From: Christopher Hoffman
Date: Mon, 24 Feb 2025 20:29:14 +0000 (+0000)
Subject: client: Add is_encrypted libcephfs api
X-Git-Tag: v21.0.0~231^2~10^2~78
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=e0c4040aa158dbfd36cc569bc1d350f5cbd07517;p=ceph.git

client: Add is_encrypted libcephfs api

Given a fd, will return if is encrypted or not. Optionally, an enctag will be returned if set.

Signed-off-by: Christopher Hoffman
---

diff --git a/src/client/Client.cc b/src/client/Client.cc
index 1528ff3a67d..1a6353a8eba 100644
--- a/src/client/Client.cc
+++ b/src/client/Client.cc
@@ -18526,6 +18526,28 @@ int Client::ll_set_fscrypt_policy_v2(Inode *in, const struct fscrypt_policy_v2&
 return 0;
 }
+int Client::is_encrypted(int fd, UserPerm& perms, char* enctag)
+{
+ Fh *f = get_filehandle(fd);
+ if (!f) {
+ return -EBADF;
+ }
+
+ Inode *in = f->inode.get();
+ if (in->is_encrypted()) {
+ int r = ll_getxattr(in, "user.ceph.subvolume.enctag", enctag, sizeof(enctag), perms);
+ // dir can be encrypted and xattr DNE if it isn't setup via mgr subvolume
+ // this is an expected scenario
+ if (r < 0) {
+ enctag = nullptr;
+ }
+
+ return 0;
+ }
+ enctag = nullptr;
+ return -EINVAL;
+}
+
 int Client::get_fscrypt_key_status(fscrypt_get_key_status_arg* arg) {
 ceph_fscrypt_key_identifier kid;
 int r = kid.init(arg->key_spec);
diff --git a/src/client/Client.h b/src/client/Client.h
index deb1c98066d..8bbe6731d78 100644
--- a/src/client/Client.h
+++ b/src/client/Client.h
@@ -388,6 +388,7 @@ public:
 int get_inode_flags(int fd, int* file_attr_out);
 int set_fscrypt_policy_v2(int fd, const struct fscrypt_policy_v2& policy);
+ int is_encrypted(int fd, UserPerm& perms, char* enctag);
 int mds_command(
 const std::string &mds_spec,
diff --git a/src/include/cephfs/libcephfs.h b/src/include/cephfs/libcephfs.h
index c839f0f55c8..33a9324d556 100644
--- a/src/include/cephfs/libcephfs.h
+++ b/src/include/cephfs/libcephfs.h
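Review bot: In `Client::is_encrypted` (src/client/Client.cc), `sizeof(enctag)` is the size of a `char*`, not of the caller's buffer, so `ll_getxattr` is always told the buffer holds pointer-size bytes: a caller buffer shorter than that can be overrun, and a tag longer than that presumably fails the size check and is then treated as "no tag" by the `r < 0` branch. Both `enctag = nullptr;` assignments only change the local copy of the parameter, so the caller cannot observe them, and a caller that passes NULL because the commit message calls the tag optional has that pointer handed to `ll_getxattr` with a non-zero size. The function needs an explicit buffer length, which would also have to be added to the Client.h, libcephfs.h and libcephfs.cc declarations in this commit, and the copied value should be NUL-terminated since the return code carries no length. Separately, `get_filehandle(fd)` is called here with no locking visible in the hunk; confirm against the sibling fd-based calls whether `client_lock` must be held.

```cpp
int Client::is_encrypted(int fd, UserPerm& perms, char* enctag, size_t enctag_len)
{
  // … unchanged: get_filehandle() lookup and -EBADF return …
  Inode *in = f->inode.get();
  if (!in->is_encrypted()) {
    return -EINVAL;
  }
  if (enctag == nullptr || enctag_len < 2) {
    return 0;  // caller only wants the encrypted / not-encrypted answer
  }

  // Keep one byte back so the tag is always NUL-terminated for C callers.
  int r = ll_getxattr(in, "user.ceph.subvolume.enctag", enctag, enctag_len - 1, perms);
  if (r == -ERANGE) {
    return r;  // tag is set but does not fit; do not report it as absent
  }
  // dir can be encrypted and xattr DNE if it isn't setup via mgr subvolume
  enctag[r > 0 ? r : 0] = '\0';
  return 0;
}
```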
@@ -2038,6 +2038,16 @@ int ceph_remove_fscrypt_key(struct ceph_mount_info *cmount,
 int ceph_set_fscrypt_policy_v2(struct ceph_mount_info *cmount,
 int fd, const struct fscrypt_policy_v2 *policy);
+/**
+ * Checks to see if encryption is set on a directory.
+ *
+ * @param cmount the ceph mount handle to use.
+ * @param fd open directory file descriptor
+ * @param enctag, if set on dir, will return non-nullptr
+ * @returns zero on success, other returns a negative error code.
+ */
+int ceph_is_encrypted(struct ceph_mount_info *cmount,
+ int fd, char* enctag);
 /**
 * Fill file_attr_out with content of i_flags
 * @param cmount the ceph mount handle to use.
diff --git a/src/libcephfs.cc b/src/libcephfs.cc
index d8f54032b0b..078acfdcc32 100644
--- a/src/libcephfs.cc
+++ b/src/libcephfs.cc
@@ -2543,6 +2543,15 @@ extern "C" int ceph_set_fscrypt_policy_v2(struct ceph_mount_info *cmount,
 return cmount->get_client()->set_fscrypt_policy_v2(fd, *policy);
 }
+extern "C" int ceph_is_encrypted(struct ceph_mount_info *cmount,
+ int fd, char* enctag)
+{
+ if (!cmount->is_mounted())
+ return -ENOTCONN;
+
+ return cmount->get_client()->is_encrypted(fd, cmount->default_perms, enctag);
+}
+
 // This is deprecated, use ceph_ll_register_callbacks2 instead.
 extern "C" void ceph_ll_register_callbacks(class ceph_mount_info *cmount,
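Review bot: The doc comment for `ceph_is_encrypted` in src/include/cephfs/libcephfs.h leaves out the return-code contract a caller needs: per the Client.cc and libcephfs.cc hunks, 0 means the inode is encrypted, -EINVAL means it is not, and -EBADF / -ENOTCONN are real errors, which is easy to misread for a function named like a predicate. The `@param enctag,` line has a stray comma after the parameter name and does not say who allocates the buffer, how large it must be, or whether the value is NUL-terminated. Suggested wording: `@param enctag caller-allocated buffer that receives the subvolume enctag when one is set` and `@returns 0 if the inode is encrypted, -EINVAL if it is not, -EBADF for an unknown fd, -ENOTCONN if not mounted`, plus one sentence giving the required buffer size.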