2023-03-28 19:39:22 +01:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
2023-08-11 09:12:13 -04:00
|
|
|
// SPDX-License-Identifier: BUSL-1.1
|
2023-03-28 19:39:22 +01:00
|
|
|
|
2014-09-21 11:21:54 -07:00
|
|
|
package agent
|
|
|
|
|
|
|
|
import (
|
2020-02-13 20:35:09 +01:00
|
|
|
"bytes"
|
2022-12-14 09:24:22 -06:00
|
|
|
"context"
|
2014-09-21 11:21:54 -07:00
|
|
|
"encoding/base64"
|
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
|
|
|
"os"
|
2014-10-02 22:05:00 -07:00
|
|
|
"path/filepath"
|
2014-09-21 11:21:54 -07:00
|
|
|
|
2020-08-10 20:20:06 -04:00
|
|
|
"github.com/hashicorp/consul/agent/config"
|
pkg refactor
command/agent/* -> agent/*
command/consul/* -> agent/consul/*
command/agent/command{,_test}.go -> command/agent{,_test}.go
command/base/command.go -> command/base.go
command/base/* -> command/*
commands.go -> command/commands.go
The script which did the refactor is:
(
cd $GOPATH/src/github.com/hashicorp/consul
git mv command/agent/command.go command/agent.go
git mv command/agent/command_test.go command/agent_test.go
git mv command/agent/flag_slice_value{,_test}.go command/
git mv command/agent .
git mv command/base/command.go command/base.go
git mv command/base/config_util{,_test}.go command/
git mv commands.go command/
git mv consul agent
rmdir command/base/
gsed -i -e 's|package agent|package command|' command/agent{,_test}.go
gsed -i -e 's|package agent|package command|' command/flag_slice_value{,_test}.go
gsed -i -e 's|package base|package command|' command/base.go command/config_util{,_test}.go
gsed -i -e 's|package main|package command|' command/commands.go
gsed -i -e 's|base.Command|BaseCommand|' command/commands.go
gsed -i -e 's|agent.Command|AgentCommand|' command/commands.go
gsed -i -e 's|\tCommand:|\tBaseCommand:|' command/commands.go
gsed -i -e 's|base\.||' command/commands.go
gsed -i -e 's|command\.||' command/commands.go
gsed -i -e 's|command|c|' main.go
gsed -i -e 's|range Commands|range command.Commands|' main.go
gsed -i -e 's|Commands: Commands|Commands: command.Commands|' main.go
gsed -i -e 's|base\.BoolValue|BoolValue|' command/operator_autopilot_set.go
gsed -i -e 's|base\.DurationValue|DurationValue|' command/operator_autopilot_set.go
gsed -i -e 's|base\.StringValue|StringValue|' command/operator_autopilot_set.go
gsed -i -e 's|base\.UintValue|UintValue|' command/operator_autopilot_set.go
gsed -i -e 's|\bCommand\b|BaseCommand|' command/base.go
gsed -i -e 's|BaseCommand Options|Command Options|' command/base.go
gsed -i -e 's|base.Command|BaseCommand|' command/*.go
gsed -i -e 's|c\.Command|c.BaseCommand|g' command/*.go
gsed -i -e 's|\tCommand:|\tBaseCommand:|' command/*_test.go
gsed -i -e 's|base\.||' command/*_test.go
gsed -i -e 's|\bCommand\b|AgentCommand|' command/agent{,_test}.go
gsed -i -e 's|cmd.AgentCommand|cmd.BaseCommand|' command/agent.go
gsed -i -e 's|cli.AgentCommand = new(Command)|cli.Command = new(AgentCommand)|' command/agent_test.go
gsed -i -e 's|exec.AgentCommand|exec.Command|' command/agent_test.go
gsed -i -e 's|exec.BaseCommand|exec.Command|' command/agent_test.go
gsed -i -e 's|NewTestAgent|agent.NewTestAgent|' command/agent_test.go
gsed -i -e 's|= TestConfig|= agent.TestConfig|' command/agent_test.go
gsed -i -e 's|: RetryJoin|: agent.RetryJoin|' command/agent_test.go
gsed -i -e 's|\.\./\.\./|../|' command/config_util_test.go
gsed -i -e 's|\bverifyUniqueListeners|VerifyUniqueListeners|' agent/config{,_test}.go command/agent.go
gsed -i -e 's|\bserfLANKeyring\b|SerfLANKeyring|g' agent/{agent,keyring,testagent}.go command/agent.go
gsed -i -e 's|\bserfWANKeyring\b|SerfWANKeyring|g' agent/{agent,keyring,testagent}.go command/agent.go
gsed -i -e 's|\bNewAgent\b|agent.New|g' command/agent{,_test}.go
gsed -i -e 's|\bNewAgent|New|' agent/{acl_test,agent,testagent}.go
gsed -i -e 's|\bAgent\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bBool\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bConfig\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bDefaultConfig\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bDevConfig\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bMergeConfig\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bReadConfigPaths\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bParseMetaPair\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bSerfLANKeyring\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bSerfWANKeyring\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|circonus\.agent|circonus|g' command/agent{,_test}.go
gsed -i -e 's|logger\.agent|logger|g' command/agent{,_test}.go
gsed -i -e 's|metrics\.agent|metrics|g' command/agent{,_test}.go
gsed -i -e 's|// agent.Agent|// agent|' command/agent{,_test}.go
gsed -i -e 's|a\.agent\.Config|a.Config|' command/agent{,_test}.go
gsed -i -e 's|agent\.AppendSliceValue|AppendSliceValue|' command/{configtest,validate}.go
gsed -i -e 's|consul/consul|agent/consul|' GNUmakefile
gsed -i -e 's|\.\./test|../../test|' agent/consul/server_test.go
# fix imports
f=$(grep -rl 'github.com/hashicorp/consul/command/agent' * | grep '\.go')
gsed -i -e 's|github.com/hashicorp/consul/command/agent|github.com/hashicorp/consul/agent|' $f
goimports -w $f
f=$(grep -rl 'github.com/hashicorp/consul/consul' * | grep '\.go')
gsed -i -e 's|github.com/hashicorp/consul/consul|github.com/hashicorp/consul/agent/consul|' $f
goimports -w $f
goimports -w command/*.go main.go
)
2017-06-10 00:28:28 +02:00
|
|
|
"github.com/hashicorp/consul/agent/consul"
|
2017-07-06 12:34:00 +02:00
|
|
|
"github.com/hashicorp/consul/agent/structs"
|
2020-08-10 20:20:06 -04:00
|
|
|
"github.com/hashicorp/go-hclog"
|
2014-09-21 11:21:54 -07:00
|
|
|
"github.com/hashicorp/memberlist"
|
|
|
|
"github.com/hashicorp/serf/serf"
|
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
pkg refactor
command/agent/* -> agent/*
command/consul/* -> agent/consul/*
command/agent/command{,_test}.go -> command/agent{,_test}.go
command/base/command.go -> command/base.go
command/base/* -> command/*
commands.go -> command/commands.go
The script which did the refactor is:
(
cd $GOPATH/src/github.com/hashicorp/consul
git mv command/agent/command.go command/agent.go
git mv command/agent/command_test.go command/agent_test.go
git mv command/agent/flag_slice_value{,_test}.go command/
git mv command/agent .
git mv command/base/command.go command/base.go
git mv command/base/config_util{,_test}.go command/
git mv commands.go command/
git mv consul agent
rmdir command/base/
gsed -i -e 's|package agent|package command|' command/agent{,_test}.go
gsed -i -e 's|package agent|package command|' command/flag_slice_value{,_test}.go
gsed -i -e 's|package base|package command|' command/base.go command/config_util{,_test}.go
gsed -i -e 's|package main|package command|' command/commands.go
gsed -i -e 's|base.Command|BaseCommand|' command/commands.go
gsed -i -e 's|agent.Command|AgentCommand|' command/commands.go
gsed -i -e 's|\tCommand:|\tBaseCommand:|' command/commands.go
gsed -i -e 's|base\.||' command/commands.go
gsed -i -e 's|command\.||' command/commands.go
gsed -i -e 's|command|c|' main.go
gsed -i -e 's|range Commands|range command.Commands|' main.go
gsed -i -e 's|Commands: Commands|Commands: command.Commands|' main.go
gsed -i -e 's|base\.BoolValue|BoolValue|' command/operator_autopilot_set.go
gsed -i -e 's|base\.DurationValue|DurationValue|' command/operator_autopilot_set.go
gsed -i -e 's|base\.StringValue|StringValue|' command/operator_autopilot_set.go
gsed -i -e 's|base\.UintValue|UintValue|' command/operator_autopilot_set.go
gsed -i -e 's|\bCommand\b|BaseCommand|' command/base.go
gsed -i -e 's|BaseCommand Options|Command Options|' command/base.go
gsed -i -e 's|base.Command|BaseCommand|' command/*.go
gsed -i -e 's|c\.Command|c.BaseCommand|g' command/*.go
gsed -i -e 's|\tCommand:|\tBaseCommand:|' command/*_test.go
gsed -i -e 's|base\.||' command/*_test.go
gsed -i -e 's|\bCommand\b|AgentCommand|' command/agent{,_test}.go
gsed -i -e 's|cmd.AgentCommand|cmd.BaseCommand|' command/agent.go
gsed -i -e 's|cli.AgentCommand = new(Command)|cli.Command = new(AgentCommand)|' command/agent_test.go
gsed -i -e 's|exec.AgentCommand|exec.Command|' command/agent_test.go
gsed -i -e 's|exec.BaseCommand|exec.Command|' command/agent_test.go
gsed -i -e 's|NewTestAgent|agent.NewTestAgent|' command/agent_test.go
gsed -i -e 's|= TestConfig|= agent.TestConfig|' command/agent_test.go
gsed -i -e 's|: RetryJoin|: agent.RetryJoin|' command/agent_test.go
gsed -i -e 's|\.\./\.\./|../|' command/config_util_test.go
gsed -i -e 's|\bverifyUniqueListeners|VerifyUniqueListeners|' agent/config{,_test}.go command/agent.go
gsed -i -e 's|\bserfLANKeyring\b|SerfLANKeyring|g' agent/{agent,keyring,testagent}.go command/agent.go
gsed -i -e 's|\bserfWANKeyring\b|SerfWANKeyring|g' agent/{agent,keyring,testagent}.go command/agent.go
gsed -i -e 's|\bNewAgent\b|agent.New|g' command/agent{,_test}.go
gsed -i -e 's|\bNewAgent|New|' agent/{acl_test,agent,testagent}.go
gsed -i -e 's|\bAgent\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bBool\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bConfig\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bDefaultConfig\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bDevConfig\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bMergeConfig\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bReadConfigPaths\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bParseMetaPair\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bSerfLANKeyring\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bSerfWANKeyring\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|circonus\.agent|circonus|g' command/agent{,_test}.go
gsed -i -e 's|logger\.agent|logger|g' command/agent{,_test}.go
gsed -i -e 's|metrics\.agent|metrics|g' command/agent{,_test}.go
gsed -i -e 's|// agent.Agent|// agent|' command/agent{,_test}.go
gsed -i -e 's|a\.agent\.Config|a.Config|' command/agent{,_test}.go
gsed -i -e 's|agent\.AppendSliceValue|AppendSliceValue|' command/{configtest,validate}.go
gsed -i -e 's|consul/consul|agent/consul|' GNUmakefile
gsed -i -e 's|\.\./test|../../test|' agent/consul/server_test.go
# fix imports
f=$(grep -rl 'github.com/hashicorp/consul/command/agent' * | grep '\.go')
gsed -i -e 's|github.com/hashicorp/consul/command/agent|github.com/hashicorp/consul/agent|' $f
goimports -w $f
f=$(grep -rl 'github.com/hashicorp/consul/consul' * | grep '\.go')
gsed -i -e 's|github.com/hashicorp/consul/consul|github.com/hashicorp/consul/agent/consul|' $f
goimports -w $f
goimports -w command/*.go main.go
)
2017-06-10 00:28:28 +02:00
|
|
|
SerfLANKeyring = "serf/local.keyring"
|
|
|
|
SerfWANKeyring = "serf/remote.keyring"
|
2014-09-21 11:21:54 -07:00
|
|
|
)
|
|
|
|
|
2020-08-10 20:20:06 -04:00
|
|
|
// setupKeyrings in config.SerfLANConfig and config.SerfWANConfig.
|
|
|
|
func setupKeyrings(config *consul.Config, rtConfig *config.RuntimeConfig, logger hclog.Logger) error {
|
|
|
|
// First set up the LAN and WAN keyrings.
|
|
|
|
if err := setupBaseKeyrings(config, rtConfig, logger); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// If there's no LAN keyring then there's nothing else to set up for
|
|
|
|
// any segments.
|
|
|
|
lanKeyring := config.SerfLANConfig.MemberlistConfig.Keyring
|
|
|
|
if lanKeyring == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Copy the initial state of the LAN keyring into each segment config.
|
|
|
|
// Segments don't have their own keyring file, they rely on the LAN
|
|
|
|
// holding the state so things can't get out of sync.
|
|
|
|
k, pk := lanKeyring.GetKeys(), lanKeyring.GetPrimaryKey()
|
|
|
|
for _, segment := range config.Segments {
|
|
|
|
keyring, err := memberlist.NewKeyring(k, pk)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
segment.SerfConfig.MemberlistConfig.Keyring = keyring
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// setupBaseKeyrings configures the LAN and WAN keyrings.
|
|
|
|
func setupBaseKeyrings(config *consul.Config, rtConfig *config.RuntimeConfig, logger hclog.Logger) error {
|
|
|
|
// If the keyring file is disabled then just poke the provided key
|
|
|
|
// into the in-memory keyring.
|
|
|
|
federationEnabled := config.SerfWANConfig != nil
|
|
|
|
if rtConfig.DisableKeyringFile {
|
|
|
|
if rtConfig.EncryptKey == "" {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
keys := []string{rtConfig.EncryptKey}
|
|
|
|
if err := loadKeyring(config.SerfLANConfig, keys); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if rtConfig.ServerMode && federationEnabled {
|
|
|
|
if err := loadKeyring(config.SerfWANConfig, keys); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Otherwise, we need to deal with the keyring files.
|
|
|
|
fileLAN := filepath.Join(rtConfig.DataDir, SerfLANKeyring)
|
|
|
|
fileWAN := filepath.Join(rtConfig.DataDir, SerfWANKeyring)
|
|
|
|
|
|
|
|
var existingLANKeyring, existingWANKeyring bool
|
|
|
|
if rtConfig.EncryptKey == "" {
|
|
|
|
goto LOAD
|
|
|
|
}
|
|
|
|
if _, err := os.Stat(fileLAN); err != nil {
|
|
|
|
if err := initKeyring(fileLAN, rtConfig.EncryptKey); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
existingLANKeyring = true
|
|
|
|
}
|
|
|
|
if rtConfig.ServerMode && federationEnabled {
|
|
|
|
if _, err := os.Stat(fileWAN); err != nil {
|
|
|
|
if err := initKeyring(fileWAN, rtConfig.EncryptKey); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
existingWANKeyring = true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
LOAD:
|
|
|
|
if _, err := os.Stat(fileLAN); err == nil {
|
|
|
|
config.SerfLANConfig.KeyringFile = fileLAN
|
|
|
|
}
|
|
|
|
if err := loadKeyringFile(config.SerfLANConfig); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if rtConfig.ServerMode && federationEnabled {
|
|
|
|
if _, err := os.Stat(fileWAN); err == nil {
|
|
|
|
config.SerfWANConfig.KeyringFile = fileWAN
|
|
|
|
}
|
|
|
|
if err := loadKeyringFile(config.SerfWANConfig); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Only perform the following checks if there was an encrypt_key
|
|
|
|
// provided in the configuration.
|
|
|
|
if rtConfig.EncryptKey != "" {
|
|
|
|
msg := " keyring doesn't include key provided with -encrypt, using keyring"
|
|
|
|
if existingLANKeyring &&
|
|
|
|
keyringIsMissingKey(
|
|
|
|
config.SerfLANConfig.MemberlistConfig.Keyring,
|
|
|
|
rtConfig.EncryptKey,
|
|
|
|
) {
|
|
|
|
logger.Warn(msg, "keyring", "LAN")
|
|
|
|
}
|
|
|
|
if existingWANKeyring &&
|
|
|
|
keyringIsMissingKey(
|
|
|
|
config.SerfWANConfig.MemberlistConfig.Keyring,
|
|
|
|
rtConfig.EncryptKey,
|
|
|
|
) {
|
|
|
|
logger.Warn(msg, "keyring", "WAN")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2014-10-10 11:13:30 -07:00
|
|
|
// initKeyring will create a keyring file at a given path.
|
|
|
|
func initKeyring(path, key string) error {
|
2014-10-04 13:43:10 -07:00
|
|
|
var keys []string
|
|
|
|
|
2020-02-13 20:35:09 +01:00
|
|
|
if keyBytes, err := decodeStringKey(key); err != nil {
|
2016-06-28 23:19:18 -05:00
|
|
|
return fmt.Errorf("Invalid key: %s", err)
|
|
|
|
} else if err := memberlist.ValidateKey(keyBytes); err != nil {
|
2014-10-10 11:13:30 -07:00
|
|
|
return fmt.Errorf("Invalid key: %s", err)
|
2014-10-02 22:05:00 -07:00
|
|
|
}
|
|
|
|
|
2014-10-09 15:28:38 -07:00
|
|
|
// Just exit if the file already exists.
|
2014-10-04 13:43:10 -07:00
|
|
|
if _, err := os.Stat(path); err == nil {
|
2014-10-10 11:13:30 -07:00
|
|
|
return nil
|
2014-10-04 13:43:10 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
keys = append(keys, key)
|
2014-10-02 22:05:00 -07:00
|
|
|
keyringBytes, err := json.Marshal(keys)
|
|
|
|
if err != nil {
|
2014-10-10 11:13:30 -07:00
|
|
|
return err
|
2014-10-02 22:05:00 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil {
|
2014-10-10 11:13:30 -07:00
|
|
|
return err
|
2014-10-02 22:05:00 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
fh, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0600)
|
|
|
|
if err != nil {
|
2014-10-10 11:13:30 -07:00
|
|
|
return err
|
2014-10-02 22:05:00 -07:00
|
|
|
}
|
|
|
|
defer fh.Close()
|
|
|
|
|
|
|
|
if _, err := fh.Write(keyringBytes); err != nil {
|
|
|
|
os.Remove(path)
|
2014-10-10 11:13:30 -07:00
|
|
|
return err
|
2014-10-02 22:05:00 -07:00
|
|
|
}
|
|
|
|
|
2014-10-10 11:13:30 -07:00
|
|
|
return nil
|
2014-10-02 22:05:00 -07:00
|
|
|
}
|
|
|
|
|
2014-09-21 11:21:54 -07:00
|
|
|
// loadKeyringFile will load a gossip encryption keyring out of a file. The file
|
|
|
|
// must be in JSON format and contain a list of encryption key strings.
|
|
|
|
func loadKeyringFile(c *serf.Config) error {
|
|
|
|
if c.KeyringFile == "" {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
if _, err := os.Stat(c.KeyringFile); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2022-11-10 10:26:01 -06:00
|
|
|
keyringData, err := os.ReadFile(c.KeyringFile)
|
2014-09-21 11:21:54 -07:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
keys := make([]string, 0)
|
|
|
|
if err := json.Unmarshal(keyringData, &keys); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2017-07-17 12:48:45 -07:00
|
|
|
return loadKeyring(c, keys)
|
|
|
|
}
|
|
|
|
|
|
|
|
// loadKeyring takes a list of base64-encoded strings and installs them in the
|
|
|
|
// given Serf's keyring.
|
|
|
|
func loadKeyring(c *serf.Config, keys []string) error {
|
2014-09-21 11:21:54 -07:00
|
|
|
keysDecoded := make([][]byte, len(keys))
|
|
|
|
for i, key := range keys {
|
2020-02-13 20:35:09 +01:00
|
|
|
keyBytes, err := decodeStringKey(key)
|
2014-09-21 11:21:54 -07:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
keysDecoded[i] = keyBytes
|
|
|
|
}
|
|
|
|
|
2014-10-02 17:14:52 -07:00
|
|
|
if len(keysDecoded) == 0 {
|
2017-07-17 12:48:45 -07:00
|
|
|
return fmt.Errorf("no keys present in keyring: %s", c.KeyringFile)
|
2014-10-02 17:14:52 -07:00
|
|
|
}
|
|
|
|
|
2014-09-21 11:21:54 -07:00
|
|
|
keyring, err := memberlist.NewKeyring(keysDecoded, keysDecoded[0])
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
c.MemberlistConfig.Keyring = keyring
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-02-13 20:35:09 +01:00
|
|
|
func decodeStringKey(key string) ([]byte, error) {
|
|
|
|
return base64.StdEncoding.DecodeString(key)
|
|
|
|
}
|
|
|
|
|
2014-09-24 16:39:14 -07:00
|
|
|
// keyringProcess is used to abstract away the semantic similarities in
|
|
|
|
// performing various operations on the encryption keyring.
|
2014-10-06 15:14:30 -07:00
|
|
|
func (a *Agent) keyringProcess(args *structs.KeyringRequest) (*structs.KeyringResponses, error) {
|
2014-09-24 18:30:34 -07:00
|
|
|
var reply structs.KeyringResponses
|
2017-05-15 16:05:17 +02:00
|
|
|
|
2022-12-14 09:24:22 -06:00
|
|
|
if err := a.RPC(context.Background(), "Internal.KeyringOperation", args, &reply); err != nil {
|
2014-09-24 16:39:14 -07:00
|
|
|
return &reply, err
|
2014-09-21 11:21:54 -07:00
|
|
|
}
|
|
|
|
|
2014-09-24 16:39:14 -07:00
|
|
|
return &reply, nil
|
2014-09-21 11:21:54 -07:00
|
|
|
}
|
|
|
|
|
2017-02-01 21:42:41 -05:00
|
|
|
// ParseRelayFactor validates and converts the given relay factor to uint8
|
|
|
|
func ParseRelayFactor(n int) (uint8, error) {
|
|
|
|
if n < 0 || n > 5 {
|
|
|
|
return 0, fmt.Errorf("Relay factor must be in range: [0, 5]")
|
|
|
|
}
|
|
|
|
return uint8(n), nil
|
|
|
|
}
|
|
|
|
|
2019-08-12 11:11:11 -07:00
|
|
|
// ValidateLocalOnly validates the local-only flag, requiring that it only be
|
|
|
|
// set for list requests.
|
|
|
|
func ValidateLocalOnly(local bool, list bool) error {
|
|
|
|
if local && !list {
|
|
|
|
return fmt.Errorf("local-only can only be set for list requests")
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2014-09-24 16:39:14 -07:00
|
|
|
// ListKeys lists out all keys installed on the collective Consul cluster. This
|
|
|
|
// includes both servers and clients in all DC's.
|
2020-08-10 22:24:15 +02:00
|
|
|
func (a *Agent) ListKeys(token string, localOnly bool, relayFactor uint8) (*structs.KeyringResponses, error) {
|
|
|
|
args := structs.KeyringRequest{Operation: structs.KeyringList, LocalOnly: localOnly}
|
2017-02-01 21:42:41 -05:00
|
|
|
parseKeyringRequest(&args, token, relayFactor)
|
2014-10-06 15:14:30 -07:00
|
|
|
return a.keyringProcess(&args)
|
2014-09-21 11:21:54 -07:00
|
|
|
}
|
|
|
|
|
2014-09-24 16:39:14 -07:00
|
|
|
// InstallKey installs a new gossip encryption key
|
2017-02-01 21:42:41 -05:00
|
|
|
func (a *Agent) InstallKey(key, token string, relayFactor uint8) (*structs.KeyringResponses, error) {
|
2014-10-02 18:12:01 -07:00
|
|
|
args := structs.KeyringRequest{Key: key, Operation: structs.KeyringInstall}
|
2017-02-01 21:42:41 -05:00
|
|
|
parseKeyringRequest(&args, token, relayFactor)
|
2014-10-06 15:14:30 -07:00
|
|
|
return a.keyringProcess(&args)
|
2014-09-21 11:21:54 -07:00
|
|
|
}
|
|
|
|
|
2014-09-24 16:39:14 -07:00
|
|
|
// UseKey changes the primary encryption key used to encrypt messages
|
2017-02-01 21:42:41 -05:00
|
|
|
func (a *Agent) UseKey(key, token string, relayFactor uint8) (*structs.KeyringResponses, error) {
|
2014-10-02 18:12:01 -07:00
|
|
|
args := structs.KeyringRequest{Key: key, Operation: structs.KeyringUse}
|
2017-02-01 21:42:41 -05:00
|
|
|
parseKeyringRequest(&args, token, relayFactor)
|
2014-10-06 15:14:30 -07:00
|
|
|
return a.keyringProcess(&args)
|
2014-09-21 11:21:54 -07:00
|
|
|
}
|
|
|
|
|
2014-09-24 16:39:14 -07:00
|
|
|
// RemoveKey will remove a gossip encryption key from the keyring
|
2017-02-01 21:42:41 -05:00
|
|
|
func (a *Agent) RemoveKey(key, token string, relayFactor uint8) (*structs.KeyringResponses, error) {
|
2014-10-02 18:12:01 -07:00
|
|
|
args := structs.KeyringRequest{Key: key, Operation: structs.KeyringRemove}
|
2017-02-01 21:42:41 -05:00
|
|
|
parseKeyringRequest(&args, token, relayFactor)
|
2014-10-06 15:14:30 -07:00
|
|
|
return a.keyringProcess(&args)
|
2014-09-21 11:21:54 -07:00
|
|
|
}
|
2017-02-01 21:42:41 -05:00
|
|
|
|
|
|
|
func parseKeyringRequest(req *structs.KeyringRequest, token string, relayFactor uint8) {
|
|
|
|
req.Token = token
|
|
|
|
req.RelayFactor = relayFactor
|
|
|
|
}
|
2020-02-13 20:35:09 +01:00
|
|
|
|
|
|
|
// keyringIsMissingKey checks whether a key is part of a keyring. Returns true
|
|
|
|
// if it is not included.
|
|
|
|
func keyringIsMissingKey(keyring *memberlist.Keyring, key string) bool {
|
|
|
|
k1, err := decodeStringKey(key)
|
|
|
|
if err != nil {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
for _, k2 := range keyring.GetKeys() {
|
|
|
|
if bytes.Equal(k1, k2) {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|