Api changes to mark cryptographic parameters are excluded/obsolete

abh1sar · abh1sar · commit 6f995fbc4a68 · 2025-12-04T21:36:21.000+05:30
diff --git a/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java b/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java
@@ -1194,6 +1194,10 @@ public class ApiConstants {
             "value will be applied.";
     public static final String VMWARE_DC = "vmwaredc";
 
+    public static final String VPN_CUSTOMER_GATEWAY_PARAMETERS = "vpncustomergatewayparameters";
+    public static final String CONTAINS_OBSOLETE_PARAMETERS = "containsobsoleteparameters";
+    public static final String CONTAINS_EXCLUDED_PARAMETERS = "containsexcludedparameters";
+
     /**
      * This enum specifies IO Drivers, each option controls specific policies on I/O.
      * Qemu guests support "threads" and "native" options Since 0.8.8 ; "io_uring" is supported Since 6.3.0 (QEMU 5.0).
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/config/ListCapabilitiesCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/config/ListCapabilitiesCmd.java
@@ -74,6 +74,10 @@ public void execute() {
         response.setSharedFsVmMinRamSize((Integer)capabilities.get(ApiConstants.SHAREDFSVM_MIN_RAM_SIZE));
         response.setDynamicScalingEnabled((Boolean) capabilities.get(ApiConstants.DYNAMIC_SCALING_ENABLED));
         response.setAdditionalConfigEnabled((Boolean) capabilities.get(ApiConstants.ADDITONAL_CONFIG_ENABLED));
+        if (capabilities.containsKey(ApiConstants.VPN_CUSTOMER_GATEWAY_PARAMETERS)) {
+            Map<String, Object> vpnCustomerGatewayParameters = (Map<String, Object>) capabilities.get(ApiConstants.VPN_CUSTOMER_GATEWAY_PARAMETERS);
+            response.setVpnCustomerGatewayParameters(vpnCustomerGatewayParameters);
+        }
         response.setObjectName("capability");
         response.setResponseName(getCommandName());
         this.setResponseObject(response);
diff --git a/api/src/main/java/org/apache/cloudstack/api/response/CapabilitiesResponse.java b/api/src/main/java/org/apache/cloudstack/api/response/CapabilitiesResponse.java
@@ -16,6 +16,8 @@
 // under the License.
 package org.apache.cloudstack.api.response;
 
+import java.util.Map;
+
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseResponse;
 
@@ -144,6 +146,10 @@ public class CapabilitiesResponse extends BaseResponse {
     @Param(description = "true if additional configurations or extraconfig can be passed to Instances", since = "4.20.2")
     private Boolean additionalConfigEnabled;
 
+    @SerializedName(ApiConstants.VPN_CUSTOMER_GATEWAY_PARAMETERS)
+    @Param(description = "Excluded and obsolete VPN customer gateway cryptographic parameters")
+    private Map<String, Object> vpnCustomerGatewayParameters;
+
     public void setSecurityGroupsEnabled(boolean securityGroupsEnabled) {
         this.securityGroupsEnabled = securityGroupsEnabled;
     }
@@ -263,4 +269,8 @@ public void setDynamicScalingEnabled(Boolean dynamicScalingEnabled) {
     public void setAdditionalConfigEnabled(Boolean additionalConfigEnabled) {
         this.additionalConfigEnabled = additionalConfigEnabled;
     }
+
+    public void setVpnCustomerGatewayParameters(Map<String, Object> vpnCustomerGatewayParameters) {
+        this.vpnCustomerGatewayParameters = vpnCustomerGatewayParameters;
+    }
 }
diff --git a/api/src/main/java/org/apache/cloudstack/api/response/Site2SiteCustomerGatewayResponse.java b/api/src/main/java/org/apache/cloudstack/api/response/Site2SiteCustomerGatewayResponse.java
@@ -114,6 +114,14 @@ public class Site2SiteCustomerGatewayResponse extends BaseResponseWithAnnotation
     @Param(description = "Which IKE Version to use, one of ike (autoselect), ikev1, or ikev2. Defaults to ike")
     private String ikeVersion;
 
+    @SerializedName(ApiConstants.CONTAINS_OBSOLETE_PARAMETERS)
+    @Param(description = "Whether the vpn customer gateway contains obsolete parameters. The listCapabilities api can be used to determine which parameters are obsolete.")
+    private Boolean containsObsoleteAlgorithms;
+
+    @SerializedName(ApiConstants.CONTAINS_EXCLUDED_PARAMETERS)
+    @Param(description = "Whether the vpn customer gateway contains excluded parameters. The listCapabilities api can be used to determine which parameters are excluded.")
+    private Boolean containsExcludedAlgorithms;
+
     public void setId(String id) {
         this.id = id;
     }
@@ -202,4 +210,12 @@ public void setDomainPath(String domainPath) {
         this.domainPath = domainPath;
     }
 
+    public void setContainsObsoleteParameters(Boolean containsObsoleteAlgorithms) {
+        this.containsObsoleteAlgorithms = containsObsoleteAlgorithms;
+    }
+
+    public void setContainsExcludedParameters(Boolean containsExcludedAlgorithms) {
+        this.containsExcludedAlgorithms = containsExcludedAlgorithms;
+    }
+
 }
diff --git a/server/src/main/java/com/cloud/api/ApiResponseHelper.java b/server/src/main/java/com/cloud/api/ApiResponseHelper.java
@@ -48,6 +48,7 @@
 import com.cloud.dc.dao.ASNumberRangeDao;
 import com.cloud.dc.dao.VlanDetailsDao;
 import com.cloud.hypervisor.Hypervisor;
+import com.cloud.network.vpn.Site2SiteVpnManager;
 import com.cloud.storage.BucketVO;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
@@ -521,6 +522,8 @@ public class ApiResponseHelper implements ResponseGenerator {
     BgpPeerDao bgpPeerDao;
     @Inject
     RoutedIpv4Manager routedIpv4Manager;
+    @Inject
+    Site2SiteVpnManager site2SiteVpnManager;
 
     @Override
     public UserResponse createUserResponse(User user) {
@@ -3821,6 +3824,8 @@ public Site2SiteCustomerGatewayResponse createSite2SiteCustomerGatewayResponse(S
         response.setRemoved(result.getRemoved());
         response.setIkeVersion(result.getIkeVersion());
         response.setSplitConnections(result.getSplitConnections());
+        response.setContainsExcludedParameters(site2SiteVpnManager.vpnGatewayContainsExcludedParameters(result));
+        response.setContainsObsoleteParameters(site2SiteVpnManager.vpnGatewayContainsObsoleteParameters(result));
         response.setObjectName("vpncustomergateway");
         response.setHasAnnotation(annotationDao.hasAnnotations(result.getUuid(), AnnotationService.EntityType.VPN_CUSTOMER_GATEWAY.name(),
                 _accountMgr.isRootAdmin(CallContext.current().getCallingAccount().getId())));
diff --git a/server/src/main/java/com/cloud/network/vpn/Site2SiteVpnManager.java b/server/src/main/java/com/cloud/network/vpn/Site2SiteVpnManager.java
@@ -18,10 +18,15 @@
 
 import java.util.List;
 
+import com.cloud.network.Site2SiteCustomerGateway;
 import com.cloud.network.dao.Site2SiteVpnConnectionVO;
 import com.cloud.vm.DomainRouterVO;
 
 public interface Site2SiteVpnManager extends Site2SiteVpnService {
+    boolean vpnGatewayContainsExcludedParameters(Site2SiteCustomerGateway customerGateway);
+
+    boolean vpnGatewayContainsObsoleteParameters(Site2SiteCustomerGateway customerGateway);
+
     boolean cleanupVpnConnectionByVpc(long vpcId);
 
     boolean cleanupVpnGatewayByVpc(long vpcId);
diff --git a/server/src/main/java/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java b/server/src/main/java/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
diff --git a/server/src/main/java/com/cloud/server/ManagementServerImpl.java b/server/src/main/java/com/cloud/server/ManagementServerImpl.java
diff --git a/server/src/test/java/com/cloud/vpc/MockSite2SiteVpnManagerImpl.java b/server/src/test/java/com/cloud/vpc/MockSite2SiteVpnManagerImpl.java
