<fix>[kms]: add test case for delete secret

Resolves: ZSV-11630

Author: zhijian.liu

conf/springConfigXml/Kvm.xml

@@ -256,7 +256,9 @@
         <zstack:plugin>
             <zstack:extension interface="org.zstack.kvm.KVMStartVmExtensionPoint" />
             <zstack:extension interface="org.zstack.header.vm.PreVmInstantiateResourceExtensionPoint" />
+            <zstack:extension interface="org.zstack.header.vm.VmInstanceMigrateExtensionPoint" />
             <zstack:extension interface="org.zstack.header.vm.VmAfterExpungeExtensionPoint" />
+            <zstack:extension interface="org.zstack.header.vm.VmStateChangedExtensionPoint" />
         </zstack:plugin>
     </bean>
 

header/src/main/java/org/zstack/header/secret/SecretHostDeleteMsg.java

@@ -3,10 +3,6 @@
 import org.zstack.header.host.HostMessage;
 import org.zstack.header.message.NeedReplyMessage;
 
-/**
- * Request to delete existing secret on KVM host by vmUuid/purpose/keyVersion.
- * keyVersion can be null, then agent may remove all matched versions for the vm+purpose.
- */
 public class SecretHostDeleteMsg extends NeedReplyMessage implements HostMessage {
     private String hostUuid;
     private String vmUuid;

plugin/kvm/src/main/java/org/zstack/kvm/KVMAgentCommands.java

@@ -412,6 +412,7 @@ public static class SecretHostDefineCmd extends AgentCommand {
         private String purpose;
         private Integer keyVersion;
         private String description;
+        private String usageInstance;
 
         public String getEncryptedDek() {
             return encryptedDek;
@@ -452,6 +453,14 @@ public String getDescription() {
         public void setDescription(String description) {
             this.description = description;
         }
+
+        public String getUsageInstance() {
+            return usageInstance;
+        }
+
+        public void setUsageInstance(String usageInstance) {
+            this.usageInstance = usageInstance;
+        }
     }
 
     public static class SecretHostDefineResponse extends AgentResponse {
@@ -470,6 +479,7 @@ public static class SecretHostGetCmd extends AgentCommand {
         private String vmUuid;
         private String purpose;
         private Integer keyVersion;
+        private String usageInstance;
 
         public String getVmUuid() {
             return vmUuid;
@@ -494,6 +504,14 @@ public Integer getKeyVersion() {
         public void setKeyVersion(Integer keyVersion) {
             this.keyVersion = keyVersion;
         }
+
+        public String getUsageInstance() {
+            return usageInstance;
+        }
+
+        public void setUsageInstance(String usageInstance) {
+            this.usageInstance = usageInstance;
+        }
     }
 
     public static class SecretHostGetResponse extends AgentResponse {
@@ -512,6 +530,7 @@ public static class SecretHostDeleteCmd extends AgentCommand {
         private String vmUuid;
         private String purpose;
         private Integer keyVersion;
+        private String usageInstance;
 
         public String getVmUuid() {
             return vmUuid;
@@ -536,6 +555,14 @@ public Integer getKeyVersion() {
         public void setKeyVersion(Integer keyVersion) {
             this.keyVersion = keyVersion;
         }
+
+        public String getUsageInstance() {
+            return usageInstance;
+        }
+
+        public void setUsageInstance(String usageInstance) {
+            this.usageInstance = usageInstance;
+        }
     }
 
     public static class SecretHostDeleteResponse extends AgentResponse {

plugin/kvm/src/main/java/org/zstack/kvm/KVMConstant.java

@@ -138,6 +138,7 @@ public interface KVMConstant {
 
     /** Max size in bytes for DEK payload in SecretHostDefine (decoded from dekBase64). */
     int MAX_DEK_BYTES = 1024;
+    String HOST_SECRET_USAGE_INSTANCE_VTPM = "tpm0";
 
     String KVM_HOST_FILE_DOWNLOAD_PATH = "/host/file/download";
     String KVM_HOST_FILE_UPLOAD_PATH = "/host/file/upload";

plugin/kvm/src/main/java/org/zstack/kvm/KVMHost.java

@@ -5327,11 +5327,14 @@ private void handle(SecretHostGetMsg msg) {
         }
 
         String url = buildUrl(KVMConstant.KVM_GET_SECRET_PATH);
+        Map<String, String> headers = new HashMap<>();
+        headers.put(Constants.AGENT_HTTP_HEADER_RESOURCE_UUID, getSelf().getUuid());
         KVMAgentCommands.SecretHostGetCmd cmd = new KVMAgentCommands.SecretHostGetCmd();
         cmd.setVmUuid(msg.getVmUuid());
         cmd.setPurpose(msg.getPurpose());
         cmd.setKeyVersion(msg.getKeyVersion());
-        restf.asyncJsonPost(url, cmd, new JsonAsyncRESTCallback<KVMAgentCommands.SecretHostGetResponse>(msg, reply) {
+        cmd.setUsageInstance(KVMConstant.HOST_SECRET_USAGE_INSTANCE_VTPM);
+        restf.asyncJsonPost(url, cmd, headers, new JsonAsyncRESTCallback<KVMAgentCommands.SecretHostGetResponse>(msg, reply) {
             @Override
             public void fail(ErrorCode err) {
                 reply.setError(err != null ? err : operr("get secret on agent failed"));
@@ -5437,13 +5440,16 @@ private void handle(SecretHostDefineMsg msg) {
         }
         String envelopeDekBase64 = java.util.Base64.getEncoder().encodeToString(envelope);
         String url = buildUrl(KVMConstant.KVM_ENSURE_SECRET_PATH);
+        Map<String, String> headers = new HashMap<>();
+        headers.put(Constants.AGENT_HTTP_HEADER_RESOURCE_UUID, getSelf().getUuid());
         KVMAgentCommands.SecretHostDefineCmd cmd = new KVMAgentCommands.SecretHostDefineCmd();
         cmd.setEncryptedDek(envelopeDekBase64);
         cmd.setVmUuid(msg.getVmUuid());
         cmd.setPurpose(msg.getPurpose());
         cmd.setKeyVersion(msg.getKeyVersion());
         cmd.setDescription(msg.getDescription() != null ? msg.getDescription() : "");
-        restf.asyncJsonPost(url, cmd, new JsonAsyncRESTCallback<KVMAgentCommands.SecretHostDefineResponse>(msg, reply) {
+        cmd.setUsageInstance(KVMConstant.HOST_SECRET_USAGE_INSTANCE_VTPM);
+        restf.asyncJsonPost(url, cmd, headers, new JsonAsyncRESTCallback<KVMAgentCommands.SecretHostDefineResponse>(msg, reply) {
             @Override
             public void fail(ErrorCode err) {
                 reply.setError(err != null ? err : operr("ensure secret on agent failed"));
@@ -5476,24 +5482,41 @@ private void handle(SecretHostDeleteMsg msg) {
             bus.reply(msg, reply);
             return;
         }
+        if (msg.getKeyVersion() == null) {
+            logger.debug(String.format(
+                    "skip delete host secret on host[uuid:%s]: keyVersion is null (vm[uuid:%s], purpose:%s)",
+                    getSelf().getUuid(), msg.getVmUuid(), msg.getPurpose()));
+            bus.reply(msg, reply);
+            return;
+        }
 
         String url = buildUrl(KVMConstant.KVM_DELETE_SECRET_PATH);
+        Map<String, String> headers = new HashMap<>();
+        headers.put(Constants.AGENT_HTTP_HEADER_RESOURCE_UUID, getSelf().getUuid());
         KVMAgentCommands.SecretHostDeleteCmd cmd = new KVMAgentCommands.SecretHostDeleteCmd();
         cmd.setVmUuid(msg.getVmUuid());
         cmd.setPurpose(msg.getPurpose());
         cmd.setKeyVersion(msg.getKeyVersion());
+        cmd.setUsageInstance(KVMConstant.HOST_SECRET_USAGE_INSTANCE_VTPM);
 
-        restf.asyncJsonPost(url, cmd, new JsonAsyncRESTCallback<KVMAgentCommands.SecretHostDeleteResponse>(msg, reply) {
+        restf.asyncJsonPost(url, cmd, headers, new JsonAsyncRESTCallback<KVMAgentCommands.SecretHostDeleteResponse>(msg, reply) {
             @Override
             public void fail(ErrorCode err) {
-                reply.setError(err != null ? err : operr("delete secret on agent failed"));
+                logger.warn(String.format(
+                        "best-effort delete secret on agent failed on host[uuid:%s] for vm[uuid:%s]: %s",
+                        getSelf().getUuid(), msg.getVmUuid(),
+                        err != null ? err.getDetails() : "unknown error"));
                 bus.reply(msg, reply);
             }
 
             @Override
             public void success(KVMAgentCommands.SecretHostDeleteResponse rsp) {
                 if (rsp == null || !rsp.isSuccess()) {
-                    reply.setError(buildSecretAgentError(rsp, "delete secret failed"));
+                    ErrorCode agentErr = buildSecretAgentError(rsp, "delete secret failed");
+                    logger.warn(String.format(
+                            "best-effort delete secret on agent failed on host[uuid:%s] for vm[uuid:%s]: %s",
+                            getSelf().getUuid(), msg.getVmUuid(),
+                            agentErr.getDetails()));
                 }
                 bus.reply(msg, reply);
             }
@@ -5506,13 +5529,34 @@ public Class<KVMAgentCommands.SecretHostDeleteResponse> getReturnClass() {
     }
 
     private ErrorCode buildSecretAgentError(KVMAgentCommands.AgentResponse rsp, String defaultMessage) {
-        if (rsp != null && rsp.getError() != null) {
+        String raw = rsp != null ? StringUtils.trimToNull(rsp.getError()) : null;
+        if (raw == null) {
+            return operr(defaultMessage);
+        }
+        String stable = stableKeyAgentErrorCodeFromRawMessage(raw);
+        if (stable != null) {
             ErrorCode err = new ErrorCode();
-            err.setCode(rsp.getError());
-            err.setDetails(rsp.getError());
+            err.setCode(stable);
+            err.setDetails(raw);
             return err;
         }
-        return operr(defaultMessage);
+        return operr("%s: %s", defaultMessage, raw);
+    }
+
+    private static String stableKeyAgentErrorCodeFromRawMessage(String raw) {
+        String t = raw.trim();
+        int colon = t.indexOf(':');
+        String head = (colon >= 0 ? t.substring(0, colon) : t).trim();
+        if (head.isEmpty()) {
+            return null;
+        }
+        if (SecretHostGetReply.ERROR_CODE_SECRET_NOT_FOUND.equals(head)) {
+            return head;
+        }
+        if (head.startsWith("KEY_AGENT_")) {
+            return head;
+        }
+        return null;
     }
 
     @Override

plugin/kvm/src/main/java/org/zstack/kvm/tpm/KvmTpmExtensions.java

@@ -2,6 +2,7 @@
 
 import org.apache.commons.lang.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.zstack.compute.vm.VmGlobalConfig;
 import org.zstack.compute.vm.devices.TpmEncryptedResourceKeyBackend;
 import org.zstack.compute.vm.devices.TpmEncryptedResourceKeyBackend.CloneEncryptedResourceKeyContext;
 import org.zstack.core.Platform;
@@ -42,7 +43,9 @@
 import org.zstack.header.vm.VmInstanceInventory;
 import org.zstack.header.vm.VmInstanceMigrateExtensionPoint;
 import org.zstack.header.vm.VmInstanceSpec;
+import org.zstack.header.vm.VmInstanceState;
 import org.zstack.header.vm.VmInstantiateResourceException;
+import org.zstack.header.vm.VmStateChangedExtensionPoint;
 import org.zstack.header.vm.additions.VmHostBackupFileVO;
 import org.zstack.header.vm.additions.VmHostBackupFileVO_;
 import org.zstack.header.vm.VmInstanceVO;
@@ -69,7 +72,8 @@
 public class KvmTpmExtensions implements KVMStartVmExtensionPoint,
         PreVmInstantiateResourceExtensionPoint,
         VmInstanceMigrateExtensionPoint,
-        VmAfterExpungeExtensionPoint {
+        VmAfterExpungeExtensionPoint,
+        VmStateChangedExtensionPoint {
     private static final CLogger logger = Utils.getLogger(KvmTpmExtensions.class);
 
     @Autowired
@@ -220,7 +224,6 @@ public void run(FlowTrigger trigger, Map data) {
                     @Override
                     public void success() {
                         context.providerUuid = resourceKeyBackend.findKeyProviderUuidByTpm(context.tpmUuid);
-                        context.providerName = resourceKeyBackend.findKeyProviderNameByTpm(context.tpmUuid);
                         trigger.next();
                     }
 
@@ -322,9 +325,7 @@ public void run(MessageReply reply) {
                         }
 
                         ErrorCode errorCode = reply.getError();
-                        if (errorCode != null
-                                && (SecretHostGetReply.ERROR_CODE_SECRET_NOT_FOUND.equals(errorCode.getCode())
-                                || SecretHostGetReply.ERROR_CODE_SECRET_NOT_FOUND.equals(errorCode.getDetails()))) {
+                        if (errorCode != null && isVtpmSecretNotFoundOnHost(errorCode)) {
                             trigger.next();
                             return;
                         }
@@ -527,6 +528,27 @@ public void afterMigrateVm(VmInstanceInventory inv, String srcHostUuid, NoErrorC
         completion.done();
     }
 
+    @Override
+    public void vmStateChanged(VmInstanceInventory vm, VmInstanceState oldState, VmInstanceState newState) {
+        if (oldState != VmInstanceState.VolumeMigrating) {
+            return;
+        }
+
+        String vmUuid = vm == null ? null : vm.getUuid();
+        String srcHostUuid = vm == null ? null : vm.getLastHostUuid();
+        String destHostUuid = vm == null ? null : vm.getHostUuid();
+        if (StringUtils.isBlank(vmUuid) || StringUtils.isBlank(srcHostUuid) || srcHostUuid.equals(destHostUuid)) {
+            return;
+        }
+
+        if (!isVmCurrentlyOnExpectedHost(vmUuid, destHostUuid)) {
+            return;
+        }
+
+        Integer keyVersion = findTpmKeyVersionByVmUuid(vmUuid);
+        deleteHostSecretBestEffort(srcHostUuid, vmUuid, keyVersion, "volume-migrated-host-change");
+    }
+
     @Override
     public void vmAfterExpunge(VmInstanceInventory vm) {
         String vmUuid = vm.getUuid();
@@ -572,8 +594,16 @@ private boolean isVmCurrentlyOnExpectedHost(String vmUuid, String expectedHostUu
         return expectedHostUuid.equals(currentHostUuid);
     }
 
+    private static boolean isVtpmSecretNotFoundOnHost(ErrorCode errorCode) {
+        if (SecretHostGetReply.ERROR_CODE_SECRET_NOT_FOUND.equals(errorCode.getCode())) {
+            return true;
+        }
+        String details = errorCode.getDetails();
+        return details != null && details.contains(SecretHostGetReply.ERROR_CODE_SECRET_NOT_FOUND);
+    }
+
     private void deleteHostSecretBestEffort(String hostUuid, String vmUuid, Integer keyVersion, String reason) {
-        if (StringUtils.isBlank(hostUuid) || StringUtils.isBlank(vmUuid)) {
+        if (StringUtils.isBlank(hostUuid) || StringUtils.isBlank(vmUuid) || keyVersion == null) {
             return;
         }
 
@@ -587,9 +617,11 @@ private void deleteHostSecretBestEffort(String hostUuid, String vmUuid, Integer
             @Override
             public void run(MessageReply reply) {
                 if (!reply.isSuccess()) {
+                    ErrorCode err = reply.getError();
+                    String errMsg = err != null && err.getDetails() != null ? err.getDetails() : "unknown error";
                     logger.warn(String.format(
                             "best-effort delete host secret failed on %s for vm[uuid:%s], host[uuid:%s]: %s",
-                            reason, vmUuid, hostUuid, reply.getError().getDetails()));
+                            reason, vmUuid, hostUuid, errMsg));
                 }
             }
         });

plugin/kvm/src/main/java/org/zstack/kvm/tpm/KvmTpmManager.java

@@ -420,8 +420,10 @@ public void done(ErrorCodeList errorCodeList) {
                             @Override
                             public void run(MessageReply reply) {
                                 if (!reply.isSuccess()) {
+                                    ErrorCode err = reply.getError();
+                                    String errMsg = err != null && err.getDetails() != null ? err.getDetails() : "unknown error";
                                     logger.warn(String.format("failed to delete host secret on host[uuid:%s] for vm[uuid:%s], continue cleanup: %s",
-                                            hostUuid, context.vmInstanceUuid, reply.getError().getDetails()));
+                                            hostUuid, context.vmInstanceUuid, errMsg));
                                 }
                                 whileCompletion.done();
                             }
@@ -717,6 +719,10 @@ public void done(ErrorCodeList errorCodeList) {
                 .build())
             .then(Flow.of("delete-host-secret")
                 .handle(trigger -> {
+                    if (context.keyVersion == null) {
+                        trigger.next();
+                        return;
+                    }
                     Set<String> hostUuids = new HashSet<>();
                     for (VmHostFileVO file : context.hostFiles) {
                         hostUuids.add(file.getHostUuid());
@@ -740,8 +746,10 @@ public void done(ErrorCodeList errorCodeList) {
                             @Override
                             public void run(MessageReply reply) {
                                 if (!reply.isSuccess()) {
+                                    ErrorCode err = reply.getError();
+                                    String errMsg = err != null && err.getDetails() != null ? err.getDetails() : "unknown error";
                                     logger.warn(String.format("failed to delete host secret on host[uuid:%s] for vm[uuid:%s], continue reset: %s",
-                                            hostUuid, vmUuid, reply.getError().getDetails()));
+                                            hostUuid, vmUuid, errMsg));
                                 }
                                 whileCompletion.done();
                             }