diff --git a/command/seal_migration_test.go b/command/seal_migration_test.go
index 63465d9513..8840781e50 100644
--- a/command/seal_migration_test.go
+++ b/command/seal_migration_test.go
@@ -108,7 +108,7 @@ func TestSealMigration(t *testing.T) {
 core := cluster.Cores[0].Core
- newSeal := vault.NewAutoSeal(&seal.TestSeal{})
+ newSeal := vault.NewAutoSeal(seal.NeweTestSeal(logger))
 newSeal.SetCore(core)
 autoSeal = newSeal
 if err := adjustCoreForSealMigration(context.Background(), core, coreConfig, newSeal, &server.Config{
diff --git a/command/server.go b/command/server.go
index bd4e47ba65..53c13efeed 100644
--- a/command/server.go
+++ b/command/server.go
@@ -47,6 +47,7 @@ import (
 "github.com/hashicorp/vault/logical"
 "github.com/hashicorp/vault/physical"
 "github.com/hashicorp/vault/vault"
+ vaultseal "github.com/hashicorp/vault/vault/seal"
 "github.com/hashicorp/vault/version"
 )
@@ -96,6 +97,7 @@ type ServerCommand struct {
 flagDevThreeNode bool
 flagDevFourCluster bool
 flagDevTransactional bool
+ flagDevAutoSeal bool
 flagTestVerifyOnly bool
 flagCombineLogs bool
 }
@@ -247,6 +249,13 @@ func (c *ServerCommand) Flags() *FlagSets {
 Hidden: true,
 })
+ f.BoolVar(&BoolVar{
+ Name: "dev-auto-seal",
+ Target: &c.flagDevAutoSeal,
+ Default: false,
+ Hidden: true,
+ })
+
 f.BoolVar(&BoolVar{
 Name: "dev-skip-init",
 Target: &c.flagDevSkipInit,
@@ -346,7 +355,7 @@ func (c *ServerCommand) Run(args []string) int {
 allLoggers := []log.Logger{c.logger}
 // Automatically enable dev mode if other dev flags are provided.
- if c.flagDevHA || c.flagDevTransactional || c.flagDevLeasedKV || c.flagDevThreeNode || c.flagDevFourCluster {
+ if c.flagDevHA || c.flagDevTransactional || c.flagDevLeasedKV || c.flagDevThreeNode || c.flagDevFourCluster || c.flagDevAutoSeal {
 c.flagDev = true
 }
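Review bot: `seal.NeweTestSeal(logger)` on the added line does not match the constructor this commit introduces in vault/seal/seal_testing.go, which is `NewTestSeal`, so the test file will not compile as written. The line should read `newSeal := vault.NewAutoSeal(seal.NewTestSeal(logger))`. Whether a `logger` variable is in scope at this point of TestSealMigration is not visible in the hunk; if there is none, `hclog.NewNullLogger()` is the usual stand-in in tests. TestSealMigration starts and ends outside the hunk.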
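Review bot: The new hidden `dev-auto-seal` flag in Flags() carries no Usage and no comment saying what it substitutes, and the reader has to cross-reference Run() to learn that it swaps the configured seal for the TestSeal from vault/seal/seal_testing.go. A one-line comment above the `f.BoolVar(&BoolVar{` for this flag, e.g. `// dev-auto-seal runs the dev server behind an auto seal backed by vault/seal's TestSeal so the auto-unseal / recovery-key path can be exercised locally; it is a test stand-in, not a real seal.`, would make that explicit. Flags() starts and ends outside the hunk.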
@@ -473,7 +482,7 @@ func (c *ServerCommand) Run(args []string) int {
 info["log level"] = c.flagLogLevel
 infoKeys = append(infoKeys, "log level")
- sealType := "shamir"
+ sealType := vaultseal.Shamir
 if config.Seal != nil || os.Getenv("VAULT_SEAL_TYPE") != "" {
 if config.Seal == nil {
 sealType = os.Getenv("VAULT_SEAL_TYPE")
@@ -482,14 +491,21 @@ func (c *ServerCommand) Run(args []string) int {
 }
 }
- sealLogger := c.logger.Named(sealType)
- allLoggers = append(allLoggers, sealLogger)
- seal, sealConfigError := serverseal.ConfigureSeal(config, &infoKeys, &info, sealLogger, vault.NewDefaultSeal())
- if sealConfigError != nil {
- if !errwrap.ContainsType(sealConfigError, new(logical.KeyNotFoundError)) {
- c.UI.Error(fmt.Sprintf(
- "Error parsing Seal configuration: %s", sealConfigError))
- return 1
+ var seal vault.Seal
+ var sealConfigError error
+ if c.flagDevAutoSeal {
+ sealLogger := c.logger.Named(vaultseal.Test)
+ seal = vault.NewAutoSeal(vaultseal.NewTestSeal(sealLogger))
+ } else {
+ sealLogger := c.logger.Named(sealType)
+ allLoggers = append(allLoggers, sealLogger)
+ seal, sealConfigError = serverseal.ConfigureSeal(config, &infoKeys, &info, sealLogger, vault.NewDefaultSeal())
+ if sealConfigError != nil {
+ if !errwrap.ContainsType(sealConfigError, new(logical.KeyNotFoundError)) {
+ c.UI.Error(fmt.Sprintf(
+ "Error parsing Seal configuration: %s", sealConfigError))
+ return 1
+ }
 }
 }
@@ -1007,7 +1023,7 @@ CLUSTER_SYNTHESIS_COMPLETE:
 "The recovery key and root token are displayed below in case you want " +
 "to seal/unseal the Vault or re-authenticate."))
 c.UI.Warn("")
- c.UI.Warn(fmt.Sprintf("Unseal Key: %s", base64.StdEncoding.EncodeToString(init.RecoveryShares[0])))
+ c.UI.Warn(fmt.Sprintf("Recovery Key: %s", base64.StdEncoding.EncodeToString(init.RecoveryShares[0])))
 }
 c.UI.Warn(fmt.Sprintf("Root Token: %s", init.RootToken))
diff --git a/command/server/config.go b/command/server/config.go
index 94a8b48842..69c89489cc 100644
--- a/command/server/config.go
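Review bot: In the `if c.flagDevAutoSeal` branch of the -482 hunk the new `sealLogger` is never added to `allLoggers`, whereas the `else` branch keeps `allLoggers = append(allLoggers, sealLogger)`; whatever `allLoggers` is used for later in Run (presumably applying log-level changes to every named logger, which is outside the hunk) will skip the test seal's logger. Add `allLoggers = append(allLoggers, sealLogger)` after the `Named(vaultseal.Test)` line, or hoist the append above the `if`. The branch also silently overrides a configured `seal` stanza or `VAULT_SEAL_TYPE`, and `sealType` computed in the -473 hunk still describes the configured seal rather than the one in use, so if `sealType` feeds the startup `info` block a `c.UI.Warn` that dev-auto-seal has replaced the configured seal would keep the output honest. Run starts and ends outside these hunks.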
+++ b/command/server/config.go
@@ -747,17 +747,6 @@ func parseSeal(result *Config, list *ast.ObjectList, blockName string) error {
 key = item.Keys[0].Token.Value().(string)
 }
- // Valid parameter for the Seal types
- switch key {
- case "pkcs11":
- case "alicloudkms":
- case "awskms":
- case "gcpckms":
- case "azurekeyvault":
- default:
- return fmt.Errorf("invalid seal type %q", key)
- }
-
 var m map[string]string
 if err := hcl.DecodeObject(&m, item.Val); err != nil {
 return multierror.Prefix(err, fmt.Sprintf("%s.%s:", blockName, key))
diff --git a/command/server/seal/server_seal.go b/command/server/seal/server_seal.go
index 754b379856..2b42cd0874 100644
--- a/command/server/seal/server_seal.go
+++ b/command/server/seal/server_seal.go
@@ -7,13 +7,14 @@ import (
 log "github.com/hashicorp/go-hclog"
 "github.com/hashicorp/vault/command/server"
 "github.com/hashicorp/vault/vault"
+ "github.com/hashicorp/vault/vault/seal"
 )
 var (
 ConfigureSeal func(*server.Config, *[]string, *map[string]string, log.Logger, vault.Seal) (vault.Seal, error) = configureSeal
 )
-func configureSeal(config *server.Config, infoKeys *[]string, info *map[string]string, logger log.Logger, inseal vault.Seal) (seal vault.Seal, err error) {
+func configureSeal(config *server.Config, infoKeys *[]string, info *map[string]string, logger log.Logger, inseal vault.Seal) (outseal vault.Seal, err error) {
 if config.Seal != nil || os.Getenv("VAULT_SEAL_TYPE") != "" {
 if config.Seal == nil {
 config.Seal = &server.Seal{
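Review bot: Dropping the seal-type `switch` from parseSeal means an unknown type in an HCL `seal` stanza is no longer rejected at config-parse time; the only remaining check is the `default:` arm of configureSeal in command/server/seal/server_seal.go, whose body lies outside the visible hunk, so confirm it still returns an error for unrecognized types rather than falling through to the Shamir default. A short comment at the removal site, e.g. `// Seal type validation lives in seal.ConfigureSeal, which owns the list of supported types.`, would tell the next reader where the check went. parseSeal starts and ends outside the hunk.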
@@ -21,19 +22,19 @@ func configureSeal(config *server.Config, infoKeys *[]string, info *map[string]s
 }
 }
 switch config.Seal.Type {
- case "alicloudkms":
+ case seal.AliCloudKMS:
 return configureAliCloudKMSSeal(config, infoKeys, info, logger, inseal)
- case "awskms":
+ case seal.AWSKMS:
 return configureAWSKMSSeal(config, infoKeys, info, logger, inseal)
- case "gcpckms":
+ case seal.GCPCKMS:
 return configureGCPCKMSSeal(config, infoKeys, info, logger, inseal)
- case "azurekeyvault":
+ case seal.AzureKeyVault:
 return configureAzureKeyVaultSeal(config, infoKeys, info, logger, inseal)
- case "pkcs11":
+ case seal.PKCS11:
 return nil, fmt.Errorf("Seal type 'pkcs11' requires the Vault Enterprise HSM binary")
 default:
diff --git a/vault/seal/seal_testing.go b/vault/seal/seal_testing.go
index c325f76a0e..6ce03b421f 100644
--- a/vault/seal/seal_testing.go
+++ b/vault/seal/seal_testing.go
@@ -3,13 +3,22 @@ package seal
 import (
 "context"
+ log "github.com/hashicorp/go-hclog"
 "github.com/hashicorp/vault/physical"
 )
-type TestSeal struct{}
+type TestSeal struct {
+ logger log.Logger
+}
 var _ Access = (*TestSeal)(nil)
+func NewTestSeal(logger log.Logger) *TestSeal {
+ return &TestSeal{
+ logger: logger,
+ }
+}
+
 func (s *TestSeal) Init(_ context.Context) error {
 return nil
 }
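Review bot: The `seal.PKCS11` arm still hard-codes the literal `'pkcs11'` in its error text while the case label now uses the constant, so the two can drift apart the next time the name changes; `return nil, fmt.Errorf("Seal type %q requires the Vault Enterprise HSM binary", seal.PKCS11)` keeps them in sync. The `default:` arm's body, which is what rejects unknown types now that parseSeal no longer validates them, is outside the hunk and should be double-checked for that. configureSeal starts and ends outside the hunk.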
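Review bot: `NewTestSeal` and `TestSeal` are exported without doc comments, and `TestSeal` has lost its usable zero value: code that still writes `&seal.TestSeal{}` or calls `NewTestSeal(nil)` ends up with a nil `logger`, which will panic on first use as soon as any method logs through it (none in the hunk does yet, so this is latent). Suggest `// NewTestSeal returns a TestSeal that logs through logger; it is a test and dev-mode stand-in for a real auto seal (Init is a no-op).` above the constructor and a guard before the return: `if logger == nil { logger = log.NewNullLogger() }`. The remaining TestSeal methods are outside the hunk.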