From 1a8fd84979882f0013e1ca059364d0cd6f61c27a Mon Sep 17 00:00:00 2001 From: Niraj Yadav Date: Tue, 25 Jun 2024 18:13:26 +0530 Subject: [PATCH] Fix typos and misc refactors Signed-off-by: Niraj Yadav --- internal/rbd/encryption.go | 65 +++++++++++++++++++++++++++++++++++++ internal/rbd/rbd_util.go | 65 ------------------------------------- internal/util/crypto.go | 2 +- internal/util/cryptsetup.go | 2 +- internal/util/file.go | 16 +++++---- 5 files changed, 77 insertions(+), 73 deletions(-) diff --git a/internal/rbd/encryption.go b/internal/rbd/encryption.go index 11cd4e7e4bc..f9f9aae9dec 100644 --- a/internal/rbd/encryption.go +++ b/internal/rbd/encryption.go @@ -442,3 +442,68 @@ func (ri *rbdImage) RemoveDEK(ctx context.Context, volumeID string) error { func GetEncryptionPassphraseSize() int { return encryptionPassphraseSize } + +// RotateKey processes the key rotation for the RBD Volume +func (rv *rbdVolume) RotateEncryptionKey(ctx context.Context) error { + if !rv.isBlockEncrypted() { + return fmt.Errorf("key rotation not supported for the encryption type") + } + + // Verify that the underlying device has been setup for encryption + currState, err := rv.checkRbdImageEncrypted(ctx) + if err != nil { + return fmt.Errorf("error: %v while checking encrpytion state", err) + } + + if currState != rbdImageEncrypted { + return fmt.Errorf("key rotation not supported for unencrypted device") + } + + // Get the device path for the underlying image + useNbd := rv.Mounter == rbdNbdMounter && hasNBD + devicePath, found := waitForPath(ctx, rv.Pool, rv.RadosNamespace, rv.RbdImageName, 1, useNbd) + if !found { + return fmt.Errorf("unable to get the device path for the image") + } + + // Step 1: Get the current passphrase + oldPassphrase, err := rv.blockEncryption.GetCryptoPassphrase(ctx, rv.VolID) + if err != nil { + return fmt.Errorf("error in fetching the current passphrase: %v", err) + } + + // Step 2: Add current key to slot 1 + err = util.LuksAddKey(devicePath, oldPassphrase, oldPassphrase, "1") + if err != nil { + return fmt.Errorf("error in adding curr key to slot 1: %v", err) + } + + // Step 3: Generate new key and add it to slot 0 + newPassphrase, err := rv.blockEncryption.GetNewCryptoPassphrase( + GetEncryptionPassphraseSize()) + if err != nil { + return fmt.Errorf("error in generating a new passphrase: %v", err) + } + + err = util.LuksAddKey(devicePath, oldPassphrase, newPassphrase, "0") + if err != nil { + return fmt.Errorf("error in adding the new key to slot 0: %v", err) + } + + // Step 4: Add the new key to KMS + err = rv.blockEncryption.StoreCryptoPassphrase(ctx, rv.VolID, newPassphrase) + if err != nil { + return fmt.Errorf("failed to update the new key into the KMS: %v", err) + } + + // Step 5: Remove the old key from slot 1 + // We use the newPassphrase to authenticate LUKS here + err = util.LuksRemoveKey(devicePath, newPassphrase, "1") + if err != nil { + // FIXME: Discuss if we should return an error here + return nil + } + + // Return error accordingly. + return nil +} diff --git a/internal/rbd/rbd_util.go b/internal/rbd/rbd_util.go index c178714a6da..ee955d7458b 100644 --- a/internal/rbd/rbd_util.go +++ b/internal/rbd/rbd_util.go @@ -2158,68 +2158,3 @@ func (rv *rbdVolume) unsetAllMetadata(keys []string) error { return nil } - -// RotateKey processes the key rotation for the RBD Volume -func (rv *rbdVolume) RotateEncryptionKey(ctx context.Context) error { - if !rv.isBlockEncrypted() { - return fmt.Errorf("key rotation not supported for the encryption type") - } - - // Verify that the underlying device has been setup for encryption - currState, err := rv.checkRbdImageEncrypted(ctx) - if err != nil { - return fmt.Errorf("error: %v while checking encrpytion state", err) - } - - if currState != rbdImageEncrypted { - return fmt.Errorf("key rotation not supported for unencrypted device") - } - - // Get the device path for the underlying image - useNbd := rv.Mounter == rbdNbdMounter && hasNBD - devicePath, found := waitForPath(ctx, rv.Pool, rv.RadosNamespace, rv.RbdImageName, 1, useNbd) - if !found { - return fmt.Errorf("unable to get the device path for the image") - } - - // Step 1: Get the current passphrase - oldPassphrase, err := rv.blockEncryption.GetCryptoPassphrase(ctx, rv.VolID) - if err != nil { - return fmt.Errorf("error in fetching the current passphrase: %v", err) - } - - // Step 2: Add current key to slot 1 - err = util.LuksAddKey(devicePath, oldPassphrase, oldPassphrase, "1") - if err != nil { - return fmt.Errorf("error in adding curr key to slot 1: %v", err) - } - - // Step 3: Generate new key and add it to slot 0 - newPassphrase, err := rv.blockEncryption.GetNewCryptoPassphrase( - GetEncryptionPassphraseSize()) - if err != nil { - return fmt.Errorf("error in generating a new passphrase: %v", err) - } - - err = util.LuksAddKey(devicePath, oldPassphrase, newPassphrase, "0") - if err != nil { - return fmt.Errorf("error in adding the new key to slot 0: %v", err) - } - - // Step 4: Add the new key to KMS - err = rv.blockEncryption.StoreCryptoPassphrase(ctx, rv.VolID, newPassphrase) - if err != nil { - return fmt.Errorf("failed to update the new key into the KMS: %v", err) - } - - // Step 5: Remove the old key from slot 1 - // We use the newPassphrase to autheticate LUKS here - err = util.LuksRemoveKey(devicePath, newPassphrase, "1") - if err != nil { - // FIXME: Discuss if we should return an error here - return nil - } - - // Return error accordingly. - return nil -} diff --git a/internal/util/crypto.go b/internal/util/crypto.go index 59bf914f28c..00762239ba5 100644 --- a/internal/util/crypto.go +++ b/internal/util/crypto.go @@ -237,7 +237,7 @@ func (ve *VolumeEncryption) GetCryptoPassphrase(ctx context.Context, volumeID st return ve.KMS.DecryptDEK(ctx, volumeID, passphrase) } -// GetNewCryptoPassphrase return a random passphrase of given length +// GetNewCryptoPassphrase returns a random passphrase of given length func (ve *VolumeEncryption) GetNewCryptoPassphrase(length int) (string, error) { return generateNewEncryptionPassphrase(length) } diff --git a/internal/util/cryptsetup.go b/internal/util/cryptsetup.go index 9611a851efa..83a64724913 100644 --- a/internal/util/cryptsetup.go +++ b/internal/util/cryptsetup.go @@ -132,7 +132,7 @@ func LuksAddKey(devicePath, passphrase, newPassphrase, slot string) error { return nil } - // The exisitng passphrase is wrong and the slot is empty + // The existing passphrase is wrong and the slot is empty return err } diff --git a/internal/util/file.go b/internal/util/file.go index e57c30b9ec2..142944c8769 100644 --- a/internal/util/file.go +++ b/internal/util/file.go @@ -16,17 +16,20 @@ limitations under the License. package util -import "os" +import ( + "fmt" + "os" +) // CreateTempFile create a temporary file with the given string // content and returns the reference to the file. // The caller is responsible for disposing the file. -func CreateTempFile(content string) (*os.File, error) { +func CreateTempFile(contents string) (*os.File, error) { // Create a temp file // FIXME: Discuss location and prefix.. file, err := os.CreateTemp("", "") if err != nil { - return nil, err + return nil, fmt.Errorf("failed to create temporary file: %w", err) } // In case of error, remove the file if it was created @@ -37,13 +40,14 @@ func CreateTempFile(content string) (*os.File, error) { }() // Write the contents - if _, err = file.WriteString(content); err != nil { - return nil, err + c, err := file.WriteString(contents) + if err != nil || c != len(contents) { + return nil, fmt.Errorf("failed to write temporary file: %w", err) } // Close the handle if err = file.Close(); err != nil { - return nil, err + return nil, fmt.Errorf("failed to close temporary file: %w", err) } return file, nil