agent: read-level keyring ACLs work

2015-07-07 10:30:34 -06:00 · 2015-07-07 10:30:34 -06:00 · 665551a182
parent 4ef6545583
commit 665551a182
4 changed files with 18 additions and 11 deletions
--- a/command/agent/keyring.go
+++ b/command/agent/keyring.go
@ -121,8 +121,9 @@ func (a *Agent) keyringProcess(args *structs.KeyringRequest) (*structs.KeyringRe

 // ListKeys lists out all keys installed on the collective Consul cluster. This
 // includes both servers and clients in all DC's.
-func (a *Agent) ListKeys() (*structs.KeyringResponses, error) {
+func (a *Agent) ListKeys(token string) (*structs.KeyringResponses, error) {
 	args := structs.KeyringRequest{Operation: structs.KeyringList}
+	args.Token = token
 	return a.keyringProcess(&args)
 }

--- a/command/agent/rpc.go
+++ b/command/agent/rpc.go
@ -78,6 +78,7 @@ var msgpackHandle = &codec.MsgpackHandle{
 type requestHeader struct {
 	Command string
 	Seq     uint64
+	Token   string
 }

 // Response header is sent before each response
@ -365,6 +366,7 @@ func (i *AgentRPC) handleRequest(client *rpcClient, reqHeader *requestHeader) er
 	// Look for a command field
 	command := reqHeader.Command
 	seq := reqHeader.Seq
+	token := reqHeader.Token

 	// Ensure the handshake is performed before other commands
 	if command != handshakeCommand && client.version == 0 {
@ -406,7 +408,7 @@ func (i *AgentRPC) handleRequest(client *rpcClient, reqHeader *requestHeader) er
 		return i.handleReload(client, seq)

 	case installKeyCommand, useKeyCommand, removeKeyCommand, listKeysCommand:
-		return i.handleKeyring(client, seq, command)
+		return i.handleKeyring(client, seq, command, token)

 	default:
 		respHeader := responseHeader{Seq: seq, Error: unsupportedCommand}
@ -618,7 +620,7 @@ func (i *AgentRPC) handleReload(client *rpcClient, seq uint64) error {
 	return client.Send(&resp, nil)
 }

-func (i *AgentRPC) handleKeyring(client *rpcClient, seq uint64, cmd string) error {
+func (i *AgentRPC) handleKeyring(client *rpcClient, seq uint64, cmd, token string) error {
 	var req keyringRequest
 	var queryResp *structs.KeyringResponses
 	var r keyringResponse
@ -632,7 +634,7 @@ func (i *AgentRPC) handleKeyring(client *rpcClient, seq uint64, cmd string) erro

 	switch cmd {
 	case listKeysCommand:
-		queryResp, err = i.agent.ListKeys()
+		queryResp, err = i.agent.ListKeys(token)
 	case installKeyCommand:
 		queryResp, err = i.agent.InstallKey(req.Key)
 	case useKeyCommand:
--- a/command/agent/rpc_client.go
+++ b/command/agent/rpc_client.go
@ -188,10 +188,11 @@ func (c *RPCClient) WANMembers() ([]Member, error) {
 	return resp.Members, err
 }

-func (c *RPCClient) ListKeys() (keyringResponse, error) {
+func (c *RPCClient) ListKeys(token string) (keyringResponse, error) {
 	header := requestHeader{
 		Command: listKeysCommand,
 		Seq:     c.getSeq(),
+		Token:   token,
 	}
 	var resp keyringResponse
 	err := c.genericRPC(&header, nil, &resp)
--- a/command/keyring.go
+++ b/command/keyring.go
@ -16,7 +16,7 @@ type KeyringCommand struct {
 }

 func (c *KeyringCommand) Run(args []string) int {
-	var installKey, useKey, removeKey string
+	var installKey, useKey, removeKey, token string
 	var listKeys bool

 	cmdFlags := flag.NewFlagSet("keys", flag.ContinueOnError)
@ -26,6 +26,7 @@ func (c *KeyringCommand) Run(args []string) int {
 	cmdFlags.StringVar(&useKey, "use", "", "use key")
 	cmdFlags.StringVar(&removeKey, "remove", "", "remove key")
 	cmdFlags.BoolVar(&listKeys, "list", false, "list keys")
+	cmdFlags.StringVar(&token, "token", "", "acl token")

 	rpcAddr := RPCAddrFlag(cmdFlags)
 	if err := cmdFlags.Parse(args); err != nil {
@ -65,7 +66,7 @@ func (c *KeyringCommand) Run(args []string) int {

 	if listKeys {
 		c.Ui.Info("Gathering installed encryption keys...")
-		r, err := client.ListKeys()
+		r, err := client.ListKeys(token)
 		if err != nil {
 			c.Ui.Error(fmt.Sprintf("error: %s", err))
 			return 1
@ -199,13 +200,15 @@ Options:

  -install=<key>            Install a new encryption key. This will broadcast
                            the new key to all members in the cluster.
-  -use=<key>                Change the primary encryption key, which is used to
-                            encrypt messages. The key must already be installed
-                            before this operation can succeed.
+  -list                     List all keys currently in use within the cluster.
  -remove=<key>             Remove the given key from the cluster. This
                            operation may only be performed on keys which are
                            not currently the primary key.
-  -list                     List all keys currently in use within the cluster.
+  -token=""                 ACL token to use during requests. Defaults to that
+                            of the agent.
+  -use=<key>                Change the primary encryption key, which is used to
+                            encrypt messages. The key must already be installed
+                            before this operation can succeed.
  -rpc-addr=127.0.0.1:8400  RPC address of the Consul agent.
 `
 	return strings.TrimSpace(helpText)