Add revoke certificates API

Author: nvazquez

api/src/main/java/org/apache/cloudstack/api/command/admin/direct/download/RevokeTemplateDirectDownloadCertificateCmd.java

@@ -0,0 +1,88 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+package org.apache.cloudstack.api.command.admin.direct.download;
+
+import com.cloud.exception.ConcurrentOperationException;
+import com.cloud.exception.InsufficientCapacityException;
+import com.cloud.exception.NetworkRuleConflictException;
+import com.cloud.exception.ResourceAllocationException;
+import com.cloud.exception.ResourceUnavailableException;
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.SuccessResponse;
+import org.apache.cloudstack.context.CallContext;
+import org.apache.cloudstack.direct.download.DirectDownloadManager;
+import org.apache.log4j.Logger;
+
+import javax.inject.Inject;
+
+@APICommand(name = RevokeTemplateDirectDownloadCertificateCmd.APINAME,
+        description = "Revoke a certificate alias from a KVM host",
+        responseObject = SuccessResponse.class,
+        requestHasSensitiveInfo = true,
+        responseHasSensitiveInfo = true,
+        since = "4.13",
+        authorized = {RoleType.Admin})
+public class RevokeTemplateDirectDownloadCertificateCmd extends BaseCmd {
+
+    @Inject
+    DirectDownloadManager directDownloadManager;
+
+    private static final Logger LOG = Logger.getLogger(RevokeTemplateDirectDownloadCertificateCmd.class);
+    public static final String APINAME = "revokeTemplateDirectDownloadCertificate";
+
+    @Parameter(name = ApiConstants.NAME, type = BaseCmd.CommandType.STRING, required = true,
+            description = "alias of the SSL certificate")
+    private String certificateAlias;
+
+    @Parameter(name = ApiConstants.HYPERVISOR, type = BaseCmd.CommandType.STRING, required = true,
+            description = "Hypervisor type")
+    private String hypervisor;
+
+    @Override
+    public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException, ConcurrentOperationException, ResourceAllocationException, NetworkRuleConflictException {
+        if (!hypervisor.equalsIgnoreCase("kvm")) {
+            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Currently supporting KVM hosts only");
+        }
+        SuccessResponse response = new SuccessResponse(getCommandName());
+        try {
+            LOG.debug("Revoking certificate " + certificateAlias + " from " + hypervisor + " hosts");
+            boolean result = directDownloadManager.revokeCertificateAlias(certificateAlias, hypervisor);
+            response.setSuccess(result);
+            setResponseObject(response);
+        } catch (Exception e) {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, e.getMessage());
+        }
+    }
+
+    @Override
+    public String getCommandName() {
+        return APINAME.toLowerCase() + BaseCmd.RESPONSE_SUFFIX;
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        return CallContext.current().getCallingAccount().getId();
+    }
+}

api/src/main/java/org/apache/cloudstack/direct/download/DirectDownloadManager.java

@@ -22,4 +22,8 @@
 
 public interface DirectDownloadManager extends DirectDownloadService, PluggableService {
 
+    /**
+     * Revoke direct download certificate with alias 'alias' from hosts of hypervisor type 'hypervisor'
+     */
+    boolean revokeCertificateAlias(String certificateAlias, String hypervisor);
 }

core/src/main/java/org/apache/cloudstack/agent/directdownload/RevokeDirectDownloadCertificateCommand.java

@@ -0,0 +1,39 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+package org.apache.cloudstack.agent.directdownload;
+
+import com.cloud.agent.api.Command;
+
+public class RevokeDirectDownloadCertificateCommand extends Command {
+
+    private String certificateAlias;
+
+    public RevokeDirectDownloadCertificateCommand(final String alias) {
+        this.certificateAlias = alias;
+    }
+
+    public String getCertificateAlias() {
+        return certificateAlias;
+    }
+
+    @Override
+    public boolean executeInSequence() {
+        return false;
+    }
+}

plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtRevokeDirectDownloadCertificateWrapper.java

@@ -0,0 +1,106 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package com.cloud.hypervisor.kvm.resource.wrapper;
+
+import com.cloud.agent.api.Answer;
+import com.cloud.hypervisor.kvm.resource.LibvirtComputingResource;
+import com.cloud.resource.CommandWrapper;
+import com.cloud.resource.ResourceWrapper;
+import com.cloud.utils.PropertiesUtil;
+import com.cloud.utils.exception.CloudRuntimeException;
+import com.cloud.utils.script.Script;
+import org.apache.cloudstack.agent.directdownload.RevokeDirectDownloadCertificateCommand;
+import org.apache.cloudstack.utils.security.KeyStoreUtils;
+import org.apache.log4j.Logger;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+
+import static org.apache.commons.lang.StringUtils.isBlank;
+
+@ResourceWrapper(handles =  RevokeDirectDownloadCertificateCommand.class)
+public class LibvirtRevokeDirectDownloadCertificateWrapper extends CommandWrapper<RevokeDirectDownloadCertificateCommand, Answer, LibvirtComputingResource> {
+
+    private static final Logger s_logger = Logger.getLogger(LibvirtRevokeDirectDownloadCertificateWrapper.class);
+
+    /**
+     * Retrieve agent.properties file
+     */
+    private File getAgentPropertiesFile() throws FileNotFoundException {
+        final File agentFile = PropertiesUtil.findConfigFile("agent.properties");
+        if (agentFile == null) {
+            throw new FileNotFoundException("Failed to find agent.properties file");
+        }
+        return agentFile;
+    }
+
+    /**
+     * Get the property 'keystore.passphrase' value from agent.properties file
+     */
+    private String getKeystorePassword(File agentFile) {
+        String pass = null;
+        if (agentFile != null) {
+            try {
+                pass = PropertiesUtil.loadFromFile(agentFile).getProperty(KeyStoreUtils.KS_PASSPHRASE_PROPERTY);
+            } catch (IOException e) {
+                s_logger.error("Could not get 'keystore.passphrase' property value due to: " + e.getMessage());
+            }
+        }
+        return pass;
+    }
+
+    /**
+     * Get keystore path
+     */
+    private String getKeyStoreFilePath(File agentFile) {
+        return agentFile.getParent() + "/" + KeyStoreUtils.KS_FILENAME;
+    }
+
+    @Override
+    public Answer execute(RevokeDirectDownloadCertificateCommand command, LibvirtComputingResource serverResource) {
+        String certificateAlias = command.getCertificateAlias();
+        try {
+            File agentFile = getAgentPropertiesFile();
+            String privatePassword = getKeystorePassword(agentFile);
+            if (isBlank(privatePassword)) {
+                return new Answer(command, false, "No password found for keystore: " + KeyStoreUtils.KS_FILENAME);
+            }
+
+            final String keyStoreFile = getKeyStoreFilePath(agentFile);
+
+            String checkCmd = String.format("keytool -list -alias %s -keystore %s -storepass %s",
+                    certificateAlias, keyStoreFile, privatePassword);
+            int existsCmdResult = Script.runSimpleBashScriptForExitValue(checkCmd);
+            if (existsCmdResult == 1) {
+                s_logger.error("Certificate alias " + certificateAlias + " does not exist, no need to revoke it");
+            } else {
+                String revokeCmd = String.format("keytool -delete -alias %s -keystore %s -storepass %s",
+                        certificateAlias, keyStoreFile, privatePassword);
+                s_logger.debug("Revoking certificate alias " + certificateAlias + " from keystore " + keyStoreFile);
+                Script.runSimpleBashScriptForExitValue(revokeCmd);
+            }
+        } catch (FileNotFoundException | CloudRuntimeException e) {
+            s_logger.error("Error while setting up certificate " + certificateAlias, e);
+            return new Answer(command, false, e.getMessage());
+        }
+        return new Answer(command);
+    }
+}

server/src/main/java/com/cloud/server/ManagementServerImpl.java

@@ -65,6 +65,7 @@
 import org.apache.cloudstack.api.command.admin.config.ListHypervisorCapabilitiesCmd;
 import org.apache.cloudstack.api.command.admin.config.UpdateCfgCmd;
 import org.apache.cloudstack.api.command.admin.config.UpdateHypervisorCapabilitiesCmd;
+import org.apache.cloudstack.api.command.admin.direct.download.RevokeTemplateDirectDownloadCertificateCmd;
 import org.apache.cloudstack.api.command.admin.direct.download.UploadTemplateDirectDownloadCertificateCmd;
 import org.apache.cloudstack.api.command.admin.domain.CreateDomainCmd;
 import org.apache.cloudstack.api.command.admin.domain.DeleteDomainCmd;
@@ -3075,6 +3076,7 @@ public List<Class<?>> getCommands() {
         cmdList.add(CreateManagementNetworkIpRangeCmd.class);
         cmdList.add(DeleteManagementNetworkIpRangeCmd.class);
         cmdList.add(UploadTemplateDirectDownloadCertificateCmd.class);
+        cmdList.add(RevokeTemplateDirectDownloadCertificateCmd.class);
         cmdList.add(ListMgmtsCmd.class);
 
         // Out-of-band management APIs for admins

server/src/main/java/org/apache/cloudstack/direct/download/DirectDownloadManagerImpl.java

@@ -25,6 +25,8 @@
 import com.cloud.event.ActionEventUtils;
 import com.cloud.event.EventTypes;
 import com.cloud.event.EventVO;
+import com.cloud.exception.AgentUnavailableException;
+import com.cloud.exception.OperationTimedoutException;
 import com.cloud.host.Host;
 import com.cloud.host.HostVO;
 import com.cloud.host.Status;
@@ -62,6 +64,7 @@
 import org.apache.cloudstack.agent.directdownload.MetalinkDirectDownloadCommand;
 import org.apache.cloudstack.agent.directdownload.NfsDirectDownloadCommand;
 import org.apache.cloudstack.agent.directdownload.HttpsDirectDownloadCommand;
+import org.apache.cloudstack.agent.directdownload.RevokeDirectDownloadCertificateCommand;
 import org.apache.cloudstack.agent.directdownload.SetupDirectDownloadCertificateCommand;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.engine.subsystem.api.storage.DataStore;
@@ -403,4 +406,31 @@ protected boolean uploadCertificate(String certificate, String certificateName,
         return true;
     }
 
+    @Override
+    public boolean revokeCertificateAlias(String certificateAlias, String hypervisor) {
+        HypervisorType hypervisorType = HypervisorType.getType(hypervisor);
+        List<HostVO> hosts = getRunningHostsToUploadCertificate(hypervisorType);
+        s_logger.info("Attempting to revoke certificate alias: " + certificateAlias + " from " + hosts.size() + " hosts");
+        if (CollectionUtils.isNotEmpty(hosts)) {
+            for (HostVO host : hosts) {
+                if (!revokeCertificateAliasFromHost(certificateAlias, host.getId())) {
+                    String msg = "Could not revoke certificate from host: " + host.getName() + " (" + host.getUuid() + ")";
+                    s_logger.error(msg);
+                    throw new CloudRuntimeException(msg);
+                }
+            }
+        }
+        return true;
+    }
+
+    protected boolean revokeCertificateAliasFromHost(String alias, Long hostId) {
+        RevokeDirectDownloadCertificateCommand cmd = new RevokeDirectDownloadCertificateCommand(alias);
+        try {
+            Answer answer = agentManager.send(hostId, cmd);
+            return answer != null && answer.getResult();
+        } catch (AgentUnavailableException | OperationTimedoutException e) {
+            s_logger.error("Error revoking certificate " + alias + " from host " + hostId, e);
+        }
+        return false;
+    }
 }

test/integration/smoke/test_direct_download.py

@@ -27,7 +27,7 @@
 from marvin.lib.common import (get_pod,
                                get_zone)
 from nose.plugins.attrib import attr
-from marvin.cloudstackAPI import uploadTemplateDirectDownloadCertificate
+from marvin.cloudstackAPI import (uploadTemplateDirectDownloadCertificate, revokeTemplateDirectDownloadCertificate)
 from marvin.lib.decoratorGenerators import skipTestIf
 
 
@@ -120,6 +120,7 @@ def test_02_upload_direct_download_certificates(self):
 
         # Validate the following
         # 1. Valid certificates are uploaded to hosts
+        # 2. Revoke uploaded certificate from host
 
         cmd = uploadTemplateDirectDownloadCertificate.uploadTemplateDirectDownloadCertificateCmd()
         cmd.hypervisor = self.hypervisor
@@ -131,6 +132,15 @@ def test_02_upload_direct_download_certificates(self):
         except Exception as e:
             self.fail("Valid certificate must be uploaded")
 
+        revokecmd = revokeTemplateDirectDownloadCertificate.revokeTemplateDirectDownloadCertificateCmd()
+        revokecmd.hypervisor = self.hypervisor
+        revokecmd.name = cmd.name
+
+        try:
+            self.apiclient.revokeTemplateDirectDownloadCertificate(cmd)
+        except Exception as e:
+            self.fail("Uploaded certificates should be revoked when needed")
+
         return