feat(sys/seal-status): send both barrier and recovery seal types (#1638)

* feat(sys/seal-status): send both barrier and recovery seal types

Signed-off-by: Pascal Reeb <pascal.reeb@secretz.io>

* chore: add changelog

Signed-off-by: Pascal Reeb <pascal.reeb@secretz.io>

* fix: typo

Signed-off-by: Pascal Reeb <pascal.reeb@secretz.io>

* chore: update test

Signed-off-by: Pascal Reeb <pascal.reeb@secretz.io>

* chore: add feedback from satoqz

Signed-off-by: Pascal Reeb <pascal.reeb@secretz.io>

---------

Signed-off-by: Pascal Reeb <pascal.reeb@secretz.io>

Author: pree

api/sys_seal.go

@@ -96,21 +96,22 @@ func sealStatusRequestWithContext(ctx context.Context, c *Sys, r *Request) (*Sea
 }
 
 type SealStatusResponse struct {
-	Type         string   `json:"type"`
-	Initialized  bool     `json:"initialized"`
-	Sealed       bool     `json:"sealed"`
-	T            int      `json:"t"`
-	N            int      `json:"n"`
-	Progress     int      `json:"progress"`
-	Nonce        string   `json:"nonce"`
-	Version      string   `json:"version"`
-	BuildDate    string   `json:"build_date"`
-	Migration    bool     `json:"migration"`
-	ClusterName  string   `json:"cluster_name,omitempty"`
-	ClusterID    string   `json:"cluster_id,omitempty"`
-	RecoverySeal bool     `json:"recovery_seal"`
-	StorageType  string   `json:"storage_type,omitempty"`
-	Warnings     []string `json:"warnings,omitempty"`
+	Type             string   `json:"type"`
+	Initialized      bool     `json:"initialized"`
+	Sealed           bool     `json:"sealed"`
+	T                int      `json:"t"`
+	N                int      `json:"n"`
+	Progress         int      `json:"progress"`
+	Nonce            string   `json:"nonce"`
+	Version          string   `json:"version"`
+	BuildDate        string   `json:"build_date"`
+	Migration        bool     `json:"migration"`
+	ClusterName      string   `json:"cluster_name,omitempty"`
+	ClusterID        string   `json:"cluster_id,omitempty"`
+	RecoverySeal     bool     `json:"recovery_seal"`
+	RecoverySealType string   `json:"recovery_seal_type,omitempty"`
+	StorageType      string   `json:"storage_type,omitempty"`
+	Warnings         []string `json:"warnings,omitempty"`
 }
 
 type UnsealOpts struct {

changelog/1638.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+core: sys/seal-status: endpoint now always returns the barrier seal type, explicitly adds recovery seal type
+```

command/format.go

@@ -290,13 +290,16 @@ func (t TableFormatter) Output(ui cli.Ui, secret *api.Secret, data interface{})
 func (t TableFormatter) OutputSealStatusStruct(ui cli.Ui, secret *api.Secret, data interface{}) error {
 	var status SealStatusOutput = data.(SealStatusOutput)
 	var sealPrefix string
+
+	out := []string{}
+	out = append(out, "Key | Value")
+	out = append(out, fmt.Sprintf("Seal Type | %s", status.Type))
+
 	if status.RecoverySeal {
 		sealPrefix = "Recovery "
+		out = append(out, fmt.Sprintf("Recovery Seal Type | %s", status.RecoverySealType))
 	}
 
-	out := []string{}
-	out = append(out, "Key | Value")
-	out = append(out, fmt.Sprintf("%sSeal Type | %s", sealPrefix, status.Type))
 	out = append(out, fmt.Sprintf("Initialized | %t", status.Initialized))
 	out = append(out, fmt.Sprintf("Sealed | %t", status.Sealed))
 	out = append(out, fmt.Sprintf("Total %sShares | %d", sealPrefix, status.N))

command/format_test.go

@@ -108,6 +108,7 @@ func TestStatusFormat(t *testing.T) {
 
 	expectedOutputString := `Key                           Value
 ---                           -----
+Seal Type                     type
 Recovery Seal Type            type
 Initialized                   true
 Sealed                        true
@@ -140,6 +141,7 @@ Warnings                      [warning]`
 
 	expectedOutputString = `Key                           Value
 ---                           -----
+Seal Type                     type
 Recovery Seal Type            type
 Initialized                   true
 Sealed                        true
@@ -167,21 +169,22 @@ func getMockStatusData(emptyFields bool) SealStatusOutput {
 	var sealStatusResponseMock api.SealStatusResponse
 	if !emptyFields {
 		sealStatusResponseMock = api.SealStatusResponse{
-			Type:         "type",
-			Initialized:  true,
-			Sealed:       true,
-			T:            1,
-			N:            2,
-			Progress:     3,
-			Nonce:        "nonce",
-			Version:      "version",
-			BuildDate:    "build date",
-			Migration:    true,
-			ClusterName:  "cluster name",
-			ClusterID:    "cluster id",
-			RecoverySeal: true,
-			StorageType:  "storage type",
-			Warnings:     []string{"warning"},
+			Type:             "type",
+			RecoverySealType: "type",
+			Initialized:      true,
+			Sealed:           true,
+			T:                1,
+			N:                2,
+			Progress:         3,
+			Nonce:            "nonce",
+			Version:          "version",
+			BuildDate:        "build date",
+			Migration:        true,
+			ClusterName:      "cluster name",
+			ClusterID:        "cluster id",
+			RecoverySeal:     true,
+			StorageType:      "storage type",
+			Warnings:         []string{"warning"},
 		}
 
 		// must initialize this struct without explicit field names due to embedding
@@ -200,20 +203,21 @@ func getMockStatusData(emptyFields bool) SealStatusOutput {
 		}
 	} else {
 		sealStatusResponseMock = api.SealStatusResponse{
-			Type:         "type",
-			Initialized:  true,
-			Sealed:       true,
-			T:            1,
-			N:            2,
-			Progress:     3,
-			Nonce:        "nonce",
-			Version:      "version",
-			BuildDate:    "build date",
-			Migration:    true,
-			ClusterName:  "",
-			ClusterID:    "",
-			RecoverySeal: true,
-			StorageType:  "",
+			Type:             "type",
+			RecoverySealType: "type",
+			Initialized:      true,
+			Sealed:           true,
+			T:                1,
+			N:                2,
+			Progress:         3,
+			Nonce:            "nonce",
+			Version:          "version",
+			BuildDate:        "build date",
+			Migration:        true,
+			ClusterName:      "",
+			ClusterID:        "",
+			RecoverySeal:     true,
+			StorageType:      "",
 		}
 
 		// must initialize this struct without explicit field names due to embedding

vault/logical_system.go

@@ -4508,21 +4508,22 @@ func (b *SystemBackend) pathInternalOpenAPI(ctx context.Context, req *logical.Re
 }
 
 type SealStatusResponse struct {
-	Type         string   `json:"type"`
-	Initialized  bool     `json:"initialized"`
-	Sealed       bool     `json:"sealed"`
-	T            int      `json:"t"`
-	N            int      `json:"n"`
-	Progress     int      `json:"progress"`
-	Nonce        string   `json:"nonce"`
-	Version      string   `json:"version"`
-	BuildDate    string   `json:"build_date"`
-	Migration    bool     `json:"migration"`
-	ClusterName  string   `json:"cluster_name,omitempty"`
-	ClusterID    string   `json:"cluster_id,omitempty"`
-	RecoverySeal bool     `json:"recovery_seal"`
-	StorageType  string   `json:"storage_type,omitempty"`
-	Warnings     []string `json:"warnings,omitempty"`
+	Type             string   `json:"type"`
+	Initialized      bool     `json:"initialized"`
+	Sealed           bool     `json:"sealed"`
+	T                int      `json:"t"`
+	N                int      `json:"n"`
+	Progress         int      `json:"progress"`
+	Nonce            string   `json:"nonce"`
+	Version          string   `json:"version"`
+	BuildDate        string   `json:"build_date"`
+	Migration        bool     `json:"migration"`
+	ClusterName      string   `json:"cluster_name,omitempty"`
+	ClusterID        string   `json:"cluster_id,omitempty"`
+	RecoverySeal     bool     `json:"recovery_seal"`
+	RecoverySealType string   `json:"recovery_seal_type,omitempty"`
+	StorageType      string   `json:"storage_type,omitempty"`
+	Warnings         []string `json:"warnings,omitempty"`
 }
 
 func (core *Core) GetSealStatus(ctx context.Context, lock bool) (*SealStatusResponse, error) {
@@ -4534,8 +4535,10 @@ func (core *Core) GetSealStatus(ctx context.Context, lock bool) (*SealStatusResp
 	}
 
 	var sealConfig *SealConfig
+	var recoveryType string
 	if core.SealAccess().RecoveryKeySupported() {
 		sealConfig, err = core.SealAccess().RecoveryConfig(ctx)
+		recoveryType = core.SealAccess().RecoveryType()
 	} else {
 		sealConfig, err = core.SealAccess().BarrierConfig(ctx)
 	}
@@ -4545,13 +4548,14 @@ func (core *Core) GetSealStatus(ctx context.Context, lock bool) (*SealStatusResp
 
 	if sealConfig == nil {
 		s := &SealStatusResponse{
-			Type:         core.SealAccess().BarrierType().String(),
-			Initialized:  initialized,
-			Sealed:       true,
-			RecoverySeal: core.SealAccess().RecoveryKeySupported(),
-			StorageType:  core.StorageType(),
-			Version:      version.GetVersion().VersionNumber(),
-			BuildDate:    version.BuildDate,
+			Type:             core.SealAccess().BarrierType().String(),
+			Initialized:      initialized,
+			Sealed:           true,
+			RecoverySeal:     core.SealAccess().RecoveryKeySupported(),
+			RecoverySealType: recoveryType,
+			StorageType:      core.StorageType(),
+			Version:          version.GetVersion().VersionNumber(),
+			BuildDate:        version.BuildDate,
 		}
 
 		return s, nil
@@ -4574,20 +4578,21 @@ func (core *Core) GetSealStatus(ctx context.Context, lock bool) (*SealStatusResp
 	progress, nonce := core.SecretProgress(lock)
 
 	s := &SealStatusResponse{
-		Type:         sealConfig.Type,
-		Initialized:  initialized,
-		Sealed:       sealed,
-		T:            sealConfig.SecretThreshold,
-		N:            sealConfig.SecretShares,
-		Progress:     progress,
-		Nonce:        nonce,
-		Version:      version.GetVersion().VersionNumber(),
-		BuildDate:    version.BuildDate,
-		Migration:    core.IsInSealMigrationMode(lock) && !core.IsSealMigrated(lock),
-		ClusterName:  clusterName,
-		ClusterID:    clusterID,
-		RecoverySeal: core.SealAccess().RecoveryKeySupported(),
-		StorageType:  core.StorageType(),
+		Type:             core.SealAccess().BarrierType().String(),
+		Initialized:      initialized,
+		Sealed:           sealed,
+		T:                sealConfig.SecretThreshold,
+		N:                sealConfig.SecretShares,
+		Progress:         progress,
+		Nonce:            nonce,
+		Version:          version.GetVersion().VersionNumber(),
+		BuildDate:        version.BuildDate,
+		Migration:        core.IsInSealMigrationMode(lock) && !core.IsSealMigrated(lock),
+		ClusterName:      clusterName,
+		ClusterID:        clusterID,
+		RecoverySeal:     core.SealAccess().RecoveryKeySupported(),
+		RecoverySealType: recoveryType,
+		StorageType:      core.StorageType(),
 	}
 
 	return s, nil

vault/seal_access.go

@@ -38,6 +38,10 @@ func (s *SealAccess) RecoveryKeySupported() bool {
 	return s.seal.RecoveryKeySupported()
 }
 
+func (s *SealAccess) RecoveryType() string {
+	return s.seal.RecoveryType()
+}
+
 func (s *SealAccess) RecoveryConfig(ctx context.Context) (*SealConfig, error) {
 	return s.seal.RecoveryConfig(ctx)
 }