From 8a131ef4f7733a99f142b74da61d77573f85c438 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Sat, 11 Jun 2022 16:13:15 -0400
Subject: [PATCH] Fix missing guardrail for worker kms auth population (#2172)

* Fix missing guardrail for worker kms auth population
---
internal/cmd/commands/server/server.go | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/internal/cmd/commands/server/server.go b/internal/cmd/commands/server/server.go
index d70b72a4f1..0f5e214514 100644
--- a/internal/cmd/commands/server/server.go
+++ b/internal/cmd/commands/server/server.go
@@ -178,6 +178,8 @@ func (c *Command) Run(args []string) int {
 base.StartMemProfiler(c.Context)
+ // Note: the checks directly after this must remain where they are because
+ // they rely on the state of configured KMSes.
 if err := c.SetupKMSes(c.Context, c.UI, c.Config); err != nil {
 c.UI.Error(err.Error())
 return base.CommandUserError
@@ -188,6 +190,20 @@ func (c *Command) Run(args []string) int {
 return base.CommandUserError
 }
 }
+ if c.Config.Worker != nil {
+ switch c.WorkerAuthKms {
+ case nil:
+ if c.Config.Worker.AuthStoragePath == "" {
+ c.UI.Error("No worker auth KMS specified and no worker auth storage path specified.")
+ return base.CommandUserError
+ }
+ default:
+ if c.Config.Worker.Name == "" {
+ c.UI.Error("Worker is using KMS auth but has no name set. It must be the unique name of this instance.")
+ return base.CommandUserError
+ }
+ }
+ }
 if c.Config.DefaultMaxRequestDuration != 0 {
 globals.DefaultMaxRequestDuration = c.Config.DefaultMaxRequestDuration
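Review bot: The added comment refers to "the checks directly after this" without naming them, while the check that depends most directly on KMS state, the `c.WorkerAuthKms` switch added in the next hunk, sits further down after another block. Since the bug being fixed was an ordering one, the comment should name what it protects, for example `// The worker auth check below reads c.WorkerAuthKms and must stay after SetupKMSes.` This assumes SetupKMSes is where `c.WorkerAuthKms` gets set, which the hunk does not show. `Run` starts and continues outside the hunk.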
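Review bot: The `switch c.WorkerAuthKms` with `case nil`/`default` picks the worker's authentication mode purely on whether the field is nil, so a config that sets both a worker-auth KMS and `AuthStoragePath` is accepted with no indication of which mechanism will be used. Whether that combination is meant to be valid is not visible in this hunk. If it is not, the `default` arm should reject it; either way a short comment stating the rule would help, e.g. `// No worker-auth KMS: an auth storage path is required. With a KMS: a unique worker name is required.` A two-armed switch on nil also reads more plainly as `if c.WorkerAuthKms == nil { ... } else { ... }`. The diffstat shows only this file changed, so neither arm is covered by a test in this commit; a case that starts a worker with only a KMS configured would pin the ordering fix.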
@@ -547,16 +563,6 @@ func (c *Command) ParseFlagsAndConfig(args []string) int {
 c.UI.Error("Controller has no name set. It must be the unique name of this instance.")
 return base.CommandUserError
 }
- if c.Config.Worker != nil {
- if c.Config.Worker.Name == "" {
- c.UI.Error("Worker has no name set. It must be the unique name of this instance.")
- return base.CommandUserError
- }
- if c.Config.Worker.AuthStoragePath == "" {
- c.UI.Error("No worker auth KMS specified and no worker auth storage path specified.")
- return base.CommandUserError
- }
- }
 return base.CommandSuccess
 }