Fix background task for uploading certificates to hosts

Author: nvazquez

api/src/main/java/org/apache/cloudstack/api/command/admin/direct/download/RevokeTemplateDirectDownloadCertificateCmd.java

@@ -30,6 +30,7 @@
 import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.HostResponse;
 import org.apache.cloudstack.api.response.SuccessResponse;
 import org.apache.cloudstack.api.response.ZoneResponse;
 import org.apache.cloudstack.context.CallContext;
@@ -58,13 +59,17 @@ public class RevokeTemplateDirectDownloadCertificateCmd extends BaseCmd {
     private String certificateAlias;
 
     @Parameter(name = ApiConstants.HYPERVISOR, type = BaseCmd.CommandType.STRING, required = true,
-            description = "Hypervisor type")
+            description = "hypervisor type")
     private String hypervisor;
 
     @Parameter(name = ApiConstants.ZONE_ID, type = CommandType.UUID, entityType = ZoneResponse.class,
-            description = "Zone to upload certificate", required = true)
+            description = "zone to revoke certificate", required = true)
     private Long zoneId;
 
+    @Parameter(name = ApiConstants.HOST_ID, type = CommandType.UUID, entityType = HostResponse.class,
+            description = "(optional) the host ID to revoke certificate")
+    private Long hostId;
+
     @Override
     public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException, ConcurrentOperationException, ResourceAllocationException, NetworkRuleConflictException {
         if (!hypervisor.equalsIgnoreCase("kvm")) {
@@ -73,7 +78,7 @@ public void execute() throws ResourceUnavailableException, InsufficientCapacityE
         SuccessResponse response = new SuccessResponse(getCommandName());
         try {
             LOG.debug("Revoking certificate " + certificateAlias + " from " + hypervisor + " hosts");
-            boolean result = directDownloadManager.revokeCertificateAlias(certificateAlias, hypervisor, zoneId);
+            boolean result = directDownloadManager.revokeCertificateAlias(certificateAlias, hypervisor, zoneId, hostId);
             response.setSuccess(result);
             setResponseObject(response);
         } catch (Exception e) {

api/src/main/java/org/apache/cloudstack/api/command/admin/direct/download/UploadTemplateDirectDownloadCertificateCmd.java

@@ -23,6 +23,7 @@
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.response.HostResponse;
 import org.apache.cloudstack.api.response.SuccessResponse;
 import org.apache.cloudstack.api.response.ZoneResponse;
 import org.apache.cloudstack.context.CallContext;
@@ -61,6 +62,10 @@ public class UploadTemplateDirectDownloadCertificateCmd extends BaseCmd {
             description = "Zone to upload certificate", required = true)
     private Long zoneId;
 
+    @Parameter(name = ApiConstants.HOST_ID, type = CommandType.UUID, entityType = HostResponse.class,
+            description = "(optional) the host ID to revoke certificate")
+    private Long hostId;
+
     @Override
     public void execute() {
         if (!hypervisor.equalsIgnoreCase("kvm")) {
@@ -69,7 +74,7 @@ public void execute() {
 
         try {
             LOG.debug("Uploading certificate " + name + " to agents for Direct Download");
-            boolean result = directDownloadManager.uploadCertificateToHosts(certificate, name, hypervisor, zoneId);
+            boolean result = directDownloadManager.uploadCertificateToHosts(certificate, name, hypervisor, zoneId, hostId);
             SuccessResponse response = new SuccessResponse(getCommandName());
             response.setSuccess(result);
             setResponseObject(response);

api/src/main/java/org/apache/cloudstack/direct/download/DirectDownloadManager.java

@@ -26,12 +26,14 @@ public interface DirectDownloadManager extends DirectDownloadService, PluggableS
 
     ConfigKey<Long> DirectDownloadCertificateUploadInterval = new ConfigKey<>("Advanced", Long.class,
             "direct.download.certificate.background.task.interval",
-            "24",
-            "The Direct Download framework background interval in hours.",
-            true);
+            "0",
+            "This interval (in hours) controls a background task to sync hosts within enabled zones " +
+                    "missing uploaded certificates for direct download." +
+                    "Only certificates which have not been revoked from hosts are uploaded",
+            false);
 
     /**
      * Revoke direct download certificate with alias 'alias' from hosts of hypervisor type 'hypervisor'
      */
-    boolean revokeCertificateAlias(String certificateAlias, String hypervisor, Long zoneId);
+    boolean revokeCertificateAlias(String certificateAlias, String hypervisor, Long zoneId, Long hostId);
 }

engine/schema/src/main/java/org/apache/cloudstack/direct/download/DirectDownloadCertificateHostMapVO.java

@@ -38,12 +38,16 @@ public class DirectDownloadCertificateHostMapVO {
     @Column(name = "certificate_id")
     private Long certificateId;
 
+    @Column(name = "revoked")
+    private Boolean revoked;
+
     public DirectDownloadCertificateHostMapVO() {
     }
 
     public DirectDownloadCertificateHostMapVO(Long certificateId, Long hostId) {
         this.certificateId = certificateId;
         this.hostId = hostId;
+        this.revoked = false;
     }
 
     public Long getId() {
@@ -69,4 +73,12 @@ public Long getCertificateId() {
     public void setCertificateId(Long certificateId) {
         this.certificateId = certificateId;
     }
+
+    public Boolean isRevoked() {
+        return revoked;
+    }
+
+    public void setRevoked(Boolean revoked) {
+        this.revoked = revoked;
+    }
 }

engine/schema/src/main/resources/META-INF/db/schema-41200to41300.sql

@@ -378,6 +378,7 @@ CREATE TABLE `cloud`.`direct_download_certificate_host_map` (
   `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
   `certificate_id` bigint(20) unsigned NOT NULL,
   `host_id` bigint(20) unsigned NOT NULL,
+  `revoked` int(1) NOT NULL DEFAULT 0,
   PRIMARY KEY (`id`),
   KEY `fk_direct_download_certificate_host_map__host_id` (`host_id`),
   KEY `fk_direct_download_certificate_host_map__certificate_id` (`certificate_id`),

framework/direct-download/src/main/java/org/apache/cloudstack/framework/agent/direct/download/DirectDownloadService.java

@@ -27,7 +27,7 @@ public interface DirectDownloadService {
     /**
      * Upload client certificate to each running host
      */
-    boolean uploadCertificateToHosts(String certificateCer, String certificateName, String hypervisor, Long zoneId);
+    boolean uploadCertificateToHosts(String certificateCer, String certificateName, String hypervisor, Long zoneId, Long hostId);
 
     /**
      * Upload a stored certificate on database with id 'certificateId' to host with id 'hostId'

server/src/main/java/org/apache/cloudstack/direct/download/DirectDownloadManagerImpl.java

@@ -41,6 +41,7 @@
 import com.cloud.storage.dao.VMTemplateDao;
 import com.cloud.storage.dao.VMTemplatePoolDao;
 import com.cloud.utils.component.ManagerBase;
+import com.cloud.utils.concurrency.NamedThreadFactory;
 import com.cloud.utils.exception.CloudRuntimeException;
 
 import java.net.URI;
@@ -55,8 +56,12 @@
 import java.util.Map;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.ScheduledThreadPoolExecutor;
+import java.util.concurrent.TimeUnit;
 import java.util.stream.Collectors;
 import javax.inject.Inject;
+import javax.naming.ConfigurationException;
 
 import com.cloud.utils.security.CertificateHelper;
 import org.apache.cloudstack.agent.directdownload.DirectDownloadCommand;
@@ -76,7 +81,6 @@
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.managed.context.ManagedContextRunnable;
 import org.apache.cloudstack.poll.BackgroundPollManager;
-import org.apache.cloudstack.poll.BackgroundPollTask;
 import org.apache.cloudstack.storage.datastore.db.PrimaryDataStoreDao;
 import org.apache.cloudstack.storage.datastore.db.StoragePoolVO;
 import org.apache.cloudstack.storage.to.PrimaryDataStoreTO;
@@ -116,6 +120,8 @@ public class DirectDownloadManagerImpl extends ManagerBase implements DirectDown
     @Inject
     private DataCenterDao dataCenterDao;
 
+    protected ScheduledExecutorService executorService;
+
     @Override
     public List<Class<?>> getCommands() {
         final List<Class<?>> cmdList = new ArrayList<Class<?>>();
@@ -380,23 +386,36 @@ protected void certificateSanity(String certificatePem) {
     }
 
     @Override
-    public boolean uploadCertificateToHosts(String certificateCer, String alias, String hypervisor, Long zoneId) {
+    public boolean uploadCertificateToHosts(String certificateCer, String alias, String hypervisor, Long zoneId, Long hostId) {
         if (alias != null && (alias.equalsIgnoreCase("cloud") || alias.startsWith("cloudca"))) {
             throw new CloudRuntimeException("Please provide a different alias name for the certificate");
         }
 
+        List<HostVO> hosts;
+        DirectDownloadCertificateVO certificateVO;
         HypervisorType hypervisorType = HypervisorType.getType(hypervisor);
-        List<HostVO> hosts = getRunningHostsToUploadCertificate(zoneId, hypervisorType);
 
-        String certificatePem = getPretifiedCertificate(certificateCer);
-        certificateSanity(certificatePem);
+        if (hostId == null) {
+            hosts = getRunningHostsToUploadCertificate(zoneId, hypervisorType);
+
+            String certificatePem = getPretifiedCertificate(certificateCer);
+            certificateSanity(certificatePem);
 
-        DirectDownloadCertificateVO certificateVO = directDownloadCertificateDao.findByAlias(alias, hypervisorType, zoneId);
-        if (certificateVO != null) {
-            throw new CloudRuntimeException("Certificate alias " + alias + " has been already created");
+            certificateVO = directDownloadCertificateDao.findByAlias(alias, hypervisorType, zoneId);
+            if (certificateVO != null) {
+                throw new CloudRuntimeException("Certificate alias " + alias + " has been already created");
+            }
+            certificateVO = new DirectDownloadCertificateVO(alias, certificatePem, hypervisorType, zoneId);
+            directDownloadCertificateDao.persist(certificateVO);
+        } else {
+            HostVO host = hostDao.findById(hostId);
+            hosts = Collections.singletonList(host);
+            certificateVO = directDownloadCertificateDao.findByAlias(alias, hypervisorType, zoneId);
+            if (certificateVO == null) {
+                s_logger.info("Certificate must be uploaded on zone " + zoneId);
+                return false;
+            }
         }
-        certificateVO = new DirectDownloadCertificateVO(alias, certificatePem, hypervisorType, zoneId);
-        directDownloadCertificateDao.persist(certificateVO);
 
         s_logger.info("Attempting to upload certificate: " + alias + " to " + hosts.size() + " hosts on zone " + zoneId);
         int hostCount = 0;
@@ -418,12 +437,6 @@ public boolean uploadCertificateToHosts(String certificateCer, String alias, Str
      * Upload and import certificate to hostId on keystore
      */
     public boolean uploadCertificate(long certificateId, long hostId) {
-        DirectDownloadCertificateHostMapVO map = directDownloadCertificateHostMapDao.findByCertificateAndHost(certificateId, hostId);
-        if (map != null) {
-            s_logger.debug("Certificate " + certificateId + " is already uploaded on host " + hostId);
-            return true;
-        }
-
         DirectDownloadCertificateVO certificateVO = directDownloadCertificateDao.findById(certificateId);
         if (certificateVO == null) {
             throw new CloudRuntimeException("Could not find certificate with id " + certificateId + " to upload to host: " + hostId);
@@ -432,7 +445,7 @@ public boolean uploadCertificate(long certificateId, long hostId) {
         String certificate = certificateVO.getCertificate();
         String alias = certificateVO.getAlias();
 
-            s_logger.debug("Uploading certificate: " + certificateVO.getAlias() + " to host " + hostId);
+        s_logger.debug("Uploading certificate: " + certificateVO.getAlias() + " to host " + hostId);
         SetupDirectDownloadCertificateCommand cmd = new SetupDirectDownloadCertificateCommand(certificate, alias);
         Answer answer = agentManager.easySend(hostId, cmd);
         if (answer == null || !answer.getResult()) {
@@ -444,31 +457,51 @@ public boolean uploadCertificate(long certificateId, long hostId) {
             return false;
         }
 
-        DirectDownloadCertificateHostMapVO mapVO = new DirectDownloadCertificateHostMapVO(certificateId, hostId);
-        directDownloadCertificateHostMapDao.persist(mapVO);
         s_logger.info("Certificate " + alias + " successfully uploaded to host: " + hostId);
+        DirectDownloadCertificateHostMapVO map = directDownloadCertificateHostMapDao.findByCertificateAndHost(certificateId, hostId);
+        if (map != null) {
+            map.setRevoked(false);
+            directDownloadCertificateHostMapDao.update(map.getId(), map);
+        } else {
+            DirectDownloadCertificateHostMapVO mapVO = new DirectDownloadCertificateHostMapVO(certificateId, hostId);
+            directDownloadCertificateHostMapDao.persist(mapVO);
+        }
+
         return true;
     }
 
     @Override
-    public boolean revokeCertificateAlias(String certificateAlias, String hypervisor, Long zoneId) {
+    public boolean revokeCertificateAlias(String certificateAlias, String hypervisor, Long zoneId, Long hostId) {
         HypervisorType hypervisorType = HypervisorType.getType(hypervisor);
         DirectDownloadCertificateVO certificateVO = directDownloadCertificateDao.findByAlias(certificateAlias, hypervisorType, zoneId);
         if (certificateVO == null) {
             throw new CloudRuntimeException("Certificate alias " + certificateAlias + " does not exist");
         }
 
-        List<DirectDownloadCertificateHostMapVO> maps = directDownloadCertificateHostMapDao.listByCertificateId(certificateVO.getId());
+        List<DirectDownloadCertificateHostMapVO> maps = null;
+        if (hostId == null) {
+             maps = directDownloadCertificateHostMapDao.listByCertificateId(certificateVO.getId());
+        } else {
+            DirectDownloadCertificateHostMapVO hostMap = directDownloadCertificateHostMapDao.findByCertificateAndHost(certificateVO.getId(), hostId);
+            if (hostMap == null) {
+                s_logger.info("Certificate " + certificateAlias + " cannot be revoked from host " + hostId + " as it is not available on the host");
+                return false;
+            }
+            maps = Collections.singletonList(hostMap);
+        }
+
         s_logger.info("Attempting to revoke certificate alias: " + certificateAlias + " from " + maps.size() + " hosts");
         if (CollectionUtils.isNotEmpty(maps)) {
             for (DirectDownloadCertificateHostMapVO map : maps) {
-                Long hostId = map.getHostId();
-                if (!revokeCertificateAliasFromHost(certificateAlias, hostId)) {
-                    String msg = "Could not revoke certificate from host: " + hostId;
+                Long mappingHostId = map.getHostId();
+                if (!revokeCertificateAliasFromHost(certificateAlias, mappingHostId)) {
+                    String msg = "Could not revoke certificate from host: " + mappingHostId;
                     s_logger.error(msg);
                     throw new CloudRuntimeException(msg);
                 }
-                directDownloadCertificateHostMapDao.remove(map.getId());
+                s_logger.info("Certificate " + certificateAlias + " revoked from host " + mappingHostId);
+                map.setRevoked(true);
+                directDownloadCertificateHostMapDao.update(map.getId(), map);
             }
         }
         return true;
@@ -485,6 +518,29 @@ protected boolean revokeCertificateAliasFromHost(String alias, Long hostId) {
         return false;
     }
 
+    @Override
+    public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
+        executorService = new ScheduledThreadPoolExecutor(1, new NamedThreadFactory("DirectDownloadCertificateMonitor"));
+        return true;
+    }
+
+    @Override
+    public boolean stop() {
+        executorService.shutdownNow();
+        return true;
+    }
+
+    @Override
+    public boolean start() {
+        if (DirectDownloadCertificateUploadInterval.value() > 0L) {
+            executorService.scheduleWithFixedDelay(
+                    new DirectDownloadCertificateUploadBackgroundTask(this, hostDao, dataCenterDao,
+                            directDownloadCertificateDao, directDownloadCertificateHostMapDao),
+                    60L, DirectDownloadCertificateUploadInterval.value(), TimeUnit.HOURS);
+        }
+        return true;
+    }
+
     @Override
     public String getConfigComponentName() {
         return DirectDownloadManager.class.getSimpleName();
@@ -497,7 +553,7 @@ public ConfigKey<?>[] getConfigKeys() {
         };
     }
 
-    public static final class DirectDownloadCertificateUploadBackgroundTask extends ManagedContextRunnable implements BackgroundPollTask {
+    public static final class DirectDownloadCertificateUploadBackgroundTask extends ManagedContextRunnable {
 
         private DirectDownloadManager directDownloadManager;
         private HostDao hostDao;
@@ -506,12 +562,12 @@ public static final class DirectDownloadCertificateUploadBackgroundTask extends
         private DataCenterDao dataCenterDao;
 
         public DirectDownloadCertificateUploadBackgroundTask(
-                final DirectDownloadManager caManager,
+                final DirectDownloadManager manager,
                 final HostDao hostDao,
                 final DataCenterDao dataCenterDao,
                 final DirectDownloadCertificateDao directDownloadCertificateDao,
                 final DirectDownloadCertificateHostMapDao directDownloadCertificateHostMapDao) {
-            this.directDownloadManager = caManager;
+            this.directDownloadManager = manager;
             this.hostDao = hostDao;
             this.dataCenterDao = dataCenterDao;
             this.directDownloadCertificateDao = directDownloadCertificateDao;
@@ -552,11 +608,5 @@ protected void runInContext() {
                 s_logger.error("Error trying to run Direct Download background task", t);
             }
         }
-
-        @Override
-        public Long getDelay() {
-            return DirectDownloadCertificateUploadInterval.value()
-                    * 60L * 60L * 1000L; //From hours to milliseconds
-        }
     }
 }