cephfs: return ErrBadAuth during keyFn retry

fscrypt retries the keyFn indefinitely on an authentication failure,
which prevents the CSI driver from progressing when it is configured
with an invalid passphrase.

See also:
8c12cd64ab/actions/callback.go (L102-L106)

Signed-off-by: Michael Fritch <mfritch@suse.com>
Michael Fritch 2024-02-26 14:08:00 -07:00 committed by mergify[bot]
parent b8ab1c8bd8
commit 2368df7e69


@ -58,6 +58,11 @@ var policyV2Support = []util.KernelVersion{
}, },
} }
// error values
var (
ErrBadAuth = errors.New("key authentication check failed")
)
func AppendEncyptedSubdirectory(dir string) string { func AppendEncyptedSubdirectory(dir string) string {
return path.Join(dir, FscryptSubdir) return path.Join(dir, FscryptSubdir)
} }
@ -97,6 +102,10 @@ func createKeyFuncFromVolumeEncryption(
volID string, volID string,
) (func(fscryptactions.ProtectorInfo, bool) (*fscryptcrypto.Key, error), error) { ) (func(fscryptactions.ProtectorInfo, bool) (*fscryptcrypto.Key, error), error) {
keyFunc := func(info fscryptactions.ProtectorInfo, retry bool) (*fscryptcrypto.Key, error) { keyFunc := func(info fscryptactions.ProtectorInfo, retry bool) (*fscryptcrypto.Key, error) {
if retry {
return nil, ErrBadAuth
}
passphrase, err := getPassphrase(ctx, encryption, volID) passphrase, err := getPassphrase(ctx, encryption, volID)
if err != nil { if err != nil {
return nil, err return nil, err
@ -375,7 +384,7 @@ func Unlock(
return err return err
} }
// A proper set up fscrypy directory requires metadata and a kernel policy: // A proper set up fscrypt directory requires metadata and a kernel policy:
// 1. Do we have a metadata directory (.fscrypt) set up? // 1. Do we have a metadata directory (.fscrypt) set up?
metadataDirExists := false metadataDirExists := false