Avoid unnecessary rewraps, CE side (#25144)

* Avoid unnecessary rewraps, CE side * sealRewrap is only available ENT side * update stub * update stub, again
2025-11-02 11:38:02 +00:00 · 2024-01-31 17:27:52 -06:00
parent 9308fa1cb3
commit f0e7f114a1
4 changed files with 18 additions and 14 deletions
--- a/command/server.go
+++ b/command/server.go
@@ -2573,6 +2573,7 @@ type SetSealResponse struct {
 	// sealConfigError is present if there was an error configuring wrappers, other than KeyNotFound.
 	sealConfigError          error
 	sealConfigWarning        error
+	hasPartiallyWrappedPaths bool
 }

 func (r *SetSealResponse) getCreatedSeals() []*vault.Seal {
@@ -2775,6 +2776,9 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
 				return nil, err
 			}
 			unwrapSeal = vault.NewAutoSeal(a)
+		} else if sealGenerationInfo.Generation == 1 {
+			// First generation, and shamir, with no disabled wrapperrs, so there can be no wrapped values
+			sealGenerationInfo.SetRewrapped(true)
 		}

 	case len(disabledSealWrappers) == 1 && containsShamir(disabledSealWrappers):
@@ -2827,6 +2831,7 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
 		unwrapSeal:               unwrapSeal,
 		sealConfigError:          sealConfigError,
 		sealConfigWarning:        sealConfigWarning,
+		hasPartiallyWrappedPaths: hasPartiallyWrappedPaths,
 	}, nil
 }

@@ -3356,13 +3361,13 @@ func (c *ServerCommand) reloadSeals(ctx context.Context, core *vault.Core, confi
 		return nil, err
 	}

-	err = core.SetSeals(setSealResponse.barrierSeal, secureRandomReader)
+	newGen := setSealResponse.barrierSeal.GetAccess().GetSealGenerationInfo()
+
+	err = core.SetSeals(setSealResponse.barrierSeal, secureRandomReader, !newGen.IsRewrapped() || setSealResponse.hasPartiallyWrappedPaths)
 	if err != nil {
 		return nil, fmt.Errorf("error setting seal: %s", err)
 	}

-	newGen := setSealResponse.barrierSeal.GetAccess().GetSealGenerationInfo()
-
 	if err := core.SetPhysicalSealGenInfo(ctx, newGen); err != nil {
 		c.logger.Warn("could not update seal information in storage", "err", err)
 	}
--- a/vault/core.go
+++ b/vault/core.go
@@ -4452,7 +4452,7 @@ func (c *Core) Events() *eventbus.EventBus {
 	return c.events
 }

-func (c *Core) SetSeals(barrierSeal Seal, secureRandomReader io.Reader) error {
+func (c *Core) SetSeals(barrierSeal Seal, secureRandomReader io.Reader, shouldRewrap bool) error {
 	ctx, _ := c.GetContext()

 	c.stateLock.Lock()
@@ -4490,7 +4490,7 @@ func (c *Core) SetSeals(barrierSeal Seal, secureRandomReader io.Reader) error {

 	c.seal = barrierSeal

-	c.reloadSealsEnt(secureRandomReader, barrierSeal.GetAccess(), c.logger)
+	c.reloadSealsEnt(secureRandomReader, barrierSeal, c.logger, shouldRewrap)

 	return nil
 }
--- a/vault/core_test.go
+++ b/vault/core_test.go
@@ -3382,7 +3382,7 @@ func TestSetSeals(t *testing.T) {
 		Generation:   2,
 	})

-	err := testCore.SetSeals(newSeal, nil)
+	err := testCore.SetSeals(newSeal, nil, false)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/vault/reload_seal_stubs_oss.go
+++ b/vault/reload_seal_stubs_oss.go
@@ -9,10 +9,9 @@ import (
 	"io"

 	"github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/vault/vault/seal"
 )

 //go:generate go run github.com/hashicorp/vault/tools/stubmaker

-func (c *Core) reloadSealsEnt(secureRandomReader io.Reader, sealAccess seal.Access, logger hclog.Logger) {
+func (c *Core) reloadSealsEnt(secureRandomReader io.Reader, sealAccess Seal, logger hclog.Logger, shouldRewrap bool) {
 }