PR11468: address Daan's comments

Author: weizhouapache

core/src/main/java/com/cloud/network/HAProxyConfigurator.java

@@ -734,20 +734,24 @@ public SslCertEntry[] generateSslCertEntries(LoadBalancerConfigCommand lbCmd) {
         final Set<SslCertEntry> sslCertEntries = new HashSet<SslCertEntry>();
         for (final LoadBalancerTO lbTO : lbCmd.getLoadBalancers()) {
             if (lbTO.getSslCert() != null) {
-                final LbSslCert cert = lbTO.getSslCert();
-                if (cert.isRevoked()) {
-                    continue;
-                }
-                if (lbTO.getLbProtocol() == null || ! lbTO.getLbProtocol().equals(NetUtils.SSL_PROTO)) {
-                    continue;
-                }
-                StringBuilder sb = new StringBuilder();
-                final String name = sb.append(lbTO.getSrcIp().replace(".", "_")).append('-').append(lbTO.getSrcPort()).toString();
-                final SslCertEntry sslCertEntry = new SslCertEntry(name, cert.getCert(), cert.getKey(), cert.getChain(), cert.getPassword());
-                sslCertEntries.add(sslCertEntry);
+                addSslCertEntry(sslCertEntries, lbTO);
             }
         }
         final SslCertEntry[] result = sslCertEntries.toArray(new SslCertEntry[sslCertEntries.size()]);
         return result;
     }
+
+    private void addSslCertEntry(Set<SslCertEntry> sslCertEntries, LoadBalancerTO lbTO) {
+        final LbSslCert cert = lbTO.getSslCert();
+        if (cert.isRevoked()) {
+            return;
+        }
+        if (lbTO.getLbProtocol() == null || ! lbTO.getLbProtocol().equals(NetUtils.SSL_PROTO)) {
+            return;
+        }
+        StringBuilder sb = new StringBuilder();
+        final String name = sb.append(lbTO.getSrcIp().replace(".", "_")).append('-').append(lbTO.getSrcPort()).toString();
+        final SslCertEntry sslCertEntry = new SslCertEntry(name, cert.getCert(), cert.getKey(), cert.getChain(), cert.getPassword());
+        sslCertEntries.add(sslCertEntry);
+    }
 }

server/src/main/java/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java

@@ -1270,7 +1270,7 @@ public LbSslCert getLbSslCert(long lbRuleId) {
     public boolean assignCertToLoadBalancer(long lbRuleId, Long certId, boolean forced) {
         CallContext caller = CallContext.current();
 
-        LoadBalancerVO loadBalancer = _lbDao.findById(Long.valueOf(lbRuleId));
+        LoadBalancerVO loadBalancer = _lbDao.findById(lbRuleId);
         if (loadBalancer == null) {
             throw new InvalidParameterValueException("Invalid load balancer id: " + lbRuleId);
         }
@@ -1292,15 +1292,7 @@ public boolean assignCertToLoadBalancer(long lbRuleId, Long certId, boolean forc
             throw new InvalidParameterValueException("Ssl termination not supported by the loadbalancer");
         }
 
-        //check if the lb is already bound
-        LoadBalancerCertMapVO certMapRule = _lbCertMapDao.findByLbRuleId(loadBalancer.getId());
-        if (certMapRule != null) {
-            if (!forced) {
-                throw new InvalidParameterValueException("Another certificate is already bound to the LB");
-            }
-            logger.debug("Another certificate is already bound to the LB, removing it");
-            removeCertFromLoadBalancer(lbRuleId);
-        }
+        validateCertMapRule(lbRuleId, forced);
 
         //check for correct port
         if (loadBalancer.getLbProtocol() == null || !(loadBalancer.getLbProtocol().equals(NetUtils.SSL_PROTO)))
@@ -1331,6 +1323,18 @@ public boolean assignCertToLoadBalancer(long lbRuleId, Long certId, boolean forc
         return success;
     }
 
+    private void validateCertMapRule(long lbRuleId, boolean forced) {
+        //check if the lb is already bound
+        LoadBalancerCertMapVO certMapRule = _lbCertMapDao.findByLbRuleId(lbRuleId);
+        if (certMapRule != null) {
+            if (!forced) {
+                throw new InvalidParameterValueException("Another certificate is already bound to the LB");
+            }
+            logger.debug("Another certificate is already bound to the LB, removing it");
+            removeCertFromLoadBalancer(lbRuleId);
+        }
+    }
+
     @Override
     @DB
     @ActionEvent(eventType = EventTypes.EVENT_LB_CERT_REMOVE, eventDescription = "removing certificate from load balancer", async = true)
@@ -2271,11 +2275,7 @@ public LoadBalancer updateLoadBalancerRule(UpdateLoadBalancerRuleCmd cmd) {
                 _lbDao.persist(lb);
                 applyLoadBalancerConfig(lbRuleId);
                 if (!lb.getLbProtocol().equals(NetUtils.SSL_PROTO)) {
-                    LoadBalancerCertMapVO loadBalancerCertMapVO = _lbCertMapDao.findByLbRuleId(lbRuleId);
-                    if (loadBalancerCertMapVO != null) {
-                        logger.debug("Removing SSL cert for load balancer %s as the new protocol is not ssl but %s", lbRuleId, lb.getLbProtocol());
-                        _lbCertMapDao.remove(loadBalancerCertMapVO.getId());
-                    }
+                    removeCertMapIfExists(lb);
                 }
             } catch (ResourceUnavailableException e) {
                 if (isRollBackAllowedForProvider(lb)) {
@@ -2323,6 +2323,13 @@ private void validateInputsForExternalNetworkProvider(LoadBalancerVO lb, String
             if (Objects.nonNull(protocol) && "tcp-proxy".equalsIgnoreCase(protocol)) {
                 throw new InvalidParameterValueException("TCP Proxy protocol is not supported for Netris Provider.");
             }
+    }
+
+    private void removeCertMapIfExists(LoadBalancerVO lb) {
+        LoadBalancerCertMapVO loadBalancerCertMapVO = _lbCertMapDao.findByLbRuleId(lb.getId());
+        if (loadBalancerCertMapVO != null) {
+            logger.debug("Removing SSL cert for load balancer %s as the new protocol is not ssl but %s", lb, lb.getLbProtocol());
+            _lbCertMapDao.remove(loadBalancerCertMapVO.getId());
         }
     }
 

server/src/main/java/com/cloud/network/router/NetworkHelperImpl.java

@@ -929,10 +929,7 @@ public boolean validateHAProxyLBRule(final LoadBalancingRule rule) {
             return false;
         }
 
-        List<String> lbProtocols = Arrays.asList("tcp", "udp", "tcp-proxy", "ssl");
-        if (rule.getLbProtocol() != null && !lbProtocols.contains(rule.getLbProtocol())) {
-            throw new InvalidParameterValueException("protocol " + rule.getLbProtocol() + " is not in valid protocols " + lbProtocols);
-        }
+        validateHAproxyLbProtocol(rule.getLbProtocol());
 
         for (final LoadBalancingRule.LbStickinessPolicy stickinessPolicy : rule.getStickinessPolicies()) {
             final List<Pair<String, String>> paramsList = stickinessPolicy.getParams();
@@ -987,6 +984,13 @@ public boolean validateHAProxyLBRule(final LoadBalancingRule rule) {
         return true;
     }
 
+    private void validateHAproxyLbProtocol(String lbProtocol) {
+        List<String> lbProtocols = Arrays.asList("tcp", "udp", "tcp-proxy", "ssl");
+        if (lbProtocol != null && !lbProtocols.contains(lbProtocol)) {
+            throw new InvalidParameterValueException(String.format("protocol %s is not in valid protocols %s", lbProtocol, lbProtocols));
+        }
+    }
+
     /*
      * This function detects numbers like 12 ,32h ,42m .. etc,. 1) plain number
      * like 12 2) time or tablesize like 12h, 34m, 45k, 54m , here last

server/src/main/java/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java

@@ -1743,13 +1743,7 @@ private void updateWithLbRules(final DomainRouterJoinVO routerJoinVO, final Stri
                             .append(",destPortEnd=").append(loadBalancerVO.getDefaultPortEnd())
                             .append(",algorithm=").append(loadBalancerVO.getAlgorithm())
                             .append(",protocol=").append(loadBalancerVO.getLbProtocol());
-                    if (loadBalancerVO.getLbProtocol() != null && loadBalancerVO.getLbProtocol().equals(NetUtils.SSL_PROTO)) {
-                        final LbSslCert sslCert = _lbMgr.getLbSslCert(firewallRuleVO.getId());
-                        if (sslCert != null && ! sslCert.isRevoked()) {
-                            loadBalancingData.append(",sslcert=").append(sourceIp.replace(".", "_")).append('-')
-                                    .append(loadBalancerVO.getSourcePortStart()).append(".pem");
-                        }
-                    }
+                    updateWithLbRuleSslCertificates(loadBalancingData, loadBalancerVO, sourceIp);
                 } else if (firewallRuleVO instanceof ApplicationLoadBalancerRuleVO) {
                     ApplicationLoadBalancerRuleVO appLoadBalancerVO = (ApplicationLoadBalancerRuleVO) firewallRuleVO;
                     loadBalancingData.append(",sourceIp=").append(appLoadBalancerVO.getSourceIp())
@@ -1768,6 +1762,16 @@ private void updateWithLbRules(final DomainRouterJoinVO routerJoinVO, final Stri
         }
     }
 
+    private void updateWithLbRuleSslCertificates(final StringBuilder loadBalancingData, LoadBalancerVO loadBalancerVO, String sourceIp) {
+        if (NetUtils.SSL_PROTO.equals(loadBalancerVO.getLbProtocol())) {
+            final LbSslCert sslCert = _lbMgr.getLbSslCert(loadBalancerVO.getId());
+            if (sslCert != null && ! sslCert.isRevoked()) {
+                loadBalancingData.append(",sslcert=").append(sourceIp.replace(".", "_")).append('-')
+                        .append(loadBalancerVO.getSourcePortStart()).append(".pem");
+            }
+        }
+    }
+
     protected Map<String, String> getRouterHealthChecksConfig(final DomainRouterVO router) {
         Map<String, String> data = new HashMap<>();
         List<DomainRouterJoinVO> routerJoinVOs = domainRouterJoinDao.searchByIds(router.getId());

server/src/main/java/org/apache/cloudstack/network/ssl/CertServiceImpl.java

@@ -441,25 +441,9 @@ public PrivateKey parsePrivateKey(final String key, String password) throws IOEx
         }
         PrivateKey privateKey;
         if (privateKeyObj instanceof PKCS8EncryptedPrivateKeyInfo) {
-            if (password == null) {
-                throw new CloudRuntimeException("Key is encrypted by PKCS#8 but password is null");
-            }
-            PKCS8EncryptedPrivateKeyInfo encryptedPrivateKeyInfo = (PKCS8EncryptedPrivateKeyInfo)privateKeyObj;
-            JceOpenSSLPKCS8DecryptorProviderBuilder builder = new JceOpenSSLPKCS8DecryptorProviderBuilder();
-            InputDecryptorProvider decryptor = builder.build(password.toCharArray());
-
-            PrivateKeyInfo privateKeyInfo = encryptedPrivateKeyInfo.decryptPrivateKeyInfo(decryptor);
-            String algorithm = privateKeyInfo.getPrivateKeyAlgorithm().getAlgorithm().getId();
-            KeyFactory keyFactory = KeyFactory.getInstance(algorithm);
-            PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(privateKeyInfo.getEncoded());
-            return keyFactory.generatePrivate(keySpec);
+            privateKey = parsePKCS8EncryptedPrivateKeyInfo((PKCS8EncryptedPrivateKeyInfo)privateKeyObj, password);
         } else if (privateKeyObj instanceof PEMEncryptedKeyPair) {
-            if (password == null) {
-                throw new CloudRuntimeException("Key is encrypted but password is null");
-            }
-            PEMEncryptedKeyPair encryptedKeyPair = (PEMEncryptedKeyPair)privateKeyObj;
-            privateKey = new JcaPEMKeyConverter().getKeyPair(
-                    encryptedKeyPair.decryptKeyPair(new JcePEMDecryptorProviderBuilder().build(password.toCharArray()))).getPrivate();
+            privateKey = parsePEMEncryptedKeyPair((PEMEncryptedKeyPair)privateKeyObj, password);
         } else if (privateKeyObj instanceof PEMKeyPair) {
             // Key pair
             PEMKeyPair pemKeyPair = (PEMKeyPair) privateKeyObj;
@@ -475,6 +459,30 @@ public PrivateKey parsePrivateKey(final String key, String password) throws IOEx
         return privateKey;
     }
 
+    private PrivateKey parsePKCS8EncryptedPrivateKeyInfo(PKCS8EncryptedPrivateKeyInfo privateKeyObj, String password)
+            throws IOException, OperatorCreationException, PKCSException, NoSuchAlgorithmException, InvalidKeySpecException {
+        if (password == null) {
+            throw new CloudRuntimeException("Key is encrypted by PKCS#8 but password is null");
+        }
+        PKCS8EncryptedPrivateKeyInfo encryptedPrivateKeyInfo = (PKCS8EncryptedPrivateKeyInfo)privateKeyObj;
+        JceOpenSSLPKCS8DecryptorProviderBuilder builder = new JceOpenSSLPKCS8DecryptorProviderBuilder();
+        InputDecryptorProvider decryptor = builder.build(password.toCharArray());
+
+        PrivateKeyInfo privateKeyInfo = encryptedPrivateKeyInfo.decryptPrivateKeyInfo(decryptor);
+        String algorithm = privateKeyInfo.getPrivateKeyAlgorithm().getAlgorithm().getId();
+        KeyFactory keyFactory = KeyFactory.getInstance(algorithm);
+        PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(privateKeyInfo.getEncoded());
+        return keyFactory.generatePrivate(keySpec);
+    }
+
+    private PrivateKey parsePEMEncryptedKeyPair(PEMEncryptedKeyPair encryptedKeyPair, String password) throws IOException {
+        if (password == null) {
+            throw new CloudRuntimeException("Key is encrypted but password is null");
+        }
+        return new JcaPEMKeyConverter().getKeyPair(
+                encryptedKeyPair.decryptKeyPair(new JcePEMDecryptorProviderBuilder().build(password.toCharArray()))).getPrivate();
+    }
+
     @Override
     public Certificate parseCertificate(final String cert) {
         Preconditions.checkArgument(StringUtils.isNotEmpty(cert));

test/integration/smoke/test_ssl_offloading.py

@@ -193,16 +193,6 @@ def setUpClass(cls):
 
         cls.services["virtual_machine"]["zoneid"] = cls.zone.id
 
-        #Create an account, network, VM and IP addresses
-        cls.account = Account.create(
-                            cls.apiclient,
-                            cls.services["account"],
-                            admin=True,
-                            domainid=cls.domain.id
-                            )
-        cls.user = cls.account.user[0]
-        cls.userapiclient = cls.testClient.getUserApiClient(cls.user.username, cls.domain.name)
-
         # Save full chain as a file
         with open(FULL_CHAIN, "w", encoding="utf-8") as f:
             f.write(CERT["certchain"])
@@ -231,6 +221,7 @@ def setUpClass(cls):
                                         cls.apiclient,
                                         cls.services["service_offerings"]["big"]    # 512MB memory
                                         )
+        cls._cleanup.append(cls.service_offering)
 
         # Create network offering
         cls.services["isolated_network_offering"]["egress_policy"] = "true"
@@ -240,8 +231,17 @@ def setUpClass(cls):
         cls.network_offering.update(cls.apiclient, state='Enabled')
 
         cls._cleanup.append(cls.network_offering)
-        cls._cleanup.append(cls.service_offering)
+
+        #Create an account, network, VM and IP addresses
+        cls.account = Account.create(
+            cls.apiclient,
+            cls.services["account"],
+            admin=True,
+            domainid=cls.domain.id
+        )
         cls._cleanup.append(cls.account)
+        cls.user = cls.account.user[0]
+        cls.userapiclient = cls.testClient.getUserApiClient(cls.user.username, cls.domain.name)
 
     def setUp(self):
         self.apiclient = self.testClient.getApiClient()