Provide a better error message around initializing with multiple seals (#23210)

* Provide a better error message around initializing with multiple seals - Specifically callout during cluster initialization or initial beta seal migration that we can only have a single seal enabled with the following error message: `Initializing a cluster or enabling multi-seal on an existing cluster must occur with a single seal before adding additional seals` - Handle the use case that we have multiple seals configured, but some are disabled, leaving a single enabled seal. This is the legacy seal migratation case that works without the BETA flag set, so should work with it set as well. * Update the expected error messages within seal tests * Remove support for old style migration configurations in multi-seal
2025-11-01 19:17:58 +00:00 · 2023-09-21 12:32:44 -04:00
parent 6ef2a60314
commit 4389ee438d
2 changed files with 104 additions and 25 deletions
--- a/command/server_sealgenerationinfo_test.go
+++ b/command/server_sealgenerationinfo_test.go
@@ -96,7 +96,7 @@ func TestMultiSealCases(t *testing.T) {
 				},
 			},
 			isErrorExpected:   true,
-			expectedErrorMsg:  "cannot add more than one seal",
+			expectedErrorMsg:  "Initializing a cluster or enabling multi-seal on an existing cluster must occur with a single seal before adding additional seals",
 			sealHaBetaEnabled: true,
 		},
 		// none_to_multi_with_disabled_seals_with_beta
@@ -117,7 +117,7 @@ func TestMultiSealCases(t *testing.T) {
 				},
 			},
 			isErrorExpected:   true,
-			expectedErrorMsg:  "cannot add more than one seal",
+			expectedErrorMsg:  "Initializing a cluster or enabling multi-seal on an existing cluster must occur with a single seal before adding additional seals",
 			sealHaBetaEnabled: true,
 		},
 		// none_to_multi_with_disabled_seals_no_beta
@@ -759,6 +759,72 @@ func TestMultiSealCases(t *testing.T) {
 			hasPartiallyWrappedPaths: false,
 			isErrorExpected:          false,
 		},
+		// migrate from non-beta single seal to single seal
+		{
+			name:                "none_to_single_seal",
+			existingSealGenInfo: nil,
+			newSealGenInfo: &seal.SealGenerationInfo{
+				Generation: 1,
+				Seals: []*configutil.KMS{
+					{
+						Type:     "shamir",
+						Name:     "shamir",
+						Priority: 1,
+					},
+				},
+			},
+			isRewrapped:              true,
+			hasPartiallyWrappedPaths: false,
+			isErrorExpected:          false,
+		},
+		// migrate from non-beta single seal to multi seal, with one disabled, so perform an old style migration
+		// we do not support this use-case at this time so trap the error
+		{
+			name:                "none_to_multiple_seals_one_disabled",
+			existingSealGenInfo: nil,
+			newSealGenInfo: &seal.SealGenerationInfo{
+				Generation: 1,
+				Seals: []*configutil.KMS{
+					{
+						Type: "pkcs11",
+						Name: "autoSeal",
+					},
+					{
+						Type:     "pkcs11",
+						Name:     "autoSeal",
+						Disabled: true,
+					},
+				},
+			},
+			isRewrapped:              true,
+			hasPartiallyWrappedPaths: false,
+			isErrorExpected:          true,
+			expectedErrorMsg:         "Initializing a cluster or enabling multi-seal on an existing cluster must occur with a single seal before adding additional seals",
+		},
+		// migrate from non-beta single seal to multi seal
+		{
+			name:                "none_to_multiple_seals",
+			existingSealGenInfo: nil,
+			newSealGenInfo: &seal.SealGenerationInfo{
+				Generation: 1,
+				Seals: []*configutil.KMS{
+					{
+						Type:     "pkcs11",
+						Name:     "autoSeal1",
+						Priority: 1,
+					},
+					{
+						Type:     "pkcs11",
+						Name:     "autoSeal2",
+						Priority: 2,
+					},
+				},
+			},
+			isRewrapped:              true,
+			hasPartiallyWrappedPaths: false,
+			isErrorExpected:          true,
+			expectedErrorMsg:         "Initializing a cluster or enabling multi-seal on an existing cluster must occur with a single seal before adding additional seals",
+		},
 		// have partially wrapped paths
 		{
 			name: "have_partially_wrapped_paths",