backport of commit 0575ca6955 (#24097)

Co-authored-by: Divya Pola <87338962+divyapola5@users.noreply.github.com>

vault/seal/seal.go

@@ -298,13 +298,13 @@ type Access interface {
 	SetShamirSealKey([]byte) error
 	GetShamirKeyBytes(ctx context.Context) ([]byte, error)
 
-	// GetConfiguredSealWrappersByPriority returns all the SealWrappers including disabled and unconfigured wrappers.
+	// GetAllSealWrappersByPriority returns all the SealWrappers including disabled and unconfigured wrappers.
 	GetAllSealWrappersByPriority() []*SealWrapper
 
 	// GetConfiguredSealWrappersByPriority returns all the configured SealWrappers for all the seal wrappers, including disabled ones.
 	GetConfiguredSealWrappersByPriority() []*SealWrapper
 
-	// GetEnabledSealWrappersByPriority returns the SealWrapper for the enabled seal wrappers.
+	// GetEnabledSealWrappersByPriority returns the SealWrappers for the enabled seal wrappers.
 	GetEnabledSealWrappersByPriority() []*SealWrapper
 
 	// AllSealsWrappersHealthy returns whether all enabled SealWrappers are currently healthy.
@@ -564,7 +564,7 @@ GATHER_RESULTS:
 				// Just being paranoid, encryptCtx.Err() should never be nil in this case
 				errs[sealWrapper.Name] = errors.New("context timeout exceeded")
 			}
-			// This failure did not happen on tryDecrypt, so we must log it here
+			// This failure did not happen on tryEncrypt, so we must log it here
 			a.logger.Trace("error encrypting with seal", "seal", sealWrapper.Name, "err", errs[sealWrapper.Name])
 		}
 	}
@@ -727,7 +727,6 @@ GATHER_RESULTS:
 	}
 
 	// No wrapper was able to decrypt the value, return an error
-
 	if len(errs) > 0 {
 		return nil, false, JoinSealWrapErrors("error decrypting seal wrapped value", errs)
 	}

vault/seal/seal_testing.go

@@ -68,6 +68,50 @@ func NewTestSeal(opts *TestSealOpts) (Access, []*ToggleableWrapper) {
 	return sealAccess, wrappers
 }
 
+type TestSealWrapperOpts struct {
+	Logger       hclog.Logger
+	Secret       []byte
+	Name         wrapping.WrapperType
+	WrapperCount int
+}
+
+func CreateTestSealWrapperOpts(opts *TestSealWrapperOpts) *TestSealWrapperOpts {
+	if opts == nil {
+		opts = new(TestSealWrapperOpts)
+	}
+	if opts.WrapperCount == 0 {
+		opts.WrapperCount = 1
+	}
+	if opts.Logger == nil {
+		opts.Logger = logging.NewVaultLogger(hclog.Debug)
+	}
+	return opts
+}
+
+func CreateTestSealWrappers(opts *TestSealWrapperOpts) []*SealWrapper {
+	opts = CreateTestSealWrapperOpts(opts)
+	wrappers := make([]*ToggleableWrapper, opts.WrapperCount)
+	sealWrappers := make([]*SealWrapper, opts.WrapperCount)
+	ctx := context.Background()
+	for i := 0; i < opts.WrapperCount; i++ {
+		wrappers[i] = &ToggleableWrapper{Wrapper: wrapping.NewTestWrapper(opts.Secret)}
+		wrapperType, err := wrappers[i].Type(ctx)
+		if err != nil {
+			panic(err)
+		}
+		sealWrappers[i] = NewSealWrapper(
+			wrappers[i],
+			i+1,
+			fmt.Sprintf("%s-%d", opts.Name, i+1),
+			wrapperType.String(),
+			false,
+			true,
+		)
+	}
+
+	return sealWrappers
+}
+
 func NewToggleableTestSeal(opts *TestSealOpts) (Access, []func(error)) {
 	opts = NewTestSealOpts(opts)