Merge branch 'fix-55369@@2' into 'master'

<feature>[crypto]: InfoSec MS envelope login

See merge request zstackio/zstack!4068

Author: gitlab

conf/db/upgrade/V4.5.1.1__schema.sql

@@ -0,0 +1,2 @@
+ALTER TABLE `zstack`.`InfoSecSecretResourcePoolVO` ADD COLUMN `encryptPublicKey` text DEFAULT NULL;
+ALTER TABLE `zstack`.`InfoSecSecretResourcePoolVO` ADD COLUMN `encryptSubjectDN` varchar(128) DEFAULT NULL;

conf/errorCodes/securityMachine.xml

@@ -30,5 +30,10 @@
         <id>3006</id>
         <description>The crypto service is not enabled</description>
     </code>
+
+    <code>
+        <id>3007</id>
+        <description>Operation not supported</description>
+    </code>
 </error>
 

conf/i18n/messages_en_US.properties

@@ -9719,8 +9719,8 @@ certificate[uuid\=%s]\ not\ found = CCS certificate[uuid:{0}] does not exist
 CCS\ certificate\ authentication\ disabled = CCS certificate authentication disabled. Please check whether the current secret resource pool is enabled
 
 # at: src/test/crypto/org/zstack/crypto/ccs/CCSCertificateManagerImpl.java:230
-# args: expectCryptoAuthenticationType, actualCryptoAuthenticationType
-wrong\ crypto\ authentication\ type,\ expect[%s],\ actual[%s] = wrong crypto authentication type in UKey system tag, expect[{0}], actual[{1}]. Please check out your UKey system tag in API parameter
+# args: expectCryptoAuthenticationId, actualCryptoAuthenticationId
+wrong\ crypto\ authentication\ id,\ expect[%s],\ actual[%s] = wrong crypto authentication id in UKey system tag, expect[{0}], actual[{1}]. Please check out your UKey system tag in API parameter
 
 # at: src/test/crypto/org/zstack/crypto/ccs/CCSCertificateManagerImpl.java:242
 # args: 
@@ -9749,3 +9749,15 @@ user[uuid\=%s]\ does\ not\ have\ any\ CCS\ certificate\ attached = user[uuid:{0}
 # at: src/test/crypto/org/zstack/crypto/ccs/CCSCertificateInterceptor.java:172
 # args: user.uuid, certificate.uuid
 user[uuid\=%s]\ already\ has\ the\ certificate[uuid\=%s]\ attached = user[uuid:{0}] already has the certificate[uuid:{1}] attached
+
+# at: src/main/java/org/zstack/encrypt/EncryptionParamApiInterceptor.java:77
+# args: encryptionType
+failed\ to\ parse\ API\ message\:\ can\ not\ parse\ encryption\ param\ with\ type\ %s = bad API request: invalid encryption mode {0}
+
+# at: src/main/java/org/zstack/encrypt/EncryptionParamApiInterceptor.java:87
+# args: encryptionType
+failed\ to\ parse\ API\ message\:\ cipher\ text\ can\ not\ be\ parsed,\ type\=%s = bad API request: fail to parse encryption param by {0} encryption mode
+
+# at: src/main/java/org/zstack/encrypt/EncryptionParamApiInterceptor.java:115
+# args: count
+failed\ to\ parse\ API\ message\:\ found\ %d\ encryption\ param\ system\ tags,\ expect\ 1 = bad API request: find {0} encryption param system tags, expect 1

conf/i18n/messages_zh_CN.properties

@@ -9719,8 +9719,8 @@ certificate[uuid\=%s]\ not\ found = CCS证书[uuid:{0}]不存在
 CCS\ certificate\ authentication\ disabled = CCS认证登录未启用。请检查当前是否启用密码机资源池
 
 # at: src/test/crypto/org/zstack/crypto/ccs/CCSCertificateManagerImpl.java:230
-# args: expectCryptoAuthenticationType, actualCryptoAuthenticationType
-wrong\ crypto\ authentication\ type,\ expect[%s],\ actual[%s] = 输入参数UKey的System Tag中, 认证类型错误, 期望是[{0}], 但实际传入[{1}]
+# args: expectCryptoAuthenticationId, actualCryptoAuthenticationId
+wrong\ crypto\ authentication\ id,\ expect[%s],\ actual[%s] = 输入参数UKey的System Tag中, 认证类型错误, 期望是[{0}], 但实际传入[{1}]
 
 # at: src/test/crypto/org/zstack/crypto/ccs/CCSCertificateManagerImpl.java:242
 # args: 
@@ -9749,3 +9749,15 @@ user[uuid\=%s]\ does\ not\ have\ any\ CCS\ certificate\ attached = = 用户[uuid
 # at: src/test/crypto/org/zstack/crypto/ccs/CCSCertificateInterceptor.java:172
 # args: certificate.uuid, user.uuid
 user[uuid\=%s]\ already\ has\ the\ certificate[uuid\=%s]\ attached = 用户[uuid:{0}]已经绑定了CCS证书[uuid:{1}]
+
+# at: src/main/java/org/zstack/encrypt/EncryptionParamApiInterceptor.java:77
+# args: encryptionType
+failed\ to\ parse\ API\ message\:\ can\ not\ parse\ encryption\ param\ with\ type\ %s = 错误的 API 输入: 无效的加密类型 {0}
+
+# at: src/main/java/org/zstack/encrypt/EncryptionParamApiInterceptor.java:87
+# args: encryptionType
+failed\ to\ parse\ API\ message\:\ cipher\ text\ can\ not\ be\ parsed,\ type\=%s = 错误的 API 输入: 无法将参数密文以 {0} 加密类型解析
+
+# at: src/main/java/org/zstack/encrypt/EncryptionParamApiInterceptor.java:115
+# args: count
+failed\ to\ parse\ API\ message\:\ found\ %d\ encryption\ param\ system\ tags,\ expect\ 1 = 错误的 API 输入: 发现 {0} 个加密参数 System Tags, 期望只传入一个

conf/springConfigXml/ApiMediator.xml

@@ -36,4 +36,10 @@
             <zstack:extension interface="org.zstack.header.message.ApiMessageValidator"/>
         </zstack:plugin>
     </bean>
+
+    <bean id="ApiParamValidator" class="org.zstack.portal.apimediator.ApiParamValidator">
+        <zstack:plugin>
+            <zstack:extension interface="org.zstack.header.apimediator.GlobalApiMessageInterceptor"/>
+        </zstack:plugin>
+    </bean>
 </beans>

conf/springConfigXml/Aspect.xml

@@ -19,6 +19,7 @@
     <bean class="org.zstack.core.aspect.AsyncSafeAspect" factory-method="aspectOf" />
     <bean class="org.zstack.core.aspect.BackAspect" factory-method="aspectOf" />
     <bean class="org.zstack.core.aspect.EncryptColumnAspect" factory-method="aspectOf" />
+    <bean class="org.zstack.core.aspect.ExceptionSafeAspect" factory-method="aspectOf" />
 
 </beans>
 

core/src/main/java/org/zstack/core/aspect/ExceptionSafeAspect.aj

@@ -1,16 +1,30 @@
 package org.zstack.core.aspect;
 
+import org.springframework.beans.factory.annotation.Autowired;
+import org.zstack.core.errorcode.ErrorFacade;
+import org.zstack.header.errorcode.ErrorableValue;
 import org.zstack.utils.Utils;
 import org.zstack.utils.logging.CLogger;
 
 public aspect ExceptionSafeAspect {
     private static final CLogger logger = Utils.getLogger(ExceptionSafeAspect.class);
 
-    void around() : execution(@org.zstack.header.core.ExceptionSafe * *.*(..)) {
+    @Autowired
+    private ErrorFacade errf;
+
+    void around() : execution(@org.zstack.header.core.ExceptionSafe void *.*(..)) {
         try {
             proceed();
         } catch (Throwable t) {
             logger.warn("unhandled exception happened", t);
         }
     }
+
+    ErrorableValue around() : execution(@org.zstack.header.core.ExceptionSafe ErrorableValue *.*(..)) {
+        try {
+            return proceed();
+        } catch (Throwable t) {
+            return ErrorableValue.ofErrorCode(errf.throwableToInternalError(t));
+        }
+    }
 }

core/src/main/java/org/zstack/core/encrypt/DefaultEncryptDriver.java

@@ -1,6 +1,7 @@
 package org.zstack.core.encrypt;
 
 import org.zstack.header.core.encrypt.EncryptConstant;
+import org.zstack.header.errorcode.ErrorableValue;
 import org.zstack.header.exception.CloudRuntimeException;
 
 public class DefaultEncryptDriver implements EncryptDriver {
@@ -32,18 +33,18 @@ public String decrypt(String data) {
     }
 
     @Override
-    public EncryptFacadeResult<String> encrypt(String data, String algType) {
+    public ErrorableValue<String> encrypt(String data, String algType) {
         try {
-            return new EncryptFacadeResult<>(rsa.encrypt(data, algType));
+            return ErrorableValue.of(rsa.encrypt(data, algType));
         } catch (Exception e) {
             throw new CloudRuntimeException(e.getMessage());
         }
     }
 
     @Override
-    public EncryptFacadeResult<String> decrypt(String data, String algType) {
+    public ErrorableValue<String> decrypt(String data, String algType) {
         try {
-            return new EncryptFacadeResult<>(rsa.decrypt(data, algType));
+            return ErrorableValue.of(rsa.decrypt(data, algType));
         } catch (Exception e) {
             throw new CloudRuntimeException(e.getMessage());
         }

core/src/main/java/org/zstack/core/encrypt/EncryptDriver.java

@@ -1,5 +1,7 @@
 package org.zstack.core.encrypt;
 
+import org.zstack.header.errorcode.ErrorableValue;
+
 public interface EncryptDriver {
     String encryptError = "%s encrypt failed";
     String decryptError = "%s decrypt failed";
@@ -10,7 +12,7 @@ public interface EncryptDriver {
 
     String decrypt(String data);
 
-    EncryptFacadeResult<String> encrypt(String data, String algType);
+    ErrorableValue<String> encrypt(String data, String algType);
 
-    EncryptFacadeResult<String> decrypt(String data, String algType);
+    ErrorableValue<String> decrypt(String data, String algType);
 }

core/src/main/java/org/zstack/core/encrypt/EncryptFacade.java

@@ -2,6 +2,7 @@
 
 import org.zstack.header.core.encrypt.EncryptEntityState;
 import org.zstack.header.core.encrypt.EncryptedFieldBundle;
+import org.zstack.header.errorcode.ErrorableValue;
 
 import java.util.List;
 
@@ -13,9 +14,9 @@ public interface EncryptFacade {
 
     String decrypt(String encryptString);
 
-    EncryptFacadeResult<String> encrypt(String data, String algType);
+    ErrorableValue<String> encrypt(String data, String algType);
 
-    EncryptFacadeResult<String> decrypt(String data, String algType);
+    ErrorableValue<String> decrypt(String data, String algType);
 
     void updateEncryptDataStateIfExists(String entity, String column, EncryptEntityState state);
 

core/src/main/java/org/zstack/core/encrypt/EncryptFacadeImpl.java

@@ -13,6 +13,7 @@
 import org.zstack.core.db.SQLBatch;
 import org.zstack.header.Component;
 import org.zstack.header.core.encrypt.*;
+import org.zstack.header.errorcode.ErrorableValue;
 import org.zstack.header.errorcode.OperationFailureException;
 import org.zstack.header.exception.CloudRuntimeException;
 import org.zstack.utils.BeanUtils;
@@ -64,12 +65,12 @@ public String decrypt(String encryptString) {
     }
 
     @Override
-    public EncryptFacadeResult<String> encrypt(String data, String algType) {
+    public ErrorableValue<String> encrypt(String data, String algType) {
         return encryptDriver.encrypt(data, algType);
     }
 
     @Override
-    public EncryptFacadeResult<String> decrypt(String data, String algType) {
+    public ErrorableValue<String> decrypt(String data, String algType) {
         return encryptDriver.decrypt(data, algType);
     }
 
@@ -197,7 +198,7 @@ protected void scripts() {
 
                             try {
                                 String decryptedString = decrypt(encryptedString);
-                                EncryptFacadeResult<String> encrypt = encrypt(decryptedString, key);
+                                ErrorableValue<String> encrypt = encrypt(decryptedString, key);
                                 if (encrypt.error != null) {
                                     logger.error(String.format("Encryption error : %s", encrypt.error));
                                     throw new OperationFailureException(operr("Encryption error : %s", encrypt.error));
@@ -206,7 +207,7 @@ protected void scripts() {
                                 String sql = String.format("update %s set %s = :encrypted where uuid = :uuid", className, field.getName());
 
                                 Query query = dbf.getEntityManager().createQuery(sql);
-                                query.setParameter("encrypted", encrypt.getResult());
+                                query.setParameter("encrypted", encrypt.result);
                                 query.setParameter("uuid", uuid);
                                 query.executeUpdate();
                             } catch (Exception e) {

core/src/main/java/org/zstack/core/encrypt/EncryptFacadeResult.java

@@ -10,4 +10,8 @@
  */
 public interface ApiMessageInterceptor {
     APIMessage intercept(APIMessage msg) throws ApiMessageInterceptionException;
+
+    default int getPriority() {
+        return 0;
+    }
 }

header/src/main/java/org/zstack/header/apimediator/ApiMessageInterceptor.java

@@ -4,12 +4,16 @@
 
 public interface GlobalApiMessageInterceptor extends ApiMessageInterceptor {
     enum InterceptorPosition {
-        SYSTEM,
-        FRONT,
-        END,
+        // In execution order
+        SYSTEM, FRONT, DEFAULT, END
     }
 
     List<Class> getMessageClassToIntercept();
 
-    InterceptorPosition getPosition();
+    /**
+     * Sort by position, then {@link #getPriority()}
+     */
+    default InterceptorPosition getPosition() {
+        return InterceptorPosition.FRONT;
+    }
 }

header/src/main/java/org/zstack/header/apimediator/GlobalApiMessageInterceptor.java

@@ -0,0 +1,36 @@
+package org.zstack.header.core.encrypt;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Target({ElementType.TYPE})
+@Retention(RetentionPolicy.RUNTIME)
+public @interface EncryptionParamAllowed {
+    /**
+     * Encrypted fields are not allowed.
+     * 
+     * By default, except for the userTags/systemTags fields,
+     * all fields owned by {@link org.zstack.header.message.APIMessage} classes are not allowed
+     */
+    String[] forbiddenFields() default {};
+
+    String ACTION_CHECK_USER_INFO = "checkUserInfo";
+    String ACTION_PUT_USER_INFO_INTO_SYSTEM_TAG = "putUserInfoIntoSystemTag";
+
+    /**
+     * Check the result of parsing from the digital envelope
+     *
+     * - (Default) {@link #ACTION_CHECK_USER_INFO}
+     *   checks whether the user tag in the digital envelope matches the user of the APIMessage session
+     *   Mismatch will throw an error
+     * - {@link #ACTION_PUT_USER_INFO_INTO_SYSTEM_TAG}
+     *   system places the user data in the envelope in the system tag,
+     *   and this process will not generate errors and interrupts
+     *
+     * It is recommended to enable this option for all APIs
+     * that support digital envelopes except login
+     */
+    String[] actions() default { ACTION_CHECK_USER_INFO };
+}

header/src/main/java/org/zstack/header/core/encrypt/EncryptionParamAllowed.java

@@ -0,0 +1,29 @@
+package org.zstack.header.errorcode;
+
+import java.util.Objects;
+
+/**
+ * Created by Wenhao.Zhang on 22/11/21
+ */
+public class ErrorableValue<T> {
+    public final T result;
+    public final ErrorCode error;
+
+    public static <T> ErrorableValue<T> of(T result) {
+        return new ErrorableValue<>(result, null);
+    }
+
+    public static <T> ErrorableValue<T> ofErrorCode(ErrorCode error) {
+        return new ErrorableValue<>(null,
+                Objects.requireNonNull(error, "errorCode in ErrorableValue can not be null"));
+    }
+
+    protected ErrorableValue(T result, ErrorCode error) {
+        this.result = result;
+        this.error = error;
+    }
+
+    public boolean isSuccess() {
+        return error == null;
+    }
+}

header/src/main/java/org/zstack/header/errorcode/ErrorableValue.java

@@ -3,6 +3,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.springframework.http.HttpMethod;
 import org.zstack.header.identity.login.APICaptchaMessage;
+import org.zstack.header.core.encrypt.EncryptionParamAllowed;
 import org.zstack.header.log.NoLogging;
 import org.zstack.header.message.APIMessage;
 import org.zstack.header.message.APIParam;
@@ -19,6 +20,7 @@
         method = HttpMethod.PUT,
         responseClass = APILogInReply.class
 )
+@EncryptionParamAllowed(actions = { EncryptionParamAllowed.ACTION_PUT_USER_INFO_INTO_SYSTEM_TAG })
 public class APILogInByAccountMsg extends APISessionMessage implements APILoginAuditor, APICaptchaMessage {
     @APIParam
     private String accountName;

header/src/main/java/org/zstack/header/identity/APILogInByAccountMsg.java

@@ -28,6 +28,7 @@ public interface AccountConstant {
     String PRINCIPAL_ACCOUNT = "account";
 
     String LOGIN_TYPE = "account";
+    String LOGIN_TYPE_AUTHENTICATIONS_KEY = "authentications";
 
     String NO_EXIST_ACCOUNT ="no-exist-account:::%s";