tape: allocate new media set when pool encryption key changes

2021-01-20 11:24:58 +01:00 · 2021-01-20 11:24:58 +01:00 · 6dd0513546
parent 8abe51b71d
commit 6dd0513546
2 changed files with 25 additions and 2 deletions
--- a/docs/tape-backup.rst
+++ b/docs/tape-backup.rst
@ -426,6 +426,8 @@ one media pool, so a job only uses tapes from that pool.

   - Current set contains damaged of retired tapes.

+   - Media pool encryption changed
+
   - Database consistency errors, e.g. if the inventory does not
     contain required media info, or contain conflicting infos
     (outdated data).
--- a/src/tape/media_pool.rs
+++ b/src/tape/media_pool.rs
@ -421,7 +421,9 @@ impl MediaPool {
    /// longer because of consistency errors.
    pub fn current_set_usable(&self) -> Result<bool, Error> {

-        let media_count = self.current_media_set.media_list().len();
+        let media_list = self.current_media_set.media_list();
+
+        let media_count = media_list.len();
        if media_count == 0 {
            return Ok(false);
        }
@ -429,7 +431,9 @@ impl MediaPool {
        let set_uuid =  self.current_media_set.uuid();
        let mut last_is_writable = false;

-        for (seq, opt_uuid) in self.current_media_set.media_list().iter().enumerate() {
+        let mut last_enc: Option<Option<Fingerprint>> = None;
+
+        for (seq, opt_uuid) in media_list.iter().enumerate() {
            let uuid = match opt_uuid {
                None => bail!("media set is incomplete (missing media information)"),
                Some(uuid) => uuid,
@ -443,6 +447,23 @@ impl MediaPool {
                Some(MediaSetLabel { uuid, ..}) => bail!("media owner error ({} != {}", uuid, set_uuid),
                None => bail!("media owner error (no owner)"),
            }
+
+            if let Some(set) = media.media_set_label() { // always true here
+                if set.encryption_key_fingerprint != self.encrypt_fingerprint {
+                    bail!("pool encryption key changed");
+                }
+                match last_enc {
+                    None => {
+                        last_enc = Some(set.encryption_key_fingerprint.clone());
+                    }
+                    Some(ref last_enc) => {
+                        if last_enc != &set.encryption_key_fingerprint {
+                            bail!("inconsistent media encryption key");
+                        }
+                    }
+                }
+            }
+
            match media.status() {
                MediaStatus::Full => { /* OK */ },
                MediaStatus::Writable if (seq + 1) == media_count =>  {