commit 00f000812ccfc719160c122803f07402665128eb
author Vladimir Khlyunev <vkhlyunev@mirantis.com> Tue Aug 02 13:57:12 2022 +0400
committer Vladimir Khlyunev <vkhlyunev@mirantis.com> Wed Aug 10 10:53:23 2022 +0000
tree 552c227fc8f429c5bfec819929565c193f6d3564
parent 86dce292de1d6d0d5cb8b17ba0db9f9187841106

Adjust check for ceph global id reclaim CVE

PROD-36942

Change-Id: I318ac7945ddd680eef1fe8b3ab973ad4473517fd

src/com/mirantis/mcp/UpgradeChecks.groovy

diff --git a/src/com/mirantis/mcp/UpgradeChecks.groovy b/src/com/mirantis/mcp/UpgradeChecks.groovy
index c9b0192..009dccd 100644
--- a/src/com/mirantis/mcp/UpgradeChecks.groovy
+++ b/src/com/mirantis/mcp/UpgradeChecks.groovy
@@ -138,18 +138,39 @@
 }
 
 def check_36461_2 (salt, venvPepper, String cluster_name, Boolean raise_exc) {
-    def cephMonPillar = salt.getPillar(venvPepper, 'I@ceph:mon', 'ceph:common:config:mon:auth_allow_insecure_global_id_reclaim').get("return")[0].values()[0]
-    def cephVersion = salt.getPillar(venvPepper, 'I@ceph:mon', 'ceph:common:version').get("return")[0].values()[0]
-    def waStatus = [prodId: "PROD-36461_2", isFixed: "", waInfo: ""]
-    if (cephMonPillar.toString().toLowerCase() != 'false' && cephVersion.toString().toLowerCase() == 'nautilus') {
+    def saltTarget = salt.getFirstMinion(venvPepper, 'I@ceph:mon')
+    def cephVersionNum = salt.cmdRun(venvPepper, saltTarget, "ceph version | awk '{print \$3}'").get('return')[0].values()[0].replaceAll('Salt command execution success', '').trim()
+    List cephVersion = cephVersionNum.tokenize('.')
+
+    def majorVersion = cephVersion[0].toInteger()
+    def minorVersion = cephVersion[1].toInteger()
+    def minorSubversion = cephVersion[2].toInteger()
+
+    def waStatus = [prodId: "PROD-36461,PROD-36942", isFixed: "", waInfo: ""]
+
+    def allowInsecureReclaimIdPillar = salt.getPillar(venvPepper, 'I@ceph:mon', 'ceph:common:config:mon:auth_allow_insecure_global_id_reclaim').get("return")[0].values()[0]
+    allowInsecureReclaimIdPillar = allowInsecureReclaimIdPillar.toString().toLowerCase().trim()
+
+    if (majorVersion >= 14 && minorVersion >= 2 && minorSubversion >= 20) {
+        if ( allowInsecureReclaimIdPillar == 'false' ){
+            waStatus.isFixed = "Installed ceph version is 14.2.20+ and insecure global reclaim_id is disabled. Nothing to do."
+            return waStatus
+        }
         waStatus.isFixed = "Work-around should be applied manually"
-        waStatus.waInfo = "See https://docs.mirantis.com/mcp/q4-18/mcp-release-notes/single/index.html#i-cve-2021-20288 for more info"
+        waStatus.waInfo = "Ceph is vulnerable for CVE-2021-20288. See https://docs.mirantis.com/mcp/q4-18/mcp-release-notes/single/index.html#i-cve-2021-20288 for more info"
         if (raise_exc) {
-            error('Needed option is not set.\n' +
-            waStatus.waInfo)
+            error('Option is not set to required value.\n' + waStatus.waInfo)
         }
         return waStatus
     }
-    waStatus.isFixed = "Work-around for PROD-36461_2 already applied, nothing todo"
+
+    if ( allowInsecureReclaimIdPillar == 'false' ) {
+        waStatus.isFixed = "Work-around should be applied manually"
+        waStatus.waInfo = "To upgrade ceph from version below 14.2.20 you MUST set ceph:common:config:mon:auth_allow_insecure_global_id_reclaim pillar to \"true\"."
+        if (raise_exc) {
+            error('Option is not set to required value.\n' + waStatus.waInfo)
+        }
+        return waStatus
+    }
     return waStatus
 }