From 31f399d14773d847b6b91a396eeeb28e7258c5e5 Mon Sep 17 00:00:00 2001
From: Scott Miller
Date: Wed, 29 Nov 2023 15:42:07 -0600
Subject: [PATCH] Re-wrap partial failure improvements, CE side (#24293)

* Re-wrap partial failure improvements, CE side
* Resolve import cycle
---
 vault/seal/seal_wrapper.go | 8 ++++++++
 vault/seal_util.go | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/vault/seal/seal_wrapper.go b/vault/seal/seal_wrapper.go
index 067a557f8058..421024c7e8a1 100644
--- a/vault/seal/seal_wrapper.go
+++ b/vault/seal/seal_wrapper.go
@@ -15,6 +15,14 @@ import (
 wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 )
 
+type PartialSealWrapError struct {
+ Err error
+}
+
+func (p *PartialSealWrapError) Error() string {
+ return p.Err.Error()
+}
+
 // SealWrapper contains a Wrapper and related information needed by the seal that uses it.
 // Use NewSealWrapper to construct new instances, do not do it directly.
 type SealWrapper struct {
diff --git a/vault/seal_util.go b/vault/seal_util.go
index 3435ba9c51b9..4ba94f6a98c6 100644
--- a/vault/seal_util.go
+++ b/vault/seal_util.go
@@ -23,7 +23,7 @@ type PartialWrapFailCallback func(context.Context, map[string]error) error
 // Helper function to use for partial wrap fail callbacks where we don't want to allow a partial failure. See
 // for example barrier or recovery key wrapping. Just don't allow for those risky scenarios
 var DisallowPartialSealWrap = func(ctx context.Context, errs map[string]error) error {
- return seal.JoinSealWrapErrors("not allowing operation to proceed without full wrapping involving all configured seals", errs)
+ return &seal.PartialSealWrapError{seal.JoinSealWrapErrors("not allowing operation to proceed without full wrapping involving all configured seals", errs)}
 }
 
 // SealWrapValue creates a SealWrappedValue wrapper with the entryValue being optionally encrypted with the give seal Access.
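Review bot: PartialSealWrapError wraps Err but defines no Unwrap method, so errors.Is and errors.As stop at the wrapper and callers can no longer match the error held inside it; adding `func (p *PartialSealWrapError) Unwrap() error { return p.Err }` keeps the chain inspectable. Error() also dereferences p.Err unconditionally, so a value constructed with a nil Err panics the first time it is logged or formatted; a nil guard in Error() would avoid that. The exported type and its Err field have no doc comment, and one stating when callers should expect this type (presumably when only some of the configured seals wrapped successfully) would make the intended errors.As check clear.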
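Review bot: The new return in DisallowPartialSealWrap builds `&seal.PartialSealWrapError{...}` with an unkeyed field for a struct from another package, which go vet's composites check reports and which changes meaning silently if a field is ever added ahead of Err; `&seal.PartialSealWrapError{Err: seal.JoinSealWrapErrors(...)}` is the safer form. The callback now always returns a non-nil error, even if JoinSealWrapErrors were to return nil for an empty map (its body is not visible in this diff). Failing closed fits the barrier and recovery key case named in the comment, but such a value would panic in Error(), so it is worth confirming JoinSealWrapErrors never returns nil or guarding for it here.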