server: Don't allow service offering change if encryption value would change (#6776)

This PR blocks change of service offering if the offering root volume encryption values don't match. We don't support dynamically removing or adding encryption to a VM.

Signed-off-by: Marcus Sorensen <mls@apple.com>
Co-authored-by: Marcus Sorensen <mls@apple.com>

Author: mlsorensen

server/src/main/java/com/cloud/vm/UserVmManagerImpl.java

@@ -2092,14 +2092,21 @@ private boolean upgradeRunningVirtualMachine(Long vmId, Long newServiceOfferingI
         return success;
     }
 
-    private void validateDiskOfferingChecks(ServiceOfferingVO currentServiceOffering, ServiceOfferingVO newServiceOffering) {
+    protected void validateDiskOfferingChecks(ServiceOfferingVO currentServiceOffering, ServiceOfferingVO newServiceOffering) {
         if (currentServiceOffering.getDiskOfferingStrictness() != newServiceOffering.getDiskOfferingStrictness()) {
             throw new InvalidParameterValueException("Unable to Scale VM, since disk offering strictness flag is not same for new service offering and old service offering");
         }
 
         if (currentServiceOffering.getDiskOfferingStrictness() && currentServiceOffering.getDiskOfferingId() != newServiceOffering.getDiskOfferingId()) {
             throw new InvalidParameterValueException("Unable to Scale VM, since disk offering id associated with the old service offering is not same for new service offering");
         }
+
+        DiskOfferingVO currentRootDiskOffering = _diskOfferingDao.findByIdIncludingRemoved(currentServiceOffering.getDiskOfferingId());
+        DiskOfferingVO newRootDiskOffering = _diskOfferingDao.findById(newServiceOffering.getDiskOfferingId());
+
+        if (currentRootDiskOffering.getEncrypt() != newRootDiskOffering.getEncrypt()) {
+            throw new InvalidParameterValueException("Cannot change volume encryption type via service offering change");
+        }
     }
 
     private void changeDiskOfferingForRootVolume(Long vmId, DiskOfferingVO newDiskOffering, Map<String, String> customParameters) throws ResourceAllocationException {

server/src/test/java/com/cloud/vm/UserVmManagerImplTest.java

@@ -565,6 +565,34 @@ public void prepareResizeVolumeCmdTestNewOfferingSmaller() {
         prepareAndRunResizeVolumeTest(2L, 10L, 20L, largerDisdkOffering, smallerDisdkOffering);
     }
 
+    @Test
+    public void validateDiskOfferingCheckForEncryption1Test() {
+        ServiceOfferingVO currentOffering = prepareOfferingsForEncryptionValidation(1L, true);
+        ServiceOfferingVO newOffering = prepareOfferingsForEncryptionValidation(2L, true);
+        userVmManagerImpl.validateDiskOfferingChecks(currentOffering, newOffering);
+    }
+
+    @Test
+    public void validateDiskOfferingCheckForEncryption2Test() {
+        ServiceOfferingVO currentOffering = prepareOfferingsForEncryptionValidation(1L, false);
+        ServiceOfferingVO newOffering = prepareOfferingsForEncryptionValidation(2L, false);
+        userVmManagerImpl.validateDiskOfferingChecks(currentOffering, newOffering);
+    }
+
+    @Test (expected = InvalidParameterValueException.class)
+    public void validateDiskOfferingCheckForEncryptionFail1Test() {
+        ServiceOfferingVO currentOffering = prepareOfferingsForEncryptionValidation(1L, false);
+        ServiceOfferingVO newOffering = prepareOfferingsForEncryptionValidation(2L, true);
+        userVmManagerImpl.validateDiskOfferingChecks(currentOffering, newOffering);
+    }
+
+    @Test (expected = InvalidParameterValueException.class)
+    public void validateDiskOfferingCheckForEncryptionFail2Test() {
+        ServiceOfferingVO currentOffering = prepareOfferingsForEncryptionValidation(1L, true);
+        ServiceOfferingVO newOffering = prepareOfferingsForEncryptionValidation(2L, false);
+        userVmManagerImpl.validateDiskOfferingChecks(currentOffering, newOffering);
+    }
+
     private void prepareAndRunResizeVolumeTest(Long expectedOfferingId, long expectedMinIops, long expectedMaxIops, DiskOfferingVO currentRootDiskOffering, DiskOfferingVO newRootDiskOffering) {
         long rootVolumeId = 1l;
         VolumeVO rootVolumeOfVm = Mockito.mock(VolumeVO.class);
@@ -588,6 +616,20 @@ private DiskOfferingVO prepareDiskOffering(long rootSize, long diskOfferingId, l
         return newRootDiskOffering;
     }
 
+    private ServiceOfferingVO prepareOfferingsForEncryptionValidation(long diskOfferingId, boolean encryption) {
+        ServiceOfferingVO svcOffering = Mockito.mock(ServiceOfferingVO.class);
+        DiskOfferingVO diskOffering = Mockito.mock(DiskOfferingVO.class);
+
+        Mockito.when(svcOffering.getDiskOfferingId()).thenReturn(diskOfferingId);
+        Mockito.when(diskOffering.getEncrypt()).thenReturn(encryption);
+
+        // Be aware - Multiple calls with the same disk offering ID could conflict
+        Mockito.when(diskOfferingDao.findByIdIncludingRemoved(diskOfferingId)).thenReturn(diskOffering);
+        Mockito.when(diskOfferingDao.findById(diskOfferingId)).thenReturn(diskOffering);
+
+        return svcOffering;
+    }
+
     @Test (expected = CloudRuntimeException.class)
     public void testUserDataDenyOverride() {
         Long userDataId = 1L;