Address Copilot review feedback on NAS backup PR #12898

- nasbackup.sh: Replace exit 1 with return 1 in encrypt_backup and
  verify_backup so callers can run cleanup before terminating
- nasbackup.sh: Append (>>) instead of truncate (>) agent.log in
  qemu-img convert for stopped VM backups
- nasbackup.sh: Add return 1 after cleanup on qemu-img convert failure
  to stop execution
- nasbackup.sh: Callers of encrypt_backup/verify_backup now check
  return code and run cleanup on failure
- LibvirtTakeBackupCommandWrapper: Fail with error when encryption is
  enabled but passphrase is missing instead of silently skipping
- LibvirtTakeBackupCommandWrapper: Delete temp passphrase file in
  finally block, set 0600 permissions, use explicit UTF-8 charset
- NASBackupProvider: Throw CloudRuntimeException when encryption is
  enabled but passphrase is null/empty
- NASBackupProviderTest: Add tests for compression, bandwidth,
  integrity check, encryption+passphrase, and encryption-without-
  passphrase failure scenarios
- TakeBackupCommand: Add @loglevel(Off) to details field to prevent
  passphrase leaking in debug logs
- TakeBackupCommand: Normalize null to empty HashMap in setDetails

Author: jmsperu

core/src/main/java/org/apache/cloudstack/backup/TakeBackupCommand.java

@@ -37,6 +37,7 @@ public class TakeBackupCommand extends Command {
     private Boolean quiesce;
     @LogLevel(LogLevel.Log4jLevel.Off)
     private String mountOptions;
+    @LogLevel(LogLevel.Log4jLevel.Off)
     private Map<String, String> details = new HashMap<>();
 
     public TakeBackupCommand(String vmName, String backupPath) {
@@ -114,7 +115,7 @@ public Map<String, String> getDetails() {
     }
 
     public void setDetails(Map<String, String> details) {
-        this.details = details;
+        this.details = details != null ? details : new HashMap<>();
     }
 
     public void addDetail(String key, String value) {

plugins/backup/nas/src/main/java/org/apache/cloudstack/backup/NASBackupProvider.java

@@ -251,11 +251,12 @@ public Pair<Boolean, Backup> takeBackup(final VirtualMachine vm, Boolean quiesce
             command.addDetail("compression", "true");
         }
         if (Boolean.TRUE.equals(NASBackupEncryptionEnabled.valueIn(zoneId))) {
-            command.addDetail("encryption", "true");
             String passphrase = NASBackupEncryptionPassphrase.valueIn(zoneId);
-            if (passphrase != null && !passphrase.isEmpty()) {
-                command.addDetail("encryption_passphrase", passphrase);
+            if (passphrase == null || passphrase.isEmpty()) {
+                throw new CloudRuntimeException("NAS backup encryption is enabled but no passphrase is configured (nas.backup.encryption.passphrase)");
             }
+            command.addDetail("encryption", "true");
+            command.addDetail("encryption_passphrase", passphrase);
         }
         Integer bandwidthLimit = NASBackupBandwidthLimitMbps.valueIn(zoneId);
         if (bandwidthLimit != null && bandwidthLimit > 0) {

plugins/backup/nas/src/test/java/org/apache/cloudstack/backup/NASBackupProviderTest.java

@@ -19,14 +19,18 @@
 import static org.mockito.ArgumentMatchers.anyLong;
 import static org.mockito.Mockito.mock;
 
+import java.lang.reflect.Field;
 import java.util.Collections;
 import java.util.List;
+import java.util.Map;
 import java.util.Objects;
 import java.util.Optional;
 
+import org.apache.cloudstack.framework.config.ConfigKey;
 import org.junit.Assert;
 import org.junit.Test;
 import org.junit.runner.RunWith;
+import org.mockito.ArgumentCaptor;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.Mockito;
@@ -47,6 +51,7 @@
 import com.cloud.storage.VolumeVO;
 import com.cloud.storage.dao.VolumeDao;
 import com.cloud.utils.Pair;
+import com.cloud.utils.exception.CloudRuntimeException;
 import com.cloud.vm.VMInstanceVO;
 import com.cloud.vm.dao.VMInstanceDao;
 
@@ -349,4 +354,203 @@ public void testGetVMHypervisorHostFallbackToZoneWideKVMHost() {
         Mockito.verify(hostDao).findHypervisorHostInCluster(clusterId);
         Mockito.verify(resourceManager).findOneRandomRunningHostByHypervisor(Hypervisor.HypervisorType.KVM, zoneId);
     }
+
+    private void overrideConfigValue(final ConfigKey configKey, final Object value) {
+        try {
+            Field f = ConfigKey.class.getDeclaredField("_value");
+            f.setAccessible(true);
+            f.set(configKey, value);
+        } catch (IllegalAccessException | NoSuchFieldException e) {
+            Assert.fail(e.getMessage());
+        }
+    }
+
+    private VMInstanceVO setupVmForTakeBackup(Long vmId, Long hostId, Long backupOfferingId,
+            Long accountId, Long domainId, Long zoneId) {
+        VMInstanceVO vm = mock(VMInstanceVO.class);
+        Mockito.when(vm.getId()).thenReturn(vmId);
+        Mockito.when(vm.getHostId()).thenReturn(hostId);
+        Mockito.when(vm.getInstanceName()).thenReturn("test-vm");
+        Mockito.when(vm.getBackupOfferingId()).thenReturn(backupOfferingId);
+        Mockito.when(vm.getAccountId()).thenReturn(accountId);
+        Mockito.when(vm.getDomainId()).thenReturn(domainId);
+        Mockito.when(vm.getDataCenterId()).thenReturn(zoneId);
+        Mockito.when(vm.getState()).thenReturn(VMInstanceVO.State.Running);
+        return vm;
+    }
+
+    private void setupHostAndRepo(Long hostId, Long backupOfferingId) {
+        BackupRepository backupRepository = mock(BackupRepository.class);
+        Mockito.when(backupRepository.getType()).thenReturn("nfs");
+        Mockito.when(backupRepository.getAddress()).thenReturn("address");
+        Mockito.when(backupRepository.getMountOptions()).thenReturn("sync");
+        Mockito.when(backupRepositoryDao.findByBackupOfferingId(backupOfferingId)).thenReturn(backupRepository);
+
+        HostVO host = mock(HostVO.class);
+        Mockito.when(host.getId()).thenReturn(hostId);
+        Mockito.when(host.getStatus()).thenReturn(Status.Up);
+        Mockito.when(host.getHypervisorType()).thenReturn(Hypervisor.HypervisorType.KVM);
+        Mockito.when(hostDao.findById(hostId)).thenReturn(host);
+    }
+
+    @Test
+    public void testTakeBackupDetailsCompressionEnabled() throws AgentUnavailableException, OperationTimedoutException {
+        Long vmId = 1L; Long hostId = 2L; Long backupOfferingId = 3L;
+        Long accountId = 4L; Long domainId = 5L; Long zoneId = 6L;
+
+        VMInstanceVO vm = setupVmForTakeBackup(vmId, hostId, backupOfferingId, accountId, domainId, zoneId);
+        setupHostAndRepo(hostId, backupOfferingId);
+
+        VolumeVO volume = mock(VolumeVO.class);
+        Mockito.when(volume.getState()).thenReturn(Volume.State.Ready);
+        Mockito.when(volume.getSize()).thenReturn(100L);
+        Mockito.when(volumeDao.findByInstance(vmId)).thenReturn(List.of(volume));
+
+        overrideConfigValue(nasBackupProvider.NASBackupCompressionEnabled, "true");
+
+        BackupAnswer answer = mock(BackupAnswer.class);
+        Mockito.when(answer.getResult()).thenReturn(true);
+        Mockito.when(answer.getSize()).thenReturn(100L);
+
+        ArgumentCaptor<TakeBackupCommand> cmdCaptor = ArgumentCaptor.forClass(TakeBackupCommand.class);
+        Mockito.when(agentManager.send(anyLong(), cmdCaptor.capture())).thenReturn(answer);
+        Mockito.when(backupDao.persist(Mockito.any(BackupVO.class))).thenAnswer(invocation -> invocation.getArgument(0));
+        Mockito.when(backupDao.update(Mockito.anyLong(), Mockito.any(BackupVO.class))).thenReturn(true);
+
+        nasBackupProvider.takeBackup(vm, false);
+
+        TakeBackupCommand capturedCmd = cmdCaptor.getValue();
+        Map<String, String> details = capturedCmd.getDetails();
+        Assert.assertEquals("true", details.get("compression"));
+
+        // Reset config
+        overrideConfigValue(nasBackupProvider.NASBackupCompressionEnabled, "false");
+    }
+
+    @Test
+    public void testTakeBackupDetailsBandwidthLimit() throws AgentUnavailableException, OperationTimedoutException {
+        Long vmId = 1L; Long hostId = 2L; Long backupOfferingId = 3L;
+        Long accountId = 4L; Long domainId = 5L; Long zoneId = 6L;
+
+        VMInstanceVO vm = setupVmForTakeBackup(vmId, hostId, backupOfferingId, accountId, domainId, zoneId);
+        setupHostAndRepo(hostId, backupOfferingId);
+
+        VolumeVO volume = mock(VolumeVO.class);
+        Mockito.when(volume.getState()).thenReturn(Volume.State.Ready);
+        Mockito.when(volume.getSize()).thenReturn(100L);
+        Mockito.when(volumeDao.findByInstance(vmId)).thenReturn(List.of(volume));
+
+        overrideConfigValue(nasBackupProvider.NASBackupBandwidthLimitMbps, "50");
+
+        BackupAnswer answer = mock(BackupAnswer.class);
+        Mockito.when(answer.getResult()).thenReturn(true);
+        Mockito.when(answer.getSize()).thenReturn(100L);
+
+        ArgumentCaptor<TakeBackupCommand> cmdCaptor = ArgumentCaptor.forClass(TakeBackupCommand.class);
+        Mockito.when(agentManager.send(anyLong(), cmdCaptor.capture())).thenReturn(answer);
+        Mockito.when(backupDao.persist(Mockito.any(BackupVO.class))).thenAnswer(invocation -> invocation.getArgument(0));
+        Mockito.when(backupDao.update(Mockito.anyLong(), Mockito.any(BackupVO.class))).thenReturn(true);
+
+        nasBackupProvider.takeBackup(vm, false);
+
+        TakeBackupCommand capturedCmd = cmdCaptor.getValue();
+        Map<String, String> details = capturedCmd.getDetails();
+        Assert.assertEquals("50", details.get("bandwidth_limit"));
+
+        overrideConfigValue(nasBackupProvider.NASBackupBandwidthLimitMbps, "0");
+    }
+
+    @Test
+    public void testTakeBackupDetailsIntegrityCheck() throws AgentUnavailableException, OperationTimedoutException {
+        Long vmId = 1L; Long hostId = 2L; Long backupOfferingId = 3L;
+        Long accountId = 4L; Long domainId = 5L; Long zoneId = 6L;
+
+        VMInstanceVO vm = setupVmForTakeBackup(vmId, hostId, backupOfferingId, accountId, domainId, zoneId);
+        setupHostAndRepo(hostId, backupOfferingId);
+
+        VolumeVO volume = mock(VolumeVO.class);
+        Mockito.when(volume.getState()).thenReturn(Volume.State.Ready);
+        Mockito.when(volume.getSize()).thenReturn(100L);
+        Mockito.when(volumeDao.findByInstance(vmId)).thenReturn(List.of(volume));
+
+        overrideConfigValue(nasBackupProvider.NASBackupIntegrityCheckEnabled, "true");
+
+        BackupAnswer answer = mock(BackupAnswer.class);
+        Mockito.when(answer.getResult()).thenReturn(true);
+        Mockito.when(answer.getSize()).thenReturn(100L);
+
+        ArgumentCaptor<TakeBackupCommand> cmdCaptor = ArgumentCaptor.forClass(TakeBackupCommand.class);
+        Mockito.when(agentManager.send(anyLong(), cmdCaptor.capture())).thenReturn(answer);
+        Mockito.when(backupDao.persist(Mockito.any(BackupVO.class))).thenAnswer(invocation -> invocation.getArgument(0));
+        Mockito.when(backupDao.update(Mockito.anyLong(), Mockito.any(BackupVO.class))).thenReturn(true);
+
+        nasBackupProvider.takeBackup(vm, false);
+
+        TakeBackupCommand capturedCmd = cmdCaptor.getValue();
+        Map<String, String> details = capturedCmd.getDetails();
+        Assert.assertEquals("true", details.get("integrity_check"));
+
+        overrideConfigValue(nasBackupProvider.NASBackupIntegrityCheckEnabled, "false");
+    }
+
+    @Test
+    public void testTakeBackupDetailsEncryptionWithPassphrase() throws AgentUnavailableException, OperationTimedoutException {
+        Long vmId = 1L; Long hostId = 2L; Long backupOfferingId = 3L;
+        Long accountId = 4L; Long domainId = 5L; Long zoneId = 6L;
+
+        VMInstanceVO vm = setupVmForTakeBackup(vmId, hostId, backupOfferingId, accountId, domainId, zoneId);
+        setupHostAndRepo(hostId, backupOfferingId);
+
+        VolumeVO volume = mock(VolumeVO.class);
+        Mockito.when(volume.getState()).thenReturn(Volume.State.Ready);
+        Mockito.when(volume.getSize()).thenReturn(100L);
+        Mockito.when(volumeDao.findByInstance(vmId)).thenReturn(List.of(volume));
+
+        overrideConfigValue(nasBackupProvider.NASBackupEncryptionEnabled, "true");
+        overrideConfigValue(nasBackupProvider.NASBackupEncryptionPassphrase, "my-secret-passphrase");
+
+        BackupAnswer answer = mock(BackupAnswer.class);
+        Mockito.when(answer.getResult()).thenReturn(true);
+        Mockito.when(answer.getSize()).thenReturn(100L);
+
+        ArgumentCaptor<TakeBackupCommand> cmdCaptor = ArgumentCaptor.forClass(TakeBackupCommand.class);
+        Mockito.when(agentManager.send(anyLong(), cmdCaptor.capture())).thenReturn(answer);
+        Mockito.when(backupDao.persist(Mockito.any(BackupVO.class))).thenAnswer(invocation -> invocation.getArgument(0));
+        Mockito.when(backupDao.update(Mockito.anyLong(), Mockito.any(BackupVO.class))).thenReturn(true);
+
+        nasBackupProvider.takeBackup(vm, false);
+
+        TakeBackupCommand capturedCmd = cmdCaptor.getValue();
+        Map<String, String> details = capturedCmd.getDetails();
+        Assert.assertEquals("true", details.get("encryption"));
+        Assert.assertEquals("my-secret-passphrase", details.get("encryption_passphrase"));
+
+        overrideConfigValue(nasBackupProvider.NASBackupEncryptionEnabled, "false");
+        overrideConfigValue(nasBackupProvider.NASBackupEncryptionPassphrase, "");
+    }
+
+    @Test(expected = CloudRuntimeException.class)
+    public void testTakeBackupEncryptionWithoutPassphraseThrows() throws AgentUnavailableException, OperationTimedoutException {
+        Long vmId = 1L; Long hostId = 2L; Long backupOfferingId = 3L;
+        Long accountId = 4L; Long domainId = 5L; Long zoneId = 6L;
+
+        VMInstanceVO vm = setupVmForTakeBackup(vmId, hostId, backupOfferingId, accountId, domainId, zoneId);
+        setupHostAndRepo(hostId, backupOfferingId);
+
+        VolumeVO volume = mock(VolumeVO.class);
+        Mockito.when(volume.getState()).thenReturn(Volume.State.Ready);
+        Mockito.when(volume.getSize()).thenReturn(100L);
+        Mockito.when(volumeDao.findByInstance(vmId)).thenReturn(List.of(volume));
+
+        overrideConfigValue(nasBackupProvider.NASBackupEncryptionEnabled, "true");
+        overrideConfigValue(nasBackupProvider.NASBackupEncryptionPassphrase, "");
+
+        Mockito.when(backupDao.persist(Mockito.any(BackupVO.class))).thenAnswer(invocation -> invocation.getArgument(0));
+
+        try {
+            nasBackupProvider.takeBackup(vm, false);
+        } finally {
+            overrideConfigValue(nasBackupProvider.NASBackupEncryptionEnabled, "false");
+        }
+    }
 }

plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtTakeBackupCommandWrapper.java

@@ -35,10 +35,16 @@
 import org.apache.cloudstack.storage.to.PrimaryDataStoreTO;
 
 import java.io.File;
-import java.io.FileWriter;
 import java.io.IOException;
+import java.io.OutputStreamWriter;
+import java.io.FileOutputStream;
+import java.io.Writer;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.attribute.PosixFilePermission;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.EnumSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
@@ -92,18 +98,24 @@ public Answer execute(TakeBackupCommand command, LibvirtComputingResource libvir
             }
             if ("true".equals(details.get("encryption"))) {
                 String passphrase = details.get("encryption_passphrase");
-                if (passphrase != null && !passphrase.isEmpty()) {
-                    try {
-                        passphraseFile = File.createTempFile("cs-backup-enc-", ".key");
-                        passphraseFile.deleteOnExit();
-                        try (FileWriter fw = new FileWriter(passphraseFile)) {
-                            fw.write(passphrase);
-                        }
-                        cmdArgs.add("-e"); cmdArgs.add(passphraseFile.getAbsolutePath());
-                    } catch (IOException e) {
-                        logger.error("Failed to create encryption passphrase file", e);
-                        return new BackupAnswer(command, false, "Failed to create encryption passphrase file: " + e.getMessage());
+                if (passphrase == null || passphrase.isEmpty()) {
+                    return new BackupAnswer(command, false, "Encryption is enabled but no passphrase was provided");
+                }
+                try {
+                    passphraseFile = File.createTempFile("cs-backup-enc-", ".key");
+                    passphraseFile.deleteOnExit();
+                    Files.setPosixFilePermissions(passphraseFile.toPath(),
+                            EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
+                    try (Writer fw = new OutputStreamWriter(new FileOutputStream(passphraseFile), StandardCharsets.UTF_8)) {
+                        fw.write(passphrase);
+                    }
+                    cmdArgs.add("-e"); cmdArgs.add(passphraseFile.getAbsolutePath());
+                } catch (IOException e) {
+                    logger.error("Failed to create encryption passphrase file", e);
+                    if (passphraseFile != null && passphraseFile.exists()) {
+                        passphraseFile.delete();
                     }
+                    return new BackupAnswer(command, false, "Failed to create encryption passphrase file: " + e.getMessage());
                 }
             }
             String bwLimit = details.get("bandwidth_limit");
@@ -118,11 +130,14 @@ public Answer execute(TakeBackupCommand command, LibvirtComputingResource libvir
         List<String[]> commands = new ArrayList<>();
         commands.add(cmdArgs.toArray(new String[0]));
 
-        Pair<Integer, String> result = Script.executePipedCommands(commands, libvirtComputingResource.getCmdsTimeout());
-
-        // Clean up passphrase file after backup completes
-        if (passphraseFile != null && passphraseFile.exists()) {
-            passphraseFile.delete();
+        Pair<Integer, String> result;
+        try {
+            result = Script.executePipedCommands(commands, libvirtComputingResource.getCmdsTimeout());
+        } finally {
+            // Clean up passphrase file after backup completes
+            if (passphraseFile != null && passphraseFile.exists()) {
+                passphraseFile.delete();
+            }
         }
 
         if (result.first() != 0) {