author | Zuul <zuul@review.opendev.org> | 2020-12-05 02:14:46 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2020-12-05 02:14:46 +0000 |
commit | 2f0d236440b6816ae2e50ae10192777fcf4117dd (patch) | |
tree | b9c8b494792130e60ad640f4d7dffbd34defe5d5 | |
parent | 25c40ac16fafc92c4cf79202120239c31fbd592c (diff) | |
parent | ae7a6acc86365bc00e4328e230809afdb7493f9f (diff) | |
download | cinder-2f0d236440b6816ae2e50ae10192777fcf4117dd.tar.gz |
Merge "Fix volume rekey during clone" into stable/ussuri16.2.1
-rw-r--r-- | cinder/tests/unit/volume/test_volume.py | 45 | ||||
-rw-r--r-- | cinder/volume/flows/manager/create_volume.py | 2 | ||||
-rw-r--r-- | releasenotes/notes/bug-1904440-clone-rekey-fd57a2b5f6224e0f.yaml | 8 |
3 files changed, 54 insertions, 1 deletions
diff --git a/cinder/tests/unit/volume/test_volume.py b/cinder/tests/unit/volume/test_volume.py index a0c888573..d1517278c 100644 --- a/cinder/tests/unit/volume/test_volume.py +++ b/cinder/tests/unit/volume/test_volume.py @@ -21,6 +21,7 @@ import time from unittest import mock import uuid +import castellan from castellan.common import exception as castellan_exception from castellan import key_manager import ddt @@ -89,6 +90,16 @@ def create_snapshot(volume_id, size=1, metadata=None, ctxt=None, return snap +class KeyObject(object): + def get_encoded(arg): + return "asdf".encode('utf-8') + + +class KeyObject2(object): + def get_encoded(arg): + return "qwert".encode('utf-8') + + @ddt.ddt class VolumeTestCase(base.BaseVolumeTestCase): 
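Review bot: In the two helper classes added above `VolumeTestCase`, `get_encoded(arg)` names its instance parameter `arg`, which reads like an ordinary argument; `def get_encoded(self):` is the conventional spelling and behaves the same. `KeyObject` and `KeyObject2` differ only in the bytes they return, so a single fake that takes the payload in its constructor would remove the duplication. Neither class has a docstring; one line such as `"""Minimal fake key exposing get_encoded() for the rekey test."""` would tell readers these are test stand-ins rather than real castellan key types.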
@@ -1763,6 +1774,40 @@ class VolumeTestCase(base.BaseVolumeTestCase): mock_at.assert_called() mock_det.assert_called() + @mock.patch('cinder.db.sqlalchemy.api.volume_encryption_metadata_get') + def test_setup_encryption_keys(self, mock_enc_metadata_get): + key_mgr = fake_keymgr.fake_api() + self.mock_object(castellan.key_manager, 'API', return_value=key_mgr) + key_id = key_mgr.store(self.context, KeyObject()) + key2_id = key_mgr.store(self.context, KeyObject2()) + + params = {'status': 'creating', + 'size': 1, + 'host': CONF.host, + 'encryption_key_id': key_id} + vol = tests_utils.create_volume(self.context, **params) + + self.volume.create_volume(self.context, vol) + db.volume_update(self.context, + vol['id'], + {'encryption_key_id': key_id}) + + mock_enc_metadata_get.return_value = {'cipher': 'aes-xts-plain64', + 'key_size': 256, + 'provider': 'luks'} + ctxt = context.get_admin_context() + + enc_info = {'encryption_key_id': key_id} + with mock.patch('cinder.volume.volume_utils.create_encryption_key', + return_value=key2_id): + r = cinder.volume.flows.manager.create_volume.\ + CreateVolumeFromSpecTask._setup_encryption_keys(ctxt, + vol, + enc_info) + (source_pass, new_pass, new_key_id) = r + self.assertNotEqual(source_pass, new_pass) + self.assertEqual(new_key_id, key2_id) + @mock.patch.object(key_manager, 'API', fake_keymgr.fake_api) def test_create_volume_from_snapshot_with_encryption(self): """Test volume can be created from a snapshot of an encrypted volume""" diff --git a/cinder/volume/flows/manager/create_volume.py b/cinder/volume/flows/manager/create_volume.py index 27cd40bd6..721c6c4e5 100644 --- a/cinder/volume/flows/manager/create_volume.py +++ b/cinder/volume/flows/manager/create_volume.py 
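Review bot: The assertions at the end of `test_setup_encryption_keys` check that `new_pass` differs from `source_pass`, but not that it is the passphrase derived from the key behind `new_key_id`, so any unrelated value would still pass. Pinning the expected value, e.g. `self.assertEqual(binascii.hexlify(b'qwert').decode('utf-8'), new_pass)` (assuming `binascii` is importable in this test module, which the hunk does not show), ties the passphrase to `KeyObject2` and guards the exact regression being fixed. The test also lacks a docstring, unlike the neighbouring `test_create_volume_from_snapshot_with_encryption`; something like `"""Test that a clone is rekeyed with the passphrase of the newly created key."""` would help. The `db.volume_update` call sets the same `encryption_key_id` already passed in `params`, which looks redundant unless `create_volume` changes it, so a short comment explaining it is worth adding.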
@@ -498,7 +498,7 @@ class CreateVolumeFromSpecTask(flow_utils.CinderTask): new_key_id = volume_utils.create_encryption_key(context, keymgr, volume.volume_type_id) - new_key = keymgr.get(context, encryption['encryption_key_id']) + new_key = keymgr.get(context, new_key_id) new_pass = binascii.hexlify(new_key.get_encoded()).decode('utf-8') return (source_pass, new_pass, new_key_id) diff --git a/releasenotes/notes/bug-1904440-clone-rekey-fd57a2b5f6224e0f.yaml b/releasenotes/notes/bug-1904440-clone-rekey-fd57a2b5f6224e0f.yaml new file mode 100644 index 000000000..b24017874 --- /dev/null +++ b/releasenotes/notes/bug-1904440-clone-rekey-fd57a2b5f6224e0f.yaml @@ -0,0 +1,8 @@ +--- +fixes: + - | + `Bug #1904440 <https://bugs.launchpad.net/cinder/+bug/1904440>`_: + When an iSCSI/FC encrypted volume was cloned, the rekey operation would + stamp the wrong encryption key on the newly cloned volume. This resulted + in a volume that could not be attached. It does not present a security + problem. |
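Review bot: In cinder/volume/flows/manager/create_volume.py, the corrected `keymgr.get(context, new_key_id)` line carries no comment, and the two key ids are easy to confuse again because `encryption['encryption_key_id']` is still in scope. A comment such as `# Fetch the key just created for the clone; new_pass must match new_key_id or the volume cannot be unlocked.` would record the invariant. Separately, if this `keymgr.get` raises after `create_encryption_key` has succeeded, the new key appears to be left in the key manager with no volume referencing it; whether a caller cleans it up is not visible in this hunk, so that is worth confirming. The enclosing method starts above the hunk, so how `source_pass` is obtained is not shown here.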