Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Abstract generate-root authentication into the strategy interface #7698

Merged
merged 3 commits into from
Oct 23, 2019
Merged

Abstract generate-root authentication into the strategy interface #7698

merged 3 commits into from
Oct 23, 2019

Conversation

vishalnayak
Copy link
Member

No description provided.

@vishalnayak vishalnayak added this to the 1.3 milestone Oct 18, 2019
briankassouf
briankassouf reviewed Oct 18, 2019
View reviewed changes
vault/generate_root_recovery.go Outdated
return errors.New("recovery key verified but stored keys unsupported")
}

masterKeyShares, err := c.seal.GetStoredKeys(ctx)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs to support the new shamir as kek changes. Maybe @ncabatoff can help?

vault/generate_root.go Show resolved Hide resolved
briankassouf
briankassouf reviewed Oct 18, 2019
View reviewed changes
vault/core.go Show resolved Hide resolved
vault/generate_root_recovery.go
@@ -19,6 +19,25 @@ type generateRecoveryToken struct {
token *atomic.String
}

func (g *generateRecoveryToken) authenticate(ctx context.Context, c *Core, combinedKey []byte) error {
key, err := c.unsealKeyToMasterKey(ctx, combinedKey)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If an old style shamir is in use wouldn't this return an error since VerifyMaster requires Vault to already be unsealed?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ooh, good point.

@ncabatoff
Don't try to verify the master key when we might still be sealed (in
b563b5d 
recovery mode).  Instead, verify it in the authenticate methods.
briankassouf
briankassouf approved these changes Oct 23, 2019
View reviewed changes
Copy link
Member

@briankassouf briankassouf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Thanks for doing this refactor

@briankassouf briankassouf merged commit fe8cfc1 into master Oct 23, 2019
@briankassouf briankassouf deleted the generate-root-strategy branch October 23, 2019 16:52
ncabatoff added a commit that referenced this pull request Oct 24, 2019
@ncabatoff
Fix a regression introduced in #7698 that breaks root token generation.
bc503a7
ncabatoff added a commit that referenced this pull request Oct 24, 2019
@ncabatoff
Fix a regression introduced in #7698 that breaks root token generatio…
87207df 
…n. (#7727)
catsby added a commit that referenced this pull request Oct 24, 2019
@catsby
Merge branch 'master' into f-template-followups
d5ce465 
* master:
  changelog++
  Update CHANGELOG.md
  Abstract generate-root authentication into the strategy interface (#7698)
  Changelog: clarify enterprise seal migration fix
  changelog++
  Update transit docs to add aes128/p384/p521 information (#7718)
  Show versions that are active when delete_version_after is configured (#7685)
  changelog++
  agent: fix data race on inmemSink's token (#7707)
  Use docker instead of an external LDAP server that sometimes goes down (#7522)
  changelog++
  Fix a nil map pointer in mergeEntity. (#7711)
  changelog++
  TestSysRekey_Verification would fail sometimes when recovery=true (#7710)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@briankassouf briankassouf briankassouf approved these changes

@ncabatoff ncabatoff Awaiting requested review from ncabatoff

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.3
Development

Successfully merging this pull request may close these issues.
3 participants
@vishalnayak @briankassouf @ncabatoff