From e28c1c3697b4bd5066217307f2f56691b5c7eb2a Mon Sep 17 00:00:00 2001
From: Calvin Leung Huang
Date: Mon, 19 Nov 2018 17:03:07 -0800
Subject: [PATCH] Reset rekey progress once threshold has been met (#5743)
* Reset rekey progress once threshold has been met
* Reverting log message changes
* Add progress check on invalid rekey test
* Minor comment update
---
 vault/rekey.go | 4 ++++
 vault/rekey_test.go | 9 +++++++++
 2 files changed, 13 insertions(+)
diff --git a/vault/rekey.go b/vault/rekey.go
index 89b35737076b..ad7d914f87f3 100644
--- a/vault/rekey.go
+++ b/vault/rekey.go
@@ -372,8 +372,10 @@ func (c *Core) BarrierRekeyUpdate(ctx context.Context, key []byte, nonce string)
 var recoveredKey []byte
 if existingConfig.SecretThreshold == 1 {
 recoveredKey = c.barrierRekeyConfig.RekeyProgress[0]
+ c.barrierRekeyConfig.RekeyProgress = nil
 } else {
 recoveredKey, err = shamir.Combine(c.barrierRekeyConfig.RekeyProgress)
+ c.barrierRekeyConfig.RekeyProgress = nil
 if err != nil {
 return nil, logical.CodedError(http.StatusInternalServerError, errwrap.Wrapf("failed to compute master key: {{err}}", err).Error())
 }
@@ -600,8 +602,10 @@ func (c *Core) RecoveryRekeyUpdate(ctx context.Context, key []byte, nonce string
 var recoveryKey []byte
 if existingConfig.SecretThreshold == 1 {
 recoveryKey = c.recoveryRekeyConfig.RekeyProgress[0]
+ c.recoveryRekeyConfig.RekeyProgress = nil
 } else {
 recoveryKey, err = shamir.Combine(c.recoveryRekeyConfig.RekeyProgress)
+ c.recoveryRekeyConfig.RekeyProgress = nil
 if err != nil {
 return nil, logical.CodedError(http.StatusInternalServerError, errwrap.Wrapf("failed to compute recovery key: {{err}}", err).Error())
 }
diff --git a/vault/rekey_test.go b/vault/rekey_test.go
index 9d61b9b1876e..9a09e748e64d 100644
--- a/vault/rekey_test.go
+++ b/vault/rekey_test.go
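Review bot: In the `else` branch of BarrierRekeyUpdate the added `c.barrierRekeyConfig.RekeyProgress = nil` sits between `shamir.Combine` and its `if err != nil` check, and no comment records that this ordering is deliberate. A later tidy-up that moves the reset below the error check would leave the submitted shares in place whenever Combine fails, so I would add a comment above the line such as `// Reset progress before checking err so a failed Combine cannot leave shares behind.` The same applies to the matching line in the RecoveryRekeyUpdate hunk. Both branches now end with the same reset, so taking the slice into a local before the `if` and clearing the field once would also remove the duplication; the function body starts and ends outside the hunk, so whether that fits the surrounding code cannot be checked from here.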
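Review bot: Assigning `nil` to `c.recoveryRekeyConfig.RekeyProgress` only drops the reference; the submitted key shares stay in heap memory until the garbage collector reclaims and reuses them. In the `else` branch the shares are no longer needed once `shamir.Combine` has returned, so each share could be overwritten with zeros before the field is cleared, as a best-effort reduction of how long key material lingers. In the `SecretThreshold == 1` branch `recoveryKey` aliases `RekeyProgress[0]`, so any wipe there has to wait until `recoveryKey` is no longer used, which happens outside this hunk. The BarrierRekeyUpdate hunk has the same shape.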
@@ -365,6 +365,15 @@ func testCore_Rekey_Invalid_Common(t *testing.T, c *Core, keys [][]byte, recover
 if err == nil {
 t.Fatalf("expected error, ret is %#v\noldkeystr: %s\nnewkeystr: %s", *ret, oldkeystr, newkeystr)
 }
+
+ // Check progress has been reset
+ _, num, err := c.RekeyProgress(recovery, false)
+ if err != nil {
+ t.Fatalf("err: %v", err)
+ }
+ if num != 0 {
+ t.Fatalf("rekey progress should be 0, got: %d", num)
+ }
 }

 func TestCore_Rekey_Standby(t *testing.T) {
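Review bot: The new assertion only covers the rejection path: it runs after the `err == nil` guard, so it shows that progress is cleared when the rekey is refused, but nothing in this hunk checks the reset after a successful rekey. Which of the two branches changed in rekey.go is exercised depends on the threshold the callers of testCore_Rekey_Invalid_Common configure, and that setup is outside the hunk. I would add the same `c.RekeyProgress(recovery, false)` check to the successful-rekey test and to a case with `SecretThreshold == 1`, if the existing tests do not already make it.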