VAULT-31409: trace postUnseal function (#28895)

* initial implementation of unseal trace

* close file if we fail to start the trace

didn't bother to check the error from traceFile.Close()

* use reloadable config instead of env var

* license

* remove leftover

* allow setting custom dir and remove new package

* bring back StartDebugTrace

after talking to Kuba it sounds like it's a good idea to try to move stuff out of core, so even if there's no immediate need for a generic debug trace function it's still fair to add it

* track postUnseal instead of unsealInternal

also some usability improvements from manual testing

* address PR comments

* address security review

there were concerns about using the /tmp directory because of permissions, or having a default dir at all, so now it's required to set a dir in order to generate the traces.

* add unit tests to StartDebugTrace

* move back to default dir

* document new parameters

* add tiny integration test

* avoid colon in trace filename

sounds like it might be forbidden in Windows and possibly cause problems in some MacOS applications.

* address PR feedback

* add go doc to test

CI was complaining about missing comments on the new test function. It feels a bit silly to require this of tests but whatever XD

* fix tests
This commit is contained in:
Bruno Oliveira de Souza
2024-11-26 15:04:34 -03:00
committed by GitHub
parent 42552f6303
commit a2c467cc22
10 changed files with 272 additions and 1 deletions


@@ -115,6 +115,9 @@ type Config struct {
License string `hcl:"-"`
LicensePath string `hcl:"license_path"`
DisableSSCTokens bool `hcl:"-"`
EnablePostUnsealTrace bool `hcl:"enable_post_unseal_trace"`
PostUnsealTraceDir string `hcl:"post_unseal_trace_directory"`
}
const (
@@ -425,6 +428,16 @@ func (c *Config) Merge(c2 *Config) *Config {
result.LicensePath = c2.LicensePath
}
result.EnablePostUnsealTrace = c.EnablePostUnsealTrace
if c2.EnablePostUnsealTrace {
result.EnablePostUnsealTrace = c2.EnablePostUnsealTrace
}
result.PostUnsealTraceDir = c.PostUnsealTraceDir
if c2.PostUnsealTraceDir != "" {
result.PostUnsealTraceDir = c2.PostUnsealTraceDir
}
// Use values from top-level configuration for storage if set
if storage := result.Storage; storage != nil {
if result.APIAddr != "" {
@@ -1150,6 +1163,9 @@ func (c *Config) Sanitized() map[string]interface{} {
"detect_deadlocks": c.DetectDeadlocks,
"imprecise_lease_role_tracking": c.ImpreciseLeaseRoleTracking,
"enable_post_unseal_trace": c.EnablePostUnsealTrace,
"post_unseal_trace_directory": c.PostUnsealTraceDir,
}
for k, v := range sharedResult {
result[k] = v
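Review bot: The two new Config fields in the first hunk carry no doc comment, and the Merge hunk gives EnablePostUnsealTrace sticky semantics — once a lower-precedence file sets it to true, a later file cannot turn it off, because only a true c2 value is copied into result — which appears to follow the same pattern as the other boolean fields but is worth stating where the option is declared. I would document the fields as `// EnablePostUnsealTrace enables writing a runtime trace of postUnseal into PostUnsealTraceDir; once set to true in any merged config file it stays enabled.` and `// PostUnsealTraceDir is the directory that receives the trace files; it should be writable only by the Vault process user.` The Sanitized hunk echoes the directory path verbatim, so the comment should also make clear that the value is reported, not redacted, if that is the intent. Merge continues outside the hunk, so the remaining field handling was not reviewed here.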


@@ -854,6 +854,8 @@ func testConfig_Sanitized(t *testing.T) {
},
"administrative_namespace_path": "admin/",
"imprecise_lease_role_tracking": false,
"enable_post_unseal_trace": true,
"post_unseal_trace_directory": "/tmp",
}
addExpectedEntSanitizedConfig(expected, []string{"http"})


@@ -58,3 +58,5 @@ raw_storage_endpoint = true
disable_sealwrap = true
disable_sentinel_trace = true
administrative_namespace_path = "admin/"
enable_post_unseal_trace = true
post_unseal_trace_directory = "/tmp"