Fix NPE with ApiKeyPair during listApis call (from cmk)

[sureshanaparti]

Description

This PR fixes NPE issue with ApiKeyPair during listApis call (from cmk).

(localcloud) 🐱 > sync
[debug] ExecLine line:sync
[debug] ExecCmd args: sync
[debug] NewAPIRequest API request URL:http://10.0.33.254:8080/client/api?apiKey=LIN6rqXuaJwMPfGYFh13qDwYz5VNNz1J2J6qIOWcd3oLQOq0WtD4CwRundBL6rzXToa3lQOC_vKjI3nkHtiD8Q&command=listApis&expires=2026-05-12T10%3A52%3A21Z&listall=true&response=json&signatureversion=3
[debug] Using HTTP POST for the request: http://10.0.33.254:8080/client/api
⣷ 😸 discovering APIs, please wait...[debug] NewAPIRequest response status code:401
[debug] Login POST URL:http://10.0.33.254:8080/client/apimap[command:[login] domain:[/] password:[password] response:[json] username:[admin]]
[debug] Login POST response status code:200
[debug] Login response body:{"loginresponse":{"username":"admin","userid":"0058d371-493c-11f1-8b72-1e00f0000291","domainid":"a728ab4b-493b-11f1-8b72-1e00f0000291","timeout":1800,"account":"admin","firstname":"admin","lastname":"cloud","type":"1","timezone":"UTC","timezoneoffset":"0.0","registered":"false","sessionkey":"WjoANDlHyxTdO9Aa_LXOa4rei34","is2faenabled":"false","is2faverified":"true","issuerfor2fa":"CloudStack","managementserverid":"c5a6dd86-fead-4397-8cf5-55250df33c24"}}
[debug] Login sessionkey:WjoANDlHyxTdO9Aa_LXOa4rei34
[debug] Checking if 2FA is enabled and verified for the user map[account:admin domainid:a728ab4b-493b-11f1-8b72-1e00f0000291 firstname:admin is2faenabled:false is2faverified:true issuerfor2fa:CloudStack lastname:cloud managementserverid:c5a6dd86-fead-4397-8cf5-55250df33c24 registered:false sessionkey:WjoANDlHyxTdO9Aa_LXOa4rei34 timeout:1800 timezone:UTC timezoneoffset:0.0 type:1 userid:0058d371-493c-11f1-8b72-1e00f0000291 username:admin]
[debug] 2FA is not enabled for the user, skipping 2FA validation
[debug] NewAPIRequest API request URL:http://10.0.33.254:8080/client/api?apiKey=LIN6rqXuaJwMPfGYFh13qDwYz5VNNz1J2J6qIOWcd3oLQOq0WtD4CwRundBL6rzXToa3lQOC_vKjI3nkHtiD8Q&command=listApis&expires=2026-05-12T10%3A52%3A21Z&listall=true&response=json&sessionkey=WjoANDlHyxTdO9Aa_LXOa4rei34&signature=9kJbbP3gtVaU2N6XZzKPmYRDYFE%3D&signatureversion=3
[debug] Using HTTP POST for the request: http://10.0.33.254:8080/client/api
[debug] NewAPIRequest response body:{"listapisresponse":{"uuidList":[],"errorcode":530,"cserrorcode":9999,"errortext":"Cannot invoke \"org.apache.cloudstack.acl.apikeypair.ApiKeyPair.getAccountId()\" because \"apiKeyPair\" is null"}}
🙈 Error: (HTTP 530, error code 9999) Cannot invoke "org.apache.cloudstack.acl.apikeypair.ApiKeyPair.getAccountId()" because "apiKeyPair" is null
(localcloud) 🐱 > 

2026-05-12 10:37:22,051 DEBUG [c.c.a.ApiServlet] (qtp253011924-24:[ctx-313ce9a0]) (logid:d4f7907a) ===START===  10.0.33.254 -- POST  
apiKey=LIN6rqXuaJwMPfGYFh13qDwYz5VNNz1J2J6qIOWcd3oLQOq0WtD4CwRundBL6rzXToa3lQOC_vKjI3nkHtiD8Q 
command=listApis 
expires=2026-05-12T10:52:21Z 
listall=true 
response=json 
sessionkey=WjoANDlHyxTdO9Aa_LXOa4rei34 
signature=9kJbbP3gtVaU2N6XZzKPmYRDYFE= 
signatureversion=3 

2026-05-12 10:37:22,054 DEBUG [c.c.a.ApiServer] (qtp253011924-24:[ctx-313ce9a0, ctx-e535ff0f]) (logid:d4f7907a) CIDRs from which account 'Account [{"accountName":"admin","id":2,"uuid":"00583461-493c-11f1-8b72-1e00f0000291"}]' is allowed to perform API calls: 0.0.0.0/0,::/0
2026-05-12 10:37:22,055 INFO  [o.a.c.a.DynamicRoleBasedAPIAccessChecker] (qtp253011924-24:[ctx-313ce9a0, ctx-e535ff0f]) (logid:d4f7907a) Account [Account [{"accountName":"admin","id":2,"uuid":"00583461-493c-11f1-8b72-1e00f0000291"}]] is Root Admin and there aren't any API key pair permissions involved, thus, all APIs are allowed.
2026-05-12 10:37:22,055 DEBUG [o.a.c.a.StaticRoleBasedAPIAccessChecker] (qtp253011924-24:[ctx-313ce9a0, ctx-e535ff0f]) (logid:d4f7907a) RoleService is enabled. We will use it instead of StaticRoleBasedAPIAccessChecker.
2026-05-12 10:37:22,055 DEBUG [o.a.c.r.ApiRateLimitServiceImpl] (qtp253011924-24:[ctx-313ce9a0, ctx-e535ff0f]) (logid:d4f7907a) API rate limiting is disabled. We will not use ApiRateLimitService.
2026-05-12 10:37:22,056 WARN  [c.c.a.d.ParamGenericValidationWorker] (qtp253011924-24:[ctx-313ce9a0, ctx-e535ff0f]) (logid:d4f7907a) Received unknown parameters for command listApis. Unknown parameters : listall
2026-05-12 10:37:22,059 ERROR [c.c.a.ApiServer] (qtp253011924-24:[ctx-313ce9a0, ctx-e535ff0f]) (logid:d4f7907a) unhandled exception executing api command: [Ljava.lang.String;@1e71e72d java.lang.NullPointerException: Cannot invoke "org.apache.cloudstack.acl.apikeypair.ApiKeyPair.getAccountId()" because "apiKeyPair" is null
	at com.cloud.user.AccountManagerImpl.getAllKeypairPermissions(AccountManagerImpl.java:3585)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:569)
	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
	at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:215)
	at jdk.proxy3/jdk.proxy3.$Proxy104.getAllKeypairPermissions(Unknown Source)
	at org.apache.cloudstack.discovery.ApiDiscoveryServiceImpl.listApisForKeyPair(ApiDiscoveryServiceImpl.java:357)
	at org.apache.cloudstack.discovery.ApiDiscoveryServiceImpl.listApis(ApiDiscoveryServiceImpl.java:283)
	at org.apache.cloudstack.api.command.user.discovery.ListApisCmd.execute(ListApisCmd.java:55)
	at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:173)
	at com.cloud.api.ApiServer.queueCommand(ApiServer.java:883)
	at com.cloud.api.ApiServer.handleRequest(ApiServer.java:697)
	at com.cloud.api.ApiServlet.processRequestInContext(ApiServlet.java:414)
	at com.cloud.api.ApiServlet$1.run(ApiServlet.java:191)

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• Build/CI
• Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

[sureshanaparti]

@KlausDornsbach can you review this.

[sureshanaparti]

@blueorangutan package

[blueorangutan]

@sureshanaparti a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[codecov]

Codecov Report

❌ Patch coverage is 9.09091% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 18.09%. Comparing base (5893ba5) to head (492b5d1).

Files with missing lines	Patch %	Lines
...c/main/java/com/cloud/user/AccountManagerImpl.java	9.09%	10 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #13149      +/-   ##
============================================
- Coverage     18.09%   18.09%   -0.01%     
  Complexity    16723    16723              
============================================
  Files          6037     6037              
  Lines        542580   542588       +8     
  Branches      66427    66430       +3     
============================================
+ Hits          98155    98156       +1     
- Misses       433399   433406       +7     
  Partials      11026    11026              

Flag	Coverage Δ
uitests	3.51% <ø> (ø)
unittests	19.25% <9.09%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17820

[winterhazel]

@KlausDornsbach can you review this.

@sureshanaparti, @KlausDornsbach is not active in the community anymore. I am asking @bernardodemarco to review this, as he was responsible for maintaning the keypairs PR.

[bernardodemarco]

@sureshanaparti, thanks for the PR! I'll try to review and test it during this week.