check for primary key revocation on startup

johnstcn · johnstcn · commit feae634540d7 · 2023-09-05T14:10:17.000Z
diff --git a/enterprise/dbcrypt/dbcrypt.go b/enterprise/dbcrypt/dbcrypt.go
@@ -343,16 +343,26 @@ func (db *dbCrypt) ensureEncrypted(ctx context.Context) error {
 		}
 
 		var highestNumber int32
+		var activeCipherFound bool
 		for _, k := range ks {
+			// If our primary key has been revoked, then we can't do anything.
+			if k.RevokedKeyDigest.Valid && k.RevokedKeyDigest.String == db.primaryCipherDigest {
+				return xerrors.Errorf("primary encryption key %q has been revoked", db.primaryCipherDigest)
+			}
+
 			if k.ActiveKeyDigest.Valid && k.ActiveKeyDigest.String == db.primaryCipherDigest {
-				// This is our currently active key. We don't need to do anything further.
-				return nil
+				activeCipherFound = true
 			}
+
 			if k.Number > highestNumber {
 				highestNumber = k.Number
 			}
 		}
 
+		if activeCipherFound {
+			return nil
+		}
+
 		// If we get here, then we have a new key that we need to insert.
 		// If this conflicts with another transaction, we do not need to retry as
 		// the other transaction will have inserted the key for us.
diff --git a/enterprise/dbcrypt/dbcrypt_internal_test.go b/enterprise/dbcrypt/dbcrypt_internal_test.go
@@ -446,6 +446,30 @@ func TestNew(t *testing.T) {
 		require.NoError(t, err, "no error should be returned")
 		require.Empty(t, keys, "no keys should be present")
 	})
+
+	t.Run("PrimaryRevoked", func(t *testing.T) {
+		t.Parallel()
+		// Given: a cipher is loaded
+		cipher := initCipher(t)
+		ctx, cancel := context.WithCancel(context.Background())
+		t.Cleanup(cancel)
+		rawDB, _ := dbtestutil.NewDB(t)
+
+		// And: the cipher is revoked before we init the crypt db
+		err := rawDB.InsertDBCryptKey(ctx, database.InsertDBCryptKeyParams{
+			Number:          1,
+			ActiveKeyDigest: cipher.HexDigest(),
+			Test:            fakeBase64RandomData(t, 32),
+		})
+		require.NoError(t, err, "no error should be returned")
+		err = rawDB.RevokeDBCryptKey(ctx, cipher.HexDigest())
+		require.NoError(t, err, "no error should be returned")
+
+		// Then: when we init the crypt db, we error because the key is revoked
+		_, err = New(ctx, rawDB, cipher)
+		require.Error(t, err)
+		require.ErrorContains(t, err, "has been revoked")
+	})
 }
 
 func requireEncryptedEquals(t *testing.T, c Cipher, value, expected string) {
