Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Backport of UI cluster unseal bug into release/1.13.x #20909

Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions changelog/20897.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:bug
ui: Fixes issue unsealing cluster for seal types other than shamir
```
3 changes: 2 additions & 1 deletion ui/app/controllers/vault/cluster/init.js
Original file line number Diff line number Diff line change
Expand Up @@ -43,13 +43,15 @@ export default Controller.extend(DEFAULTS, {
if (isCloudSeal) {
data.stored_shares = 1;
data.recovery_shares = shares;
delete data.secret_shares; // API will throw an error if secret_shares is passed for seal types other than shamir (transit, AWSKMS etc.)
}
}
if (data.secret_threshold) {
const threshold = parseInt(data.secret_threshold, 10);
data.secret_threshold = threshold;
if (isCloudSeal) {
data.recovery_threshold = threshold;
delete data.secret_threshold; // API will throw an error if secret_threshold is passed for seal types other than shamir (transit, AWSKMS etc.)
}
}
if (!data.use_pgp) {
Expand All @@ -58,7 +60,6 @@ export default Controller.extend(DEFAULTS, {
if (data.use_pgp && isCloudSeal) {
data.recovery_pgp_keys = data.pgp_keys;
}

if (!data.use_pgp_for_root) {
delete data.root_token_pgp_key;
}
Expand Down
38 changes: 25 additions & 13 deletions ui/tests/acceptance/init-test.js
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,22 @@ const SEAL_STATUS_RESPONSE = {
initialized: false,
};

const assertRequest = (req, assert, isCloud) => {
const json = JSON.parse(req.requestBody);
for (const key of ['recovery_shares', 'recovery_threshold']) {
assert[isCloud ? 'ok' : 'notOk'](
json[key],
`requestBody ${isCloud ? 'includes' : 'does not include'} cloud seal specific attribute: ${key}`
);
}
for (const key of ['secret_shares', 'secret_threshold']) {
assert[isCloud ? 'notOk' : 'ok'](
json[key],
`requestBody ${isCloud ? 'does not include' : 'includes'} shamir specific attribute: ${key}`
);
}
};

module('Acceptance | init', function (hooks) {
setupApplicationTest(hooks);

Expand All @@ -85,36 +101,32 @@ module('Acceptance | init', function (hooks) {
});

test('cloud seal init', async function (assert) {
assert.expect(4);
assert.expect(6);

setInitResponse(this.server, CLOUD_SEAL_RESPONSE);
setStatusResponse(this.server, CLOUD_SEAL_STATUS_RESPONSE);

await initPage.init(5, 3);

assert.strictEqual(
initPage.keys.length,
CLOUD_SEAL_RESPONSE.recovery_keys.length,
'shows all of the recovery keys'
);
assert.strictEqual(initPage.buttonText, 'Continue to Authenticate', 'links to authenticate');
let { requestBody } = this.server.handledRequests.findBy('url', '/v1/sys/init');
requestBody = JSON.parse(requestBody);
for (const attr of ['recovery_shares', 'recovery_threshold']) {
assert.ok(requestBody[attr], `requestBody includes cloud seal specific attribute: ${attr}`);
}
assertRequest(this.server.handledRequests.findBy('url', '/v1/sys/init'), assert, true);
});

test('shamir seal init', async function (assert) {
assert.expect(4);
assert.expect(6);

setInitResponse(this.server, SEAL_RESPONSE);
setStatusResponse(this.server, SEAL_STATUS_RESPONSE);

await initPage.init(3, 2);

assert.strictEqual(initPage.keys.length, SEAL_RESPONSE.keys.length, 'shows all of the recovery keys');
assert.strictEqual(initPage.buttonText, 'Continue to Unseal', 'links to unseal');

let { requestBody } = this.server.handledRequests.findBy('url', '/v1/sys/init');
requestBody = JSON.parse(requestBody);
for (const attr of ['recovery_shares', 'recovery_threshold']) {
assert.notOk(requestBody[attr], `requestBody does not include cloud seal specific attribute: ${attr}`);
}
assertRequest(this.server.handledRequests.findBy('url', '/v1/sys/init'), assert, false);
});
});