Seal migration with Raft #8103

Merged on Feb 13, 2020 (38 commits). Changes from 1 commit.

Commits:
4164481
Seal migration after unsealing
vishalnayak Jan 6, 2020
2047eed
Refactor migration fields migrationInformation in core
vishalnayak Jan 7, 2020
b96f840
Perform seal migration as part of postUnseal
vishalnayak Jan 8, 2020
e668955
Remove the sleep logic
vishalnayak Jan 8, 2020
67e870e
Use proper seal in the unseal function
vishalnayak Jan 8, 2020
f486b16
Fix migration from Auto to Shamir
vishalnayak Jan 10, 2020
96cb241
Merge branch 'master-oss' into raft-seal-migration
vishalnayak Jan 14, 2020
032a5dc
Merge branch 'master-oss' into raft-seal-migration
vishalnayak Jan 21, 2020
df92ebb
Merge branch 'master-oss' into raft-seal-migration
vishalnayak Jan 21, 2020
23b948e
Fix the recovery config missing issue
vishalnayak Jan 23, 2020
b2ab3c4
Address the non-ha migration case
vishalnayak Jan 23, 2020
cf1a5bf
Fix the multi cluster case
vishalnayak Jan 23, 2020
640c5a1
Avoid re-running seal migration
vishalnayak Jan 27, 2020
bbb79b8
Merge branch 'master' into raft-seal-migration
vishalnayak Jan 27, 2020
6fb8f69
Run the post migration code in new leaders
vishalnayak Jan 27, 2020
8852469
Fix the issue of wrong recovery being set
vishalnayak Jan 27, 2020
146adc6
Address review feedback
vishalnayak Jan 28, 2020
d3b4811
Merge branch 'master-oss' into raft-seal-migration
vishalnayak Jan 28, 2020
3739f17
Add more complete testing coverage for seal migrations. (#8247)
ncabatoff Jan 28, 2020
faed5ef
Fix all known issues
vishalnayak Jan 29, 2020
10066be
Remove warning
vishalnayak Jan 30, 2020
c9d4025
Merge branch 'master-oss' into raft-seal-migration
vishalnayak Jan 30, 2020
06b53eb
Review feedback.
ncabatoff Feb 5, 2020
d89ce53
Revert my previous change that broke raft tests. We'll need to come …
ncabatoff Feb 6, 2020
b19544a
Don't allow migration between same types for now
vishalnayak Feb 6, 2020
cf76c32
Disable auto to auto tests for now since it uses migration between sa…
vishalnayak Feb 6, 2020
5042988
Merge branch 'master' into raft-seal-migration
vishalnayak Feb 6, 2020
841cb7f
Merge branch 'master-oss' into raft-seal-migration
vishalnayak Feb 7, 2020
cb0ef6a
Merge branch 'master-oss' into raft-seal-migration
vishalnayak Feb 12, 2020
925d758
Update vault/core.go
vishalnayak Feb 12, 2020
69ff49d
Add migration logs
vishalnayak Feb 12, 2020
5a14ddf
Address review comments
vishalnayak Feb 12, 2020
d6faa9a
Add the recovery config check back
vishalnayak Feb 12, 2020
0ddd2c2
Skip a few steps if migration is already done
vishalnayak Feb 12, 2020
48c7832
Merge branch 'master-oss' into raft-seal-migration
vishalnayak Feb 13, 2020
a31fcfb
Return from waitForLeadership if migration fails
vishalnayak Feb 13, 2020
d668aff
Merge branch 'master' into raft-seal-migration
vishalnayak Feb 13, 2020
1cfbc19
Merge branch 'master' into raft-seal-migration
vishalnayak Feb 13, 2020
43 changes: 37 additions & 6 deletions vault/core.go
@@ -1,6 +1,7 @@
package vault

import (
"bytes"
"context"
"crypto/ecdsa"
"crypto/rand"
Expand Down Expand Up @@ -1050,9 +1051,6 @@ func (c *Core) unseal(key []byte, useRecoveryKeys bool) (bool, error) {

// If there is a stored key, retrieve it.
if cfg.StoredShares > 0 {
if err != nil {
return false, err
}
// Here's where we actually test that the provided unseal
// key is valid: can it decrypt the stored master key?
storedKeys, err := sealToUse.GetStoredKeys(ctx)
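Review bot: in `unseal`, confirm that the error returned alongside `cfg` is still checked before `if cfg.StoredShares > 0`. The three-line `if err != nil` guard dropped from the top of that block (the header goes from 9 lines to 6) tested an `err` that nothing inside the block had assigned yet, so it was dead code there, but the context shown does not include the check that should sit above it.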
Expand Down Expand Up @@ -1250,7 +1248,8 @@ func (c *Core) unsealPart(ctx context.Context, seal Seal, key []byte, useRecover

switch {
case c.migrationInfo != nil:
// Make a copy to avoid accidental reference changes for the values in migrationInfo
// Make copies of fields that gets passed on to migration via migrationInfo to
// avoid accidental reference changes
c.migrationInfo.shamirCombinedKey = make([]byte, len(recoveredKey))
copy(c.migrationInfo.shamirCombinedKey, recoveredKey)
if seal.StoredKeysSupported() == vaultseal.StoredKeysSupportedShamirMaster {
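Review bot: the reworded comment above the `shamirCombinedKey` copy in `unsealPart` has a grammar slip: "fields that gets passed on" should read "fields that get passed on". Since the copy leaves a second in-memory instance of the recovered key in `c.migrationInfo`, the comment could also say where that copy is cleared once migration finishes; nothing in this hunk shows it.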
Expand Down Expand Up @@ -1286,9 +1285,41 @@ func (c *Core) migrateSeal(ctx context.Context) error {
if err != nil {
return fmt.Errorf("failed to read existing seal configuration during migration: %v", err)
}
if existBarrierSealConfig.Type == c.seal.BarrierType() {
c.logger.Info("seal migration has been performed by previous leader")

switch {
case existBarrierSealConfig.Type != c.migrationInfo.seal.BarrierType():
// If the existing barrier type is not the same as the type of seal we are
// migrating from, it can be concluded that migration has already been performed
c.logger.Info("migration is already performed since existing seal type and source seal types are different")
goto DONE
case existBarrierSealConfig.Type == c.seal.BarrierType():
// If the existing barrier type and the new seal type that we are moving to are
// the same, migration is assumed to have been completed, unless, migration is
// happening between same types (for example, transit to transit). When the
// migration is happening between same types, we need a different criteria to
// determine if the migration has happened or not. We can encrypt a sample value
// using the new seal that we are going to and attempt a decrypt from the
// existing seal. If that succeeds, we conclude that the migration has already
// been done.
plaintext := []byte("foo")
eblob, err := c.seal.GetAccess().Wrapper.Encrypt(ctx, []byte("foo"), nil)
if err != nil || eblob == nil {
c.logger.Warn("failed to encrypt using new seal", "error", err)
return err
}

decrypted, err := c.migrationInfo.seal.GetAccess().Wrapper.Decrypt(ctx, eblob, nil)
// Swallowing the error here since migration might have been complete and that
// migration seal might have become invalid due to valid reasons. We only care
// if migration seal is still around and if it the same as the new seal.
if err != nil {
c.logger.Warn("failed to decrypt using migration seal", "error", err)
}

if bytes.Compare(plaintext, decrypted) == 0 {
c.logger.Info("migration is already performed since existing and destination seals are same")
goto DONE
}
}
}
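Review bot: in the `existBarrierSealConfig.Type == c.seal.BarrierType()` case of `migrateSeal`, `if err != nil || eblob == nil` returns `err`, which is nil when `Encrypt` yields a nil blob without an error, so the function reports success having neither detected nor performed the migration, and the warning logs a nil error. Return an explicit error for the nil-blob case. In the same case, `plaintext` is declared but `Encrypt` is given a second `[]byte("foo")` literal; pass `plaintext` so the encrypted and compared values cannot drift apart, and prefer `bytes.Equal(plaintext, decrypted)` over `bytes.Compare(...) == 0`. The first case treats any stored type other than the source seal's as proof that migration is done without checking that it equals `c.seal.BarrierType()`; a stored type matching neither seal would skip migration silently, so consider returning an error there. The comment "if it the same as the new seal" is missing "is".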
