Add keyring http endpoints

api/operator.go

@@ -43,6 +43,26 @@ type RaftConfiguration struct {
 	Index uint64
 }
 
+// keyringRequest is used for performing Keyring operations
+type keyringRequest struct {
+	Key string
+}
+
+// KeyringResponse is returned when listing the gossip encryption keys
+type KeyringResponse struct {
+	// Whether this response is for a WAN ring
+	WAN bool
+
+	// The datacenter name this request corresponds to
+	Datacenter string
+
+	// A map of the encryption keys to the number of nodes they're installed on
+	Keys map[string]int
+
+	// The total number of nodes in this ring
+	NumNodes int
+}
+
 // RaftGetConfiguration is used to query the current Raft peer set.
 func (op *Operator) RaftGetConfiguration(q *QueryOptions) (*RaftConfiguration, error) {
 	r := op.c.newRequest("GET", "/v1/operator/raft/configuration")
@@ -79,3 +99,65 @@ func (op *Operator) RaftRemovePeerByAddress(address string, q *WriteOptions) err
 	resp.Body.Close()
 	return nil
 }
+
+// KeyringInstall is used to install a new gossip encryption key into the cluster
+func (op *Operator) KeyringInstall(key string, q *WriteOptions) error {
+	r := op.c.newRequest("POST", "/v1/operator/keyring")
+	r.setWriteOptions(q)
+	r.obj = keyringRequest{
+		Key: key,
+	}
+	_, resp, err := requireOK(op.c.doRequest(r))
+	if err != nil {
+		return err
+	}
+	resp.Body.Close()
+	return nil
+}
+
+// KeyringList is used to list the gossip keys installed in the cluster
+func (op *Operator) KeyringList(q *QueryOptions) ([]*KeyringResponse, error) {
+	r := op.c.newRequest("GET", "/v1/operator/keyring")
+	r.setQueryOptions(q)
+	_, resp, err := requireOK(op.c.doRequest(r))
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	var out []*KeyringResponse
+	if err := decodeBody(resp, &out); err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// KeyringRemove is used to remove a gossip encryption key from the cluster
+func (op *Operator) KeyringRemove(key string, q *WriteOptions) error {
+	r := op.c.newRequest("DELETE", "/v1/operator/keyring")
+	r.setWriteOptions(q)
+	r.obj = keyringRequest{
+		Key: key,
+	}
+	_, resp, err := requireOK(op.c.doRequest(r))
+	if err != nil {
+		return err
+	}
+	resp.Body.Close()
+	return nil
+}
+
+// KeyringUse is used to change the active gossip encryption key
+func (op *Operator) KeyringUse(key string, q *WriteOptions) error {
+	r := op.c.newRequest("PUT", "/v1/operator/keyring")
+	r.setWriteOptions(q)
+	r.obj = keyringRequest{
+		Key: key,
+	}
+	_, resp, err := requireOK(op.c.doRequest(r))
+	if err != nil {
+		return err
+	}
+	resp.Body.Close()
+	return nil
+}

api/operator_test.go

@@ -3,6 +3,8 @@ package api
 import (
 	"strings"
 	"testing"
+
+	"github.com/hashicorp/consul/testutil"
 )
 
 func TestOperator_RaftGetConfiguration(t *testing.T) {
@@ -36,3 +38,69 @@ func TestOperator_RaftRemovePeerByAddress(t *testing.T) {
 		t.Fatalf("err: %v", err)
 	}
 }
+
+func TestOperator_KeyringInstallListPutRemove(t *testing.T) {
+	oldKey := "d8wu8CSUrqgtjVsvcBPmhQ=="
+	newKey := "qxycTi/SsePj/TZzCBmNXw=="
+	t.Parallel()
+	c, s := makeClientWithConfig(t, nil, func(c *testutil.TestServerConfig) {
+		c.Encrypt = oldKey
+	})
+	defer s.Stop()
+
+	operator := c.Operator()
+	if err := operator.KeyringInstall(newKey, nil); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	listResponses, err := operator.KeyringList(nil)
+	if err != nil {
+		t.Fatalf("err %v", err)
+	}
+
+	// Make sure the new key is installed
+	if len(listResponses) != 2 {
+		t.Fatalf("bad: %v", len(listResponses))
+	}
+	for _, response := range listResponses {
+		if len(response.Keys) != 2 {
+			t.Fatalf("bad: %v", len(response.Keys))
+		}
+		if _, ok := response.Keys[oldKey]; !ok {
+			t.Fatalf("bad: %v", ok)
+		}
+		if _, ok := response.Keys[newKey]; !ok {
+			t.Fatalf("bad: %v", ok)
+		}
+	}
+
+	// Switch the primary to the new key
+	if err := operator.KeyringUse(newKey, nil); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	if err := operator.KeyringRemove(oldKey, nil); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	listResponses, err = operator.KeyringList(nil)
+	if err != nil {
+		t.Fatalf("err %v", err)
+	}
+
+	// Make sure the old key is removed
+	if len(listResponses) != 2 {
+		t.Fatalf("bad: %v", len(listResponses))
+	}
+	for _, response := range listResponses {
+		if len(response.Keys) != 1 {
+			t.Fatalf("bad: %v", len(response.Keys))
+		}
+		if _, ok := response.Keys[oldKey]; ok {
+			t.Fatalf("bad: %v", ok)
+		}
+		if _, ok := response.Keys[newKey]; !ok {
+			t.Fatalf("bad: %v", ok)
+		}
+	}
+}

command/agent/http.go

@@ -291,6 +291,7 @@ func (s *HTTPServer) registerHandlers(enableDebug bool) {
 	s.handleFuncMetrics("/v1/kv/", s.wrap(s.KVSEndpoint))
 	s.handleFuncMetrics("/v1/operator/raft/configuration", s.wrap(s.OperatorRaftConfiguration))
 	s.handleFuncMetrics("/v1/operator/raft/peer", s.wrap(s.OperatorRaftPeer))
+	s.handleFuncMetrics("/v1/operator/keyring", s.wrap(s.OperatorKeyringEndpoint))
 	s.handleFuncMetrics("/v1/query", s.wrap(s.PreparedQueryGeneral))
 	s.handleFuncMetrics("/v1/query/", s.wrap(s.PreparedQuerySpecific))
 	s.handleFuncMetrics("/v1/session/create", s.wrap(s.SessionCreate))

command/agent/operator_endpoint.go

@@ -1,9 +1,11 @@
 package agent
 
 import (
+	"fmt"
 	"net/http"
 
 	"github.com/hashicorp/consul/consul/structs"
+	multierror "github.com/hashicorp/go-multierror"
 	"github.com/hashicorp/raft"
 )
 
@@ -55,3 +57,86 @@ func (s *HTTPServer) OperatorRaftPeer(resp http.ResponseWriter, req *http.Reques
 	}
 	return nil, nil
 }
+
+type keyringArgs struct {
+	Key   string
+	Token string
+}
+
+// OperatorKeyringEndpoint handles keyring operations (install, list, use, remove)
+func (s *HTTPServer) OperatorKeyringEndpoint(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
+	var args keyringArgs
+	if req.Method == "POST" || req.Method == "PUT" || req.Method == "DELETE" {
+		if err := decodeBody(req, &args, nil); err != nil {
+			resp.WriteHeader(400)
+			resp.Write([]byte(fmt.Sprintf("Request decode failed: %v", err)))
+			return nil, nil
+		}
+	}
+	s.parseToken(req, &args.Token)
+
+	// Switch on the method
+	switch req.Method {
+	case "GET":
+		return s.KeyringList(resp, req, &args)
+	case "POST":
+		return s.KeyringInstall(resp, req, &args)
+	case "PUT":
+		return s.KeyringUse(resp, req, &args)
+	case "DELETE":
+		return s.KeyringRemove(resp, req, &args)
+	default:
+		resp.WriteHeader(405)
+		return nil, nil
+	}
+}
+
+// KeyringInstall is used to install a new gossip encryption key into the cluster
+func (s *HTTPServer) KeyringInstall(resp http.ResponseWriter, req *http.Request, args *keyringArgs) (interface{}, error) {
+	responses, err := s.agent.InstallKey(args.Key, args.Token)
+	if err != nil {
+		return nil, err
+	}
+
+	return nil, keyringErrorsOrNil(responses.Responses)
+}
+
+// KeyringList is used to list the keys installed in the cluster
+func (s *HTTPServer) KeyringList(resp http.ResponseWriter, req *http.Request, args *keyringArgs) (interface{}, error) {
+	responses, err := s.agent.ListKeys(args.Token)
+	if err != nil {
+		return nil, err
+	}
+
+	return responses.Responses, keyringErrorsOrNil(responses.Responses)
+}
+
+// KeyringRemove is used to list the keys installed in the cluster
+func (s *HTTPServer) KeyringRemove(resp http.ResponseWriter, req *http.Request, args *keyringArgs) (interface{}, error) {
+	responses, err := s.agent.RemoveKey(args.Key, args.Token)
+	if err != nil {
+		return nil, err
+	}
+
+	return nil, keyringErrorsOrNil(responses.Responses)
+}
+
+// KeyringUse is used to change the primary gossip encryption key
+func (s *HTTPServer) KeyringUse(resp http.ResponseWriter, req *http.Request, args *keyringArgs) (interface{}, error) {
+	responses, err := s.agent.UseKey(args.Key, args.Token)
+	if err != nil {
+		return nil, err
+	}
+
+	return nil, keyringErrorsOrNil(responses.Responses)
+}
+
+func keyringErrorsOrNil(responses []*structs.KeyringResponse) error {
+	var errs error
+	for _, response := range responses {
+		if response.Error != "" {
+			errs = multierror.Append(errs, fmt.Errorf(response.Error))
+		}
+	}
+	return errs
+}