prevent domain deletion in case any vm is deletion protected under it

Author: sudo87

engine/schema/src/main/java/com/cloud/vm/dao/VMInstanceDao.java

@@ -194,4 +194,6 @@ List<VMInstanceVO> searchRemovedByRemoveDate(final Date startDate, final Date en
     List<VMInstanceVO> listByIdsIncludingRemoved(List<Long> ids);
 
     List<VMInstanceVO> listDeleteProtectedVmsByAccountId(long accountId);
+
+    List<VMInstanceVO> listDeleteProtectedVmsByDomainIds(List<Long> domainIds);
 }

engine/schema/src/main/java/com/cloud/vm/dao/VMInstanceDaoImpl.java

@@ -107,7 +107,8 @@ public class VMInstanceDaoImpl extends GenericDaoBase<VMInstanceVO, Long> implem
     protected SearchBuilder<VMInstanceVO> IdsPowerStateSelectSearch;
     GenericSearchBuilder<VMInstanceVO, Integer> CountByOfferingId;
     GenericSearchBuilder<VMInstanceVO, Integer> CountUserVmNotInDomain;
-    SearchBuilder<VMInstanceVO> DeleteProtectedVmSearch;
+    SearchBuilder<VMInstanceVO> DeleteProtectedVmSearchByAccount;
+    SearchBuilder<VMInstanceVO> DeleteProtectedVmSearchByDomainIds;
 
     @Inject
     ResourceTagDao tagsDao;
@@ -370,12 +371,19 @@ protected void init() {
         CountUserVmNotInDomain.and("domainIdsNotIn", CountUserVmNotInDomain.entity().getDomainId(), Op.NIN);
         CountUserVmNotInDomain.done();
 
-        DeleteProtectedVmSearch = createSearchBuilder();
-        DeleteProtectedVmSearch.selectFields(DeleteProtectedVmSearch.entity().getUuid());
-        DeleteProtectedVmSearch.and(ApiConstants.ACCOUNT_ID, DeleteProtectedVmSearch.entity().getAccountId(), Op.EQ);
-        DeleteProtectedVmSearch.and(ApiConstants.DELETE_PROTECTION, DeleteProtectedVmSearch.entity().isDeleteProtection(), Op.EQ);
-        DeleteProtectedVmSearch.and(ApiConstants.REMOVED, DeleteProtectedVmSearch.entity().getRemoved(), Op.NULL);
-        DeleteProtectedVmSearch.done();
+        DeleteProtectedVmSearchByAccount = createSearchBuilder();
+        DeleteProtectedVmSearchByAccount.selectFields(DeleteProtectedVmSearchByAccount.entity().getUuid());
+        DeleteProtectedVmSearchByAccount.and(ApiConstants.ACCOUNT_ID, DeleteProtectedVmSearchByAccount.entity().getAccountId(), Op.EQ);
+        DeleteProtectedVmSearchByAccount.and(ApiConstants.DELETE_PROTECTION, DeleteProtectedVmSearchByAccount.entity().isDeleteProtection(), Op.EQ);
+        DeleteProtectedVmSearchByAccount.and(ApiConstants.REMOVED, DeleteProtectedVmSearchByAccount.entity().getRemoved(), Op.NULL);
+        DeleteProtectedVmSearchByAccount.done();
+
+        DeleteProtectedVmSearchByDomainIds = createSearchBuilder();
+        DeleteProtectedVmSearchByDomainIds.selectFields(DeleteProtectedVmSearchByDomainIds.entity().getUuid());
+        DeleteProtectedVmSearchByDomainIds.and(ApiConstants.DOMAIN_IDS, DeleteProtectedVmSearchByDomainIds.entity().getDomainId(), Op.IN);
+        DeleteProtectedVmSearchByDomainIds.and(ApiConstants.DELETE_PROTECTION, DeleteProtectedVmSearchByDomainIds.entity().isDeleteProtection(), Op.EQ);
+        DeleteProtectedVmSearchByDomainIds.and(ApiConstants.REMOVED, DeleteProtectedVmSearchByDomainIds.entity().getRemoved(), Op.NULL);
+        DeleteProtectedVmSearchByDomainIds.done();
     }
 
     @Override
@@ -1307,9 +1315,17 @@ public List<VMInstanceVO> listByIdsIncludingRemoved(List<Long> ids) {
 
     @Override
     public List<VMInstanceVO> listDeleteProtectedVmsByAccountId(long accountId)  {
-        SearchCriteria<VMInstanceVO> sc = DeleteProtectedVmSearch.create();
+        SearchCriteria<VMInstanceVO> sc = DeleteProtectedVmSearchByAccount.create();
         sc.setParameters(ApiConstants.ACCOUNT_ID, accountId);
         sc.setParameters(ApiConstants.DELETE_PROTECTION, true);
         return listBy(sc);
     }
+
+    @Override
+    public List<VMInstanceVO> listDeleteProtectedVmsByDomainIds(List<Long> domainIds)  {
+        SearchCriteria<VMInstanceVO> sc = DeleteProtectedVmSearchByDomainIds.create();
+        sc.setParameters(ApiConstants.DOMAIN_IDS, domainIds);
+        sc.setParameters(ApiConstants.DELETE_PROTECTION, true);
+        return listBy(sc);
+    }
 }

server/src/main/java/com/cloud/user/AccountManagerImpl.java

@@ -2097,7 +2097,7 @@ public boolean deleteUserAccount(long accountId) {
             return true;
         }
 
-        validateNoDeleteProtectedVms(account);
+        validateNoDeleteProtectedVmsForAccount(account);
         checkIfAccountManagesProjects(accountId);
         verifyCallerPrivilegeForUserOrAccountOperations(account);
 
@@ -2139,7 +2139,7 @@ protected boolean isDeleteNeeded(AccountVO account, long accountId, Account call
         return true;
     }
 
-    private void validateNoDeleteProtectedVms(Account account) {
+    private void validateNoDeleteProtectedVmsForAccount(Account account) {
         long accountId = account.getId();
         List<VMInstanceVO> deleteProtectedVms = _vmDao.listDeleteProtectedVmsByAccountId(accountId);
         if (deleteProtectedVms.isEmpty()) {
@@ -2148,8 +2148,7 @@ private void validateNoDeleteProtectedVms(Account account) {
 
         if (logger.isDebugEnabled()) {
             List<String> vmUuids = deleteProtectedVms.stream().map(VMInstanceVO::getUuid).collect(Collectors.toList());
-            logger.debug("Cannot delete Account {} (id={}), delete protection enabled for Instances: {}",
-                    account.getAccountName(), accountId, vmUuids);
+            logger.debug("Cannot delete Account {}, delete protection enabled for Instances: {}", account, vmUuids);
         }
 
         throw new InvalidParameterValueException(

server/src/main/java/com/cloud/user/DomainManagerImpl.java

@@ -25,6 +25,7 @@
 import java.util.UUID;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import java.util.stream.Collectors;
 
 import javax.inject.Inject;
 
@@ -104,6 +105,7 @@
 import com.cloud.utils.net.NetUtils;
 import com.cloud.vm.ReservationContext;
 import com.cloud.vm.ReservationContextImpl;
+import com.cloud.vm.VMInstanceVO;
 import com.cloud.vm.dao.VMInstanceDao;
 
 import org.apache.commons.lang3.StringUtils;
@@ -629,6 +631,9 @@ protected boolean cleanupDomain(Long domainId, Long ownerId) throws ConcurrentOp
             sc.addAnd("parent", SearchCriteria.Op.EQ, domainId);
             List<DomainVO> domains = _domainDao.search(sc, null);
 
+            List<Long> domainIds = domains.stream().map(Domain::getId).collect(Collectors.toList());
+            validateNoDeleteProtectedVmsForDomainIds(domainHandle, domainIds);
+
             SearchCriteria<DomainVO> sc1 = _domainDao.createSearchCriteria();
             sc1.addAnd("path", SearchCriteria.Op.LIKE, "%" + "replace(" + domainHandle.getPath() + ", '%', '[%]')" + "%");
             List<DomainVO> domainsToBeInactivated = _domainDao.search(sc1, null);
@@ -724,6 +729,22 @@ protected boolean cleanupDomain(Long domainId, Long ownerId) throws ConcurrentOp
         return success && deleteDomainSuccess;
     }
 
+    private void validateNoDeleteProtectedVmsForDomainIds(Domain domainHandle, List<Long> domainIds) {
+        List<VMInstanceVO> deleteProtectedVms = vmInstanceDao.listDeleteProtectedVmsByDomainIds(domainIds);
+        if (deleteProtectedVms.isEmpty()) {
+            return;
+        }
+
+        if (logger.isDebugEnabled()) {
+            List<String> vmUuids = deleteProtectedVms.stream().map(VMInstanceVO::getUuid).collect(Collectors.toList());
+            logger.debug("Cannot delete Domain {}, it has delete protection enabled for Instances: {}", domainHandle, vmUuids);
+        }
+
+        throw new InvalidParameterValueException(
+                String.format("Cannot delete Domain '%s'. One or more Instances have delete protection enabled.",
+                        domainHandle.getName()));
+    }
+
     @Override
     public Pair<List<? extends Domain>, Integer> searchForDomains(ListDomainsCmd cmd) {
         Account caller = getCaller();