feature: change encryption keys

client/const.go

@@ -21,6 +21,10 @@ const (
 	stopCommand            = "stop"
 	monitorCommand         = "monitor"
 	leaveCommand           = "leave"
+	installKeyCommand      = "install-key"
+	useKeyCommand          = "use-key"
+	removeKeyCommand       = "remove-key"
+	listKeysCommand        = "list-keys"
 	tagsCommand            = "tags"
 	queryCommand           = "query"
 	respondCommand         = "respond"
@@ -95,6 +99,18 @@ type membersResponse struct {
 	Members []Member
 }
 
+type keyRequest struct {
+	Key string
+}
+
+type keyResponse struct {
+	Messages map[string]string
+	Keys     map[string]int
+	NumNodes int
+	NumErr   int
+	NumResp  int
+}
+
 type monitorRequest struct {
 	LogLevel string
 }

client/rpc_client.go

@@ -166,7 +166,7 @@ func ClientFromConfig(c *Config) (*RPCClient, error) {
 type StreamHandle uint64
 
 func (c *RPCClient) IsClosed() bool {
-	return c.shutdown;
+	return c.shutdown
 }
 
 // Close is used to free any resources associated with the client
@@ -292,6 +292,67 @@ func (c *RPCClient) Respond(id uint64, buf []byte) error {
 	return c.genericRPC(&header, &req, nil)
 }
 
+// IntallKey installs a new encryption key onto the keyring
+func (c *RPCClient) InstallKey(key string) (map[string]string, error) {
+	header := requestHeader{
+		Command: installKeyCommand,
+		Seq:     c.getSeq(),
+	}
+	req := keyRequest{
+		Key: key,
+	}
+
+	resp := keyResponse{}
+	err := c.genericRPC(&header, &req, &resp)
+
+	return resp.Messages, err
+}
+
+// UseKey changes the primary encryption key on the keyring
+func (c *RPCClient) UseKey(key string) (map[string]string, error) {
+	header := requestHeader{
+		Command: useKeyCommand,
+		Seq:     c.getSeq(),
+	}
+	req := keyRequest{
+		Key: key,
+	}
+
+	resp := keyResponse{}
+	err := c.genericRPC(&header, &req, &resp)
+
+	return resp.Messages, err
+}
+
+// RemoveKey changes the primary encryption key on the keyring
+func (c *RPCClient) RemoveKey(key string) (map[string]string, error) {
+	header := requestHeader{
+		Command: removeKeyCommand,
+		Seq:     c.getSeq(),
+	}
+	req := keyRequest{
+		Key: key,
+	}
+
+	resp := keyResponse{}
+	err := c.genericRPC(&header, &req, &resp)
+
+	return resp.Messages, err
+}
+
+// ListKeys returns all of the active keys on each member of the cluster
+func (c *RPCClient) ListKeys() (map[string]int, int, error) {
+	header := requestHeader{
+		Command: listKeysCommand,
+		Seq:     c.getSeq(),
+	}
+
+	resp := keyResponse{}
+	err := c.genericRPC(&header, nil, &resp)
+
+	return resp.Keys, resp.NumNodes, err
+}
+
 type monitorHandler struct {
 	client *RPCClient
 	closed bool

command/agent/agent.go

@@ -1,8 +1,10 @@
 package agent
 
 import (
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"github.com/hashicorp/memberlist"
 	"github.com/hashicorp/serf/serf"
 	"io"
 	"io/ioutil"
@@ -73,6 +75,13 @@ func Create(agentConf *Config, conf *serf.Config, logOutput io.Writer) (*Agent,
 		}
 	}
 
+	// Load in a keyring file if provided
+	if agentConf.KeyringFile != "" {
+		if err := agent.loadKeyringFile(agentConf.KeyringFile); err != nil {
+			return nil, err
+		}
+	}
+
 	return agent, nil
 }
 
@@ -237,6 +246,34 @@ func (a *Agent) eventLoop() {
 	}
 }
 
+// InstallKey initiates a query to install a new key on all members
+func (a *Agent) InstallKey(key string) (*serf.KeyResponse, error) {
+	a.logger.Print("[INFO] agent: Initiating key installation")
+	manager := a.serf.KeyManager()
+	return manager.InstallKey(key)
+}
+
+// UseKey sends a query instructing all members to switch primary keys
+func (a *Agent) UseKey(key string) (*serf.KeyResponse, error) {
+	a.logger.Print("[INFO] agent: Initiating primary key change")
+	manager := a.serf.KeyManager()
+	return manager.UseKey(key)
+}
+
+// RemoveKey sends a query to all members to remove a key from the keyring
+func (a *Agent) RemoveKey(key string) (*serf.KeyResponse, error) {
+	a.logger.Print("[INFO] agent: Initiating key removal")
+	manager := a.serf.KeyManager()
+	return manager.RemoveKey(key)
+}
+
+// ListKeys sends a query to all members to return a list of their keys
+func (a *Agent) ListKeys() (*serf.KeyResponse, error) {
+	a.logger.Print("[INFO] agent: Initiating key listing")
+	manager := a.serf.KeyManager()
+	return manager.ListKeys()
+}
+
 // SetTags is used to update the tags. The agent will make sure to
 // persist tags if necessary before gossiping to the cluster.
 func (a *Agent) SetTags(tags map[string]string) error {
@@ -315,3 +352,49 @@ func UnmarshalTags(tags []string) (map[string]string, error) {
 	}
 	return result, nil
 }
+
+// loadKeyringFile will load a keyring out of a file
+func (a *Agent) loadKeyringFile(keyringFile string) error {
+	// Avoid passing an encryption key and a keyring file at the same time
+	if len(a.agentConf.EncryptKey) > 0 {
+		return fmt.Errorf("Encryption key not allowed while using a keyring")
+	}
+
+	if _, err := os.Stat(keyringFile); err != nil {
+		return err
+	}
+
+	// Read in the keyring file data
+	keyringData, err := ioutil.ReadFile(keyringFile)
+	if err != nil {
+		return fmt.Errorf("Failed to read keyring file: %s", err)
+	}
+
+	// Decode keyring JSON
+	keys := make([]string, 0)
+	if err := json.Unmarshal(keyringData, &keys); err != nil {
+		return fmt.Errorf("Failed to decode keyring file: %s", err)
+	}
+
+	// Decode base64 values
+	keysDecoded := make([][]byte, len(keys))
+	for i, key := range keys {
+		keyBytes, err := base64.StdEncoding.DecodeString(key)
+		if err != nil {
+			return fmt.Errorf("Failed to decode key from keyring: %s", err)
+		}
+		keysDecoded[i] = keyBytes
+	}
+
+	// Create the keyring
+	keyring, err := memberlist.NewKeyring(keysDecoded, keysDecoded[0])
+	if err != nil {
+		return fmt.Errorf("Failed to restore keyring: %s", err)
+	}
+	a.conf.MemberlistConfig.Keyring = keyring
+	a.logger.Printf("[INFO] agent: Restored keyring with %d keys from %s",
+		len(keys), keyringFile)
+
+	// Success!
+	return nil
+}

command/agent/agent_test.go

@@ -1,6 +1,7 @@
 package agent
 
 import (
+	"encoding/json"
 	"github.com/hashicorp/serf/serf"
 	"github.com/hashicorp/serf/testutil"
 	"io/ioutil"
@@ -221,3 +222,57 @@ func TestAgent_UnmarshalTagsError(t *testing.T) {
 		}
 	}
 }
+
+func TestAgentKeyringFile(t *testing.T) {
+	keys := []string{
+		"enjTwAFRe4IE71bOFhirzQ==",
+		"csT9mxI7aTf9ap3HLBbdmA==",
+		"noha2tVc0OyD/2LtCBoAOQ==",
+	}
+
+	td, err := ioutil.TempDir("", "serf")
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	defer os.RemoveAll(td)
+
+	keyringFile := filepath.Join(td, "keyring.json")
+
+	serfConfig := serf.DefaultConfig()
+	agentConfig := DefaultConfig()
+	agentConfig.KeyringFile = keyringFile
+
+	encodedKeys, err := json.Marshal(keys)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	if err := ioutil.WriteFile(keyringFile, encodedKeys, 0600); err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	a1 := testAgentWithConfig(agentConfig, serfConfig, nil)
+
+	if err := a1.Start(); err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	defer a1.Shutdown()
+
+	testutil.Yield()
+
+	totalLoadedKeys := len(serfConfig.MemberlistConfig.Keyring.GetKeys())
+	if totalLoadedKeys != 3 {
+		t.Fatalf("Expected to load 3 keys but got %d", totalLoadedKeys)
+	}
+}
+
+func TestAgentKeyringFile_BadOptions(t *testing.T) {
+	agentConfig := DefaultConfig()
+	agentConfig.KeyringFile = "/some/path"
+	agentConfig.EncryptKey = "pL4owv4IE1x+ZXCyd5vLLg=="
+
+	_, err := Create(agentConfig, serf.DefaultConfig(), nil)
+	if err == nil || !strings.Contains(err.Error(), "not allowed") {
+		t.Fatalf("err: %s", err)
+	}
+}

command/agent/command.go

@@ -48,6 +48,7 @@ func (c *Command) readConfig() *Config {
 	cmdFlags.Var((*AppendSliceValue)(&configFiles), "config-dir",
 		"directory of json files to read")
 	cmdFlags.StringVar(&cmdConfig.EncryptKey, "encrypt", "", "encryption key")
+	cmdFlags.StringVar(&cmdConfig.KeyringFile, "keyring-file", "", "path to the keyring file")
 	cmdFlags.Var((*AppendSliceValue)(&cmdConfig.EventHandlers), "event-handler",
 		"command to execute when events occur")
 	cmdFlags.Var((*AppendSliceValue)(&cmdConfig.StartJoin), "join",
@@ -249,6 +250,9 @@ func (c *Command) setupAgent(config *Config, logOutput io.Writer) *Agent {
 		serfConfig.TombstoneTimeout = config.TombstoneTimeout
 	}
 	serfConfig.EnableNameConflictResolution = !config.DisableNameResolution
+	if config.KeyringFile != "" {
+		serfConfig.KeyringFile = config.KeyringFile
+	}
 
 	// Start Serf
 	c.Ui.Output("Starting Serf agent...")
@@ -345,7 +349,7 @@ func (c *Command) startAgent(config *Config, agent *Agent,
 	}
 
 	c.Ui.Info(fmt.Sprintf("      RPC addr: '%s'", config.RPCAddr))
-	c.Ui.Info(fmt.Sprintf("     Encrypted: %#v", config.EncryptKey != ""))
+	c.Ui.Info(fmt.Sprintf("     Encrypted: %#v", agent.serf.EncryptionEnabled()))
 	c.Ui.Info(fmt.Sprintf("      Snapshot: %v", config.SnapshotPath != ""))
 	c.Ui.Info(fmt.Sprintf("       Profile: %s", config.Profile))
 
@@ -551,6 +555,10 @@ Options:
                            peers join each other without an explicit join.
   -encrypt=foo             Key for encrypting network traffic within Serf.
                            Must be a base64-encoded 16-byte key.
+  -keyring-file            The keyring file is used to store encryption keys used
+                           by Serf. As encryption keys are changed, the content of
+                           this file is updated so that the same keys may be used
+                           during later agent starts.
   -event-handler=foo       Script to execute when events occur. This can
                            be specified multiple times. See the event scripts
                            section below for more info.

command/agent/config.go

@@ -73,6 +73,10 @@ type Config struct {
 	// traffic will not be encrypted.
 	EncryptKey string `mapstructure:"encrypt_key"`
 
+	// KeyringFile is the path to a file containing a serialized keyring.
+	// The keyring is used to facilitate encryption.
+	KeyringFile string `mapstructure:"keyring_file"`
+
 	// LogLevel is the level of the logs to output.
 	// This can be updated during a reload.
 	LogLevel string `mapstructure:"log_level"`
@@ -216,8 +220,8 @@ func DecodeConfig(r io.Reader) (*Config, error) {
 	var md mapstructure.Metadata
 	var result Config
 	msdec, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
-		Metadata: &md,
-		Result:   &result,
+		Metadata:    &md,
+		Result:      &result,
 		ErrorUnused: true,
 	})
 	if err != nil {
@@ -344,6 +348,9 @@ func MergeConfig(a, b *Config) *Config {
 	if b.TagsFile != "" {
 		result.TagsFile = b.TagsFile
 	}
+	if b.KeyringFile != "" {
+		result.KeyringFile = b.KeyringFile
+	}
 
 	// Copy the event handlers
 	result.EventHandlers = make([]string, 0, len(a.EventHandlers)+len(b.EventHandlers))