<fix>[crypto]: secret get in vm pre instantiate

Resolves: ZSV-11630

Change-Id: I616a776e78666179637976616c776162616c6577

Author: zhong.zhou

compute/src/main/java/org/zstack/compute/vm/devices/DummyTpmEncryptedResourceKeyBackend.java

@@ -33,6 +33,11 @@ public String findKeyProviderNameByTpm(String tpmUuid) {
         return null;
     }
 
+    @Override
+    public Integer findKeyVersionByTpm(String tpmUuid) {
+        return null;
+    }
+
     @Override
     public String defaultKeyProviderUuid() {
         return null;

compute/src/main/java/org/zstack/compute/vm/devices/TpmEncryptedResourceKeyBackend.java

@@ -35,6 +35,11 @@ public interface TpmEncryptedResourceKeyBackend {
      */
     String findKeyProviderNameByTpm(String tpmUuid);
 
+    /**
+     * maybe null (when crypto module is not installed)
+     */
+    Integer findKeyVersionByTpm(String tpmUuid);
+
     /**
      * maybe null (when crypto module is not installed)
      */

header/src/main/java/org/zstack/header/keyprovider/EncryptedResourceKeyManager.java

@@ -87,6 +87,7 @@ class ResourceKeyResult {
         private String resourceType;
         private String keyProviderUuid;
         private String keyProviderName;
+        private Integer keyVersion;
         private String dekBase64;
         private String secretRef;
         private boolean createdNewKey;
@@ -124,6 +125,14 @@ public void setKeyProviderName(String keyProviderName) {
             this.keyProviderName = keyProviderName;
         }
 
+        public Integer getKeyVersion() {
+            return keyVersion;
+        }
+
+        public void setKeyVersion(Integer keyVersion) {
+            this.keyVersion = keyVersion;
+        }
+
         public String getDekBase64() {
             return dekBase64;
         }

header/src/main/java/org/zstack/header/secret/SecretHostDefineMsg.java

@@ -5,17 +5,17 @@
 import org.zstack.header.message.NeedReplyMessage;
 
 /**
- * Request to define secret on KVM host (for VM e.g. vTPM). Caller provides plaintext DEK (dekBase64).
- * Host seals it with host public key (HPKE) and sends envelope to agent.
- * vmUuid, purpose, providerName are required by key-agent for DEK cache key.
+ * Request to ensure secret on KVM host (for VM e.g. vTPM).
+ * Caller provides plaintext DEK (dekBase64), then host seals it with host public key
+ * and forwards the envelope to key-agent.
  */
 public class SecretHostDefineMsg extends NeedReplyMessage implements HostMessage {
     private String hostUuid;
     @NoLogging
     private String dekBase64;
     private String vmUuid;
     private String purpose;
-    private String providerName;
+    private Integer keyVersion;
     private String description;
 
     @Override
@@ -51,12 +51,12 @@ public void setPurpose(String purpose) {
         this.purpose = purpose;
     }
 
-    public String getProviderName() {
-        return providerName;
+    public Integer getKeyVersion() {
+        return keyVersion;
     }
 
-    public void setProviderName(String providerName) {
-        this.providerName = providerName;
+    public void setKeyVersion(Integer keyVersion) {
+        this.keyVersion = keyVersion;
     }
 
     public String getDescription() {

header/src/main/java/org/zstack/header/secret/SecretHostGetMsg.java

@@ -0,0 +1,47 @@
+package org.zstack.header.secret;
+
+import org.zstack.header.host.HostMessage;
+import org.zstack.header.message.NeedReplyMessage;
+
+/**
+ * Request to get an existing secret on KVM host by vmUuid, purpose and keyVersion.
+ */
+public class SecretHostGetMsg extends NeedReplyMessage implements HostMessage {
+    private String hostUuid;
+    private String vmUuid;
+    private String purpose;
+    private Integer keyVersion;
+
+    @Override
+    public String getHostUuid() {
+        return hostUuid;
+    }
+
+    public void setHostUuid(String hostUuid) {
+        this.hostUuid = hostUuid;
+    }
+
+    public String getVmUuid() {
+        return vmUuid;
+    }
+
+    public void setVmUuid(String vmUuid) {
+        this.vmUuid = vmUuid;
+    }
+
+    public String getPurpose() {
+        return purpose;
+    }
+
+    public void setPurpose(String purpose) {
+        this.purpose = purpose;
+    }
+
+    public Integer getKeyVersion() {
+        return keyVersion;
+    }
+
+    public void setKeyVersion(Integer keyVersion) {
+        this.keyVersion = keyVersion;
+    }
+}

header/src/main/java/org/zstack/header/secret/SecretHostGetReply.java

@@ -0,0 +1,18 @@
+package org.zstack.header.secret;
+
+import org.zstack.header.message.MessageReply;
+
+/** Reply for SecretHostGetMsg. */
+public class SecretHostGetReply extends MessageReply {
+    public static final String ERROR_CODE_SECRET_NOT_FOUND = "KEY_AGENT_SECRET_NOT_FOUND";
+
+    private String secretUuid;
+
+    public String getSecretUuid() {
+        return secretUuid;
+    }
+
+    public void setSecretUuid(String secretUuid) {
+        this.secretUuid = secretUuid;
+    }
+}

plugin/kvm/src/main/java/org/zstack/kvm/KVMAgentCommands.java

@@ -410,7 +410,7 @@ public static class SecretHostDefineCmd extends AgentCommand {
         private String encryptedDek;
         private String vmUuid;
         private String purpose;
-        private String providerName;
+        private Integer keyVersion;
         private String description;
 
         public String getEncryptedDek() {
@@ -437,12 +437,12 @@ public void setPurpose(String purpose) {
             this.purpose = purpose;
         }
 
-        public String getProviderName() {
-            return providerName;
+        public Integer getKeyVersion() {
+            return keyVersion;
         }
 
-        public void setProviderName(String providerName) {
-            this.providerName = providerName;
+        public void setKeyVersion(Integer keyVersion) {
+            this.keyVersion = keyVersion;
         }
 
         public String getDescription() {
@@ -466,6 +466,48 @@ public void setSecretUuid(String secretUuid) {
         }
     }
 
+    public static class SecretHostGetCmd extends AgentCommand {
+        private String vmUuid;
+        private String purpose;
+        private Integer keyVersion;
+
+        public String getVmUuid() {
+            return vmUuid;
+        }
+
+        public void setVmUuid(String vmUuid) {
+            this.vmUuid = vmUuid;
+        }
+
+        public String getPurpose() {
+            return purpose;
+        }
+
+        public void setPurpose(String purpose) {
+            this.purpose = purpose;
+        }
+
+        public Integer getKeyVersion() {
+            return keyVersion;
+        }
+
+        public void setKeyVersion(Integer keyVersion) {
+            this.keyVersion = keyVersion;
+        }
+    }
+
+    public static class SecretHostGetResponse extends AgentResponse {
+        private String secretUuid;
+
+        public String getSecretUuid() {
+            return secretUuid;
+        }
+
+        public void setSecretUuid(String secretUuid) {
+            this.secretUuid = secretUuid;
+        }
+    }
+
     public static class PingCmd extends AgentCommand {
         public String hostUuid;
         public Map<String, Object> configs;

plugin/kvm/src/main/java/org/zstack/kvm/KVMConstant.java

@@ -129,6 +129,7 @@ public interface KVMConstant {
     String KVM_GET_ENVELOPE_KEY_PATH = "/host/key/envelope/getEnvelopePublicKey";
     String KVM_ROTATE_ENVELOPE_KEY_PATH = "/host/key/envelope/rotateEnvelopeKey";
     String KVM_VERIFY_ENVELOPE_KEY_PATH = "/host/key/envelope/checkEnvelopeKey";
+    String KVM_GET_SECRET_PATH = "/host/key/envelope/getSecret";
     String KVM_ENSURE_SECRET_PATH = "/host/key/envelope/ensureSecret";
 
     /** HTTP timeout in seconds for envelope key sync (verify/create/rotate/get) to agent. */

plugin/kvm/src/main/java/org/zstack/kvm/KVMHost.java

@@ -57,6 +57,8 @@
 import org.zstack.header.host.MigrateVmOnHypervisorMsg.StorageMigrationPolicy;
 import org.zstack.header.secret.SecretHostDefineMsg;
 import org.zstack.header.secret.SecretHostDefineReply;
+import org.zstack.header.secret.SecretHostGetMsg;
+import org.zstack.header.secret.SecretHostGetReply;
 import org.zstack.header.message.APIMessage;
 import org.zstack.header.message.Message;
 import org.zstack.header.message.MessageReply;
@@ -750,6 +752,8 @@ protected void handleLocalMessage(Message msg) {
             handle((GetFileDownloadProgressMsg) msg);
         } else if (msg instanceof RestartKvmAgentMsg) {
             handle((RestartKvmAgentMsg) msg);
+        } else if (msg instanceof SecretHostGetMsg) {
+            handle((SecretHostGetMsg) msg);
         } else if (msg instanceof SecretHostDefineMsg) {
             handle((SecretHostDefineMsg) msg);
         } else {
@@ -5310,15 +5314,52 @@ public void handle(ErrorCode errCode, Map data) {
         }).start();
     }
 
+    private void handle(SecretHostGetMsg msg) {
+        SecretHostGetReply reply = new SecretHostGetReply();
+        if (StringUtils.isBlank(msg.getVmUuid()) || StringUtils.isBlank(msg.getPurpose()) || msg.getKeyVersion() == null) {
+            reply.setError(operr("vmUuid, purpose and keyVersion are required for get secret"));
+            bus.reply(msg, reply);
+            return;
+        }
+
+        String url = buildUrl(KVMConstant.KVM_GET_SECRET_PATH);
+        KVMAgentCommands.SecretHostGetCmd cmd = new KVMAgentCommands.SecretHostGetCmd();
+        cmd.setVmUuid(msg.getVmUuid());
+        cmd.setPurpose(msg.getPurpose());
+        cmd.setKeyVersion(msg.getKeyVersion());
+        restf.asyncJsonPost(url, cmd, new JsonAsyncRESTCallback<KVMAgentCommands.SecretHostGetResponse>(msg, reply) {
+            @Override
+            public void fail(ErrorCode err) {
+                reply.setError(err != null ? err : operr("get secret on agent failed"));
+                bus.reply(msg, reply);
+            }
+
+            @Override
+            public void success(KVMAgentCommands.SecretHostGetResponse rsp) {
+                if (rsp != null && rsp.isSuccess()) {
+                    reply.setSecretUuid(rsp.getSecretUuid());
+                } else {
+                    reply.setError(buildSecretAgentError(rsp, "get secret failed"));
+                }
+                bus.reply(msg, reply);
+            }
+
+            @Override
+            public Class<KVMAgentCommands.SecretHostGetResponse> getReturnClass() {
+                return KVMAgentCommands.SecretHostGetResponse.class;
+            }
+        }, TimeUnit.SECONDS, KVMConstant.ENVELOPE_KEY_HTTP_TIMEOUT_SEC);
+    }
+
     private void handle(SecretHostDefineMsg msg) {
         SecretHostDefineReply reply = new SecretHostDefineReply();
         if (org.apache.commons.lang.StringUtils.isBlank(msg.getDekBase64())) {
             reply.setError(operr("dekBase64 is required"));
             bus.reply(msg, reply);
             return;
         }
-        if (StringUtils.isBlank(msg.getVmUuid()) || StringUtils.isBlank(msg.getPurpose()) || StringUtils.isBlank(msg.getProviderName())) {
-            reply.setError(operr("vmUuid, purpose and providerName are required for ensure secret"));
+        if (StringUtils.isBlank(msg.getVmUuid()) || StringUtils.isBlank(msg.getPurpose()) || msg.getKeyVersion() == null) {
+            reply.setError(operr("vmUuid, purpose and keyVersion are required for ensure secret"));
             bus.reply(msg, reply);
             return;
         }
@@ -5396,7 +5437,7 @@ private void handle(SecretHostDefineMsg msg) {
         cmd.setEncryptedDek(envelopeDekBase64);
         cmd.setVmUuid(msg.getVmUuid());
         cmd.setPurpose(msg.getPurpose());
-        cmd.setProviderName(msg.getProviderName());
+        cmd.setKeyVersion(msg.getKeyVersion());
         cmd.setDescription(msg.getDescription() != null ? msg.getDescription() : "");
         restf.asyncJsonPost(url, cmd, new JsonAsyncRESTCallback<KVMAgentCommands.SecretHostDefineResponse>(msg, reply) {
             @Override
@@ -5412,14 +5453,7 @@ public void success(KVMAgentCommands.SecretHostDefineResponse rsp) {
                         reply.setSecretUuid(rsp.getSecretUuid());
                     }
                 } else {
-                    if (rsp != null && rsp.getError() != null) {
-                        ErrorCode err = new ErrorCode();
-                        err.setCode(rsp.getError());
-                        err.setDetails(rsp.getError());
-                        reply.setError(err);
-                    } else {
-                        reply.setError(operr(rsp != null ? rsp.getError() : "ensure secret failed"));
-                    }
+                    reply.setError(buildSecretAgentError(rsp, "ensure secret failed"));
                 }
                 bus.reply(msg, reply);
             }
@@ -5431,6 +5465,16 @@ public Class<KVMAgentCommands.SecretHostDefineResponse> getReturnClass() {
         }, TimeUnit.SECONDS, KVMConstant.ENVELOPE_KEY_HTTP_TIMEOUT_SEC);
     }
 
+    private ErrorCode buildSecretAgentError(KVMAgentCommands.AgentResponse rsp, String defaultMessage) {
+        if (rsp != null && rsp.getError() != null) {
+            ErrorCode err = new ErrorCode();
+            err.setCode(rsp.getError());
+            err.setDetails(rsp.getError());
+            return err;
+        }
+        return operr(defaultMessage);
+    }
+
     @Override
     protected void deleteTakeOverFlag(Completion completion) {
         if (CoreGlobalProperty.UNIT_TEST_ON) {