<feature>[keyprovider]: Add key provider canonical events #4214

Open

ZStack-Robot wants to merge 1 commit into feature-zsv-5.1.0-encryption from sync/zstackio/codex/keyprovider-events-alarms@@2

Conversation

@ZStack-Robot

Collaborator

Add key provider canonical events and emit host/key-provider abnormal
events when encrypted volume secret preparation, envelope generation, or
libvirt secret operations fail.

Resolves: ZSV-237
Change-Id: I77716165756971736379216977626b6f6f65656b

sync from gitlab !10128

@coderabbitai

coderabbitai Bot commented Jun 10, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: d590ae7a-c544-4912-b494-3cc0924fd1ce

📥 Commits

Reviewing files that changed from the base of the PR and between 400d23a and 8915cd4.

📒 Files selected for processing (2)
  • conf/db/zsv/V5.1.0__schema.sql
  • header/src/main/java/org/zstack/header/keyprovider/KeyProviderCanonicalEvents.java

Walkthrough

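This PR introduces the canonical-event infrastructure for key provider connection failures and integrates event firing into multiple code paths of LUKS key materialization and DEK handling, in order to report key provider unavailability or connection abnormalities.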

Changes

Key Provider Connection Failure Event Reporting

| Layer / File(s) | Summary |
|---|---|
| Event contract definition (header/src/main/java/org/zstack/header/keyprovider/KeyProviderCanonicalEvents.java) | Defines four event path constants and four event payload DTOs (KeyProviderServiceUnavailableData, KeyProviderServiceRecoveredData, KeyProviderCertificateExpiringData, HostKeyProviderConnectionAbnormalData) annotated with @NeedJsonSchema, each containing related status/identity fields and complete getter/setter methods for JSON serialization. |
| EventFacade injection and helper methods (storage/src/main/java/org/zstack/storage/encrypt/VolumeEncryptedSecretHelper.java) | Imports EventFacade and KeyProviderCanonicalEvents, autowires EventFacade field, and adds two private helper method overloads to construct and fire HostKeyProviderConnectionAbnormalData events and extract readable failure reasons from OperationFailureException. |
| DEK and secret materialization error handling (storage/src/main/java/org/zstack/storage/encrypt/VolumeEncryptedSecretHelper.java) | Wraps DEK materialization and envelope-DEK sealing in try/catch blocks; on IllegalArgumentException, OperationFailureException, or generic Exception, constructs OperationFailureException, fires connection abnormal event with keyProviderUuid and failure reason, then rethrows. Adds new public method overload prepareLuksEnvelopeDekOnHost(hostUuid, resourceUuid, keyProviderUuid, dekBase64). |
| Secret resolution and volume migration error handling (storage/src/main/java/org/zstack/storage/encrypt/VolumeEncryptedSecretHelper.java) | Adds exception handling around getSecretOnHost calls in defineSecretFromBinding, resolveOrDefineSecretForVolume, and resolveOrDefineSecretForVolumeMigration; on OperationFailureException, fires connection abnormal event with host and key provider identifiers before rethrowing. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

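🐰 The new event architecture is live,
Key provider connections are not at ease,
Four data classes take the field together,
DEK materialization errors bring no fear,
Caught layer by layer, the events ring loud and clear!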

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 1.75% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title '[feature][keyprovider]: Add key provider canonical events' accurately reflects the main change, which is adding a new KeyProviderCanonicalEvents class with event-related constants and data structures. |
| Description check | ✅ Passed | The description directly relates to the changeset, explaining the addition of key provider canonical events and the emission of abnormal events when encrypted volume operations fail. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
storage/src/main/java/org/zstack/storage/encrypt/VolumeEncryptedSecretHelper.java (1)

271-293: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

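The materializeDek call lacks abnormal-event reporting

In this method, the call to materializeDek(volumeUuid, kpUuid) on line 284 is not wrapped in a try-catch, so the HOST_KEY_PROVIDER_CONNECTION_ABNORMAL event is not fired when materializeDek fails.

This is inconsistent with prepareLuksSecretMaterialFileOnHost (lines 147-160), which catches exceptions from materializeDek and reports an event.

🔧 Suggested fix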
 public String prepareLuksEnvelopeDekOnHost(String hostUuid, String volumeUuid) {
     if (StringUtils.isBlank(hostUuid) || StringUtils.isBlank(volumeUuid)) {
         throw new OperationFailureException(operr(
                 "prepare LUKS envelope DEK requires non-blank hostUuid and volumeUuid"));
     }

     String kpUuid = volumeEncryptedResourceKeyBackend.findKeyProviderUuidByVolume(volumeUuid);
     if (StringUtils.isBlank(kpUuid)) {
         throw new OperationFailureException(operr(
                 "volume[uuid:%s] requires LUKS secret material but has no key provider binding",
                 volumeUuid));
     }

-    EncryptedResourceKeyManager.ResourceKeyResult keyResult = materializeDek(volumeUuid, kpUuid);
-    String dekBase64 = keyResult.getDekBase64();
-    if (StringUtils.isBlank(dekBase64)) {
-        throw new OperationFailureException(operr(
-                "encrypted volume[uuid:%s]: key manager returned empty DEK for LUKS envelope",
-                volumeUuid));
+    String dekBase64;
+    try {
+        EncryptedResourceKeyManager.ResourceKeyResult keyResult = materializeDek(volumeUuid, kpUuid);
+        dekBase64 = keyResult.getDekBase64();
+        if (StringUtils.isBlank(dekBase64)) {
+            throw new OperationFailureException(operr(
+                    "encrypted volume[uuid:%s]: key manager returned empty DEK for LUKS envelope",
+                    volumeUuid));
+        }
+    } catch (OperationFailureException e) {
+        fireHostKeyProviderConnectionAbnormal(hostUuid, kpUuid, failureReason(e));
+        throw e;
     }

-    return prepareLuksEnvelopeDekOnHost(hostUuid, volumeUuid, dekBase64);
+    return prepareLuksEnvelopeDekOnHost(hostUuid, volumeUuid, kpUuid, dekBase64);
 }
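
Review bot: The catch (OperationFailureException e) clause around materializeDek is narrower than the handling the walkthrough describes for the other DEK paths (IllegalArgumentException, OperationFailureException, or generic Exception), so a runtime exception from materializeDek, or a NullPointerException from keyResult.getDekBase64() when the result is null, would skip fireHostKeyProviderConnectionAbnormal. Catch the same exception set here and wrap it in an OperationFailureException before rethrowing, and confirm that failureReason(e) can never carry DEK material into the event payload.
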
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@storage/src/main/java/org/zstack/storage/encrypt/VolumeEncryptedSecretHelper.java`
around lines 271 - 293, The call to materializeDek(volumeUuid, kpUuid) inside
prepareLuksEnvelopeDekOnHost(String hostUuid, String volumeUuid) must be wrapped
in a try-catch that mirrors prepareLuksSecretMaterialFileOnHost: catch the
exception from materializeDek, publish/emit the
HOST_KEY_PROVIDER_CONNECTION_ABNORMAL event (including hostUuid and
kpUuid/volumeUuid context) so the failure is reported, and then rethrow or
convert the exception to the existing OperationFailureException path; ensure the
catch targets the same exception types and uses the same event payload/utility
used by prepareLuksSecretMaterialFileOnHost to keep behavior consistent.
🧹 Nitpick comments (2)
header/src/main/java/org/zstack/header/keyprovider/KeyProviderCanonicalEvents.java (2)

12-67: 💤 Low value

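Consider extracting a common base class to eliminate duplicated code

KeyProviderServiceUnavailableData and KeyProviderServiceRecoveredData have exactly the same fields (keyProviderUuid, keyProviderName, keyProviderType, statusCode, statusMessage, defaultProvider); a common base class (e.g. KeyProviderServiceStatusData) can be extracted to reduce the duplication.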

Also applies to: 70-125

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@header/src/main/java/org/zstack/header/keyprovider/KeyProviderCanonicalEvents.java`
around lines 12 - 67, Extract a new base class KeyProviderServiceStatusData
containing the shared fields (keyProviderUuid, keyProviderName, keyProviderType,
statusCode, statusMessage, defaultProvider) with their getters/setters, then
make KeyProviderServiceUnavailableData and KeyProviderServiceRecoveredData
extend KeyProviderServiceStatusData and remove the duplicated fields and
accessor methods from those subclasses; ensure the new base class and subclasses
keep the original visibility and any annotations so serialization/usage (e.g.,
in KeyProviderServiceUnavailableData and KeyProviderServiceRecoveredData)
continues to work.

128-135: 💤 Low value

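Field type semantics suggestion

The daysLeft field uses the String type, but semantically it should be a numeric type (such as Integer or Long) so that event consumers can do numeric comparison and calculation. Likewise, the defaultProvider field is semantically better suited to the Boolean type.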

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@header/src/main/java/org/zstack/header/keyprovider/KeyProviderCanonicalEvents.java`
around lines 128 - 135, The fields in KeyProviderCertificateExpiringData have
wrong types: change daysLeft from String to an appropriate numeric type (e.g.,
Integer or Long) and change defaultProvider from String to Boolean; update the
class KeyProviderCertificateExpiringData by renaming types for fields daysLeft
and defaultProvider, adjust their getters/setters and any constructors/builders
that reference them, and update JSON (de)serialization or mapping annotations
and any callers/consumers to handle numeric/boolean values instead of strings to
preserve compatibility.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 20b2e24f-4d2b-434a-9d1a-5e5103f1880a

📥 Commits

Reviewing files that changed from the base of the PR and between a4c18f7 and 400d23a.

📒 Files selected for processing (2)
  • header/src/main/java/org/zstack/header/keyprovider/KeyProviderCanonicalEvents.java
  • storage/src/main/java/org/zstack/storage/encrypt/VolumeEncryptedSecretHelper.java

Comment on lines 163 to 193
public String prepareLuksEnvelopeDekOnHost(String hostUuid, String resourceUuid, String dekBase64) {
if (StringUtils.isBlank(hostUuid) || StringUtils.isBlank(resourceUuid) ||
StringUtils.isBlank(dekBase64)) {
throw new OperationFailureException(operr(
"encrypted volume[uuid:%s]: key manager returned empty DEK for LUKS secret material file",

"prepare LUKS envelope DEK requires non-blank hostUuid and volumeUuid"));
}

String kpUuid = volumeEncryptedResourceKeyBackend.findKeyProviderUuidByVolume(volumeUuid);
if (StringUtils.isBlank(kpUuid)) {
throw new OperationFailureException(operr(
"volume[uuid:%s] requires LUKS secret material but has no key provider binding",
volumeUuid));
}

return ensureLuksSecretFileOnHost(hostUuid, volumeUuid, dekBase64);
String dekBase64;
try {
EncryptedResourceKeyManager.ResourceKeyResult keyResult = materializeDek(volumeUuid, kpUuid);
dekBase64 = keyResult.getDekBase64();
if (StringUtils.isBlank(dekBase64)) {
throw new OperationFailureException(operr(
"encrypted volume[uuid:%s]: key manager returned empty DEK for LUKS envelope",
volumeUuid));
}
} catch (OperationFailureException e) {
fireHostKeyProviderConnectionAbnormal(hostUuid, kpUuid, failureReason(e));
throw e;
}

return prepareLuksEnvelopeDekOnHost(hostUuid, volumeUuid, kpUuid, dekBase64);
}
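
Review bot: The blank-argument guard at the top of this overload checks hostUuid, resourceUuid and dekBase64, but its message reads "prepare LUKS envelope DEK requires non-blank hostUuid and volumeUuid", which names a parameter this overload does not have and omits dekBase64. Reword the message to name the three arguments that are actually checked, without echoing the dekBase64 value, so a caller can tell which input was rejected.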

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

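The implementation of prepareLuksEnvelopeDekOnHost(hostUuid, resourceUuid, dekBase64) does not match its signature

This method has a fundamental problem: the signature indicates that it receives the dekBase64 parameter and uses it directly, but the method body:

  1. References the undefined variable volumeUuid (the parameter resourceUuid should be used)
  2. Redeclares a local variable String dekBase64, shadowing the parameter of the same name
  3. Calls materializeDek() to fetch the DEK again, completely ignoring the passed-in dekBase64 parameter

This suggests the method was copied from another overload without being modified correctly. The method's design intent needs to be clarified before it is reimplemented.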

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@storage/src/main/java/org/zstack/storage/encrypt/VolumeEncryptedSecretHelper.java`
around lines 163 - 193, The method prepareLuksEnvelopeDekOnHost(hostUuid,
resourceUuid, dekBase64) incorrectly references volumeUuid, redeclares
dekBase64, and calls materializeDek() (ignoring the passed dek); fix it to
validate non-blank hostUuid/resourceUuid/dekBase64, use resourceUuid when
calling
volumeEncryptedResourceKeyBackend.findKeyProviderUuidByVolume(resourceUuid),
throw an OperationFailureException mentioning resourceUuid if kpUuid is blank,
do NOT redeclare or overwrite dekBase64 or call
materializeDek()/fireHostKeyProviderConnectionAbnormal, and simply return
prepareLuksEnvelopeDekOnHost(hostUuid, resourceUuid, kpUuid, dekBase64).

Comment on lines +177 to +179

return ensureLuksSecretFileOnHost(hostUuid, volumeUuid, dekBase64);
String dekBase64;
try {

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

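Severe: the dekBase64 parameter is shadowed by a local variable

The method parameter dekBase64 is already declared on line 163, but line 178 redeclares a local variable of the same name, String dekBase64;, which shadows the method parameter. As a result, the passed-in dekBase64 parameter is ignored entirely and materializeDek() is called again to obtain a new DEK.

This shows that the method's implementation does not match the design intent of its signature. If the method already receives a dekBase64 parameter, it should not call materializeDek() again.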

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@storage/src/main/java/org/zstack/storage/encrypt/VolumeEncryptedSecretHelper.java`
around lines 177 - 179, The method in VolumeEncryptedSecretHelper mistakenly
redeclares a local variable String dekBase64 which shadows the method parameter
and causes the passed-in dekBase64 to be ignored; remove the local declaration
and change the logic so it uses the method parameter when non-null/non-empty and
only calls materializeDek() when the parameter is null/empty (or otherwise
absent), updating the code paths that reference dekBase64 accordingly (look for
the method containing the materializeDek() call and the local "String
dekBase64;" declaration).

@MatheMatrix MatheMatrix force-pushed the sync/zstackio/codex/keyprovider-events-alarms@@2 branch from 400d23a to 69f1a50 Compare June 10, 2026 09:51
@ZStack-Robot

Collaborator Author

Comment on storage/src/main/java/org/zstack/storage/encrypt/VolumeEncryptedSecretHelper.java:

Comment from 刘志建:

This file has already been reverted, so this issue no longer exists.

@zstack-robot-2

Collaborator

Comment from yaohua.wu:

Review: MR !10128 — ZSV-237

Background (preserved across rounds)

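  • Jira: ZSV-237, titled "[Host] Host operations… 'Modify configuration'/'Update SSH info' do not respond", is a UI bug from 2023 and is completely unrelated to the content of this MR (key provider canonical events); the Change-Id / Resolves reference appears to point to the wrong issue
  • Bug summary: the goal of this MR is to add canonical event definitions for key providers and to emit host/key-provider abnormal events when encrypted volume secret preparation / envelope generation / libvirt secret operations fail
  • Intent & scope: the final diff contains only 1 new file, header/.../keyprovider/KeyProviderCanonicalEvents.java (368 lines), with 6 event path constants + 6 @NeedJsonSchema data classes + 1 static utility, buildKeyInvalidBarrierKey. The event-emission logic in storage/.../enc* from earlier versions (including prepareLuksEnvelopeDekOnHost) has been reverted
  • Round 1 initial findings: 0 × P0, 2 × P1 (feature completeness / mismatched Jira reference)
  • Suggested fix direction: confirm whether the event-emission logic will land in a follow-up MR and correct the MR description; correct the Resolves reference to point to the right issue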

P1 — High

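| # | File:Line | Issue | Fix | Reviewer(s) | Conf | Route |
|---|---|---|---|---|---|---|
| 1 | KeyProviderCanonicalEvents.java (whole file) | The MR description promises to "emit abnormal events when secret preparation / envelope generation / libvirt secret operations fail", but the final diff contains only the event definitions, with no emission/subscription/integration logic (the emission code has been reverted). The 6 data classes and buildKeyInvalidBarrierKey are all newly added types with no callers in this branch, so they are unreferenced (dead code) once merged | Confirm whether event emission will land in a follow-up MR (if so, this is acceptable scaffolding, but the MR description should be changed to "definitions only" to avoid misleading readers); if the revert mistakenly removed integration logic that should have been kept, the feature is incomplete | correctness, architecture | 0.80 | manual → author |
| 2 | MR metadata | Resolves: ZSV-237 points to a 2023 UI bug (the host "modify configuration" button does not respond), unrelated to key provider events; Change-Id: I777161... also looks like a hand-written ASCII string rather than a random hash | Correct Resolves to the right ZSV issue to ensure traceability | correctness | 0.90 | advisory → author |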

P3 — Low

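| # | File:Line | Issue | Fix | Reviewer(s) | Conf | Route |
|---|---|---|---|---|---|---|
| 1 | KeyProviderCanonicalEvents.java:14-149 | ServiceUnavailableData/ServiceRecoveredData (6 fields), CertificateExpiring/Recovered (8 fields) and KeyInvalid/Recovered (4 fields): the three pairs have identical structures, about 150 duplicated lines | Splitting canonical events into separate data classes per path is the ZStack convention (@NeedJsonSchema generates a schema per class, and the UI distinguishes by type), so this is acceptable. To slim it down, each recovered/abnormal pair could share a parent class | craftsmanship | 0.55 | advisory → author |
| 2 | KeyProviderCanonicalEvents.java:358-367 | buildKeyInvalidBarrierKey joins the key segments with : and does not escape them; if resourceType/resourceUuid contains :, key collisions result | The current inputs are enum/UUID values with no :, so the risk is low; for rigor, use a separator that cannot appear in the content, or encode each segment | adversarial | 0.50 | advisory → author |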

Coverage

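  • Changed files: 1 (new), all deep-reviewed; no generated/vendored files were filtered out
  • High-signal (independently hit by multiple personas): 1 item (feature completeness, correctness+architecture)
  • The Critical findings reported earlier by coderabbit (prepareLuksEnvelopeDekOnHost variable shadowing / undefined volumeUuid, etc.) disappeared with the file revert and are not in the current diff, so they are not reported again
  • Upstream freshness: merge_status=can_be_merged; the branch has been rebased onto the latest target (11 commits synced), and the new file carries no conflict risk
  • The code in the file is itself correct and compiles, with no runtime defects; both P1 items concern completeness/traceability and are not code bugs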

Verdict: REVISION_REQUIRED

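The code in this MR has no defects, but there are two completeness issues the author needs to confirm: (1) the event-emission logic promised in the description is missing (only the definitions remain, and there are currently no callers), so confirm whether it will land in a follow-up MR and correct the description accordingly; (2) the Jira Resolves reference points to the wrong issue and needs to be corrected. Neither item blocks compilation, but clarification before merging is recommended.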


🤖 Robot Reviewer
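
The delimiter-collision point raised for buildKeyInvalidBarrierKey in the P3 table above, shown as an added example that is not ZStack code and not part of the review comment. The real method's signature is not shown on this page, so the helper names (joinedKey, lengthPrefixedKey) and the sample segment values are assumptions constructed for illustration; the technique applies to any composite key built from string segments.

```java
import java.util.HashSet;
import java.util.Set;

// Added example (not ZStack code). Helper names and sample values are constructed.
public class BarrierKeyCollisionDemo {

    // Naive composite key: segments joined with ':' and no escaping.
    static String joinedKey(String... segments) {
        return String.join(":", segments);
    }

    // Unambiguous composite key: each segment is emitted as "<length>:<segment>".
    // A reader consumes digits up to the first ':', then exactly <length> chars,
    // so a ':' inside a segment can never move a segment boundary.
    static String lengthPrefixedKey(String... segments) {
        StringBuilder sb = new StringBuilder();
        for (String s : segments) {
            if (s == null) {
                throw new IllegalArgumentException("null key segment");
            }
            sb.append(s.length()).append(':').append(s);
        }
        return sb.toString();
    }

    interface KeyBuilder {
        String build(String... segments);
    }

    // Counts how many distinct keys a builder yields for the given tuples.
    static int distinctKeys(KeyBuilder builder, String[][] tuples) {
        Set<String> keys = new HashSet<>();
        for (String[] tuple : tuples) {
            keys.add(builder.build(tuple));
        }
        return keys.size();
    }

    public static void main(String[] args) {
        // Constructed (resourceType, resourceUuid) pairs: two different
        // resources whose segments differ only in where the ':' falls.
        String[][] tuples = {
            {"TypeA", "x:y"},
            {"TypeA:x", "y"},
        };

        int naive = distinctKeys(BarrierKeyCollisionDemo::joinedKey, tuples);
        int safe = distinctKeys(BarrierKeyCollisionDemo::lengthPrefixedKey, tuples);

        for (String[] tuple : tuples) {
            System.out.println(joinedKey(tuple) + "  vs  " + lengthPrefixedKey(tuple));
        }
        System.out.println("distinct keys, ':' join: " + naive);
        System.out.println("distinct keys, length-prefixed: " + safe);

        // Both tuples collapse to "TypeA:x:y" under the plain join, while the
        // length-prefixed form keeps them apart ("5:TypeA3:x:y" / "7:TypeA:x1:y").
        if (naive != 1 || safe != 2) {
            throw new AssertionError("unexpected key counts");
        }
    }
}
```

With enum and UUID inputs, as the review notes, the plain join is collision-free today; the length-prefixed form keeps that property if a future caller passes a free-form string.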

@MatheMatrix MatheMatrix force-pushed the sync/zstackio/codex/keyprovider-events-alarms@@2 branch from 69f1a50 to 30b7917 Compare June 11, 2026 09:04
Add key provider canonical events and emit host/key-provider abnormal
events when encrypted volume secret preparation, envelope generation, or
libvirt secret operations fail.

Resolves: ZSV-237
Change-Id: I77716165756971736379216977626b6f6f65656b
@MatheMatrix MatheMatrix force-pushed the sync/zstackio/codex/keyprovider-events-alarms@@2 branch from 30b7917 to 8915cd4 Compare June 12, 2026 06:50