Protect SealWrapper health fields (#22740)

* Create accessors for SealWrapper fields protecteb by the lock. * Use NewSealWrapper constructor to create all seal wrappers.
2025-11-01 19:17:58 +00:00 · 2023-09-01 14:38:11 -04:00
parent 07e76196ba
commit 5dc85c58c1
12 changed files with 163 additions and 118 deletions
--- a/command/server.go
+++ b/command/server.go
@@ -2599,8 +2599,8 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
 	recordSealConfigError := func(err error) {
 		sealConfigError = errors.Join(sealConfigError, err)
 	}
-	enabledSealWrappers := make([]vaultseal.SealWrapper, 0)
-	disabledSealWrappers := make([]vaultseal.SealWrapper, 0)
+	enabledSealWrappers := make([]*vaultseal.SealWrapper, 0)
+	disabledSealWrappers := make([]*vaultseal.SealWrapper, 0)
 	allSealKmsConfigs := make([]*configutil.KMS, 0)

 	type infoKeysAndMap struct {
@@ -2642,13 +2642,13 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
 			wrapper = aeadwrapper.NewShamirWrapper()
 		}

-		sealWrapper := vaultseal.SealWrapper{
-			Wrapper:        wrapper,
-			Priority:       configSeal.Priority,
-			Name:           configSeal.Name,
-			SealConfigType: configSeal.Type,
-			Disabled:       configSeal.Disabled,
-		}
+		sealWrapper := vaultseal.NewSealWrapper(
+			wrapper,
+			configSeal.Priority,
+			configSeal.Name,
+			configSeal.Type,
+			configSeal.Disabled,
+		)

 		if configSeal.Disabled {
 			disabledSealWrappers = append(disabledSealWrappers, sealWrapper)
@@ -2666,20 +2666,21 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
 	////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 	// Set the info keys, this modifies the function arguments `info` and `infoKeys`
 	// TODO(SEALHA): Why are we doing this? What is its use?
-	appendWrapperInfoKeys := func(prefix string, sealWrappers []vaultseal.SealWrapper) {
-		if len(sealWrappers) > 0 {
-			useName := false
-			if len(sealWrappers) > 1 {
-				useName = true
+	appendWrapperInfoKeys := func(prefix string, sealWrappers []*vaultseal.SealWrapper) {
+		if len(sealWrappers) == 0 {
+			return
+		}
+		useName := false
+		if len(sealWrappers) > 1 {
+			useName = true
+		}
+		for _, sealWrapper := range sealWrappers {
+			if useName {
+				prefix = fmt.Sprintf("%s %s ", prefix, sealWrapper.Name)
 			}
-			for _, sealWrapper := range sealWrappers {
-				if useName {
-					prefix = fmt.Sprintf("%s %s ", prefix, sealWrapper.Name)
-				}
-				for _, k := range sealWrapperInfoKeysMap[sealWrapper.Name].keys {
-					infoKeys = append(infoKeys, prefix+k)
-					info[prefix+k] = sealWrapperInfoKeysMap[sealWrapper.Name].theMap[k]
-				}
+			for _, k := range sealWrapperInfoKeysMap[sealWrapper.Name].keys {
+				infoKeys = append(infoKeys, prefix+k)
+				info[prefix+k] = sealWrapperInfoKeysMap[sealWrapper.Name].theMap[k]
 			}
 		}
 	}
@@ -2697,7 +2698,7 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
 	////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 	// Create the Seals

-	containsShamir := func(sealWrappers []vaultseal.SealWrapper) bool {
+	containsShamir := func(sealWrappers []*vaultseal.SealWrapper) bool {
 		for _, si := range sealWrappers {
 			if vault.SealConfigTypeShamir.IsSameAs(si.SealConfigType) {
 				return true