From 18327971ca7231807294a6b1dbf3d80c23cb6796 Mon Sep 17 00:00:00 2001
From: Eric Harney
Date: Fri, 11 May 2018 11:56:27 -0400
Subject: [PATCH] Disallow multiattach for encrypted volumes
We can't assume that the LUKS layer used for volume encryption functions in a way that will safely work with multiattach.
Closes-Bug: #1770689
Change-Id: I613b48a9e89270b2f0266bffc5aeeefad37ce8fb
---
 cinder/tests/unit/volume/test_volume.py | 32 ++++++++++++++++++++++++
 cinder/volume/flows/api/create_volume.py | 6 +++++
 2 files changed, 38 insertions(+)
diff --git a/cinder/tests/unit/volume/test_volume.py b/cinder/tests/unit/volume/test_volume.py
index 855981cfcb9..0a48688c922 100644
--- a/cinder/tests/unit/volume/test_volume.py
+++ b/cinder/tests/unit/volume/test_volume.py
@@ -680,6 +680,38 @@ class VolumeTestCase(base.BaseVolumeTestCase):
 volume_api.create, self.context, 1, 'name', 'description', multiattach=True)
+ @mock.patch.object(key_manager, 'API', fake_keymgr.fake_api)
+ def test_create_volume_with_encrypted_volume_type_multiattach(self):
+ ctxt = context.get_admin_context()
+
+ cipher = 'aes-xts-plain64'
+ key_size = 256
+ control_location = 'front-end'
+
+ db.volume_type_create(ctxt,
+ {'id': '61298380-0c12-11e3-bfd6-4b48424183be',
+ 'name': 'LUKS',
+ 'extra_specs': {'multiattach': ' True'}})
+ db.volume_type_encryption_create(
+ ctxt,
+ '61298380-0c12-11e3-bfd6-4b48424183be',
+ {'control_location': control_location,
+ 'provider': ENCRYPTION_PROVIDER,
+ 'cipher': cipher,
+ 'key_size': key_size})
+
+ volume_api = cinder.volume.api.API()
+
+ db_vol_type = db.volume_type_get_by_name(ctxt, 'LUKS')
+
+ self.assertRaises(exception.InvalidVolume,
+ volume_api.create,
+ self.context,
+ 1,
+ 'name',
+ 'description',
+ volume_type=db_vol_type)
+
 @mock.patch.object(key_manager, 'API', fake_keymgr.fake_api)
 def test_create_volume_with_encrypted_volume_type_aes(self):
 ctxt = context.get_admin_context()
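Review bot: The new test asserts only the exception type, so the `self.assertRaises(exception.InvalidVolume, ...)` call in `test_create_volume_with_encrypted_volume_type_multiattach` would also pass if the create flow raised InvalidVolume for an unrelated reason. Pinning the reason keeps the test tied to the encryption guard, for example `self.assertRaisesRegex(exception.InvalidVolume, 'Multiattach cannot be used with encrypted volumes', volume_api.create, ...)` with the remaining arguments unchanged. A one-line docstring such as `"""Creating a volume from an encrypted, multiattach-capable type is rejected."""` would state the intent for the next reader.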
diff --git a/cinder/volume/flows/api/create_volume.py b/cinder/volume/flows/api/create_volume.py
index 91e000cf0b2..2e0b40eddb1 100644
--- a/cinder/volume/flows/api/create_volume.py
+++ b/cinder/volume/flows/api/create_volume.py
@@ -464,6 +464,12 @@ class ExtractVolumeRequestTask(flow_utils.CinderTask):
 source_volume, image_meta)
+ if encryption_key_id is not None and volume_type is not None:
+ extra_specs = volume_type.get('extra_specs', {})
+ if extra_specs.get('multiattach', '') == ' True':
+ msg = _('Multiattach cannot be used with encrypted volumes.')
+ raise exception.InvalidVolume(reason=msg)
+
 specs = {}
 if volume_type_id:
 qos_specs = volume_types.get_volume_type_qos_specs(volume_type_id)
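Review bot: The guard inside the added `if encryption_key_id is not None and volume_type is not None:` block matches the `multiattach` extra spec by exact string equality. A value that differs only in case or spacing, if it is still honoured as true elsewhere (not visible in this hunk), would let an encrypted multiattach volume through. Normalising the value before comparing, or reusing whichever helper the rest of the tree uses to evaluate this spec, would close that gap. The check also lives only in the create flow shown here, so paths that change a volume's type after creation presumably need the same rule. A comment stating the reason would help: `# Encrypted volumes must not be multiattach: the LUKS layer is not known to be safe with more than one attachment (bug 1770689).` The enclosing method starts and ends outside the hunk.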