWrapper, ok := w.Wrapper.(wrapping.InitFinalizer); ok { if err := finalizeWrapper.Finalize(ctx, options...); err != nil { errs = append(errs, err) diff --git a/vault/seal/seal_testing.go b/vault/seal/seal_testing.go index 2776309fdc..15ffc6268f 100644 --- a/vault/seal/seal_testing.go +++ b/vault/seal/seal_testing.go @@ -43,17 +43,17 @@ func NewTestSealOpts(opts *TestSealOpts) *TestSealOpts { func NewTestSeal(opts *TestSealOpts) (Access, []*ToggleableWrapper) { opts = NewTestSealOpts(opts) wrappers := make([]*ToggleableWrapper, opts.WrapperCount) - sealInfos := make([]SealInfo, opts.WrapperCount) + sealWrappers := make([]SealWrapper, opts.WrapperCount) for i := 0; i < opts.WrapperCount; i++ { wrappers[i] = &ToggleableWrapper{Wrapper: wrapping.NewTestWrapper(opts.Secret)} - sealInfos[i] = SealInfo{ + sealWrappers[i] = SealWrapper{ Wrapper: wrappers[i], Priority: i + 1, Name: fmt.Sprintf("%s-%d", opts.Name, i+1), } } - sealAccess, err := NewAccessFromSealInfo(nil, opts.Generation, true, sealInfos) + sealAccess, err := NewAccessFromSealWrappers(nil, opts.Generation, true, sealWrappers) if err != nil { panic(err) } @@ -64,12 +64,12 @@ func NewToggleableTestSeal(opts *TestSealOpts) (Access, []func(error)) { opts = NewTestSealOpts(opts) wrappers := make([]*ToggleableWrapper, opts.WrapperCount) - sealInfos := make([]SealInfo, opts.WrapperCount) + sealWrappers := make([]SealWrapper, opts.WrapperCount) funcs := make([]func(error), opts.WrapperCount) for i := 0; i < opts.WrapperCount; i++ { w := &ToggleableWrapper{Wrapper: wrapping.NewTestWrapper(opts.Secret)} wrappers[i] = w - sealInfos[i] = SealInfo{ + sealWrappers[i] = SealWrapper{ Wrapper: wrappers[i], Priority: i + 1, Name: fmt.Sprintf("%s-%d", opts.Name, i+1), @@ -77,7 +77,7 @@ func NewToggleableTestSeal(opts *TestSealOpts) (Access, []func(error)) { funcs[i] = w.SetError } - sealAccess, err := NewAccessFromSealInfo(nil, opts.Generation, true, sealInfos) + sealAccess, err := NewAccessFromSealWrappers(nil, opts.Generation, true, sealWrappers) if err != nil { panic(err) } diff --git a/vault/seal_autoseal.go b/vault/seal_autoseal.go index 0ef8b27fde..afe29846d0 100644 --- a/vault/seal_autoseal.go +++ b/vault/seal_autoseal.go @@ -475,45 +475,45 @@ func (d *autoSeal) StartHealthCheck() { testVal := fmt.Sprintf("Heartbeat %d", mathrand.Intn(1000)) anyUnhealthy := false - for _, w := range d.Access.GetAllSealInfoByPriority() { + for _, sealWrapper := range d.Access.GetAllSealWrappersByPriority() { func() { - w.HcLock.Lock() - defer w.HcLock.Unlock() - mLabels := []metrics.Label{{Name: "seal_name", Value: w.Name}} + sealWrapper.HcLock.Lock() + defer sealWrapper.HcLock.Unlock() + mLabels := []metrics.Label{{Name: "seal_name", Value: sealWrapper.Name}} fail := func(msg string, args ...interface{}) { d.logger.Warn(msg, args...) - if w.Healthy { + if sealWrapper.Healthy { healthCheck.Reset(sealHealthTestIntervalUnhealthy) } - w.Healthy = false - d.core.MetricSink().SetGaugeWithLabels(autoSealUnavailableDuration, float32(time.Since(w.LastSeenHealthy).Milliseconds()), mLabels) + sealWrapper.Healthy = false + d.core.MetricSink().SetGaugeWithLabels(autoSealUnavailableDuration, float32(time.Since(sealWrapper.LastSeenHealthy).Milliseconds()), mLabels) } - ciphertext, err := w.Encrypt(ctx, []byte(testVal), nil) + ciphertext, err := sealWrapper.Encrypt(ctx, []byte(testVal), nil) checkTime := time.Now() - w.LastHealthCheck = checkTime + sealWrapper.LastHealthCheck = checkTime if err != nil { - fail("failed to encrypt seal health test value, seal backend may be unreachable", "error", err, "seal_name", w.Name) + fail("failed to encrypt seal health test value, seal backend may be unreachable", "error", err, "seal_name", sealWrapper.Name) anyUnhealthy = true } else { func() { ctx, cancel := context.WithTimeout(ctx, sealHealthTestTimeout) defer cancel() - plaintext, err := w.Decrypt(ctx, ciphertext, nil) + plaintext, err := sealWrapper.Decrypt(ctx, ciphertext, nil) if err != nil { - fail("failed to decrypt seal health test value, seal backend may be unreachable", "error", err, "seal_name", w.Name) + fail("failed to decrypt seal health test value, seal backend may be unreachable", "error", err, "seal_name", sealWrapper.Name) } if !bytes.Equal([]byte(testVal), plaintext) { - fail("seal health test value failed to decrypt to expected value", "seal_name", w.Name) + fail("seal health test value failed to decrypt to expected value", "seal_name", sealWrapper.Name) } else { - d.logger.Debug("seal health test passed", "seal_name", w.Name) - if !w.Healthy { - d.logger.Info("seal backend is now healthy again", "downtime", t.Sub(w.LastSeenHealthy).String(), "seal_name", w.Name) + d.logger.Debug("seal health test passed", "seal_name", sealWrapper.Name) + if !sealWrapper.Healthy { + d.logger.Info("seal backend is now healthy again", "downtime", t.Sub(sealWrapper.LastSeenHealthy).String(), "seal_name", sealWrapper.Name) healthCheck.Reset(sealHealthTestIntervalNominal) } - w.Healthy = true - w.LastSeenHealthy = checkTime + sealWrapper.Healthy = true + sealWrapper.LastSeenHealthy = checkTime d.core.MetricSink().SetGaugeWithLabels(autoSealUnavailableDuration, 0, mLabels) } }() diff --git a/vault/seal_testing_util.go b/vault/seal_testing_util.go index b1e53bfd9e..edaf320103 100644 --- a/vault/seal_testing_util.go +++ b/vault/seal_testing_util.go @@ -18,7 +18,7 @@ func NewTestSeal(t testing.T, opts *seal.TestSealOpts) Seal { switch opts.StoredKeys { case seal.StoredKeysSupportedShamirRoot: w := aeadwrapper.NewShamirWrapper() - sealAccess, err := seal.NewAccessFromSealInfo(logger, opts.Generation, true, []seal.SealInfo{ + sealAccess, err := seal.NewAccessFromSealWrappers(logger, opts.Generation, true, []seal.SealWrapper{ { Wrapper: w, Priority: 1, @@ -38,7 +38,7 @@ func NewTestSeal(t testing.T, opts *seal.TestSealOpts) Seal { return newSeal case seal.StoredKeysNotSupported: w := aeadwrapper.NewShamirWrapper() - sealAccess, err := seal.NewAccessFromSealInfo(logger, opts.Generation, true, []seal.SealInfo{ + sealAccess, err := seal.NewAccessFromSealWrappers(logger, opts.Generation, true, []seal.SealWrapper{ { Wrapper: w, Priority: 1,