Removed all reminants of the IdentityService. Created the KeysManager…

… to move the management

of keys out of management server

api/src/com/cloud/server/ResourceTag.java

@@ -24,25 +24,49 @@ public interface ResourceTag extends ControlledEntity, Identity, InternalIdentit
 
  // FIXME - extract enum to another interface as its used both by resourceTags and resourceMetaData code
  public enum ResourceObjectType {
- UserVm(true, true), Template(true, true), ISO(true, false), Volume(true, true), Snapshot(true, false), Network(true, true), Nic(false, true), LoadBalancer(true, true), PortForwardingRule(
- true, true), FirewallRule(true, true), SecurityGroup(true, false), PublicIpAddress(true, true), Project(true, false), Vpc(true, true), NetworkACL(true, true), StaticRoute(
- true, false), VMSnapshot(true, false), RemoteAccessVpn(true, true), Zone(false, true), ServiceOffering(false, true), Storage(false, true), PrivateGateway(false,
- true), NetworkACLList(false, true), VpnGateway(false, true), CustomerGateway(false, true), VpnConnection(false, true), User(true, true), DiskOffering(false, true);
+ UserVm(true, true),
+ Template(true, true),
+ ISO(true, false),
+ Volume(true, true),
+ Snapshot(true, false),
+ Network(true, true),
+ Nic(false, true),
+ LoadBalancer(true, true),
+ PortForwardingRule(true, true),
+ FirewallRule(true, true),
+ SecurityGroup(true, false),
+ PublicIpAddress(true, true),
+ Project(true, false),
+ Vpc(true, true),
+ NetworkACL(true, true),
+ StaticRoute(true, false),
+ VMSnapshot(true, false),
+ RemoteAccessVpn(true, true),
+ Zone(false, true),
+ ServiceOffering(false, true),
+ Storage(false, true),
+ PrivateGateway(false, true),
+ NetworkACLList(false, true),
+ VpnGateway(false, true),
+ CustomerGateway(false, true),
+ VpnConnection(false, true),
+ User(true, true),
+ DiskOffering(false, true);
 
  ResourceObjectType(boolean resourceTagsSupport, boolean resourceMetadataSupport) {
  this.resourceTagsSupport = resourceTagsSupport;
- this.metadataSupport = resourceMetadataSupport;
+ metadataSupport = resourceMetadataSupport;
  }
 
  private final boolean resourceTagsSupport;
  private final boolean metadataSupport;
 
  public boolean resourceTagsSupport() {
- return this.resourceTagsSupport;
+ return resourceTagsSupport;
  }
 
  public boolean resourceMetadataSupport() {
- return this.metadataSupport;
+ return metadataSupport;
  }
  }
 

api/src/org/apache/cloudstack/api/BaseCmd.java

@@ -26,14 +26,15 @@
 
 import javax.inject.Inject;
 
+import org.apache.log4j.Logger;
+
 import org.apache.cloudstack.affinity.AffinityGroupService;
 import org.apache.cloudstack.alert.AlertService;
 import org.apache.cloudstack.network.element.InternalLoadBalancerElementService;
 import org.apache.cloudstack.network.lb.ApplicationLoadBalancerService;
 import org.apache.cloudstack.network.lb.InternalLoadBalancerVMService;
 import org.apache.cloudstack.query.QueryService;
 import org.apache.cloudstack.usage.UsageService;
-import org.apache.log4j.Logger;
 
 import com.cloud.configuration.ConfigurationService;
 import com.cloud.domain.Domain;
@@ -153,8 +154,6 @@ public enum HTTPMethod {
  @Inject
  public ResourceLimitService _resourceLimitService;
  @Inject
- public IdentityService _identityService;
- @Inject
  public StorageNetworkService _storageNetworkService;
  @Inject
  public TaggedResourceService _taggedResourceService;
@@ -358,11 +357,11 @@ public static boolean isRootAdmin(short accountType) {
  }
 
  public void setFullUrlParams(Map<String, String> map) {
- this.fullUrlParams = map;
+ fullUrlParams = map;
  }
 
  public Map<String, String> getFullUrlParams() {
- return this.fullUrlParams;
+ return fullUrlParams;
  }
 
  public Long finalyzeAccountId(String accountName, Long domainId, Long projectId, boolean enabledOnly) {

awsapi/pom.xml

@@ -223,7 +223,6 @@
  <dependency>
  <groupId>org.slf4j</groupId>
  <artifactId>slf4j-api</artifactId>
- <version>1.6.1</version>
  <scope>runtime</scope>
  </dependency>
  <dependency>
@@ -271,8 +270,6 @@
  <dependency>
  <groupId>org.bouncycastle</groupId>
  <artifactId>bcprov-jdk16</artifactId>
- <!-- TODO: do we need this explicit version override? -->
- <version>1.45</version>
  <scope>runtime</scope>
  </dependency>
  <dependency>
@@ -320,7 +317,6 @@
  <plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-checkstyle-plugin</artifactId>
- <version>${cs.checkstyle.version}</version>
  <executions>
  <execution>
  <phase>none</phase>

deps/XenServerJava/pom.xml

@@ -40,7 +40,6 @@
  <plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-checkstyle-plugin</artifactId>
- <version>${cs.checkstyle.version}</version>
  <executions>
  <execution>
  <phase>none</phase>

engine/schema/resources/META-INF/cloudstack/core/spring-engine-schema-core-daos-context.xml

@@ -171,7 +171,6 @@
  <bean id="hostTagsDaoImpl" class="com.cloud.host.dao.HostTagsDaoImpl" />
  <bean id="hostTransferMapDaoImpl" class="com.cloud.cluster.agentlb.dao.HostTransferMapDaoImpl" />
  <bean id="iPAddressDaoImpl" class="com.cloud.network.dao.IPAddressDaoImpl" />
- <bean id="identityDaoImpl" class="com.cloud.uuididentity.dao.IdentityDaoImpl" />
  <bean id="imageStoreDaoImpl" class="org.apache.cloudstack.storage.image.db.ImageStoreDaoImpl" />
  <bean id="imageStoreDetailsDaoImpl" class="org.apache.cloudstack.storage.image.db.ImageStoreDetailsDaoImpl" /> 
  <bean id="imageStoreJoinDaoImpl" class="com.cloud.api.query.dao.ImageStoreJoinDaoImpl" /> 

engine/storage/integration-test/pom.xml

@@ -119,8 +119,6 @@
  <dependency>
  <groupId>org.apache.httpcomponents</groupId>
  <artifactId>httpclient</artifactId>
- <!-- TODO: Is this version override required -->
- <version>4.2.2</version>
  <scope>compile</scope>
  </dependency>
  <dependency>

framework/config/src/org/apache/cloudstack/framework/config/ConfigDepot.java

@@ -27,4 +27,6 @@ public interface ConfigDepot {
  ConfigKey<?> get(String paramName);
 
  Set<ConfigKey<?>> getConfigListByScope(String scope);
+
+ <T> void set(ConfigKey<T> key, T value);
 }

framework/config/src/org/apache/cloudstack/framework/config/impl/ConfigDepotImpl.java

@@ -172,7 +172,7 @@ public List<ScopedConfigStorage> getScopedStorages() {
 
  @Inject
  public void setScopedStorages(List<ScopedConfigStorage> scopedStorages) {
- this._scopedStorages = scopedStorages;
+ _scopedStorages = scopedStorages;
  }
 
  public List<Configurable> getConfigurables() {
@@ -181,12 +181,16 @@ public List<Configurable> getConfigurables() {
 
  @Inject
  public void setConfigurables(List<Configurable> configurables) {
- this._configurables = configurables;
+ _configurables = configurables;
  }
 
  @Override
  public Set<ConfigKey<?>> getConfigListByScope(String scope) {
  return _scopeLevelConfigsMap.get(ConfigKey.Scope.valueOf(scope));
  }
 
+ @Override
+ public <T> void set(ConfigKey<T> key, T value) {
+ _configDao.update(key.key(), value.toString());
+ }
 }

framework/security/pom.xml

@@ -25,7 +25,7 @@
  <artifactId>cloudstack-framework</artifactId>
  <version>4.4.0-SNAPSHOT</version>
  <relativePath>../pom.xml</relativePath>
- </parent> 
+ </parent>
  <dependencies>
  <dependency>
  <groupId>org.apache.cloudstack</groupId>
@@ -42,6 +42,10 @@
  <artifactId>cloud-framework-ipc</artifactId>
  <version>${project.version}</version>
  </dependency>
+ <dependency>
+ <groupId>commons-codec</groupId>
+ <artifactId>commons-codec</artifactId>
+ </dependency>
  <dependency>
  <groupId>org.apache.cloudstack</groupId>
  <artifactId>cloud-framework-db</artifactId>
@@ -51,6 +55,6 @@
  <groupId>org.apache.cloudstack</groupId>
  <artifactId>cloud-framework-config</artifactId>
  <version>${project.version}</version>
- </dependency> 
+ </dependency>
  </dependencies>
 </project>

framework/security/resources/META-INF/cloudstack/core/spring-framework-security-core-context.xml

@@ -28,4 +28,5 @@
  >
  <bean id="keystoreManagerImpl" class="org.apache.cloudstack.framework.security.keystore.KeystoreManagerImpl" />
  <bean id="keystoreDaoImpl" class="org.apache.cloudstack.framework.security.keystore.KeystoreDaoImpl" />
+ <bean id="keysManagerImpl" class="org.apache.cloudstack.framework.security.keys.KeysManagerImpl"/>
 </beans>

server/src/com/cloud/uuididentity/dao/IdentityVO.java → framework/security/src/org/apache/cloudstack/framework/security/keys/KeysManager.java

@@ -14,12 +14,25 @@
 // KIND, either express or implied. See the License for the
 // specific language governing permissions and limitations
 // under the License.
-package com.cloud.uuididentity.dao;
+package org.apache.cloudstack.framework.security.keys;
 
-import javax.persistence.Entity;
+import org.apache.cloudstack.framework.config.ConfigKey;
 
 /**
+ *
+ * Started this file to manage keys. Will be needed by other services.
+ *
  */
-@Entity
-public class IdentityVO {
+public interface KeysManager {
+ final ConfigKey<String> EncryptionKey = new ConfigKey<String>("Hidden", String.class, "security.encryption.key", null, "base64 encoded key data", false);
+ final ConfigKey<String> EncryptionIV = new ConfigKey<String>("Hidden", String.class, "security.encryption.iv", null, "base64 encoded IV data", false);
+ final ConfigKey<String> HashKey = new ConfigKey<String>("Hidden", String.class, "security.hash.key", null, "for generic key-ed hash", false);
+
+ String getEncryptionKey();
+
+ String getEncryptionIV();
+
+ void resetEncryptionKeyIV();
+
+ String getHashKey();
 }

framework/security/src/org/apache/cloudstack/framework/security/keys/KeysManagerImpl.java

@@ -0,0 +1,127 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http:https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.framework.security.keys;
+
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+
+import javax.inject.Inject;
+import javax.net.ssl.KeyManager;
+
+import org.apache.commons.codec.binary.Base64;
+import org.apache.log4j.Logger;
+
+import org.apache.cloudstack.framework.config.ConfigDepot;
+import org.apache.cloudstack.framework.config.ConfigKey;
+import org.apache.cloudstack.framework.config.Configurable;
+import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
+import org.apache.cloudstack.framework.config.impl.ConfigurationVO;
+
+import com.cloud.utils.db.DB;
+import com.cloud.utils.db.SearchBuilder;
+import com.cloud.utils.db.SearchCriteria;
+
+/**
+ * To be perfectly honest, I'm not sure why we need this class. This used
+ * to be in ManagementServerImpl. I moved the functionality because it seems
+ * many features will need this. However, the right thing will be for setup
+ * and upgrade to take care of key generation. Here, the methods appear to
+ * mainly be used for dynamic generation. I added this class because after
+ * talking to Kelven, we think there will be other functionalities we need
+ * to centralize to this class. We'll see how that works out.
+ *
+ * There's multiple problems here that we need to fix.
+ * - Multiple servers can be generating keys. This is not atomic.
+ * - The functionality of generating the keys should be moved over to setup/upgrade.
+ *
+ */
+public class KeysManagerImpl implements KeysManager, Configurable {
+ private static final Logger s_logger = Logger.getLogger(KeysManagerImpl.class);
+
+ @Inject
+ ConfigurationDao _configDao;
+ @Inject
+ ConfigDepot _configDepot;
+
+ @Override
+ public String getHashKey() {
+ String value = HashKey.value();
+ if (value == null) {
+ _configDepot.set(HashKey, getBase64EncodedRandomKey(128));
+ }
+
+ return HashKey.value();
+ }
+
+ @Override
+ public String getEncryptionKey() {
+ String value = EncryptionKey.value();
+ if (value == null) {
+ _configDepot.set(EncryptionKey, getBase64EncodedRandomKey(128));
+ }
+ return EncryptionKey.value();
+ }
+
+ @Override
+ public String getEncryptionIV() {
+ String value = EncryptionIV.value();
+ if (value == null) {
+ _configDepot.set(EncryptionIV, getBase64EncodedRandomKey(128));
+ }
+ return EncryptionIV.value();
+ }
+
+ private static String getBase64EncodedRandomKey(int nBits) {
+ SecureRandom random;
+ try {
+ random = SecureRandom.getInstance("SHA1PRNG");
+ byte[] keyBytes = new byte[nBits / 8];
+ random.nextBytes(keyBytes);
+ return Base64.encodeBase64URLSafeString(keyBytes);
+ } catch (NoSuchAlgorithmException e) {
+ s_logger.error("Unhandled exception: ", e);
+ }
+ return null;
+ }
+
+ @Override
+ @DB
+ public void resetEncryptionKeyIV() {
+
+ SearchBuilder<ConfigurationVO> sb = _configDao.createSearchBuilder();
+ sb.and("name1", sb.entity().getName(), SearchCriteria.Op.EQ);
+ sb.or("name2", sb.entity().getName(), SearchCriteria.Op.EQ);
+ sb.done();
+
+ SearchCriteria<ConfigurationVO> sc = sb.create();
+ sc.setParameters("name1", EncryptionKey.key());
+ sc.setParameters("name2", EncryptionIV.key());
+
+ _configDao.expunge(sc);
+ }
+
+ @Override
+ public String getConfigComponentName() {
+ return KeyManager.class.getSimpleName();
+ }
+
+ @Override
+ public ConfigKey<?>[] getConfigKeys() {
+ return new ConfigKey<?>[] {EncryptionKey, EncryptionIV, HashKey};
+ }
+
+}