From 770d902f601a6ba318bec4fa72e5bc7f33305b9e Mon Sep 17 00:00:00 2001
From: Victor Rodriguez
Date: Wed, 9 Oct 2024 10:04:50 -0400
Subject: [PATCH] Use stored seal generation info for response to sys/seal-backend-status (#28631)

Use stored seal generation info for response to sys/seal-backend-status.
---
 changelog/28631.txt | 3 +++
 vault/logical_system.go | 11 ++++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 changelog/28631.txt

diff --git a/changelog/28631.txt b/changelog/28631.txt
new file mode 100644
index 0000000000..a4857ea112
--- /dev/null
+++ b/changelog/28631.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core/seal: Fix an issue that could cause reading from sys/seal-backend-status to return stale information.
+```
diff --git a/vault/logical_system.go b/vault/logical_system.go
index 2fcfcc788f..f57c239d8b 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -5642,7 +5642,16 @@ func (c *Core) GetSealBackendStatus(ctx context.Context) (*SealBackendStatusResp
 if err != nil {
 return nil, fmt.Errorf("could not list partially seal wrapped values: %w", err)
 }
- genInfo := c.seal.GetAccess().GetSealGenerationInfo()
+ // When multi-seal is enabled, use the stored seal generation information. Note that the in-memory
+ // value may not be up-to-date on non-active nodes.
+ genInfo, err := PhysicalSealGenInfo(ctx, c.physical)
+ if err != nil {
+ return nil, fmt.Errorf("could not read seal generation information: %w", err)
+ }
+ if genInfo == nil {
+ // Multi-seal is not enabled, use the in-memory value.
+ genInfo = c.seal.GetAccess().GetSealGenerationInfo()
+ }
 r.FullyWrapped = genInfo.IsRewrapped() && len(pps) == 0
 return &r, nil
 }
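Review bot: The `if genInfo == nil` fallback in GetSealBackendStatus takes a missing stored entry as proof that multi-seal is disabled, but nothing in the hunk checks the multi-seal setting itself, so a node whose stored value is absent for any other reason would presumably report `FullyWrapped` from the in-memory value that the new comment describes as possibly out of date. Because `FullyWrapped` appears to tell operators whether all values have been rewrapped under the current seal generation, the nil contract should be stated at the branch, for example `// PhysicalSealGenInfo returns (nil, nil) only when no generation info has been stored, i.e. multi-seal is off.`, if that is in fact its contract. The fallback result is then dereferenced by `genInfo.IsRewrapped()` with no nil check; unless that method tolerates a nil receiver (not visible here), a guard after the fallback such as `if genInfo == nil { return nil, fmt.Errorf("seal generation information unavailable") }` would return an error instead of panicking in the status handler. The function body begins above the hunk, so the earlier handling of `err` and `pps` was not reviewed.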