215 lines
5.7 KiB
Go
215 lines
5.7 KiB
Go
package command
|
|
|
|
import (
|
|
"flag"
|
|
"fmt"
|
|
"strings"
|
|
|
|
"github.com/mitchellh/cli"
|
|
"github.com/ryanuber/columnize"
|
|
)
|
|
|
|
// KeysCommand is a Command implementation that handles querying, installing,
|
|
// and removing gossip encryption keys from a keyring.
|
|
type KeysCommand struct {
|
|
Ui cli.Ui
|
|
}
|
|
|
|
func (c *KeysCommand) Run(args []string) int {
|
|
var installKey, useKey, removeKey string
|
|
var listKeys, wan bool
|
|
|
|
cmdFlags := flag.NewFlagSet("keys", flag.ContinueOnError)
|
|
cmdFlags.Usage = func() { c.Ui.Output(c.Help()) }
|
|
|
|
cmdFlags.StringVar(&installKey, "install", "", "install key")
|
|
cmdFlags.StringVar(&useKey, "use", "", "use key")
|
|
cmdFlags.StringVar(&removeKey, "remove", "", "remove key")
|
|
cmdFlags.BoolVar(&listKeys, "list", false, "list keys")
|
|
cmdFlags.BoolVar(&wan, "wan", false, "operate on wan keys")
|
|
|
|
rpcAddr := RPCAddrFlag(cmdFlags)
|
|
if err := cmdFlags.Parse(args); err != nil {
|
|
return 1
|
|
}
|
|
|
|
c.Ui = &cli.PrefixedUi{
|
|
OutputPrefix: "",
|
|
InfoPrefix: "==> ",
|
|
ErrorPrefix: "",
|
|
Ui: c.Ui,
|
|
}
|
|
|
|
var out []string
|
|
var failures map[string]string
|
|
var err error
|
|
|
|
// Only accept a single argument
|
|
found := listKeys
|
|
for _, arg := range []string{installKey, useKey, removeKey} {
|
|
if found && len(arg) > 0 {
|
|
c.Ui.Error("Only one of -list, -install, -use, or -remove allowed")
|
|
return 1
|
|
}
|
|
found = found || len(arg) > 0
|
|
}
|
|
|
|
// Fail fast if no actionable args were passed
|
|
if !found {
|
|
c.Ui.Error(c.Help())
|
|
return 1
|
|
}
|
|
|
|
client, err := RPCClient(*rpcAddr)
|
|
if err != nil {
|
|
c.Ui.Error(fmt.Sprintf("Error connecting to Consul agent: %s", err))
|
|
return 1
|
|
}
|
|
defer client.Close()
|
|
|
|
if listKeys {
|
|
var keys map[string]int
|
|
var numNodes int
|
|
|
|
if wan {
|
|
c.Ui.Info("Asking all WAN members for installed keys...")
|
|
keys, numNodes, failures, err = client.ListKeysWAN()
|
|
} else {
|
|
c.Ui.Info("Asking all LAN members for installed keys...")
|
|
keys, numNodes, failures, err = client.ListKeysLAN()
|
|
}
|
|
|
|
if err != nil {
|
|
if len(failures) > 0 {
|
|
for node, msg := range failures {
|
|
out = append(out, fmt.Sprintf("failed: %s | %s", node, msg))
|
|
}
|
|
c.Ui.Error(columnize.SimpleFormat(out))
|
|
}
|
|
c.Ui.Error("")
|
|
c.Ui.Error(fmt.Sprintf("Failed gathering member keys: %s", err))
|
|
return 1
|
|
}
|
|
|
|
c.Ui.Info("Keys gathered, listing cluster keys...")
|
|
c.Ui.Output("")
|
|
|
|
for key, num := range keys {
|
|
out = append(out, fmt.Sprintf("%s | [%d/%d]", key, num, numNodes))
|
|
}
|
|
c.Ui.Output(columnize.SimpleFormat(out))
|
|
|
|
return 0
|
|
}
|
|
|
|
if installKey != "" {
|
|
if wan {
|
|
c.Ui.Info("Installing new WAN gossip encryption key...")
|
|
failures, err = client.InstallKeyWAN(installKey)
|
|
} else {
|
|
c.Ui.Info("Installing new LAN gossip encryption key...")
|
|
failures, err = client.InstallKeyLAN(installKey)
|
|
}
|
|
|
|
if err != nil {
|
|
if len(failures) > 0 {
|
|
for node, msg := range failures {
|
|
out = append(out, fmt.Sprintf("failed: %s | %s", node, msg))
|
|
}
|
|
c.Ui.Error(columnize.SimpleFormat(out))
|
|
}
|
|
c.Ui.Error("")
|
|
c.Ui.Error(fmt.Sprintf("Error installing key: %s", err))
|
|
return 1
|
|
}
|
|
|
|
c.Ui.Info("Successfully installed key!")
|
|
return 0
|
|
}
|
|
|
|
if useKey != "" {
|
|
if wan {
|
|
c.Ui.Info("Changing primary encryption key on WAN members...")
|
|
failures, err = client.UseKeyWAN(useKey)
|
|
} else {
|
|
c.Ui.Info("Changing primary encryption key on LAN members...")
|
|
failures, err = client.UseKeyLAN(useKey)
|
|
}
|
|
|
|
if err != nil {
|
|
if len(failures) > 0 {
|
|
for node, msg := range failures {
|
|
out = append(out, fmt.Sprintf("failed: %s | %s", node, msg))
|
|
}
|
|
c.Ui.Error(columnize.SimpleFormat(out))
|
|
}
|
|
c.Ui.Error("")
|
|
c.Ui.Error(fmt.Sprintf("Error changing primary key: %s", err))
|
|
return 1
|
|
}
|
|
|
|
c.Ui.Info("Successfully changed primary key!")
|
|
return 0
|
|
}
|
|
|
|
if removeKey != "" {
|
|
if wan {
|
|
c.Ui.Info("Removing key from WAN members...")
|
|
failures, err = client.RemoveKeyWAN(removeKey)
|
|
} else {
|
|
c.Ui.Info("Removing key from LAN members...")
|
|
failures, err = client.RemoveKeyLAN(removeKey)
|
|
}
|
|
|
|
if err != nil {
|
|
if len(failures) > 0 {
|
|
for node, msg := range failures {
|
|
out = append(out, fmt.Sprintf("failed: %s | %s", node, msg))
|
|
}
|
|
c.Ui.Error(columnize.SimpleFormat(out))
|
|
}
|
|
c.Ui.Error("")
|
|
c.Ui.Error(fmt.Sprintf("Error removing key: %s", err))
|
|
return 1
|
|
}
|
|
|
|
c.Ui.Info("Successfully removed key!")
|
|
return 0
|
|
}
|
|
|
|
// Should never make it here
|
|
return 0
|
|
}
|
|
|
|
func (c *KeysCommand) Help() string {
|
|
helpText := `
|
|
Usage: consul keys [options]
|
|
|
|
Manages encryption keys used for gossip messages. Gossip encryption is
|
|
optional. When enabled, this command may be used to examine active encryption
|
|
keys in the cluster, add new keys, and remove old ones. When combined, this
|
|
functionality provides the ability to perform key rotation cluster-wide,
|
|
without disrupting the cluster.
|
|
|
|
Options:
|
|
|
|
-install=<key> Install a new encryption key. This will broadcast
|
|
the new key to all members in the cluster.
|
|
-use=<key> Change the primary encryption key, which is used to
|
|
encrypt messages. The key must already be installed
|
|
before this operation can succeed.
|
|
-remove=<key> Remove the given key from the cluster. This
|
|
operation may only be performed on keys which are
|
|
not currently the primary key.
|
|
-list List all keys currently in use within the cluster.
|
|
-wan If talking with a server node, this flag can be used
|
|
to operate on the WAN gossip layer.
|
|
-rpc-addr=127.0.0.1:8400 RPC address of the Consul agent.
|
|
`
|
|
return strings.TrimSpace(helpText)
|
|
}
|
|
|
|
func (c *KeysCommand) Synopsis() string {
|
|
return "Manages gossip layer encryption keys"
|
|
}
|