properly unlock policy when returning key setting errors (#2974)

hashicorp · Jul 5, 2017 · c6f9dbd · c6f9dbd
1 parent c682065
commit c6f9dbd
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/helper/keysutil/lock_manager.go b/helper/keysutil/lock_manager.go
@@ -243,20 +243,24 @@ func (lm *LockManager) getPolicyCommon(req PolicyRequest, lockType bool) (*Polic
 		switch req.KeyType {
 		case KeyType_AES256_GCM96:
 			if req.Convergent && !req.Derived {
+				lm.UnlockPolicy(lock, lockType)
 				return nil, nil, false, fmt.Errorf("convergent encryption requires derivation to be enabled")
 			}
 
 		case KeyType_ECDSA_P256:
 			if req.Derived || req.Convergent {
-				return nil, nil, false, fmt.Errorf("key derivation and convergent encryption not supported for keys of type %v", KeyType_ECDSA_P256)
+				lm.UnlockPolicy(lock, lockType)
+				return nil, nil, false, fmt.Errorf("key derivation and convergent encryption not supported for keys of type %v", req.KeyType)
 			}
 
 		case KeyType_ED25519:
 			if req.Convergent {
-				return nil, nil, false, fmt.Errorf("convergent encryption not not supported for keys of type %v", KeyType_ED25519)
+				lm.UnlockPolicy(lock, lockType)
+				return nil, nil, false, fmt.Errorf("convergent encryption not not supported for keys of type %v", req.KeyType)
 			}
 
 		default:
+			lm.UnlockPolicy(lock, lockType)
 			return nil, nil, false, fmt.Errorf("unsupported key type %v", req.KeyType)
 		}