diff --git a/changelog/24165.txt b/changelog/24165.txt
new file mode 100644
index 0000000000..04c0b92234
--- /dev/null
+++ b/changelog/24165.txt
@@ -0,0 +1,4 @@
+```release-note:bug
+core: Fix an error that resulted in the wrong seal type being returned by sys/seal-status while
+Vault is in seal migration mode.
+```
diff --git a/vault/logical_system.go b/vault/logical_system.go
index 7d9c75f52a..e978095a19 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -5018,8 +5018,14 @@ func (core *Core) GetSealStatus(ctx context.Context, lock bool) (*SealStatusResp
 return s, nil
 }
+ var sealType string
 var recoverySealType string
- sealType := sealConfig.Type
+ if core.SealAccess().RecoveryKeySupported() {
+ recoverySealType = sealConfig.Type
+ sealType = core.seal.BarrierSealConfigType().String()
+ } else {
+ sealType = sealConfig.Type
+ }
 // Fetch the local cluster name and identifier
 var clusterName, clusterID string
@@ -5033,10 +5039,6 @@ func (core *Core) GetSealStatus(ctx context.Context, lock bool) (*SealStatusResp
 }
 clusterName = cluster.Name
 clusterID = cluster.ID
- if core.SealAccess().RecoveryKeySupported() {
- recoverySealType = sealType
- }
- sealType = core.seal.BarrierSealConfigType().String()
 }
 progress, nonce := core.SecretProgress(lock)
diff --git a/vault/seal_autoseal.go b/vault/seal_autoseal.go
index e4c874b358..a1613526c8 100644
--- a/vault/seal_autoseal.go
+++ b/vault/seal_autoseal.go
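Review bot: The new branch in GetSealStatus carries no comment saying why the barrier/recovery type split now happens before the cluster lookup rather than inside the block the second hunk removes it from, yet that placement is the actual fix: the removed lines only ran inside a block closed by the `}` before `progress, nonce :=`, and the changelog says a node in seal migration mode got the wrong type as a result. I would add above `var sealType string`: `// Compute the reported seal types here, independent of the cluster lookup below: a sealed or migrating node may never enter that block, and computing them there previously made sys/seal-status report the recovery config's type as the seal type.` The comment presumes `sealConfig` holds the recovery config whenever `RecoveryKeySupported()` is true; that assignment is earlier in the function, outside the hunk, and should be checked before wording it that way. Adjacent lines also mix `core.SealAccess()` and `core.seal` for what appears to be the same seal; if `SealAccess()` exposes `BarrierSealConfigType`, using one accessor for both calls would read better. GetSealStatus starts before and continues past this hunk.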
@@ -53,12 +53,12 @@ func NewAutoSeal(lowLevel seal.Access) *autoSeal {
 ret.barrierConfig.Store((*SealConfig)(nil))
 ret.recoveryConfig.Store((*SealConfig)(nil))
- // See SealConfigType for the rules about computing the type.
- if len(lowLevel.GetSealGenerationInfo().Seals) > 1 {
- ret.barrierSealConfigType = SealConfigTypeMultiseal
+ // See SealConfigType for the rules about computing the type. Note that NewAccess guarantees
+ // that there is at least one wrapper
+ if wrappers := lowLevel.GetAllSealWrappersByPriority(); len(wrappers) == 1 {
+ ret.barrierSealConfigType = SealConfigType(wrappers[0].SealConfigType)
 } else {
- // Note that the Access constructors guarantee that there is at least one KMS config
- ret.barrierSealConfigType = SealConfigType(lowLevel.GetSealGenerationInfo().Seals[0].Type)
+ ret.barrierSealConfigType = SealConfigTypeMultiseal
 }
 return ret
diff --git a/vault/seal_autoseal_test.go b/vault/seal_autoseal_test.go
index 34aaeaf43d..09edd7ea4f 100644
--- a/vault/seal_autoseal_test.go
+++ b/vault/seal_autoseal_test.go
@@ -7,6 +7,7 @@ import (
 "bytes"
 "context"
 "errors"
+ "github.com/stretchr/testify/require"
 "reflect"
 "testing"
 "time"
@@ -212,3 +213,14 @@ func TestAutoSeal_HealthCheck(t *testing.T) {
 t.Fatal("Expected seals to be healthy")
 }
 }
+
+func TestAutoSeal_BarrierSealConfigType(t *testing.T) {
+ singleWrapperAccess, _ := seal.NewToggleableTestSeal(&seal.TestSealOpts{WrapperCount: 1})
+ multipleWrapperAccess, _ := seal.NewToggleableTestSeal(&seal.TestSealOpts{WrapperCount: 2})
+
+ require.Equalf(t, singleWrapperAccess.GetAllSealWrappersByPriority()[0].SealConfigType, NewAutoSeal(singleWrapperAccess).BarrierSealConfigType().String(),
+ "autoseals that have a single seal wrapper report that wrapper's as the barrier seal type")
+
+ require.Equalf(t, SealConfigTypeMultiseal, NewAutoSeal(multipleWrapperAccess).BarrierSealConfigType(),
+ "autoseals that have a multiple seal wrappers report the barrier seal type as Multiseal")
+}
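Review bot: With the condition now `len(wrappers) == 1`, an Access with zero wrappers falls into the else branch and is labelled SealConfigTypeMultiseal, whereas the removed code would have failed fast indexing `Seals[0]`; the new comment asserts that NewAccess guarantees at least one wrapper, but nothing in this hunk enforces it, and this value is what sys/seal-status reports to operators. I would make the invariant explicit with a switch on `len(wrappers)` so that zero is treated as a programmer error rather than silently misreported; if a panic here is unwanted, the old `> 1` ordering with `wrappers[0]` in the else branch at least keeps the fail-fast behaviour. NewAutoSeal starts before this hunk; `return ret` is its last context line.
```go
	// See SealConfigType for the rules about computing the type. NewAccess guarantees
	// that there is at least one wrapper; treat a violation as a programmer error rather
	// than reporting a multiseal configuration that does not exist.
	switch wrappers := lowLevel.GetAllSealWrappersByPriority(); len(wrappers) {
	case 0:
		panic("NewAutoSeal: seal access has no wrappers")
	case 1:
		ret.barrierSealConfigType = SealConfigType(wrappers[0].SealConfigType)
	default:
		ret.barrierSealConfigType = SealConfigTypeMultiseal
	}
	// … unchanged: return ret …
```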
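Review bot: Both `seal.NewToggleableTestSeal` calls in TestAutoSeal_BarrierSealConfigType discard their second return value (presumably an error), so a failing test-seal constructor would likely surface as a nil dereference in `GetAllSealWrappersByPriority()[0]` or `NewAutoSeal` rather than as a clear failure; use `singleWrapperAccess, err := seal.NewToggleableTestSeal(&seal.TestSealOpts{WrapperCount: 1})` followed by `require.NoError(t, err)`, and the same for the two-wrapper case. The two failure messages also read oddly: `that wrapper's as the barrier seal type` should be `that wrapper's type as the barrier seal type`, and `have a multiple seal wrappers` should be `have multiple seal wrappers`. Separately, the diff adds no test for the GetSealStatus change that the changelog describes; a seal-status check against a core in seal migration mode would pin the bug actually being fixed.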