Add KMS framework

Author: vishesh92

api/pom.xml

@@ -71,6 +71,11 @@
             <artifactId>cloud-framework-direct-download</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.cloudstack</groupId>
+            <artifactId>cloud-framework-kms</artifactId>
+            <version>${project.version}</version>
+        </dependency>
     </dependencies>
     <build>
         <plugins>

api/src/main/java/com/cloud/event/EventTypes.java

@@ -271,6 +271,14 @@ public class EventTypes {
     public static final String EVENT_CA_CERTIFICATE_REVOKE = "CA.CERTIFICATE.REVOKE";
     public static final String EVENT_CA_CERTIFICATE_PROVISION = "CA.CERTIFICATE.PROVISION";
 
+    // KMS (Key Management Service) events
+    public static final String EVENT_KMS_KEY_WRAP = "KMS.KEY.WRAP";
+    public static final String EVENT_KMS_KEY_UNWRAP = "KMS.KEY.UNWRAP";
+    public static final String EVENT_KMS_KEK_CREATE = "KMS.KEK.CREATE";
+    public static final String EVENT_KMS_KEK_ROTATE = "KMS.KEK.ROTATE";
+    public static final String EVENT_KMS_KEK_DELETE = "KMS.KEK.DELETE";
+    public static final String EVENT_KMS_HEALTH_CHECK = "KMS.HEALTH.CHECK";
+
     // Account events
     public static final String EVENT_ACCOUNT_ENABLE = "ACCOUNT.ENABLE";
     public static final String EVENT_ACCOUNT_DISABLE = "ACCOUNT.DISABLE";

api/src/main/java/org/apache/cloudstack/api/ApiCommandResourceType.java

@@ -89,7 +89,8 @@ public enum ApiCommandResourceType {
     KubernetesSupportedVersion(null),
     SharedFS(org.apache.cloudstack.storage.sharedfs.SharedFS.class),
     Extension(org.apache.cloudstack.extension.Extension.class),
-    ExtensionCustomAction(org.apache.cloudstack.extension.ExtensionCustomAction.class);
+    ExtensionCustomAction(org.apache.cloudstack.extension.ExtensionCustomAction.class),
+    KmsKey(org.apache.cloudstack.kms.KMSKey.class);
 
     private final Class<?> clazz;
 

api/src/main/java/org/apache/cloudstack/api/ApiConstants.java

@@ -862,6 +862,9 @@ public class ApiConstants {
     public static final String SORT_BY = "sortby";
     public static final String CHANGE_CIDR = "changecidr";
     public static final String PURPOSE = "purpose";
+    public static final String KMS_KEY_ID = "kmskeyid";
+    public static final String KEK_LABEL = "keklabel";
+    public static final String KEY_BITS = "keybits";
     public static final String IS_TAGGED = "istagged";
     public static final String INSTANCE_NAME = "instancename";
     public static final String CONSIDER_LAST_HOST = "considerlasthost";

api/src/main/java/org/apache/cloudstack/api/ResponseGenerator.java

@@ -73,6 +73,8 @@
 import org.apache.cloudstack.api.response.IPAddressResponse;
 import org.apache.cloudstack.api.response.ImageStoreResponse;
 import org.apache.cloudstack.api.response.InstanceGroupResponse;
+import org.apache.cloudstack.api.response.KMSKeyResponse;
+import org.apache.cloudstack.kms.KMSKey;
 import org.apache.cloudstack.api.response.InternalLoadBalancerElementResponse;
 import org.apache.cloudstack.api.response.IpForwardingRuleResponse;
 import org.apache.cloudstack.api.response.IpQuarantineResponse;
@@ -583,4 +585,6 @@ List<TemplateResponse> createTemplateResponses(ResponseView view, VirtualMachine
     GuiThemeResponse createGuiThemeResponse(GuiThemeJoin guiThemeJoin);
 
     ConsoleSessionResponse createConsoleSessionResponse(ConsoleSession consoleSession, ResponseView responseView);
+
+    KMSKeyResponse createKMSKeyResponse(KMSKey kmsKey);
 }

api/src/main/java/org/apache/cloudstack/api/command/user/kms/CreateKMSKeyCmd.java

@@ -0,0 +1,166 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.api.command.user.kms;
+
+import com.cloud.exception.ResourceAllocationException;
+import com.cloud.user.Account;
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiCommandResourceType;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.command.user.UserCmd;
+import org.apache.cloudstack.api.response.DomainResponse;
+import org.apache.cloudstack.api.response.KMSKeyResponse;
+import org.apache.cloudstack.api.response.ZoneResponse;
+import org.apache.cloudstack.context.CallContext;
+import org.apache.cloudstack.framework.kms.KMSException;
+import org.apache.cloudstack.kms.KMSManager;
+
+import javax.inject.Inject;
+
+@APICommand(name = "createKMSKey",
+            description = "Creates a new KMS key (Key Encryption Key) for encryption",
+            responseObject = KMSKeyResponse.class,
+            since = "4.23.0",
+            authorized = {RoleType.Admin, RoleType.ResourceAdmin, RoleType.DomainAdmin, RoleType.User},
+            requestHasSensitiveInfo = false,
+            responseHasSensitiveInfo = false)
+public class CreateKMSKeyCmd extends BaseCmd implements UserCmd {
+    private static final String s_name = "createkmskeyresponse";
+
+    @Inject
+    private KMSManager kmsManager;
+
+    /////////////////////////////////////////////////////
+    //////////////// API parameters /////////////////////
+    /////////////////////////////////////////////////////
+
+    @Parameter(name = ApiConstants.NAME,
+               required = true,
+               type = CommandType.STRING,
+               description = "Name of the KMS key")
+    private String name;
+
+    @Parameter(name = ApiConstants.DESCRIPTION,
+               type = CommandType.STRING,
+               description = "Description of the KMS key")
+    private String description;
+
+    @Parameter(name = ApiConstants.PURPOSE,
+               required = true,
+               type = CommandType.STRING,
+               description = "Purpose of the key: VOLUME_ENCRYPTION, TLS_CERT, CONFIG_SECRET")
+    private String purpose;
+
+    @Parameter(name = ApiConstants.ZONE_ID,
+               required = true,
+               type = CommandType.UUID,
+               entityType = ZoneResponse.class,
+               description = "Zone ID where the key will be valid")
+    private Long zoneId;
+
+    @Parameter(name = ApiConstants.ACCOUNT,
+               type = CommandType.STRING,
+               description = "Account name (for creating keys for child accounts - requires domain admin or admin)")
+    private String accountName;
+
+    @Parameter(name = ApiConstants.DOMAIN_ID,
+               type = CommandType.UUID,
+               entityType = DomainResponse.class,
+               description = "Domain ID (for creating keys for child accounts - requires domain admin or admin)")
+    private Long domainId;
+
+    @Parameter(name = ApiConstants.KEY_BITS,
+               type = CommandType.INTEGER,
+               description = "Key size in bits: 128, 192, or 256 (default: 256)")
+    private Integer keyBits;
+
+    /////////////////////////////////////////////////////
+    /////////////////// Accessors ///////////////////////
+    /////////////////////////////////////////////////////
+
+    public String getName() {
+        return name;
+    }
+
+    public String getDescription() {
+        return description;
+    }
+
+    public String getPurpose() {
+        return purpose;
+    }
+
+    public Long getZoneId() {
+        return zoneId;
+    }
+
+    public String getAccountName() {
+        return accountName;
+    }
+
+    public Long getDomainId() {
+        return domainId;
+    }
+
+    public Integer getKeyBits() {
+        return keyBits != null ? keyBits : 256; // Default to 256 bits
+    }
+
+    /////////////////////////////////////////////////////
+    /////////////// API Implementation///////////////////
+    /////////////////////////////////////////////////////
+
+    @Override
+    public void execute() throws ResourceAllocationException {
+        try {
+            KMSKeyResponse response = kmsManager.createKMSKey(this);
+            response.setResponseName(getCommandName());
+            setResponseObject(response);
+        } catch (KMSException e) {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR,
+                    "Failed to create KMS key: " + e.getMessage());
+        }
+    }
+
+    @Override
+    public String getCommandName() {
+        return s_name;
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        Account caller = CallContext.current().getCallingAccount();
+        if (accountName != null || domainId != null) {
+            return _accountService.finalyzeAccountId(accountName, domainId, null, true);
+        }
+        return caller.getId();
+    }
+
+    @Override
+    public ApiCommandResourceType getApiResourceType() {
+        return ApiCommandResourceType.KmsKey;
+    }
+}
+

api/src/main/java/org/apache/cloudstack/api/command/user/kms/DeleteKMSKeyCmd.java

@@ -0,0 +1,113 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.api.command.user.kms;
+
+import com.cloud.event.EventTypes;
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiCommandResourceType;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseAsyncCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.command.user.UserCmd;
+import org.apache.cloudstack.api.response.KMSKeyResponse;
+import org.apache.cloudstack.api.response.SuccessResponse;
+import org.apache.cloudstack.context.CallContext;
+import org.apache.cloudstack.framework.kms.KMSException;
+import org.apache.cloudstack.kms.KMSManager;
+
+import javax.inject.Inject;
+
+@APICommand(name = "deleteKMSKey",
+            description = "Deletes a KMS key (only if not in use)",
+            responseObject = SuccessResponse.class,
+            since = "4.23.0",
+            authorized = {RoleType.Admin, RoleType.ResourceAdmin, RoleType.DomainAdmin, RoleType.User},
+            requestHasSensitiveInfo = false,
+            responseHasSensitiveInfo = false)
+public class DeleteKMSKeyCmd extends BaseAsyncCmd implements UserCmd {
+    private static final String s_name = "deletekmskeyresponse";
+
+    @Inject
+    private KMSManager kmsManager;
+
+    /////////////////////////////////////////////////////
+    //////////////// API parameters /////////////////////
+    /////////////////////////////////////////////////////
+
+    @Parameter(name = ApiConstants.ID,
+               required = true,
+               type = CommandType.UUID,
+               entityType = KMSKeyResponse.class,
+               description = "The UUID of the KMS key to delete")
+    private Long id;
+
+    /////////////////////////////////////////////////////
+    /////////////////// Accessors ///////////////////////
+    /////////////////////////////////////////////////////
+
+    public Long getId() {
+        return id;
+    }
+
+    /////////////////////////////////////////////////////
+    /////////////// API Implementation///////////////////
+    /////////////////////////////////////////////////////
+
+    @Override
+    public void execute() {
+        try {
+            SuccessResponse response = kmsManager.deleteKMSKey(this);
+            response.setResponseName(getCommandName());
+            setResponseObject(response);
+        } catch (KMSException e) {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR,
+                    "Failed to delete KMS key: " + e.getMessage());
+        }
+    }
+
+    @Override
+    public String getCommandName() {
+        return s_name;
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        return CallContext.current().getCallingAccount().getId();
+    }
+
+    @Override
+    public String getEventType() {
+        return EventTypes.EVENT_KMS_KEK_DELETE;
+    }
+
+    @Override
+    public String getEventDescription() {
+        return "deleting KMS key: " + getId();
+    }
+
+    @Override
+    public ApiCommandResourceType getApiResourceType() {
+        return ApiCommandResourceType.KmsKey;
+    }
+}
+