Add -dev-auto-seal option (#5629)

* adding a -dev-auto-seal option

* adding logger to TestSeal

command/seal_migration_test.go

@@ -108,7 +108,7 @@ func TestSealMigration(t *testing.T) {
 
 		core := cluster.Cores[0].Core
 
-		newSeal := vault.NewAutoSeal(&seal.TestSeal{})
+		newSeal := vault.NewAutoSeal(seal.NeweTestSeal(logger))
 		newSeal.SetCore(core)
 		autoSeal = newSeal
 		if err := adjustCoreForSealMigration(context.Background(), core, coreConfig, newSeal, &server.Config{

command/server.go

@@ -47,6 +47,7 @@ import (
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/physical"
 	"github.com/hashicorp/vault/vault"
+	vaultseal "github.com/hashicorp/vault/vault/seal"
 	"github.com/hashicorp/vault/version"
 )
 
@@ -96,6 +97,7 @@ type ServerCommand struct {
 	flagDevThreeNode     bool
 	flagDevFourCluster   bool
 	flagDevTransactional bool
+	flagDevAutoSeal      bool
 	flagTestVerifyOnly   bool
 	flagCombineLogs      bool
 }
@@ -247,6 +249,13 @@ func (c *ServerCommand) Flags() *FlagSets {
 		Hidden:  true,
 	})
 
+	f.BoolVar(&BoolVar{
+		Name:    "dev-auto-seal",
+		Target:  &c.flagDevAutoSeal,
+		Default: false,
+		Hidden:  true,
+	})
+
 	f.BoolVar(&BoolVar{
 		Name:    "dev-skip-init",
 		Target:  &c.flagDevSkipInit,
@@ -346,7 +355,7 @@ func (c *ServerCommand) Run(args []string) int {
 	allLoggers := []log.Logger{c.logger}
 
 	// Automatically enable dev mode if other dev flags are provided.
-	if c.flagDevHA || c.flagDevTransactional || c.flagDevLeasedKV || c.flagDevThreeNode || c.flagDevFourCluster {
+	if c.flagDevHA || c.flagDevTransactional || c.flagDevLeasedKV || c.flagDevThreeNode || c.flagDevFourCluster || c.flagDevAutoSeal {
 		c.flagDev = true
 	}
 
@@ -473,7 +482,7 @@ func (c *ServerCommand) Run(args []string) int {
 	info["log level"] = c.flagLogLevel
 	infoKeys = append(infoKeys, "log level")
 
-	sealType := "shamir"
+	sealType := vaultseal.Shamir
 	if config.Seal != nil || os.Getenv("VAULT_SEAL_TYPE") != "" {
 		if config.Seal == nil {
 			sealType = os.Getenv("VAULT_SEAL_TYPE")
@@ -482,9 +491,15 @@ func (c *ServerCommand) Run(args []string) int {
 		}
 	}
 
+	var seal vault.Seal
+	var sealConfigError error
+	if c.flagDevAutoSeal {
+		sealLogger := c.logger.Named(vaultseal.Test)
+		seal = vault.NewAutoSeal(vaultseal.NewTestSeal(sealLogger))
+	} else {
 		sealLogger := c.logger.Named(sealType)
 		allLoggers = append(allLoggers, sealLogger)
-	seal, sealConfigError := serverseal.ConfigureSeal(config, &infoKeys, &info, sealLogger, vault.NewDefaultSeal())
+		seal, sealConfigError = serverseal.ConfigureSeal(config, &infoKeys, &info, sealLogger, vault.NewDefaultSeal())
 		if sealConfigError != nil {
 			if !errwrap.ContainsType(sealConfigError, new(logical.KeyNotFoundError)) {
 				c.UI.Error(fmt.Sprintf(
@@ -492,6 +507,7 @@ func (c *ServerCommand) Run(args []string) int {
 				return 1
 			}
 		}
+	}
 
 	// Ensure that the seal finalizer is called, even if using verify-only
 	defer func() {
@@ -1007,7 +1023,7 @@ CLUSTER_SYNTHESIS_COMPLETE:
 				"The recovery key and root token are displayed below in case you want " +
 					"to seal/unseal the Vault or re-authenticate."))
 			c.UI.Warn("")
-			c.UI.Warn(fmt.Sprintf("Unseal Key: %s", base64.StdEncoding.EncodeToString(init.RecoveryShares[0])))
+			c.UI.Warn(fmt.Sprintf("Recovery Key: %s", base64.StdEncoding.EncodeToString(init.RecoveryShares[0])))
 		}
 
 		c.UI.Warn(fmt.Sprintf("Root Token: %s", init.RootToken))

command/server/config.go

@@ -747,17 +747,6 @@ func parseSeal(result *Config, list *ast.ObjectList, blockName string) error {
 		key = item.Keys[0].Token.Value().(string)
 	}
 
-	// Valid parameter for the Seal types
-	switch key {
-	case "pkcs11":
-	case "alicloudkms":
-	case "awskms":
-	case "gcpckms":
-	case "azurekeyvault":
-	default:
-		return fmt.Errorf("invalid seal type %q", key)
-	}
-
 	var m map[string]string
 	if err := hcl.DecodeObject(&m, item.Val); err != nil {
 		return multierror.Prefix(err, fmt.Sprintf("%s.%s:", blockName, key))

command/server/seal/server_seal.go

@@ -7,13 +7,14 @@ import (
 	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/vault/command/server"
 	"github.com/hashicorp/vault/vault"
+	"github.com/hashicorp/vault/vault/seal"
 )
 
 var (
 	ConfigureSeal func(*server.Config, *[]string, *map[string]string, log.Logger, vault.Seal) (vault.Seal, error) = configureSeal
 )
 
-func configureSeal(config *server.Config, infoKeys *[]string, info *map[string]string, logger log.Logger, inseal vault.Seal) (seal vault.Seal, err error) {
+func configureSeal(config *server.Config, infoKeys *[]string, info *map[string]string, logger log.Logger, inseal vault.Seal) (outseal vault.Seal, err error) {
 	if config.Seal != nil || os.Getenv("VAULT_SEAL_TYPE") != "" {
 		if config.Seal == nil {
 			config.Seal = &server.Seal{
@@ -21,19 +22,19 @@ func configureSeal(config *server.Config, infoKeys *[]string, info *map[string]s
 			}
 		}
 		switch config.Seal.Type {
-		case "alicloudkms":
+		case seal.AliCloudKMS:
 			return configureAliCloudKMSSeal(config, infoKeys, info, logger, inseal)
 
-		case "awskms":
+		case seal.AWSKMS:
 			return configureAWSKMSSeal(config, infoKeys, info, logger, inseal)
 
-		case "gcpckms":
+		case seal.GCPCKMS:
 			return configureGCPCKMSSeal(config, infoKeys, info, logger, inseal)
 
-		case "azurekeyvault":
+		case seal.AzureKeyVault:
 			return configureAzureKeyVaultSeal(config, infoKeys, info, logger, inseal)
 
-		case "pkcs11":
+		case seal.PKCS11:
 			return nil, fmt.Errorf("Seal type 'pkcs11' requires the Vault Enterprise HSM binary")
 
 		default:

vault/seal/seal_testing.go

@@ -3,13 +3,22 @@ package seal
 import (
 	"context"
 
+	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/vault/physical"
 )
 
-type TestSeal struct{}
+type TestSeal struct {
+	logger log.Logger
+}
 
 var _ Access = (*TestSeal)(nil)
 
+func NewTestSeal(logger log.Logger) *TestSeal {
+	return &TestSeal{
+		logger: logger,
+	}
+}
+
 func (s *TestSeal) Init(_ context.Context) error {
 	return nil
 }