-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Abstract generate-root authentication into the strategy interface #7698
Conversation
vault/generate_root_recovery.go
Outdated
return errors.New("recovery key verified but stored keys unsupported") | ||
} | ||
|
||
masterKeyShares, err := c.seal.GetStoredKeys(ctx) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This needs to support the new shamir as kek changes. Maybe @ncabatoff can help?
98d960b
to
fed7bcf
Compare
* Adapt to new shamir-as-kek reality.
2811dd7
to
f061112
Compare
@@ -19,6 +19,25 @@ type generateRecoveryToken struct { | |||
token *atomic.String | |||
} | |||
|
|||
func (g *generateRecoveryToken) authenticate(ctx context.Context, c *Core, combinedKey []byte) error { | |||
key, err := c.unsealKeyToMasterKey(ctx, combinedKey) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If an old style shamir is in use wouldn't this return an error since VerifyMaster
requires Vault to already be unsealed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ooh, good point.
recovery mode). Instead, verify it in the authenticate methods.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good! Thanks for doing this refactor
* master: changelog++ Update CHANGELOG.md Abstract generate-root authentication into the strategy interface (#7698) Changelog: clarify enterprise seal migration fix changelog++ Update transit docs to add aes128/p384/p521 information (#7718) Show versions that are active when delete_version_after is configured (#7685) changelog++ agent: fix data race on inmemSink's token (#7707) Use docker instead of an external LDAP server that sometimes goes down (#7522) changelog++ Fix a nil map pointer in mergeEntity. (#7711) changelog++ TestSysRekey_Verification would fail sometimes when recovery=true (#7710)
No description provided.