Add unlock key rotation

Aaron Lehmann · Aaron Lehmann · commit a6030a50c95c · 2016-11-09T16:09:01.000-08:00
Signed-off-by: Aaron Lehmann &lt;aaron.lehmann@docker.com&gt;
diff --git a/api/server/router/swarm/cluster_routes.go b/api/server/router/swarm/cluster_routes.go
@@ -87,6 +87,15 @@ func (sr *swarmRouter) updateCluster(ctx context.Context, w http.ResponseWriter,
 		flags.RotateManagerToken = rot
 	}
 
+	if value := r.URL.Query().Get("rotateManagerUnlockKey"); value != "" {
+		rot, err := strconv.ParseBool(value)
+		if err != nil {
+			return fmt.Errorf("invalid value for rotateManagerUnlockKey: %s", value)
+		}
+
+		flags.RotateManagerUnlockKey = rot
+	}
+
 	if err := sr.backend.Update(version, swarm, flags); err != nil {
 		logrus.Errorf("Error configuring swarm: %v", err)
 		return err
diff --git a/cli/command/swarm/unlock_key.go b/cli/command/swarm/unlock_key.go
@@ -5,6 +5,7 @@ import (
 
 	"github.com/spf13/cobra"
 
+	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/cli"
 	"github.com/docker/docker/cli/command"
 	"github.com/pkg/errors"
@@ -23,14 +24,35 @@ func newUnlockKeyCommand(dockerCli *command.DockerCli) *cobra.Command {
 			ctx := context.Background()
 
 			if rotate {
-				// FIXME(aaronl)
+				flags := swarm.UpdateFlags{RotateManagerUnlockKey: true}
+
+				swarm, err := client.SwarmInspect(ctx)
+				if err != nil {
+					return err
+				}
+
+				if !swarm.Spec.EncryptionConfig.AutoLockManagers {
+					return errors.New("cannot rotate because autolock is not turned on")
+				}
+
+				err = client.SwarmUpdate(ctx, swarm.Version, swarm.Spec, flags)
+				if err != nil {
+					return err
+				}
+				if !quiet {
+					fmt.Fprintf(dockerCli.Out(), "Successfully rotated manager unlock key.\n\n")
+				}
 			}
 
 			unlockKeyResp, err := client.SwarmGetUnlockKey(ctx)
 			if err != nil {
 				return errors.Wrap(err, "could not fetch unlock key")
 			}
 
+			if unlockKeyResp.UnlockKey == "" {
+				return errors.New("no unlock key is set")
+			}
+
 			if quiet {
 				fmt.Fprintln(dockerCli.Out(), unlockKeyResp.UnlockKey)
 			} else {
diff --git a/client/swarm_update.go b/client/swarm_update.go
@@ -15,6 +15,7 @@ func (cli *Client) SwarmUpdate(ctx context.Context, version swarm.Version, swarm
 	query.Set("version", strconv.FormatUint(version.Index, 10))
 	query.Set("rotateWorkerToken", fmt.Sprintf("%v", flags.RotateWorkerToken))
 	query.Set("rotateManagerToken", fmt.Sprintf("%v", flags.RotateManagerToken))
+	query.Set("rotateManagerUnlockKey", fmt.Sprintf("%v", flags.RotateManagerUnlockKey))
 	resp, err := cli.post(ctx, "/swarm/update", query, swarm, nil)
 	ensureReaderClosed(resp)
 	return err
diff --git a/daemon/cluster/cluster.go b/daemon/cluster/cluster.go
@@ -558,6 +558,11 @@ func (c *Cluster) GetUnlockKey() (string, error) {
 		return "", err
 	}
 
+	if len(r.UnlockKey) == 0 {
+		// no key
+		return "", nil
+	}
+
 	return encryption.HumanReadableKey(r.UnlockKey), nil
 }
 

Original file line number	Diff line number	Diff line change
`@@ -558,6 +558,11 @@ func (c *Cluster) GetUnlockKey() (string, error) {`
`558`	`558`	`return "", err`
`559`	`559`	`}`
`560`	`560`
	`561`	`+ if len(r.UnlockKey) == 0 {`
	`562`	`+ // no key`
	`563`	`+ return "", nil`
	`564`	`+ }`
	`565`	`+`
`561`	`566`	`return encryption.HumanReadableKey(r.UnlockKey), nil`
`562`	`567`	`}`
`563`	`568`