backport of commit 770d902

hashicorp · Oct 9, 2024 · ef3980e · ef3980e
1 parent 2790e06
commit ef3980e
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/changelog/28631.txt b/changelog/28631.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core/seal: Fix an issue that could cause reading from sys/seal-backend-status to return stale information.
+```
diff --git a/vault/logical_system.go b/vault/logical_system.go
@@ -5641,7 +5641,16 @@ func (c *Core) GetSealBackendStatus(ctx context.Context) (*SealBackendStatusResp
 	if err != nil {
 		return nil, fmt.Errorf("could not list partially seal wrapped values: %w", err)
 	}
-	genInfo := c.seal.GetAccess().GetSealGenerationInfo()
+	// When multi-seal is enabled, use the stored seal generation information. Note that the in-memory
+	// value may not be up-to-date on non-active nodes.
+	genInfo, err := PhysicalSealGenInfo(ctx, c.physical)
+	if err != nil {
+		return nil, fmt.Errorf("could not read seal generation information: %w", err)
+	}
+	if genInfo == nil {
+		// Multi-seal is not enabled, use the in-memory value.
+		genInfo = c.seal.GetAccess().GetSealGenerationInfo()
+	}
 	r.FullyWrapped = genInfo.IsRewrapped() && len(pps) == 0
 	return &r, nil
 }