Fix decoding of encryption key passed to dmcrypt

This patch fixes the decoding of the encryption key passed to dmcrypt.
During the key management move from Nova to Castellan, in the Newton
release, conversion of the encryption key (from a string to list of
unsigned ints) was removed from the key retrieval method. This patch
updates dmcrypt to decode an encryption key string, rather than a list
of unsigned ints. See the linked bug for more information.

The method used to decode the encryption key has been updated to use
binascii, as done in os-brick [1], to maintain consistency. The key
generation and decoding portions of test_dmcrypt have been updated to
reflect this change and ensure compatibility with both, Python 2 and
Python 3.

[1] https://github.com/openstack/os-brick/blob/6cf9b1cd689f70a2c50c0fa83a9a9f7c502712a1/os_brick/encryptors/cryptsetup.py#L100-L102

Closes-Bug: #1688342
Change-Id: I050585ecb55742a972038cf72b0650321ded2856
(cherry picked from commit 53a71c1241aac70018c16d174032427a172378ed)

diff --git a/nova/tests/unit/virt/libvirt/storage/test_dmcrypt.py b/nova/tests/unit/virt/libvirt/storage/test_dmcrypt.py
index df16f53bfd24d6ad381d963ae082b0880881c7d4..a09ee3931953af8ea85d54ba2a6637cd53f772a9 100644 (file)
--- a/nova/tests/unit/virt/libvirt/storage/test_dmcrypt.py
+++ b/nova/tests/unit/virt/libvirt/storage/test_dmcrypt.py
@@ -13,6 +13,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import binascii
 import mock
 from oslo_concurrency import processutils
 
@@ -29,8 +30,8 @@ class LibvirtDmcryptTestCase(test.NoDBTestCase):
         self.NAME = 'disk'
         self.TARGET = dmcrypt.volume_name(self.NAME)
         self.PATH = '/dev/nova-lvm/instance_disk'
-        self.KEY = range(0, self.KEY_SIZE)
-        self.KEY_STR = ''.join(["%02x" % x for x in range(0, self.KEY_SIZE)])
+        self.KEY = bytes(bytearray(x for x in range(0, self.KEY_SIZE)))
+        self.KEY_STR = binascii.hexlify(self.KEY).decode('utf-8')
 
     @mock.patch('nova.utils.execute')
     def test_create_volume(self, mock_execute):

diff --git a/nova/virt/libvirt/storage/dmcrypt.py b/nova/virt/libvirt/storage/dmcrypt.py
index cb82a06a072076d450e8e7bb8717d24aaaa3ef54..7b21de7ab3ebb0a609c0eb44c7e4b007b5285f06 100644 (file)
--- a/nova/virt/libvirt/storage/dmcrypt.py
+++ b/nova/virt/libvirt/storage/dmcrypt.py
@@ -13,6 +13,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import binascii
 import os
 
 from oslo_concurrency import processutils
@@ -52,7 +53,7 @@ def create_volume(target, device, cipher, key_size, key):
     :param device: underlying block device
     :param cipher: encryption cipher string digestible by cryptsetup
     :param key_size: encryption key size
-    :param key: encryption key as an array of unsigned bytes
+    :param key: encoded encryption key bytestring
     """
     cmd = ('cryptsetup',
            'create',
@@ -61,7 +62,7 @@ def create_volume(target, device, cipher, key_size, key):
            '--cipher=' + cipher,
            '--key-size=' + str(key_size),
            '--key-file=-')
-    key = ''.join(map(lambda byte: "%02x" % byte, key))
+    key = binascii.hexlify(key).decode('utf-8')
     try:
         utils.execute(*cmd, process_input=key, run_as_root=True)
     except processutils.ProcessExecutionError as e: