From 0575ca69551b5e48aa481cc51a0321fda541f03b Mon Sep 17 00:00:00 2001
From: Divya Pola <87338962+divyapola5@users.noreply.github.com>
Date: Fri, 10 Nov 2023 09:46:04 -0600
Subject: [PATCH] Community changes for seal-ha seal wrap backend unit tests (#24073)

---
 vault/seal/seal.go         |  7 +++---
 vault/seal/seal_testing.go | 44 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 4 deletions(-)

diff --git a/vault/seal/seal.go b/vault/seal/seal.go
index 0caa453053..6410b2a201 100644
--- a/vault/seal/seal.go
+++ b/vault/seal/seal.go
@@ -298,13 +298,13 @@ type Access interface {
 	SetShamirSealKey([]byte) error
 	GetShamirKeyBytes(ctx context.Context) ([]byte, error)
 
-	// GetConfiguredSealWrappersByPriority returns all the SealWrappers including disabled and unconfigured wrappers.
+	// GetAllSealWrappersByPriority returns all the SealWrappers including disabled and unconfigured wrappers.
 	GetAllSealWrappersByPriority() []*SealWrapper
 
 	// GetConfiguredSealWrappersByPriority returns all the configured SealWrappers for all the seal wrappers, including disabled ones.
 	GetConfiguredSealWrappersByPriority() []*SealWrapper
 
-	// GetEnabledSealWrappersByPriority returns the SealWrapper for the enabled seal wrappers.
+	// GetEnabledSealWrappersByPriority returns the SealWrappers for the enabled seal wrappers.
 	GetEnabledSealWrappersByPriority() []*SealWrapper
 
 	// AllSealsWrappersHealthy returns whether all enabled SealWrappers are currently healthy.
@@ -564,7 +564,7 @@ GATHER_RESULTS:
 				// Just being paranoid, encryptCtx.Err() should never be nil in this case
 				errs[sealWrapper.Name] = errors.New("context timeout exceeded")
 			}
-			// This failure did not happen on tryDecrypt, so we must log it here
+			// This failure did not happen on tryEncrypt, so we must log it here
 			a.logger.Trace("error encrypting with seal", "seal", sealWrapper.Name, "err", errs[sealWrapper.Name])
 		}
 	}
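Review bot: The doc comment on GetConfiguredSealWrappersByPriority, sitting between the two comments this hunk corrects, still reads "returns all the configured SealWrappers for all the seal wrappers, including disabled ones", where "for all the seal wrappers" is redundant with "all the configured SealWrappers". Since the hunk is already tidying the doc comments of this interface, suggest `// GetConfiguredSealWrappersByPriority returns all the configured SealWrappers, including disabled ones.` The Access interface begins before and continues past this hunk.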
@@ -726,7 +726,6 @@ GATHER_RESULTS:
 	}
 
 	// No wrapper was able to decrypt the value, return an error
-
 	if len(errs) > 0 {
 		return nil, false, JoinSealWrapErrors("error decrypting seal wrapped value", errs)
 	}
diff --git a/vault/seal/seal_testing.go b/vault/seal/seal_testing.go
index 52241f3e5e..56a7bcb46c 100644
--- a/vault/seal/seal_testing.go
+++ b/vault/seal/seal_testing.go
@@ -68,6 +68,50 @@ func NewTestSeal(opts *TestSealOpts) (Access, []*ToggleableWrapper) {
 	return sealAccess, wrappers
 }
 
+type TestSealWrapperOpts struct {
+	Logger       hclog.Logger
+	Secret       []byte
+	Name         wrapping.WrapperType
+	WrapperCount int
+}
+
+func CreateTestSealWrapperOpts(opts *TestSealWrapperOpts) *TestSealWrapperOpts {
+	if opts == nil {
+		opts = new(TestSealWrapperOpts)
+	}
+	if opts.WrapperCount == 0 {
+		opts.WrapperCount = 1
+	}
+	if opts.Logger == nil {
+		opts.Logger = logging.NewVaultLogger(hclog.Debug)
+	}
+	return opts
+}
+
+func CreateTestSealWrappers(opts *TestSealWrapperOpts) []*SealWrapper {
+	opts = CreateTestSealWrapperOpts(opts)
+	wrappers := make([]*ToggleableWrapper, opts.WrapperCount)
+	sealWrappers := make([]*SealWrapper, opts.WrapperCount)
+	ctx := context.Background()
+	for i := 0; i < opts.WrapperCount; i++ {
+		wrappers[i] = &ToggleableWrapper{Wrapper: wrapping.NewTestWrapper(opts.Secret)}
+		wrapperType, err := wrappers[i].Type(ctx)
+		if err != nil {
+			panic(err)
+		}
+		sealWrappers[i] = NewSealWrapper(
+			wrappers[i],
+			i+1,
+			fmt.Sprintf("%s-%d", opts.Name, i+1),
+			wrapperType.String(),
+			false,
+			true,
+		)
+	}
+
+	return sealWrappers
+}
+
 func NewToggleableTestSeal(opts *TestSealOpts) (Access, []func(error)) {
 	opts = NewTestSealOpts(opts)