Add marvin tests and command to revoke certificates

Author: nvazquez

api/src/org/apache/cloudstack/api/command/admin/direct/download/RevokeTemplateDirectDownloadCertificateCmd.java

@@ -0,0 +1,86 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command.admin.direct.download;
+
+import com.cloud.exception.ConcurrentOperationException;
+import com.cloud.exception.InsufficientCapacityException;
+import com.cloud.exception.NetworkRuleConflictException;
+import com.cloud.exception.ResourceAllocationException;
+import com.cloud.exception.ResourceUnavailableException;
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.SuccessResponse;
+import org.apache.cloudstack.context.CallContext;
+import org.apache.cloudstack.direct.download.DirectDownloadManager;
+import org.apache.log4j.Logger;
+
+import javax.inject.Inject;
+
+@APICommand(name = RevokeTemplateDirectDownloadCertificateCmd.APINAME,
+        description = "Revoke a certificate alias from a KVM host",
+        responseObject = SuccessResponse.class,
+        requestHasSensitiveInfo = true,
+        responseHasSensitiveInfo = true,
+        since = "4.11.3",
+        authorized = {RoleType.Admin})
+public class RevokeTemplateDirectDownloadCertificateCmd extends BaseCmd {
+
+    @Inject
+    DirectDownloadManager directDownloadManager;
+
+    private static final Logger LOG = Logger.getLogger(RevokeTemplateDirectDownloadCertificateCmd.class);
+    public static final String APINAME = "revokeTemplateDirectDownloadCertificate";
+
+    @Parameter(name = ApiConstants.NAME, type = BaseCmd.CommandType.STRING, required = true,
+            description = "alias of the SSL certificate")
+    private String certificateAlias;
+
+    @Parameter(name = ApiConstants.HYPERVISOR, type = BaseCmd.CommandType.STRING, required = true,
+            description = "Hypervisor type")
+    private String hypervisor;
+
+    @Override
+    public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException, ConcurrentOperationException, ResourceAllocationException, NetworkRuleConflictException {
+        if (!hypervisor.equalsIgnoreCase("kvm")) {
+            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Currently supporting KVM hosts only");
+        }
+        SuccessResponse response = new SuccessResponse(getCommandName());
+        try {
+            LOG.debug("Revoking certificate " + certificateAlias + " from " + hypervisor + " hosts");
+            boolean result = directDownloadManager.revokeCertificateAlias(certificateAlias, hypervisor);
+            response.setSuccess(result);
+            setResponseObject(response);
+        } catch (Exception e) {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, e.getMessage());
+        }
+    }
+
+    @Override
+    public String getCommandName() {
+        return APINAME.toLowerCase() + BaseCmd.RESPONSE_SUFFIX;
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        return CallContext.current().getCallingAccount().getId();
+    }
+}

api/src/org/apache/cloudstack/direct/download/DirectDownloadManager.java

@@ -22,4 +22,8 @@
 
 public interface DirectDownloadManager extends DirectDownloadService, PluggableService {
 
+    /**
+     * Revoke direct download certificate with alias 'alias' from hosts of hypervisor type 'hypervisor'
+     */
+    boolean revokeCertificateAlias(String certificateAlias, String hypervisor);
 }

core/src/org/apache/cloudstack/agent/directdownload/RevokeDirectDownloadCertificateCommand.java

@@ -0,0 +1,39 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+package org.apache.cloudstack.agent.directdownload;
+
+import com.cloud.agent.api.Command;
+
+public class RevokeDirectDownloadCertificateCommand extends Command {
+
+    private String certificateAlias;
+
+    public RevokeDirectDownloadCertificateCommand(final String alias) {
+        this.certificateAlias = alias;
+    }
+
+    public String getCertificateAlias() {
+        return certificateAlias;
+    }
+
+    @Override
+    public boolean executeInSequence() {
+        return false;
+    }
+}

plugins/hypervisors/kvm/src/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtRevokeDirectDownloadCertificateWrapper.java

@@ -0,0 +1,100 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package com.cloud.hypervisor.kvm.resource.wrapper;
+
+import com.cloud.agent.api.Answer;
+import com.cloud.hypervisor.kvm.resource.LibvirtComputingResource;
+import com.cloud.resource.CommandWrapper;
+import com.cloud.resource.ResourceWrapper;
+import com.cloud.utils.PropertiesUtil;
+import com.cloud.utils.exception.CloudRuntimeException;
+import com.cloud.utils.script.Script;
+import org.apache.cloudstack.agent.directdownload.RevokeDirectDownloadCertificateCommand;
+import org.apache.cloudstack.utils.security.KeyStoreUtils;
+import org.apache.log4j.Logger;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+
+import static org.apache.commons.lang.StringUtils.isBlank;
+
+@ResourceWrapper(handles =  RevokeDirectDownloadCertificateCommand.class)
+public class LibvirtRevokeDirectDownloadCertificateWrapper extends CommandWrapper<RevokeDirectDownloadCertificateCommand, Answer, LibvirtComputingResource> {
+
+    private static final Logger s_logger = Logger.getLogger(LibvirtRevokeDirectDownloadCertificateWrapper.class);
+
+    /**
+     * Retrieve agent.properties file
+     */
+    private File getAgentPropertiesFile() throws FileNotFoundException {
+        final File agentFile = PropertiesUtil.findConfigFile("agent.properties");
+        if (agentFile == null) {
+            throw new FileNotFoundException("Failed to find agent.properties file");
+        }
+        return agentFile;
+    }
+
+    /**
+     * Get the property 'keystore.passphrase' value from agent.properties file
+     */
+    private String getKeystorePassword(File agentFile) {
+        s_logger.debug("Retrieving keystore password from agent.properties file");
+        String privatePasswordFormat = "sed -n '/keystore.passphrase/p' '%s' 2>/dev/null  | sed 's/keystore.passphrase=//g' 2>/dev/null";
+        String privatePasswordCmd = String.format(privatePasswordFormat, agentFile.getAbsolutePath());
+        return Script.runSimpleBashScript(privatePasswordCmd);
+    }
+
+    /**
+     * Get keystore path
+     */
+    private String getKeyStoreFilePath(File agentFile) {
+        return agentFile.getParent() + "/" + KeyStoreUtils.KS_FILENAME;
+    }
+
+    @Override
+    public Answer execute(RevokeDirectDownloadCertificateCommand command, LibvirtComputingResource serverResource) {
+        String certificateAlias = command.getCertificateAlias();
+        try {
+            File agentFile = getAgentPropertiesFile();
+            String privatePassword = getKeystorePassword(agentFile);
+            if (isBlank(privatePassword)) {
+                return new Answer(command, false, "No password found for keystore: " + KeyStoreUtils.KS_FILENAME);
+            }
+
+            final String keyStoreFile = getKeyStoreFilePath(agentFile);
+
+            String checkCmd = String.format("keytool -list -alias %s -keystore %s -storepass %s",
+                    certificateAlias, keyStoreFile, privatePassword);
+            int existsCmdResult = Script.runSimpleBashScriptForExitValue(checkCmd);
+            if (existsCmdResult == 1) {
+                s_logger.debug("Certificate alias " + certificateAlias + " does not exist, no need to revoke it");
+            } else {
+                String revokeCmd = String.format("keytool -delete -alias %s -keystore %s -storepass %s",
+                        certificateAlias, keyStoreFile, privatePassword);
+                s_logger.debug("Revoking certificate alias " + certificateAlias + " from keystore " + keyStoreFile);
+                Script.runSimpleBashScriptForExitValue(revokeCmd);
+            }
+        } catch (FileNotFoundException | CloudRuntimeException e) {
+            s_logger.error("Error while setting up certificate " + certificateAlias, e);
+            return new Answer(command, false, e.getMessage());
+        }
+        return new Answer(command);
+    }
+}

server/src/com/cloud/server/ManagementServerImpl.java

@@ -65,6 +65,7 @@
 import org.apache.cloudstack.api.command.admin.config.ListHypervisorCapabilitiesCmd;
 import org.apache.cloudstack.api.command.admin.config.UpdateCfgCmd;
 import org.apache.cloudstack.api.command.admin.config.UpdateHypervisorCapabilitiesCmd;
+import org.apache.cloudstack.api.command.admin.direct.download.RevokeTemplateDirectDownloadCertificateCmd;
 import org.apache.cloudstack.api.command.admin.direct.download.UploadTemplateDirectDownloadCertificateCmd;
 import org.apache.cloudstack.api.command.admin.domain.CreateDomainCmd;
 import org.apache.cloudstack.api.command.admin.domain.DeleteDomainCmd;
@@ -3052,6 +3053,7 @@ public List<Class<?>> getCommands() {
         cmdList.add(CreateManagementNetworkIpRangeCmd.class);
         cmdList.add(DeleteManagementNetworkIpRangeCmd.class);
         cmdList.add(UploadTemplateDirectDownloadCertificateCmd.class);
+        cmdList.add(RevokeTemplateDirectDownloadCertificateCmd.class);
 
         // Out-of-band management APIs for admins
         cmdList.add(EnableOutOfBandManagementForHostCmd.class);

server/src/org/apache/cloudstack/direct/download/DirectDownloadManagerImpl.java

@@ -25,6 +25,8 @@
 import com.cloud.event.ActionEventUtils;
 import com.cloud.event.EventTypes;
 import com.cloud.event.EventVO;
+import com.cloud.exception.AgentUnavailableException;
+import com.cloud.exception.OperationTimedoutException;
 import com.cloud.host.Host;
 import com.cloud.host.HostVO;
 import com.cloud.host.Status;
@@ -62,6 +64,7 @@
 import org.apache.cloudstack.agent.directdownload.MetalinkDirectDownloadCommand;
 import org.apache.cloudstack.agent.directdownload.NfsDirectDownloadCommand;
 import org.apache.cloudstack.agent.directdownload.HttpsDirectDownloadCommand;
+import org.apache.cloudstack.agent.directdownload.RevokeDirectDownloadCertificateCommand;
 import org.apache.cloudstack.agent.directdownload.SetupDirectDownloadCertificateCommand;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.engine.subsystem.api.storage.DataStore;
@@ -400,4 +403,31 @@ protected boolean uploadCertificate(String certificate, String certificateName,
         s_logger.info("Certificate " + certificateName + " successfully uploaded to host: " + hostId);
         return true;
     }
+
+    @Override
+    public boolean revokeCertificateAlias(String certificateAlias, String hypervisor) {
+        HypervisorType hypervisorType = HypervisorType.getType(hypervisor);
+        List<HostVO> hosts = getRunningHostsToUploadCertificate(hypervisorType);
+        s_logger.info("Attempting to revoke certificate alias: " + certificateAlias + " from " + hosts.size() + " hosts");
+        if (CollectionUtils.isNotEmpty(hosts)) {
+            for (HostVO host : hosts) {
+                if (!revokeCertificateAliasFromHost(certificateAlias, host.getId())) {
+                    s_logger.error("Could not revoke certificate from host: " + host.getName() + " (" + host.getUuid() + ")");
+                    throw new CloudRuntimeException("Revoking certificate " + certificateAlias + " failed from host: " + host.getUuid());
+                }
+            }
+        }
+        return true;
+    }
+
+    protected boolean revokeCertificateAliasFromHost(String alias, Long hostId) {
+        RevokeDirectDownloadCertificateCommand cmd = new RevokeDirectDownloadCertificateCommand(alias);
+        try {
+            Answer answer = agentManager.send(hostId, cmd);
+            return answer != null && answer.getResult();
+        } catch (AgentUnavailableException | OperationTimedoutException e) {
+            s_logger.error("Error revoking certificate " + alias + " from host " + hostId, e);
+        }
+        return false;
+    }
 }

server/test/org/apache/cloudstack/direct/download/DirectDownloadManagerImplTest.java

@@ -51,25 +51,25 @@ public class DirectDownloadManagerImplTest {
     private static final String HTTP_HEADER_2 = "Accept-Encoding";
     private static final String HTTP_VALUE_2 = "gzip";
 
-    private static final String VALID_HUNDRED_YEARS_CERTIFICATE =
-            "MIIDSzCCAjMCFExHvjXI7ffTZqcH4urbc6bqazFaMA0GCSqGSIb3DQEBCwUAMGEx" +
-            "CzAJBgNVBAYTAkNTMQswCQYDVQQIDAJDUzELMAkGA1UEBwwCQ1MxCzAJBgNVBAoM" +
-            "AkNTMQswCQYDVQQLDAJDUzELMAkGA1UEAwwCQ1MxETAPBgkqhkiG9w0BCQEWAkNT" +
-            "MCAXDTE5MDQwMzEzMzgyOFoYDzIxMTkwMzEwMTMzODI4WjBhMQswCQYDVQQGEwJD" +
-            "UzELMAkGA1UECAwCQ1MxCzAJBgNVBAcMAkNTMQswCQYDVQQKDAJDUzELMAkGA1UE" +
-            "CwwCQ1MxCzAJBgNVBAMMAkNTMREwDwYJKoZIhvcNAQkBFgJDUzCCASIwDQYJKoZI" +
-            "hvcNAQEBBQADggEPADCCAQoCggEBANEuKuCOjnRJZtqBeKwZD4XNVDTKmxGLNJ3j" +
-            "6q71qlLa8quu115di6IxHkeerB9XnQMHHmqCv1qgpoWDuxA8uAra8T/teCvQjGRl" +
-            "lWDlBBajFZZ4Crsj0MxGIbuoHTQ4Ossyv3vJztbm+RZ79nTEA35xzQj7HxeFVyk+" +
-            "zqC6e4mMCzhI+UTKd3sOZBt8/y34egCv2UK9Lso9950dHnmlXYREd1j85Kestqjh" +
-            "tKntw3DLo5i8RLQ/11iW4Z+xOlL11ubhvJ0S8UAF5BU8pcLMNv+WztaoAAc3N+Yc" +
-            "WSTIXjQUtMT9TlHec8+NKlF9e62o4XMNHiaGEOf1idXC2URqqy8CAwEAATANBgkq" +
-            "hkiG9w0BAQsFAAOCAQEAFSAjv8dw0Lo8U7CsjWNlW/LBZdP9D54vx0kXOLyWjeYH" +
-            "7u4DTikoigjunm1lB5QPL2k5jSQEpTclcN313hMGCEMW9GZEtcSoUxqkiTEtKlyw" +
-            "cC/PO/NHHgDrp1Fg9yhUOLKXJyBp9bfjKtm2YqPNyrpTB5cLfjRp69Hx5G5KuKCm" +
-            "fAxcVdrfUluu6l+d4Y4FnuvS3rb9rDy/ES36SXczXNQFAzvI8ZuTlgxTRIvM184N" +
-            "GA0utaoFPJAzZ01HYlRSYmipHx6NZE7roTAC5wmT3R1jkFlfkw8LSBynsR6U6Vkw" +
-            "90kMmEH4NoYTV+mF4A0iY+NkEsuvnSsqheDknO/8OA==";
+    private static final String VALID_CERTIFICATE =
+            "MIIDSzCCAjMCFDa0LoW+1O8/cEwCI0nIqfl8c1TLMA0GCSqGSIb3DQEBCwUAMGEx\n" +
+            "CzAJBgNVBAYTAkNTMQswCQYDVQQIDAJDUzELMAkGA1UEBwwCQ1MxCzAJBgNVBAoM\n" +
+            "AkNTMQswCQYDVQQLDAJDUzELMAkGA1UEAwwCQ1MxETAPBgkqhkiG9w0BCQEWAkNT\n" +
+            "MCAXDTE5MDQyNDE1NTIzNVoYDzIwOTgwOTE1MTU1MjM1WjBhMQswCQYDVQQGEwJD\n" +
+            "UzELMAkGA1UECAwCQ1MxCzAJBgNVBAcMAkNTMQswCQYDVQQKDAJDUzELMAkGA1UE\n" +
+            "CwwCQ1MxCzAJBgNVBAMMAkNTMREwDwYJKoZIhvcNAQkBFgJDUzCCASIwDQYJKoZI\n" +
+            "hvcNAQEBBQADggEPADCCAQoCggEBAKstLRcMGCo6+2hojRMjEuuimnWp27yfYhDU\n" +
+            "w/Cj03MJe/KCOhwsDqX82QNIr/bNtLdFf2ZJEUQd08sLLlHeUy9y5aOcxt9SGx2j\n" +
+            "xolqO4MBL7BW3dklO0IvjaEfBeFP6udz8ajeVur/iPPZb2Edd0zlXuHvDozfQisv\n" +
+            "bpuJImnTUVx0ReCXP075PBGvlqQXW2uEht+E/w3H8/2rra3JFV6J5xc77KyQSq2t\n" +
+            "1+2ZU7PJiy/rppXf5rjTvNm6ydfag8/av7lcgs2ntdkK4koAmkmROhAwNonlL7cD\n" +
+            "xIC83cKOqOFiQXSwr1IgoLf7zBNafKoTlSb/ev6Zt18BXEMLGpkCAwEAATANBgkq\n" +
+            "hkiG9w0BAQsFAAOCAQEAVS5uWZRz2m3yx7EUQm47RTMW5WMXU4pI8D+N5WZ9xubY\n" +
+            "OqtU3r2OAYpfL/QO8iT7jcqNYGoDqe8ZjEaNvfxiTG8cOI6TSXhKBG6hjSaSFQSH\n" +
+            "OZ5mfstM36y/3ENFh6JCJ2ao1rgWSbfDRyAaHuvt6aCkaV6zRq2OMEgoJqZSgwxL\n" +
+            "QO230xa2hYgKXOePMVZyHFA2oKJtSOc3jCke9Y8zDUwm0McGdMRBD8tVB0rcaOqQ\n" +
+            "0PlDLjB9sQuhhLu8vjdgbznmPbUmMG7JN0yhT1eJbIX5ImXyh0DoTwiaGcYwW6Sq\n" +
+            "YodjXACsC37xaQXAPYBiaAs4iI80TJSx1DVFO1LV0g==";
 
     @Before
     public void setUp() {
@@ -127,13 +127,13 @@ public void testGetHeadersFromDetailsNonHttpHeaders() {
 
     @Test
     public void testCertificateSanityValidCertificate() {
-        String pretifiedCertificate = manager.getPretifiedCertificate(VALID_HUNDRED_YEARS_CERTIFICATE);
+        String pretifiedCertificate = manager.getPretifiedCertificate(VALID_CERTIFICATE);
         manager.certificateSanity(pretifiedCertificate);
     }
 
     @Test(expected = CloudRuntimeException.class)
     public void testCertificateSanityInvalidCertificate() {
-        String pretifiedCertificate = manager.getPretifiedCertificate(VALID_HUNDRED_YEARS_CERTIFICATE + "xxx");
+        String pretifiedCertificate = manager.getPretifiedCertificate(VALID_CERTIFICATE + "xxx");
         manager.certificateSanity(pretifiedCertificate);
     }
 }