rbd: add EncryptionOptionsLUKS for opening LUKS images

Add EncryptionOptionsLUKS type for opening, but not formatting, existing
LUKS images generically.

Signed-off-by: John Mulligan <[email protected]>

Author: phlogistonjohn

rbd/encryption_opt_luks.go

@@ -0,0 +1,51 @@
+//go:build !octopus && !pacific && !quincy && ceph_preview
+
+package rbd
+
+// #cgo LDFLAGS: -lrbd
+// /* force XSI-complaint strerror_r() */
+// #define _POSIX_C_SOURCE 200112L
+// #undef _GNU_SOURCE
+// #include <stdlib.h>
+// #include <rbd/librbd.h>
+import "C"
+
+import (
+	"unsafe"
+)
+
+// EncryptionOptionsLUKS generic options for either LUKS v1 or v2. May only be
+// used for opening existing images - not valid for the EncryptionFormat call.
+type EncryptionOptionsLUKS struct {
+	Passphrase []byte
+}
+
+func (opts EncryptionOptionsLUKS) allocateEncryptionOptions() cEncryptionData {
+	var cOpts C.rbd_encryption_luks_format_options_t
+	var retData cEncryptionData
+	// CBytes allocates memory. it will be freed when cEncryptionData.free is called
+	cOpts.passphrase = (*C.char)(C.CBytes(opts.Passphrase))
+	cOpts.passphrase_size = C.size_t(len(opts.Passphrase))
+	retData.opts = C.rbd_encryption_options_t(&cOpts)
+	retData.optsSize = C.size_t(C.sizeof_rbd_encryption_luks_format_options_t)
+	retData.free = func() { C.free(unsafe.Pointer(cOpts.passphrase)) }
+	retData.format = C.RBD_ENCRYPTION_FORMAT_LUKS
+	return retData
+}
+
+func (opts EncryptionOptionsLUKS) writeEncryptionSpec(spec *C.rbd_encryption_spec_t) func() {
+	/* only C memory should be attached to spec */
+	cPassphrase := (*C.char)(C.CBytes(opts.Passphrase))
+	cOptsSize := C.size_t(C.sizeof_rbd_encryption_luks_format_options_t)
+	cOpts := (*C.rbd_encryption_luks_format_options_t)(C.malloc(cOptsSize))
+	cOpts.passphrase = cPassphrase
+	cOpts.passphrase_size = C.size_t(len(opts.Passphrase))
+
+	spec.format = C.RBD_ENCRYPTION_FORMAT_LUKS
+	spec.opts = C.rbd_encryption_options_t(cOpts)
+	spec.opts_size = cOptsSize
+	return func() {
+		C.free(unsafe.Pointer(cOpts.passphrase))
+		C.free(unsafe.Pointer(cOpts))
+	}
+}

rbd/encryption_opt_luks_test.go

@@ -0,0 +1,119 @@
+//go:build !octopus && !pacific && !quincy && ceph_preview
+
+package rbd
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestEncryptionOptionsLUKS(t *testing.T) {
+	conn := radosConnect(t)
+	defer conn.Shutdown()
+
+	poolname := GetUUID()
+	err := conn.MakePool(poolname)
+	assert.NoError(t, err)
+	defer conn.DeletePool(poolname)
+
+	ioctx, err := conn.OpenIOContext(poolname)
+	require.NoError(t, err)
+	defer ioctx.Destroy()
+
+	name := GetUUID()
+	testImageSize := uint64(50) * 1024 * 1024
+	options := NewRbdImageOptions()
+	assert.NoError(t,
+		options.SetUint64(ImageOptionOrder, uint64(testImageOrder)))
+	err = CreateImage(ioctx, name, testImageSize, options)
+	assert.NoError(t, err)
+
+	img, err := OpenImage(ioctx, name, NoSnapshot)
+	assert.NoError(t, err)
+
+	encOpts := EncryptionOptionsLUKS2{
+		Alg:        EncryptionAlgorithmAES256,
+		Passphrase: []byte("sesame-123-luks-ury"),
+	}
+	err = img.EncryptionFormat(encOpts)
+	assert.NoError(t, err)
+
+	// close the image so we can reopen it and load the encryption info
+	// then write some encrypted data at the end of the image
+	err = img.Close()
+	assert.NoError(t, err)
+	defer func() {
+		assert.NoError(t, img.Remove())
+	}()
+
+	testData := []byte("Another day another image to unlock")
+	var offset int64
+
+	t.Run("prepare", func(t *testing.T) {
+		img, err = OpenImage(ioctx, name, NoSnapshot)
+		assert.NoError(t, err)
+		defer img.Close()
+		err = img.EncryptionLoad2([]EncryptionOptions{encOpts})
+		assert.NoError(t, err)
+
+		stats, err := img.Stat()
+		require.NoError(t, err)
+		offset = int64(stats.Size) - int64(len(testData))
+
+		nOut, err := img.WriteAt(testData, offset)
+		assert.Equal(t, len(testData), nOut)
+		assert.NoError(t, err)
+	})
+
+	unlock := []EncryptionOptions{
+		EncryptionOptionsLUKS{Passphrase: []byte("sesame-123-luks-ury")},
+	}
+
+	t.Run("readEncLoad", func(t *testing.T) {
+		require.NotEqual(t, offset, 0)
+		// Re-open the image, using the generic luks encryption options
+		img, err = OpenImage(ioctx, name, NoSnapshot)
+		assert.NoError(t, err)
+		defer img.Close()
+		err = img.EncryptionLoad(unlock[0])
+		assert.NoError(t, err)
+
+		inData := make([]byte, len(testData))
+		nIn, err := img.ReadAt(inData, offset)
+		assert.Equal(t, nIn, len(testData))
+		assert.Equal(t, inData, testData)
+		assert.NoError(t, err)
+	})
+
+	t.Run("readEncLoad2", func(t *testing.T) {
+		require.NotEqual(t, offset, 0)
+		// Re-open the image, using the generic luks encryption options
+		img, err = OpenImage(ioctx, name, NoSnapshot)
+		assert.NoError(t, err)
+		defer img.Close()
+		err = img.EncryptionLoad2(unlock)
+		assert.NoError(t, err)
+
+		inData := make([]byte, len(testData))
+		nIn, err := img.ReadAt(inData, offset)
+		assert.Equal(t, nIn, len(testData))
+		assert.Equal(t, inData, testData)
+		assert.NoError(t, err)
+	})
+
+	t.Run("noEnc", func(t *testing.T) {
+		require.NotEqual(t, offset, 0)
+		// Re-open the image and attempt to read the encrypted data without loading the encryption
+		img, err = OpenImage(ioctx, name, NoSnapshot)
+		assert.NoError(t, err)
+		defer img.Close()
+
+		inData := make([]byte, len(testData))
+		nIn, err := img.ReadAt(inData, offset)
+		assert.Equal(t, nIn, len(testData))
+		assert.NotEqual(t, inData, testData)
+		assert.NoError(t, err)
+	})
+}