From 04d7e2d80d4cfe0d3a2cae477d9e09b6dc1071a2 Mon Sep 17 00:00:00 2001
From: Alan Bishop <abishop@redhat.com>
Date: Thu, 4 Jan 2018 16:26:25 +0000
Subject: [PATCH] Block attempts to transfer encrypted volumes

Block attempts to transfer encrypted volumes until [1] gets resolved.

[1] documents the fact that encryption keys are not properly transferred
to the new volume owner. Resolving this will be tricky because Key
Managers such as Barbican currently provide no API for transferring
ownership, and Key Manager ACLs are insufficient because they don't
allow the new volume owner to delete the key.

[1] https://bugs.launchpad.net/cinder/+bug/1735285

Related-Bug: #1735285
Change-Id: I5dbeb46adc9da1fce6359a96b981aa8d673d50c4
---
 cinder/tests/unit/test_volume_transfer.py | 11 +++++++++++
 cinder/transfer/api.py                    |  3 +++
 2 files changed, 14 insertions(+)

diff --git a/cinder/tests/unit/test_volume_transfer.py b/cinder/tests/unit/test_volume_transfer.py
index c4c40a61b8b..b260cc687d1 100644
--- a/cinder/tests/unit/test_volume_transfer.py
+++ b/cinder/tests/unit/test_volume_transfer.py
@@ -17,6 +17,7 @@ import mock
 from oslo_utils import timeutils
 
 from cinder import context
+from cinder import db
 from cinder import exception
 from cinder import objects
 from cinder import quota
@@ -68,6 +69,16 @@ class VolumeTransferTestCase(test.TestCase):
         volume = objects.Volume.get_by_id(self.ctxt, volume.id)
         self.assertEqual('in-use', volume['status'], 'Unexpected state')
 
+    def test_transfer_invalid_encrypted_volume(self):
+        tx_api = transfer_api.API()
+        volume = utils.create_volume(self.ctxt, updated_at=self.updated_at)
+        db.volume_update(self.ctxt,
+                         volume.id,
+                         {'encryption_key_id': fake.ENCRYPTION_KEY_ID})
+        self.assertRaises(exception.InvalidVolume,
+                          tx_api.create,
+                          self.ctxt, volume.id, 'Description')
+
     @mock.patch('cinder.volume.utils.notify_about_volume_usage')
     def test_transfer_accept_invalid_authkey(self, mock_notify):
         svc = self.start_service('volume', host='test_host')
diff --git a/cinder/transfer/api.py b/cinder/transfer/api.py
index 19550eacce0..4c0e25c2cd4 100644
--- a/cinder/transfer/api.py
+++ b/cinder/transfer/api.py
@@ -120,6 +120,9 @@ class API(base.Base):
         volume_ref = self.db.volume_get(context, volume_id)
         if volume_ref['status'] != "available":
             raise exception.InvalidVolume(reason=_("status must be available"))
+        if volume_ref['encryption_key_id'] is not None:
+            raise exception.InvalidVolume(
+                reason=_("transferring encrypted volume is not supported"))
 
         volume_utils.notify_about_volume_usage(context, volume_ref,
                                                "transfer.create.start")