Api keypair restructure

api/src/main/java/com/cloud/event/EventTypes.java

@@ -284,8 +284,9 @@ public class EventTypes {
     //registering userdata events
     public static final String EVENT_REGISTER_USER_DATA = "REGISTER.USER.DATA";
 
-    //register for user API and secret keys
+    // User API and secret keys
     public static final String EVENT_REGISTER_FOR_SECRET_API_KEY = "REGISTER.USER.KEY";
+    public static final String EVENT_DELETE_SECRET_API_KEY = "DELETE.USER.KEY";
 
     // Template Events
     public static final String EVENT_TEMPLATE_CREATE = "TEMPLATE.CREATE";

api/src/main/java/com/cloud/user/AccountService.java

@@ -22,8 +22,10 @@
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPair;
 import org.apache.cloudstack.api.command.admin.account.CreateAccountCmd;
 import org.apache.cloudstack.api.command.admin.user.GetUserKeysCmd;
+import org.apache.cloudstack.api.command.admin.user.ListUserKeysCmd;
 import org.apache.cloudstack.api.command.admin.user.RegisterCmd;
 import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
 
@@ -34,6 +36,8 @@
 import com.cloud.offering.DiskOffering;
 import com.cloud.offering.NetworkOffering;
 import com.cloud.offering.ServiceOffering;
+import org.apache.cloudstack.api.response.ApiKeyPairResponse;
+import org.apache.cloudstack.api.response.ListResponse;
 import org.apache.cloudstack.auth.UserTwoFactorAuthenticator;
 
 public interface AccountService {
@@ -92,7 +96,7 @@ User createUser(String userName, String password, String firstName, String lastN
 
     void markUserRegistered(long userId);
 
-    public String[] createApiKeyAndSecretKey(RegisterCmd cmd);
+    public ApiKeyPair createApiKeyAndSecretKey(RegisterCmd cmd);
 
     public String[] createApiKeyAndSecretKey(final long userId);
 
@@ -125,9 +129,9 @@ User createUser(String userName, String password, String firstName, String lastN
      */
     UserAccount getUserAccountById(Long userId);
 
-    public Map<String, String> getKeys(GetUserKeysCmd cmd);
+    Map<String, String> getKeys(GetUserKeysCmd cmd);
 
-    public Map<String, String> getKeys(Long userId);
+    ListResponse<ApiKeyPairResponse> getKeys(ListUserKeysCmd cmd);
 
     /**
      * Lists user two-factor authentication provider plugins
@@ -142,4 +146,8 @@ User createUser(String userName, String password, String firstName, String lastN
      */
     UserTwoFactorAuthenticator getUserTwoFactorAuthenticationProvider(final Long domainId);
 
+    ApiKeyPair getLatestUserKeyPair(Long userId);
+
+    ApiKeyPair getKeyPairById(Long id);
+
 }

api/src/main/java/com/cloud/user/User.java

@@ -65,14 +65,6 @@ public enum Source {
 
     public void setState(Account.State state);
 
-    public String getApiKey();
-
-    public void setApiKey(String apiKey);
-
-    public String getSecretKey();
-
-    public void setSecretKey(String secretKey);
-
     public String getTimezone();
 
     public void setTimezone(String timezone);

api/src/main/java/com/cloud/user/UserAccount.java

@@ -39,10 +39,6 @@ public interface UserAccount extends InternalIdentity {
 
     String getState();
 
-    String getApiKey();
-
-    String getSecretKey();
-
     Date getCreated();
 
     Date getRemoved();

api/src/main/java/org/apache/cloudstack/acl/APIChecker.java

@@ -20,6 +20,7 @@
 import com.cloud.user.Account;
 import com.cloud.user.User;
 import com.cloud.utils.component.Adapter;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairPermission;
 
 import java.util.List;
 
@@ -31,8 +32,9 @@ public interface APIChecker extends Adapter {
     // If true, apiChecker has checked the operation
     // If false, apiChecker is unable to handle the operation or not implemented
     // On exception, checkAccess failed don't allow
-    boolean checkAccess(User user, String apiCommandName) throws PermissionDeniedException;
-    boolean checkAccess(Account account, String apiCommandName) throws PermissionDeniedException;
+    boolean checkAccess(User user, String apiCommandName, ApiKeyPairPermission... apiKeyPairPermissions) throws PermissionDeniedException;
+    boolean checkAccess(Account account, String apiCommandName, ApiKeyPairPermission... apiKeyPairPermissions) throws PermissionDeniedException;
+
     /**
      * Verifies if the account has permission for the given list of APIs and returns only the allowed ones.
      *

api/src/main/java/org/apache/cloudstack/acl/RoleService.java

@@ -96,4 +96,6 @@ public interface RoleService {
     List<RolePermission> findAllPermissionsBy(Long roleId);
 
     Permission getRolePermission(String permission);
+
+    int removeRolesIfNeeded(List<? extends Role> roles);
 }

api/src/main/java/org/apache/cloudstack/acl/apikeypair/ApiKeyPair.java

@@ -0,0 +1,36 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.apikeypair;
+
+import org.apache.cloudstack.acl.ControlledEntity;
+import org.apache.cloudstack.api.Identity;
+import org.apache.cloudstack.api.InternalIdentity;
+
+import java.util.Date;
+
+public interface ApiKeyPair extends ControlledEntity, InternalIdentity, Identity {
+    Long getUserId();
+    Date getStartDate();
+    Date getEndDate();
+    Date getCreated();
+    String getDescription();
+    String getApiKey();
+    String getSecretKey();
+    String getName();
+    Date getRemoved();
+    boolean validateDate(boolean throwException);
+}

api/src/main/java/org/apache/cloudstack/acl/apikeypair/ApiKeyPairPermission.java

@@ -0,0 +1,23 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.apikeypair;
+
+import org.apache.cloudstack.acl.RolePermissionEntity;
+
+public interface ApiKeyPairPermission extends RolePermissionEntity {
+    long getApiKeyPairId();
+}

api/src/main/java/org/apache/cloudstack/acl/apikeypair/ApiKeyPairService.java

@@ -0,0 +1,31 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.apikeypair;
+
+import java.util.List;
+
+public interface ApiKeyPairService {
+    List<ApiKeyPairPermission> findAllPermissionsByKeyPairId(Long apiKeyPairId);
+
+    ApiKeyPair findByApiKey(String apiKey);
+
+    ApiKeyPair findById(Long id);
+
+    void deleteApiKey(ApiKeyPair id);
+
+    void validateCallingUserHasAccessToDesiredUser(Long userId);
+}

api/src/main/java/org/apache/cloudstack/api/ApiConstants.java

@@ -288,6 +288,7 @@ public class ApiConstants {
     public static final String KEEPALIVE_ENABLED = "keepaliveenabled";
     public static final String KERNEL_VERSION = "kernelversion";
     public static final String KEY = "key";
+    public static final String KEYPAIR_ID = "keypairid";
     public static final String LABEL = "label";
     public static final String LASTNAME = "lastname";
     public static final String LAST_BOOT = "lastboottime";

api/src/main/java/org/apache/cloudstack/api/BaseCmd.java

@@ -34,6 +34,7 @@
 import org.apache.cloudstack.acl.ProjectRoleService;
 import org.apache.cloudstack.acl.RoleService;
 import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairService;
 import org.apache.cloudstack.affinity.AffinityGroupService;
 import org.apache.cloudstack.alert.AlertService;
 import org.apache.cloudstack.annotation.AnnotationService;
@@ -217,6 +218,8 @@ public static enum CommandType {
     public VnfTemplateManager vnfTemplateManager;
     @Inject
     public BucketApiService _bucketService;
+    @Inject
+    public ApiKeyPairService apiKeyPairService;
 
 
     public abstract void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException, ConcurrentOperationException,

api/src/main/java/org/apache/cloudstack/api/ResponseGenerator.java

@@ -22,6 +22,10 @@
 import java.util.Map;
 import java.util.Set;
 
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPair;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairPermission;
+import org.apache.cloudstack.api.response.ApiKeyPairResponse;
+import org.apache.cloudstack.api.response.BaseRolePermissionResponse;
 import org.apache.cloudstack.storage.object.Bucket;
 import org.apache.cloudstack.affinity.AffinityGroup;
 import org.apache.cloudstack.affinity.AffinityGroupResponse;
@@ -549,4 +553,9 @@ List<TemplateResponse> createTemplateResponses(ResponseView view, VirtualMachine
     ObjectStoreResponse createObjectStoreResponse(ObjectStore os);
 
     BucketResponse createBucketResponse(Bucket bucket);
+
+    ApiKeyPairResponse createKeyPairResponse(ApiKeyPair keyPair);
+
+    ListResponse<BaseRolePermissionResponse> createKeypairPermissionsResponse(List<ApiKeyPairPermission> permissions);
+
 }

api/src/main/java/org/apache/cloudstack/api/command/admin/user/DeleteUserKeysCmd.java

@@ -0,0 +1,86 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command.admin.user;
+
+import com.cloud.event.EventTypes;
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.user.Account;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPair;
+import org.apache.cloudstack.api.ACL;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiCommandResourceType;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseAsyncCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.response.ApiKeyPairResponse;
+import org.apache.cloudstack.api.response.SuccessResponse;
+
+@APICommand(name = "deleteUserKeys", description = "Deletes a keypair from a user", responseObject = SuccessResponse.class,
+        since = "4.20.0", requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
+public class DeleteUserKeysCmd extends BaseAsyncCmd {
+
+    @ACL
+    @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = ApiKeyPairResponse.class, required = true, description = "ID of the keypair to be deleted.")
+    private Long id;
+
+    @Override
+    public ApiCommandResourceType getApiResourceType() {
+        return ApiCommandResourceType.User;
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        ApiKeyPair keyPair = apiKeyPairService.findById(id);
+        if (keyPair != null) {
+            return keyPair.getAccountId();
+        }
+        return Account.ACCOUNT_ID_SYSTEM;
+    }
+
+    private Long getId() {
+        return id;
+    }
+
+    @Override
+    public void execute() {
+        ApiKeyPair keyPair = apiKeyPairService.findById(getId());
+        if (keyPair == null) {
+            throw new InvalidParameterValueException(String.format("No keypair found with the id [%s].", getId()));
+        }
+        apiKeyPairService.validateCallingUserHasAccessToDesiredUser(keyPair.getUserId());
+
+        apiKeyPairService.deleteApiKey(keyPair);
+
+        SuccessResponse response = new SuccessResponse(getCommandName());
+        this.setResponseObject(response);
+    }
+
+    @Override
+    public String getEventType() {
+        return EventTypes.EVENT_DELETE_SECRET_API_KEY;
+    }
+
+    @Override
+    public String getEventDescription() {
+        return ("Deleting API keypair " + id);
+    }
+
+    @Override
+    public Long getSyncObjId() {
+        return getId();
+    }
+}