mirror of https://github.com/hashicorp/consul
thread local-only through the layers
$ consul keyring -list -local-only ==> Gathering installed encryption keys... dc1 (LAN): aUlAW4ST3+vwseI61so24CoORkyjZofcmHk+j7QPSYQ= [1/1]pull/8471/head
parent
8bea00d974
commit
07261db64d
|
@ -146,8 +146,8 @@ func ValidateLocalOnly(local bool, list bool) error {
|
||||||
|
|
||||||
// ListKeys lists out all keys installed on the collective Consul cluster. This
|
// ListKeys lists out all keys installed on the collective Consul cluster. This
|
||||||
// includes both servers and clients in all DC's.
|
// includes both servers and clients in all DC's.
|
||||||
func (a *Agent) ListKeys(token string, relayFactor uint8) (*structs.KeyringResponses, error) {
|
func (a *Agent) ListKeys(token string, localOnly bool, relayFactor uint8) (*structs.KeyringResponses, error) {
|
||||||
args := structs.KeyringRequest{Operation: structs.KeyringList}
|
args := structs.KeyringRequest{Operation: structs.KeyringList, LocalOnly: localOnly}
|
||||||
parseKeyringRequest(&args, token, relayFactor)
|
parseKeyringRequest(&args, token, relayFactor)
|
||||||
return a.keyringProcess(&args)
|
return a.keyringProcess(&args)
|
||||||
}
|
}
|
||||||
|
|
|
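Review bot: The doc comment on ListKeys still says it lists keys on "the collective Consul cluster" including "servers and clients in all DC's", which is no longer accurate when the new `localOnly` argument is set; the comment on KeyringList in the HTTP layer ("installed in the cluster") is stale in the same way. Because the return value describes gossip encryption keys, the comment should state exactly which scope is queried, for example `// ListKeys lists the installed gossip keys. When localOnly is set, only the local keyring is queried; otherwise servers and clients in all DCs are included.` The exact effect of LocalOnly is inferred from the commit message's sample output (a single LAN entry), so confirm the wording against keyringProcess, which is outside this hunk.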
@ -280,13 +280,13 @@ func TestAgentKeyring_ACL(t *testing.T) {
|
||||||
defer a.Shutdown()
|
defer a.Shutdown()
|
||||||
|
|
||||||
// List keys without access fails
|
// List keys without access fails
|
||||||
_, err := a.ListKeys("", 0)
|
_, err := a.ListKeys("", false, 0)
|
||||||
if err == nil || !strings.Contains(err.Error(), "denied") {
|
if err == nil || !strings.Contains(err.Error(), "denied") {
|
||||||
t.Fatalf("expected denied error, got: %#v", err)
|
t.Fatalf("expected denied error, got: %#v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// List keys with access works
|
// List keys with access works
|
||||||
_, err = a.ListKeys("root", 0)
|
_, err = a.ListKeys("root", false, 0)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("err: %s", err)
|
t.Fatalf("err: %s", err)
|
||||||
}
|
}
|
||||||
|
|
|
@ -136,7 +136,7 @@ func (s *HTTPServer) KeyringInstall(resp http.ResponseWriter, req *http.Request,
|
||||||
|
|
||||||
// KeyringList is used to list the keys installed in the cluster
|
// KeyringList is used to list the keys installed in the cluster
|
||||||
func (s *HTTPServer) KeyringList(resp http.ResponseWriter, req *http.Request, args *keyringArgs) (interface{}, error) {
|
func (s *HTTPServer) KeyringList(resp http.ResponseWriter, req *http.Request, args *keyringArgs) (interface{}, error) {
|
||||||
responses, err := s.agent.ListKeys(args.Token, args.RelayFactor)
|
responses, err := s.agent.ListKeys(args.Token, args.LocalOnly, args.RelayFactor)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
|
@ -95,7 +95,7 @@ func TestOperator_KeyringInstall(t *testing.T) {
|
||||||
t.Fatalf("err: %s", err)
|
t.Fatalf("err: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
listResponse, err := a.ListKeys("", 0)
|
listResponse, err := a.ListKeys("", false, 0)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("err: %s", err)
|
t.Fatalf("err: %s", err)
|
||||||
}
|
}
|
||||||
|
@ -161,6 +161,44 @@ func TestOperator_KeyringList(t *testing.T) {
|
||||||
t.Fatalf("bad: %v", ok)
|
t.Fatalf("bad: %v", ok)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
func TestOperator_KeyringListLocalOnly(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
key := "H3/9gBxcKKRf45CaI2DlRg=="
|
||||||
|
a := NewTestAgent(t, `
|
||||||
|
encrypt = "`+key+`"
|
||||||
|
`)
|
||||||
|
defer a.Shutdown()
|
||||||
|
|
||||||
|
req, _ := http.NewRequest("GET", "/v1/operator/keyring?local-only=1", nil)
|
||||||
|
resp := httptest.NewRecorder()
|
||||||
|
r, err := a.srv.OperatorKeyringEndpoint(resp, req)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("err: %v", err)
|
||||||
|
}
|
||||||
|
responses, ok := r.([]*structs.KeyringResponse)
|
||||||
|
if !ok {
|
||||||
|
t.Fatalf("err: %v", !ok)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check that we only get a LAN response with the original key
|
||||||
|
if len(responses) != 1 {
|
||||||
|
for _, r := range responses {
|
||||||
|
fmt.Println(r)
|
||||||
|
}
|
||||||
|
t.Fatalf("bad: %d", len(responses))
|
||||||
|
}
|
||||||
|
|
||||||
|
// LAN
|
||||||
|
if len(responses[0].Keys) != 1 {
|
||||||
|
t.Fatalf("bad: %d", len(responses[1].Keys))
|
||||||
|
}
|
||||||
|
if responses[0].WAN {
|
||||||
|
t.Fatalf("bad: %v", responses[1].WAN)
|
||||||
|
}
|
||||||
|
if _, ok := responses[0].Keys[key]; !ok {
|
||||||
|
t.Fatalf("bad: %v", ok)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func TestOperator_KeyringRemove(t *testing.T) {
|
func TestOperator_KeyringRemove(t *testing.T) {
|
||||||
t.Parallel()
|
t.Parallel()
|
||||||
|
@ -177,7 +215,7 @@ func TestOperator_KeyringRemove(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Make sure the temp key is installed
|
// Make sure the temp key is installed
|
||||||
list, err := a.ListKeys("", 0)
|
list, err := a.ListKeys("", false, 0)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("err: %v", err)
|
t.Fatalf("err: %v", err)
|
||||||
}
|
}
|
||||||
|
@ -202,7 +240,7 @@ func TestOperator_KeyringRemove(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Make sure the temp key has been removed
|
// Make sure the temp key has been removed
|
||||||
list, err = a.ListKeys("", 0)
|
list, err = a.ListKeys("", false, 0)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("err: %v", err)
|
t.Fatalf("err: %v", err)
|
||||||
}
|
}
|
||||||
|
@ -246,7 +284,7 @@ func TestOperator_KeyringUse(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Make sure only the new key remains
|
// Make sure only the new key remains
|
||||||
list, err := a.ListKeys("", 0)
|
list, err := a.ListKeys("", false, 0)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("err: %v", err)
|
t.Fatalf("err: %v", err)
|
||||||
}
|
}
|
||||||
|
|
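Review bot: In TestOperator_KeyringListLocalOnly the two failure messages under `// LAN` index `responses[1]`, but the preceding check has already established `len(responses) == 1`, so a failing assertion would panic with index out of range instead of reporting the mismatch; they should read `t.Fatalf("bad: %d", len(responses[0].Keys))` and `t.Fatalf("bad: %v", responses[0].WAN)`. The error from `http.NewRequest` is discarded with `_`, and the `fmt.Println(r)` loop would be better written as `t.Logf("%v", r)` so the output stays attached to the test. The test exercises only the accepted case; if ValidateLocalOnly (named in the first hunk header, body not visible here) is meant to reject local-only on non-list operations, a request asserting that rejection through the HTTP endpoint would be worth adding.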