Add settings to mark cryptographic algorithms in vpn customer gateways as excluded or obsolete (#12193)

This PR introduces several configuration settings using which an operator can mark certain cryptographic algorithms and parameters as excluded or obsolete for VPN Customer Gateway creation for Site-to-Site VPN.

Cloud providers following modern security frameworks (e.g., ISO 27001/27017) are required to enforce and communicate approved cryptographic standards. CloudStack currently accepts several weak or deprecated algorithms without guidance to users. This PR closes that gap by giving operators explicit control over what is disallowed vs discouraged, improving security posture without breaking existing deployments.

These settings are:

1. vpn.customer.gateway.excluded.encryption.algorithms
2. vpn.customer.gateway.excluded.hashing.algorithms
3. vpn.customer.gateway.excluded.ike.versions
4. vpn.customer.gateway.excluded.dh.group
5. vpn.customer.gateway.obsolete.encryption.algorithms
6. vpn.customer.gateway.obsolete.hashing.algorithms
7. vpn.customer.gateway.obsolete.ike.versions
8. vpn.customer.gateway.obsolete.dh.group

Author: abh1sar

api/src/main/java/com/cloud/event/EventTypes.java

@@ -503,6 +503,7 @@ public class EventTypes {
     public static final String EVENT_S2S_VPN_CUSTOMER_GATEWAY_CREATE = "VPN.S2S.CUSTOMER.GATEWAY.CREATE";
     public static final String EVENT_S2S_VPN_CUSTOMER_GATEWAY_DELETE = "VPN.S2S.CUSTOMER.GATEWAY.DELETE";
     public static final String EVENT_S2S_VPN_CUSTOMER_GATEWAY_UPDATE = "VPN.S2S.CUSTOMER.GATEWAY.UPDATE";
+    public static final String EVENT_S2S_VPN_GATEWAY_OBSOLETE_PARAMS = "VPN.S2S.GATEWAY.OBSOLETE.PARAMS";
     public static final String EVENT_S2S_VPN_CONNECTION_CREATE = "VPN.S2S.CONNECTION.CREATE";
     public static final String EVENT_S2S_VPN_CONNECTION_DELETE = "VPN.S2S.CONNECTION.DELETE";
     public static final String EVENT_S2S_VPN_CONNECTION_RESET = "VPN.S2S.CONNECTION.RESET";
@@ -1151,6 +1152,7 @@ public class EventTypes {
         entityEventDetails.put(EVENT_S2S_VPN_CUSTOMER_GATEWAY_CREATE, Site2SiteCustomerGateway.class);
         entityEventDetails.put(EVENT_S2S_VPN_CUSTOMER_GATEWAY_DELETE, Site2SiteCustomerGateway.class);
         entityEventDetails.put(EVENT_S2S_VPN_CUSTOMER_GATEWAY_UPDATE, Site2SiteCustomerGateway.class);
+        entityEventDetails.put(EVENT_S2S_VPN_GATEWAY_OBSOLETE_PARAMS, Site2SiteCustomerGateway.class);
         entityEventDetails.put(EVENT_S2S_VPN_CONNECTION_CREATE, Site2SiteVpnConnection.class);
         entityEventDetails.put(EVENT_S2S_VPN_CONNECTION_DELETE, Site2SiteVpnConnection.class);
         entityEventDetails.put(EVENT_S2S_VPN_CONNECTION_RESET, Site2SiteVpnConnection.class);

api/src/main/java/org/apache/cloudstack/alert/AlertService.java

@@ -74,6 +74,7 @@ private AlertType(short type, String name, boolean isDefault) {
         public static final AlertType ALERT_TYPE_VR_PUBLIC_IFACE_MTU = new AlertType((short)32, "ALERT.VR.PUBLIC.IFACE.MTU", true);
         public static final AlertType ALERT_TYPE_VR_PRIVATE_IFACE_MTU = new AlertType((short)32, "ALERT.VR.PRIVATE.IFACE.MTU", true);
         public static final AlertType ALERT_TYPE_EXTENSION_PATH_NOT_READY = new AlertType((short)33, "ALERT.TYPE.EXTENSION.PATH.NOT.READY", true);
+        public static final AlertType ALERT_TYPE_VPN_GATEWAY_OBSOLETE_PARAMETERS = new AlertType((short)34, "ALERT.S2S.VPN.GATEWAY.OBSOLETE.PARAMETERS", true);
         public static final AlertType ALERT_TYPE_BACKUP_STORAGE = new AlertType(Capacity.CAPACITY_TYPE_BACKUP_STORAGE, "ALERT.STORAGE.BACKUP", true);
         public static final AlertType ALERT_TYPE_OBJECT_STORAGE = new AlertType(Capacity.CAPACITY_TYPE_OBJECT_STORAGE, "ALERT.STORAGE.OBJECT", true);
 

api/src/main/java/org/apache/cloudstack/api/ApiConstants.java

@@ -1364,6 +1364,10 @@ public class ApiConstants {
 
     public static final String RECURSIVE_DOMAINS = "recursivedomains";
 
+    public static final String VPN_CUSTOMER_GATEWAY_PARAMETERS = "vpncustomergatewayparameters";
+    public static final String OBSOLETE_PARAMETERS = "obsoleteparameters";
+    public static final String EXCLUDED_PARAMETERS = "excludedparameters";
+
     /**
      * This enum specifies IO Drivers, each option controls specific policies on I/O.
      * Qemu guests support "threads" and "native" options Since 0.8.8 ; "io_uring" is supported Since 6.3.0 (QEMU 5.0).

api/src/main/java/org/apache/cloudstack/api/command/user/config/ListCapabilitiesCmd.java

@@ -21,7 +21,9 @@
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.response.CapabilitiesResponse;
+import org.apache.cloudstack.api.response.DomainResponse;
 import org.apache.cloudstack.config.ApiServiceConfiguration;
 
 import com.cloud.user.Account;
@@ -30,12 +32,22 @@
         requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
 public class ListCapabilitiesCmd extends BaseCmd {
 
+    @Parameter(name = ApiConstants.DOMAIN_ID,
+            type = CommandType.UUID,
+            entityType = DomainResponse.class,
+            description = "the domain for listing capabilities.",
+            since = "4.23.0")
+    private Long domainId;
 
     @Override
     public long getEntityOwnerId() {
         return Account.ACCOUNT_ID_SYSTEM;
     }
 
+    public Long getDomainId() {
+        return domainId;
+    }
+
     @Override
     public void execute() {
         Map<String, Object> capabilities = _mgr.listCapabilities(this);
@@ -76,6 +88,10 @@ public void execute() {
         response.setExtensionsPath((String)capabilities.get(ApiConstants.EXTENSIONS_PATH));
         response.setDynamicScalingEnabled((Boolean) capabilities.get(ApiConstants.DYNAMIC_SCALING_ENABLED));
         response.setAdditionalConfigEnabled((Boolean) capabilities.get(ApiConstants.ADDITONAL_CONFIG_ENABLED));
+        if (capabilities.containsKey(ApiConstants.VPN_CUSTOMER_GATEWAY_PARAMETERS)) {
+            Map<String, Object> vpnCustomerGatewayParameters = (Map<String, Object>) capabilities.get(ApiConstants.VPN_CUSTOMER_GATEWAY_PARAMETERS);
+            response.setVpnCustomerGatewayParameters(vpnCustomerGatewayParameters);
+        }
         response.setObjectName("capability");
         response.setResponseName(getCommandName());
         this.setResponseObject(response);

api/src/main/java/org/apache/cloudstack/api/response/CapabilitiesResponse.java

@@ -16,6 +16,8 @@
 // under the License.
 package org.apache.cloudstack.api.response;
 
+import java.util.Map;
+
 import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseResponse;
@@ -153,6 +155,10 @@ public class CapabilitiesResponse extends BaseResponse {
     @Param(description = "true if additional configurations or extraconfig can be passed to Instances", since = "4.20.2")
     private Boolean additionalConfigEnabled;
 
+    @SerializedName(ApiConstants.VPN_CUSTOMER_GATEWAY_PARAMETERS)
+    @Param(description = "Excluded and obsolete VPN customer gateway cryptographic parameters")
+    private Map<String, Object> vpnCustomerGatewayParameters;
+
     public void setSecurityGroupsEnabled(boolean securityGroupsEnabled) {
         this.securityGroupsEnabled = securityGroupsEnabled;
     }
@@ -280,4 +286,8 @@ public void setDynamicScalingEnabled(Boolean dynamicScalingEnabled) {
     public void setAdditionalConfigEnabled(Boolean additionalConfigEnabled) {
         this.additionalConfigEnabled = additionalConfigEnabled;
     }
+
+    public void setVpnCustomerGatewayParameters(Map<String, Object> vpnCustomerGatewayParameters) {
+        this.vpnCustomerGatewayParameters = vpnCustomerGatewayParameters;
+    }
 }

api/src/main/java/org/apache/cloudstack/api/response/Site2SiteCustomerGatewayResponse.java

@@ -114,6 +114,14 @@ public class Site2SiteCustomerGatewayResponse extends BaseResponseWithAnnotation
     @Param(description = "Which IKE Version to use, one of ike (autoselect), IKEv1, or IKEv2. Defaults to ike")
     private String ikeVersion;
 
+    @SerializedName(ApiConstants.OBSOLETE_PARAMETERS)
+    @Param(description = "Contains the list of obsolete/insecure cryptographic parameters that the vpn customer gateway is using.", since = "4.23.0")
+    private String obsoleteParameters;
+
+    @SerializedName(ApiConstants.EXCLUDED_PARAMETERS)
+    @Param(description = "Contains the list of excluded/not allowed cryptographic parameters that the vpn customer gateway is using.", since = "4.23.0")
+    private String excludedParameters;
+
     public void setId(String id) {
         this.id = id;
     }
@@ -202,4 +210,12 @@ public void setDomainPath(String domainPath) {
         this.domainPath = domainPath;
     }
 
+    public void setContainsObsoleteParameters(String obsoleteParameters) {
+        this.obsoleteParameters = obsoleteParameters;
+    }
+
+    public void setContainsExcludedParameters(String excludedParameters) {
+        this.excludedParameters = excludedParameters;
+    }
+
 }

framework/config/src/main/java/org/apache/cloudstack/framework/config/ConfigKeyScheduledExecutionWrapper.java

@@ -66,7 +66,7 @@ public ConfigKeyScheduledExecutionWrapper(ScheduledExecutorService executorServi
         this.unit = unit;
     }
 
-    protected ConfigKeyScheduledExecutionWrapper(ScheduledExecutorService executorService, Runnable command,
+    public ConfigKeyScheduledExecutionWrapper(ScheduledExecutorService executorService, Runnable command,
             ConfigKey<?> configKey, int enableIntervalSeconds, TimeUnit unit) {
         validateArgs(executorService, command, configKey);
         this.executorService = executorService;

server/src/main/java/com/cloud/alert/AlertManagerImpl.java

@@ -112,7 +112,8 @@ public class AlertManagerImpl extends ManagerBase implements AlertManager, Confi
             , AlertType.ALERT_TYPE_OOBM_AUTH_ERROR
             , AlertType.ALERT_TYPE_HA_ACTION
             , AlertType.ALERT_TYPE_CA_CERT
-            , AlertType.ALERT_TYPE_EXTENSION_PATH_NOT_READY);
+            , AlertType.ALERT_TYPE_EXTENSION_PATH_NOT_READY
+            , AlertType.ALERT_TYPE_VPN_GATEWAY_OBSOLETE_PARAMETERS);
 
     private static final long INITIAL_CAPACITY_CHECK_DELAY = 30L * 1000L; // Thirty seconds expressed in milliseconds.
 

server/src/main/java/com/cloud/api/ApiResponseHelper.java

@@ -50,6 +50,7 @@
 import com.cloud.dc.dao.VlanDetailsDao;
 import com.cloud.hypervisor.Hypervisor;
 import com.cloud.network.vpc.VpcGateway;
+import com.cloud.network.vpn.Site2SiteVpnManager;
 import com.cloud.storage.BucketVO;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
@@ -528,6 +529,8 @@ public class ApiResponseHelper implements ResponseGenerator {
     @Inject
     RoutedIpv4Manager routedIpv4Manager;
     @Inject
+    Site2SiteVpnManager site2SiteVpnManager;
+    @Inject
     ResourceIconManager resourceIconManager;
 
     public static String getPrettyDomainPath(String path) {
@@ -3884,6 +3887,16 @@ public Site2SiteCustomerGatewayResponse createSite2SiteCustomerGatewayResponse(S
         response.setRemoved(result.getRemoved());
         response.setIkeVersion(result.getIkeVersion());
         response.setSplitConnections(result.getSplitConnections());
+
+        Set<String> obsoleteParameters = site2SiteVpnManager.getObsoleteVpnGatewayParameters(result);
+        if (CollectionUtils.isNotEmpty(obsoleteParameters)) {
+            response.setContainsObsoleteParameters(obsoleteParameters.toString());
+        }
+        Set<String> excludedParameters = site2SiteVpnManager.getExcludedVpnGatewayParameters(result);
+        if (CollectionUtils.isNotEmpty(excludedParameters)) {
+            response.setContainsExcludedParameters(excludedParameters.toString());
+        }
+
         response.setObjectName("vpncustomergateway");
         response.setHasAnnotation(annotationDao.hasAnnotations(result.getUuid(), AnnotationService.EntityType.VPN_CUSTOMER_GATEWAY.name(),
                 _accountMgr.isRootAdmin(CallContext.current().getCallingAccount().getId())));

server/src/main/java/com/cloud/network/vpn/Site2SiteVpnManager.java

@@ -17,11 +17,17 @@
 package com.cloud.network.vpn;
 
 import java.util.List;
+import java.util.Set;
 
+import com.cloud.network.Site2SiteCustomerGateway;
 import com.cloud.network.dao.Site2SiteVpnConnectionVO;
 import com.cloud.vm.DomainRouterVO;
 
 public interface Site2SiteVpnManager extends Site2SiteVpnService {
+    Set<String> getExcludedVpnGatewayParameters(Site2SiteCustomerGateway customerGw);
+
+    Set<String> getObsoleteVpnGatewayParameters(Site2SiteCustomerGateway customerGw);
+
     boolean cleanupVpnConnectionByVpc(long vpcId);
 
     boolean cleanupVpnGatewayByVpc(long vpcId);