Add settings to mark cryptographic algorithms in vpn customer gateways as excluded or obsolete

api/src/main/java/com/cloud/event/EventTypes.java

@@ -503,6 +503,7 @@ public class EventTypes {
     public static final String EVENT_S2S_VPN_CUSTOMER_GATEWAY_CREATE = "VPN.S2S.CUSTOMER.GATEWAY.CREATE";
     public static final String EVENT_S2S_VPN_CUSTOMER_GATEWAY_DELETE = "VPN.S2S.CUSTOMER.GATEWAY.DELETE";
     public static final String EVENT_S2S_VPN_CUSTOMER_GATEWAY_UPDATE = "VPN.S2S.CUSTOMER.GATEWAY.UPDATE";
+    public static final String EVENT_S2S_VPN_GATEWAY_OBSOLETE_PARAMS = "VPN.S2S.GATEWAY.OBSOLETE.PARAMS";
     public static final String EVENT_S2S_VPN_CONNECTION_CREATE = "VPN.S2S.CONNECTION.CREATE";
     public static final String EVENT_S2S_VPN_CONNECTION_DELETE = "VPN.S2S.CONNECTION.DELETE";
     public static final String EVENT_S2S_VPN_CONNECTION_RESET = "VPN.S2S.CONNECTION.RESET";
@@ -1151,6 +1152,7 @@ public class EventTypes {
         entityEventDetails.put(EVENT_S2S_VPN_CUSTOMER_GATEWAY_CREATE, Site2SiteCustomerGateway.class);
         entityEventDetails.put(EVENT_S2S_VPN_CUSTOMER_GATEWAY_DELETE, Site2SiteCustomerGateway.class);
         entityEventDetails.put(EVENT_S2S_VPN_CUSTOMER_GATEWAY_UPDATE, Site2SiteCustomerGateway.class);
+        entityEventDetails.put(EVENT_S2S_VPN_GATEWAY_OBSOLETE_PARAMS, Site2SiteCustomerGateway.class);
         entityEventDetails.put(EVENT_S2S_VPN_CONNECTION_CREATE, Site2SiteVpnConnection.class);
         entityEventDetails.put(EVENT_S2S_VPN_CONNECTION_DELETE, Site2SiteVpnConnection.class);
         entityEventDetails.put(EVENT_S2S_VPN_CONNECTION_RESET, Site2SiteVpnConnection.class);

api/src/main/java/org/apache/cloudstack/alert/AlertService.java

@@ -74,6 +74,7 @@ private AlertType(short type, String name, boolean isDefault) {
         public static final AlertType ALERT_TYPE_VR_PUBLIC_IFACE_MTU = new AlertType((short)32, "ALERT.VR.PUBLIC.IFACE.MTU", true);
         public static final AlertType ALERT_TYPE_VR_PRIVATE_IFACE_MTU = new AlertType((short)32, "ALERT.VR.PRIVATE.IFACE.MTU", true);
         public static final AlertType ALERT_TYPE_EXTENSION_PATH_NOT_READY = new AlertType((short)33, "ALERT.TYPE.EXTENSION.PATH.NOT.READY", true);
+        public static final AlertType ALERT_TYPE_VPN_GATEWAY_OBSOLETE_PARAMETERS = new AlertType((short)34, "ALERT.S2S.VPN.GATEWAY.OBSOLETE.PARAMETERS", true);
         public static final AlertType ALERT_TYPE_BACKUP_STORAGE = new AlertType(Capacity.CAPACITY_TYPE_BACKUP_STORAGE, "ALERT.STORAGE.BACKUP", true);
         public static final AlertType ALERT_TYPE_OBJECT_STORAGE = new AlertType(Capacity.CAPACITY_TYPE_OBJECT_STORAGE, "ALERT.STORAGE.OBJECT", true);
 

api/src/main/java/org/apache/cloudstack/api/ApiConstants.java

@@ -1363,6 +1363,10 @@ public class ApiConstants {
 
     public static final String RECURSIVE_DOMAINS = "recursivedomains";
 
+    public static final String VPN_CUSTOMER_GATEWAY_PARAMETERS = "vpncustomergatewayparameters";
+    public static final String OBSOLETE_PARAMETERS = "obsoleteparameters";
+    public static final String EXCLUDED_PARAMETERS = "excludedparameters";
+
     /**
      * This enum specifies IO Drivers, each option controls specific policies on I/O.
      * Qemu guests support "threads" and "native" options Since 0.8.8 ; "io_uring" is supported Since 6.3.0 (QEMU 5.0).

api/src/main/java/org/apache/cloudstack/api/command/user/config/ListCapabilitiesCmd.java

@@ -21,7 +21,9 @@
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.response.CapabilitiesResponse;
+import org.apache.cloudstack.api.response.DomainResponse;
 import org.apache.cloudstack.config.ApiServiceConfiguration;
 
 import com.cloud.user.Account;
@@ -30,12 +32,22 @@
         requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
 public class ListCapabilitiesCmd extends BaseCmd {
 
+    @Parameter(name = ApiConstants.DOMAIN_ID,
+            type = CommandType.UUID,
+            entityType = DomainResponse.class,
+            description = "the domain for listing capabilities.",
+            since = "4.23.0")
+    private Long domainId;
 
     @Override
     public long getEntityOwnerId() {
         return Account.ACCOUNT_ID_SYSTEM;
     }
 
+    public Long getDomainId() {
+        return domainId;
+    }
+
     @Override
     public void execute() {
         Map<String, Object> capabilities = _mgr.listCapabilities(this);
@@ -76,6 +88,10 @@ public void execute() {
         response.setExtensionsPath((String)capabilities.get(ApiConstants.EXTENSIONS_PATH));
         response.setDynamicScalingEnabled((Boolean) capabilities.get(ApiConstants.DYNAMIC_SCALING_ENABLED));
         response.setAdditionalConfigEnabled((Boolean) capabilities.get(ApiConstants.ADDITONAL_CONFIG_ENABLED));
+        if (capabilities.containsKey(ApiConstants.VPN_CUSTOMER_GATEWAY_PARAMETERS)) {
+            Map<String, Object> vpnCustomerGatewayParameters = (Map<String, Object>) capabilities.get(ApiConstants.VPN_CUSTOMER_GATEWAY_PARAMETERS);
+            response.setVpnCustomerGatewayParameters(vpnCustomerGatewayParameters);
+        }
         response.setObjectName("capability");
         response.setResponseName(getCommandName());
         this.setResponseObject(response);

api/src/main/java/org/apache/cloudstack/api/response/CapabilitiesResponse.java

@@ -16,6 +16,8 @@
 // under the License.
 package org.apache.cloudstack.api.response;
 
+import java.util.Map;
+
 import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseResponse;
@@ -153,6 +155,10 @@ public class CapabilitiesResponse extends BaseResponse {
     @Param(description = "true if additional configurations or extraconfig can be passed to Instances", since = "4.20.2")
     private Boolean additionalConfigEnabled;
 
+    @SerializedName(ApiConstants.VPN_CUSTOMER_GATEWAY_PARAMETERS)
+    @Param(description = "Excluded and obsolete VPN customer gateway cryptographic parameters")
+    private Map<String, Object> vpnCustomerGatewayParameters;
+
     public void setSecurityGroupsEnabled(boolean securityGroupsEnabled) {
         this.securityGroupsEnabled = securityGroupsEnabled;
     }
@@ -280,4 +286,8 @@ public void setDynamicScalingEnabled(Boolean dynamicScalingEnabled) {
     public void setAdditionalConfigEnabled(Boolean additionalConfigEnabled) {
         this.additionalConfigEnabled = additionalConfigEnabled;
     }
+
+    public void setVpnCustomerGatewayParameters(Map<String, Object> vpnCustomerGatewayParameters) {
+        this.vpnCustomerGatewayParameters = vpnCustomerGatewayParameters;
+    }
 }

api/src/main/java/org/apache/cloudstack/api/response/Site2SiteCustomerGatewayResponse.java

@@ -114,6 +114,14 @@ public class Site2SiteCustomerGatewayResponse extends BaseResponseWithAnnotation
     @Param(description = "Which IKE Version to use, one of ike (autoselect), ikev1, or ikev2. Defaults to ike")
     private String ikeVersion;
 
+    @SerializedName(ApiConstants.OBSOLETE_PARAMETERS)
+    @Param(description = "Contains the list of obsolete/insecure cryptographic parameters that the vpn customer gateway is using.", since = "4.23.0")
+    private String obsoleteParameters;
+
+    @SerializedName(ApiConstants.EXCLUDED_PARAMETERS)
+    @Param(description = "Contains the list of excluded/not allowed cryptographic parameters that the vpn customer gateway is using.", since = "4.23.0")
+    private String excludedParameters;
+
     public void setId(String id) {
         this.id = id;
     }
@@ -202,4 +210,12 @@ public void setDomainPath(String domainPath) {
         this.domainPath = domainPath;
     }
 
+    public void setContainsObsoleteParameters(String obsoleteParameters) {
+        this.obsoleteParameters = obsoleteParameters;
+    }
+
+    public void setContainsExcludedParameters(String excludedParameters) {
+        this.excludedParameters = excludedParameters;
+    }
+
 }

framework/config/src/main/java/org/apache/cloudstack/framework/config/ConfigKeyScheduledExecutionWrapper.java

@@ -66,7 +66,7 @@ public ConfigKeyScheduledExecutionWrapper(ScheduledExecutorService executorServi
         this.unit = unit;
     }
 
-    protected ConfigKeyScheduledExecutionWrapper(ScheduledExecutorService executorService, Runnable command,
+    public ConfigKeyScheduledExecutionWrapper(ScheduledExecutorService executorService, Runnable command,
             ConfigKey<?> configKey, int enableIntervalSeconds, TimeUnit unit) {
         validateArgs(executorService, command, configKey);
         this.executorService = executorService;

server/src/main/java/com/cloud/alert/AlertManagerImpl.java

@@ -112,7 +112,8 @@ public class AlertManagerImpl extends ManagerBase implements AlertManager, Confi
             , AlertType.ALERT_TYPE_OOBM_AUTH_ERROR
             , AlertType.ALERT_TYPE_HA_ACTION
             , AlertType.ALERT_TYPE_CA_CERT
-            , AlertType.ALERT_TYPE_EXTENSION_PATH_NOT_READY);
+            , AlertType.ALERT_TYPE_EXTENSION_PATH_NOT_READY
+            , AlertType.ALERT_TYPE_VPN_GATEWAY_OBSOLETE_PARAMETERS);
 
     private static final long INITIAL_CAPACITY_CHECK_DELAY = 30L * 1000L; // Thirty seconds expressed in milliseconds.
 

server/src/main/java/com/cloud/api/ApiResponseHelper.java

@@ -50,6 +50,7 @@
 import com.cloud.dc.dao.VlanDetailsDao;
 import com.cloud.hypervisor.Hypervisor;
 import com.cloud.network.vpc.VpcGateway;
+import com.cloud.network.vpn.Site2SiteVpnManager;
 import com.cloud.storage.BucketVO;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
@@ -528,6 +529,8 @@ public class ApiResponseHelper implements ResponseGenerator {
     @Inject
     RoutedIpv4Manager routedIpv4Manager;
     @Inject
+    Site2SiteVpnManager site2SiteVpnManager;
+    @Inject
     ResourceIconManager resourceIconManager;
 
     public static String getPrettyDomainPath(String path) {
@@ -3884,6 +3887,16 @@ public Site2SiteCustomerGatewayResponse createSite2SiteCustomerGatewayResponse(S
         response.setRemoved(result.getRemoved());
         response.setIkeVersion(result.getIkeVersion());
         response.setSplitConnections(result.getSplitConnections());
+
+        Set<String> obsoleteParameters = site2SiteVpnManager.getObsoleteVpnGatewayParameters(result);
+        if (CollectionUtils.isNotEmpty(obsoleteParameters)) {
+            response.setContainsObsoleteParameters(obsoleteParameters.toString());
+        }
+        Set<String> excludedParameters = site2SiteVpnManager.getExcludedVpnGatewayParameters(result);
+        if (CollectionUtils.isNotEmpty(excludedParameters)) {
+            response.setContainsExcludedParameters(excludedParameters.toString());
+        }
+
         response.setObjectName("vpncustomergateway");
         response.setHasAnnotation(annotationDao.hasAnnotations(result.getUuid(), AnnotationService.EntityType.VPN_CUSTOMER_GATEWAY.name(),
                 _accountMgr.isRootAdmin(CallContext.current().getCallingAccount().getId())));

server/src/main/java/com/cloud/network/vpn/Site2SiteVpnManager.java

@@ -17,11 +17,17 @@
 package com.cloud.network.vpn;
 
 import java.util.List;
+import java.util.Set;
 
+import com.cloud.network.Site2SiteCustomerGateway;
 import com.cloud.network.dao.Site2SiteVpnConnectionVO;
 import com.cloud.vm.DomainRouterVO;
 
 public interface Site2SiteVpnManager extends Site2SiteVpnService {
+    Set<String> getExcludedVpnGatewayParameters(Site2SiteCustomerGateway customerGw);
+
+    Set<String> getObsoleteVpnGatewayParameters(Site2SiteCustomerGateway customerGw);
+
     boolean cleanupVpnConnectionByVpc(long vpcId);
 
     boolean cleanupVpnGatewayByVpc(long vpcId);