diff --git a/SOURCES/udisks-2.10.0-block_format_ata_secure_erase.patch b/SOURCES/udisks-2.10.0-block_format_ata_secure_erase.patch new file mode 100644 index 0000000..3ad878d --- /dev/null +++ b/SOURCES/udisks-2.10.0-block_format_ata_secure_erase.patch @@ -0,0 +1,60 @@ +From eb917d346bc8592924c5f6566b01841176c53c8c Mon Sep 17 00:00:00 2001 +From: Tomas Bzatek +Date: Mon, 22 Aug 2022 16:27:11 +0200 +Subject: [PATCH] udiskslinuxblock: Only permit ATA Secure Erase during + Format() on a whole block device + +ATA Secure Erase requested as an option to the Format() method call used +to perform the actual erase on a whole drive object it looked up. When +Format() was called on a partition, this led to data loss on a whole drive. +This commit adds a safeguard to check that the Format() is requested +on a whole block device. + +Severity of this issue was slightly lowered by a failure to submit +the ATA Secure erase command in case some filesystem was mounted +at that point. +--- + src/udiskslinuxblock.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/src/udiskslinuxblock.c b/src/udiskslinuxblock.c +index d1da94edf..db0ed2bf6 100644 +--- a/src/udiskslinuxblock.c ++++ b/src/udiskslinuxblock.c +@@ -2354,6 +2354,7 @@ erase_ata_device (UDisksBlock *block, + { + gboolean ret = FALSE; + UDisksObject *drive_object = NULL; ++ UDisksLinuxBlockObject *block_object = NULL; + UDisksDriveAta *ata = NULL; + + drive_object = udisks_daemon_find_object (daemon, udisks_block_get_drive (block)); +@@ -2369,6 +2370,20 @@ erase_ata_device (UDisksBlock *block, + goto out; + } + ++ /* Reverse check to ensure we're erasing whole block device and not a partition */ ++ block_object = udisks_linux_drive_object_get_block (UDISKS_LINUX_DRIVE_OBJECT (drive_object), FALSE /* get_hw */); ++ if (block_object == NULL) ++ { ++ g_set_error (error, UDISKS_ERROR, UDISKS_ERROR_FAILED, "Couldn't find a block device for the drive to erase"); ++ goto out; ++ } ++ if (g_strcmp0 (g_dbus_object_get_object_path (G_DBUS_OBJECT (object)), ++ g_dbus_object_get_object_path (G_DBUS_OBJECT (block_object))) != 0) ++ { ++ g_set_error (error, UDISKS_ERROR, UDISKS_ERROR_FAILED, "ATA secure erase needs to be performed on a whole block device"); ++ goto out; ++ } ++ + /* sleep a tiny bit here to avoid the secure erase code racing with + * programs spawned by udev + */ +@@ -2382,6 +2397,7 @@ erase_ata_device (UDisksBlock *block, + out: + g_clear_object (&ata); + g_clear_object (&drive_object); ++ g_clear_object (&block_object); + return ret; + } + diff --git a/SOURCES/udisks-2.10.0-iscsi-auth-info.patch b/SOURCES/udisks-2.10.0-iscsi-auth-info.patch new file mode 100644 index 0000000..633386e --- /dev/null +++ b/SOURCES/udisks-2.10.0-iscsi-auth-info.patch @@ -0,0 +1,29 @@ +From 9a6e6b700b19539465ab6b241f04b94d4b3769c4 Mon Sep 17 00:00:00 2001 +From: Tomas Bzatek +Date: Mon, 10 Oct 2022 13:55:29 +0200 +Subject: [PATCH] iscsi: Always set auth info + +In case of reusing a context auth info needs to be +always set to override previous data. +--- + modules/iscsi/udisksiscsiutil.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/modules/iscsi/udisksiscsiutil.c b/modules/iscsi/udisksiscsiutil.c +index 8fdae889c7..78890106f0 100644 +--- a/modules/iscsi/udisksiscsiutil.c ++++ b/modules/iscsi/udisksiscsiutil.c +@@ -171,11 +171,8 @@ iscsi_perform_login_action (UDisksLinuxModuleISCSI *module, + /* Get a libiscsi context. */ + ctx = udisks_linux_module_iscsi_get_libiscsi_context (module); + +- if (action == ACTION_LOGIN && +- auth_info && auth_info->method == libiscsi_auth_chap) +- { +- libiscsi_node_set_auth (ctx, node, auth_info); +- } ++ if (action == ACTION_LOGIN && auth_info) ++ libiscsi_node_set_auth (ctx, node, auth_info); + + /* Login or Logout */ + err = action == ACTION_LOGIN ? diff --git a/SOURCES/udisks-2.10.0-iscsi_test_01_badauth.patch b/SOURCES/udisks-2.10.0-iscsi_test_01_badauth.patch new file mode 100644 index 0000000..48a41ff --- /dev/null +++ b/SOURCES/udisks-2.10.0-iscsi_test_01_badauth.patch @@ -0,0 +1,75 @@ +commit fab797fcf5e4c8e09e4cde45647951acd764415e +Author: Tomas Bzatek +Date: Mon Oct 10 13:58:15 2022 +0200 + + tests: Add bad auth test for iscsi + + This tests that the auth info is properly set for each login call, + overriding previously set auth info with no trace. + +diff --git a/src/tests/dbus-tests/test_30_iscsi.py b/src/tests/dbus-tests/test_30_iscsi.py +index 34bdfc4b..6ac8386b 100644 +--- a/src/tests/dbus-tests/test_30_iscsi.py ++++ b/src/tests/dbus-tests/test_30_iscsi.py +@@ -284,3 +284,61 @@ class UdisksISCSITest(udiskstestcase.UdisksTestCase): + # make sure the session object is no longer on dbus + objects = udisks.GetManagedObjects(dbus_interface='org.freedesktop.DBus.ObjectManager') + self.assertNotIn(session_path, objects.keys()) ++ ++ def test_login_noauth_badauth(self): ++ """ ++ Test auth info override ++ """ ++ manager = self.get_object('/Manager') ++ nodes, _ = manager.DiscoverSendTargets(self.address, self.port, self.no_options, ++ dbus_interface=self.iface_prefix + '.Manager.ISCSI.Initiator', ++ timeout=self.iscsi_timeout) ++ ++ node = next((node for node in nodes if node[0] == self.noauth_iqn), None) ++ self.assertIsNotNone(node) ++ ++ (iqn, tpg, host, port, iface) = node ++ self.assertEqual(iqn, self.noauth_iqn) ++ self.assertEqual(host, self.address) ++ self.assertEqual(port, self.port) ++ ++ self.addCleanup(self._force_lougout, self.noauth_iqn) ++ ++ # first attempt - wrong password ++ options = dbus.Dictionary(signature='sv') ++ options['username'] = self.initiator ++ msg = 'Login failed: initiator reported error' ++ with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg): ++ options['password'] = '12345' ++ manager.Login(iqn, tpg, host, port, iface, options, ++ dbus_interface=self.iface_prefix + '.Manager.ISCSI.Initiator', ++ timeout=self.iscsi_timeout) ++ ++ # second atttempt - no password ++ manager.Login(iqn, tpg, host, port, iface, self.no_options, ++ dbus_interface=self.iface_prefix + '.Manager.ISCSI.Initiator', ++ timeout=self.iscsi_timeout) ++ ++ devs = glob.glob('/dev/disk/by-path/*%s*' % iqn) ++ self.assertEqual(len(devs), 1) ++ ++ # check if the block device have 'Symlinks' property updated ++ disk_name = os.path.realpath(devs[0]).split('/')[-1] ++ disk_obj = self.get_object('/block_devices/' + disk_name) ++ dbus_path = str(disk_obj.object_path) ++ self.assertIsNotNone(disk_obj) ++ ++ symlinks = self.get_property_raw(disk_obj, '.Block', 'Symlinks') ++ self.assertIn(self.str_to_ay(devs[0]), symlinks) ++ ++ manager.Logout(iqn, tpg, host, port, iface, self.no_options, ++ dbus_interface=self.iface_prefix + '.Manager.ISCSI.Initiator', ++ timeout=self.iscsi_timeout) ++ ++ devs = glob.glob('/dev/disk/by-path/*%s*' % iqn) ++ self.assertEqual(len(devs), 0) ++ ++ # make sure the disk is no longer on dbus ++ udisks = self.get_object('') ++ objects = udisks.GetManagedObjects(dbus_interface='org.freedesktop.DBus.ObjectManager') ++ self.assertNotIn(dbus_path, objects.keys()) diff --git a/SOURCES/udisks-2.10.0-iscsi_test_02_lio_target_conf.patch b/SOURCES/udisks-2.10.0-iscsi_test_02_lio_target_conf.patch new file mode 100644 index 0000000..cf269a5 --- /dev/null +++ b/SOURCES/udisks-2.10.0-iscsi_test_02_lio_target_conf.patch @@ -0,0 +1,51 @@ +commit 13a6a27eecdd1fb527b9151309366970b182a58d +Author: Tomas Bzatek +Date: Thu Oct 20 17:17:10 2022 +0200 + + tests: Fix LIO target config auth + + Linux kernel 6.0 brought number of the LIO target changes related to authentication + that made our tests fail. Turned out our target config was incorrect, e.g. + not requiring auth for CHAP tests, etc. The kernel 6.0 looks to be more strict + in this regard. + +diff --git a/src/tests/dbus-tests/targetcli_config.json b/src/tests/dbus-tests/targetcli_config.json +index 25d506b6..3be9eac2 100644 +--- a/src/tests/dbus-tests/targetcli_config.json ++++ b/src/tests/dbus-tests/targetcli_config.json +@@ -385,7 +385,7 @@ + "tpgs": [ + { + "attributes": { +- "authentication": 0, ++ "authentication": 1, + "cache_dynamic_acls": 0, + "default_cmdsn_depth": 64, + "default_erl": 0, +@@ -432,7 +432,7 @@ + } + ], + "parameters": { +- "AuthMethod": "CHAP,None", ++ "AuthMethod": "CHAP", + "DataDigest": "CRC32C,None", + "DataPDUInOrder": "Yes", + "DataSequenceInOrder": "Yes", +@@ -471,7 +471,7 @@ + "tpgs": [ + { + "attributes": { +- "authentication": 0, ++ "authentication": 1, + "cache_dynamic_acls": 0, + "default_cmdsn_depth": 64, + "default_erl": 0, +@@ -520,7 +520,7 @@ + } + ], + "parameters": { +- "AuthMethod": "CHAP,None", ++ "AuthMethod": "CHAP", + "DataDigest": "CRC32C,None", + "DataPDUInOrder": "Yes", + "DataSequenceInOrder": "Yes", diff --git a/SOURCES/udisks-2.10.0-iscsi_test_03_iscsid_cache_clean.patch b/SOURCES/udisks-2.10.0-iscsi_test_03_iscsid_cache_clean.patch new file mode 100644 index 0000000..5473b8a --- /dev/null +++ b/SOURCES/udisks-2.10.0-iscsi_test_03_iscsid_cache_clean.patch @@ -0,0 +1,84 @@ +commit 68115b16181db7a38f852b101ec965b9fc3e59cb +Author: Tomas Bzatek +Date: Thu Oct 20 17:32:29 2022 +0200 + + tests: Clean the discovered test target iscsid node cache + + After each DiscoverSendTargets() and Login() calls iscsid caches + the node info in /var/lib/iscsi/nodes. That includes auth info and + passwords in plaintext. This might potentially lead to lingering + attributes sneaking into subsequent tests, affecting the results. + + Let's clean that after each test run. + +diff --git a/src/tests/dbus-tests/test_30_iscsi.py b/src/tests/dbus-tests/test_30_iscsi.py +index 6ac8386b..2b75462a 100644 +--- a/src/tests/dbus-tests/test_30_iscsi.py ++++ b/src/tests/dbus-tests/test_30_iscsi.py +@@ -6,6 +6,7 @@ import os + import re + import six + import time ++import shutil + import unittest + + +@@ -26,6 +27,7 @@ class UdisksISCSITest(udiskstestcase.UdisksTestCase): + chap_iqn = 'iqn.2003-01.udisks.test:iscsi-test-chap' + mutual_iqn = 'iqn.2003-01.udisks.test:iscsi-test-mutual' + ++ + # Define common D-Bus method call timeout that needs to be slightly longer + # than the corresponding timeout defined in libiscsi: + # #define ISCSID_REQ_TIMEOUT 1000 +@@ -61,6 +63,10 @@ class UdisksISCSITest(udiskstestcase.UdisksTestCase): + initiator = bytearray(data) + return initiator.strip().split(b"InitiatorName=")[1] + ++ def _clean_iscsid_node_dir(self): ++ for iqn in [self.noauth_iqn, self.chap_iqn, self.mutual_iqn]: ++ shutil.rmtree(os.path.join('/var/lib/iscsi/nodes/', iqn), ignore_errors=True) ++ + def test__manager_interface(self): + '''Test for module D-Bus Manager interface presence''' + +@@ -86,6 +92,7 @@ class UdisksISCSITest(udiskstestcase.UdisksTestCase): + nodes, _ = manager.DiscoverSendTargets(self.address, self.port, self.no_options, + dbus_interface=self.iface_prefix + '.Manager.ISCSI.Initiator', + timeout=self.iscsi_timeout) ++ self.addCleanup(self._clean_iscsid_node_dir) + + node = next((node for node in nodes if node[0] == self.noauth_iqn), None) + self.assertIsNotNone(node) +@@ -131,6 +138,7 @@ class UdisksISCSITest(udiskstestcase.UdisksTestCase): + nodes, _ = manager.DiscoverSendTargets(self.address, self.port, self.no_options, + dbus_interface=self.iface_prefix + '.Manager.ISCSI.Initiator', + timeout=self.iscsi_timeout) ++ self.addCleanup(self._clean_iscsid_node_dir) + + node = next((node for node in nodes if node[0] == self.chap_iqn), None) + self.assertIsNotNone(node) +@@ -190,6 +198,7 @@ class UdisksISCSITest(udiskstestcase.UdisksTestCase): + nodes, _ = manager.DiscoverSendTargets(self.address, self.port, self.no_options, + dbus_interface=self.iface_prefix + '.Manager.ISCSI.Initiator', + timeout=self.iscsi_timeout) ++ self.addCleanup(self._clean_iscsid_node_dir) + + node = next((node for node in nodes if node[0] == self.mutual_iqn), None) + self.assertIsNotNone(node) +@@ -246,6 +255,7 @@ class UdisksISCSITest(udiskstestcase.UdisksTestCase): + nodes, _ = manager.DiscoverSendTargets(self.address, self.port, self.no_options, + dbus_interface=self.iface_prefix + '.Manager.ISCSI.Initiator', + timeout=self.iscsi_timeout) ++ self.addCleanup(self._clean_iscsid_node_dir) + + node = next((node for node in nodes if node[0] == self.noauth_iqn), None) + self.assertIsNotNone(node) +@@ -293,6 +303,7 @@ class UdisksISCSITest(udiskstestcase.UdisksTestCase): + nodes, _ = manager.DiscoverSendTargets(self.address, self.port, self.no_options, + dbus_interface=self.iface_prefix + '.Manager.ISCSI.Initiator', + timeout=self.iscsi_timeout) ++ self.addCleanup(self._clean_iscsid_node_dir) + + node = next((node for node in nodes if node[0] == self.noauth_iqn), None) + self.assertIsNotNone(node) diff --git a/SOURCES/udisks-2.10.0-iscsi_test_04_fix_test_login_chap_auth.patch b/SOURCES/udisks-2.10.0-iscsi_test_04_fix_test_login_chap_auth.patch new file mode 100644 index 0000000..bf759fe --- /dev/null +++ b/SOURCES/udisks-2.10.0-iscsi_test_04_fix_test_login_chap_auth.patch @@ -0,0 +1,37 @@ +commit 1bf172603e4cc77da70d8fd13b6ba6c8b8c91600 +Author: Tomas Bzatek +Date: Thu Oct 20 17:53:20 2022 +0200 + + tests: Test iscsi noauth in test_login_chap_auth + + The other way is already tested in test_login_noauth_badauth. + +diff --git a/src/tests/dbus-tests/test_30_iscsi.py b/src/tests/dbus-tests/test_30_iscsi.py +index 2b75462a..f2594d99 100644 +--- a/src/tests/dbus-tests/test_30_iscsi.py ++++ b/src/tests/dbus-tests/test_30_iscsi.py +@@ -151,8 +151,14 @@ class UdisksISCSITest(udiskstestcase.UdisksTestCase): + options = dbus.Dictionary(signature='sv') + options['username'] = self.initiator + ++ msg = 'Login failed: initiator reported error \(24 - iSCSI login failed due to authorization failure\)' ++ # missing auth info ++ with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg): ++ manager.Login(iqn, tpg, host, port, iface, self.no_options, ++ dbus_interface=self.iface_prefix + '.Manager.ISCSI.Initiator', ++ timeout=self.iscsi_timeout) ++ + # wrong password +- msg = 'Login failed: initiator reported error' + with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg): + options['password'] = '12345' + manager.Login(iqn, tpg, host, port, iface, options, +@@ -318,7 +324,7 @@ class UdisksISCSITest(udiskstestcase.UdisksTestCase): + # first attempt - wrong password + options = dbus.Dictionary(signature='sv') + options['username'] = self.initiator +- msg = 'Login failed: initiator reported error' ++ msg = r'Login failed: initiator reported error \((19 - encountered non-retryable iSCSI login failure|24 - iSCSI login failed due to authorization failure)\)' + with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg): + options['password'] = '12345' + manager.Login(iqn, tpg, host, port, iface, options, diff --git a/SOURCES/udisks-2.10.0-iscsi_test_05_restart_iscsid.patch b/SOURCES/udisks-2.10.0-iscsi_test_05_restart_iscsid.patch new file mode 100644 index 0000000..eeb5e19 --- /dev/null +++ b/SOURCES/udisks-2.10.0-iscsi_test_05_restart_iscsid.patch @@ -0,0 +1,42 @@ +From fbe970add68e6d9d998fb7f78377368c403e200d Mon Sep 17 00:00:00 2001 +From: Tomas Bzatek +Date: Mon, 31 Oct 2022 15:15:31 +0100 +Subject: [PATCH] tests: Restart iscsid on every InitiatorName change + +The test LIO target config expects a specific initiator name as set +by the ACLs. However the iscsid daemon only seems to be reading +the InitiatorName string on startup and in case the service is running +with a different name, the auth tests will fail. + +As a workaround, restart the iscsid service after each change. +A proper way through libiscsi or libopeniscsiusr would be nice -> TODO. +--- + src/tests/dbus-tests/test_30_iscsi.py | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/src/tests/dbus-tests/test_30_iscsi.py b/src/tests/dbus-tests/test_30_iscsi.py +index f2594d992..09e975f30 100644 +--- a/src/tests/dbus-tests/test_30_iscsi.py ++++ b/src/tests/dbus-tests/test_30_iscsi.py +@@ -48,9 +48,21 @@ def _force_lougout(self, target): + def _set_initiator_name(self): + manager = self.get_object('/Manager') + ++ # make backup of INITIATOR_FILE and restore it at the end ++ try: ++ initiatorname_backup = self.read_file(INITIATOR_FILE) ++ self.addCleanup(self.write_file, INITIATOR_FILE, initiatorname_backup) ++ except FileNotFoundError as e: ++ # no existing file, simply remove it once finished ++ self.addCleanup(self.remove_file, INITIATOR_FILE, True) ++ + manager.SetInitiatorName(self.initiator, self.no_options, + dbus_interface=self.iface_prefix + '.Manager.ISCSI.Initiator') + ++ # running iscsid needs to be restarted to reflect the change ++ self.run_command('systemctl try-reload-or-restart iscsid.service') ++ # ignore the return code in case of non-systemd distros ++ + init = manager.GetInitiatorName(self.no_options, + dbus_interface=self.iface_prefix + '.Manager.ISCSI.Initiator') + self.assertEqual(init, self.initiator) diff --git a/SPECS/udisks2.spec b/SPECS/udisks2.spec index d1cfc29..aa3913a 100644 --- a/SPECS/udisks2.spec +++ b/SPECS/udisks2.spec @@ -48,7 +48,7 @@ Name: udisks2 Summary: Disk Manager Version: 2.9.4 -Release: 3%{?dist} +Release: 7%{?dist} License: GPLv2+ URL: https://github.com/storaged-project/udisks Source0: https://github.com/storaged-project/udisks/releases/download/udisks-%{version}/udisks-%{version}.tar.bz2 @@ -59,6 +59,18 @@ Patch1: udisks-2.10.0-static_daemon_resources_free.patch Patch2: udisks-2.10.0-lvm2_teardown_tests.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2030916 Patch3: udisks-2.10.0-vdo_test_writeAmplificationRatio.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2120329 +Patch4: udisks-2.10.0-block_format_ata_secure_erase.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1983602 +Patch5: udisks-2.10.0-iscsi-auth-info.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=2136557 +Patch10: udisks-2.10.0-iscsi_test_01_badauth.patch +Patch11: udisks-2.10.0-iscsi_test_02_lio_target_conf.patch +Patch12: udisks-2.10.0-iscsi_test_03_iscsid_cache_clean.patch +Patch13: udisks-2.10.0-iscsi_test_04_fix_test_login_chap_auth.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1958932 +Patch14: udisks-2.10.0-iscsi_test_05_restart_iscsid.patch BuildRequires: make BuildRequires: glib2-devel >= %{glib2_version} @@ -434,6 +446,18 @@ fi %endif %changelog +* Tue Nov 01 2022 Tomas Bzatek - 2.9.4-7 +- Fix iscsi test auth failures (#1958932) + +* Fri Oct 21 2022 Tomas Bzatek - 2.9.4-6 +- Fix iscsi test LIO target config (#2136557) + +* Wed Oct 19 2022 Tomas Bzatek - 2.9.4-5 +- Fix iscsi authentication info override (#1983602) + +* Fri Sep 16 2022 Tomas Bzatek - 2.9.4-4 +- Restrict ATA Secure Erase Format() options (#2120329) + * Tue Feb 01 2022 Tomas Bzatek - 2.9.4-3 - Fix LVM-VDO statistics tests (#2030916)