From f93e810a9bd2eea97295fe35f01e192f27b625c4 Mon Sep 17 00:00:00 2001
From: Aaron Lehmann
Date: Fri, 28 Oct 2016 16:35:49 -0700
Subject: [PATCH] Add unlock key rotation

Signed-off-by: Aaron Lehmann
Upstream-commit: 65e1e166ee8dd6b2afd3d50072ecb0c06d3e2a5c
Component: cli
---
 components/cli/command/swarm/unlock_key.go | 24 +++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/components/cli/command/swarm/unlock_key.go b/components/cli/command/swarm/unlock_key.go
index 19caa0cc2b..96450f55b8 100644
--- a/components/cli/command/swarm/unlock_key.go
+++ b/components/cli/command/swarm/unlock_key.go
@@ -5,6 +5,7 @@ import (

 "github.com/spf13/cobra"

+ "github.com/docker/docker/api/types/swarm"
 "github.com/docker/docker/cli"
 "github.com/docker/docker/cli/command"
 "github.com/pkg/errors"
@@ -23,7 +24,24 @@ func newUnlockKeyCommand(dockerCli *command.DockerCli) *cobra.Command {
 ctx := context.Background()

 if rotate {
- // FIXME(aaronl)
+ flags := swarm.UpdateFlags{RotateManagerUnlockKey: true}
+
+ swarm, err := client.SwarmInspect(ctx)
+ if err != nil {
+ return err
+ }
+
+ if !swarm.Spec.EncryptionConfig.AutoLockManagers {
+ return errors.New("cannot rotate because autolock is not turned on")
+ }
+
+ err = client.SwarmUpdate(ctx, swarm.Version, swarm.Spec, flags)
+ if err != nil {
+ return err
+ }
+ if !quiet {
+ fmt.Fprintf(dockerCli.Out(), "Successfully rotated manager unlock key.\n\n")
+ }
 }

 unlockKeyResp, err := client.SwarmGetUnlockKey(ctx)
@@ -31,6 +49,10 @@ func newUnlockKeyCommand(dockerCli *command.DockerCli) *cobra.Command {
 return errors.Wrap(err, "could not fetch unlock key")
 }

+ if unlockKeyResp.UnlockKey == "" {
+ return errors.New("no unlock key is set")
+ }
+
 if quiet {
 fmt.Fprintln(dockerCli.Out(), unlockKeyResp.UnlockKey)
 } else {
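Review bot: In the `if rotate` branch (second hunk), the errors from `client.SwarmInspect` and `client.SwarmUpdate` are returned bare, whereas the fetch that follows wraps its error with `errors.Wrap(err, "could not fetch unlock key")`. Wrapping them the same way, e.g. `return errors.Wrap(err, "could not rotate unlock key")` on the update, lets an operator tell a failed rotation from a failed fetch after a rotation that did take effect, which matters most under `quiet`, where the success line is not printed. Also, `swarm, err := client.SwarmInspect(ctx)` shadows the `swarm` package imported in the first hunk; it compiles only because `flags` is built on the line before, and a local name such as `sw` would remove that ordering dependency. The enclosing function begins and ends outside the hunk, so `client`, `quiet` and `rotate` are taken as declared there.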