[VAULT-31754] Check removed status in sys/unseal and error out if the node has been removed from the cluster (#28909)

http/sys_seal.go

@@ -85,6 +85,14 @@ func handleSysUnseal(core *vault.Core) http.Handler {
 			return
 		}
 
+		// Check if this node was removed from the cluster. If so, respond with an error and return,
+		// since we don't want a removed node to be able to unseal.
+		removed, ok := core.IsRemovedFromCluster()
+		if ok && removed {
+			respondError(w, http.StatusInternalServerError, errors.New("node was removed from a HA cluster"))
+			return
+		}
+
 		// Parse the request
 		var req UnsealRequest
 		if _, err := parseJSONRequest(core.PerfStandby(), r, w, &req); err != nil {

http/sys_seal_test.go

@@ -439,6 +439,35 @@ func TestSysUnseal_Reset(t *testing.T) {
 	}
 }
 
+// TestSysUnseal_NodeRemovedFromCluster verifies that a call to /sys/unseal fails
+// with an appropriate error when the node has been removed from a cluster.
+func TestSysUnseal_NodeRemovedFromCluster(t *testing.T) {
+	core, err := vault.TestCoreWithMockRemovableNodeHABackend(t, true)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+
+	// The value of key doesn't matter here, we just need to make a request.
+	resp := testHttpPut(t, "", addr+"/v1/sys/unseal", map[string]interface{}{
+		"key": "foo",
+	})
+
+	testResponseStatus(t, resp, 500)
+	var actual map[string]interface{}
+	testResponseBody(t, resp, &actual)
+
+	errors, ok := actual["errors"].([]interface{})
+	if !ok {
+		t.Fatalf("no errors in the response, request should be invalid")
+	}
+	expectedErrorMsg := "node was removed from a HA cluster"
+	if !strings.Contains(errors[0].(string), expectedErrorMsg) {
+		t.Fatalf("error message should contain %q", expectedErrorMsg)
+	}
+}
+
 // Test Seal's permissions logic, which is slightly different than normal code
 // paths in that it queries the ACL rather than having checkToken do it. This
 // is because it was abusing RootPaths in logical_system, but that caused some