fix marvin tests

vishesh92 · vishesh92 · commit 294ca3b44952 · 2026-06-08T14:08:02.000+05:30
diff --git a/server/src/main/java/org/apache/cloudstack/kms/KMSManagerImpl.java b/server/src/main/java/org/apache/cloudstack/kms/KMSManagerImpl.java
@@ -1235,8 +1235,9 @@ public boolean deleteHSMProfile(DeleteHSMProfileCmd cmd) throws KMSException {
         Account caller = CallContext.current().getCallingAccount();
         checkHSMProfileAccess(caller, profile, true);
 
-        if (profile.getProtocol().equals(DATABASE_PROVIDER_NAME)) {
-            throw new InvalidParameterValueException("Database HSM profile is default and cannot be deleted");
+        if (profile.getProtocol().equals(DATABASE_PROVIDER_NAME)
+                && profile.getAccountId() == Account.ACCOUNT_ID_SYSTEM) {
+            throw new InvalidParameterValueException("Default database HSM profile cannot be deleted");
         }
 
         long keyCount = kmsKeyDao.countByHsmProfileId(profile.getId());
diff --git a/server/src/test/java/org/apache/cloudstack/kms/KMSManagerImplHSMTest.java b/server/src/test/java/org/apache/cloudstack/kms/KMSManagerImplHSMTest.java
@@ -20,11 +20,19 @@
 import com.cloud.api.ApiResponseHelper;
 import com.cloud.dc.dao.DataCenterDao;
 import com.cloud.domain.dao.DomainDao;
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.user.Account;
 import com.cloud.user.AccountManager;
 import com.cloud.user.dao.AccountDao;
+import org.apache.cloudstack.api.command.user.kms.hsm.DeleteHSMProfileCmd;
 import org.apache.cloudstack.api.response.HSMProfileResponse;
+import org.apache.cloudstack.context.CallContext;
+import org.apache.cloudstack.framework.kms.KMSProvider;
 import org.apache.cloudstack.kms.dao.HSMProfileDao;
 import org.apache.cloudstack.kms.dao.HSMProfileDetailsDao;
+import org.apache.cloudstack.kms.dao.KMSKekVersionDao;
+import org.apache.cloudstack.kms.dao.KMSKeyDao;
+import org.apache.cloudstack.kms.dao.KMSWrappedKeyDao;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.InjectMocks;
@@ -35,10 +43,12 @@
 import org.mockito.junit.MockitoJUnitRunner;
 
 import java.util.Arrays;
+import java.util.Collections;
 
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
@@ -66,6 +76,12 @@ public class KMSManagerImplHSMTest {
     private DomainDao domainDao;
     @Mock
     private AccountDao accountDao;
+    @Mock
+    private KMSKeyDao kmsKeyDao;
+    @Mock
+    private KMSKekVersionDao kmsKekVersionDao;
+    @Mock
+    private KMSWrappedKeyDao kmsWrappedKeyDao;
 
     /**
      * Test: isSensitiveKey correctly identifies "pin" as sensitive
@@ -157,4 +173,70 @@ public void testCreateHSMProfileResponse_PopulatesDetails() {
             verify(hsmProfileDetailsDao).listByProfileId(profileId);
         }
     }
+
+    /**
+     * Test: the seeded default (system-owned) database profile cannot be deleted.
+     */
+    @Test(expected = InvalidParameterValueException.class)
+    public void testDeleteHSMProfile_RejectsSystemOwnedDatabaseProfile() {
+        Long profileId = 10L;
+        HSMProfileVO profile = mock(HSMProfileVO.class);
+        when(profile.getProtocol()).thenReturn("database");
+        when(profile.getAccountId()).thenReturn(Account.ACCOUNT_ID_SYSTEM);
+        when(profile.getIsPublic()).thenReturn(true);
+        when(hsmProfileDao.findById(profileId)).thenReturn(profile);
+
+        Account caller = mock(Account.class);
+        when(caller.getId()).thenReturn(2L);
+        when(accountManager.isRootAdmin(2L)).thenReturn(true);
+
+        DeleteHSMProfileCmd cmd = mock(DeleteHSMProfileCmd.class);
+        when(cmd.getId()).thenReturn(profileId);
+
+        try (MockedStatic<CallContext> mockedCallContext = Mockito.mockStatic(CallContext.class)) {
+            CallContext callContext = mock(CallContext.class);
+            mockedCallContext.when(CallContext::current).thenReturn(callContext);
+            when(callContext.getCallingAccount()).thenReturn(caller);
+
+            kmsManager.deleteHSMProfile(cmd);
+        }
+    }
+
+    /**
+     * Test: an admin-created (non-system) database profile with no keys can be deleted.
+     */
+    @Test
+    public void testDeleteHSMProfile_AllowsAdminOwnedDatabaseProfile() {
+        Long profileId = 10L;
+        HSMProfileVO profile = mock(HSMProfileVO.class);
+        when(profile.getId()).thenReturn(profileId);
+        when(profile.getProtocol()).thenReturn("database");
+        when(profile.getAccountId()).thenReturn(200L);
+        when(profile.getIsPublic()).thenReturn(false);
+        when(hsmProfileDao.findById(profileId)).thenReturn(profile);
+
+        when(kmsKeyDao.countByHsmProfileId(profileId)).thenReturn(0L);
+        when(kmsKekVersionDao.listByHsmProfileId(profileId)).thenReturn(Collections.emptyList());
+
+        KMSProvider kmsProvider = mock(KMSProvider.class);
+        doReturn(kmsProvider).when(kmsManager).getKMSProvider("database");
+        when(hsmProfileDao.remove(profileId)).thenReturn(true);
+
+        Account caller = mock(Account.class);
+
+        DeleteHSMProfileCmd cmd = mock(DeleteHSMProfileCmd.class);
+        when(cmd.getId()).thenReturn(profileId);
+
+        try (MockedStatic<CallContext> mockedCallContext = Mockito.mockStatic(CallContext.class)) {
+            CallContext callContext = mock(CallContext.class);
+            mockedCallContext.when(CallContext::current).thenReturn(callContext);
+            when(callContext.getCallingAccount()).thenReturn(caller);
+
+            boolean result = kmsManager.deleteHSMProfile(cmd);
+
+            assertTrue("Admin-owned database profile should be deletable", result);
+            verify(kmsProvider).invalidateProfileCache(profileId);
+            verify(hsmProfileDao).remove(profileId);
+        }
+    }
 }
diff --git a/test/integration/smoke/test_kms_lifecycle.py b/test/integration/smoke/test_kms_lifecycle.py
@@ -68,17 +68,27 @@ def setUpClass(cls):
 
         cls._cleanup = []
 
-        cls.default_profile = None
-        profiles = HSMProfile.list(cls.apiclient, name="HSM Database Provider")
-        if profiles and len(profiles) > 0:
-            cls.default_profile = profiles[0]
-            if hasattr(cls.default_profile, 'enabled') and not cls.default_profile.enabled:
-                hsm = HSMProfile({"id": cls.default_profile.id})
-                hsm.update(cls.apiclient, enabled=True)
+        # The built-in database provider is seeded as a public, system-owned profile named
+        # "HSM Database Provider". listHSMProfiles has no server-side name filter, and a root
+        # admin's listing without listall is restricted to admin-owned profiles, so we must
+        # pass listall=True and match the name client-side.
+        cls.default_profile = cls._find_default_profile(cls.apiclient)
+        if cls.default_profile and not cls.default_profile.enabled:
+            hsm = HSMProfile({"id": cls.default_profile.id})
+            hsm.update(cls.apiclient, enabled=True)
             # Re-fetch to get updated state
-            profiles = HSMProfile.list(cls.apiclient, name="HSM Database Provider")
-            if profiles and len(profiles) > 0:
-                cls.default_profile = profiles[0]
+            cls.default_profile = cls._find_default_profile(cls.apiclient)
+
+    @staticmethod
+    def _find_default_profile(apiclient):
+        """Locate the seeded public 'HSM Database Provider' profile."""
+        profiles = HSMProfile.list(
+            apiclient, listall=True, keyword="HSM Database Provider"
+        ) or []
+        for profile in profiles:
+            if profile.name == "HSM Database Provider":
+                return profile
+        return None
 
 
     @classmethod
@@ -139,13 +149,12 @@ def _create_kms_key(self, name, profile_id, apiclient=None, zoneid=None, purpose
         self.cleanup.append(key)
         return key
 
-    def _create_hsm_profile(self, name, protocol="database", system=True, zoneid=None):
+    def _create_hsm_profile(self, name, protocol="database", zoneid=None):
         zone_id = zoneid or self.zone.id
         profile = HSMProfile.create(
             self.apiclient,
             name=name,
             protocol=protocol,
-            system=system,
             zoneid=zone_id,
         )
         self.cleanup.append(profile)
@@ -344,6 +353,7 @@ def test_09_delete_kms_key(self):
         key = self._create_kms_key(name=_random_name("key-del"), profile_id=profile.id)
 
         key.delete(self.apiclient)
+        self.cleanup.remove(key)
 
         # Verify the key no longer appears in listings
         keys = KMSKey.list(self.apiclient, id=key.id)
@@ -480,6 +490,7 @@ def test_13_delete_hsm_profile(self):
         profile = self._create_hsm_profile(name=_random_name("hsm-gone"))
 
         profile.delete(self.apiclient)
+        self.cleanup.remove(profile)
 
         profiles = HSMProfile.list(self.apiclient, id=profile.id)
         self.assertTrue(
