Add some more test structure and update test

api/sys_rekey_ext_test.go

@@ -1,6 +1,7 @@
 package api_test
 
 import (
+	"strings"
 	"testing"
 
 	"github.com/hashicorp/vault/api"
@@ -17,20 +18,40 @@ func TestSysRekey_Verification(t *testing.T) {
 
 	vault.TestWaitActive(t, cluster.Cores[0].Core)
 	client := cluster.Cores[0].Client
+	client.SetMaxRetries(0)
 
+	// This first block verifies that if we are using recovery keys to force a
+	// rekey of a stored-shares barrier that verification is not allowed since
+	// the keys aren't returned
 	vault.DefaultSealPretendsToAllowRecoveryKeys = true
 	vault.DefaultSealPretendsToAllowStoredShares = true
+	vault.DefaultSealPretendRecoveryConfig = &vault.SealConfig{}
 	status, err := client.Sys().RekeyInit(&api.RekeyInitRequest{
 		StoredShares:        1,
 		RequireVerification: true,
 	})
+	if err == nil {
+		t.Fatal("expected error")
+	}
+	if !strings.Contains(err.Error(), "requiring verification not supported") {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	// Now we set things back and start a normal rekey with the verification process
+	vault.DefaultSealPretendsToAllowRecoveryKeys = false
+	vault.DefaultSealPretendsToAllowStoredShares = false
+	vault.DefaultSealPretendRecoveryConfig = nil
+	status, err = client.Sys().RekeyInit(&api.RekeyInitRequest{
+		SecretShares:        5,
+		SecretThreshold:     3,
+		RequireVerification: true,
+	})
 	if err != nil {
 		t.Fatal(err)
 	}
 	if status == nil {
-		t.Fatal("empty status")
+		t.Fatal("nil status")
 	}
-
 	/*
 		cluster.EnsureCoresSealed(t)
 		cluster.UnsealCores(t)

vault/rekey.go

@@ -181,12 +181,12 @@ func (c *Core) BarrierRekeyInit(config *SealConfig) logical.HTTPCodedError {
 		if config.Backup {
 			return logical.CodedError(http.StatusBadRequest, "key backup not supported when using stored keys")
 		}
-	}
 
-	if c.seal.RecoveryKeySupported() && c.seal.RecoveryType() == config.Type {
-		c.logger.Debug("using recovery seal configuration to rekey barrier key")
-		if config.VerificationRequired {
-			return logical.CodedError(http.StatusBadRequest, "requiring verification not supported when rekeying the barrier key with recovery keys")
+		if c.seal.RecoveryKeySupported() {
+			if config.VerificationRequired {
+				return logical.CodedError(http.StatusBadRequest, "requiring verification not supported when rekeying the barrier key with recovery keys")
+			}
+			c.logger.Debug("using recovery seal configuration to rekey barrier key")
 		}
 	}
 

vault/seal.go

@@ -89,6 +89,7 @@ type Seal interface {
 var (
 	DefaultSealPretendsToAllowRecoveryKeys bool
 	DefaultSealPretendsToAllowStoredShares bool
+	DefaultSealPretendRecoveryConfig       *SealConfig
 )
 
 type defaultSeal struct {
@@ -228,10 +229,16 @@ func (d *defaultSeal) SetBarrierConfig(ctx context.Context, config *SealConfig)
 }
 
 func (d *defaultSeal) RecoveryType() string {
+	if DefaultSealPretendRecoveryConfig != nil {
+		return RecoveryTypeShamir
+	}
 	return RecoveryTypeUnsupported
 }
 
 func (d *defaultSeal) RecoveryConfig(ctx context.Context) (*SealConfig, error) {
+	if DefaultSealPretendRecoveryConfig != nil {
+		return DefaultSealPretendRecoveryConfig, nil
+	}
 	return nil, fmt.Errorf("recovery not supported")
 }