fixup

vishesh92 · vishesh92 · commit ba00a5d7d9ff · 2026-02-26T17:30:41.000+05:30
diff --git a/framework/kms/src/main/java/org/apache/cloudstack/framework/kms/KMSProvider.java b/framework/kms/src/main/java/org/apache/cloudstack/framework/kms/KMSProvider.java
@@ -103,6 +103,18 @@ default String createKek(KeyPurpose purpose, String label, int keyBits) throws K
      */
     void deleteKek(String kekId) throws KMSException;
 
+    /**
+     * Validates the configuration details for this provider before saving an HSM
+     * profile.
+     * Implementations should override this to perform provider-specific validation.
+     *
+     * @param details the configuration details to validate
+     * @throws KMSException if validation fails
+     */
+    default void validateProfileConfig(java.util.Map<String, String> details) throws KMSException {
+        // default no-op
+    }
+
     /**
      * Check if a KEK exists and is accessible
      *
diff --git a/plugins/kms/pkcs11/src/main/java/org/apache/cloudstack/kms/provider/pkcs11/PKCS11HSMProvider.java b/plugins/kms/pkcs11/src/main/java/org/apache/cloudstack/kms/provider/pkcs11/PKCS11HSMProvider.java
@@ -296,69 +296,70 @@ Map<String, String> loadProfileConfig(Long profileId) {
     /**
      * Validates HSM profile configuration for PKCS#11 provider.
      *
-     * <p>Validates:
+     * <p>
+     * Validates:
      * <ul>
-     *   <li>{@code library}: Required, should point to PKCS#11 library</li>
-     *   <li>{@code slot} or {@code token_label}: At least one required</li>
-     *   <li>{@code pin}: Required for HSM authentication</li>
-     *   <li>{@code max_sessions}: Optional, must be positive integer if provided</li>
+     * <li>{@code library}: Required, should point to PKCS#11 library</li>
+     * <li>{@code slot}, {@code slot_list_index}, or {@code token_label}: At least
+     * one required</li>
+     * <li>{@code pin}: Required for HSM authentication</li>
+     * <li>{@code max_sessions}: Optional, must be positive integer if provided</li>
      * </ul>
      *
      * @param config Configuration map from HSM profile details
      * @throws KMSException with {@code INVALID_PARAMETER} if validation fails
      */
-    void validateProfileConfig(Map<String, String> config) throws KMSException {
+    @Override
+    public void validateProfileConfig(Map<String, String> config) throws KMSException {
         String libraryPath = config.get("library");
-        if (StringUtils.isEmpty(libraryPath)) {
+        if (StringUtils.isBlank(libraryPath)) {
             throw KMSException.invalidParameter("library is required for PKCS#11 HSM profile");
         }
 
         String slot = config.get("slot");
+        String slotListIndex = config.get("slot_list_index");
         String tokenLabel = config.get("token_label");
-        if (StringUtils.isEmpty(slot) && StringUtils.isEmpty(tokenLabel)) {
-            throw KMSException.invalidParameter("Either 'slot' or 'token_label' is required for PKCS#11 HSM profile");
+        if (StringUtils.isAllBlank(slot, slotListIndex, tokenLabel)) {
+            throw KMSException.invalidParameter(
+                    "One of 'slot', 'slot_list_index', or 'token_label' is required for PKCS#11 HSM profile");
         }
 
-        if (!StringUtils.isEmpty(slot)) {
+        if (StringUtils.isNotBlank(slot)) {
             try {
                 Integer.parseInt(slot);
             } catch (NumberFormatException e) {
                 throw KMSException.invalidParameter("slot must be a valid integer: " + slot);
             }
         }
 
+        if (StringUtils.isNotBlank(slotListIndex)) {
+            try {
+                int idx = Integer.parseInt(slotListIndex);
+                if (idx < 0) {
+                    throw KMSException.invalidParameter("slot_list_index must be a non-negative integer");
+                }
+            } catch (NumberFormatException e) {
+                throw KMSException.invalidParameter("slot_list_index must be a valid integer: " + slotListIndex);
+            }
+        }
+
         File libraryFile = new File(libraryPath);
         if (!libraryFile.exists() && !libraryFile.isAbsolute()) {
             // The HSM library might be in the system library path
             logger.debug("Library path {} does not exist as absolute path, will rely on system library path",
                     libraryPath);
         }
 
-        parsePositiveInteger(config, "max_sessions", "max_sessions");
-    }
-
-    /**
-     * Parses a positive integer from configuration.
-     *
-     * @param config      Configuration map
-     * @param key         Configuration key
-     * @param errorPrefix Prefix for error messages
-     * @return Parsed integer value, or -1 if not provided
-     * @throws KMSException if value is invalid or not positive
-     */
-    private int parsePositiveInteger(Map<String, String> config, String key, String errorPrefix) throws KMSException {
-        String value = config.get(key);
-        if (StringUtils.isEmpty(value)) {
-            return -1; // Not provided
-        }
-        try {
-            int parsed = Integer.parseInt(value);
-            if (parsed <= 0) {
-                throw KMSException.invalidParameter(errorPrefix + " must be greater than 0");
+        String max_sessions = config.get("max_sessions");
+        if (StringUtils.isNotBlank(max_sessions)) {
+            try {
+                int idx = Integer.parseInt(max_sessions);
+                if (idx <= 0) {
+                    throw KMSException.invalidParameter("max_sessions must be greater than 0");
+                }
+            } catch (NumberFormatException e) {
+                throw KMSException.invalidParameter("max_sessions must be a valid integer: " + max_sessions);
             }
-            return parsed;
-        } catch (NumberFormatException e) {
-            throw KMSException.invalidParameter(errorPrefix + " must be a valid integer: " + value);
         }
     }
 
@@ -615,7 +616,7 @@ private void connect(Map<String, String> config) throws KMSException {
          */
         private String buildSunPKCS11Config(Map<String, String> config, String nameSuffix) throws KMSException {
             String libraryPath = config.get("library");
-            if (StringUtils.isEmpty(libraryPath)) {
+            if (StringUtils.isBlank(libraryPath)) {
                 throw KMSException.invalidParameter("library is required");
             }
 
@@ -627,14 +628,17 @@ private String buildSunPKCS11Config(Map<String, String> config, String nameSuffi
             configBuilder.append("library=").append(libraryPath).append("\n");
 
             String tokenLabel = config.get("token_label");
+            String slotListIndex = config.get("slot_list_index");
             String slot = config.get("slot");
 
-            if (!StringUtils.isEmpty(tokenLabel)) {
+            if (StringUtils.isNotBlank(tokenLabel)) {
                 configBuilder.append("tokenLabel=").append(tokenLabel).append("\n");
-            } else if (!StringUtils.isEmpty(slot)) {
+            } else if (StringUtils.isNotBlank(slotListIndex)) {
+                configBuilder.append("slotListIndex=").append(slotListIndex).append("\n");
+            } else if (StringUtils.isNotBlank(slot)) {
                 configBuilder.append("slot=").append(slot).append("\n");
             } else {
-                throw KMSException.invalidParameter("Either 'slot' or 'token_label' is required");
+                throw KMSException.invalidParameter("One of 'slot', 'slot_list_index', or 'token_label' is required");
             }
 
             return configBuilder.toString();
diff --git a/server/src/main/java/org/apache/cloudstack/kms/KMSManagerImpl.java b/server/src/main/java/org/apache/cloudstack/kms/KMSManagerImpl.java
@@ -969,12 +969,16 @@ public HSMProfile addHSMProfile(AddHSMProfileCmd cmd) throws KMSException {
             throw new InvalidParameterValueException("Protocol cannot be empty");
         }
 
+        KMSProvider provider;
         try {
-            getKMSProvider(protocol);
+            provider = getKMSProvider(protocol);
         } catch (CloudRuntimeException e) {
             throw new InvalidParameterValueException("No provider found for protocol: " + protocol);
         }
 
+        Map<String, String> details = cmd.getDetails() != null ? cmd.getDetails() : new HashMap<>();
+        provider.validateProfileConfig(details);
+
         boolean isSystem = cmd.isSystem();
         if (isSystem && !accountManager.isRootAdmin(caller.getId())) {
             throw new PermissionDeniedException("Only root admins can create system HSM profiles");
