Validate seal generation info only if beta flag is enabled (#22741)

2025-12-24 19:01:51 +01:00 · 2023-09-05 13:13:43 -05:00 · 2023-09-05 13:13:43 -05:00 · dcb7083260
commit dcb7083260
parent b97ec49125
2 changed files with 91 additions and 16 deletions
--- a/command/server.go
+++ b/command/server.go
@ -2690,7 +2690,12 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
 	////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 	// Compute seal generation

-	sealGenerationInfo, err := c.computeSealGenerationInfo(existingSealGenerationInfo, allSealKmsConfigs, hasPartiallyWrappedPaths)
+	sealHaBetaEnabled, err := server.IsSealHABetaEnabled()
+	if err != nil {
+		return nil, err
+	}
+
+	sealGenerationInfo, err := c.computeSealGenerationInfo(existingSealGenerationInfo, allSealKmsConfigs, hasPartiallyWrappedPaths, sealHaBetaEnabled)
 	if err != nil {
 		return nil, err
 	}
@ -2706,10 +2711,6 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
 		}
 		return false
 	}
-	sealHaBetaEnabled, err := server.IsSealHABetaEnabled()
-	if err != nil {
-		return nil, err
-	}

 	var barrierSeal vault.Seal
 	var unwrapSeal vault.Seal
@ -2760,7 +2761,7 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
 	}, nil
 }

-func (c *ServerCommand) computeSealGenerationInfo(existingSealGenInfo *vaultseal.SealGenerationInfo, sealConfigs []*configutil.KMS, hasPartiallyWrappedPaths bool) (*vaultseal.SealGenerationInfo, error) {
+func (c *ServerCommand) computeSealGenerationInfo(existingSealGenInfo *vaultseal.SealGenerationInfo, sealConfigs []*configutil.KMS, hasPartiallyWrappedPaths bool, sealHaBetaEnabled bool) (*vaultseal.SealGenerationInfo, error) {
 	generation := uint64(1)

 	if existingSealGenInfo != nil {
@ -2778,9 +2779,11 @@ func (c *ServerCommand) computeSealGenerationInfo(existingSealGenInfo *vaultseal
 		Seals:      sealConfigs,
 	}

-	err := newSealGenInfo.Validate(existingSealGenInfo, hasPartiallyWrappedPaths)
-	if err != nil {
-		return nil, err
+	if sealHaBetaEnabled {
+		err := newSealGenInfo.Validate(existingSealGenInfo, hasPartiallyWrappedPaths)
+		if err != nil {
+			return nil, err
+		}
 	}

 	return newSealGenInfo, nil
--- a/command/server_sealgenerationinfo_test.go
+++ b/command/server_sealgenerationinfo_test.go
@ -29,6 +29,7 @@ func TestMultiSealCases(t *testing.T) {
 		expectedSealGenInfo      *seal.SealGenerationInfo
 		isRewrapped              bool
 		hasPartiallyWrappedPaths bool
+		sealHaBetaEnabled        bool
 		isErrorExpected          bool
 		expectedErrorMsg         string
 	}{
@ -53,6 +54,7 @@ func TestMultiSealCases(t *testing.T) {
 					},
 				},
 			},
+			sealHaBetaEnabled: true,
 		},
 		// none_to_auto
 		{
@ -75,6 +77,7 @@ func TestMultiSealCases(t *testing.T) {
 					},
 				},
 			},
+			sealHaBetaEnabled: true,
 		},
 		// none_to_multi
 		{
@ -92,8 +95,66 @@ func TestMultiSealCases(t *testing.T) {
 					Priority: 2,
 				},
 			},
-			isErrorExpected:  true,
-			expectedErrorMsg: "cannot add more than one seal",
+			isErrorExpected:   true,
+			expectedErrorMsg:  "cannot add more than one seal",
+			sealHaBetaEnabled: true,
+		},
+		// none_to_multi_with_disabled_seals_with_beta
+		{
+			name:                "none_to_multi_with_disabled_seals_with_beta",
+			existingSealGenInfo: nil,
+			allSealKmsConfigs: []*configutil.KMS{
+				{
+					Type:     "pkcs11",
+					Name:     "autoSeal1",
+					Priority: 1,
+				},
+				{
+					Type:     "pkcs11",
+					Name:     "autoSeal2",
+					Priority: 2,
+					Disabled: true,
+				},
+			},
+			isErrorExpected:   true,
+			expectedErrorMsg:  "cannot add more than one seal",
+			sealHaBetaEnabled: true,
+		},
+		// none_to_multi_with_disabled_seals_no_beta
+		{
+			name:                "none_to_multi_with_disabled_seals_no_beta",
+			existingSealGenInfo: nil,
+			allSealKmsConfigs: []*configutil.KMS{
+				{
+					Type:     "pkcs11",
+					Name:     "autoSeal1",
+					Priority: 1,
+				},
+				{
+					Type:     "pkcs11",
+					Name:     "autoSeal2",
+					Priority: 2,
+					Disabled: true,
+				},
+			},
+			isErrorExpected:   false,
+			sealHaBetaEnabled: false,
+			expectedSealGenInfo: &seal.SealGenerationInfo{
+				Generation: 1,
+				Seals: []*configutil.KMS{
+					{
+						Type:     "pkcs11",
+						Name:     "autoSeal1",
+						Priority: 1,
+					},
+					{
+						Type:     "pkcs11",
+						Name:     "autoSeal2",
+						Priority: 2,
+						Disabled: true,
+					},
+				},
+			},
 		},
 		// shamir_to_auto
 		{
@ -125,7 +186,8 @@ func TestMultiSealCases(t *testing.T) {
 					},
 				},
 			},
-			isRewrapped: false,
+			isRewrapped:       false,
+			sealHaBetaEnabled: true,
 		},
 		// shamir_to_multi
 		{
@ -152,9 +214,10 @@ func TestMultiSealCases(t *testing.T) {
 					Priority: 3,
 				},
 			},
-			isRewrapped:      false,
-			isErrorExpected:  true,
-			expectedErrorMsg: "cannot add more than one seal",
+			isRewrapped:       false,
+			sealHaBetaEnabled: true,
+			isErrorExpected:   true,
+			expectedErrorMsg:  "cannot add more than one seal",
 		},
 		// auto_to_shamir_no_common_seal
 		{
@ -178,6 +241,7 @@ func TestMultiSealCases(t *testing.T) {
 			},
 			isRewrapped:              true,
 			hasPartiallyWrappedPaths: false,
+			sealHaBetaEnabled:        true,
 			isErrorExpected:          true,
 			expectedErrorMsg:         "must have at least one seal in common with the old generation",
 		},
@ -225,6 +289,7 @@ func TestMultiSealCases(t *testing.T) {
 			},
 			isRewrapped:              true,
 			hasPartiallyWrappedPaths: false,
+			sealHaBetaEnabled:        true,
 		},
 		// auto_to_auto_no_common_seal
 		{
@ -248,6 +313,7 @@ func TestMultiSealCases(t *testing.T) {
 			},
 			isRewrapped:              true,
 			hasPartiallyWrappedPaths: false,
+			sealHaBetaEnabled:        true,
 			isErrorExpected:          true,
 			expectedErrorMsg:         "must have at least one seal in common with the old generation",
 		},
@ -295,6 +361,7 @@ func TestMultiSealCases(t *testing.T) {
 			},
 			isRewrapped:              true,
 			hasPartiallyWrappedPaths: false,
+			sealHaBetaEnabled:        true,
 		},
 		// auto_to_multi_add_one
 		{
@ -338,6 +405,7 @@ func TestMultiSealCases(t *testing.T) {
 			},
 			isRewrapped:              true,
 			hasPartiallyWrappedPaths: false,
+			sealHaBetaEnabled:        true,
 		},
 		// auto_to_multi_add_two
 		{
@ -371,6 +439,7 @@ func TestMultiSealCases(t *testing.T) {
 			},
 			isRewrapped:              true,
 			hasPartiallyWrappedPaths: false,
+			sealHaBetaEnabled:        true,
 			isErrorExpected:          true,
 			expectedErrorMsg:         "cannot add more than one seal",
 		},
@ -411,6 +480,7 @@ func TestMultiSealCases(t *testing.T) {
 			},
 			isRewrapped:              true,
 			hasPartiallyWrappedPaths: false,
+			sealHaBetaEnabled:        true,
 		},
 		// multi_to_auto_delete_two
 		{
@ -444,6 +514,7 @@ func TestMultiSealCases(t *testing.T) {
 			},
 			isRewrapped:              true,
 			hasPartiallyWrappedPaths: false,
+			sealHaBetaEnabled:        true,
 			isErrorExpected:          true,
 			expectedErrorMsg:         "cannot delete more than one seal",
 		},
@ -513,6 +584,7 @@ func TestMultiSealCases(t *testing.T) {
 			},
 			isRewrapped:              true,
 			hasPartiallyWrappedPaths: false,
+			sealHaBetaEnabled:        true,
 		},
 	}

@ -523,7 +595,7 @@ func TestMultiSealCases(t *testing.T) {
 			if tc.existingSealGenInfo != nil {
 				tc.existingSealGenInfo.SetRewrapped(tc.isRewrapped)
 			}
-			sealGenInfo, err := cmd.computeSealGenerationInfo(tc.existingSealGenInfo, tc.allSealKmsConfigs, tc.hasPartiallyWrappedPaths)
+			sealGenInfo, err := cmd.computeSealGenerationInfo(tc.existingSealGenInfo, tc.allSealKmsConfigs, tc.hasPartiallyWrappedPaths, tc.sealHaBetaEnabled)
 			switch {
 			case tc.isErrorExpected:
 				require.Error(t, err)