feat(vault): add recovery passphrase handling for bootstrap and unseal processes

2026-06-13 23:09:49 +02:00
parent 6017ef29ca
commit 9f9b6820c2
7 changed files with 125 additions and 8 deletions
--- a/server/crates/arbiter-server/src/db/schema.rs
+++ b/server/crates/arbiter-server/src/db/schema.rs
@@ -192,6 +192,17 @@ diesel::table! {
    }
 }

+diesel::table! {
+    recovery_operator (id) {
+        id -> Integer,
+        share -> Binary,
+        share_nonce -> Binary,
+        share_salt -> Binary,
+        created_at -> Integer,
+        updated_at -> Integer,
+    }
+}
+
 diesel::table! {
    recovery_operator_identity (id) {
        id -> Integer,
@@ -290,6 +301,7 @@ diesel::joinable!(proposal -> operator_identity (initiator_id));
 diesel::joinable!(proposal_result -> proposal (proposal_id));
 diesel::joinable!(proposal_vote -> proposal (proposal_id));
 diesel::joinable!(proposal_vote -> operator_identity (operator_id));
+diesel::joinable!(recovery_operator -> recovery_operator_identity (id));
 diesel::joinable!(recovery_proposal_vote -> proposal (proposal_id));
 diesel::joinable!(recovery_proposal_vote -> recovery_operator_identity (recovery_operator_id));
 diesel::joinable!(recovery_wakeup_request -> operator_identity (requested_by));
@@ -297,6 +309,7 @@ diesel::joinable!(recovery_wakeup_request -> operator_identity (requested_by));
 diesel::allow_tables_to_appear_in_same_query!(
    aead_encrypted,
    proposal_result,
+    recovery_operator,
    recovery_operator_identity,
    recovery_wakeup_request,
    recovery_proposal_vote,
--- a/server/crates/arbiter-server/src/grpc/operator/vault_gate/inbound.rs
+++ b/server/crates/arbiter-server/src/grpc/operator/vault_gate/inbound.rs
@@ -2,6 +2,7 @@ use crate::{
    grpc::{Convert, TryConvert},
    peers::operator::vault_gate::{
        self as vault_gate, HandleBootstrapEncryptedKey, HandleContributeBootstrapPassphrase,
+        HandleContributeRecoveryBootstrapPassphrase, HandleContributeRecoveryUnsealPassphrase,
        HandleContributeUnsealPassphrase, HandleDeclareCommittee, HandleHandshake,
        HandleUnsealEncryptedKey,
    },
@@ -82,6 +83,14 @@ impl TryConvert for UnsealRequestPayload {
                    },
                ),
            ),
+            Self::ContributeRecoveryPassphrase(crp) => Ok(
+                vault_gate::Inbound::HandleContributeRecoveryUnsealPassphrase(
+                    HandleContributeRecoveryUnsealPassphrase {
+                        recovery_operator_id: crp.recovery_operator_id,
+                        passphrase: crp.passphrase,
+                    },
+                ),
+            ),
        }
    }
 }
@@ -142,6 +151,14 @@ impl TryConvert for BootstrapRequestPayload {
                    },
                ),
            ),
+            Self::ContributeRecoveryPassphrase(crp) => Ok(
+                vault_gate::Inbound::HandleContributeRecoveryBootstrapPassphrase(
+                    HandleContributeRecoveryBootstrapPassphrase {
+                        recovery_operator_id: crp.recovery_operator_id,
+                        passphrase: crp.passphrase,
+                    },
+                ),
+            ),
        }
    }
 }
--- a/server/crates/arbiter-server/src/grpc/operator/vault_gate/outbound.rs
+++ b/server/crates/arbiter-server/src/grpc/operator/vault_gate/outbound.rs
@@ -131,6 +131,19 @@ impl TryConvert for vault_gate::Outbound {
                };
                Ok(wrap_bootstrap_response(proto_result))
            }
+            Self::HandleContributeRecoveryBootstrapPassphrase(result) => {
+                let proto_result = match result {
+                    Ok(true) => ProtoBootstrapResult::Success,
+                    Ok(false) => ProtoBootstrapResult::AwaitingContributions,
+                    Err(err) => {
+                        warn!(?err, "contribute recovery bootstrap passphrase failed");
+                        return Err(Status::internal(
+                            "Failed to contribute recovery bootstrap passphrase",
+                        ));
+                    }
+                };
+                Ok(wrap_bootstrap_response(proto_result))
+            }
            Self::HandleContributeUnsealPassphrase(result) => {
                let proto_result = match result {
                    Ok(true) => ProtoUnsealResult::Success,
@@ -144,6 +157,21 @@ impl TryConvert for vault_gate::Outbound {
                    proto_result.into(),
                )))
            }
+            Self::HandleContributeRecoveryUnsealPassphrase(result) => {
+                let proto_result = match result {
+                    Ok(true) => ProtoUnsealResult::Success,
+                    Ok(false) => ProtoUnsealResult::AwaitingContributions,
+                    Err(err) => {
+                        warn!(?err, "contribute recovery unseal passphrase failed");
+                        return Err(Status::internal(
+                            "Failed to contribute recovery unseal passphrase",
+                        ));
+                    }
+                };
+                Ok(wrap_unseal_response(UnsealResponsePayload::Result(
+                    proto_result.into(),
+                )))
+            }
        }
    }
 }
--- a/server/crates/arbiter-server/src/peers/operator/vault_gate/mod.rs
+++ b/server/crates/arbiter-server/src/peers/operator/vault_gate/mod.rs
@@ -3,7 +3,10 @@ use crate::{
    actors::{
        GlobalActors,
        vault::{self, Bootstrap, GetState, TryUnseal, VaultState, events},
-        vault_coordinator::{ContributeBootstrap, ContributeUnseal, StartBootstrap},
+        vault_coordinator::{
+            ContributeBootstrap, ContributeRecoveryBootstrap, ContributeRecoveryUnseal,
+            ContributeUnseal, StartBootstrap,
+        },
    },
    crypto::{KeyCell, integrity::{self}},
    db::DatabasePool,
@@ -266,6 +269,23 @@ impl VaultGate {
            .map_err(|_| Error::internal("VaultCoordinator unavailable"))
    }

+    #[message]
+    pub async fn handle_contribute_recovery_bootstrap_passphrase(
+        &mut self,
+        recovery_operator_id: i32,
+        passphrase: Vec<u8>,
+    ) -> Result<bool, Error> {
+        let passphrase_cell = SafeCell::new(passphrase);
+        self.actors
+            .vault_coordinator
+            .ask(ContributeRecoveryBootstrap {
+                recovery_operator_id,
+                passphrase: passphrase_cell,
+            })
+            .await
+            .map_err(|_| Error::internal("VaultCoordinator unavailable"))
+    }
+
    #[message]
    pub async fn handle_contribute_unseal_passphrase(
        &mut self,
@@ -281,6 +301,23 @@ impl VaultGate {
            .await
            .map_err(|_| Error::internal("VaultCoordinator unavailable"))
    }
+
+    #[message]
+    pub async fn handle_contribute_recovery_unseal_passphrase(
+        &mut self,
+        recovery_operator_id: i32,
+        passphrase: Vec<u8>,
+    ) -> Result<bool, Error> {
+        let passphrase_cell = SafeCell::new(passphrase);
+        self.actors
+            .vault_coordinator
+            .ask(ContributeRecoveryUnseal {
+                recovery_operator_id,
+                passphrase: passphrase_cell,
+            })
+            .await
+            .map_err(|_| Error::internal("VaultCoordinator unavailable"))
+    }
 }

 impl Message<events::Bootstrapped> for VaultGate {