2014-09-06 18:12:45 +00:00
|
|
|
package command
|
|
|
|
|
|
|
|
import (
|
|
|
|
"flag"
|
|
|
|
"fmt"
|
|
|
|
"strings"
|
2014-09-09 01:09:51 +00:00
|
|
|
|
2014-09-13 00:18:10 +00:00
|
|
|
"github.com/hashicorp/consul/command/agent"
|
2014-09-09 01:09:51 +00:00
|
|
|
"github.com/mitchellh/cli"
|
2014-09-06 18:12:45 +00:00
|
|
|
)
|
|
|
|
|
2014-09-13 03:08:54 +00:00
|
|
|
// KeyringCommand is a Command implementation that handles querying, installing,
|
2014-09-06 18:12:45 +00:00
|
|
|
// and removing gossip encryption keys from a keyring.
|
2014-09-13 03:08:54 +00:00
|
|
|
type KeyringCommand struct {
|
2014-09-06 18:12:45 +00:00
|
|
|
Ui cli.Ui
|
|
|
|
}
|
|
|
|
|
2014-09-13 03:08:54 +00:00
|
|
|
func (c *KeyringCommand) Run(args []string) int {
|
2014-10-03 05:05:00 +00:00
|
|
|
var installKey, useKey, removeKey string
|
2014-09-29 19:35:15 +00:00
|
|
|
var listKeys bool
|
2014-09-06 18:12:45 +00:00
|
|
|
|
|
|
|
cmdFlags := flag.NewFlagSet("keys", flag.ContinueOnError)
|
|
|
|
cmdFlags.Usage = func() { c.Ui.Output(c.Help()) }
|
|
|
|
|
|
|
|
cmdFlags.StringVar(&installKey, "install", "", "install key")
|
|
|
|
cmdFlags.StringVar(&useKey, "use", "", "use key")
|
|
|
|
cmdFlags.StringVar(&removeKey, "remove", "", "remove key")
|
|
|
|
cmdFlags.BoolVar(&listKeys, "list", false, "list keys")
|
|
|
|
|
|
|
|
rpcAddr := RPCAddrFlag(cmdFlags)
|
|
|
|
if err := cmdFlags.Parse(args); err != nil {
|
|
|
|
return 1
|
|
|
|
}
|
|
|
|
|
2014-09-09 05:27:17 +00:00
|
|
|
c.Ui = &cli.PrefixedUi{
|
|
|
|
OutputPrefix: "",
|
|
|
|
InfoPrefix: "==> ",
|
|
|
|
ErrorPrefix: "",
|
|
|
|
Ui: c.Ui,
|
|
|
|
}
|
|
|
|
|
2014-09-06 18:12:45 +00:00
|
|
|
// Only accept a single argument
|
|
|
|
found := listKeys
|
2014-10-03 05:05:00 +00:00
|
|
|
for _, arg := range []string{installKey, useKey, removeKey} {
|
2014-09-06 18:12:45 +00:00
|
|
|
if found && len(arg) > 0 {
|
2014-09-13 00:18:10 +00:00
|
|
|
c.Ui.Error("Only a single action is allowed")
|
2014-09-06 18:12:45 +00:00
|
|
|
return 1
|
|
|
|
}
|
|
|
|
found = found || len(arg) > 0
|
|
|
|
}
|
|
|
|
|
2014-09-09 04:45:15 +00:00
|
|
|
// Fail fast if no actionable args were passed
|
|
|
|
if !found {
|
|
|
|
c.Ui.Error(c.Help())
|
|
|
|
return 1
|
|
|
|
}
|
|
|
|
|
2014-09-13 00:18:10 +00:00
|
|
|
// All other operations will require a client connection
|
2014-09-09 04:45:15 +00:00
|
|
|
client, err := RPCClient(*rpcAddr)
|
|
|
|
if err != nil {
|
|
|
|
c.Ui.Error(fmt.Sprintf("Error connecting to Consul agent: %s", err))
|
|
|
|
return 1
|
|
|
|
}
|
|
|
|
defer client.Close()
|
|
|
|
|
2014-09-13 01:13:49 +00:00
|
|
|
if listKeys {
|
2014-09-29 22:49:47 +00:00
|
|
|
c.Ui.Info("Gathering installed encryption keys...")
|
2014-09-28 20:33:37 +00:00
|
|
|
r, err := client.ListKeys()
|
|
|
|
if err != nil {
|
|
|
|
c.Ui.Error(fmt.Sprintf("error: %s", err))
|
|
|
|
return 1
|
|
|
|
}
|
2014-09-30 22:31:07 +00:00
|
|
|
if rval := c.handleResponse(r.Info, r.Messages); rval != 0 {
|
2014-09-28 20:33:37 +00:00
|
|
|
return rval
|
|
|
|
}
|
2014-09-30 22:31:07 +00:00
|
|
|
c.handleList(r.Info, r.Keys)
|
2014-09-28 20:33:37 +00:00
|
|
|
return 0
|
2014-09-06 18:12:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if installKey != "" {
|
2014-09-24 23:39:14 +00:00
|
|
|
c.Ui.Info("Installing new gossip encryption key...")
|
2014-09-28 19:35:51 +00:00
|
|
|
r, err := client.InstallKey(installKey)
|
|
|
|
if err != nil {
|
|
|
|
c.Ui.Error(fmt.Sprintf("error: %s", err))
|
|
|
|
return 1
|
2014-09-09 06:25:38 +00:00
|
|
|
}
|
2014-09-30 22:31:07 +00:00
|
|
|
return c.handleResponse(r.Info, r.Messages)
|
2014-09-06 18:12:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if useKey != "" {
|
2014-09-24 23:39:14 +00:00
|
|
|
c.Ui.Info("Changing primary gossip encryption key...")
|
2014-09-28 19:35:51 +00:00
|
|
|
r, err := client.UseKey(useKey)
|
|
|
|
if err != nil {
|
|
|
|
c.Ui.Error(fmt.Sprintf("error: %s", err))
|
|
|
|
return 1
|
2014-09-09 06:55:02 +00:00
|
|
|
}
|
2014-09-30 22:31:07 +00:00
|
|
|
return c.handleResponse(r.Info, r.Messages)
|
2014-09-06 18:12:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if removeKey != "" {
|
2014-09-24 23:39:14 +00:00
|
|
|
c.Ui.Info("Removing gossip encryption key...")
|
2014-09-28 19:35:51 +00:00
|
|
|
r, err := client.RemoveKey(removeKey)
|
|
|
|
if err != nil {
|
|
|
|
c.Ui.Error(fmt.Sprintf("error: %s", err))
|
|
|
|
return 1
|
2014-09-09 07:08:38 +00:00
|
|
|
}
|
2014-09-30 22:31:07 +00:00
|
|
|
return c.handleResponse(r.Info, r.Messages)
|
2014-09-06 18:12:45 +00:00
|
|
|
}
|
|
|
|
|
2014-09-09 04:45:15 +00:00
|
|
|
// Should never make it here
|
|
|
|
return 0
|
2014-09-06 18:12:45 +00:00
|
|
|
}
|
|
|
|
|
2014-09-28 19:35:51 +00:00
|
|
|
func (c *KeyringCommand) handleResponse(
|
|
|
|
info []agent.KeyringInfo,
|
2014-09-30 22:31:07 +00:00
|
|
|
messages []agent.KeyringMessage) int {
|
2014-09-13 01:13:49 +00:00
|
|
|
|
2014-09-28 19:35:51 +00:00
|
|
|
var rval int
|
2014-09-13 01:13:49 +00:00
|
|
|
|
2014-09-28 19:35:51 +00:00
|
|
|
for _, i := range info {
|
|
|
|
if i.Error != "" {
|
|
|
|
pool := i.Pool
|
|
|
|
if pool != "WAN" {
|
|
|
|
pool = i.Datacenter + " (LAN)"
|
|
|
|
}
|
2014-09-13 01:13:49 +00:00
|
|
|
|
2014-09-28 19:35:51 +00:00
|
|
|
c.Ui.Error("")
|
|
|
|
c.Ui.Error(fmt.Sprintf("%s error: %s", pool, i.Error))
|
|
|
|
|
|
|
|
for _, msg := range messages {
|
|
|
|
if msg.Datacenter != i.Datacenter || msg.Pool != i.Pool {
|
|
|
|
continue
|
|
|
|
}
|
2014-09-29 22:49:47 +00:00
|
|
|
c.Ui.Error(fmt.Sprintf(" %s: %s", msg.Node, msg.Message))
|
2014-09-13 01:13:49 +00:00
|
|
|
}
|
2014-09-28 19:35:51 +00:00
|
|
|
rval = 1
|
2014-09-13 01:13:49 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-09-28 20:33:37 +00:00
|
|
|
if rval == 0 {
|
|
|
|
c.Ui.Info("Done!")
|
|
|
|
}
|
|
|
|
|
2014-09-28 19:35:51 +00:00
|
|
|
return rval
|
2014-09-13 01:13:49 +00:00
|
|
|
}
|
|
|
|
|
2014-09-28 20:33:37 +00:00
|
|
|
func (c *KeyringCommand) handleList(
|
|
|
|
info []agent.KeyringInfo,
|
|
|
|
keys []agent.KeyringEntry) {
|
|
|
|
|
|
|
|
installed := make(map[string]map[string][]int)
|
|
|
|
for _, key := range keys {
|
|
|
|
var nodes int
|
|
|
|
for _, i := range info {
|
|
|
|
if i.Datacenter == key.Datacenter && i.Pool == key.Pool {
|
|
|
|
nodes = i.NumNodes
|
2014-09-13 01:13:49 +00:00
|
|
|
}
|
|
|
|
}
|
2014-09-28 19:35:51 +00:00
|
|
|
|
2014-09-28 20:33:37 +00:00
|
|
|
pool := key.Pool
|
|
|
|
if pool != "WAN" {
|
|
|
|
pool = key.Datacenter + " (LAN)"
|
2014-09-28 19:35:51 +00:00
|
|
|
}
|
2014-09-28 20:33:37 +00:00
|
|
|
|
|
|
|
if _, ok := installed[pool]; !ok {
|
|
|
|
installed[pool] = map[string][]int{key.Key: []int{key.Count, nodes}}
|
|
|
|
} else {
|
|
|
|
installed[pool][key.Key] = []int{key.Count, nodes}
|
2014-09-28 19:35:51 +00:00
|
|
|
}
|
|
|
|
}
|
2014-09-29 22:49:47 +00:00
|
|
|
|
2014-09-28 20:33:37 +00:00
|
|
|
for pool, keys := range installed {
|
|
|
|
c.Ui.Output("")
|
|
|
|
c.Ui.Output(pool + ":")
|
|
|
|
for key, num := range keys {
|
2014-09-29 22:49:47 +00:00
|
|
|
c.Ui.Output(fmt.Sprintf(" %s [%d/%d]", key, num[0], num[1]))
|
2014-09-28 19:35:51 +00:00
|
|
|
}
|
2014-09-13 01:13:49 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-09-13 03:08:54 +00:00
|
|
|
func (c *KeyringCommand) Help() string {
|
2014-09-06 18:12:45 +00:00
|
|
|
helpText := `
|
2014-09-13 03:08:54 +00:00
|
|
|
Usage: consul keyring [options]
|
2014-09-06 18:12:45 +00:00
|
|
|
|
|
|
|
Manages encryption keys used for gossip messages. Gossip encryption is
|
|
|
|
optional. When enabled, this command may be used to examine active encryption
|
|
|
|
keys in the cluster, add new keys, and remove old ones. When combined, this
|
|
|
|
functionality provides the ability to perform key rotation cluster-wide,
|
|
|
|
without disrupting the cluster.
|
|
|
|
|
2014-09-21 18:52:28 +00:00
|
|
|
With the exception of the -init argument, all operations performed by this
|
2014-09-29 19:35:15 +00:00
|
|
|
command can only be run against server nodes, and affect both the LAN and
|
|
|
|
WAN keyrings in lock-step.
|
2014-09-13 03:08:54 +00:00
|
|
|
|
2014-09-06 18:12:45 +00:00
|
|
|
Options:
|
|
|
|
|
|
|
|
-install=<key> Install a new encryption key. This will broadcast
|
|
|
|
the new key to all members in the cluster.
|
|
|
|
-use=<key> Change the primary encryption key, which is used to
|
|
|
|
encrypt messages. The key must already be installed
|
|
|
|
before this operation can succeed.
|
|
|
|
-remove=<key> Remove the given key from the cluster. This
|
|
|
|
operation may only be performed on keys which are
|
|
|
|
not currently the primary key.
|
|
|
|
-list List all keys currently in use within the cluster.
|
|
|
|
-rpc-addr=127.0.0.1:8400 RPC address of the Consul agent.
|
|
|
|
`
|
|
|
|
return strings.TrimSpace(helpText)
|
|
|
|
}
|
|
|
|
|
2014-09-13 03:08:54 +00:00
|
|
|
func (c *KeyringCommand) Synopsis() string {
|
2014-09-06 18:12:45 +00:00
|
|
|
return "Manages gossip layer encryption keys"
|
|
|
|
}
|