From 07261db64d4097940b877a8b10b38009f230cf84 Mon Sep 17 00:00:00 2001
From: Hans Hasselberg
Date: Mon, 10 Aug 2020 22:24:15 +0200
Subject: [PATCH] thread local-only through the layers
$ consul keyring -list -local-only
==> Gathering installed encryption keys...
dc1 (LAN):
  aUlAW4ST3+vwseI61so24CoORkyjZofcmHk+j7QPSYQ= [1/1]
---
 agent/keyring.go | 4 +-
 agent/keyring_test.go | 4 +-
 agent/operator_endpoint.go | 2 +-
 agent/operator_endpoint_test.go | 46 ++++++++++++++++++++++++++++++---
 4 files changed, 47 insertions(+), 9 deletions(-)
diff --git a/agent/keyring.go b/agent/keyring.go
index 10817f5bd5..48c1ebc0ba 100644
--- a/agent/keyring.go
+++ b/agent/keyring.go
@@ -146,8 +146,8 @@ func ValidateLocalOnly(local bool, list bool) error {
 // ListKeys lists out all keys installed on the collective Consul cluster. This
 // includes both servers and clients in all DC's.
-func (a *Agent) ListKeys(token string, relayFactor uint8) (*structs.KeyringResponses, error) {
-	args := structs.KeyringRequest{Operation: structs.KeyringList}
+func (a *Agent) ListKeys(token string, localOnly bool, relayFactor uint8) (*structs.KeyringResponses, error) {
+	args := structs.KeyringRequest{Operation: structs.KeyringList, LocalOnly: localOnly}
 	parseKeyringRequest(&args, token, relayFactor)
 	return a.keyringProcess(&args)
 }
diff --git a/agent/keyring_test.go b/agent/keyring_test.go
index be30704546..2b160d4f78 100644
--- a/agent/keyring_test.go
+++ b/agent/keyring_test.go
@@ -280,13 +280,13 @@ func TestAgentKeyring_ACL(t *testing.T) {
 	defer a.Shutdown()
 	// List keys without access fails
-	_, err := a.ListKeys("", 0)
+	_, err := a.ListKeys("", false, 0)
 	if err == nil || !strings.Contains(err.Error(), "denied") {
 		t.Fatalf("expected denied error, got: %#v", err)
 	}
 	// List keys with access works
-	_, err = a.ListKeys("root", 0)
+	_, err = a.ListKeys("root", false, 0)
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
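Review bot: The doc comment above ListKeys in agent/keyring.go still promises keys from "both servers and clients in all DC's", which the new localOnly parameter contradicts whenever it is set, and the comment is the only place a caller learns what the flag narrows the listing to. The new TestOperator_KeyringListLocalOnly expects a single non-WAN response when local-only is requested, so something like `// includes both servers and clients in all DC's, unless localOnly is set, in` / `// which case only the local datacenter's LAN keyring is listed.` would keep the comment honest. ValidateLocalOnly appears in the hunk header but is not called from ListKeys; if callers are expected to run it before reaching this method, say so in the comment so the contract is visible at the API boundary.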
diff --git a/agent/operator_endpoint.go b/agent/operator_endpoint.go
index fb3c3a7316..badcae55fc 100644
--- a/agent/operator_endpoint.go
+++ b/agent/operator_endpoint.go
@@ -136,7 +136,7 @@ func (s *HTTPServer) KeyringInstall(resp http.ResponseWriter, req *http.Request,
 // KeyringList is used to list the keys installed in the cluster
 func (s *HTTPServer) KeyringList(resp http.ResponseWriter, req *http.Request, args *keyringArgs) (interface{}, error) {
-	responses, err := s.agent.ListKeys(args.Token, args.RelayFactor)
+	responses, err := s.agent.ListKeys(args.Token, args.LocalOnly, args.RelayFactor)
 	if err != nil {
 		return nil, err
 	}
diff --git a/agent/operator_endpoint_test.go b/agent/operator_endpoint_test.go
index 71f69634bc..b435410d7a 100644
--- a/agent/operator_endpoint_test.go
+++ b/agent/operator_endpoint_test.go
@@ -95,7 +95,7 @@ func TestOperator_KeyringInstall(t *testing.T) {
 		t.Fatalf("err: %s", err)
 	}
-	listResponse, err := a.ListKeys("", 0)
+	listResponse, err := a.ListKeys("", false, 0)
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
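Review bot: KeyringList's comment in agent/operator_endpoint.go gives no hint that args.LocalOnly now changes the shape of the response, so a reader of the handler has to trace into the agent to learn that the local-only query parameter drops the remote-datacenter and WAN entries; suggest `// KeyringList is used to list the keys installed in the cluster. When args.LocalOnly` / `// is set only the local datacenter's keyring is returned.` Whether the parsed query value is checked with ValidateLocalOnly (declared in agent/keyring.go) presumably happens where keyringArgs is built, which is outside this diff, so I cannot confirm it; if it is not, `if err := ValidateLocalOnly(args.LocalOnly, true); err != nil { return nil, err }` at the top of the handler would make the check visible here. The body of KeyringList continues past the end of the hunk.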
@@ -161,6 +161,44 @@ func TestOperator_KeyringList(t *testing.T) {
 		t.Fatalf("bad: %v", ok)
 	}
 }
+func TestOperator_KeyringListLocalOnly(t *testing.T) {
+	t.Parallel()
+	key := "H3/9gBxcKKRf45CaI2DlRg=="
+	a := NewTestAgent(t, `
+		encrypt = "`+key+`"
+	`)
+	defer a.Shutdown()
+
+	req, _ := http.NewRequest("GET", "/v1/operator/keyring?local-only=1", nil)
+	resp := httptest.NewRecorder()
+	r, err := a.srv.OperatorKeyringEndpoint(resp, req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	responses, ok := r.([]*structs.KeyringResponse)
+	if !ok {
+		t.Fatalf("err: %v", !ok)
+	}
+
+	// Check that we only get a LAN response with the original key
+	if len(responses) != 1 {
+		for _, r := range responses {
+			fmt.Println(r)
+		}
+		t.Fatalf("bad: %d", len(responses))
+	}
+
+	// LAN
+	if len(responses[0].Keys) != 1 {
+		t.Fatalf("bad: %d", len(responses[1].Keys))
+	}
+	if responses[0].WAN {
+		t.Fatalf("bad: %v", responses[1].WAN)
+	}
+	if _, ok := responses[0].Keys[key]; !ok {
+		t.Fatalf("bad: %v", ok)
+	}
+}
 func TestOperator_KeyringRemove(t *testing.T) {
 	t.Parallel()
@@ -177,7 +215,7 @@ func TestOperator_KeyringRemove(t *testing.T) {
 	}
 	// Make sure the temp key is installed
-	list, err := a.ListKeys("", 0)
+	list, err := a.ListKeys("", false, 0)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -202,7 +240,7 @@ func TestOperator_KeyringRemove(t *testing.T) {
 	}
 	// Make sure the temp key has been removed
-	list, err = a.ListKeys("", 0)
+	list, err = a.ListKeys("", false, 0)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -246,7 +284,7 @@ func TestOperator_KeyringUse(t *testing.T) {
 	}
 	// Make sure only the new key remains
-	list, err := a.ListKeys("", 0)
+	list, err := a.ListKeys("", false, 0)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
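Review bot: In TestOperator_KeyringListLocalOnly the two failure messages under `// LAN` index `responses[1]`, but the test has just asserted that `len(responses)` is exactly 1, so a failing check would panic with an index out of range instead of reporting the bad value; both should read index 0: `t.Fatalf("bad: %d", len(responses[0].Keys))` and `t.Fatalf("bad: %v", responses[0].WAN)`. The type-assertion failure `t.Fatalf("err: %v", !ok)` always prints `true`; `t.Fatalf("unexpected response type %T", r)` would say what actually came back. The `fmt.Println(r)` loop in the length check writes to stdout outside the test framework, so the output is not attached to the failing test when run in parallel; `t.Logf("%v", r)` keeps it with the failure.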