From e609aa8e9cfcbe639c63026f02a3fa070a009859 Mon Sep 17 00:00:00 2001
From: Pearl Dsilva <pearl1594@gmail.com>
Date: Wed, 9 Feb 2022 00:14:01 +0530
Subject: [PATCH 01/13] Skip systemVM template registration for Simulator
 (#5954)

* Skip systemVM template registration for Simulator

* simplify
---
 server/src/main/java/com/cloud/storage/StorageManagerImpl.java | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/server/src/main/java/com/cloud/storage/StorageManagerImpl.java b/server/src/main/java/com/cloud/storage/StorageManagerImpl.java
index 7e5110ba56c..a0b5406d01c 100644
--- a/server/src/main/java/com/cloud/storage/StorageManagerImpl.java
+++ b/server/src/main/java/com/cloud/storage/StorageManagerImpl.java
@@ -2808,6 +2808,9 @@ public class StorageManagerImpl extends ManagerBase implements StorageManager, C
                             Pair<String, Long> storeUrlAndId = new Pair<>(url, store.getId());
                             for (HypervisorType hypervisorType : hypSet) {
                                 try {
+                                    if (HypervisorType.Simulator == hypervisorType) {
+                                        continue;
+                                    }
                                     String templateName = getValidTemplateName(zoneId, hypervisorType);
                                     Pair<Hypervisor.HypervisorType, String> hypervisorAndTemplateName =
                                             new Pair<>(hypervisorType, templateName);

From c7885f55eb0b79c89005dfea98545b5ac046203a Mon Sep 17 00:00:00 2001
From: PJ Fanning <pjfanning@users.noreply.github.com>
Date: Tue, 8 Feb 2022 19:52:28 +0100
Subject: [PATCH 02/13] maven: upgrade bouncycastle due to cve (#5949)

Fixes: #5948
---
 client/pom.xml                                | 12 +++++++++++
 .../integrations/kubernetes-service/pom.xml   |  5 +++++
 pom.xml                                       |  7 ++++++-
 services/console-proxy/rdpconsole/pom.xml     |  4 ++++
 .../streamer/bco/BcoSocketWrapperImpl.java    | 21 ++++++++++---------
 utils/pom.xml                                 |  4 ++++
 6 files changed, 42 insertions(+), 11 deletions(-)

diff --git a/client/pom.xml b/client/pom.xml
index 1995158d8b7..d1a95b0aea2 100644
--- a/client/pom.xml
+++ b/client/pom.xml
@@ -564,6 +564,11 @@
                         <artifactId>bcpkix-jdk15on</artifactId>
                         <version>${cs.bcprov.version}</version>
                     </dependency>
+                    <dependency>
+                        <groupId>org.bouncycastle</groupId>
+                        <artifactId>bctls-jdk15on</artifactId>
+                        <version>${cs.bcprov.version}</version>
+                    </dependency>
                 </dependencies>
                 <configuration>
                     <supportedPackagings>
@@ -751,6 +756,12 @@
                                     <overWrite>false</overWrite>
                                     <outputDirectory>${project.build.directory}/lib</outputDirectory>
                                 </artifactItem>
+                                <artifactItem>
+                                    <groupId>org.bouncycastle</groupId>
+                                    <artifactId>bctls-jdk15on</artifactId>
+                                    <overWrite>false</overWrite>
+                                    <outputDirectory>${project.build.directory}/lib</outputDirectory>
+                                </artifactItem>
                             </artifactItems>
                         </configuration>
                     </execution>
@@ -786,6 +797,7 @@
                                     <exclude>org.apache.geronimo.specs:geronimo-javamail_1.4_spec</exclude>
                                     <exclude>org.bouncycastle:bcprov-jdk15on</exclude>
                                     <exclude>org.bouncycastle:bcpkix-jdk15on</exclude>
+                                    <exclude>org.bouncycastle:bctls-jdk15on</exclude>
                                     <exclude>mysql:mysql-connector-java</exclude>
                                 </excludes>
                             </artifactSet>
diff --git a/plugins/integrations/kubernetes-service/pom.xml b/plugins/integrations/kubernetes-service/pom.xml
index 5cff3d3aa2e..4be08f276cc 100644
--- a/plugins/integrations/kubernetes-service/pom.xml
+++ b/plugins/integrations/kubernetes-service/pom.xml
@@ -126,6 +126,11 @@
             <artifactId>bcprov-jdk15on</artifactId>
             <version>${cs.bcprov.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bctls-jdk15on</artifactId>
+            <version>${cs.bcprov.version}</version>
+        </dependency>
         <dependency>
             <groupId>joda-time</groupId>
             <artifactId>joda-time</artifactId>
diff --git a/pom.xml b/pom.xml
index 5e77126b22d..10448b56e23 100644
--- a/pom.xml
+++ b/pom.xml
@@ -123,7 +123,7 @@
         <cs.axiom.version>1.2.8</cs.axiom.version>
         <cs.axis.version>1.4</cs.axis.version>
         <cs.batik.version>1.14</cs.batik.version>
-        <cs.bcprov.version>1.64</cs.bcprov.version>
+        <cs.bcprov.version>1.70</cs.bcprov.version>
         <cs.cglib.version>3.3.0</cs.cglib.version>
         <cs.checkstyle-lib.version>8.18</cs.checkstyle-lib.version>
         <cs.cxf.version>3.2.14</cs.cxf.version>
@@ -554,6 +554,11 @@
                 <artifactId>bcprov-jdk15on</artifactId>
                 <version>${cs.bcprov.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.bouncycastle</groupId>
+                <artifactId>bctls-jdk15on</artifactId>
+                <version>${cs.bcprov.version}</version>
+            </dependency>
             <dependency>
                 <groupId>org.codehaus.groovy</groupId>
                 <artifactId>groovy-all</artifactId>
diff --git a/services/console-proxy/rdpconsole/pom.xml b/services/console-proxy/rdpconsole/pom.xml
index d0f7c78e6be..35dcfadb5d7 100644
--- a/services/console-proxy/rdpconsole/pom.xml
+++ b/services/console-proxy/rdpconsole/pom.xml
@@ -48,6 +48,10 @@
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcprov-jdk15on</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bctls-jdk15on</artifactId>
+        </dependency>
         <dependency>
             <groupId>com.sun.xml.security</groupId>
             <artifactId>xml-security-impl</artifactId>
diff --git a/services/console-proxy/rdpconsole/src/main/java/streamer/bco/BcoSocketWrapperImpl.java b/services/console-proxy/rdpconsole/src/main/java/streamer/bco/BcoSocketWrapperImpl.java
index 3d6635c7f5e..39aaba9e340 100644
--- a/services/console-proxy/rdpconsole/src/main/java/streamer/bco/BcoSocketWrapperImpl.java
+++ b/services/console-proxy/rdpconsole/src/main/java/streamer/bco/BcoSocketWrapperImpl.java
@@ -17,12 +17,13 @@
 package streamer.bco;
 
 import org.apache.log4j.Logger;
-import org.bouncycastle.crypto.tls.Certificate;
-import org.bouncycastle.crypto.tls.DefaultTlsClient;
-import org.bouncycastle.crypto.tls.ServerOnlyTlsAuthentication;
-import org.bouncycastle.crypto.tls.TlsAuthentication;
-import org.bouncycastle.crypto.tls.TlsClientProtocol;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.tls.DefaultTlsClient;
+import org.bouncycastle.tls.ServerOnlyTlsAuthentication;
+import org.bouncycastle.tls.TlsAuthentication;
+import org.bouncycastle.tls.TlsClientProtocol;
+import org.bouncycastle.tls.TlsServerCertificate;
+import org.bouncycastle.tls.crypto.impl.bc.BcTlsCrypto;
 import streamer.Direction;
 import streamer.Event;
 import streamer.SocketWrapperImpl;
@@ -60,18 +61,18 @@ public class BcoSocketWrapperImpl extends SocketWrapperImpl {
 
         try {
 
-            SecureRandom secureRandom = new SecureRandom();
-            bcoSslSocket = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(), secureRandom);
+            bcoSslSocket = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream());
 
-            bcoSslSocket.connect(new DefaultTlsClient() {
+            bcoSslSocket.connect(new DefaultTlsClient(new BcTlsCrypto(new SecureRandom())) {
                 @Override
                 public TlsAuthentication getAuthentication() throws IOException {
                     return new ServerOnlyTlsAuthentication() {
                         @Override
-                        public void notifyServerCertificate(final Certificate certificate) throws IOException {
+                        public void notifyServerCertificate(final TlsServerCertificate certificate) throws IOException {
                             try {
                                 if (sslState != null) {
-                                    sslState.serverCertificateSubjectPublicKeyInfo = certificate.getCertificateAt(0).getSubjectPublicKeyInfo().getEncoded();
+                                    sslState.serverCertificateSubjectPublicKeyInfo =
+                                            certificate.getCertificate().getCertificateAt(0).getEncoded();
                                 }
                             } catch (IOException e) {
                                 throw new RuntimeException("Cannot get server public key.", e);
diff --git a/utils/pom.xml b/utils/pom.xml
index 9fcacb16511..8b0cf07a79b 100755
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -70,6 +70,10 @@
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcpkix-jdk15on</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bctls-jdk15on</artifactId>
+        </dependency>
         <dependency>
             <groupId>com.jcraft</groupId>
             <artifactId>jsch</artifactId>

From 453aeb02f016e82a82b0a06fd80f0ef39aee2634 Mon Sep 17 00:00:00 2001
From: davidjumani <dj.davidjumani1994@gmail.com>
Date: Wed, 9 Feb 2022 09:34:00 +0530
Subject: [PATCH 03/13] Add ID search capability to sshkeypairs (#5963)

---
 .../cloudstack/api/command/user/ssh/ListSSHKeyPairsCmd.java | 5 +++++
 .../apache/cloudstack/api/response/SSHKeyPairResponse.java  | 6 +++++-
 .../main/java/com/cloud/server/ManagementServerImpl.java    | 5 +++++
 ui/src/components/view/InfoCard.vue                         | 2 +-
 4 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/ssh/ListSSHKeyPairsCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/ssh/ListSSHKeyPairsCmd.java
index 1a77a660dcd..560974937ef 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/ssh/ListSSHKeyPairsCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/ssh/ListSSHKeyPairsCmd.java
@@ -40,6 +40,8 @@ public class ListSSHKeyPairsCmd extends BaseListProjectAndAccountResourcesCmd {
     /////////////////////////////////////////////////////
     //////////////// API parameters /////////////////////
     /////////////////////////////////////////////////////
+    @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = SSHKeyPairResponse.class, description = "the ID of the ssh keypair")
+    private Long id;
 
     @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, description = "A key pair name to look for")
     private String name;
@@ -50,6 +52,9 @@ public class ListSSHKeyPairsCmd extends BaseListProjectAndAccountResourcesCmd {
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
+    public Long getId() {
+        return id;
+    }
 
     public String getName() {
         return name;
diff --git a/api/src/main/java/org/apache/cloudstack/api/response/SSHKeyPairResponse.java b/api/src/main/java/org/apache/cloudstack/api/response/SSHKeyPairResponse.java
index 5a4d69b76cc..7bd423910be 100644
--- a/api/src/main/java/org/apache/cloudstack/api/response/SSHKeyPairResponse.java
+++ b/api/src/main/java/org/apache/cloudstack/api/response/SSHKeyPairResponse.java
@@ -21,8 +21,12 @@ import com.google.gson.annotations.SerializedName;
 import org.apache.cloudstack.api.ApiConstants;
 
 import com.cloud.serializer.Param;
-import org.apache.cloudstack.api.BaseResponseWithAnnotations;
+import com.cloud.user.SSHKeyPair;
 
+import org.apache.cloudstack.api.BaseResponseWithAnnotations;
+import org.apache.cloudstack.api.EntityReference;
+
+@EntityReference(value = SSHKeyPair.class)
 public class SSHKeyPairResponse extends BaseResponseWithAnnotations {
 
     @SerializedName(ApiConstants.ID)
diff --git a/server/src/main/java/com/cloud/server/ManagementServerImpl.java b/server/src/main/java/com/cloud/server/ManagementServerImpl.java
index 581a6da6a1e..565efa7545e 100644
--- a/server/src/main/java/com/cloud/server/ManagementServerImpl.java
+++ b/server/src/main/java/com/cloud/server/ManagementServerImpl.java
@@ -4150,6 +4150,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
 
     @Override
     public Pair<List<? extends SSHKeyPair>, Integer> listSSHKeyPairs(final ListSSHKeyPairsCmd cmd) {
+        final Long id = cmd.getId();
         final String name = cmd.getName();
         final String fingerPrint = cmd.getFingerprint();
         final String keyword = cmd.getKeyword();
@@ -4169,6 +4170,10 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
         final SearchCriteria<SSHKeyPairVO> sc = sb.create();
         _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
 
+        if (id != null) {
+            sc.addAnd("id", SearchCriteria.Op.EQ, id);
+        }
+
         if (name != null) {
             sc.addAnd("name", SearchCriteria.Op.EQ, name);
         }
diff --git a/ui/src/components/view/InfoCard.vue b/ui/src/components/view/InfoCard.vue
index 6347c4c3a89..6b61dad2c13 100644
--- a/ui/src/components/view/InfoCard.vue
+++ b/ui/src/components/view/InfoCard.vue
@@ -605,7 +605,7 @@
         <div v-for="item in $route.meta.related" :key="item.path">
           <router-link
             v-if="$router.resolve('/' + item.name).route.name !== '404'"
-            :to="{ path: '/' + item.name + '?' + item.param + '=' + (item.value ? resource[item.value] : item.param === 'account' ? resource.name + '&domainid=' + resource.domainid : resource.id) }">
+            :to="{ path: '/' + item.name + '?' + item.param + '=' + (item.value ? resource[item.value] : item.param === 'account' ? resource.name + '&domainid=' + resource.domainid : item.param === 'keypair' ? resource.name : resource.id) }">
             <a-button style="margin-right: 10px" :icon="$router.resolve('/' + item.name).route.meta.icon" >
               {{ $t('label.view') + ' ' + $t(item.title) }}
             </a-button>

From ce81a8e708c4af1853bb054503085c252aef5286 Mon Sep 17 00:00:00 2001
From: Wei Zhou <weizhou@apache.org>
Date: Wed, 9 Feb 2022 05:07:28 +0100
Subject: [PATCH 04/13] test: sleep 30s after restarting mgt server in
 test_kubernetes_supported_versions.py to fix test failures with
 test_secondary_storage.py (#5962)

---
 test/integration/smoke/test_kubernetes_supported_versions.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/test/integration/smoke/test_kubernetes_supported_versions.py b/test/integration/smoke/test_kubernetes_supported_versions.py
index a6e47866673..52fb2d8752d 100644
--- a/test/integration/smoke/test_kubernetes_supported_versions.py
+++ b/test/integration/smoke/test_kubernetes_supported_versions.py
@@ -94,7 +94,9 @@ class TestKubernetesSupportedVersion(cloudstackTestCase):
         #Waits for management to come up in 5 mins, when it's up it will continue
         timeout = time.time() + 300
         while time.time() < timeout:
-            if cls.isManagementUp() is True: return
+            if cls.isManagementUp() is True:
+                time.sleep(30)
+                return
             time.sleep(5)
         return cls.fail("Management server did not come up, failing")
 

From b275c297094e7d28b2c3721ed828ac00117657c4 Mon Sep 17 00:00:00 2001
From: Hoang Nguyen <hoangnm@unitech.vn>
Date: Wed, 9 Feb 2022 15:43:31 +0700
Subject: [PATCH 05/13] UI - Add Network: shows "Offering for Isolated networks
 with no Source Nat service" on Network Offering for normal users (#5904)

* shows "Offering for Isolated networks with no Source Nat service" for normal users

* fixes roles

* fix selected tabs
---
 ui/src/views/network/CreateIsolatedNetworkForm.vue | 1 -
 ui/src/views/network/CreateNetwork.vue             | 9 ++++++---
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/ui/src/views/network/CreateIsolatedNetworkForm.vue b/ui/src/views/network/CreateIsolatedNetworkForm.vue
index 1f717710b85..761d8128dad 100644
--- a/ui/src/views/network/CreateIsolatedNetworkForm.vue
+++ b/ui/src/views/network/CreateIsolatedNetworkForm.vue
@@ -344,7 +344,6 @@ export default {
       var params = {
         zoneid: this.selectedZone.id,
         guestiptype: 'Isolated',
-        supportedServices: 'SourceNat',
         state: 'Enabled'
       }
       if (isAdminOrDomainAdmin() && this.selectedDomain.id !== '-1') { // domain is visible only for admins
diff --git a/ui/src/views/network/CreateNetwork.vue b/ui/src/views/network/CreateNetwork.vue
index 56c144932cf..ababc337394 100644
--- a/ui/src/views/network/CreateNetwork.vue
+++ b/ui/src/views/network/CreateNetwork.vue
@@ -17,7 +17,7 @@
 
 <template>
   <a-spin :spinning="loading" class="form-layout">
-    <a-tabs defaultActiveKey="1" :animated="false" v-if="!loading">
+    <a-tabs :default-active-key="defaultNetworkTypeTabKey" :animated="false" v-if="!loading">
       <a-tab-pane :tab="$t('label.isolated')" key="1" v-if="isAdvancedZoneWithoutSGAvailable">
         <CreateIsolatedNetworkForm
           :loading="loading"
@@ -68,7 +68,7 @@ export default {
   },
   data () {
     return {
-      isAdvancedZoneWithoutSGAvailable: true,
+      isAdvancedZoneWithoutSGAvailable: false,
       defaultNetworkTypeTabKey: '1',
       loading: false,
       actionZones: [],
@@ -79,14 +79,17 @@ export default {
     const promises = []
     promises.push(this.fetchActionZoneData())
     Promise.all(promises).then(() => {
+      this.isAdvancedZoneWithoutSGAvailable = false
+      this.defaultNetworkTypeTabKey = '2'
+
       for (const i in this.actionZones) {
         const zone = this.actionZones[i]
         if (zone.networktype === 'Advanced' && zone.securitygroupsenabled !== true) {
           this.isAdvancedZoneWithoutSGAvailable = true
+          this.defaultNetworkTypeTabKey = '1'
           return
         }
       }
-      this.isAdvancedZoneWithoutSGAvailable = false
     })
   },
   methods: {

From 143b72d67ecf25f9ee3d5f3785a9e17d234236b6 Mon Sep 17 00:00:00 2001
From: dahn <daan.hoogland@gmail.com>
Date: Wed, 9 Feb 2022 10:19:47 +0100
Subject: [PATCH 06/13] cleanup: Network Throttling for Additional Networks
 code in DirectVifDriver.java  (#5875)

---
 .../cloud/hypervisor/kvm/resource/DirectVifDriver.java   | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/DirectVifDriver.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/DirectVifDriver.java
index 86a45ecc8aa..5037ad1aec7 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/DirectVifDriver.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/DirectVifDriver.java
@@ -19,6 +19,7 @@
 
 package com.cloud.hypervisor.kvm.resource;
 
+import org.apache.commons.compress.utils.Sets;
 import org.apache.log4j.Logger;
 import org.libvirt.LibvirtException;
 
@@ -47,12 +48,8 @@ public class DirectVifDriver extends VifDriverBase {
     public LibvirtVMDef.InterfaceDef plug(NicTO nic, String guestOsType, String nicAdapter, Map<String, String> extraConfig) throws InternalErrorException, LibvirtException {
         LibvirtVMDef.InterfaceDef intf = new LibvirtVMDef.InterfaceDef();
 
-        if (nic.getType() == Networks.TrafficType.Guest) {
-            Integer networkRateKBps = (nic.getNetworkRateMbps() != null && nic.getNetworkRateMbps().intValue() != -1) ? nic.getNetworkRateMbps().intValue() * 128 : 0;
-            intf.defDirectNet(_libvirtComputingResource.getNetworkDirectDevice(), null, nic.getMac(), getGuestNicModel(guestOsType, nicAdapter),
-                _libvirtComputingResource.getNetworkDirectSourceMode(), networkRateKBps);
-
-        } else if (nic.getType() == Networks.TrafficType.Public) {
+        if (Sets.newHashSet(Networks.TrafficType.Guest,
+                            Networks.TrafficType.Public).contains(nic.getType())) {
             Integer networkRateKBps = (nic.getNetworkRateMbps() != null && nic.getNetworkRateMbps().intValue() != -1) ? nic.getNetworkRateMbps().intValue() * 128 : 0;
             intf.defDirectNet(_libvirtComputingResource.getNetworkDirectDevice(), null, nic.getMac(), getGuestNicModel(guestOsType, nicAdapter),
                 _libvirtComputingResource.getNetworkDirectSourceMode(), networkRateKBps);

From 85ced4447bb894523bf088d08409f57ef356f2c5 Mon Sep 17 00:00:00 2001
From: Pearl Dsilva <pearl1594@gmail.com>
Date: Wed, 9 Feb 2022 19:55:27 +0530
Subject: [PATCH 07/13] API: Fix listSSHKeyPairs API when listing all resources
 (listall=true & projectid=-1) (#5958)

* API: Fix listSSHKeyPairs API when listing all resources (listall=true & projectid=-1)

* fix issue with indexing
---
 .../com/cloud/utils/db/GenericDaoBase.java    | 20 +++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/framework/db/src/main/java/com/cloud/utils/db/GenericDaoBase.java b/framework/db/src/main/java/com/cloud/utils/db/GenericDaoBase.java
index 7d1b7b75ec9..3f1c7ec2938 100644
--- a/framework/db/src/main/java/com/cloud/utils/db/GenericDaoBase.java
+++ b/framework/db/src/main/java/com/cloud/utils/db/GenericDaoBase.java
@@ -56,6 +56,7 @@ import javax.persistence.Enumerated;
 import javax.persistence.Table;
 import javax.persistence.TableGenerator;
 
+import org.apache.commons.lang3.StringUtils;
 import org.apache.log4j.Logger;
 
 import com.cloud.utils.DateUtil;
@@ -878,7 +879,7 @@ public abstract class GenericDaoBase<T, ID extends Serializable> extends Compone
             for (final Field field : clazz.getDeclaredFields()) {
                 sql.append(_table).append(".").append(DbUtil.getColumnName(field, overrides)).append(" = ? AND ");
             }
-            sql.delete(sql.length() - 4, sql.length());
+            removeAndClause(sql);
         }
 
         return sql.toString();
@@ -1262,10 +1263,11 @@ public abstract class GenericDaoBase<T, ID extends Serializable> extends Compone
 
     @DB()
     protected void addJoins(StringBuilder str, Collection<JoinBuilder<SearchCriteria<?>>> joins) {
+        boolean hasWhereClause = true;
         int fromIndex = str.lastIndexOf("WHERE");
         if (fromIndex == -1) {
             fromIndex = str.length();
-            str.append(" WHERE ");
+            hasWhereClause = false;
         } else {
             str.append(" AND ");
         }
@@ -1287,13 +1289,19 @@ public abstract class GenericDaoBase<T, ID extends Serializable> extends Compone
             .append(" ");
             str.insert(fromIndex, onClause);
             String whereClause = join.getT().getWhereClause();
-            if ((whereClause != null) && !"".equals(whereClause)) {
+            if (StringUtils.isNotEmpty(whereClause)) {
+                if (!hasWhereClause) {
+                    str.append(" WHERE ");
+                    hasWhereClause = true;
+                }
                 str.append(" (").append(whereClause).append(") AND");
             }
             fromIndex += onClause.length();
         }
 
-        str.delete(str.length() - 4, str.length());
+        if (hasWhereClause) {
+            removeAndClause(str);
+        }
 
         for (JoinBuilder<SearchCriteria<?>> join : joins) {
             if (join.getT().getJoins() != null) {
@@ -1302,6 +1310,10 @@ public abstract class GenericDaoBase<T, ID extends Serializable> extends Compone
         }
     }
 
+    private void removeAndClause(StringBuilder sql) {
+        sql.delete(sql.length() - 4, sql.length());
+    }
+
     @Override
     @DB()
     public List<T> search(final SearchCriteria<T> sc, final Filter filter) {

From 3fc4ef478d03cd20169d5a3dcdef6233724446be Mon Sep 17 00:00:00 2001
From: dahn <daan.hoogland@shapeblue.com>
Date: Wed, 9 Feb 2022 16:38:33 +0100
Subject: [PATCH 08/13] replace Random with SecureRandom (#5966)

Co-authored-by: Daan Hoogland <dahn@onecht.net>
---
 .../main/java/com/cloud/projects/ProjectManagerImpl.java   | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/server/src/main/java/com/cloud/projects/ProjectManagerImpl.java b/server/src/main/java/com/cloud/projects/ProjectManagerImpl.java
index eb8c58b3060..02d371aa981 100644
--- a/server/src/main/java/com/cloud/projects/ProjectManagerImpl.java
+++ b/server/src/main/java/com/cloud/projects/ProjectManagerImpl.java
@@ -17,10 +17,10 @@
 package com.cloud.projects;
 
 import java.io.UnsupportedEncodingException;
+import java.security.SecureRandom;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
-import java.util.Random;
 import java.util.TimeZone;
 import java.util.UUID;
 import java.util.concurrent.Executors;
@@ -106,6 +106,8 @@ import org.apache.commons.lang3.BooleanUtils;
 public class ProjectManagerImpl extends ManagerBase implements ProjectManager, Configurable {
     public static final Logger s_logger = Logger.getLogger(ProjectManagerImpl.class);
 
+    private static final SecureRandom secureRandom = new SecureRandom();
+
     @Inject
     private DomainDao _domainDao;
     @Inject
@@ -1349,10 +1351,9 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager, C
 
     public static String generateToken(int length) {
         String charset = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
-        Random rand = new Random(System.currentTimeMillis());
         StringBuffer sb = new StringBuffer();
         for (int i = 0; i < length; i++) {
-            int pos = rand.nextInt(charset.length());
+            int pos = secureRandom.nextInt(charset.length());
             sb.append(charset.charAt(pos));
         }
         return sb.toString();

From b5655c3b77070c21499c66a2f5ac1fb1d5b57e04 Mon Sep 17 00:00:00 2001
From: PJ Fanning <pjfanning@users.noreply.github.com>
Date: Wed, 9 Feb 2022 17:23:14 +0100
Subject: [PATCH 09/13] [issue-5952] upgrade to jetty 9.4.44.v20210927 (#5953)

* [issue-5952] upgrade to maven 9.4.44.v20210927

* Update pom.xml

Co-authored-by: Rohit Yadav <rohityadav89@gmail.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 10448b56e23..ce17690130d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -145,7 +145,7 @@
         <cs.jaxb.version>2.3.0</cs.jaxb.version>
         <cs.jaxws.version>2.3.2-1</cs.jaxws.version>
         <cs.jersey-client.version>2.26</cs.jersey-client.version>
-        <cs.jetty.version>9.4.36.v20210114</cs.jetty.version>
+        <cs.jetty.version>9.4.44.v20210927</cs.jetty.version>
         <cs.jetty-maven-plugin.version>9.4.27.v20200227</cs.jetty-maven-plugin.version>
         <cs.jna.version>5.5.0</cs.jna.version>
         <cs.joda-time.version>2.10.9</cs.joda-time.version>

From 791d0634f74e0b24592ca41cb3bbf1306362fdeb Mon Sep 17 00:00:00 2001
From: PJ Fanning <pjfanning@users.noreply.github.com>
Date: Thu, 10 Feb 2022 05:04:14 +0100
Subject: [PATCH 10/13] [issue-5943] xerces 2.12.2 (#5968)

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index ce17690130d..5721b3e3b60 100644
--- a/pom.xml
+++ b/pom.xml
@@ -669,7 +669,7 @@
             <dependency>
                 <groupId>xerces</groupId>
                 <artifactId>xercesimpl</artifactId>
-                <version>2.12.0</version>
+                <version>${cs.xercesImpl.version}</version>
             </dependency>
             <dependency>
                 <groupId>xml-apis</groupId>

From 640118ce2b631e155c0477c46f37bea562ecb714 Mon Sep 17 00:00:00 2001
From: Pearl Dsilva <pearl1594@gmail.com>
Date: Thu, 10 Feb 2022 09:50:12 +0530
Subject: [PATCH 11/13] Add disk space in systemVM template registration script
 (#5956)

---
 scripts/storage/secondary/setup-sysvm-tmplt | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/scripts/storage/secondary/setup-sysvm-tmplt b/scripts/storage/secondary/setup-sysvm-tmplt
index fa33f33f040..89195e406e6 100755
--- a/scripts/storage/secondary/setup-sysvm-tmplt
+++ b/scripts/storage/secondary/setup-sysvm-tmplt
@@ -45,6 +45,8 @@ if [[ ! $@ =~ ^\-.+ ]]; then
 fi
 
 OPTERR=0
+DISKSPACE=2120000  #free disk space required in kilobytes
+
 while getopts 'h:f:d:u::'# OPTION
 do
   case $OPTION in

From f88f934274793174ed72164ffed8562003d1a28b Mon Sep 17 00:00:00 2001
From: Abhishek Kumar <abhishek.mrt22@gmail.com>
Date: Thu, 10 Feb 2022 10:07:23 +0530
Subject: [PATCH 12/13] api, server: fix add-remove vpn user without vpn owner
 (#5850)

* api, server: fix add-remove vpn user without vpn owner

Fixes #5711

ACS should not add a new user in Add state when the owner account does not have VPN access.
While removing VPN user ACS should not fail completely when owner account ahs no VPN.

* change , fixes

* remove unused method

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
---
 .../network/vpn/RemoteAccessVpnService.java   |  2 +
 .../command/user/vpn/RemoveVpnUserCmd.java    |  3 +-
 .../vpn/RemoteAccessVpnManagerImpl.java       | 58 ++++++++++++++++---
 3 files changed, 52 insertions(+), 11 deletions(-)

diff --git a/api/src/main/java/com/cloud/network/vpn/RemoteAccessVpnService.java b/api/src/main/java/com/cloud/network/vpn/RemoteAccessVpnService.java
index 5426d181e70..bbb9771d27a 100644
--- a/api/src/main/java/com/cloud/network/vpn/RemoteAccessVpnService.java
+++ b/api/src/main/java/com/cloud/network/vpn/RemoteAccessVpnService.java
@@ -43,6 +43,8 @@ public interface RemoteAccessVpnService {
 
     List<? extends VpnUser> listVpnUsers(long vpnOwnerId, String userName);
 
+    boolean applyVpnUsers(long vpnOwnerId, String userName, boolean forRemove) throws ResourceUnavailableException;
+
     boolean applyVpnUsers(long vpnOwnerId, String userName) throws ResourceUnavailableException;
 
     Pair<List<? extends RemoteAccessVpn>, Integer> searchForRemoteAccessVpns(ListRemoteAccessVpnsCmd cmd);
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/vpn/RemoveVpnUserCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/vpn/RemoveVpnUserCmd.java
index 33cbb46485c..caeb0608b6a 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/vpn/RemoveVpnUserCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/vpn/RemoveVpnUserCmd.java
@@ -120,9 +120,8 @@ public class RemoveVpnUserCmd extends BaseAsyncCmd {
         }
 
         boolean appliedVpnUsers = false;
-
         try {
-            appliedVpnUsers = _ravService.applyVpnUsers(ownerId, userName);
+            appliedVpnUsers = _ravService.applyVpnUsers(ownerId, userName, true);
         } catch (ResourceUnavailableException ex) {
             String errorMessage = String.format("Failed to refresh VPN user=[%s] due to resource unavailable. VPN owner id=[%s].", userName, ownerId);
             s_logger.error(errorMessage, ex);
diff --git a/server/src/main/java/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java b/server/src/main/java/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
index 74b53f14f07..61d247d7b8a 100644
--- a/server/src/main/java/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
@@ -16,16 +16,16 @@
 // under the License.
 package com.cloud.network.vpn;
 
+import java.lang.reflect.InvocationTargetException;
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.stream.Collectors;
 
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
-import org.apache.log4j.Logger;
-
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.command.user.vpn.ListRemoteAccessVpnsCmd;
 import org.apache.cloudstack.api.command.user.vpn.ListVpnUsersCmd;
@@ -33,6 +33,8 @@ import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.framework.config.Configurable;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.log4j.Logger;
 
 import com.cloud.configuration.Config;
 import com.cloud.domain.DomainVO;
@@ -91,9 +93,6 @@ import com.cloud.utils.db.TransactionCallbackWithException;
 import com.cloud.utils.db.TransactionStatus;
 import com.cloud.utils.exception.CloudRuntimeException;
 import com.cloud.utils.net.NetUtils;
-import java.lang.reflect.InvocationTargetException;
-import java.util.stream.Collectors;
-import org.apache.commons.collections.CollectionUtils;
 
 public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAccessVpnService, Configurable {
     private final static Logger s_logger = Logger.getLogger(RemoteAccessVpnManagerImpl.class);
@@ -138,6 +137,24 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
     int _pskLength;
     SearchBuilder<RemoteAccessVpnVO> VpnSearch;
 
+    private List<RemoteAccessVpnVO> getValidRemoteAccessVpnForAccount(long accountId) {
+        List<RemoteAccessVpnVO> vpns = _remoteAccessVpnDao.findByAccount(accountId);
+        if (CollectionUtils.isNotEmpty(vpns)) {
+            List<RemoteAccessVpnVO> validVpns = new ArrayList<>();
+            for (RemoteAccessVpnVO vpn : vpns) {
+                if (vpn.getNetworkId() != null) {
+                    Network network = _networkMgr.getNetwork(vpn.getNetworkId());
+                    if (!Network.State.Implemented.equals(network.getState())) {
+                        continue;
+                    }
+                }
+                validVpns.add(vpn);
+            }
+            vpns = validVpns;
+        }
+        return vpns;
+    }
+
     @Override
     @DB
     public RemoteAccessVpn createRemoteAccessVpn(final long publicIpId, String ipRange, boolean openFirewall, final Boolean forDisplay) throws NetworkRuleConflictException {
@@ -499,19 +516,36 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
         }
     }
 
+    @DB
+    private boolean removeVpnUserWithoutRemoteAccessVpn(long vpnOwnerId, String userName) {
+        VpnUserVO vpnUser = _vpnUsersDao.findByAccountAndUsername(vpnOwnerId, userName);
+        if (vpnUser == null) {
+            s_logger.error(String.format("VPN user not found with ownerId: %d and username: %s", vpnOwnerId, userName));
+            return false;
+        }
+        if (!State.Revoke.equals(vpnUser.getState())) {
+            s_logger.error(String.format("VPN user with ownerId: %d and username: %s is not in revoked state, current state: %s", vpnOwnerId, userName, vpnUser.getState()));
+            return false;
+        }
+        return _vpnUsersDao.remove(vpnUser.getId());
+    }
+
     @DB
     @Override
-    public boolean applyVpnUsers(long vpnOwnerId, String userName) throws  ResourceUnavailableException {
+    public boolean applyVpnUsers(long vpnOwnerId, String userName, boolean forRemove) throws  ResourceUnavailableException {
         Account caller = CallContext.current().getCallingAccount();
         Account owner = _accountDao.findById(vpnOwnerId);
         _accountMgr.checkAccess(caller, null, true, owner);
 
         s_logger.debug(String.format("Applying VPN users for %s.", owner.toString()));
-        List<RemoteAccessVpnVO> vpns = _remoteAccessVpnDao.findByAccount(vpnOwnerId);
+        List<RemoteAccessVpnVO> vpns = getValidRemoteAccessVpnForAccount(vpnOwnerId);
 
         if (CollectionUtils.isEmpty(vpns)) {
-            s_logger.debug(String.format("Unable to add VPN user due to there are no remote access VPNs configured on %s to apply VPN user.", owner.toString()));
-            return false;
+            if (forRemove) {
+                return removeVpnUserWithoutRemoteAccessVpn(vpnOwnerId, userName);
+            }
+            s_logger.warn(String.format("Unable to apply VPN user due to there are no remote access VPNs configured on %s to apply VPN user.", owner.toString()));
+            return true;
         }
 
         RemoteAccessVpnVO vpnTemp  = null;
@@ -597,6 +631,12 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
         return success;
     }
 
+    @DB
+    @Override
+    public boolean applyVpnUsers(long vpnOwnerId, String userName) throws  ResourceUnavailableException {
+        return applyVpnUsers(vpnOwnerId, userName, false);
+    }
+
     @Override
     public Pair<List<? extends VpnUser>, Integer> searchForVpnUsers(ListVpnUsersCmd cmd) {
         String username = cmd.getUsername();

From 4ffb949a584934cefe69b75905eec5961096f85a Mon Sep 17 00:00:00 2001
From: slavkap <51903378+slavkap@users.noreply.github.com>
Date: Thu, 10 Feb 2022 06:52:21 +0200
Subject: [PATCH 13/13] Fix of revert RBD snapshots (#5544)

* Fix of revert RBD snapshots

If snapshot is taken only on Primary storage with the option "snapshot.backup.to.secondary" set to true, when you set this option to false the revert will fail. Added check if the snapshot is not on Secondary to check for it on Primary

* Check if snapshot is on primary storage

Will check first if the snapshot is on Primary storage, if not will
return Image as data store

* Fix unit tests

* removed unused method's params

* Formatted error message and added the snapshot ID to it

* Return to the old logic, the fix will only apply to RBD

* Formatted Exception's messages
---
 .../storage/snapshot/SnapshotManagerImpl.java | 23 ++++++++-----------
 1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/server/src/main/java/com/cloud/storage/snapshot/SnapshotManagerImpl.java b/server/src/main/java/com/cloud/storage/snapshot/SnapshotManagerImpl.java
index d94811a53a3..ffa393bd866 100755
--- a/server/src/main/java/com/cloud/storage/snapshot/SnapshotManagerImpl.java
+++ b/server/src/main/java/com/cloud/storage/snapshot/SnapshotManagerImpl.java
@@ -308,11 +308,12 @@ public class SnapshotManagerImpl extends MutualExclusiveIdsManagerBase implement
             }
         }
 
-        DataStoreRole dataStoreRole = getDataStoreRole(snapshot, _snapshotStoreDao, dataStoreMgr);
+        DataStoreRole dataStoreRole = getDataStoreRole(snapshot);
 
         SnapshotInfo snapshotInfo = snapshotFactory.getSnapshot(snapshotId, dataStoreRole);
+
         if (snapshotInfo == null) {
-            throw new CloudRuntimeException("snapshot:" + snapshotId + " not exist in data store");
+            throw new CloudRuntimeException(String.format("snapshot %s [%s] does not exists in data store", snapshot.getName(), snapshot.getUuid()));
         }
 
         SnapshotStrategy snapshotStrategy = _storageStrategyFactory.getSnapshotStrategy(snapshot, SnapshotOperation.REVERT);
@@ -587,7 +588,7 @@ public class SnapshotManagerImpl extends MutualExclusiveIdsManagerBase implement
             return false;
         }
 
-        DataStoreRole dataStoreRole = getDataStoreRole(snapshotCheck, _snapshotStoreDao, dataStoreMgr);
+        DataStoreRole dataStoreRole = getDataStoreRole(snapshotCheck);
 
         SnapshotDataStoreVO snapshotStoreRef = _snapshotStoreDao.findBySnapshot(snapshotId, dataStoreRole);
 
@@ -1238,15 +1239,11 @@ public class SnapshotManagerImpl extends MutualExclusiveIdsManagerBase implement
             try {
                 postCreateSnapshot(volume.getId(), snapshotId, payload.getSnapshotPolicyId());
 
-                DataStoreRole dataStoreRole = getDataStoreRole(snapshot, _snapshotStoreDao, dataStoreMgr);
+                DataStoreRole dataStoreRole = getDataStoreRole(snapshot);
 
                 SnapshotDataStoreVO snapshotStoreRef = _snapshotStoreDao.findBySnapshot(snapshotId, dataStoreRole);
                 if (snapshotStoreRef == null) {
-                    // The snapshot was not backed up to secondary.  Find the snap on primary
-                    snapshotStoreRef = _snapshotStoreDao.findBySnapshot(snapshotId, DataStoreRole.Primary);
-                    if (snapshotStoreRef == null) {
-                        throw new CloudRuntimeException("Could not find snapshot");
-                    }
+                    throw new CloudRuntimeException(String.format("Could not find snapshot %s [%s] on [%s]", snapshot.getName(), snapshot.getUuid(), snapshot.getLocationType()));
                 }
                 UsageEventUtils.publishUsageEvent(EventTypes.EVENT_SNAPSHOT_CREATE, snapshot.getAccountId(), snapshot.getDataCenterId(), snapshotId, snapshot.getName(), null, null,
                         snapshotStoreRef.getPhysicalSize(), volume.getSize(), snapshot.getClass().getName(), snapshot.getUuid());
@@ -1332,8 +1329,8 @@ public class SnapshotManagerImpl extends MutualExclusiveIdsManagerBase implement
         }
     }
 
-    private DataStoreRole getDataStoreRole(Snapshot snapshot, SnapshotDataStoreDao snapshotStoreDao, DataStoreManager dataStoreMgr) {
-        SnapshotDataStoreVO snapshotStore = snapshotStoreDao.findBySnapshot(snapshot.getId(), DataStoreRole.Primary);
+    private DataStoreRole getDataStoreRole(Snapshot snapshot) {
+        SnapshotDataStoreVO snapshotStore = _snapshotStoreDao.findBySnapshot(snapshot.getId(), DataStoreRole.Primary);
 
         if (snapshotStore == null) {
             return DataStoreRole.Image;
@@ -1346,7 +1343,7 @@ public class SnapshotManagerImpl extends MutualExclusiveIdsManagerBase implement
 
         if (mapCapabilities != null) {
             String value = mapCapabilities.get(DataStoreCapabilities.STORAGE_SYSTEM_SNAPSHOT.toString());
-            Boolean supportsStorageSystemSnapshots = new Boolean(value);
+            Boolean supportsStorageSystemSnapshots = Boolean.valueOf(value);
 
             if (supportsStorageSystemSnapshots) {
                 return DataStoreRole.Primary;
@@ -1354,7 +1351,7 @@ public class SnapshotManagerImpl extends MutualExclusiveIdsManagerBase implement
         }
 
         StoragePoolVO storagePoolVO = _storagePoolDao.findById(storagePoolId);
-        if ((storagePoolVO.getPoolType() == StoragePoolType.RBD || storagePoolVO.getPoolType() == StoragePoolType.PowerFlex) && !BackupSnapshotAfterTakingSnapshot.value()) {
+        if (storagePoolVO.getPoolType() == StoragePoolType.RBD) {
             return DataStoreRole.Primary;
         }