fixup

Author: vishesh92

engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql

@@ -80,6 +80,10 @@ CREATE TABLE IF NOT EXISTS `cloud`.`kms_hsm_profiles` (
     CONSTRAINT `fk_kms_hsm_profiles__zone_id` FOREIGN KEY (`zone_id`) REFERENCES `data_center`(`id`) ON DELETE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COMMENT='HSM profiles for KMS providers';
 
+-- Add default database HSM profile (disabled by default)
+INSERT INTO `cloud`.`kms_hsm_profiles` (`uuid`, `name`, `protocol`, `account_id`, `domain_id`, `enabled`, `system`, `created`)
+VALUES (UUID(), 'default', 'database', 1, 1, 0, 1, NOW());
+
 -- KMS HSM Profile Details (Protocol-specific configuration)
 CREATE TABLE IF NOT EXISTS `cloud`.`kms_hsm_profile_details` (
     `id` BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,

framework/kms/src/main/java/org/apache/cloudstack/framework/kms/KMSProvider.java

@@ -103,6 +103,18 @@ default String createKek(KeyPurpose purpose, String label, int keyBits) throws K
      */
     void deleteKek(String kekId) throws KMSException;
 
+    /**
+     * Validates the configuration details for this provider before saving an HSM
+     * profile.
+     * Implementations should override this to perform provider-specific validation.
+     *
+     * @param details the configuration details to validate
+     * @throws KMSException if validation fails
+     */
+    default void validateProfileConfig(java.util.Map<String, String> details) throws KMSException {
+        // default no-op
+    }
+
     /**
      * Check if a KEK exists and is accessible
      *

plugins/kms/pkcs11/src/main/java/org/apache/cloudstack/kms/provider/pkcs11/PKCS11HSMProvider.java

@@ -296,69 +296,70 @@ Map<String, String> loadProfileConfig(Long profileId) {
     /**
      * Validates HSM profile configuration for PKCS#11 provider.
      *
-     * <p>Validates:
+     * <p>
+     * Validates:
      * <ul>
-     *   <li>{@code library}: Required, should point to PKCS#11 library</li>
-     *   <li>{@code slot} or {@code token_label}: At least one required</li>
-     *   <li>{@code pin}: Required for HSM authentication</li>
-     *   <li>{@code max_sessions}: Optional, must be positive integer if provided</li>
+     * <li>{@code library}: Required, should point to PKCS#11 library</li>
+     * <li>{@code slot}, {@code slot_list_index}, or {@code token_label}: At least
+     * one required</li>
+     * <li>{@code pin}: Required for HSM authentication</li>
+     * <li>{@code max_sessions}: Optional, must be positive integer if provided</li>
      * </ul>
      *
      * @param config Configuration map from HSM profile details
      * @throws KMSException with {@code INVALID_PARAMETER} if validation fails
      */
-    void validateProfileConfig(Map<String, String> config) throws KMSException {
+    @Override
+    public void validateProfileConfig(Map<String, String> config) throws KMSException {
         String libraryPath = config.get("library");
-        if (StringUtils.isEmpty(libraryPath)) {
+        if (StringUtils.isBlank(libraryPath)) {
             throw KMSException.invalidParameter("library is required for PKCS#11 HSM profile");
         }
 
         String slot = config.get("slot");
+        String slotListIndex = config.get("slot_list_index");
         String tokenLabel = config.get("token_label");
-        if (StringUtils.isEmpty(slot) && StringUtils.isEmpty(tokenLabel)) {
-            throw KMSException.invalidParameter("Either 'slot' or 'token_label' is required for PKCS#11 HSM profile");
+        if (StringUtils.isAllBlank(slot, slotListIndex, tokenLabel)) {
+            throw KMSException.invalidParameter(
+                    "One of 'slot', 'slot_list_index', or 'token_label' is required for PKCS#11 HSM profile");
         }
 
-        if (!StringUtils.isEmpty(slot)) {
+        if (StringUtils.isNotBlank(slot)) {
             try {
                 Integer.parseInt(slot);
             } catch (NumberFormatException e) {
                 throw KMSException.invalidParameter("slot must be a valid integer: " + slot);
             }
         }
 
+        if (StringUtils.isNotBlank(slotListIndex)) {
+            try {
+                int idx = Integer.parseInt(slotListIndex);
+                if (idx < 0) {
+                    throw KMSException.invalidParameter("slot_list_index must be a non-negative integer");
+                }
+            } catch (NumberFormatException e) {
+                throw KMSException.invalidParameter("slot_list_index must be a valid integer: " + slotListIndex);
+            }
+        }
+
         File libraryFile = new File(libraryPath);
         if (!libraryFile.exists() && !libraryFile.isAbsolute()) {
             // The HSM library might be in the system library path
             logger.debug("Library path {} does not exist as absolute path, will rely on system library path",
                     libraryPath);
         }
 
-        parsePositiveInteger(config, "max_sessions", "max_sessions");
-    }
-
-    /**
-     * Parses a positive integer from configuration.
-     *
-     * @param config      Configuration map
-     * @param key         Configuration key
-     * @param errorPrefix Prefix for error messages
-     * @return Parsed integer value, or -1 if not provided
-     * @throws KMSException if value is invalid or not positive
-     */
-    private int parsePositiveInteger(Map<String, String> config, String key, String errorPrefix) throws KMSException {
-        String value = config.get(key);
-        if (StringUtils.isEmpty(value)) {
-            return -1; // Not provided
-        }
-        try {
-            int parsed = Integer.parseInt(value);
-            if (parsed <= 0) {
-                throw KMSException.invalidParameter(errorPrefix + " must be greater than 0");
+        String max_sessions = config.get("max_sessions");
+        if (StringUtils.isNotBlank(max_sessions)) {
+            try {
+                int idx = Integer.parseInt(max_sessions);
+                if (idx <= 0) {
+                    throw KMSException.invalidParameter("max_sessions must be greater than 0");
+                }
+            } catch (NumberFormatException e) {
+                throw KMSException.invalidParameter("max_sessions must be a valid integer: " + max_sessions);
             }
-            return parsed;
-        } catch (NumberFormatException e) {
-            throw KMSException.invalidParameter(errorPrefix + " must be a valid integer: " + value);
         }
     }
 
@@ -615,7 +616,7 @@ private void connect(Map<String, String> config) throws KMSException {
          */
         private String buildSunPKCS11Config(Map<String, String> config, String nameSuffix) throws KMSException {
             String libraryPath = config.get("library");
-            if (StringUtils.isEmpty(libraryPath)) {
+            if (StringUtils.isBlank(libraryPath)) {
                 throw KMSException.invalidParameter("library is required");
             }
 
@@ -627,14 +628,17 @@ private String buildSunPKCS11Config(Map<String, String> config, String nameSuffi
             configBuilder.append("library=").append(libraryPath).append("\n");
 
             String tokenLabel = config.get("token_label");
+            String slotListIndex = config.get("slot_list_index");
             String slot = config.get("slot");
 
-            if (!StringUtils.isEmpty(tokenLabel)) {
+            if (StringUtils.isNotBlank(tokenLabel)) {
                 configBuilder.append("tokenLabel=").append(tokenLabel).append("\n");
-            } else if (!StringUtils.isEmpty(slot)) {
+            } else if (StringUtils.isNotBlank(slotListIndex)) {
+                configBuilder.append("slotListIndex=").append(slotListIndex).append("\n");
+            } else if (StringUtils.isNotBlank(slot)) {
                 configBuilder.append("slot=").append(slot).append("\n");
             } else {
-                throw KMSException.invalidParameter("Either 'slot' or 'token_label' is required");
+                throw KMSException.invalidParameter("One of 'slot', 'slot_list_index', or 'token_label' is required");
             }
 
             return configBuilder.toString();

server/src/main/java/org/apache/cloudstack/kms/KMSManagerImpl.java

@@ -969,12 +969,16 @@ public HSMProfile addHSMProfile(AddHSMProfileCmd cmd) throws KMSException {
             throw new InvalidParameterValueException("Protocol cannot be empty");
         }
 
+        KMSProvider provider;
         try {
-            getKMSProvider(protocol);
+            provider = getKMSProvider(protocol);
         } catch (CloudRuntimeException e) {
             throw new InvalidParameterValueException("No provider found for protocol: " + protocol);
         }
 
+        Map<String, String> details = cmd.getDetails() != null ? cmd.getDetails() : new HashMap<>();
+        provider.validateProfileConfig(details);
+
         boolean isSystem = cmd.isSystem();
         if (isSystem && !accountManager.isRootAdmin(caller.getId())) {
             throw new PermissionDeniedException("Only root admins can create system HSM profiles");

ui/src/config/section/kms.js

@@ -22,6 +22,9 @@ export default {
   name: 'kms',
   title: 'label.kms',
   icon: 'hdd-outlined',
+  show: (record, store) => {
+    return ['Admin'].includes(store.getters.userInfo.roletype) || store.getters.features.hashsmprofiles
+  },
   children: [
     {
       name: 'kmskey',
@@ -157,6 +160,7 @@ export default {
       title: 'label.hsm.profile',
       icon: 'safety-outlined',
       permission: ['listHSMProfiles'],
+      show: (record, route, user) => { return ['Admin'].includes(user.roletype) },
       resourceType: 'HSMProfile',
       columns: () => {
         const fields = ['name', 'enabled']

ui/src/store/modules/user.js

@@ -480,6 +480,16 @@ const user = {
           commit('SET_CLOUDIAN', cloudian)
         }).catch(ignored => {
         })
+
+        if ('listHSMProfiles' in store.getters.apis) {
+          getAPI('listHSMProfiles', { listall: true }).then(response => {
+            const hasHsmProfiles = (response.listhsmprofilesresponse.count > 0)
+            const features = Object.assign({}, store.getters.features)
+            features.hashsmprofiles = hasHsmProfiles
+            commit('SET_FEATURES', features)
+          }).catch(ignored => {
+          })
+        }
       }).catch(error => {
         console.error(error)
       })

ui/src/views/compute/DeployVM.vue

@@ -2030,9 +2030,14 @@ export default {
         domainid: this.owner.domainid,
         projectid: this.owner.projectid
       }).then(response => {
-        this.options.kmsKeys = response.listkmskeysresponse.kmskey || []
-      }).catch(error => {
-        this.$notifyError(error)
+        const kmskeyMap = response.listkmskeysresponse.kmskey || []
+        if (kmskeyMap.length > 0) {
+          this.options.kmsKeys = kmskeyMap
+        } else {
+          this.options.kmsKeys = null
+        }
+      }).catch(() => {
+        this.options.kmsKeys = null
       }).finally(() => {
         this.loading.kmsKeys = false
       })

ui/src/views/compute/wizard/DiskSizeSelection.vue

@@ -131,6 +131,9 @@ export default {
       return this.rootDiskSelected?.iscustomizediops || false
     },
     showKmsKeySelector () {
+      if (this.kmsKeys === null) {
+        return false
+      }
       const isRootDisk = this.inputDecorator === 'rootdisksize'
       const isDataDisk = this.inputDecorator === 'size'
 

ui/src/views/storage/CreateVolume.vue

@@ -116,7 +116,7 @@
             :placeholder="apiParams.maxiops.description"/>
         </a-form-item>
       </span>
-      <span v-if="diskOfferingSupportsEncryption">
+      <span v-if="diskOfferingSupportsEncryption && kmsKeys !== null">
         <a-form-item ref="kmskeyid" name="kmskeyid">
           <template #label>
             <tooltip-label :title="$t('label.kms.key')" :tooltip="apiParams.kmskeyid.description"/>
@@ -529,9 +529,14 @@ export default {
         purpose: 'volume'
       }
       getAPI('listKMSKeys', params).then(response => {
-        this.kmsKeys = response.listkmskeysresponse.kmskey || []
-      }).catch(error => {
-        this.$notifyError(error)
+        const kmskeyMap = response.listkmskeysresponse.kmskey || []
+        if (kmskeyMap.length > 0) {
+          this.kmsKeys = kmskeyMap
+        } else {
+          this.kmsKeys = null
+        }
+      }).catch(() => {
+        this.kmsKeys = null
       }).finally(() => {
         this.loadingKmsKeys = false
       })