From 2368df7e6990a6c39bba14bd7e9a4fac8c95e97c Mon Sep 17 00:00:00 2001
From: Michael Fritch
Date: Mon, 26 Feb 2024 14:08:00 -0700
Subject: [PATCH] cephfs: return `ErrBadAuth` during keyFn retry

fscrypt will infinitely retry the keyFn during an auth failure, preventing the csi driver from progressing when configured with an invalid passphrase

See also: https://github.com/google/fscrypt/blob/8c12cd64ab471d0a73ef4c300d7c40077cad5d5d/actions/callback.go#L102-L106

Signed-off-by: Michael Fritch
---
 internal/util/fscrypt/fscrypt.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/internal/util/fscrypt/fscrypt.go b/internal/util/fscrypt/fscrypt.go
index 3b1d46b97..d7bbba556 100644
--- a/internal/util/fscrypt/fscrypt.go
+++ b/internal/util/fscrypt/fscrypt.go
@@ -58,6 +58,11 @@ var policyV2Support = []util.KernelVersion{
 },
 }
 
+// error values
+var (
+ ErrBadAuth = errors.New("key authentication check failed")
+)
+
 func AppendEncyptedSubdirectory(dir string) string {
 return path.Join(dir, FscryptSubdir)
 }
@@ -97,6 +102,10 @@ func createKeyFuncFromVolumeEncryption(
 volID string,
 ) (func(fscryptactions.ProtectorInfo, bool) (*fscryptcrypto.Key, error), error) {
 keyFunc := func(info fscryptactions.ProtectorInfo, retry bool) (*fscryptcrypto.Key, error) {
+ if retry {
+ return nil, ErrBadAuth
+ }
+
 passphrase, err := getPassphrase(ctx, encryption, volID)
 if err != nil {
 return nil, err
@@ -375,7 +384,7 @@ func Unlock(
 return err
 }
 
- // A proper set up fscrypy directory requires metadata and a kernel policy:
+ // A proper set up fscrypt directory requires metadata and a kernel policy:
 // 1. Do we have a metadata directory (.fscrypt) set up?
 metadataDirExists := false
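Review bot: The exported sentinel `ErrBadAuth` added in the new `var (...)` block has no doc comment; `// error values` does not meet the Go convention that an exported name's comment starts with the name, so godoc and lint tooling report nothing for it. Suggest replacing that line with `// ErrBadAuth is returned by the fscrypt key callback when fscrypt asks for a retry, i.e. the passphrase already supplied failed the protector's key authentication check.` The message text is the same one fscrypt's own crypto package uses for its bad-authentication error (the condition the referenced callback loop checks before setting `retry`), so if that symbol is exported in the vendored fscrypt version, defining this as `ErrBadAuth = fscryptcrypto.ErrBadAuth` would let `errors.Is` match either; two distinct errors carrying an identical message otherwise make log triage ambiguous.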
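Review bot: The new `if retry` early return says neither why a retry must fail nor which volume failed: per the fscrypt callback the commit references, `retry` is presumably true only after the key returned by the previous call failed the protector's authentication check, and because `getPassphrase(ctx, encryption, volID)` is a lookup rather than an interactive prompt, a second call can only hand back the same passphrase and loop forever — without that reasoning on the line, the guard reads as if it refuses a legitimate retry. A one-line comment such as `// fscrypt sets retry after the previous passphrase failed its key check; our passphrase is fixed per volume, so fail instead of looping` would do. Returning the bare sentinel also drops the volume identity by the time the error surfaces through fscrypt; `return nil, fmt.Errorf("volume %s: %w", volID, ErrBadAuth)` keeps `errors.Is(err, ErrBadAuth)` working while naming the volume (assuming `fmt` is already imported in this file). At this layer a wrong passphrase and tampered protector metadata presumably look identical (both fail the authentication check), so callers should log `ErrBadAuth` as a possible integrity failure rather than only a bad secret. createKeyFuncFromVolumeEncryption begins before this hunk and its body continues past it.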