reloadSeals reloads configuration files and determines whether it needs to re-create the Seal.Access() objects. This function needs do detect that core.SealAccess() is no longer using the seal Wrapper that is specified in the seal configuration files. This function returns true if the newConfig was
(ctx context.Context, grabStateLock bool, core *vault.Core, newConfig *server.Config)
| 3288 | // This function returns true if the newConfig was used to re-create the Seal.Access() objects. In other words, |
| 3289 | // if false is returned, there were no changes done to the seals. |
| 3290 | func (c *ServerCommand) reloadSeals(ctx context.Context, grabStateLock bool, core *vault.Core, newConfig *server.Config) (bool, error) { |
| 3291 | if core.IsInSealMigrationMode(grabStateLock) { |
| 3292 | c.logger.Debug("not reloading seal configuration since Vault is in migration mode") |
| 3293 | return false, nil |
| 3294 | } |
| 3295 | |
| 3296 | currentConfig := core.GetCoreConfigInternal() |
| 3297 | |
| 3298 | // We only want to reload if multiseal is currently enabled, or it is being enabled |
| 3299 | if !(currentConfig.IsMultisealEnabled() || newConfig.IsMultisealEnabled()) { |
| 3300 | c.logger.Debug("not reloading seal configuration since enable_multiseal is not set, nor is it being disabled") |
| 3301 | return false, nil |
| 3302 | } |
| 3303 | |
| 3304 | if conf, err := core.PhysicalBarrierSealConfig(ctx); err != nil { |
| 3305 | return false, fmt.Errorf("error reading barrier seal configuration from storage while reloading seals: %w", err) |
| 3306 | } else if conf == nil { |
| 3307 | c.logger.Debug("not reloading seal configuration since there is no barrier config in storage (the seal has not been initialized)") |
| 3308 | return false, nil |
| 3309 | } |
| 3310 | |
| 3311 | if core.SealAccess().BarrierSealConfigType() == vault.SealConfigTypeShamir { |
| 3312 | switch { |
| 3313 | case len(newConfig.Seals) == 0: |
| 3314 | // We are fine, our ServerCommand.reloadConfigFiles() does not do the "automagic" creation |
| 3315 | // of the Shamir seal configuration. |
| 3316 | c.logger.Debug("not reloading seal configuration since the new one has no seal stanzas") |
| 3317 | return false, nil |
| 3318 | |
| 3319 | case len(newConfig.Seals) == 1 && newConfig.Seals[0].Disabled: |
| 3320 | // If we have only one seal and it is disabled, it means that the newConfig wants to migrate |
| 3321 | // to Shamir, which is not supported by seal reloading. |
| 3322 | c.logger.Debug("not reloading seal configuration since the new one specifies migration to Shamir") |
| 3323 | return false, nil |
| 3324 | |
| 3325 | case len(newConfig.Seals) == 1 && newConfig.Seals[0].Type == vault.SealConfigTypeShamir.String(): |
| 3326 | // Having a single Shamir seal in newConfig is not really possible, since a Shamir seal |
| 3327 | // is specified in configuration by *not* having a seal stanza. If we were to hit this |
| 3328 | // case, though, it is equivalent to trying to migrate to Shamir, which is not supported |
| 3329 | // by seal reloading. |
| 3330 | c.logger.Debug("not reloading seal configuration since the new one has single Shamir stanza") |
| 3331 | return false, nil |
| 3332 | } |
| 3333 | } |
| 3334 | |
| 3335 | // Verify that the new config we picked up is not trying to migrate from autoseal to shamir |
| 3336 | if len(newConfig.Seals) == 1 && newConfig.Seals[0].Disabled { |
| 3337 | // If we get here, it means the node was not started in migration mode, but the new config says |
| 3338 | // we should go into migration mode. This case should be caught by the core.IsInSealMigrationMode() |
| 3339 | // above. |
| 3340 | |
| 3341 | return false, errors.New("not reloading seal configuration: moving from autoseal to shamir requires seal migration") |
| 3342 | } |
| 3343 | |
| 3344 | // Verify that the new config we picked up is not trying to migrate shamir to autoseal |
| 3345 | if core.SealAccess().BarrierSealConfigType() == vault.SealConfigTypeShamir { |
| 3346 | return false, errors.New("not reloading seal configuration: moving from Shamir to autoseal requires seal migration") |
| 3347 | } |
no test coverage detected