From d985dbc36b8184d65e476238e570ea2adfd13cbd Mon Sep 17 00:00:00 2001
From: Kyle Havlovitz
Date: Fri, 14 Jul 2017 17:31:52 -0700
Subject: [PATCH] Add TLS setting to router areas
---
agent/consul/server.go | 2 +-
agent/consul/servers/router.go | 25 ++++++++++++++++++++++++-
agent/consul/servers/router_test.go | 22 +++++++++++-----------
3 files changed, 36 insertions(+), 13 deletions(-)
diff --git a/agent/consul/server.go b/agent/consul/server.go
index 4d8b47855..1d0418cf8 100644
--- a/agent/consul/server.go
+++ b/agent/consul/server.go
@@ -371,7 +371,7 @@ func NewServerLogger(config *Config, logger *log.Logger) (*Server, error) {
 go s.lanEventHandler()
 
 // Add a "static route" to the WAN Serf and hook it up to Serf events.
- if err := s.router.AddArea(types.AreaWAN, s.serfWAN, s.connPool); err != nil {
+ if err := s.router.AddArea(types.AreaWAN, s.serfWAN, s.connPool, s.config.VerifyOutgoing); err != nil {
 s.Shutdown()
 return nil, fmt.Errorf("Failed to add WAN serf route: %v", err)
 }
diff --git a/agent/consul/servers/router.go b/agent/consul/servers/router.go
index 7bf4f2def..315e3a55a 100644
--- a/agent/consul/servers/router.go
+++ b/agent/consul/servers/router.go
@@ -76,6 +76,9 @@ type areaInfo struct {
 // managers maps datacenter names to managers for that datacenter in
 // this area.
 managers map[string]*managerInfo
+
+ // useTLS specifies whether to use TLS to communicate for this network area.
+ useTLS bool
 }
 
 // NewRouter returns a new Router with the given configuration.
@@ -112,7 +115,7 @@ func (r *Router) Shutdown() {
 }
 
 // AddArea registers a new network area with the router.
-func (r *Router) AddArea(areaID types.AreaID, cluster RouterSerfCluster, pinger Pinger) error {
+func (r *Router) AddArea(areaID types.AreaID, cluster RouterSerfCluster, pinger Pinger, useTLS bool) error {
 r.Lock()
 defer r.Unlock()
 
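Review bot: The comment above the `AddArea` call still describes only the static WAN route, so a reader cannot tell why `s.config.VerifyOutgoing` is the value that decides whether the router pings WAN servers over TLS. Suggest extending it to `// Add a "static route" to the WAN Serf and hook it up to Serf events. WAN servers are pinged over TLS whenever outgoing RPC verification is enabled.` Whether VerifyOutgoing is the intended switch, rather than a dedicated WAN TLS setting, cannot be judged from this hunk alone; NewServerLogger starts and ends outside it.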
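Review bot: The doc comment on `AddArea` was not updated for the new `useTLS` parameter, so the exported signature now carries an undocumented flag. Suggest `// AddArea registers a new network area with the router. If useTLS is true, every server discovered in the area is marked with UseTLS so its manager pings it over TLS.` The body of AddArea continues past the end of this hunk.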
@@ -128,6 +131,7 @@ func (r *Router) AddArea(areaID types.AreaID, cluster RouterSerfCluster, pinger
 cluster: cluster,
 pinger: pinger,
 managers: make(map[string]*managerInfo),
+ useTLS: useTLS,
 }
 r.areas[areaID] = area
 
@@ -168,6 +172,19 @@ func (r *Router) removeManagerFromIndex(datacenter string, manager *Manager) {
 panic("managers index out of sync")
 }
 
+// Returns whether TLS is enabled for the given area ID
+func (r *Router) TLSEnabled(areaID types.AreaID) (bool, error) {
+ r.RLock()
+ defer r.RUnlock()
+
+ area, ok := r.areas[areaID]
+ if !ok {
+ return false, fmt.Errorf("area ID %q does not exist", areaID)
+ }
+
+ return area.useTLS, nil
+}
+
 // RemoveArea removes an existing network area from the router.
 func (r *Router) RemoveArea(areaID types.AreaID) error {
 r.Lock()
@@ -207,6 +224,12 @@ func (r *Router) addServer(area *areaInfo, s *agent.Server) error {
 go manager.Start()
 }
 
+ // If TLS is enabled for the area, set it on the server so the manager
+ // knows to use TLS when pinging it.
+ if area.useTLS {
+ s.UseTLS = true
+ }
+
 info.manager.AddServer(s)
 return nil
 }
diff --git a/agent/consul/servers/router_test.go b/agent/consul/servers/router_test.go
index c04785c7d..230031f8a 100644
--- a/agent/consul/servers/router_test.go
+++ b/agent/consul/servers/router_test.go
@@ -105,7 +105,7 @@ func TestRouter_Shutdown(t *testing.T) {
 // Create a WAN-looking area.
 self := "node0.dc0"
 wan := testCluster(self)
- if err := r.AddArea(types.AreaWAN, wan, &fauxConnPool{}); err != nil {
+ if err := r.AddArea(types.AreaWAN, wan, &fauxConnPool{}, false); err != nil {
 t.Fatalf("err: %v", err)
 }
 
@@ -113,7 +113,7 @@ func TestRouter_Shutdown(t *testing.T) {
 otherID := types.AreaID("other")
 other := newMockCluster(self)
 other.AddMember("dcY", "node1", nil)
- if err := r.AddArea(otherID, other, &fauxConnPool{}); err != nil {
+ if err := r.AddArea(otherID, other, &fauxConnPool{}, false); err != nil {
 t.Fatalf("err: %v", err)
 }
 _, _, ok := r.FindRoute("dcY")
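Review bot: The doc comment on the new exported method `TLSEnabled` does not begin with the method name, so godoc and linters will not associate it correctly; change it to `// TLSEnabled returns whether TLS is enabled for the given area ID.` In the `addServer` hunk further down, `s.UseTLS = true` only ever raises the flag and never clears it, which reads as a deliberate no-downgrade rule; a one-line comment such as `// Never clear UseTLS here: a server already marked for TLS must not be downgraded by a non-TLS area.` would make that intent explicit. Since `s` is a pointer, the mutation is also visible to any caller still holding it, which may or may not matter depending on how addServer's callers (outside this hunk) obtain the value.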
@@ -129,7 +129,7 @@ func TestRouter_Shutdown(t *testing.T) {
 }
 
 // You can't add areas once the router is shut down.
- err := r.AddArea(otherID, other, &fauxConnPool{})
+ err := r.AddArea(otherID, other, &fauxConnPool{}, false)
 if err == nil || !strings.Contains(err.Error(), "router is shut down") {
 t.Fatalf("err: %v", err)
 }
@@ -141,7 +141,7 @@ func TestRouter_Routing(t *testing.T) {
 // Create a WAN-looking area.
 self := "node0.dc0"
 wan := testCluster(self)
- if err := r.AddArea(types.AreaWAN, wan, &fauxConnPool{}); err != nil {
+ if err := r.AddArea(types.AreaWAN, wan, &fauxConnPool{}, false); err != nil {
 t.Fatalf("err: %v", err)
 }
 
@@ -170,7 +170,7 @@ func TestRouter_Routing(t *testing.T) {
 other.AddMember("dc0", "node0", nil)
 other.AddMember("dc1", "node1", nil)
 other.AddMember("dcY", "node1", nil)
- if err := r.AddArea(otherID, other, &fauxConnPool{}); err != nil {
+ if err := r.AddArea(otherID, other, &fauxConnPool{}, false); err != nil {
 t.Fatalf("err: %v", err)
 }
 
@@ -275,7 +275,7 @@ func TestRouter_Routing_Offline(t *testing.T) {
 // Create a WAN-looking area.
 self := "node0.dc0"
 wan := testCluster(self)
- if err := r.AddArea(types.AreaWAN, wan, &fauxConnPool{1.0}); err != nil {
+ if err := r.AddArea(types.AreaWAN, wan, &fauxConnPool{1.0}, false); err != nil {
 t.Fatalf("err: %v", err)
 }
 
@@ -329,7 +329,7 @@ func TestRouter_Routing_Offline(t *testing.T) {
 other := newMockCluster(self)
 other.AddMember("dc0", "node0", nil)
 other.AddMember("dc1", "node1", nil)
- if err := r.AddArea(otherID, other, &fauxConnPool{}); err != nil {
+ if err := r.AddArea(otherID, other, &fauxConnPool{}, false); err != nil {
 t.Fatalf("err: %v", err)
 }
 
@@ -354,7 +354,7 @@ func TestRouter_GetDatacenters(t *testing.T) {
 self := "node0.dc0"
 wan := testCluster(self)
 
- if err := r.AddArea(types.AreaWAN, wan, &fauxConnPool{}); err != nil {
+ if err := r.AddArea(types.AreaWAN, wan, &fauxConnPool{}, false); err != nil {
 t.Fatalf("err: %v", err)
 }
 
@@ -386,7 +386,7 @@ func TestRouter_GetDatacentersByDistance(t *testing.T) {
 // Start with just the WAN area described in the diagram above.
 self := "node0.dc0"
 wan := testCluster(self)
- if err := r.AddArea(types.AreaWAN, wan, &fauxConnPool{}); err != nil {
+ if err := r.AddArea(types.AreaWAN, wan, &fauxConnPool{}, false); err != nil {
 t.Fatalf("err: %v", err)
 }
 
@@ -404,7 +404,7 @@ func TestRouter_GetDatacentersByDistance(t *testing.T) {
 other := newMockCluster(self)
 other.AddMember("dc0", "node0", lib.GenerateCoordinate(20*time.Millisecond))
 other.AddMember("dc1", "node1", lib.GenerateCoordinate(21*time.Millisecond))
- if err := r.AddArea(otherID, other, &fauxConnPool{}); err != nil {
+ if err := r.AddArea(otherID, other, &fauxConnPool{}, false); err != nil {
 t.Fatalf("err: %v", err)
 }
 
@@ -423,7 +423,7 @@ func TestRouter_GetDatacenterMaps(t *testing.T) {
 self := "node0.dc0"
 wan := testCluster(self)
 
- if err := r.AddArea(types.AreaWAN, wan, &fauxConnPool{}); err != nil {
+ if err := r.AddArea(types.AreaWAN, wan, &fauxConnPool{}, false); err != nil {
 t.Fatalf("err: %v", err)
 }
 
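Review bot: Every `AddArea` call in this file (all hunks of router_test.go, starting from the first at line 105) now passes `false`, so the `useTLS: true` branch in `addServer` and the new `TLSEnabled` accessor are never exercised. A test that adds an area with `true`, asserts `TLSEnabled` reports true for it and false for a `false` area, and checks that the server handed to the manager carries `UseTLS` set would cover the behaviour the commit introduces; the error path of `TLSEnabled` for an unknown area ID should be asserted too. Each hunk here ends mid-test, so the surrounding test functions continue outside the hunk.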