From 56fe343397ba57a8b583cd7b4cfa9c03af3e0b41 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Mon, 1 Mar 2021 17:05:27 -0500
Subject: [PATCH] Add parameter for chap_algs in iscsid.conf

We need to be able to specify the CHAP algorithms in iscscid.conf so that we can, for example, remove MD5 from the list. This will allow iscsid to run on FIPS enabled systems where MD5 is disallowed.

Co-Authored-By: Alan Bishop
Change-Id: I89023603147e21d5c211041f70fc2c988d5f4de1
---
 manifests/profile/base/iscsid.pp        | 38 ++++++++++++++++++-
 .../tripleo_profile_base_iscsid_spec.rb | 30 ++++++++++++---
 2 files changed, 61 insertions(+), 7 deletions(-)

diff --git a/manifests/profile/base/iscsid.pp b/manifests/profile/base/iscsid.pp
index 363709714..755152d36 100644
--- a/manifests/profile/base/iscsid.pp
+++ b/manifests/profile/base/iscsid.pp
@@ -14,23 +14,40 @@
 #
 # == Class: tripleo::profile::base::iscsid
 #
-# Nova Compute profile for tripleo
+# Iscsid profile for tripleo
 #
 # === Parameters
 #
+# [*chap_algs*]
+#   (Optional) Comma separated list of algorithms to use in CHAP protocol
+#   Defaults to 'SHA3-256,SHA256,SHA1,MD5'
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
 #   Defaults to hiera('step')
 #
 class tripleo::profile::base::iscsid (
-  $step = Integer(hiera('step')),
+  $chap_algs = 'SHA3-256,SHA256,SHA1,MD5',
+  $step      = Integer(hiera('step')),
 ) {
   if $step >= 2 {
     # When utilising images for deployment, we need to reset the iSCSI initiator name to make it unique
     # https://bugzilla.redhat.com/show_bug.cgi?id=1244328
     ensure_resource('package', 'iscsi-initiator-utils', { ensure => 'present' })
+
+    # THT supplies a volume mount to the host's /etc/iscsi directory (at
+    # /tmp/iscsi.host). If the sentinel file (.initiator_reset) exists on the
+    # host, then copy the IQN from the host. This ensures the IQN is reset
+    # once, and only once.
+    exec { 'sync-iqn-from-host':
+      command => '/bin/cp /tmp/iscsi.host/.initiator_reset /tmp/iscsi.host/initiatorname.iscsi /etc/iscsi/',
+      onlyif  => '/usr/bin/test -f /tmp/iscsi.host/.initiator_reset',
+      before  => Exec['reset-iscsi-initiator-name'],
+      tag     => 'iscsid_config'
+    }
+
     exec { 'reset-iscsi-initiator-name':
       command => '/bin/echo InitiatorName=$(/usr/sbin/iscsi-iname) > /etc/iscsi/initiatorname.iscsi',
       onlyif  => '/usr/bin/test ! -f /etc/iscsi/.initiator_reset',
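Review bot: The `[*chap_algs*]` documentation added at the top of the hunk describes the value as a "Comma separated list", but the class also accepts an array (the `any2array`/`join` on the augeas resource in the next hunk), and it does not say that the default still contains SHA1 and MD5 — so the FIPS case that motivates the commit only works when the operator overrides it. Suggest `#   (Optional) Algorithms iscsid may negotiate for CHAP, as a comma separated string or an array. The default keeps SHA1 and MD5 for compatibility; restrict it (e.g. drop MD5) on FIPS-enabled hosts.` and declaring the parameter as `Variant[String, Array[String]] $chap_algs = 'SHA3-256,SHA256,SHA1,MD5',` so a wrong type fails at compile time rather than inside `join`. The `if $step >= 2` block opened here continues into the next hunk.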
@@ -38,8 +55,25 @@ class tripleo::profile::base::iscsid (
       require => Package['iscsi-initiator-utils'],
       tag     => 'iscsid_config'
     }
+
     file { '/etc/iscsi/.initiator_reset':
       ensure => present,
+      before => Exec['sync-iqn-to-host'],
+    }
+
+    exec { 'sync-iqn-to-host':
+      command => '/bin/cp /etc/iscsi/initiatorname.iscsi /etc/iscsi/.initiator_reset /tmp/iscsi.host/',
+      onlyif  => [
+        '/usr/bin/test -d /tmp/iscsi.host',
+        '/usr/bin/test ! -f /tmp/iscsi.host/iscsi/.initiator_reset',
+      ],
+      tag     => 'iscsid_config',
+    }
+
+    $chap_algs_real = join(any2array($chap_algs), ',')
+    augeas {'chap_algs in /etc/iscsi/iscsid.conf':
+      context => '/files/etc/iscsi/iscsid.conf',
+      changes => ["set node.session.auth.chap_algs ${chap_algs_real}"],
     }
   }
 }
diff --git a/spec/classes/tripleo_profile_base_iscsid_spec.rb b/spec/classes/tripleo_profile_base_iscsid_spec.rb
index 04f3c2c4e..f795a7922 100644
--- a/spec/classes/tripleo_profile_base_iscsid_spec.rb
+++ b/spec/classes/tripleo_profile_base_iscsid_spec.rb
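Review bot: The second `onlyif` of `sync-iqn-to-host` tests `/tmp/iscsi.host/iscsi/.initiator_reset`, yet the command copies the sentinel into `/tmp/iscsi.host/` and `sync-iqn-from-host` (previous hunk) reads it from `/tmp/iscsi.host/.initiator_reset`; unless the host mount really has an extra `iscsi/` level, that guard never becomes false and the copy re-runs on every agent run, which also defeats the "once, and only once" intent. Likely intended: `'/usr/bin/test ! -f /tmp/iscsi.host/.initiator_reset',`. The `augeas` resource has no ordering against `Package['iscsi-initiator-utils']`, which provides `/etc/iscsi/iscsid.conf`, and lacks the `iscsid_config` tag the other resources carry; add `require => Package['iscsi-initiator-utils'],` and `tag => 'iscsid_config',` so the edit is applied only once the file exists and in the same ordering group. The `if $step >= 2` block this hunk closes starts in the previous hunk.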
@@ -18,18 +18,38 @@ require 'spec_helper'
 describe 'tripleo::profile::base::iscsid' do
   shared_examples_for 'tripleo::profile::base::iscsid' do
-    context 'default params' do
-      let(:params) { { :step => 2, } }
+    context 'with step less than 2' do
+      let(:params) { { :step => 1 } }
-      it {
+      it 'should do nothing' do
+        is_expected.to_not contain_package('iscsi-initiator-utils')
+        is_expected.to_not contain_exec('sync-iqn-from-host')
+        is_expected.to_not contain_exec('reset-iscsi-initiator-name')
+        is_expected.to_not contain_file('/etc/iscsi/.initiator_reset')
+        is_expected.to_not contain_exec('sync-iqn-to-host')
+        is_expected.to_not contain_augeas('chap_algs in /etc/iscsi/iscsid.conf')
+      end
+    end
+
+    context 'with step 2' do
+      let(:params) { {
+        :step      => 2,
+        :chap_algs => "SHA3-256,SHA256,SHA1",
+      } }
+
+      it 'should trigger complete configuration' do
         is_expected.to contain_package('iscsi-initiator-utils')
+        is_expected.to contain_exec('sync-iqn-from-host')
         is_expected.to contain_exec('reset-iscsi-initiator-name')
         is_expected.to contain_file('/etc/iscsi/.initiator_reset')
-      }
+        is_expected.to contain_exec('sync-iqn-to-host')
+        is_expected.to contain_augeas('chap_algs in /etc/iscsi/iscsid.conf')
+          .with_changes(
+            ["set node.session.auth.chap_algs #{params[:chap_algs]}"])
+      end
     end
   end
-
   on_supported_os.each do |os, facts|
     context "on #{os}" do
       let(:facts) do
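Review bot: The new `with step 2` example only exercises a string `chap_algs`, so the array form the class also accepts (via `any2array` + `join`) and the default list are untested, and a regression in the join or in the default would still pass. Add one context that passes an array and asserts the joined augeas change, and one that omits `chap_algs` and asserts the documented default. Both would sit after `with step 2` inside the shared examples.
```ruby
    # … unchanged: 'with step less than 2' and 'with step 2' contexts …

    context 'with step 2 and chap_algs given as an array' do
      let(:params) { {
        :step      => 2,
        :chap_algs => ['SHA3-256', 'SHA256'],
      } }

      it 'joins the algorithms with commas' do
        is_expected.to contain_augeas('chap_algs in /etc/iscsi/iscsid.conf')
          .with_changes(['set node.session.auth.chap_algs SHA3-256,SHA256'])
      end
    end

    context 'with step 2 and default chap_algs' do
      let(:params) { { :step => 2 } }

      it 'keeps the documented default list' do
        is_expected.to contain_augeas('chap_algs in /etc/iscsi/iscsid.conf')
          .with_changes(['set node.session.auth.chap_algs SHA3-256,SHA256,SHA1,MD5'])
      end
    end
```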