Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow using inband authentication with TLS #934

Merged
merged 1 commit into from
Nov 4, 2024
Merged

Allow using inband authentication with TLS #934

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 0 additions & 2 deletions control/cli.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1056,8 +1056,6 @@ def host_add(self, args):
if args.psk:
if len(args.host_nqn) > 1:
self.cli.parser.error(f"Can't have more than one host NQN when PSK keys are used")
if args.dhchap_key:
self.cli.parser.error(f"PSK and DH-HMAC-CHAP keys are mutually exclusive")

if args.dhchap_key:
if len(args.host_nqn) > 1:
Expand Down
12 changes: 0 additions & 12 deletions control/grpc.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2320,11 +2320,6 @@ def add_host_safe(self, request, context):
self.logger.error(f"{errmsg}")
return pb2.req_status(status=errno.EINVAL, error_message=errmsg)

if request.psk and request.dhchap_key:
errmsg=f"{host_failure_prefix}: PSK and DH-HMAC-CHAP keys are mutually exclusive"
self.logger.error(f"{errmsg}")
return pb2.req_status(status=errno.EINVAL, error_message=errmsg)

host_already_exist = self.matching_host_exists(context, request.subsystem_nqn, request.host_nqn)
if host_already_exist:
if request.host_nqn == "*":
Expand Down Expand Up @@ -2608,13 +2603,6 @@ def change_host_keys_safe(self, request, context):
self.logger.error(f"{errmsg}")
return pb2.req_status(status=errno.EINVAL, error_message=errmsg)

if request.dhchap_key:
psk = self.host_info.is_psk_host(request.subsystem_nqn, request.host_nqn)
if psk:
errmsg=f"{failure_prefix}: Can't set DH-HMAC-CHAP key to a a host with PSK key"
self.logger.error(f"{errmsg}")
return pb2.req_status(status=errno.EINVAL, error_message=errmsg)

dhchap_file = None
dhchap_key_name = None
dhchap_ctrlr_file = None
Expand Down
6 changes: 6 additions & 0 deletions mk/demosecuredhchap.mk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,15 @@
HOSTNQN=`cat /etc/nvme/hostnqn`
HOSTNQN2=`cat /etc/nvme/hostnqn | sed 's/......$$/ffffff/'`
HOSTNQN3=`cat /etc/nvme/hostnqn | sed 's/......$$/fffffe/'`
HOSTNQN4=`cat /etc/nvme/hostnqn | sed 's/......$$/fffffd/'`
NVMEOF_IO_PORT2=`expr $(NVMEOF_IO_PORT) + 1`
NVMEOF_IO_PORT3=`expr $(NVMEOF_IO_PORT) + 2`
NVMEOF_IO_PORT4=`expr $(NVMEOF_IO_PORT) + 3`
DHCHAPKEY1=$(DHCHAP_KEY1)
DHCHAPKEY2=$(DHCHAP_KEY2)
DHCHAPKEY3=$(DHCHAP_KEY3)
DHCHAPKEY4=$(DHCHAP_KEY4)
PSKKEY1=$(PSK_KEY1)
# demosecuredhchap
demosecuredhchap:
$(NVMEOF_CLI) subsystem add --subsystem $(NQN) --no-group-append
Expand All @@ -16,9 +20,11 @@ demosecuredhchap:
$(NVMEOF_CLI) listener add --subsystem $(NQN) --host-name `docker ps -q -f name=$(NVMEOF_CONTAINER_NAME)` --traddr $(NVMEOF_IP_ADDRESS) --trsvcid $(NVMEOF_IO_PORT)
$(NVMEOF_CLI) listener add --subsystem $(NQN) --host-name `docker ps -q -f name=$(NVMEOF_CONTAINER_NAME)` --traddr $(NVMEOF_IP_ADDRESS) --trsvcid $(NVMEOF_IO_PORT2)
$(NVMEOF_CLI) listener add --subsystem $(NQN) --host-name `docker ps -q -f name=$(NVMEOF_CONTAINER_NAME)` --traddr $(NVMEOF_IP_ADDRESS) --trsvcid $(NVMEOF_IO_PORT3)
$(NVMEOF_CLI) listener add --subsystem $(NQN) --host-name `docker ps -q -f name=$(NVMEOF_CONTAINER_NAME)` --traddr $(NVMEOF_IP_ADDRESS) --trsvcid $(NVMEOF_IO_PORT4) --secure
$(NVMEOF_CLI) host add --subsystem $(NQN) --host-nqn $(HOSTNQN) --dhchap-key $(DHCHAPKEY1)
$(NVMEOF_CLI) host add --subsystem $(NQN) --host-nqn $(HOSTNQN2) --dhchap-key $(DHCHAPKEY2) --dhchap-ctrlr-key $(DHCHAPKEY3)
$(NVMEOF_CLI) host add --subsystem $(NQN) --host-nqn $(HOSTNQN3)
$(NVMEOF_CLI) namespace add_host --subsystem $(NQN) --nsid 2 --host-nqn $(HOSTNQN)
$(NVMEOF_CLI) host add --subsystem $(NQN) --host-nqn $(HOSTNQN4) --dhchap-key $(DHCHAPKEY4) --psk $(PSKKEY1)

.PHONY: demosecuredhchap
115 changes: 110 additions & 5 deletions tests/ha/demo_test.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,12 +46,16 @@ function demo_test_dhchap()
echo -n "${DHCHAP_KEY5}" > /tmp/temp-dhchap/dhchap/${NQN}/key2
echo -n "${DHCHAP_KEY6}" > /tmp/temp-dhchap/dhchap/${NQN}/key3
echo -n "${DHCHAP_KEY7}" > /tmp/temp-dhchap/dhchap/${NQN}/key4
echo -n "${DHCHAP_KEY8}" > /tmp/temp-dhchap/dhchap/${NQN}/key5
echo -n "${PSK_KEY1}" > /tmp/temp-dhchap/dhchap/${NQN}/key6
chmod 0600 /tmp/temp-dhchap/dhchap/${NQN}/key1
chmod 0600 /tmp/temp-dhchap/dhchap/${NQN}/key2
chmod 0600 /tmp/temp-dhchap/dhchap/${NQN}/key3
chmod 0600 /tmp/temp-dhchap/dhchap/${NQN}/key4
chmod 0600 /tmp/temp-dhchap/dhchap/${NQN}/key5
chmod 0600 /tmp/temp-dhchap/dhchap/${NQN}/key6

make demosecuredhchap OPTS=-T HOSTNQN="${NQN}host" HOSTNQN2="${NQN}host2" HOSTNQN3="${NQN}host3" NVMEOF_IO_PORT2=${port2} NVMEOF_IO_PORT3=${port3} DHCHAPKEY1="${DHCHAP_KEY4}" DHCHAPKEY2="${DHCHAP_KEY5}" DHCHAPKEY3="${DHCHAP_KEY6}"
make demosecuredhchap OPTS=-T HOSTNQN="${NQN}host" HOSTNQN2="${NQN}host2" HOSTNQN3="${NQN}host3" HOSTNQN4="${NQN}host4" NVMEOF_IO_PORT2=${port2} NVMEOF_IO_PORT3=${port3} NVMEOF_IO_PORT4=${port4} DHCHAPKEY1="${DHCHAP_KEY4}" DHCHAPKEY2="${DHCHAP_KEY5}" DHCHAPKEY3="${DHCHAP_KEY6}" DHCHAPKEY4="${DHCHAP_KEY8}" PSKKEY1="${PSK_KEY1}"
}

function demo_bdevperf_unsecured()
Expand Down Expand Up @@ -321,6 +325,8 @@ function demo_bdevperf_dhchap()
make exec SVC=bdevperf OPTS=-T CMD="chmod 0600 ${dhchap_path}/key2"
make exec SVC=bdevperf OPTS=-T CMD="chmod 0600 ${dhchap_path}/key3"
make exec SVC=bdevperf OPTS=-T CMD="chmod 0600 ${dhchap_path}/key4"
make exec SVC=bdevperf OPTS=-T CMD="chmod 0600 ${dhchap_path}/key5"
make exec SVC=bdevperf OPTS=-T CMD="chmod 0600 ${dhchap_path}/key6"
rm -rf /tmp/temp-dhchap

echo "ℹ️ bdevperf add DHCHAP key name key1 to keyring"
Expand All @@ -331,6 +337,10 @@ function demo_bdevperf_dhchap()
make -s exec SVC=bdevperf OPTS=-T CMD="$rpc -v -s $BDEVPERF_SOCKET keyring_file_add_key key3 ${dhchap_path}/key3"
echo "ℹ️ bdevperf add DHCHAP key name key4 to keyring"
make -s exec SVC=bdevperf OPTS=-T CMD="$rpc -v -s $BDEVPERF_SOCKET keyring_file_add_key key4 ${dhchap_path}/key4"
echo "ℹ️ bdevperf add DHCHAP key name key5 to keyring"
make -s exec SVC=bdevperf OPTS=-T CMD="$rpc -v -s $BDEVPERF_SOCKET keyring_file_add_key key5 ${dhchap_path}/key5"
echo "ℹ️ bdevperf add DHCHAP key name key6 to keyring"
make -s exec SVC=bdevperf OPTS=-T CMD="$rpc -v -s $BDEVPERF_SOCKET keyring_file_add_key key6 ${dhchap_path}/key6"

echo "ℹ️ bdevperf list keyring"
make -s exec SVC=bdevperf OPTS=-T CMD="$rpc -s $BDEVPERF_SOCKET keyring_get_keys"
Expand Down Expand Up @@ -414,7 +424,18 @@ function demo_bdevperf_dhchap()
[[ `echo $conns | jq -r '.connections[2].use_psk'` == "false" ]]
[[ `echo $conns | jq -r '.connections[2].use_dhchap'` == "false" ]]

[[ `echo $conns | jq -r '.connections[3]'` == "null" ]]
[[ `echo $conns | jq -r '.connections[3].nqn'` == "${NQN}host4" ]]
[[ `echo $conns | jq -r '.connections[3].trsvcid'` == 0 ]]
[[ `echo $conns | jq -r '.connections[3].traddr'` == "<n/a>" ]]
[[ `echo $conns | jq -r '.connections[3].adrfam'` == "ipv4" ]]
[[ `echo $conns | jq -r '.connections[3].trtype'` == "" ]]
[[ `echo $conns | jq -r '.connections[3].qpairs_count'` == -1 ]]
[[ `echo $conns | jq -r '.connections[3].controller_id'` == -1 ]]
[[ `echo $conns | jq -r '.connections[3].connected'` == "false" ]]
[[ `echo $conns | jq -r '.connections[3].use_psk'` == "true" ]]
[[ `echo $conns | jq -r '.connections[3].use_dhchap'` == "true" ]]

[[ `echo $conns | jq -r '.connections[4]'` == "null" ]]

echo "ℹ️ bdevperf perform_tests"
eval $(make run SVC=bdevperf OPTS="--entrypoint=env" | grep BDEVPERF_TEST_DURATION | tr -d '\n\r' )
Expand All @@ -436,10 +457,15 @@ function demo_bdevperf_dhchap()
path1_pre=`echo ${dhchap_key_list_pre_change} | jq -r '.[0].path'`
path2_pre=`echo ${dhchap_key_list_pre_change} | jq -r '.[1].path'`
path3_pre=`echo ${dhchap_key_list_pre_change} | jq -r '.[2].path'`
path4_pre=`echo ${dhchap_key_list_pre_change} | jq -r '.[3].path'`
name1_pre=`echo ${dhchap_key_list_pre_change} | jq -r '.[0].name'`
name2_pre=`echo ${dhchap_key_list_pre_change} | jq -r '.[1].name'`
name3_pre=`echo ${dhchap_key_list_pre_change} | jq -r '.[2].name'`
name4_pre=`echo ${dhchap_key_list_pre_change} | jq -r '.[3].name'`
name5_pre=`echo ${dhchap_key_list_pre_change} | jq -r '.[4].name'`
[[ `echo $dhchap_key_list_pre_change | jq -r '.[4].removed'` == "true" ]]
make exec SVC=nvmeof OPTS=-T CMD="test -f ${path1_pre}"
make exec SVC=nvmeof OPTS=-T CMD="test -f ${path4_pre}"

echo "ℹ️ change the key for host ${NQN}host"
cephnvmf_func host change_keys --subsystem $NQN --host-nqn ${NQN}host --dhchap-key "${DHCHAP_KEY7}"
Expand All @@ -458,42 +484,120 @@ function demo_bdevperf_dhchap()
make exec SVC=bdevperf OPTS=-T CMD="$rpc -v -s $BDEVPERF_SOCKET bdev_nvme_attach_controller -b Nvme5 -t tcp -a $NVMEOF_IP_ADDRESS -s ${NVMEOF_IO_PORT} -f ipv4 -n ${NQN} -q ${NQN}host -l -1 -o 10 --dhchap-key key4"
make exec SVC=bdevperf OPTS=-T CMD="$rpc -v -s $BDEVPERF_SOCKET bdev_nvme_detach_controller Nvme5"

echo "ℹ️ bdevperf tcp connect ip: $NVMEOF_IP_ADDRESS port: ${port4} nqn: ${NQN}host4 using no PSK key"
set +e
make exec SVC=bdevperf OPTS=-T CMD="$rpc -v -s $BDEVPERF_SOCKET bdev_nvme_attach_controller -b Nvme6 -t tcp -a $NVMEOF_IP_ADDRESS -s ${port4} -f ipv4 -n ${NQN} -q ${NQN}host4 -l -1 -o 10 --dhchap-key key5"
if [[ $? -eq 0 ]]; then
echo "Connecting using no PSK key should fail"
exit 1
fi
set -e

echo "ℹ️ bdevperf tcp connect ip: $NVMEOF_IP_ADDRESS port: ${port4} nqn: ${NQN}host4 using PSK key"
make exec SVC=bdevperf OPTS=-T CMD="$rpc -v -s $BDEVPERF_SOCKET bdev_nvme_attach_controller -b Nvme6 -t tcp -a $NVMEOF_IP_ADDRESS -s ${port4} -f ipv4 -n ${NQN} -q ${NQN}host4 -l -1 -o 10 --dhchap-key key5 --psk key6"

echo "ℹ️ verify connection list with PSK"
conns=`cephnvmf_func --output stdio --format json connection list --subsystem $NQN`

[[ `echo $conns | jq -r '.status'` == "0" ]]
[[ `echo $conns | jq -r '.subsystem_nqn'` == "${NQN}" ]]

[[ `echo $conns | jq -r '.connections[0].nqn'` == "${NQN}host4" ]]
[[ `echo $conns | jq -r '.connections[0].trsvcid'` == "${port4}" ]]
[[ `echo $conns | jq -r '.connections[0].traddr'` == "${NVMEOF_IP_ADDRESS}" ]]
[[ `echo $conns | jq -r '.connections[0].adrfam'` == "ipv4" ]]
[[ `echo $conns | jq -r '.connections[0].trtype'` == "TCP" ]]
[[ `echo $conns | jq -r '.connections[0].qpairs_count'` == "1" ]]
[[ `echo $conns | jq -r '.connections[0].controller_id'` == "9" ]]
[[ `echo $conns | jq -r '.connections[0].connected'` == "true" ]]
[[ `echo $conns | jq -r '.connections[0].secure'` == "true" ]]
[[ `echo $conns | jq -r '.connections[0].use_psk'` == "true" ]]
[[ `echo $conns | jq -r '.connections[0].use_dhchap'` == "true" ]]

[[ `echo $conns | jq -r '.connections[1].nqn'` == "${NQN}host3" ]]
[[ `echo $conns | jq -r '.connections[1].trsvcid'` == 0 ]]
[[ `echo $conns | jq -r '.connections[1].traddr'` == "<n/a>" ]]
[[ `echo $conns | jq -r '.connections[1].adrfam'` == "ipv4" ]]
[[ `echo $conns | jq -r '.connections[1].trtype'` == "" ]]
[[ `echo $conns | jq -r '.connections[1].qpairs_count'` == -1 ]]
[[ `echo $conns | jq -r '.connections[1].controller_id'` == -1 ]]
[[ `echo $conns | jq -r '.connections[1].connected'` == "false" ]]
[[ `echo $conns | jq -r '.connections[1].use_psk'` == "false" ]]
[[ `echo $conns | jq -r '.connections[1].use_dhchap'` == "false" ]]

[[ `echo $conns | jq -r '.connections[2].nqn'` == "${NQN}host2" ]]
[[ `echo $conns | jq -r '.connections[2].trsvcid'` == 0 ]]
[[ `echo $conns | jq -r '.connections[2].traddr'` == "<n/a>" ]]
[[ `echo $conns | jq -r '.connections[2].adrfam'` == "ipv4" ]]
[[ `echo $conns | jq -r '.connections[2].trtype'` == "" ]]
[[ `echo $conns | jq -r '.connections[2].qpairs_count'` == -1 ]]
[[ `echo $conns | jq -r '.connections[2].controller_id'` == -1 ]]
[[ `echo $conns | jq -r '.connections[2].connected'` == "false" ]]
[[ `echo $conns | jq -r '.connections[2].use_psk'` == "false" ]]
[[ `echo $conns | jq -r '.connections[2].use_dhchap'` == "true" ]]

[[ `echo $conns | jq -r '.connections[3].nqn'` == "${NQN}host" ]]
[[ `echo $conns | jq -r '.connections[3].trsvcid'` == 0 ]]
[[ `echo $conns | jq -r '.connections[3].traddr'` == "<n/a>" ]]
[[ `echo $conns | jq -r '.connections[3].adrfam'` == "ipv4" ]]
[[ `echo $conns | jq -r '.connections[3].trtype'` == "" ]]
[[ `echo $conns | jq -r '.connections[3].qpairs_count'` == -1 ]]
[[ `echo $conns | jq -r '.connections[3].controller_id'` == -1 ]]
[[ `echo $conns | jq -r '.connections[3].connected'` == "false" ]]
[[ `echo $conns | jq -r '.connections[3].use_psk'` == "false" ]]
[[ `echo $conns | jq -r '.connections[3].use_dhchap'` == "true" ]]

[[ `echo $conns | jq -r '.connections[4]'` == "null" ]]

echo "ℹ️ verify DHCHAP key files removal"
dhchap_key_list=`make -s exec SVC=nvmeof OPTS=-T CMD="/usr/local/bin/spdk_rpc -s /var/tmp/spdk.sock keyring_get_keys"`
path1=`echo ${dhchap_key_list} | jq -r '.[0].path'`
path2=`echo ${dhchap_key_list} | jq -r '.[1].path'`
path3=`echo ${dhchap_key_list} | jq -r '.[2].path'`
path4=`echo ${dhchap_key_list} | jq -r '.[3].path'`
name1=`echo ${dhchap_key_list} | jq -r '.[0].name'`
name2=`echo ${dhchap_key_list} | jq -r '.[1].name'`
name3=`echo ${dhchap_key_list} | jq -r '.[2].name'`
name4=`echo ${dhchap_key_list} | jq -r '.[3].name'`
name5=`echo ${dhchap_key_list} | jq -r '.[4].name'`
[[ "$path1_pre" != "$path1" ]]
[[ "$path1_pre" != "$path2" ]]
[[ "$path1_pre" != "$path3" ]]
[[ "$path1_pre" != "$path4" ]]
[[ "$name1_pre" != "$name1" ]]
[[ "$name1_pre" != "$name2" ]]
[[ "$name1_pre" == "$name3" ]]
[[ "$name1_pre" != "$name3" ]]
[[ "$name1_pre" == "$name4" ]]
[[ "$name1_pre" != "$name5" ]]
[[ "$path2_pre" == "$path1" ]]
[[ "$name2_pre" == "$name1" ]]
[[ "$path3_pre" == "$path2" ]]
[[ "$name3_pre" == "$name2" ]]
[[ "$path3" != "$path1_pre" ]]
[[ "$path4_pre" == "$path3" ]]
[[ "$name4_pre" == "$name3" ]]
[[ "$name5_pre" == "$name5" ]]
[[ "$path3" != "$path2_pre" ]]
[[ "$path3" != "$path3_pre" ]]
subsys_dir=`dirname ${path1}`
[[ `echo $dhchap_key_list | jq -r '.[0].removed'` == "false" ]]
[[ `echo $dhchap_key_list | jq -r '.[1].removed'` == "false" ]]
[[ `echo $dhchap_key_list | jq -r '.[2].removed'` == "false" ]]
[[ `echo $dhchap_key_list | jq -r '.[3].removed'` == "null" ]]
[[ `echo $dhchap_key_list | jq -r '.[3].removed'` == "false" ]]
[[ `echo $dhchap_key_list | jq -r '.[4].removed'` == "true" ]]
[[ `echo $dhchap_key_list | jq -r '.[5].removed'` == "null" ]]
make exec SVC=nvmeof OPTS=-T CMD="test -f ${path1}"
make exec SVC=nvmeof OPTS=-T CMD="test -f ${path2}"
make exec SVC=nvmeof OPTS=-T CMD="test -f ${path3}"
make exec SVC=nvmeof OPTS=-T CMD="test -f ${path4}"
make exec SVC=nvmeof OPTS=-T CMD="test -d ${subsys_dir}"
cephnvmf_func host del --subsystem $NQN --host-nqn ${NQN}host2
make exec SVC=nvmeof OPTS=-T CMD="test ! -f ${path1}"
make exec SVC=nvmeof OPTS=-T CMD="test ! -f ${path2}"
make exec SVC=nvmeof OPTS=-T CMD="test -f ${path3}"
make exec SVC=nvmeof OPTS=-T CMD="test -f ${path4}"
cephnvmf_func subsystem del --subsystem $NQN --force
make exec SVC=nvmeof OPTS=-T CMD="test ! -f ${path3}"
make exec SVC=nvmeof OPTS=-T CMD="test ! -f ${path4}"
make exec SVC=nvmeof OPTS=-T CMD="test ! -d ${subsys_dir}"
dhchap_key_list=`make -s exec SVC=nvmeof OPTS=-T CMD="/usr/local/bin/spdk_rpc -s /var/tmp/spdk.sock keyring_get_keys"`
[[ `echo $dhchap_key_list | jq -r '.[0]'` == "null" ]]
Expand All @@ -508,6 +612,7 @@ set -x
rpc="/usr/libexec/spdk/scripts/rpc.py"
port2=`expr ${NVMEOF_IO_PORT} + 10`
port3=`expr ${NVMEOF_IO_PORT} + 20`
port4=`expr ${NVMEOF_IO_PORT} + 30`
case "$1" in
test_unsecured)
demo_test_unsecured
Expand Down
6 changes: 4 additions & 2 deletions tests/test_cli_change_keys.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@
key1 = "DHHC-1:01:rPTE0Q73nd3hEqqEuQNaPL11G/aFXpOHtldWXz9vNCeef4WV:"
key2 = "DHHC-1:01:eNNXGjidEHHStbUi2Gmpps0JcnofReFfy+NaulguGgt327hz:"
key3 = "DHHC-1:01:KD+sfH3/o2bRQoV0ESjBUywQlMnSaYpZISUbVa0k0nsWpNST:"
key4 = "DHHC-1:01:x7ecfGgIdOEl+J5cJ9JcZHOS2By2Me6eDJUnrsT9MVrCWRYV:"
hostpsk1 = "NVMeTLSkey-1:01:YzrPElk4OYy1uUERriPwiiyEJE/+J5ckYpLB+5NHMsR2iBuT:"
config = "ceph-nvmeof.conf"

Expand Down Expand Up @@ -87,6 +88,7 @@ def test_change_host_keys(caplog, two_gateways):
assert f"Adding host {hostnqn2} to {subsystem}: Successful" in caplog.text
caplog.clear()
cli(["--server-port", "5501", "host", "change_keys", "--subsystem", subsystem, "--host-nqn", hostnqn1, "--dhchap-key", key2])
assert f"Changing keys for host {hostnqn1} on subsystem {subsystem}: Successful" in caplog.text
time.sleep(15)
assert f"Received request to change inband authentication keys for host {hostnqn1} on subsystem {subsystem}, dhchap: {key2}, dhchap controller: , context: <grpc._server" in caplog.text
assert f"Received request to change inband authentication keys for host {hostnqn1} on subsystem {subsystem}, dhchap: {key2}, dhchap controller: , context: None" in caplog.text
Expand All @@ -107,8 +109,8 @@ def test_change_key_with_psk(caplog, two_gateways):
cli(["--server-port", "5501", "host", "add", "--subsystem", subsystem, "--host-nqn", hostnqn3, "--psk", hostpsk1])
assert f"Adding host {hostnqn3} to {subsystem}: Successful" in caplog.text
caplog.clear()
cli(["--server-port", "5501", "host", "change_keys", "--subsystem", subsystem, "--host-nqn", hostnqn3, "--dhchap-key", "junk"])
assert f"Failure changing keys for host {hostnqn3} on subsystem {subsystem}: Can't set DH-HMAC-CHAP key to a a host with PSK key" in caplog.text
cli(["--server-port", "5501", "host", "change_keys", "--subsystem", subsystem, "--host-nqn", hostnqn3, "--dhchap-key", key4])
assert f"Changing keys for host {hostnqn3} on subsystem {subsystem}: Successful" in caplog.text

def test_change_key_host_not_exist(caplog, two_gateways):
gatewayA, stubA, gatewayB, stubB = two_gateways
Expand Down
18 changes: 5 additions & 13 deletions tests/test_psk.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,8 @@
hostpsk3 = "junk"
hostpsk4 = "NVMeTLSkey-1:01:YzrPElk4OYy1uUERriPwiiyEJE/+J5ckYpLB+5NHMsR2iBuT:"

hostdhchap1 = "DHHC-1:00:MWPqcx1Ug1debg8fPIGpkqbQhLcYUt39k7UWirkblaKEH1kE:"

host_name = socket.gethostname()
addr = "127.0.0.1"
config = "ceph-nvmeof.conf"
Expand Down Expand Up @@ -69,17 +71,13 @@ def test_setup(caplog, gateway):
cli(["namespace", "add", "--subsystem", subsystem, "--rbd-pool", pool, "--rbd-image", image, "--rbd-create-image", "--size", "16MB"])
assert f"Adding namespace 1 to {subsystem}: Successful" in caplog.text

def test_allow_any_host(caplog, gateway):
def test_create_secure_with_any_host(caplog, gateway):
caplog.clear()
cli(["host", "add", "--subsystem", subsystem, "--host-nqn", "*"])
assert f"Allowing open host access to {subsystem}: Successful" in caplog.text

def test_create_secure_with_any_host(caplog, gateway):
caplog.clear()
cli(["listener", "add", "--subsystem", subsystem, "--host-name", host_name, "-a", addr, "-s", "5001", "--secure"])
assert f"Secure channel is only allowed for subsystems in which \"allow any host\" is off" in caplog.text

def test_remove_any_host_access(caplog, gateway):
caplog.clear()
cli(["host", "del", "--subsystem", subsystem, "--host-nqn", "*"])
assert f"Disabling open host access to {subsystem}: Successful" in caplog.text
Expand Down Expand Up @@ -174,14 +172,8 @@ def test_allow_any_host_with_psk(caplog, gateway):

def test_psk_with_dhchap(caplog, gateway):
caplog.clear()
rc = 0
try:
cli(["host", "add", "--subsystem", subsystem, "--host-nqn", hostnqn10, "--psk", hostpsk1, "--dhchap-key", "junk"])
except SystemExit as sysex:
rc = int(str(sysex))
pass
assert rc == 2
assert f"error: PSK and DH-HMAC-CHAP keys are mutually exclusive" in caplog.text
cli(["host", "add", "--subsystem", subsystem, "--host-nqn", hostnqn10, "--psk", hostpsk1, "--dhchap-key", hostdhchap1])
assert f"Adding host {hostnqn10} to {subsystem}: Successful" in caplog.text

def test_list_listeners(caplog, gateway):
caplog.clear()
Expand Down
Loading