Make retry join work with shamir seal

hashicorp · Nov 13, 2019 · cfde5cd · cfde5cd
1 parent 9e2ae1f
commit cfde5cd
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 12 deletions.
diff --git a/physical/raft/raft.go b/physical/raft/raft.go
@@ -586,6 +586,29 @@ func (b *RaftBackend) RemovePeer(ctx context.Context, peerID string) error {
 	return future.Error()
 }
 
+// IsLeader tells if the current node is the leader node in the raft cluster
+func (b *RaftBackend) IsLeader(ctx context.Context) (bool, error) {
+	b.l.RLock()
+	defer b.l.RUnlock()
+
+	if b.raft == nil {
+		return false, errors.New("raft storage is not initialized")
+	}
+
+	future := b.raft.GetConfiguration()
+	if err := future.Error(); err != nil {
+		return false, err
+	}
+
+	for _, server := range future.Configuration().Servers {
+		if string(server.ID) == b.NodeID() {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
 func (b *RaftBackend) GetConfiguration(ctx context.Context) (*RaftConfigurationResponse, error) {
 	b.l.RLock()
 	defer b.l.RUnlock()

diff --git a/vault/logical_system_raft.go b/vault/logical_system_raft.go
@@ -5,10 +5,10 @@ import (
 	"crypto/subtle"
 	"encoding/base64"
 	"errors"
+	"github.com/hashicorp/go-uuid"
 	"strings"
 
-	proto "github.com/golang/protobuf/proto"
-	uuid "github.com/hashicorp/go-uuid"
+	"github.com/golang/protobuf/proto"
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/physical/raft"
 	"github.com/hashicorp/vault/sdk/framework"
@@ -176,23 +176,35 @@ func (b *SystemBackend) handleRaftRemovePeerUpdate() framework.OperationFunc {
 
 func (b *SystemBackend) handleRaftBootstrapChallengeWrite() framework.OperationFunc {
 	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
-		_, ok := b.Core.underlyingPhysical.(*raft.RaftBackend)
+		raftStorage, ok := b.Core.underlyingPhysical.(*raft.RaftBackend)
 		if !ok {
 			return logical.ErrorResponse("raft storage is not in use"), logical.ErrInvalidRequest
 		}
 
+		leader, err := raftStorage.IsLeader(ctx)
+		if err != nil {
+			return nil, err
+		}
+		if !leader {
+			return logical.ErrorResponse("not the raft leader node"), logical.ErrInvalidRequest
+		}
+
 		serverID := d.Get("server_id").(string)
 		if len(serverID) == 0 {
 			return logical.ErrorResponse("no server id provided"), logical.ErrInvalidRequest
 		}
 
-		uuid, err := uuid.GenerateRandomBytes(16)
-		if err != nil {
-			return nil, err
+		answer, ok := b.Core.pendingRaftPeers[serverID]
+		if !ok {
+			var err error
+			answer, err = uuid.GenerateRandomBytes(16)
+			if err != nil {
+				return nil, err
+			}
 		}
 
 		sealAccess := b.Core.seal.GetAccess()
-		eBlob, err := sealAccess.Encrypt(ctx, uuid)
+		eBlob, err := sealAccess.Encrypt(ctx, answer)
 		if err != nil {
 			return nil, err
 		}
@@ -201,7 +213,7 @@ func (b *SystemBackend) handleRaftBootstrapChallengeWrite() framework.OperationF
 			return nil, err
 		}
 
-		b.Core.pendingRaftPeers[serverID] = uuid
+		b.Core.pendingRaftPeers[serverID] = answer
 		sealConfig, err := b.Core.seal.BarrierConfig(ctx)
 		if err != nil {
 			return nil, err

diff --git a/vault/raft.go b/vault/raft.go
@@ -596,7 +596,7 @@ func (c *Core) JoinRaftCluster(ctx context.Context, leaderInfo *RetryJoinLeaderI
 		leaderInfos = append(leaderInfos, leaderInfo)
 	}
 
-	join := func() error {
+	join := func(retry bool) error {
 		joinLeader := func(leaderInfo *RetryJoinLeaderInfo) error {
 			if leaderInfo == nil {
 				return errors.New("raft leader information is nil")
@@ -696,7 +696,14 @@ func (c *Core) JoinRaftCluster(ctx context.Context, leaderInfo *RetryJoinLeaderI
 			}
 			if c.seal.BarrierType() == seal.Shamir {
 				c.raftInfo = raftInfo
-				return c.seal.SetBarrierConfig(ctx, &sealConfig)
+				if err := c.seal.SetBarrierConfig(ctx, &sealConfig); err != nil {
+					return err
+				}
+				// If retry is set, continue to join after some time
+				if retry {
+					return errors.New("raft join is waiting for unseal keys to be supplied")
+				}
+				return nil
 			}
 
 			if err := c.joinRaftSendAnswer(ctx, c.seal.GetAccess(), raftInfo); err != nil {
@@ -720,7 +727,7 @@ func (c *Core) JoinRaftCluster(ctx context.Context, leaderInfo *RetryJoinLeaderI
 	case true:
 		go func() {
 			for {
-				err := join()
+				err := join(retry)
 				if err == nil {
 					return
 				}
@@ -732,7 +739,7 @@ func (c *Core) JoinRaftCluster(ctx context.Context, leaderInfo *RetryJoinLeaderI
 		// Backgrounded so return false
 		return false, nil
 	default:
-		if err := join(); err != nil {
+		if err := join(retry); err != nil {
 			c.logger.Error("failed to join raft cluster", "error", err)
 			return false, errwrap.Wrapf("failed to join raft cluster: {{err}}", err)
 		}