Correct the post-unseal meaning of the seal status type (#23022)

* Correct the post-unseal meaning of the seal status type And at the same time add a RecoverySealType to the response which preserves the old meaning. Updated the CLI to display both when relevant. * changelog * no longer needed * Don't need this field either, which fixes unit tests * fix unit tests
2025-11-03 03:58:01 +00:00 · 2023-10-09 12:53:13 -05:00
parent 61f8aff24b
commit 42a484c6ce
5 changed files with 67 additions and 47 deletions
--- a/api/sys_seal.go
+++ b/api/sys_seal.go
@@ -109,6 +109,7 @@ type SealStatusResponse struct {
 	ClusterName       string   `json:"cluster_name,omitempty"`
 	ClusterID         string   `json:"cluster_id,omitempty"`
 	RecoverySeal      bool     `json:"recovery_seal"`
 	RecoverySealType  string   `json:"recovery_seal_type,omitempty"`
 	StorageType       string   `json:"storage_type,omitempty"`
 	HCPLinkStatus     string   `json:"hcp_link_status,omitempty"`
 	HCPLinkResourceID string   `json:"hcp_link_resource_ID,omitempty"`
--- a/changelog/23022.txt
+++ b/changelog/23022.txt
@@ -0,0 +1,5 @@
 ```release-note:improvement
 core: update sys/seal-status (and CLI vault status) to report the type of
 the seal when unsealed, as well as the type of the recovery seal if an
 auto-seal.
 ```
--- a/command/format.go
+++ b/command/format.go
@@ -326,13 +326,14 @@ func (t TableFormatter) Output(ui cli.Ui, secret *api.Secret, data interface{})
 func (t TableFormatter) OutputSealStatusStruct(ui cli.Ui, secret *api.Secret, data interface{}) error {
 	var status SealStatusOutput = data.(SealStatusOutput)
 	var sealPrefix string
 	if status.RecoverySeal {
 		sealPrefix = "Recovery "
 	}
 	out := []string{}
 	out = append(out, "Key | Value")
-	out = append(out, fmt.Sprintf("%sSeal Type | %s", sealPrefix, status.Type))
+	out = append(out, fmt.Sprintf("Seal Type | %s", status.Type))
 	if status.RecoverySeal {
 		sealPrefix = "Recovery "
 		out = append(out, fmt.Sprintf("Recovery Seal Type | %s", status.RecoverySealType))
 	}
 	out = append(out, fmt.Sprintf("Initialized | %t", status.Initialized))
 	out = append(out, fmt.Sprintf("Sealed | %t", status.Sealed))
 	out = append(out, fmt.Sprintf("Total %sShares | %d", sealPrefix, status.N))
--- a/command/format_test.go
+++ b/command/format_test.go
@@ -108,6 +108,7 @@ func TestStatusFormat(t *testing.T) {
 	expectedOutputString := `Key                           Value
 ---                           -----
 Seal Type                     type
 Recovery Seal Type            type
 Initialized                   true
 Sealed                        true
@@ -140,6 +141,7 @@ Warnings                      [warning]`
 	expectedOutputString = `Key                           Value
 ---                           -----
 Seal Type                     type
 Recovery Seal Type            type
 Initialized                   true
 Sealed                        true
@@ -180,6 +182,7 @@ func getMockStatusData(emptyFields bool) SealStatusOutput {
 			ClusterName:      "cluster name",
 			ClusterID:        "cluster id",
 			RecoverySeal:     true,
 			RecoverySealType: "type",
 			StorageType:      "storage type",
 			Warnings:         []string{"warning"},
 		}
@@ -214,6 +217,7 @@ func getMockStatusData(emptyFields bool) SealStatusOutput {
 			ClusterID:        "",
 			RecoverySeal:     true,
 			StorageType:      "",
 			RecoverySealType: "type",
 		}
 		// must initialize this struct without explicit field names due to embedding
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -4941,6 +4941,7 @@ type SealStatusResponse struct {
 	HCPLinkStatus     string   `json:"hcp_link_status,omitempty"`
 	HCPLinkResourceID string   `json:"hcp_link_resource_ID,omitempty"`
 	Warnings          []string `json:"warnings,omitempty"`
 	RecoverySealType  string   `json:"recovery_seal_type,omitempty"`
 }
 type SealBackendStatus struct {
@@ -4994,6 +4995,9 @@ func (core *Core) GetSealStatus(ctx context.Context) (*SealStatusResponse, error
 		return s, nil
 	}
 	var recoverySealType string
 	sealType := sealConfig.Type
 	// Fetch the local cluster name and identifier
 	var clusterName, clusterID string
 	if !sealed {
@@ -5006,12 +5010,16 @@ func (core *Core) GetSealStatus(ctx context.Context) (*SealStatusResponse, error
 		}
 		clusterName = cluster.Name
 		clusterID = cluster.ID
 		if core.SealAccess().RecoveryKeySupported() {
 			recoverySealType = sealType
 		}
 		sealType = core.seal.BarrierSealConfigType().String()
 	}
 	progress, nonce := core.SecretProgress()
 	s := &SealStatusResponse{
-		Type:         sealConfig.Type,
+		Type:             sealType,
 		Initialized:      initialized,
 		Sealed:           sealed,
 		T:                sealConfig.SecretThreshold,
@@ -5024,6 +5032,7 @@ func (core *Core) GetSealStatus(ctx context.Context) (*SealStatusResponse, error
 		ClusterName:      clusterName,
 		ClusterID:        clusterID,
 		RecoverySeal:     core.SealAccess().RecoveryKeySupported(),
 		RecoverySealType: recoverySealType,
 		StorageType:      core.StorageType(),
 	}