status-im/consul
2
0
Fork 0
mirror of https://github.com/status-im/consul.git synced 2025-02-20 09:28:34 +00:00
Code Issues Projects Releases Wiki Activity

command/keys: refactor, restrict key operations to server nodes

Browse Source
This commit is contained in:
Ryan Uber 2014-09-12 18:13:49 -07:00
parent 8a40f3888c
commit 530f3ba747
3 changed files with 102 additions and 122 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
command/agent/agent.go
View File

@ -20,8 +20,7 @@ import (
) )
const ( const (
SerfLANKeyring = "serf/local.keyring" SerfKeyring = "serf/keyring"
SerfWANKeyring = "serf/remote.keyring"
) )
/* /*
@ -176,10 +175,8 @@ func (a *Agent) consulConfig() *consul.Config {
base.SerfWANConfig.MemberlistConfig.SecretKey = key base.SerfWANConfig.MemberlistConfig.SecretKey = key
} }
if a.config.Server && a.config.keyringFilesExist() { if a.config.Server && a.config.keyringFilesExist() {
pathWAN := filepath.Join(base.DataDir, SerfWANKeyring) path := filepath.Join(base.DataDir, SerfKeyring)
pathLAN := filepath.Join(base.DataDir, SerfLANKeyring) base.SerfLANConfig.KeyringFile = path
base.SerfWANConfig.KeyringFile = pathWAN
base.SerfLANConfig.KeyringFile = pathLAN
} }
if a.config.NodeName != "" { if a.config.NodeName != "" {
base.NodeName = a.config.NodeName base.NodeName = a.config.NodeName

7
command/agent/config.go
View File

@ -413,14 +413,9 @@ func (c *Config) ClientListenerAddr(override string, port int) (string, error) {
// keyringFilesExist checks for existence of the keyring files for Serf // keyringFilesExist checks for existence of the keyring files for Serf
func (c *Config) keyringFilesExist() bool { func (c *Config) keyringFilesExist() bool {
if _, err := os.Stat(filepath.Join(c.DataDir, SerfLANKeyring)); err != nil { if _, err := os.Stat(filepath.Join(c.DataDir, SerfKeyring)); err != nil {
return false return false
} }
if c.Server {
if _, err := os.Stat(filepath.Join(c.DataDir, SerfWANKeyring)); err != nil {
return false
}
}
return true return true
} }

228
command/keys.go
View File

@ -22,7 +22,7 @@ type KeysCommand struct {
func (c *KeysCommand) Run(args []string) int { func (c *KeysCommand) Run(args []string) int {
var installKey, useKey, removeKey, init, dataDir string var installKey, useKey, removeKey, init, dataDir string
var listKeys, wan bool var listKeys bool
cmdFlags := flag.NewFlagSet("keys", flag.ContinueOnError) cmdFlags := flag.NewFlagSet("keys", flag.ContinueOnError)
cmdFlags.Usage = func() { c.Ui.Output(c.Help()) } cmdFlags.Usage = func() { c.Ui.Output(c.Help()) }
@ -31,7 +31,6 @@ func (c *KeysCommand) Run(args []string) int {
cmdFlags.StringVar(&useKey, "use", "", "use key") cmdFlags.StringVar(&useKey, "use", "", "use key")
cmdFlags.StringVar(&removeKey, "remove", "", "remove key") cmdFlags.StringVar(&removeKey, "remove", "", "remove key")
cmdFlags.BoolVar(&listKeys, "list", false, "list keys") cmdFlags.BoolVar(&listKeys, "list", false, "list keys")
cmdFlags.BoolVar(&wan, "wan", false, "operate on wan keys")
cmdFlags.StringVar(&init, "init", "", "initialize keyring") cmdFlags.StringVar(&init, "init", "", "initialize keyring")
cmdFlags.StringVar(&dataDir, "data-dir", "", "data directory") cmdFlags.StringVar(&dataDir, "data-dir", "", "data directory")
@ -63,39 +62,17 @@ func (c *KeysCommand) Run(args []string) int {
return 1 return 1
} }
var out, paths []string
var failures map[string]string
var err error
if init != "" { if init != "" {
if dataDir == "" { if dataDir == "" {
c.Ui.Error("Must provide -data-dir") c.Ui.Error("Must provide -data-dir")
return 1 return 1
} }
if _, err := base64.StdEncoding.DecodeString(init); err != nil { path := filepath.Join(dataDir, agent.SerfKeyring)
c.Ui.Error(fmt.Sprintf("Invalid key: %s", err)) if err := initializeKeyring(path, init); err != nil {
return 1
}
paths = append(paths, filepath.Join(dataDir, agent.SerfLANKeyring))
if wan {
paths = append(paths, filepath.Join(dataDir, agent.SerfWANKeyring))
}
keys := []string{init}
keyringBytes, err := json.MarshalIndent(keys, "", " ")
if err != nil {
c.Ui.Error(fmt.Sprintf("Error: %s", err)) c.Ui.Error(fmt.Sprintf("Error: %s", err))
return 1 return 1
} }
for _, path := range paths {
if err := initializeKeyring(path, keyringBytes); err != nil {
c.Ui.Error("Error: %s", err)
return 1
}
}
return 0 return 0
} }
@ -107,17 +84,100 @@ func (c *KeysCommand) Run(args []string) int {
} }
defer client.Close() defer client.Close()
if listKeys { // For all key-related operations, we must be querying a server node.
var keys map[string]int s, err := client.Stats()
var numNodes int if err != nil {
c.Ui.Error(fmt.Sprintf("Error: %s", err))
if wan { return 1
c.Ui.Info("Asking all WAN members for installed keys...")
keys, numNodes, failures, err = client.ListKeysWAN()
} else {
c.Ui.Info("Asking all LAN members for installed keys...")
keys, numNodes, failures, err = client.ListKeysLAN()
} }
if s["consul"]["server"] != "true" {
c.Ui.Error("Error: Key modification can only be handled by a server")
return 1
}
if listKeys {
c.Ui.Info("Asking all WAN members for installed keys...")
if rval := c.listKeysOperation(client.ListKeysWAN); rval != 0 {
return rval
}
c.Ui.Info("Asking all LAN members for installed keys...")
if rval := c.listKeysOperation(client.ListKeysLAN); rval != 0 {
return rval
}
return 0
}
if installKey != "" {
c.Ui.Info("Installing new WAN gossip encryption key...")
if rval := c.keyOperation(installKey, client.InstallKeyWAN); rval != 0 {
return rval
}
c.Ui.Info("Installing new LAN gossip encryption key...")
if rval := c.keyOperation(installKey, client.InstallKeyLAN); rval != 0 {
return rval
}
c.Ui.Info("Successfully installed key!")
return 0
}
if useKey != "" {
c.Ui.Info("Changing primary WAN gossip encryption key...")
if rval := c.keyOperation(useKey, client.UseKeyWAN); rval != 0 {
return rval
}
c.Ui.Info("Changing primary LAN gossip encryption key...")
if rval := c.keyOperation(useKey, client.UseKeyLAN); rval != 0 {
return rval
}
c.Ui.Info("Successfully changed primary key!")
return 0
}
if removeKey != "" {
c.Ui.Info("Removing WAN gossip encryption key...")
if rval := c.keyOperation(removeKey, client.RemoveKeyWAN); rval != 0 {
return rval
}
c.Ui.Info("Removing LAN gossip encryption key...")
if rval := c.keyOperation(removeKey, client.RemoveKeyLAN); rval != 0 {
return rval
}
c.Ui.Info("Successfully removed key!")
return 0
}
// Should never make it here
return 0
}
type keyFunc func(string) (map[string]string, error)
func (c *KeysCommand) keyOperation(key string, fn keyFunc) int {
var out []string
failures, err := fn(key)
if err != nil {
if len(failures) > 0 {
for node, msg := range failures {
out = append(out, fmt.Sprintf("failed: %s | %s", node, msg))
}
c.Ui.Error(columnize.SimpleFormat(out))
}
c.Ui.Error("")
c.Ui.Error(fmt.Sprintf("Error: %s", err))
return 1
}
return 0
}
type listKeysFunc func() (map[string]int, int, map[string]string, error)
func (c *KeysCommand) listKeysOperation(fn listKeysFunc) int {
var out []string
keys, numNodes, failures, err := fn()
if err != nil { if err != nil {
if len(failures) > 0 { if len(failures) > 0 {
@ -130,99 +190,27 @@ func (c *KeysCommand) Run(args []string) int {
c.Ui.Error(fmt.Sprintf("Failed gathering member keys: %s", err)) c.Ui.Error(fmt.Sprintf("Failed gathering member keys: %s", err))
return 1 return 1
} }
c.Ui.Info("Keys gathered, listing cluster keys...")
c.Ui.Output("")
for key, num := range keys { for key, num := range keys {
out = append(out, fmt.Sprintf("%s | [%d/%d]", key, num, numNodes)) out = append(out, fmt.Sprintf("%s | [%d/%d]", key, num, numNodes))
} }
c.Ui.Output(columnize.SimpleFormat(out)) c.Ui.Output(columnize.SimpleFormat(out))
return 0 c.Ui.Output("")
}
if installKey != "" {
if wan {
c.Ui.Info("Installing new WAN gossip encryption key...")
failures, err = client.InstallKeyWAN(installKey)
} else {
c.Ui.Info("Installing new LAN gossip encryption key...")
failures, err = client.InstallKeyLAN(installKey)
}
if err != nil {
if len(failures) > 0 {
for node, msg := range failures {
out = append(out, fmt.Sprintf("failed: %s | %s", node, msg))
}
c.Ui.Error(columnize.SimpleFormat(out))
}
c.Ui.Error("")
c.Ui.Error(fmt.Sprintf("Error installing key: %s", err))
return 1
}
c.Ui.Info("Successfully installed key!")
return 0
}
if useKey != "" {
if wan {
c.Ui.Info("Changing primary encryption key on WAN members...")
failures, err = client.UseKeyWAN(useKey)
} else {
c.Ui.Info("Changing primary encryption key on LAN members...")
failures, err = client.UseKeyLAN(useKey)
}
if err != nil {
if len(failures) > 0 {
for node, msg := range failures {
out = append(out, fmt.Sprintf("failed: %s | %s", node, msg))
}
c.Ui.Error(columnize.SimpleFormat(out))
}
c.Ui.Error("")
c.Ui.Error(fmt.Sprintf("Error changing primary key: %s", err))
return 1
}
c.Ui.Info("Successfully changed primary key!")
return 0
}
if removeKey != "" {
if wan {
c.Ui.Info("Removing key from WAN members...")
failures, err = client.RemoveKeyWAN(removeKey)
} else {
c.Ui.Info("Removing key from LAN members...")
failures, err = client.RemoveKeyLAN(removeKey)
}
if err != nil {
if len(failures) > 0 {
for node, msg := range failures {
out = append(out, fmt.Sprintf("failed: %s | %s", node, msg))
}
c.Ui.Error(columnize.SimpleFormat(out))
}
c.Ui.Error("")
c.Ui.Error(fmt.Sprintf("Error removing key: %s", err))
return 1
}
c.Ui.Info("Successfully removed key!")
return 0
}
// Should never make it here
return 0 return 0
} }
// initializeKeyring will create a keyring file at a given path. // initializeKeyring will create a keyring file at a given path.
func initializeKeyring(path string, key []byte) error { func initializeKeyring(path, key string) error {
if _, err := base64.StdEncoding.DecodeString(key); err != nil {
return fmt.Errorf("Invalid key: %s", err)
}
keys := []string{key}
keyringBytes, err := json.MarshalIndent(keys, "", " ")
if err != nil {
return err
}
if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil { if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil {
return err return err
} }