From cfc788f60e8e4d43b447c2dbe0e22e617e36497a Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Fri, 19 Jan 2018 03:44:06 -0500 Subject: [PATCH] Remove context from a few extraneous places --- command/server.go | 10 +++++----- http/sys_generate_root.go | 2 +- http/sys_init.go | 4 ++-- http/sys_rekey.go | 6 +++--- http/sys_seal.go | 4 ++-- vault/core.go | 12 ++++++------ vault/generate_root.go | 4 ++-- vault/init.go | 6 +++--- vault/rekey.go | 22 +++++++++++----------- vault/rekey_test.go | 20 ++++++++++---------- vault/seal.go | 8 ++++---- vault/seal_access.go | 10 +++++----- vault/testing.go | 2 +- 13 files changed, 55 insertions(+), 55 deletions(-) diff --git a/command/server.go b/command/server.go index 8b7b263493..2df9b77f61 100644 --- a/command/server.go +++ b/command/server.go @@ -922,19 +922,19 @@ func (c *ServerCommand) enableDev(core *vault.Core, coreConfig *vault.CoreConfig SecretThreshold: 1, } - ctx := context.Background() - - if core.SealAccess().RecoveryKeySupported(ctx) { + if core.SealAccess().RecoveryKeySupported() { recoveryConfig = &vault.SealConfig{ SecretShares: 1, SecretThreshold: 1, } } - if core.SealAccess().StoredKeysSupported(ctx) { + if core.SealAccess().StoredKeysSupported() { barrierConfig.StoredShares = 1 } + ctx := context.Background() + // Initialize it with a basic single key init, err := core.Initialize(ctx, &vault.InitParams{ BarrierConfig: barrierConfig, @@ -945,7 +945,7 @@ func (c *ServerCommand) enableDev(core *vault.Core, coreConfig *vault.CoreConfig } // Handle unseal with stored keys - if core.SealAccess().StoredKeysSupported(ctx) { + if core.SealAccess().StoredKeysSupported() { err := core.UnsealWithStoredKeys(ctx) if err != nil { return nil, err diff --git a/http/sys_generate_root.go b/http/sys_generate_root.go index e063adb1d7..205dae1b1a 100644 --- a/http/sys_generate_root.go +++ b/http/sys_generate_root.go @@ -42,7 +42,7 @@ func handleSysGenerateRootAttemptGet(core *vault.Core, w http.ResponseWriter, r } sealConfig := barrierConfig - if core.SealAccess().RecoveryKeySupported(ctx) { + if core.SealAccess().RecoveryKeySupported() { sealConfig, err = core.SealAccess().RecoveryConfig(ctx) if err != nil { respondError(w, http.StatusInternalServerError, err) diff --git a/http/sys_init.go b/http/sys_init.go index 08ba597e3f..908d719f68 100644 --- a/http/sys_init.go +++ b/http/sys_init.go @@ -68,7 +68,7 @@ func handleSysInitPut(core *vault.Core, w http.ResponseWriter, r *http.Request) // which means both that the shares will be different *AND* there would // need to be a way to actually allow fetching of the generated keys by // operators. - if core.SealAccess().StoredKeysSupported(ctx) { + if core.SealAccess().StoredKeysSupported() { if barrierConfig.SecretShares != 1 { respondError(w, http.StatusBadRequest, fmt.Errorf("secret shares must be 1")) return @@ -97,7 +97,7 @@ func handleSysInitPut(core *vault.Core, w http.ResponseWriter, r *http.Request) return } - if core.SealAccess().RecoveryKeySupported(ctx) { + if core.SealAccess().RecoveryKeySupported() { if len(recoveryConfig.PGPKeys) > 0 && len(recoveryConfig.PGPKeys) != recoveryConfig.SecretShares-recoveryConfig.StoredShares { respondError(w, http.StatusBadRequest, fmt.Errorf("incorrect number of PGP keys for recovery")) return diff --git a/http/sys_rekey.go b/http/sys_rekey.go index da1bbc05f6..23caf2b25c 100644 --- a/http/sys_rekey.go +++ b/http/sys_rekey.go @@ -32,7 +32,7 @@ func handleSysRekeyInit(core *vault.Core, recovery bool) http.Handler { defer cancel() switch { - case recovery && !core.SealAccess().RecoveryKeySupported(ctx): + case recovery && !core.SealAccess().RecoveryKeySupported(): respondError(w, http.StatusBadRequest, fmt.Errorf("recovery rekeying not supported")) case r.Method == "GET": handleSysRekeyInitGet(ctx, core, recovery, w, r) @@ -119,7 +119,7 @@ func handleSysRekeyInitPut(ctx context.Context, core *vault.Core, recovery bool, // If the seal supports recovery keys and stored keys, then we allow rekeying the barrier key // iff the secret shares, secret threshold, and stored shares are set to 1. - if !recovery && core.SealAccess().RecoveryKeySupported(ctx) && core.SealAccess().StoredKeysSupported(ctx) { + if !recovery && core.SealAccess().RecoveryKeySupported() && core.SealAccess().StoredKeysSupported() { if req.SecretShares != 1 || req.SecretThreshold != 1 || req.StoredShares != 1 { respondError(w, http.StatusBadRequest, fmt.Errorf("secret shares, secret threshold, and stored shares must be set to 1")) return @@ -132,7 +132,7 @@ func handleSysRekeyInitPut(ctx context.Context, core *vault.Core, recovery bool, } // Initialize the rekey - err := core.RekeyInit(ctx, &vault.SealConfig{ + err := core.RekeyInit(&vault.SealConfig{ SecretShares: req.SecretShares, SecretThreshold: req.SecretThreshold, StoredShares: req.StoredShares, diff --git a/http/sys_seal.go b/http/sys_seal.go index 25d06cc862..a6ba9241cc 100644 --- a/http/sys_seal.go +++ b/http/sys_seal.go @@ -124,7 +124,7 @@ func handleSysUnseal(core *vault.Core) http.Handler { // Attempt the unseal ctx := context.Background() - if core.SealAccess().RecoveryKeySupported(ctx) { + if core.SealAccess().RecoveryKeySupported() { _, err = core.UnsealWithRecoveryKeys(ctx, key) } else { _, err = core.Unseal(key) @@ -171,7 +171,7 @@ func handleSysSealStatusRaw(core *vault.Core, w http.ResponseWriter, r *http.Req } var sealConfig *vault.SealConfig - if core.SealAccess().RecoveryKeySupported(ctx) { + if core.SealAccess().RecoveryKeySupported() { sealConfig, err = core.SealAccess().RecoveryConfig(ctx) } else { sealConfig, err = core.SealAccess().BarrierConfig(ctx) diff --git a/vault/core.go b/vault/core.go index ed3e7a184a..956404b96f 100644 --- a/vault/core.go +++ b/vault/core.go @@ -1071,7 +1071,7 @@ func (c *Core) UnsealWithRecoveryKeys(ctx context.Context, key []byte) (bool, er var config *SealConfig // If recovery keys are supported then use recovery seal config to unseal - if c.seal.RecoveryKeySupported(ctx) { + if c.seal.RecoveryKeySupported() { config, err = c.seal.RecoveryConfig(ctx) if err != nil { return false, err @@ -1148,7 +1148,7 @@ func (c *Core) unsealPart(ctx context.Context, config *SealConfig, key []byte, u } } - if c.seal.RecoveryKeySupported(ctx) && useRecoveryKeys { + if c.seal.RecoveryKeySupported() && useRecoveryKeys { // Verify recovery key if err := c.seal.VerifyRecoveryKey(ctx, recoveredKey); err != nil { return nil, err @@ -1160,7 +1160,7 @@ func (c *Core) unsealPart(ctx context.Context, config *SealConfig, key []byte, u // If insuffiencient shares are provided, shamir.Combine will error, and if // no stored keys are found it will return masterKey as nil. var masterKey []byte - if c.seal.StoredKeysSupported(ctx) { + if c.seal.StoredKeysSupported() { masterKeyShares, err := c.seal.GetStoredKeys(ctx) if err != nil { return nil, fmt.Errorf("unable to retrieve stored keys: %v", err) @@ -1227,7 +1227,7 @@ func (c *Core) unsealInternal(ctx context.Context, masterKey []byte) (bool, erro c.sealed = false // Force a cache bust here, which will also run migration code - if c.seal.RecoveryKeySupported(ctx) { + if c.seal.RecoveryKeySupported() { c.seal.SetRecoveryConfig(ctx, nil) } @@ -1573,7 +1573,7 @@ func (c *Core) postUnseal() (retErr error) { // Purge these for safety in case of a rekey c.seal.SetBarrierConfig(c.activeContext, nil) - if c.seal.RecoveryKeySupported(c.activeContext) { + if c.seal.RecoveryKeySupported() { c.seal.SetRecoveryConfig(c.activeContext, nil) } @@ -1768,7 +1768,7 @@ func (c *Core) runStandby(doneCh, stopCh, manualStepDownCh chan struct{}) { // seal, as there's little we can do. { c.seal.SetBarrierConfig(ctx, nil) - if c.seal.RecoveryKeySupported(ctx) { + if c.seal.RecoveryKeySupported() { c.seal.SetRecoveryConfig(ctx, nil) } diff --git a/vault/generate_root.go b/vault/generate_root.go index e4703b204c..5b5939ce38 100644 --- a/vault/generate_root.go +++ b/vault/generate_root.go @@ -190,7 +190,7 @@ func (c *Core) GenerateRootUpdate(ctx context.Context, key []byte, nonce string, // Get the seal configuration var config *SealConfig var err error - if c.seal.RecoveryKeySupported(ctx) { + if c.seal.RecoveryKeySupported() { config, err = c.seal.RecoveryConfig(ctx) if err != nil { return nil, err @@ -270,7 +270,7 @@ func (c *Core) GenerateRootUpdate(ctx context.Context, key []byte, nonce string, } // Verify the master key - if c.seal.RecoveryKeySupported(ctx) { + if c.seal.RecoveryKeySupported() { if err := c.seal.VerifyRecoveryKey(ctx, masterKey); err != nil { c.logger.Error("core: root generation aborted, recovery key verification failed", "error", err) return nil, err diff --git a/vault/init.go b/vault/init.go index 7fd6761909..3a26ea6906 100644 --- a/vault/init.go +++ b/vault/init.go @@ -93,7 +93,7 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes barrierConfig := initParams.BarrierConfig recoveryConfig := initParams.RecoveryConfig - if c.seal.RecoveryKeySupported(ctx) { + if c.seal.RecoveryKeySupported() { if recoveryConfig == nil { return nil, fmt.Errorf("recovery configuration must be supplied") } @@ -202,7 +202,7 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes // Save the configuration regardless, but only generate a key if it's not // disabled. When using recovery keys they are stored in the barrier, so // this must happen post-unseal. - if c.seal.RecoveryKeySupported(ctx) { + if c.seal.RecoveryKeySupported() { err = c.seal.SetRecoveryConfig(ctx, recoveryConfig) if err != nil { c.logger.Error("core: failed to save recovery configuration", "error", err) @@ -254,7 +254,7 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes // UnsealWithStoredKeys performs auto-unseal using stored keys. func (c *Core) UnsealWithStoredKeys(ctx context.Context) error { - if !c.seal.StoredKeysSupported(ctx) { + if !c.seal.StoredKeysSupported() { return nil } diff --git a/vault/rekey.go b/vault/rekey.go index 950dd18f4e..62c4955b30 100644 --- a/vault/rekey.go +++ b/vault/rekey.go @@ -65,7 +65,7 @@ func (c *Core) RekeyThreshold(ctx context.Context, recovery bool) (int, error) { // If we are rekeying the recovery key, or if the seal supports // recovery keys and we are rekeying the barrier key, we use the // recovery config as the threshold instead. - if recovery || c.seal.RecoveryKeySupported(ctx) { + if recovery || c.seal.RecoveryKeySupported() { config, err = c.seal.RecoveryConfig(ctx) } else { config, err = c.seal.BarrierConfig(ctx) @@ -128,17 +128,17 @@ func (c *Core) RekeyConfig(recovery bool) (*SealConfig, error) { // RekeyInit will either initialize the rekey of barrier or recovery key. // recovery determines whether this is a rekey on the barrier or recovery key. -func (c *Core) RekeyInit(ctx context.Context, config *SealConfig, recovery bool) error { +func (c *Core) RekeyInit(config *SealConfig, recovery bool) error { if recovery { - return c.RecoveryRekeyInit(ctx, config) + return c.RecoveryRekeyInit(config) } - return c.BarrierRekeyInit(ctx, config) + return c.BarrierRekeyInit(config) } // BarrierRekeyInit is used to initialize the rekey settings for the barrier key -func (c *Core) BarrierRekeyInit(ctx context.Context, config *SealConfig) error { +func (c *Core) BarrierRekeyInit(config *SealConfig) error { if config.StoredShares > 0 { - if !c.seal.StoredKeysSupported(ctx) { + if !c.seal.StoredKeysSupported() { return fmt.Errorf("storing keys not supported by barrier seal") } if len(config.PGPKeys) > 0 { @@ -149,7 +149,7 @@ func (c *Core) BarrierRekeyInit(ctx context.Context, config *SealConfig) error { } } - if c.seal.RecoveryKeySupported(ctx) && c.seal.RecoveryType() == config.Type { + if c.seal.RecoveryKeySupported() && c.seal.RecoveryType() == config.Type { c.logger.Debug("core: using recovery seal configuration to rekey barrier key") } @@ -194,7 +194,7 @@ func (c *Core) BarrierRekeyInit(ctx context.Context, config *SealConfig) error { } // RecoveryRekeyInit is used to initialize the rekey settings for the recovery key -func (c *Core) RecoveryRekeyInit(ctx context.Context, config *SealConfig) error { +func (c *Core) RecoveryRekeyInit(config *SealConfig) error { if config.StoredShares > 0 { return fmt.Errorf("stored shares not supported by recovery key") } @@ -205,7 +205,7 @@ func (c *Core) RecoveryRekeyInit(ctx context.Context, config *SealConfig) error return fmt.Errorf("invalid recovery configuration: %v", err) } - if !c.seal.RecoveryKeySupported(ctx) { + if !c.seal.RecoveryKeySupported() { return fmt.Errorf("recovery keys not supported") } @@ -284,7 +284,7 @@ func (c *Core) BarrierRekeyUpdate(ctx context.Context, key []byte, nonce string) var existingConfig *SealConfig var err error var useRecovery bool // Determines whether recovery key is being used to rekey the master key - if c.seal.StoredKeysSupported(ctx) && c.seal.RecoveryKeySupported(ctx) { + if c.seal.StoredKeysSupported() && c.seal.RecoveryKeySupported() { existingConfig, err = c.seal.RecoveryConfig(ctx) useRecovery = true } else { @@ -378,7 +378,7 @@ func (c *Core) BarrierRekeyUpdate(ctx context.Context, key []byte, nonce string) // If we are storing any shares, add them to the shares to store and remove // from the returned keys var keysToStore [][]byte - if c.seal.StoredKeysSupported(ctx) && c.barrierRekeyConfig.StoredShares > 0 { + if c.seal.StoredKeysSupported() && c.barrierRekeyConfig.StoredShares > 0 { for i := 0; i < c.barrierRekeyConfig.StoredShares; i++ { keysToStore = append(keysToStore, results.SecretShares[0]) results.SecretShares = results.SecretShares[1:] diff --git a/vault/rekey_test.go b/vault/rekey_test.go index a914d292d8..a3650f1c2f 100644 --- a/vault/rekey_test.go +++ b/vault/rekey_test.go @@ -69,7 +69,7 @@ func testCore_Rekey_Lifecycle_Common(t *testing.T, c *Core, masterKeys [][]byte, SecretThreshold: 3, SecretShares: 5, } - err = c.RekeyInit(context.Background(), newConf, recovery) + err = c.RekeyInit(newConf, recovery) if err != nil { t.Fatalf("err: %v", err) } @@ -111,7 +111,7 @@ func testCore_Rekey_Init_Common(t *testing.T, c *Core, recovery bool) { SecretThreshold: 5, SecretShares: 1, } - err := c.RekeyInit(context.Background(), badConf, recovery) + err := c.RekeyInit(badConf, recovery) if err == nil { t.Fatalf("should fail") } @@ -121,13 +121,13 @@ func testCore_Rekey_Init_Common(t *testing.T, c *Core, recovery bool) { SecretThreshold: 3, SecretShares: 5, } - err = c.RekeyInit(context.Background(), newConf, recovery) + err = c.RekeyInit(newConf, recovery) if err != nil { t.Fatalf("err: %v", err) } // Second should fail - err = c.RekeyInit(context.Background(), newConf, recovery) + err = c.RekeyInit(newConf, recovery) if err == nil { t.Fatalf("should fail") } @@ -155,7 +155,7 @@ func testCore_Rekey_Update_Common(t *testing.T, c *Core, keys [][]byte, root str SecretThreshold: 3, SecretShares: 5, } - err := c.RekeyInit(context.Background(), newConf, recovery) + err := c.RekeyInit(newConf, recovery) if err != nil { t.Fatalf("err: %v", err) } @@ -242,7 +242,7 @@ func testCore_Rekey_Update_Common(t *testing.T, c *Core, keys [][]byte, root str // Skip this step if we are rekeying the barrier key with // recovery keys, since a new rekey should still be using // the same set of recovery keys. - if !recovery && c.seal.RecoveryKeySupported(context.Background()) { + if !recovery && c.seal.RecoveryKeySupported() { return } @@ -251,7 +251,7 @@ func testCore_Rekey_Update_Common(t *testing.T, c *Core, keys [][]byte, root str SecretThreshold: 1, SecretShares: 1, } - err = c.RekeyInit(context.Background(), newConf, recovery) + err = c.RekeyInit(newConf, recovery) if err != nil { t.Fatalf("err: %v", err) } @@ -332,7 +332,7 @@ func testCore_Rekey_Invalid_Common(t *testing.T, c *Core, keys [][]byte, recover SecretThreshold: 3, SecretShares: 5, } - err := c.RekeyInit(context.Background(), newConf, recovery) + err := c.RekeyInit(newConf, recovery) if err != nil { t.Fatalf("err: %v", err) } @@ -420,7 +420,7 @@ func TestCore_Standby_Rekey(t *testing.T) { SecretShares: 1, SecretThreshold: 1, } - err = core.RekeyInit(context.Background(), newConf, false) + err = core.RekeyInit(newConf, false) if err != nil { t.Fatalf("err: %v", err) } @@ -453,7 +453,7 @@ func TestCore_Standby_Rekey(t *testing.T) { TestWaitActive(t, core2) // Rekey the master key again - err = core2.RekeyInit(context.Background(), newConf, false) + err = core2.RekeyInit(newConf, false) if err != nil { t.Fatalf("err: %v", err) } diff --git a/vault/seal.go b/vault/seal.go index 4119880b69..592b1e1c97 100644 --- a/vault/seal.go +++ b/vault/seal.go @@ -68,7 +68,7 @@ type Seal interface { Init(context.Context) error Finalize(context.Context) error - StoredKeysSupported(context.Context) bool + StoredKeysSupported() bool SetStoredKeys(context.Context, [][]byte) error GetStoredKeys(context.Context) ([][]byte, error) @@ -76,7 +76,7 @@ type Seal interface { BarrierConfig(context.Context) (*SealConfig, error) SetBarrierConfig(context.Context, *SealConfig) error - RecoveryKeySupported(context.Context) bool + RecoveryKeySupported() bool RecoveryType() string RecoveryConfig(context.Context) (*SealConfig, error) SetRecoveryConfig(context.Context, *SealConfig) error @@ -112,11 +112,11 @@ func (d *DefaultSeal) BarrierType() string { return SealTypeShamir } -func (d *DefaultSeal) StoredKeysSupported(ctx context.Context) bool { +func (d *DefaultSeal) StoredKeysSupported() bool { return false } -func (d *DefaultSeal) RecoveryKeySupported(ctx context.Context) bool { +func (d *DefaultSeal) RecoveryKeySupported() bool { return false } diff --git a/vault/seal_access.go b/vault/seal_access.go index f2b980fe74..92a016faae 100644 --- a/vault/seal_access.go +++ b/vault/seal_access.go @@ -13,16 +13,16 @@ func NewSealAccess(seal Seal) *SealAccess { return &SealAccess{seal: seal} } -func (s *SealAccess) StoredKeysSupported(ctx context.Context) bool { - return s.seal.StoredKeysSupported(ctx) +func (s *SealAccess) StoredKeysSupported() bool { + return s.seal.StoredKeysSupported() } func (s *SealAccess) BarrierConfig(ctx context.Context) (*SealConfig, error) { return s.seal.BarrierConfig(ctx) } -func (s *SealAccess) RecoveryKeySupported(ctx context.Context) bool { - return s.seal.RecoveryKeySupported(ctx) +func (s *SealAccess) RecoveryKeySupported() bool { + return s.seal.RecoveryKeySupported() } func (s *SealAccess) RecoveryConfig(ctx context.Context) (*SealConfig, error) { @@ -35,7 +35,7 @@ func (s *SealAccess) VerifyRecoveryKey(ctx context.Context, key []byte) error { func (s *SealAccess) ClearCaches(ctx context.Context) { s.seal.SetBarrierConfig(ctx, nil) - if s.RecoveryKeySupported(ctx) { + if s.RecoveryKeySupported() { s.seal.SetRecoveryConfig(ctx, nil) } } diff --git a/vault/testing.go b/vault/testing.go index c1d8b6f483..85b34466a1 100644 --- a/vault/testing.go +++ b/vault/testing.go @@ -209,7 +209,7 @@ func TestCoreInitClusterWrapperSetup(t testing.T, core *Core, clusterAddrs []*ne } // If we support storing barrier keys, then set that to equal the min threshold to unseal - if core.seal.StoredKeysSupported(context.Background()) { + if core.seal.StoredKeysSupported() { barrierConfig.StoredShares = barrierConfig.SecretThreshold }