From 9b9e18c5f57a39c5286a5dd190f1ad47f554b654 Mon Sep 17 00:00:00 2001 From: Calvin Leung Huang Date: Thu, 8 Nov 2018 16:11:51 -0800 Subject: [PATCH 1/4] Reset rekey progress once threshold has been met --- vault/rekey.go | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/vault/rekey.go b/vault/rekey.go index 89b35737076b..5333cc4e5275 100644 --- a/vault/rekey.go +++ b/vault/rekey.go @@ -372,8 +372,10 @@ func (c *Core) BarrierRekeyUpdate(ctx context.Context, key []byte, nonce string) var recoveredKey []byte if existingConfig.SecretThreshold == 1 { recoveredKey = c.barrierRekeyConfig.RekeyProgress[0] + c.barrierRekeyConfig.RekeyProgress = nil } else { recoveredKey, err = shamir.Combine(c.barrierRekeyConfig.RekeyProgress) + c.barrierRekeyConfig.RekeyProgress = nil if err != nil { return nil, logical.CodedError(http.StatusInternalServerError, errwrap.Wrapf("failed to compute master key: {{err}}", err).Error()) } @@ -381,12 +383,12 @@ func (c *Core) BarrierRekeyUpdate(ctx context.Context, key []byte, nonce string) if useRecovery { if err := c.seal.VerifyRecoveryKey(ctx, recoveredKey); err != nil { - c.logger.Error("rekey recovery key verification failed", "error", err) + c.logger.Error("rekey recovery key verification failed, resetting rekey progress", "error", err) return nil, logical.CodedError(http.StatusBadRequest, errwrap.Wrapf("recovery key verification failed: {{err}}", err).Error()) } } else { if err := c.barrier.VerifyMaster(recoveredKey); err != nil { - c.logger.Error("master key verification failed", "error", err) + c.logger.Error("master key verification failed, resetting rekey progress", "error", err) return nil, logical.CodedError(http.StatusBadRequest, errwrap.Wrapf("master key verification failed: {{err}}", err).Error()) } } @@ -600,8 +602,11 @@ func (c *Core) RecoveryRekeyUpdate(ctx context.Context, key []byte, nonce string var recoveryKey []byte if existingConfig.SecretThreshold == 1 { recoveryKey = c.recoveryRekeyConfig.RekeyProgress[0] + c.recoveryRekeyConfig.RekeyProgress = nil + } else { recoveryKey, err = shamir.Combine(c.recoveryRekeyConfig.RekeyProgress) + c.recoveryRekeyConfig.RekeyProgress = nil if err != nil { return nil, logical.CodedError(http.StatusInternalServerError, errwrap.Wrapf("failed to compute recovery key: {{err}}", err).Error()) } @@ -609,7 +614,7 @@ func (c *Core) RecoveryRekeyUpdate(ctx context.Context, key []byte, nonce string // Verify the recovery key if err := c.seal.VerifyRecoveryKey(ctx, recoveryKey); err != nil { - c.logger.Error("recovery key verification failed", "error", err) + c.logger.Error("recovery key verification failed, esetting rekey progress", "error", err) return nil, logical.CodedError(http.StatusBadRequest, errwrap.Wrapf("recovery key verification failed: {{err}}", err).Error()) } From a1da3772117ef888ab603ebfba8d5c6b441201ab Mon Sep 17 00:00:00 2001 From: Calvin Leung Huang Date: Thu, 8 Nov 2018 16:14:00 -0800 Subject: [PATCH 2/4] Reverting log message changes --- vault/rekey.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/vault/rekey.go b/vault/rekey.go index 5333cc4e5275..462109f4dbba 100644 --- a/vault/rekey.go +++ b/vault/rekey.go @@ -383,12 +383,12 @@ func (c *Core) BarrierRekeyUpdate(ctx context.Context, key []byte, nonce string) if useRecovery { if err := c.seal.VerifyRecoveryKey(ctx, recoveredKey); err != nil { - c.logger.Error("rekey recovery key verification failed, resetting rekey progress", "error", err) + c.logger.Error("rekey recovery key verification failed", "error", err) return nil, logical.CodedError(http.StatusBadRequest, errwrap.Wrapf("recovery key verification failed: {{err}}", err).Error()) } } else { if err := c.barrier.VerifyMaster(recoveredKey); err != nil { - c.logger.Error("master key verification failed, resetting rekey progress", "error", err) + c.logger.Error("master key verification failed", "error", err) return nil, logical.CodedError(http.StatusBadRequest, errwrap.Wrapf("master key verification failed: {{err}}", err).Error()) } } @@ -614,7 +614,7 @@ func (c *Core) RecoveryRekeyUpdate(ctx context.Context, key []byte, nonce string // Verify the recovery key if err := c.seal.VerifyRecoveryKey(ctx, recoveryKey); err != nil { - c.logger.Error("recovery key verification failed, esetting rekey progress", "error", err) + c.logger.Error("recovery key verification failed", "error", err) return nil, logical.CodedError(http.StatusBadRequest, errwrap.Wrapf("recovery key verification failed: {{err}}", err).Error()) } From 3c6c461170e4ce0bbe00f22e44c998b2b23c77f1 Mon Sep 17 00:00:00 2001 From: Calvin Leung Huang Date: Thu, 8 Nov 2018 16:23:09 -0800 Subject: [PATCH 3/4] Add progress check on invalid rekey test --- vault/rekey.go | 1 - vault/rekey_test.go | 9 +++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/vault/rekey.go b/vault/rekey.go index 462109f4dbba..ad7d914f87f3 100644 --- a/vault/rekey.go +++ b/vault/rekey.go @@ -603,7 +603,6 @@ func (c *Core) RecoveryRekeyUpdate(ctx context.Context, key []byte, nonce string if existingConfig.SecretThreshold == 1 { recoveryKey = c.recoveryRekeyConfig.RekeyProgress[0] c.recoveryRekeyConfig.RekeyProgress = nil - } else { recoveryKey, err = shamir.Combine(c.recoveryRekeyConfig.RekeyProgress) c.recoveryRekeyConfig.RekeyProgress = nil diff --git a/vault/rekey_test.go b/vault/rekey_test.go index 9d61b9b1876e..e064cf690bb9 100644 --- a/vault/rekey_test.go +++ b/vault/rekey_test.go @@ -365,6 +365,15 @@ func testCore_Rekey_Invalid_Common(t *testing.T, c *Core, keys [][]byte, recover if err == nil { t.Fatalf("expected error, ret is %#v\noldkeystr: %s\nnewkeystr: %s", *ret, oldkeystr, newkeystr) } + + // Check status has been reset + _, num, err := c.RekeyProgress(recovery, false) + if err != nil { + t.Fatalf("err: %v", err) + } + if num != 0 { + t.Fatalf("rekey progress should be 0, got: %d", num) + } } func TestCore_Rekey_Standby(t *testing.T) { From 1fa92650bcc48d3b23494acb46809dbe3f1b45f8 Mon Sep 17 00:00:00 2001 From: Calvin Leung Huang Date: Thu, 8 Nov 2018 16:26:08 -0800 Subject: [PATCH 4/4] Minor comment update --- vault/rekey_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vault/rekey_test.go b/vault/rekey_test.go index e064cf690bb9..9a09e748e64d 100644 --- a/vault/rekey_test.go +++ b/vault/rekey_test.go @@ -366,7 +366,7 @@ func testCore_Rekey_Invalid_Common(t *testing.T, c *Core, keys [][]byte, recover t.Fatalf("expected error, ret is %#v\noldkeystr: %s\nnewkeystr: %s", *ret, oldkeystr, newkeystr) } - // Check status has been reset + // Check progress has been reset _, num, err := c.RekeyProgress(recovery, false) if err != nil { t.Fatalf("err: %v", err)