From 665551a1826a5a0384c53593a4a96095496ad53f Mon Sep 17 00:00:00 2001
From: Ryan Uber
Date: Tue, 7 Jul 2015 10:30:34 -0600
Subject: [PATCH] agent: read-level keyring ACLs work
---
 command/agent/keyring.go | 3 ++-
 command/agent/rpc.go | 8 +++++---
 command/agent/rpc_client.go | 3 ++-
 command/keyring.go | 15 +++++++++------
 4 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/command/agent/keyring.go b/command/agent/keyring.go
index 07bd19b0c..4d4499196 100644
--- a/command/agent/keyring.go
+++ b/command/agent/keyring.go
@@ -121,8 +121,9 @@ func (a *Agent) keyringProcess(args *structs.KeyringRequest) (*structs.KeyringRe
 // ListKeys lists out all keys installed on the collective Consul cluster. This
 // includes both servers and clients in all DC's.
-func (a *Agent) ListKeys() (*structs.KeyringResponses, error) {
+func (a *Agent) ListKeys(token string) (*structs.KeyringResponses, error) {
 args := structs.KeyringRequest{Operation: structs.KeyringList}
+ args.Token = token
 return a.keyringProcess(&args)
 }
diff --git a/command/agent/rpc.go b/command/agent/rpc.go
index 56d9bc7a3..0e64549a3 100644
--- a/command/agent/rpc.go
+++ b/command/agent/rpc.go
@@ -78,6 +78,7 @@ var msgpackHandle = &codec.MsgpackHandle{
 type requestHeader struct {
 Command string
 Seq uint64
+ Token string
 }
 // Response header is sent before each response
@@ -365,6 +366,7 @@ func (i *AgentRPC) handleRequest(client *rpcClient, reqHeader *requestHeader) er
 // Look for a command field
 command := reqHeader.Command
 seq := reqHeader.Seq
+ token := reqHeader.Token
 // Ensure the handshake is performed before other commands
 if command != handshakeCommand && client.version == 0 {
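Review bot: The doc comment on Agent.ListKeys still describes the zero-argument version; the new token parameter is undocumented, and nothing in the hunk shows what an empty token means (the -token help text in command/keyring.go says it "defaults to that of the agent", which would have to happen in keyringProcess or further down, neither of which is visible here). I would extend the comment with `// token is the ACL token attached to the request; it is passed through unchanged, so any fallback to the agent's own token must happen below this layer — confirm.` Note also that InstallKey/UseKey/RemoveKey, called from rpc.go, take no token, so after this commit only the list path carries an ACL identity, as the subject line says.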
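Review bot: `Token` is added to requestHeader without a comment, and because requestHeader is the header decoded for every agent RPC command, an ACL secret now travels in a struct that handleRequest receives for all commands, not just the keyring ones. Document it as `Token string // ACL token for the command, if any; a secret — keep it out of logs and error strings` and check that nothing on the request path formats the whole header with %v/%+v. Older clients omit the field, which the msgpack codec should decode as the empty string; that is the intended default but worth stating in the comment. handleRequest starts and ends outside the hunk.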
@@ -406,7 +408,7 @@ func (i *AgentRPC) handleRequest(client *rpcClient, reqHeader *requestHeader) er
 return i.handleReload(client, seq)
 case installKeyCommand, useKeyCommand, removeKeyCommand, listKeysCommand:
- return i.handleKeyring(client, seq, command)
+ return i.handleKeyring(client, seq, command, token)
 default:
 respHeader := responseHeader{Seq: seq, Error: unsupportedCommand}
@@ -618,7 +620,7 @@ func (i *AgentRPC) handleReload(client *rpcClient, seq uint64) error {
 return client.Send(&resp, nil)
 }
-func (i *AgentRPC) handleKeyring(client *rpcClient, seq uint64, cmd string) error {
+func (i *AgentRPC) handleKeyring(client *rpcClient, seq uint64, cmd, token string) error {
 var req keyringRequest
 var queryResp *structs.KeyringResponses
 var r keyringResponse
@@ -632,7 +634,7 @@ func (i *AgentRPC) handleKeyring(client *rpcClient, seq uint64, cmd string) erro
 switch cmd {
 case listKeysCommand:
- queryResp, err = i.agent.ListKeys()
+ queryResp, err = i.agent.ListKeys(token)
 case installKeyCommand:
 queryResp, err = i.agent.InstallKey(req.Key)
 case useKeyCommand:
diff --git a/command/agent/rpc_client.go b/command/agent/rpc_client.go
index cbc9689cf..4bcf4a4b8 100644
--- a/command/agent/rpc_client.go
+++ b/command/agent/rpc_client.go
@@ -188,10 +188,11 @@ func (c *RPCClient) WANMembers() ([]Member, error) {
 return resp.Members, err
 }
-func (c *RPCClient) ListKeys() (keyringResponse, error) {
+func (c *RPCClient) ListKeys(token string) (keyringResponse, error) {
 header := requestHeader{
 Command: listKeysCommand,
 Seq: c.getSeq(),
+ Token: token,
 }
 var resp keyringResponse
 err := c.genericRPC(&header, nil, &resp)
diff --git a/command/keyring.go b/command/keyring.go
index ee072b879..50645230f 100644
--- a/command/keyring.go
+++ b/command/keyring.go
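Review bot: In the @@ -632 hunk only the listKeysCommand case forwards token; installKeyCommand still calls the agent without it, and the use/remove cases that follow outside the hunk presumably do the same, so a token that reaches handleKeyring is silently dropped for every operation except list even though the parameter is now accepted for all of them. Write-level support is explicitly out of scope for this commit, so make that visible rather than implicit: add `// TODO: install/use/remove do not forward token yet (read-level ACLs only)` above the switch so the new parameter is not mistaken for full coverage. The switch and the rest of handleKeyring continue beyond the hunk.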
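Review bot: RPCClient.ListKeys is exported and gains a parameter but still has no doc comment, and nothing in the patch states whether an empty token is meaningful to callers. Suggest `// ListKeys asks the agent for every installed encryption key. token is the ACL token placed in the request header; "" sends an empty token.` Whether an empty value is then replaced by the agent's configured token is not shown in this diff, so the comment should not promise it.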
@@ -16,7 +16,7 @@ type KeyringCommand struct {
 }
 func (c *KeyringCommand) Run(args []string) int {
- var installKey, useKey, removeKey string
+ var installKey, useKey, removeKey, token string
 var listKeys bool
 cmdFlags := flag.NewFlagSet("keys", flag.ContinueOnError)
@@ -26,6 +26,7 @@ func (c *KeyringCommand) Run(args []string) int {
 cmdFlags.StringVar(&useKey, "use", "", "use key")
 cmdFlags.StringVar(&removeKey, "remove", "", "remove key")
 cmdFlags.BoolVar(&listKeys, "list", false, "list keys")
+ cmdFlags.StringVar(&token, "token", "", "acl token")
 rpcAddr := RPCAddrFlag(cmdFlags)
 if err := cmdFlags.Parse(args); err != nil {
@@ -65,7 +66,7 @@ func (c *KeyringCommand) Run(args []string) int {
 if listKeys {
 c.Ui.Info("Gathering installed encryption keys...")
- r, err := client.ListKeys()
+ r, err := client.ListKeys(token)
 if err != nil {
 c.Ui.Error(fmt.Sprintf("error: %s", err))
 return 1
@@ -199,13 +200,15 @@ Options: -install= Install a new encryption key. This will broadcast the new key to all members in the cluster. - -use= Change the primary encryption key, which is used to - encrypt messages. The key must already be installed - before this operation can succeed. + -list List all keys currently in use within the cluster. -remove= Remove the given key from the cluster. This operation may only be performed on keys which are not currently the primary key. - -list List all keys currently in use within the cluster. + -token="" ACL token to use during requests. Defaults to that + of the agent. + -use= Change the primary encryption key, which is used to + encrypt messages. The key must already be installed + before this operation can succeed. -rpc-addr=127.0.0.1:8400 RPC address of the Consul agent. ` return strings.TrimSpace(helpText)
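Review bot: The `-token` flag added in the @@ -26 hunk takes the ACL secret as a command-line argument, so it ends up in shell history and is visible in process listings for as long as the command runs; the help text added in the @@ -199 hunk does not mention this. Consider falling back to an environment variable when the flag is empty (this patch names none, so pick one consistent with the project's existing variables) and say so in the help, and expand the flag's usage string from `"acl token"` to `"ACL token to use during requests"` so it matches the long help. The help also says the token is used "during requests" generally, but in this patch only the -list path passes it to the client, so either qualify that sentence or note it in the help until the other operations forward the token too.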