thread local-only through the layers

$ consul keyring -list -local-only
==> Gathering installed encryption keys...

dc1 (LAN):
  aUlAW4ST3+vwseI61so24CoORkyjZofcmHk+j7QPSYQ= [1/1]
This commit is contained in:
Hans Hasselberg 2020-08-10 22:24:15 +02:00
parent 095eb22dd0
commit 08b1fea379
4 changed files with 47 additions and 9 deletions

View File

@ -146,8 +146,8 @@ func ValidateLocalOnly(local bool, list bool) error {
// ListKeys lists out all keys installed on the collective Consul cluster. This
// includes both servers and clients in all DC's.
func (a *Agent) ListKeys(token string, relayFactor uint8) (*structs.KeyringResponses, error) {
args := structs.KeyringRequest{Operation: structs.KeyringList}
func (a *Agent) ListKeys(token string, localOnly bool, relayFactor uint8) (*structs.KeyringResponses, error) {
args := structs.KeyringRequest{Operation: structs.KeyringList, LocalOnly: localOnly}
parseKeyringRequest(&args, token, relayFactor)
return a.keyringProcess(&args)
}

View File

@ -280,13 +280,13 @@ func TestAgentKeyring_ACL(t *testing.T) {
defer a.Shutdown()
// List keys without access fails
_, err := a.ListKeys("", 0)
_, err := a.ListKeys("", false, 0)
if err == nil || !strings.Contains(err.Error(), "denied") {
t.Fatalf("expected denied error, got: %#v", err)
}
// List keys with access works
_, err = a.ListKeys("root", 0)
_, err = a.ListKeys("root", false, 0)
if err != nil {
t.Fatalf("err: %s", err)
}

View File

@ -136,7 +136,7 @@ func (s *HTTPServer) KeyringInstall(resp http.ResponseWriter, req *http.Request,
// KeyringList is used to list the keys installed in the cluster
func (s *HTTPServer) KeyringList(resp http.ResponseWriter, req *http.Request, args *keyringArgs) (interface{}, error) {
responses, err := s.agent.ListKeys(args.Token, args.RelayFactor)
responses, err := s.agent.ListKeys(args.Token, args.LocalOnly, args.RelayFactor)
if err != nil {
return nil, err
}

View File

@ -95,7 +95,7 @@ func TestOperator_KeyringInstall(t *testing.T) {
t.Fatalf("err: %s", err)
}
listResponse, err := a.ListKeys("", 0)
listResponse, err := a.ListKeys("", false, 0)
if err != nil {
t.Fatalf("err: %s", err)
}
@ -161,6 +161,44 @@ func TestOperator_KeyringList(t *testing.T) {
t.Fatalf("bad: %v", ok)
}
}
func TestOperator_KeyringListLocalOnly(t *testing.T) {
t.Parallel()
key := "H3/9gBxcKKRf45CaI2DlRg=="
a := NewTestAgent(t, `
encrypt = "`+key+`"
`)
defer a.Shutdown()
req, _ := http.NewRequest("GET", "/v1/operator/keyring?local-only=1", nil)
resp := httptest.NewRecorder()
r, err := a.srv.OperatorKeyringEndpoint(resp, req)
if err != nil {
t.Fatalf("err: %v", err)
}
responses, ok := r.([]*structs.KeyringResponse)
if !ok {
t.Fatalf("err: %v", !ok)
}
// Check that we only get a LAN response with the original key
if len(responses) != 1 {
for _, r := range responses {
fmt.Println(r)
}
t.Fatalf("bad: %d", len(responses))
}
// LAN
if len(responses[0].Keys) != 1 {
t.Fatalf("bad: %d", len(responses[1].Keys))
}
if responses[0].WAN {
t.Fatalf("bad: %v", responses[1].WAN)
}
if _, ok := responses[0].Keys[key]; !ok {
t.Fatalf("bad: %v", ok)
}
}
func TestOperator_KeyringRemove(t *testing.T) {
t.Parallel()
@ -177,7 +215,7 @@ func TestOperator_KeyringRemove(t *testing.T) {
}
// Make sure the temp key is installed
list, err := a.ListKeys("", 0)
list, err := a.ListKeys("", false, 0)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -202,7 +240,7 @@ func TestOperator_KeyringRemove(t *testing.T) {
}
// Make sure the temp key has been removed
list, err = a.ListKeys("", 0)
list, err = a.ListKeys("", false, 0)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -246,7 +284,7 @@ func TestOperator_KeyringUse(t *testing.T) {
}
// Make sure only the new key remains
list, err := a.ListKeys("", 0)
list, err := a.ListKeys("", false, 0)
if err != nil {
t.Fatalf("err: %v", err)
}