From ebc79b2ed5b7b4bb2e8eb1d43d8710aa654b3421 Mon Sep 17 00:00:00 2001 From: ajay_dp001 Date: Tue, 14 Apr 2020 13:07:48 +0530 Subject: E2E Integration Test for NETCONF/TLS Configuration in SDNC. Story intended to capture needed updates to E2E Integration Test for NETCONF/TLS Configuration. Involve updates to the PNF simulator. Issue-ID: INT-1295 Signed-off-by: ajay_dp001 Change-Id: Ie08fe9618a9a0522e00fe0af8d13ab48b0634a70 --- .../sdnc_netconf_tls_post_deploy/certs/Makefile | 110 +++ .../certs/certs.properties | 2 - .../sdnc_netconf_tls_post_deploy/certs/keys0.zip | Bin 5057 -> 0 bytes .../sdnc_netconf_tls_post_deploy/sdnc-csit.env | 16 + plans/sdnc/sdnc_netconf_tls_post_deploy/setup.sh | 249 +++--- .../sdnc/sdnc_netconf_tls_post_deploy/teardown.sh | 27 +- .../certprofile_MY_ENDUSER-1667220921.xml | 594 +++++++++++++ .../entityprofile_My_EndEntity-161023208.xml | 917 +++++++++++++++++++++ scripts/sdnc/certservice/config/cmpServers.json | 24 + scripts/sdnc/certservice/docker-compose.yml | 46 ++ scripts/sdnc/certservice/scripts/cmp.cmpRA.dump | 6 + .../certservice/scripts/ejbca-configuration.sh | 13 + .../sdnc/netconf-pnp-simulator/docker-compose.yml | 12 + .../netconf-pnp-simulator/netconf-config/data.json | 10 + .../netconf-config/model.yang | 29 + .../netconf-config/subscriber.py | 136 +++ scripts/sdnc/sdnc/certs/certs.properties | 2 + scripts/sdnc/sdnc/certs/keys0.zip | Bin 0 -> 5057 bytes scripts/sdnc/sdnc/config/mount.xml | 14 + scripts/sdnc/sdnc/docker-compose.yml | 50 ++ .../sdnc_netconf_tls_post_deploy/__init__.robot | 2 + .../sdnc/sdnc_netconf_tls_post_deploy/_init_.robot | 2 - .../csr/netconf_pnp_simulator_csr.env | 16 + .../sdnc_netconf_tls_post_deploy/csr/sdnc_csr.env | 16 + .../sdnc_netconf_tls_post_deploy/data/mount.xml | 14 - .../libraries/ClientManager.py | 179 ++++ .../libraries/config.sh | 129 +++ .../resources/sdnc-keywords.robot | 84 ++ .../resources/sdnc-properties.robot | 37 + .../sdnc_post_deploy_cert_check.robot | 97 ++- 30 files changed, 2645 insertions(+), 188 deletions(-) create mode 100644 plans/sdnc/sdnc_netconf_tls_post_deploy/certs/Makefile delete mode 100644 plans/sdnc/sdnc_netconf_tls_post_deploy/certs/certs.properties delete mode 100644 plans/sdnc/sdnc_netconf_tls_post_deploy/certs/keys0.zip create mode 100644 plans/sdnc/sdnc_netconf_tls_post_deploy/sdnc-csit.env create mode 100644 scripts/sdnc/certservice/certprofile/certprofile_MY_ENDUSER-1667220921.xml create mode 100644 scripts/sdnc/certservice/certprofile/entityprofile_My_EndEntity-161023208.xml create mode 100644 scripts/sdnc/certservice/config/cmpServers.json create mode 100644 scripts/sdnc/certservice/docker-compose.yml create mode 100644 scripts/sdnc/certservice/scripts/cmp.cmpRA.dump create mode 100755 scripts/sdnc/certservice/scripts/ejbca-configuration.sh create mode 100755 scripts/sdnc/netconf-pnp-simulator/docker-compose.yml create mode 100644 scripts/sdnc/netconf-pnp-simulator/netconf-config/data.json create mode 100644 scripts/sdnc/netconf-pnp-simulator/netconf-config/model.yang create mode 100755 scripts/sdnc/netconf-pnp-simulator/netconf-config/subscriber.py create mode 100644 scripts/sdnc/sdnc/certs/certs.properties create mode 100644 scripts/sdnc/sdnc/certs/keys0.zip create mode 100644 scripts/sdnc/sdnc/config/mount.xml create mode 100755 scripts/sdnc/sdnc/docker-compose.yml create mode 100644 tests/sdnc/sdnc_netconf_tls_post_deploy/__init__.robot delete mode 100644 tests/sdnc/sdnc_netconf_tls_post_deploy/_init_.robot create mode 100644 tests/sdnc/sdnc_netconf_tls_post_deploy/csr/netconf_pnp_simulator_csr.env create mode 100644 tests/sdnc/sdnc_netconf_tls_post_deploy/csr/sdnc_csr.env delete mode 100644 tests/sdnc/sdnc_netconf_tls_post_deploy/data/mount.xml create mode 100644 tests/sdnc/sdnc_netconf_tls_post_deploy/libraries/ClientManager.py create mode 100755 tests/sdnc/sdnc_netconf_tls_post_deploy/libraries/config.sh create mode 100644 tests/sdnc/sdnc_netconf_tls_post_deploy/resources/sdnc-keywords.robot create mode 100644 tests/sdnc/sdnc_netconf_tls_post_deploy/resources/sdnc-properties.robot diff --git a/plans/sdnc/sdnc_netconf_tls_post_deploy/certs/Makefile b/plans/sdnc/sdnc_netconf_tls_post_deploy/certs/Makefile new file mode 100644 index 00000000..b284e61e --- /dev/null +++ b/plans/sdnc/sdnc_netconf_tls_post_deploy/certs/Makefile @@ -0,0 +1,110 @@ +all: step_1 step_2 step_3 step_4 step_5 step_6 step_7 step_8 step_9 step_10 step_11 step_12 step_13 step_14 step_15 +.PHONY: all +#Clear certificates +clear: + @echo "***** Clear certificates *****" + rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 + @echo "***** done *****" + +#Generate root private and public keys +step_1: + @echo "***** Generate root private and public keys *****" + keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \ + -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \ + -storepass secret -ext BasicConstraints:critical="ca:true" + @echo "***** done *****" + +#Export public key as certificate +step_2: + @echo "***** Export public key as certificate *****" + keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc + @echo "***** done *****" + +#Self-signed root (import root certificate into truststore) +step_3: + @echo "***** Self-signed root import root certificate into truststore *****" + keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt + @echo "***** done *****" + +#Generate certService's client private and public keys +step_4: + @echo "***** Generate certService's client private and public keys *****" + keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 730 \ + -keystore certServiceClient-keystore.jks -storetype JKS \ + -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \ + -keypass secret -storepass secret + @echo "***** done *****" + +#Generate certificate signing request for certService's client +step_5: + @echo "***** Generate certificate signing request for certService's client *****" + keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr + @echo "***** done *****" + +#Sign certService's client certificate by root CA +step_6: + @echo "***** Sign certService's client certificate by root CA *****" + keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \ + -outfile certServiceClientByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" + @echo "***** done *****" + +#Import root certificate into client +step_7: + @echo "***** Import root certificate into intermediate *****" + cat root.crt >> certServiceClientByRoot.crt + @echo "***** done *****" + +#Import signed certificate into certService's client +step_8: + @echo "***** Import signed certificate into certService's client *****" + keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt + @echo "***** done *****" + +#Generate certService private and public keys +step_9: + @echo "***** Generate certService private and public keys *****" + keytool -genkeypair -v -alias aaf-cert-service -keyalg RSA -keysize 2048 -validity 730 \ + -keystore certServiceServer-keystore.jks -storetype JKS \ + -dname "CN=aaf-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \ + -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false" + @echo "***** done *****" + +#Generate certificate signing request for certService +step_10: + @echo "***** Generate certificate signing request for certService***** " + keytool -certreq -keystore certServiceServer-keystore.jks -alias aaf-cert-service -storepass secret -file certServiceServer.csr + @echo "***** done *****" + +#Sign certService certificate by root CA +step_11: + @echo "***** Sign certService certificate by root CA *****" + keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \ + -outfile certServiceServerByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" \ + -ext SubjectAlternativeName:="DNS:aaf-cert-service,DNS:localhost" + @echo "***** done *****" + +#Import root certificate into server +step_12: + @echo "***** Import root certificate into intermediate *****" + cat root.crt >> certServiceServerByRoot.crt + @echo "***** done *****" + +#Import signed certificate into certService +step_13: + @echo "***** Import signed certificate into certService *****" + keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias aaf-cert-service \ + -storepass secret -noprompt + @echo "***** done *****" + +#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12) +step_14: + @echo "***** Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12) *****" + keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret \ + -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret + @echo "***** done *****" + +#Clear unused certificates +step_15: + @echo "***** Clear unused certificates *****" + rm -f certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr + @echo "***** done *****" diff --git a/plans/sdnc/sdnc_netconf_tls_post_deploy/certs/certs.properties b/plans/sdnc/sdnc_netconf_tls_post_deploy/certs/certs.properties deleted file mode 100644 index f8f3fa72..00000000 --- a/plans/sdnc/sdnc_netconf_tls_post_deploy/certs/certs.properties +++ /dev/null @@ -1,2 +0,0 @@ -keys0.zip -***** diff --git a/plans/sdnc/sdnc_netconf_tls_post_deploy/certs/keys0.zip b/plans/sdnc/sdnc_netconf_tls_post_deploy/certs/keys0.zip deleted file mode 100644 index 48b4d90a..00000000 Binary files a/plans/sdnc/sdnc_netconf_tls_post_deploy/certs/keys0.zip and /dev/null differ diff --git a/plans/sdnc/sdnc_netconf_tls_post_deploy/sdnc-csit.env b/plans/sdnc/sdnc_netconf_tls_post_deploy/sdnc-csit.env new file mode 100644 index 00000000..75f5db85 --- /dev/null +++ b/plans/sdnc/sdnc_netconf_tls_post_deploy/sdnc-csit.env @@ -0,0 +1,16 @@ +GERRIT_BRANCH=master +NEXUS_USERNAME=docker +NEXUS_PASSWD=docker +SDNC_CONTAINER_NAME=sdnc +SDNC_IMAGE_TAG=1.8.2 +NEXUS_DOCKER_REPO=nexus3.onap.org:10001 +CLIENT_CONTAINER_NAME=CertServiceClient +SDNC_CERT_PATH=${SCRIPTS}/sdnc/sdnc/certs +REQUEST_DATA_PATH=${SCRIPTS}/sdnc/sdnc/config +NETCONF_PNP_SIM_CONTAINER_NAME=netconf-simulator +EJBCA_CERTPROFILE_PATH=${SCRIPTS}/sdnc/certservice/certprofile +AAF_CERTSERVICE_SCRIPTS_PATH=${SCRIPTS}/sdnc/certservice/scripts +TEMP_DIR_PATH=${WORKSPACE}/tests/sdnc/sdnc_netconf_tls_post_deploy/tmp +NETCONF_CONFIG_PATH=${SCRIPTS}/sdnc/netconf-pnp-simulator/netconf-config +AAF_INITIAL_CERTS=${WORKSPACE}/plans/sdnc/sdnc_netconf_tls_post_deploy/certs +AAF_CERTSERVICE_CONFIG_PATH=${SCRIPTS}/sdnc/certservice/config/cmpServers.json \ No newline at end of file diff --git a/plans/sdnc/sdnc_netconf_tls_post_deploy/setup.sh b/plans/sdnc/sdnc_netconf_tls_post_deploy/setup.sh index f77b5632..2a0451d1 100644 --- a/plans/sdnc/sdnc_netconf_tls_post_deploy/setup.sh +++ b/plans/sdnc/sdnc_netconf_tls_post_deploy/setup.sh @@ -1,151 +1,172 @@ #!/bin/bash # -# Copyright 2016-2017 Huawei Technologies Co., Ltd. +# ============LICENSE_START======================================================= +# Copyright (C) 2020 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at # -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 # -# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. # -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# Modifications copyright (c) 2017 AT&T Intellectual Property -# -# Place the scripts in run order: -SCRIPTS="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -source ${WORKSPACE}/scripts/sdnc/script1.sh -export DOCKER_SDNC_TAG=1.8-STAGING-latest -export NEXUS_USERNAME=docker -export NEXUS_PASSWD=docker -export NEXUS_DOCKER_REPO=nexus3.onap.org:10001 -export DMAAP_TOPIC=AUTO -export DOCKER_IMAGE_VERSION=1.8-STAGING-latest -export CCSDK_DOCKER_IMAGE_VERSION=0.7-STAGING-latest -export SDNC_GERRIT_BRANCH=frankfurt -export INTEGRATION_GERRIT_BRANCH=master +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +# @author Ajay Deep Singh (ajay.deep.singh@est.tech) + +# Source SDNC, AAF-CertService, Netconf-Pnp-Simulator config env +source "${WORKSPACE}"/plans/sdnc/sdnc_netconf_tls_post_deploy/sdnc-csit.env + +chmod +x "${WORKSPACE}"/tests/sdnc/sdnc_netconf_tls_post_deploy/libraries/config.sh +chmod +x "${WORKSPACE}"/tests/sdnc/sdnc_netconf_tls_post_deploy/libraries/config_tls.sh + +# Export temp directory +export TEMP_DIR_PATH=${TEMP_DIR_PATH} + +# Create temp directory to bind with docker containers +mkdir -m 755 -p "${WORKSPACE}"/tests/sdnc/sdnc_netconf_tls_post_deploy/tmp +mkdir -m 755 -p "${WORKSPACE}"/tests/sdnc/sdnc_netconf_tls_post_deploy/certs +mkdir -m 755 -p "${WORKSPACE}"/tests/sdnc/sdnc_netconf_tls_post_deploy/cert-data export MTU=$(/sbin/ifconfig | grep MTU | sed 's/.*MTU://' | sed 's/ .*//' | sort -n | head -1) if [ "$MTU" == "" ]; then - export MTU="1450" + export MTU="1450" fi -# Clone SDNC repo to get docker-compose for SDNC -mkdir -p $WORKSPACE/archives/integration -cd $WORKSPACE/archives -git clone -b ${INTEGRATION_GERRIT_BRANCH} --single-branch --depth=1 http://gerrit.onap.org/r/integration.git integration -cd $WORKSPACE/archives/integration -git pull -HOST_IP_ADDR=localhost -# Clone SDNC repo to get docker-compose for SDNC -mkdir -p $WORKSPACE/archives/sdnc -cd $WORKSPACE/archives -git clone -b ${SDNC_GERRIT_BRANCH} --single-branch --depth=1 http://gerrit.onap.org/r/sdnc/oam.git sdnc -cd $WORKSPACE/archives/sdnc -git pull -unset http_proxy https_proxy -cd $WORKSPACE/archives/sdnc/installation/src/main/yaml - -sed -i "s/DMAAP_TOPIC_ENV=.*/DMAAP_TOPIC_ENV=\"AUTO\"/g" docker-compose.yml -docker login -u $NEXUS_USERNAME -p $NEXUS_PASSWD $NEXUS_DOCKER_REPO +# Export default Networking bridge created on the host machine +export LOCAL_IP=$(ip -4 addr show docker0 | grep -Po 'inet \K[\d.]+') -docker pull $NEXUS_DOCKER_REPO/onap/sdnc-image:$DOCKER_SDNC_TAG -docker tag $NEXUS_DOCKER_REPO/onap/sdnc-image:$DOCKER_SDNC_TAG onap/sdnc-image:latest +# Prepare enviroment +echo "Uninstall docker-py and reinstall docker." +pip uninstall -y docker-py +pip uninstall -y docker +pip install -U docker==2.7.0 -docker pull $NEXUS_DOCKER_REPO/onap/sdnc-ansible-server-image:$DOCKER_IMAGE_VERSION -docker tag $NEXUS_DOCKER_REPO/onap/sdnc-ansible-server-image:$DOCKER_IMAGE_VERSION onap/sdnc-ansible-server-image:latest +# Reinstall pyOpenSSL library +echo "Reinstall pyOpenSSL library." +pip uninstall pyopenssl -y +pip install pyopenssl==17.5.0 -docker pull $NEXUS_DOCKER_REPO/onap/ccsdk-dgbuilder-image:$CCSDK_DOCKER_IMAGE_VERSION -docker tag $NEXUS_DOCKER_REPO/onap/ccsdk-dgbuilder-image:$CCSDK_DOCKER_IMAGE_VERSION onap/ccsdk-dgbuilder-image:latest +# Disable Proxy - for local run +unset http_proxy https_proxy -docker pull $NEXUS_DOCKER_REPO/onap/admportal-sdnc-image:$DOCKER_IMAGE_VERSION -docker tag $NEXUS_DOCKER_REPO/onap/admportal-sdnc-image:$DOCKER_IMAGE_VERSION onap/admportal-sdnc-image:latest +# Export AAF Certservice config path +export AAF_INITIAL_CERTS +export EJBCA_CERTPROFILE_PATH +export AAF_CERTSERVICE_CONFIG_PATH +export AAF_CERTSERVICE_SCRIPTS_PATH +export CERT_PROFILE=${EJBCA_CERTPROFILE_PATH} +export SCRIPTS_PATH=${AAF_CERTSERVICE_SCRIPTS_PATH} +export CONFIGURATION_PATH=${AAF_CERTSERVICE_CONFIG_PATH} + +# Generate Keystores, Truststores, Certificates and Keys +make all -C ./certs/ + +cp "${WORKSPACE}"/plans/sdnc/sdnc_netconf_tls_post_deploy/certs/root.crt "${WORKSPACE}"/tests/sdnc/sdnc_netconf_tls_post_deploy/certs/root.crt +openssl pkcs12 -in "${WORKSPACE}"/plans/sdnc/sdnc_netconf_tls_post_deploy/certs/certServiceServer-keystore.p12 -clcerts -nokeys -password pass:secret | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >"${WORKSPACE}"/tests/sdnc/sdnc_netconf_tls_post_deploy/certs/certServiceServer.crt +openssl pkcs12 -in "${WORKSPACE}"/plans/sdnc/sdnc_netconf_tls_post_deploy/certs/certServiceServer-keystore.p12 -nocerts -nodes -password pass:secret | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' >"${WORKSPACE}"/tests/sdnc/sdnc_netconf_tls_post_deploy/certs/certServiceServer.key + +echo "Generated KeyStores, Server Certificate and Key" + +# Start EJBCA, AAF-CertService Containers with docker-compose and configuration from docker-compose.yml +docker-compose -f "${SCRIPTS}"/sdnc/certservice/docker-compose.yml up -d + +# Check if AAF-Certservice Service is healthy and ready +AAFCERT_IP='none' +for i in {1..9}; do + AAFCERT_IP=$(get-instance-ip.sh aaf-cert-service) + RESP_CODE=$(curl -s https://localhost:8443/actuator/health --cacert ./certs/root.crt --cert-type p12 --cert ./certs/certServiceServer-keystore.p12 --pass secret | + python2 -c 'import json,sys;obj=json.load(sys.stdin);print obj["status"]') + if [[ "${RESP_CODE}" == "UP" ]]; then + echo "AAF Cert Service is Ready." + export AAFCERT_IP=${AAFCERT_IP} + docker exec aafcert-ejbca /opt/primekey/scripts/ejbca-configuration.sh + break + fi + echo "Waiting for AAF Cert Service to Start Up..." + sleep 2m +done -docker pull $NEXUS_DOCKER_REPO/onap/sdnc-ueb-listener-image:$DOCKER_IMAGE_VERSION -docker tag $NEXUS_DOCKER_REPO/onap/sdnc-ueb-listener-image:$DOCKER_IMAGE_VERSION onap/sdnc-ueb-listener-image:latest +if [[ "${AAFCERT_IP}" == "none" || "${AAFCERT_IP}" == '' || "${RESP_CODE}" != "UP" ]]; then + echo "AAF CertService not started Could cause problems for testing activities...!" +fi -docker pull $NEXUS_DOCKER_REPO/onap/sdnc-dmaap-listener-image:$DOCKER_IMAGE_VERSION +############################## SDNC Setup ############################## -docker tag $NEXUS_DOCKER_REPO/onap/sdnc-dmaap-listener-image:$DOCKER_IMAGE_VERSION onap/sdnc-dmaap-listener-image:latest +# Export Mariadb, SDNC tmp, cert directory path +export SDNC_CERT_PATH=${SDNC_CERT_PATH} -CERT_SUBPATH=plans/sdnc/sdnc_netconf_tls_post_deploy/certs +docker pull "${NEXUS_DOCKER_REPO}"/onap/sdnc-image:"${SDNC_IMAGE_TAG}" +docker tag "${NEXUS_DOCKER_REPO}"/onap/sdnc-image:"${SDNC_IMAGE_TAG}" onap/sdnc-image:latest -export SDNC_CERT_PATH=${WORKSPACE}/${CERT_SUBPATH} -sed -i 's/sdnc_controller_container/sdnc_controller_container\n volumes: \n - $SDNC_CERT_PATH:\/opt\/opendaylight\/current\/certs/' docker-compose.yml -# start SDNC containers with docker compose and configuration from docker-compose.yml -docker-compose up -d +# Start Mariadb, SDNC Containers with docker-compose and configuration from docker-compose.yml +docker-compose -f "${SCRIPTS}"/sdnc/sdnc/docker-compose.yml up -d -# PNF simulator has permission problems - creates files as root, which causes build to be unstable -# Commenting it out for now, since netconf mount is not working anyway. -# cd $WORKSPACE/archives/integration/test/mocks/pnfsimulator/pnfsimulator -# docker-compose up -d +# Check if SDNC Service is healthy and ready +for i in {1..10}; do + SDNC_IP=$(get-instance-ip.sh sdnc) + RESP_CODE=$(curl --write-out '%{http_code}' --silent --output /dev/null -H "Authorization: Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ==" -X POST -H "X-FromAppId: csit-sdnc" -H "X-TransactionId: csit-sdnc" -H "Accept: application/json" -H "Content-Type: application/json" http://localhost:8282/restconf/operations/SLI-API:healthcheck) + if [[ "${RESP_CODE}" == '200' ]]; then + echo "SDNC Service is Ready." + break + fi + echo "Waiting for SDNC Service to Start Up..." + sleep 2m +done -# WAIT 10 minutes maximum and test every 5 seconds if SDNC is up using HealthCheck API -TIME_OUT=1000 -INTERVAL=30 -TIME=0 -while [ "$TIME" -lt "$TIME_OUT" ]; do - response=$(curl --write-out '%{http_code}' --silent --output /dev/null -H "Authorization: Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ==" -X POST -H "X-FromAppId: csit-sdnc" -H "X-TransactionId: csit-sdnc" -H "Accept: application/json" -H "Content-Type: application/json" http://localhost:8282/restconf/operations/SLI-API:healthcheck ); echo $response +if [[ "${SDNC_IP}" == 'none' || "${SDNC_IP}" == '' || "${RESP_CODE}" != '200' ]]; then + echo "SDNC Service not started Could cause problems for testing activities...!" +fi - if [ "$response" == "200" ]; then - echo SDNC started in $TIME seconds - break; +# Check if SDNC-ODL Karaf Session started +for i in {1..15}; do + EXEC_RESP=$(docker exec -it sdnc /opt/opendaylight/current/bin/client system:start-level) + if grep -q 'Level 100' <<<"${EXEC_RESP}"; then + echo "SDNC-ODL Karaf Session Started." + break fi - - echo Sleep: $INTERVAL seconds before testing if SDNC is up. Total wait time up now is: $TIME seconds. Timeout is: $TIME_OUT seconds - sleep $INTERVAL - TIME=$(($TIME+$INTERVAL)) + echo "Waiting for SDNC-ODL Karaf Session to Start Up..." + sleep 2m done -export PNF_IP=$(ip -4 addr show docker0 | grep -Po 'inet \K[\d.]+') -sed -i "s/pnfaddr/$PNF_IP/g" $WORKSPACE/tests/sdnc/sdnc_netconf_tls_post_deploy/data/mount.xml - -if [ "$TIME" -ge "$TIME_OUT" ]; then - echo TIME OUT: Docker containers not started in $TIME_OUT seconds... Could cause problems for testing activities... +if ! grep -q 'Level 100' <<<"${EXEC_RESP}"; then + echo "SDNC-ODL Karaf Session not Started, Could cause problems for testing activities...!" fi -#sleep 800 +echo "Sleeping 5 minutes" +sleep 5m -TIME_OUT=1500 -INTERVAL=60 -TIME=0 -while [ "$TIME" -lt "$TIME_OUT" ]; do - response=$(docker exec -ti sdnc_controller_container /opt/opendaylight/current/bin/client system:start-level) +###################### Netconf-PNP-Simulator Setup ###################### - if grep -q 'Level 100' <<< ${response}; then - echo SDNC karaf started in $TIME seconds - break; - fi +# Export netconf-pnp simulator conf path +export NETCONF_CONFIG_PATH=${NETCONF_CONFIG_PATH} - echo Sleep: $INTERVAL seconds before testing if SDNC is up. Total wait time up now is: $TIME seconds. Timeout is: $TIME_OUT seconds - sleep $INTERVAL - TIME=$(($TIME+$INTERVAL)) -done +# Start Netconf-Pnp-Simulator Container with docker-compose and configuration from docker-compose.yml +docker-compose -f "${SCRIPTS}"/sdnc/netconf-pnp-simulator/docker-compose.yml up -d -if [ "$TIME" -ge "$TIME_OUT" ]; then - echo TIME OUT: karaf session not started in $TIME_OUT seconds... Could cause problems for testing activities... -fi +# Update default Networking bridge IP in mount.json file +sed -i "s/pnfaddr/${LOCAL_IP}/g" "${REQUEST_DATA_PATH}"/mount.xml -response=$(docker exec -ti sdnc_controller_container /opt/opendaylight/current/bin/client system:start-level) +######################################################################### - if grep -q 'Level 100' <<< ${response}; then - num_failed_bundles=$(docker exec -ti sdnc_controller_container /opt/opendaylight/current/bin/client bundle:list | grep Failure | wc -l) - failed_bundles=$(docker exec -ti sdnc_controller_container /opt/opendaylight/current/bin/client bundle:list | grep Failure) - echo There is/are $num_failed_bundles failed bundles out of $num_bundles installed bundles. - fi +echo "Sleeping additional for 3 minutes to give application time to finish" +sleep 3m -if [ "$num_failed_bundles" -ge 1 ]; then - echo "The following bundle(s) are in a failed state: " - echo " $failed_bundles" -fi +# Export SDNC, AAF-Certservice-Cient, Netconf-Pnp-Simulator Continer Names +export REQUEST_DATA_PATH="${REQUEST_DATA_PATH}" +export SDNC_CONTAINER_NAME="${SDNC_CONTAINER_NAME}" +export CLIENT_CONTAINER_NAME="${CLIENT_CONTAINER_NAME}" +export NETCONF_PNP_SIM_CONTAINER_NAME="${NETCONF_PNP_SIM_CONTAINER_NAME}" -# Sleep additional 5 minutes (300 secs) to give application time to finish -sleep 200 +REPO_IP='127.0.0.1' +ROBOT_VARIABLES+=" -v REPO_IP:${REPO_IP} " +ROBOT_VARIABLES+=" -v SCRIPTS:${SCRIPTS} " -# Pass any variables required by Robot test suites in ROBOT_VARIABLES -ROBOT_VARIABLES="-v SCRIPTS:${SCRIPTS}" +echo "Finished executing setup for SDNC-Netconf-TLS-Post-Deploy" diff --git a/plans/sdnc/sdnc_netconf_tls_post_deploy/teardown.sh b/plans/sdnc/sdnc_netconf_tls_post_deploy/teardown.sh index 43294df5..2f451d50 100644 --- a/plans/sdnc/sdnc_netconf_tls_post_deploy/teardown.sh +++ b/plans/sdnc/sdnc_netconf_tls_post_deploy/teardown.sh @@ -1,6 +1,6 @@ #!/bin/bash # -# Copyright 2016-2017 Huawei Technologies Co., Ltd. +# Copyright 2017 ZTE, Inc. and others. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,22 +14,13 @@ # See the License for the specific language governing permissions and # limitations under the License. # -# Modifications copyright (c) 2017 AT&T Intellectual Property -# -docker cp sdnc_controller_container:/opt/opendaylight/data/log/karaf.log $WORKSPACE/archives/karaf.log -docker cp sdnc_controller_container:/opt/opendaylight/data/log/installCerts.log $WORKSPACE/archives/installCerts.log -kill-instance.sh sdnc_controller_container -kill-instance.sh sdnc_dgbuilder_container -kill-instance.sh sdnc_portal_container -kill-instance.sh sdnc_db_container -kill-instance.sh sdnc_ueblistener_container -kill-instance.sh sdnc_dmaaplistener_container -kill-instance.sh sdnc_ansible_container -# Commented out startup of PNF simulator due to permission issues. Following lines can be uncommented -# when/if that problem is resolved. -#kill-instance.sh pnfsimulator_pnf-simulator_1 -#kill-instance.sh pnfsimulator_mongo-express_1 -#ill-instance.sh pnfsimulator_mongo_1 +docker-compose -f "${SCRIPTS}"/sdnc/certservice/docker-compose.yml down -v +docker-compose -f "${SCRIPTS}"/sdnc/sdnc/docker-compose.yml down -v +docker-compose -f "${SCRIPTS}"/sdnc/netconf-pnp-simulator/docker-compose.yml down -v + +make clear -C "${WORKSPACE}"/plans/sdnc/sdnc_netconf_tls_post_deploy/certs -# $WORKSPACE/archives/appc deleted with archives folder when tests starts so we keep it at the end for debugging +rm -rf "${WORKSPACE}"/tests/sdnc/sdnc_netconf_tls_post_deploy/tmp +rm -rf "${WORKSPACE}"/tests/sdnc/sdnc_netconf_tls_post_deploy/certs +rm -rf "${WORKSPACE}"/tests/sdnc/sdnc_netconf_tls_post_deploy/cert-data \ No newline at end of file diff --git a/scripts/sdnc/certservice/certprofile/certprofile_MY_ENDUSER-1667220921.xml b/scripts/sdnc/certservice/certprofile/certprofile_MY_ENDUSER-1667220921.xml new file mode 100644 index 00000000..92fbdee5 --- /dev/null +++ b/scripts/sdnc/certservice/certprofile/certprofile_MY_ENDUSER-1667220921.xml @@ -0,0 +1,594 @@ + + + + + version + 46.0 + + + type + 1 + + + certversion + X509v3 + + + encodedvalidity + 2y + + + usecertificatevalidityoffset + false + + + certificatevalidityoffset + -10m + + + useexpirationrestrictionforweekdays + false + + + expirationrestrictionforweekdaysbefore + true + + + expirationrestrictionweekdays + + + true + + + true + + + false + + + false + + + false + + + true + + + true + + + + + allowvalidityoverride + false + + + allowextensionoverride + false + + + allowdnoverride + false + + + allowdnoverridebyeei + false + + + allowbackdatedrevokation + false + + + usecertificatestorage + true + + + storecertificatedata + true + + + storesubjectaltname + true + + + usebasicconstrants + true + + + basicconstraintscritical + true + + + usesubjectkeyidentifier + true + + + subjectkeyidentifiercritical + false + + + useauthoritykeyidentifier + true + + + authoritykeyidentifiercritical + false + + + usesubjectalternativename + true + + + subjectalternativenamecritical + false + + + useissueralternativename + true + + + issueralternativenamecritical + false + + + usecrldistributionpoint + false + + + usedefaultcrldistributionpoint + false + + + crldistributionpointcritical + false + + + crldistributionpointuri + + + + usefreshestcrl + false + + + usecadefinedfreshestcrl + false + + + freshestcrluri + + + + crlissuer + + + + usecertificatepolicies + false + + + certificatepoliciescritical + false + + + certificatepolicies + + + + availablekeyalgorithms + + + DSA + + + ECDSA + + + RSA + + + + + availableeccurves + + + ANY_EC_CURVE + + + + + availablebitlengths + + + 0 + + + 192 + + + 224 + + + 239 + + + 256 + + + 384 + + + 512 + + + 521 + + + 1024 + + + 1536 + + + 2048 + + + 3072 + + + 4096 + + + 6144 + + + 8192 + + + + + minimumavailablebitlength + 0 + + + maximumavailablebitlength + 8192 + + + signaturealgorithm + + + + usekeyusage + true + + + keyusage + + + true + + + true + + + true + + + false + + + false + + + false + + + false + + + false + + + false + + + + + allowkeyusageoverride + false + + + keyusagecritical + true + + + useextendedkeyusage + true + + + extendedkeyusage + + + 1.3.6.1.5.5.7.3.2 + + + 1.3.6.1.5.5.7.3.4 + + + 1.3.6.1.5.5.7.3.1 + + + + + extendedkeyusagecritical + false + + + usedocumenttypelist + false + + + documenttypelistcritical + false + + + documenttypelist + + + + availablecas + + + -1 + + + 1295313472 + + + + + usedpublishers + + + + useocspnocheck + false + + + useldapdnorder + true + + + usecustomdnorder + false + + + usemicrosofttemplate + false + + + microsofttemplate + + + + usecardnumber + false + + + usecnpostfix + false + + + cnpostfix + + + + usesubjectdnsubset + false + + + subjectdnsubset + + + + usesubjectaltnamesubset + false + + + subjectaltnamesubset + + + + usepathlengthconstraint + false + + + pathlengthconstraint + 0 + + + useqcstatement + false + + + usepkixqcsyntaxv2 + false + + + useqcstatementcritical + false + + + useqcstatementraname + + + + useqcsematicsid + + + + useqcetsiqccompliance + false + + + useqcetsisignaturedevice + false + + + useqcetsivaluelimit + false + + + qcetsivaluelimit + 0 + + + qcetsivaluelimitexp + 0 + + + qcetsivaluelimitcurrency + + + + useqcetsiretentionperiod + false + + + qcetsiretentionperiod + 0 + + + useqccustomstring + false + + + qccustomstringoid + + + + qccustomstringtext + + + + qcetsipds + + + + qcetsitype + + + + usecertificatetransparencyincerts + false + + + usecertificatetransparencyinocsp + false + + + usecertificatetransparencyinpublisher + false + + + usesubjectdirattributes + false + + + usenameconstraints + false + + + useauthorityinformationaccess + false + + + caissuers + + + + usedefaultcaissuer + false + + + usedefaultocspservicelocator + false + + + ocspservicelocatoruri + + + + cvcaccessrights + 3 + + + usedcertificateextensions + + + + approvals + + + + org.cesecore.certificates.ca.ApprovalRequestType + KEYRECOVER + + -1 + + + + org.cesecore.certificates.ca.ApprovalRequestType + ADDEDITENDENTITY + + -1 + + + + org.cesecore.certificates.ca.ApprovalRequestType + REVOCATION + + -1 + + + + + useprivkeyusageperiodnotbefore + false + + + useprivkeyusageperiod + false + + + useprivkeyusageperiodnotafter + false + + + privkeyusageperiodstartoffset + 0 + + + privkeyusageperiodlength + 63072000 + + + usesingleactivecertificateconstraint + false + + + overridableextensionoids + + + + nonoverridableextensionoids + + + + usecustomdnorderldap + false + + + diff --git a/scripts/sdnc/certservice/certprofile/entityprofile_My_EndEntity-161023208.xml b/scripts/sdnc/certservice/certprofile/entityprofile_My_EndEntity-161023208.xml new file mode 100644 index 00000000..cad4ca7f --- /dev/null +++ b/scripts/sdnc/certservice/certprofile/entityprofile_My_EndEntity-161023208.xml @@ -0,0 +1,917 @@ + + + + + version + 14.0 + + + NUMBERARRAY + + + 1 + + + 1 + + + 0 + + + 0 + + + 0 + + + 1 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 1 + + + 1 + + + 1 + + + 1 + + + 0 + + + 1 + + + 0 + + + 2 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 1 + + + 0 + + + 0 + + + 1 + + + 1 + + + 1 + + + 1 + + + 1 + + + 1 + + + 0 + + + 0 + + + 1 + + + 1 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 1 + + + 1 + + + 0 + + + 1 + + + 0 + + + 1 + + + 1 + + + 1 + + + 1 + + + 1 + + + 1 + + + 1 + + + 0 + + + 0 + + + 0 + + + + + SUBJECTDNFIELDORDER + + + 500 + + + 1100 + + + 1200 + + + 1300 + + + 1400 + + + 1600 + + + + + SUBJECTALTNAMEFIELDORDER + + + 1800 + + + 1801 + + + + + SUBJECTDIRATTRFIELDORDER + + + + 0 + + + + 20000 + true + + + 10000 + true + + + 30000 + true + + + 1 + + + + 20001 + true + + + 10001 + true + + + 30001 + true + + + 95 + + + + 20095 + false + + + 10095 + true + + + 30095 + true + + + 96 + + + + 20096 + false + + + 10096 + true + + + 30096 + true + + + 5 + + + + 20005 + true + + + 10005 + true + + + 30005 + true + + + 26 + + + + 20026 + false + + + 10026 + true + + + 30026 + true + + + 29 + 1667220921 + + + 20029 + true + + + 10029 + true + + + 30029 + true + + + 30 + 1667220921 + + + 20030 + true + + + 10030 + true + + + 30030 + true + + + 31 + 1 + + + 20031 + true + + + 10031 + true + + + 30031 + true + + + 32 + 1;2;3;4 + + + 20032 + true + + + 10032 + true + + + 30032 + true + + + 33 + + + + 20033 + true + + + 10033 + true + + + 30033 + true + + + 34 + + + + 20034 + true + + + 10034 + false + + + 30034 + true + + + 38 + 1295313472 + + + 20038 + true + + + 10038 + true + + + 30038 + true + + + 37 + 1295313472 + + + 20037 + true + + + 10037 + true + + + 30037 + true + + + 98 + + + + 20098 + false + + + 10098 + false + + + 30098 + true + + + 99 + + + + 20099 + false + + + 10099 + false + + + 30099 + true + + + 97 + + + + 20097 + false + + + 10097 + false + + + 30097 + true + + + 91 + false + + + 20091 + false + + + 10091 + false + + + 30091 + true + + + 94 + -1 + + + 20094 + true + + + 10094 + false + + + 30094 + false + + + 93 + -1 + + + 20093 + false + + + 10093 + false + + + 30093 + false + + + 89 + + + + 20089 + false + + + 10089 + false + + + 30089 + true + + + 88 + + + + 20088 + false + + + 10088 + false + + + 30088 + true + + + ALLOW_MERGEDN_WEBSERVICES + false + + + 2 + + + + 20002 + false + + + 10002 + false + + + 10090 + true + + + 90 + 0 + + + REVERSEFFIELDCHECKS + false + + + 28 + false + + + 20028 + false + + + 10028 + false + + + REUSECERTIFICATE + false + + + 35 + false + + + 20035 + false + + + 10035 + false + + + 10092 + false + + + USEEXTENSIONDATA + false + + + PRINTINGUSE + false + + + PRINTINGDEFAULT + false + + + PRINTINGREQUIRED + false + + + PRINTINGCOPIES + 1 + + + PRINTINGPRINTERNAME + + + + PRINTINGSVGDATA + + + + PRINTINGSVGFILENAME + + + + 11 + + + + 20011 + true + + + 10011 + true + + + 30011 + true + + + 12 + + + + 20012 + true + + + 10012 + true + + + 30012 + true + + + 13 + + + + 20013 + true + + + 10013 + true + + + 30013 + true + + + 14 + + + + 20014 + true + + + 10014 + true + + + 30014 + true + + + 16 + + + + 20016 + true + + + 10016 + true + + + 30016 + true + + + 18 + + + + 20018 + true + + + 10018 + true + + + 30018 + true + + + 118 + + + + 20118 + true + + + 10118 + true + + + 30118 + true + + + diff --git a/scripts/sdnc/certservice/config/cmpServers.json b/scripts/sdnc/certservice/config/cmpServers.json new file mode 100644 index 00000000..ce427c53 --- /dev/null +++ b/scripts/sdnc/certservice/config/cmpServers.json @@ -0,0 +1,24 @@ +{ + "cmpv2Servers": [ + { + "caName": "Client", + "url": "http://aafcert-ejbca:8080/ejbca/publicweb/cmp/cmp", + "issuerDN": "CN=My_ManagementCA", + "caMode": "CLIENT", + "authentication": { + "iak": "mypassword", + "rv": "mypassword" + } + }, + { + "caName": "RA", + "url": "http://aafcert-ejbca:8080/ejbca/publicweb/cmp/cmpRA", + "issuerDN": "CN=My_ManagementCA", + "caMode": "RA", + "authentication": { + "iak": "mypassword", + "rv": "mypassword" + } + } + ] +} diff --git a/scripts/sdnc/certservice/docker-compose.yml b/scripts/sdnc/certservice/docker-compose.yml new file mode 100644 index 00000000..6e4c4b60 --- /dev/null +++ b/scripts/sdnc/certservice/docker-compose.yml @@ -0,0 +1,46 @@ +version: "2.1" + +services: + ejbca: + image: primekey/ejbca-ce:6.15.2.5 + hostname: cahostname + container_name: aafcert-ejbca + ports: + - "80:8080" + - "443:8443" + volumes: + - $SCRIPTS_PATH:/opt/primekey/scripts + - $CERT_PROFILE:/opt/primekey/certprofile + healthcheck: + test: ["CMD-SHELL", "curl -kI https://localhost:8443/ejbca/publicweb/healthcheck/ejbcahealth"] + interval: 20s + timeout: 3s + retries: 9 + networks: + - certservice + + aaf-cert-service: + image: nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-api:latest + volumes: + - $CONFIGURATION_PATH:/etc/onap/aaf/certservice/cmpServers.json + - $AAF_INITIAL_CERTS/truststore.jks:/etc/onap/aaf/certservice/certs/truststore.jks + - $AAF_INITIAL_CERTS/root.crt:/etc/onap/aaf/certservice/certs/root.crt + - $AAF_INITIAL_CERTS/certServiceServer-keystore.jks:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.jks + - $AAF_INITIAL_CERTS/certServiceServer-keystore.p12:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 + container_name: aaf-cert-service + ports: + - "8443:8443" + depends_on: + ejbca: + condition: service_healthy + healthcheck: + test: ["CMD-SHELL", "curl https://localhost:8443/actuator/health --cacert /etc/onap/aaf/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 --pass secret"] + interval: 10s + timeout: 3s + retries: 15 + networks: + - certservice + +networks: + certservice: + driver: bridge \ No newline at end of file diff --git a/scripts/sdnc/certservice/scripts/cmp.cmpRA.dump b/scripts/sdnc/certservice/scripts/cmp.cmpRA.dump new file mode 100644 index 00000000..900e676d --- /dev/null +++ b/scripts/sdnc/certservice/scripts/cmp.cmpRA.dump @@ -0,0 +1,6 @@ +cmpRA.operationmode = ra +cmpRA.responseprotection = pbe +cmpRA.ra.endentityprofileid = 161023208 +cmpRA.ra.certificateprofile = MY_ENDUSER +cmpRA.ra.caname = My_ManagementCA +cmpRA.allowautomatickeyupdate = true \ No newline at end of file diff --git a/scripts/sdnc/certservice/scripts/ejbca-configuration.sh b/scripts/sdnc/certservice/scripts/ejbca-configuration.sh new file mode 100755 index 00000000..64045a7f --- /dev/null +++ b/scripts/sdnc/certservice/scripts/ejbca-configuration.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +configureEjbca() { + ejbca.sh ca init My_ManagementCA "C=SE,O=PrimeKey,CN=My_ManagementCA" soft foo123 2048 RSA 365 --policy 2.5.29.32.0 SHA256WithRSA + ejbca.sh ca editca --caname My_ManagementCA --field cmpRaAuthSecret --value mypassword + ejbca.sh config cmp addalias --alias cmpRA + ejbca.sh ca importprofiles -d /opt/primekey/certprofile + ejbca.sh config cmp uploadfile --alias cmpRA --file /opt/primekey/scripts/cmp.cmpRA.dump + ejbca.sh config cmp dumpalias --alias cmpRA + ejbca.sh ca getcacert --caname My_ManagementCA -f /dev/stdout > cacert.pem +} + +configureEjbca diff --git a/scripts/sdnc/netconf-pnp-simulator/docker-compose.yml b/scripts/sdnc/netconf-pnp-simulator/docker-compose.yml new file mode 100755 index 00000000..67a75c94 --- /dev/null +++ b/scripts/sdnc/netconf-pnp-simulator/docker-compose.yml @@ -0,0 +1,12 @@ +version: '3' + +services: + netconf-pnp-simulator: + image: nexus3.onap.org:10001/onap/integration/simulators/netconf-pnp-simulator:2.8.5 + container_name: netconf-simulator + restart: always + ports: + - "830:830" + - "6513:6513" + volumes: + - ${NETCONF_CONFIG_PATH}:/config/modules/mynetconf diff --git a/scripts/sdnc/netconf-pnp-simulator/netconf-config/data.json b/scripts/sdnc/netconf-pnp-simulator/netconf-config/data.json new file mode 100644 index 00000000..63872eef --- /dev/null +++ b/scripts/sdnc/netconf-pnp-simulator/netconf-config/data.json @@ -0,0 +1,10 @@ +{ + "mynetconf:netconflist": { + "netconf": [ + { + "netconf-id": 3, + "netconf-param": 3 + } + ] + } +} diff --git a/scripts/sdnc/netconf-pnp-simulator/netconf-config/model.yang b/scripts/sdnc/netconf-pnp-simulator/netconf-config/model.yang new file mode 100644 index 00000000..6c8c36ab --- /dev/null +++ b/scripts/sdnc/netconf-pnp-simulator/netconf-config/model.yang @@ -0,0 +1,29 @@ +module mynetconf { + yang-version 1.1; + namespace "urn:mynetconf:test"; + + prefix nft; + + organization + "mynetconf"; + contact + "my netconf address"; + description + "yang model for mynetconf"; + revision "2019-03-01" { + description + "initial version"; + } + + container netconflist { + list netconf { + key netconf-id; + leaf netconf-id { + type uint16; + } + leaf netconf-param { + type uint32; + } + } + } +} diff --git a/scripts/sdnc/netconf-pnp-simulator/netconf-config/subscriber.py b/scripts/sdnc/netconf-pnp-simulator/netconf-config/subscriber.py new file mode 100755 index 00000000..61272967 --- /dev/null +++ b/scripts/sdnc/netconf-pnp-simulator/netconf-config/subscriber.py @@ -0,0 +1,136 @@ +#!/usr/bin/env python3 + +__author__ = "Mislav Novakovic " +__copyright__ = "Copyright 2018, Deutsche Telekom AG" +__license__ = "Apache 2.0" + +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This sample application demonstrates use of Python programming language bindings for sysrepo library. +# Original c application was rewritten in Python to show similarities and differences +# between the two. +# +# Most notable difference is in the very different nature of languages, c is weakly statically typed language +# while Python is strongly dynamically typed. Python code is much easier to read and logic easier to comprehend +# for smaller scripts. Memory safety is not an issue but lower performance can be expected. +# +# The original c implementation is also available in the source, so one can refer to it to evaluate trade-offs. + +import sysrepo as sr +import sys + + +# Helper function for printing changes given operation, old and new value. +def print_change(op, old_val, new_val): + if op == sr.SR_OP_CREATED: + print(f"CREATED: {new_val.to_string()}") + elif op == sr.SR_OP_DELETED: + print(f"DELETED: {old_val.to_string()}") + elif op == sr.SR_OP_MODIFIED: + print(f"MODIFIED: {old_val.to_string()} to {new_val.to_string()}") + elif op == sr.SR_OP_MOVED: + print(f"MOVED: {new_val.xpath()} after {old_val.xpath()}") + + +# Helper function for printing events. +def ev_to_str(ev): + if ev == sr.SR_EV_VERIFY: + return "verify" + elif ev == sr.SR_EV_APPLY: + return "apply" + elif ev == sr.SR_EV_ABORT: + return "abort" + else: + return "unknown" + + +# Function to print current configuration state. +# It does so by loading all the items of a session and printing them out. +def print_current_config(session, module_name): + select_xpath = f"/{module_name}:*//*" + + values = session.get_items(select_xpath) + + if values is not None: + print("========== BEGIN CONFIG ==========") + for i in range(values.val_cnt()): + print(values.val(i).to_string(), end='') + print("=========== END CONFIG ===========") + + +# Function to be called for subscribed client of given session whenever configuration changes. +def module_change_cb(sess, module_name, event, private_ctx): + try: + print("========== Notification " + ev_to_str(event) + " =============================================") + if event == sr.SR_EV_APPLY: + print_current_config(sess, module_name) + + print("========== CHANGES: =============================================") + + change_path = f"/{module_name}:*" + + it = sess.get_changes_iter(change_path) + + while True: + change = sess.get_change_next(it) + if change is None: + break + print_change(change.oper(), change.old_val(), change.new_val()) + + print("========== END OF CHANGES =======================================") + except Exception as e: + print(e) + + return sr.SR_ERR_OK + + +def main(): + # Notable difference between c implementation is using exception mechanism for open handling unexpected events. + # Here it is useful because `Connection`, `Session` and `Subscribe` could throw an exception. + try: + module_name = "ietf-interfaces" + if len(sys.argv) > 1: + module_name = sys.argv[1] + else: + print("\nYou can pass the module name to be subscribed as the first argument") + + print(f"Application will watch for changes in {module_name}") + + # connect to sysrepo + conn = sr.Connection(module_name) + + # start session + sess = sr.Session(conn) + + # subscribe for changes in running config */ + subscribe = sr.Subscribe(sess) + + subscribe.module_change_subscribe(module_name, module_change_cb) + + try: + print_current_config(sess, module_name) + except Exception as e: + print(e) + + print("========== STARTUP CONFIG APPLIED AS RUNNING ==========") + + sr.global_loop() + + print("Application exit requested, exiting.") + + except Exception as e: + print(e) + + +if __name__ == '__main__': + main() diff --git a/scripts/sdnc/sdnc/certs/certs.properties b/scripts/sdnc/sdnc/certs/certs.properties new file mode 100644 index 00000000..f8f3fa72 --- /dev/null +++ b/scripts/sdnc/sdnc/certs/certs.properties @@ -0,0 +1,2 @@ +keys0.zip +***** diff --git a/scripts/sdnc/sdnc/certs/keys0.zip b/scripts/sdnc/sdnc/certs/keys0.zip new file mode 100644 index 00000000..48b4d90a Binary files /dev/null and b/scripts/sdnc/sdnc/certs/keys0.zip differ diff --git a/scripts/sdnc/sdnc/config/mount.xml b/scripts/sdnc/sdnc/config/mount.xml new file mode 100644 index 00000000..04305252 --- /dev/null +++ b/scripts/sdnc/sdnc/config/mount.xml @@ -0,0 +1,14 @@ + + PNFDemo + + ODL_private_key_0 + netconf + + pnfaddr + 6513 + false + + TLS + + 5 + diff --git a/scripts/sdnc/sdnc/docker-compose.yml b/scripts/sdnc/sdnc/docker-compose.yml new file mode 100755 index 00000000..c47fab50 --- /dev/null +++ b/scripts/sdnc/sdnc/docker-compose.yml @@ -0,0 +1,50 @@ +version: '3' + +services: + mariadb: + image: nexus3.onap.org:10001/mariadb:10.1.11 + ports: + - "3306:3306" + container_name: mariadb + volumes: + - /etc/localtime:/etc/localtime:ro + environment: + - MYSQL_ROOT_PASSWORD=password + hostname: + mariadb.so.testlab.onap.org + logging: + driver: "json-file" + options: + max-size: "30m" + max-file: "5" + + sdnc: + image: onap/sdnc-image:latest + container_name: sdnc + volumes: + - /etc/localtime:/etc/localtime:ro + - $SDNC_CERT_PATH:/opt/opendaylight/current/certs + entrypoint: ["/opt/onap/sdnc/bin/startODL.sh"] + ports: + - "8282:8181" + hostname: + sdnc + environment: + - MYSQL_ROOT_PASSWORD=password + - SDNC_CONFIG_DIR=/opt/onap/sdnc/data/properties + - MYSQL_PASSWD=password + - ODL_ADMIN_USERNAME=admin + - ODL_ADMIN_PASSWORD=Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U + depends_on: + - mariadb + dns: + - ${DNS_IP_ADDR-10.0.100.1} + logging: + driver: "json-file" + options: + max-size: "30m" + max-file: "5" + extra_hosts: + - sdnctldb02:${LOCAL_IP} + - sdnctldb01:${LOCAL_IP} + - dbhost:${LOCAL_IP} \ No newline at end of file diff --git a/tests/sdnc/sdnc_netconf_tls_post_deploy/__init__.robot b/tests/sdnc/sdnc_netconf_tls_post_deploy/__init__.robot new file mode 100644 index 00000000..d7353060 --- /dev/null +++ b/tests/sdnc/sdnc_netconf_tls_post_deploy/__init__.robot @@ -0,0 +1,2 @@ +1 *** Settings *** +2 Documentation SDNC - keystorecheck diff --git a/tests/sdnc/sdnc_netconf_tls_post_deploy/_init_.robot b/tests/sdnc/sdnc_netconf_tls_post_deploy/_init_.robot deleted file mode 100644 index d7353060..00000000 --- a/tests/sdnc/sdnc_netconf_tls_post_deploy/_init_.robot +++ /dev/null @@ -1,2 +0,0 @@ -1 *** Settings *** -2 Documentation SDNC - keystorecheck diff --git a/tests/sdnc/sdnc_netconf_tls_post_deploy/csr/netconf_pnp_simulator_csr.env b/tests/sdnc/sdnc_netconf_tls_post_deploy/csr/netconf_pnp_simulator_csr.env new file mode 100644 index 00000000..557860de --- /dev/null +++ b/tests/sdnc/sdnc_netconf_tls_post_deploy/csr/netconf_pnp_simulator_csr.env @@ -0,0 +1,16 @@ +#Client Envs +REQUEST_TIMEOUT=30000 +OUTPUT_PATH=/var/certs +CA_NAME=RA +KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks +KEYSTORE_PASSWORD=secret +TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/truststore.jks +TRUSTSTORE_PASSWORD=secret +#CSR Config Envs +COMMON_NAME=netconf.pnp.simulator.onap.org +ORGANIZATION=Linux-Foundation +ORGANIZATION_UNIT=ONAP +LOCATION=San-Francisco +STATE=California +COUNTRY=US +SANS=netconf.com:netconfsimulator.com diff --git a/tests/sdnc/sdnc_netconf_tls_post_deploy/csr/sdnc_csr.env b/tests/sdnc/sdnc_netconf_tls_post_deploy/csr/sdnc_csr.env new file mode 100644 index 00000000..28411797 --- /dev/null +++ b/tests/sdnc/sdnc_netconf_tls_post_deploy/csr/sdnc_csr.env @@ -0,0 +1,16 @@ +#Client CSR +REQUEST_TIMEOUT=30000 +OUTPUT_PATH=/var/certs +CA_NAME=RA +KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks +KEYSTORE_PASSWORD=secret +TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/truststore.jks +TRUSTSTORE_PASSWORD=secret +#CSR Config Envs +COMMON_NAME=sdnc.onap.org +ORGANIZATION=Linux-Foundation +ORGANIZATION_UNIT=ONAP +LOCATION=San-Francisco +STATE=California +COUNTRY=US +SANS=example.com:sample.com \ No newline at end of file diff --git a/tests/sdnc/sdnc_netconf_tls_post_deploy/data/mount.xml b/tests/sdnc/sdnc_netconf_tls_post_deploy/data/mount.xml deleted file mode 100644 index 108369bc..00000000 --- a/tests/sdnc/sdnc_netconf_tls_post_deploy/data/mount.xml +++ /dev/null @@ -1,14 +0,0 @@ - - netopeer2 - - ODL_private_key_0 - netconf - - pnfaddr - 6513 - false - - TLS - - 2 - diff --git a/tests/sdnc/sdnc_netconf_tls_post_deploy/libraries/ClientManager.py b/tests/sdnc/sdnc_netconf_tls_post_deploy/libraries/ClientManager.py new file mode 100644 index 00000000..ceff9742 --- /dev/null +++ b/tests/sdnc/sdnc_netconf_tls_post_deploy/libraries/ClientManager.py @@ -0,0 +1,179 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2020 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +__author__ = "Ajay Deep Singh (ajay.deep.singh@est.tech)" +__copyright__ = "Copyright (C) 2020 Nordix Foundation" +__license__ = "Apache 2.0" + +import os +import shutil +import subprocess + +import docker +from OpenSSL import crypto +from docker.types import Mount + +DEV_NULL = open(os.devnull, 'wb') +NETCONF_PNP_SIM_CONTAINER_NAME = 'netconf-simulator' +ARCHIVES_PATH = os.getenv("WORKSPACE") + "/archives/" + + +class ClientManager: + + def __init__(self, mount_path, truststore_path): + self.mount_path = mount_path + self.truststore_path = truststore_path + self.caCertPem = mount_path + '/ca.pem' + self.serverKeyPem = mount_path + '/server_key.pem' + self.serverCertPem = mount_path + '/server_cert.pem' + self.keystoreJksPath = mount_path + '/keystore.jks' + self.keystorePassPath = mount_path + '/keystore.pass' + self.truststoreJksPath = mount_path + '/truststore.jks' + self.truststorePassPath = mount_path + '/truststore.pass' + + # Function Create docker container. + def run_client_container(self, client_image, container_name, path_to_env, request_url, network): + self.create_mount_dir() + client = docker.from_env() + environment = self.read_env_list_from_file(path_to_env) + environment.append("REQUEST_URL=" + request_url) + container = client.containers.run( + image=client_image, + name=container_name, + environment=environment, + network=network, + user='root', + mounts=[Mount(target='/var/certs', source=self.mount_path, type='bind'), + Mount(target='/etc/onap/aaf/certservice/certs/', source=self.truststore_path, type='bind')], + detach=True + ) + exitcode = container.wait() + return exitcode + + # Function to validate keystore.jks/truststore.jks can be opened with generated pass-phrase. + def can_open_keystore_and_truststore_with_pass(self): + can_open_keystore = self.can_open_jks_file_with_pass_file(self.keystorePassPath, self.keystoreJksPath) + can_open_truststore = self.can_open_jks_file_with_pass_file(self.truststorePassPath, self.truststoreJksPath) + return can_open_keystore & can_open_truststore + + # Method for Uploading Certificate in SDNC-Container. + # Creating/Uploading Server-key, Server-cert, Ca-cert PEM files in Netconf-Pnp-Simulator. + def can_install_keystore_and_truststore_certs(self, cmd, container_name): + continue_exec = True + if container_name == NETCONF_PNP_SIM_CONTAINER_NAME: + print("Generating PEM files for {0} from JKS files".format(container_name)) + continue_exec = self.create_pem(self.keystorePassPath, self.keystoreJksPath, self.truststorePassPath, + self.truststoreJksPath) + if continue_exec: + print("Initiate Configuration Push for : {0}".format(container_name)) + resp_code = self.execute_bash_config(cmd, container_name) + if resp_code == 0: + print("Execution Successful for: {0}".format(container_name)) + return True + else: + print("Execution Failed for: {0}".format(container_name)) + return False + + def create_pem(self, keystore_pass_file_path, keystore_jks_file_path, truststore_pass_file_path, + truststore_jks_file_path): + # Create [server_key.pem, server_cert.pem, ca.pem] files for Netconf-Pnp-Simulation/TLS Configuration. + try: + keystore_p12 = self.get_pkcs12(keystore_pass_file_path, keystore_jks_file_path) + truststore_p12 = self.get_pkcs12(truststore_pass_file_path, truststore_jks_file_path) + with open(self.serverKeyPem, "wb+") as key_file: + key_file.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, keystore_p12.get_privatekey())) + with open(self.serverCertPem, "wb+") as server_cert_file: + server_cert_file.write(crypto.dump_certificate(crypto.FILETYPE_PEM, keystore_p12.get_certificate())) + with open(self.caCertPem, "wb+") as ca_cert_file: + ca_cert_file.write( + crypto.dump_certificate(crypto.FILETYPE_PEM, truststore_p12.get_ca_certificates()[0])) + return True + except IOError as err: + print("I/O Error: {0}".format(err)) + return False + except Exception as e: + print("UnExpected Error: {0}".format(e)) + return False + + def can_open_jks_file_with_pass_file(self, pass_file_path, jks_file_path): + try: + if jks_file_path.split('/')[-1] == 'truststore.jks': + pkcs12 = self.get_pkcs12(pass_file_path, jks_file_path).get_ca_certificates()[0] + else: + pkcs12 = self.get_pkcs12(pass_file_path, jks_file_path).get_certificate() + if pkcs12 is None: + return False + return True + except IOError as err: + print("I/O Error PKCS12 Creation failed: {0}".format(err)) + return False + except Exception as e: + print("UnExpected Error PKCS12 Creation failed: {0}".format(e)) + return False + + def remove_client_container_and_save_logs(self, container_name, log_file_name): + client = docker.from_env() + container = client.containers.get(container_name) + text_file = open(ARCHIVES_PATH + container_name + '_' + log_file_name + ".log", "w") + text_file.write(container.logs()) + text_file.close() + container.remove() + self.remove_mount_dir() + + def create_mount_dir(self): + if not os.path.exists(self.mount_path): + os.makedirs(self.mount_path) + + def remove_mount_dir(self): + shutil.rmtree(self.mount_path) + + @staticmethod + def get_pkcs12(pass_file_path, jks_file_path): + # Load PKCS12 Object + password = open(pass_file_path, 'rb').read() + p12 = crypto.load_pkcs12(open(jks_file_path, 'rb').read(), password) + return p12 + + @staticmethod + def execute_bash_config(cmd, container_name): + # Run command with arguments. Wait for command to complete or timeout, return code attribute. + try: + resp_code = subprocess.call(["%s %s" % (cmd, container_name)], shell=True, stdout=DEV_NULL, + stderr=subprocess.STDOUT) + print("Response Code from Config.sh execution: {0}".format(resp_code)) + return resp_code + except subprocess.CalledProcessError as e: + print("CalledProcessError Certificate installation failed in SDNC-ODL Container: {0}".format(e)) + return 1 # Return Error Code + + @staticmethod + def get_container_logs(container_name): + client = docker.from_env() + container = client.containers.get(container_name) + logs = container.logs() + return logs + + @staticmethod + def read_env_list_from_file(path): + f = open(path, "r") + r_list = [] + for line in f: + line = line.strip() + if line[0] != "#": + r_list.append(line) + return r_list diff --git a/tests/sdnc/sdnc_netconf_tls_post_deploy/libraries/config.sh b/tests/sdnc/sdnc_netconf_tls_post_deploy/libraries/config.sh new file mode 100755 index 00000000..cc6bf188 --- /dev/null +++ b/tests/sdnc/sdnc_netconf_tls_post_deploy/libraries/config.sh @@ -0,0 +1,129 @@ +#!/bin/bash + +# +# ============LICENSE_START======================================================= +# Copyright (C) 2020 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +# @author Ajay Deep Singh (ajay.deep.singh@est.tech) + +CONTAINER_NAME="$1" +LOGFILE="${WORKSPACE}"/archives/config.log +CONTAINER_ID=$(docker inspect --format="{{.Id}}" "$CONTAINER_NAME") + +OWNER="odl" +DEST_DIR="/tmp" + +CERT_DIR="${WORKSPACE}"/tests/sdnc/sdnc_netconf_tls_post_deploy/cert-data/* + +function now_ms() { + date +"%Y-%m-%d %H:%M:%S.%3N" +} + +function log() { + local level=$1 + shift + local message="$*" + printf "%s %-5s %s\n" "$(now_ms)" "$level" "$message" >>"$LOGFILE" +} + +# Copy [keystore.jks, truststore.jks, truststore.pass, keystore.pass] files into SDNC container. +function docker_cp() { + local file=$1 + docker cp "$file" "$CONTAINER_ID":"$DEST_DIR" + docker exec -u 0 "$CONTAINER_ID" chown "$OWNER":"$OWNER" "$DEST_DIR"/"${file##*/}" +} + +# Run installCerts.py script to push X509 Certificates to SDNC-ODL Keystore/Truststore. +function sdnc_conf() { + log INFO "Configuring SDNC-ODL Keystore..." + count=0 + exit_code=false + for i in {1..4}; do + for file in $CERT_DIR; do + if [[ -f $file ]]; then + log INFO "Uploading file :" "$file" + docker_cp "$file" + count=$((count + 1)) + fi + done + if [[ $count -eq 4 ]]; then + log INFO "SDNC JKS files upload successful" + exit_code=true + break + fi + log DEBUG "Waiting for JKS files to be uploaded to SDNC container.." + sleep 2m + done + if [[ "$exit_code" != "true" ]]; then + log DEBUG "JKS files Not found in $CERT_DIR" + exit 1 # Return error code + fi + sleep 2m + docker exec "$CONTAINER_ID" rm -rf /tmp/certs.properties + docker exec "$CONTAINER_ID" rm -rf /tmp/keys0.zip + if ! docker exec "$CONTAINER_ID" /usr/bin/python /opt/onap/sdnc/bin/installCerts.py; then + log DEBUG "Issue executing installCerts.py script" + docker cp "$CONTAINER_ID":/opt/opendaylight/data/log/installCerts.log "${WORKSPACE}"/archives + exit 1 # Return error code + fi + log INFO "Configuring SDNC-ODL Keystore successful" +} + +# Copy [Server_key.pem, Server_cert.pem, Ca.pem] files into Netconf-Simulator container. +# Reconfigure TLS config by invoking reconfigure-tls.sh script. +function netconf-simulator_conf() { + log INFO "Configuring Netconf-Pnp-Simulator..." + count=0 + exit_code=false + for i in {1..4}; do + for file in $CERT_DIR; do + if [[ -f $file && ${file: -4} == ".pem" ]]; then + log INFO "Uploading file :" "$file" + docker cp "$file" "$CONTAINER_ID":/config/tls + count=$((count + 1)) + fi + done + if [[ $count -eq 3 ]]; then + log INFO "PEM files upload successful" + exit_code=true + break + fi + log DEBUG "Waiting for PEM files to be uploaded to Netconf-Pnp-Simulator.." + sleep 2m + done + if [[ "$exit_code" != "true" ]]; then + log DEBUG "PEM files Not found in $CERT_DIR" + exit 1 # Return error code + fi + sleep 2m + if ! docker exec "$CONTAINER_ID" /opt/bin/reconfigure-tls.sh; then + log DEBUG "Issue executing reconfigure-tls.sh script" + docker logs "$CONTAINER_ID" > "${WORKSPACE}"/archives/simulator.log + exit 1 # Return error code + fi + log INFO "Configuring Netconf-Pnp-Simulator successful" +} + +# Push Config on SDNC, Netconf-Simulator. +if [[ -n $CONTAINER_ID ]]; then + log INFO "Container Name: $CONTAINER_NAME, Container Id: $CONTAINER_ID" + if [[ "$CONTAINER_NAME" == "sdnc" ]]; then + sdnc_conf + elif [[ "$CONTAINER_NAME" == "netconf-simulator" ]]; then + netconf-simulator_conf + fi +fi diff --git a/tests/sdnc/sdnc_netconf_tls_post_deploy/resources/sdnc-keywords.robot b/tests/sdnc/sdnc_netconf_tls_post_deploy/resources/sdnc-keywords.robot new file mode 100644 index 00000000..8e36e65f --- /dev/null +++ b/tests/sdnc/sdnc_netconf_tls_post_deploy/resources/sdnc-keywords.robot @@ -0,0 +1,84 @@ +*** Settings *** + +Resource ../../../common.robot +Resource ./sdnc-properties.robot + +Library Collections +Library RequestsLibrary +Library HttpLibrary.HTTP +Library ../libraries/ClientManager.py ${MOUNT_PATH} ${TRUSTSTORE_PATH} + +*** Keywords *** + +Create sessions + [Documentation] Create all required sessions + ${certs}= Create List ${CERTSERVICE_SERVER_CRT} ${CERTSERVICE_SERVER_KEY} + Create Client Cert Session alias ${AAFCERT_URL} client_certs=${certs} verify=${ROOTCA} disable_warnings=1 + Set Suite Variable ${https_valid_cert_session} alias + +Run Healthcheck + [Documentation] Run Healthcheck + ${resp}= Get Request ${https_valid_cert_session} /actuator/health + Should Be Equal As Strings ${resp.status_code} 200 + Validate Recieved Response ${resp} status UP + +Validate Recieved Response + [Documentation] Validate message that has been received + [Arguments] ${resp} ${key} ${expected_value} + ${json}= Parse Json ${resp.content} + ${value}= Get From Dictionary ${json} ${key} + Should Be Equal As Strings ${value} ${expected_value} + +Send Get Request And Validate Response + [Documentation] Send request to passed url and validate received response + [Arguments] ${path} ${resp_code} + ${resp}= Get Request ${https_valid_cert_session} ${path} + Should Be Equal As Strings ${resp.status_code} ${resp_code} + +Send Get Request And Validate Response Sdnc + [Documentation] Send request to passed url and validate received response + [Arguments] ${path} ${resp_code} + Create Session sdnc_restconf ${SDNC_RESTCONF_URL} + &{headers}= Create Dictionary Authorization=Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ== Content-Type=application/json Accept=application/json + ${resp}= Get Request sdnc_restconf ${path} headers=${headers} + Should Be Equal As Strings ${resp.status_code} ${resp_code} + +Send Get Request And Validate TLS Connection Response + [Documentation] Send request to passed url and validate received response + [Arguments] ${path} ${resp_code} + Create Session sdnc_restconf ${SDNC_RESTCONF_URL} + ${mount}= Get File ${REQUEST_DATA_PATH}${/}mount.xml + &{headers}= Create Dictionary Authorization=Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ== Content-Type=application/xml Accept=application/xml + ${resp}= Put Request sdnc_restconf ${path} data=${mount} headers=${headers} + Should Be Equal As Strings ${resp.status_code} 201 + Sleep 30 + &{headers1}= Create Dictionary Authorization=Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ== Content-Type=application/json Accept=application/json + ${resp1}= Get Request sdnc_restconf ${PNFSIM_MOUNT_PATH} headers=${headers1} + Should Be Equal As Strings ${resp1.status_code} ${resp_code} + Should Contain ${resp1.content} netconf-id + Should Contain ${resp1.content} netconf-param + +Send Delete Request And Validate PNF Mount Deleted + [Documentation] Send request to passed url and validate received response + [Arguments] ${path} ${resp_code} + Create Session sdnc_restconf ${SDNC_RESTCONF_URL} + ${mount}= Get File ${REQUEST_DATA_PATH}${/}mount.xml + &{headers}= Create Dictionary Authorization=Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ== Content-Type=application/json Accept=application/json + ${deleteresponse}= Delete Request sdnc_restconf ${path} data=${mount} headers=${headers} + Should Be Equal As Strings ${deleteresponse.status_code} ${resp_code} + Sleep 30 + ${del_topology}= Delete Request sdnc_restconf ${SDNC_NETWORK_TOPOLOGY} + ${del_keystore}= Delete Request sdnc_restconf ${SDNC_KEYSTORE_CONFIG_PATH} + Should Be Equal As Strings ${del_keystore.status_code} ${resp_code} + Should Be Equal As Strings ${del_topology.status_code} ${resp_code} + +Run Cert Service Client And Validate JKS File Creation And Client Exit Code + [Documentation] Run Cert Service Client Container And Validate Exit Code For SDNC + [Arguments] ${env_file} ${CONTAINER_NAME} ${expected_exit_code} + ${exit_code}= Run Client Container ${DOCKER_CLIENT_IMAGE} ${CLIENT_CONTAINER_NAME} ${env_file} ${CERT_SERVICE_ADDRESS}${CERT_SERVICE_ENDPOINT} ${CERT_SERVICE_NETWORK} + ${can_open}= Can Open Keystore And Truststore With Pass + ${install_certs}= Can Install Keystore And Truststore Certs ${CONF_SCRIPT} ${CONTAINER_NAME} + Remove Client Container And Save Logs ${CLIENT_CONTAINER_NAME} positive_path + Should Be Equal As Strings ${exit_code} ${expected_exit_code} Client return: ${exitcode} exit code, but expected: ${expected_exit_code} + Should Be True ${can_open} Cannot Open Keystore/TrustStore by Passphrase + Should Be True ${install_certs} Cannot Install Keystore/Truststore \ No newline at end of file diff --git a/tests/sdnc/sdnc_netconf_tls_post_deploy/resources/sdnc-properties.robot b/tests/sdnc/sdnc_netconf_tls_post_deploy/resources/sdnc-properties.robot new file mode 100644 index 00000000..131a52f9 --- /dev/null +++ b/tests/sdnc/sdnc_netconf_tls_post_deploy/resources/sdnc-properties.robot @@ -0,0 +1,37 @@ +*** Variables *** + +# AAF CertService +${NEXUS_DOCKER_REPO} nexus3.onap.org:10001 + +${RA_CA_NAME} RA +${CERT_SERVICE_PORT} 8443 +${CERT_SERVICE_CONTAINER_NAME} aaf-cert-service +${CERT_SERVICE_NETWORK} certservice_certservice +${AAFCERT_URL} https://localhost:${CERT_SERVICE_PORT} +${CERT_SERVICE_ENDPOINT} /v1/certificate/ +${CERT_SERVICE_ADDRESS} https://${CERT_SERVICE_CONTAINER_NAME}:${CERT_SERVICE_PORT} +${ROOTCA} %{WORKSPACE}/tests/sdnc/sdnc_netconf_tls_post_deploy/certs/root.crt +${CERTSERVICE_SERVER_CRT} %{WORKSPACE}/tests/sdnc/sdnc_netconf_tls_post_deploy/certs/certServiceServer.crt +${CERTSERVICE_SERVER_KEY} %{WORKSPACE}/tests/sdnc/sdnc_netconf_tls_post_deploy/certs/certServiceServer.key + +#AAF CerService Client +${CLIENT_CONTAINER_NAME} %{CLIENT_CONTAINER_NAME} +${DOCKER_CLIENT_IMAGE} nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latest +${TRUSTSTORE_PATH} %{WORKSPACE}/plans/sdnc/sdnc_netconf_tls_post_deploy/certs + +# SDNC Configuration +${REQUEST_DATA_PATH} %{REQUEST_DATA_PATH} +${SDNC_CONTAINER_NAME} %{SDNC_CONTAINER_NAME} +${SDNC_RESTCONF_URL} http://localhost:8282/restconf +${SDNC_KEYSTORE_CONFIG_PATH} /config/netconf-keystore:keystore +${SDNC_NETWORK_TOPOLOGY} /config/network-topology:network-topology +${MOUNT_PATH} %{WORKSPACE}/tests/sdnc/sdnc_netconf_tls_post_deploy/cert-data +${SDNC_CSR_FILE} %{WORKSPACE}/tests/sdnc/sdnc_netconf_tls_post_deploy/csr/sdnc_csr.env +${SDNC_MOUNT_PATH} /config/network-topology:network-topology/topology/topology-netconf/node/PNFDemo +${PNFSIM_MOUNT_PATH} /config/network-topology:network-topology/topology/topology-netconf/node/PNFDemo/yang-ext:mount/mynetconf:netconflist + +# Netconf-Pnp-Simulator +${NETCONF_PNP_SIM_CONTAINER_NAME} %{NETCONF_PNP_SIM_CONTAINER_NAME} +${NETCONF_PNP_SIM_CSR_FILE} %{WORKSPACE}/tests/sdnc/sdnc_netconf_tls_post_deploy/csr/netconf_pnp_simulator_csr.env +${CONF_SCRIPT} %{WORKSPACE}/tests/sdnc/sdnc_netconf_tls_post_deploy/libraries/config.sh +${CONF_TLS_SCRIPT} %{WORKSPACE}/tests/sdnc/sdnc_netconf_tls_post_deploy/libraries/config_tls.sh \ No newline at end of file diff --git a/tests/sdnc/sdnc_netconf_tls_post_deploy/sdnc_post_deploy_cert_check.robot b/tests/sdnc/sdnc_netconf_tls_post_deploy/sdnc_post_deploy_cert_check.robot index 75283dcb..c2b35e12 100644 --- a/tests/sdnc/sdnc_netconf_tls_post_deploy/sdnc_post_deploy_cert_check.robot +++ b/tests/sdnc/sdnc_netconf_tls_post_deploy/sdnc_post_deploy_cert_check.robot @@ -1,39 +1,60 @@ *** Settings *** -Library Collections -Library RequestsLibrary -Library OperatingSystem -Library json -Library String - -*** Variables *** -${SDNC_KEYSTORE_CONFIG_PATH} /config/netconf-keystore:keystore -${SDNC_MOUNT_PATH} /config/network-topology:network-topology/topology/topology-netconf/node/netopeer2 -${PNFSIM_MOUNT_PATH} /config/network-topology:network-topology/topology/topology-netconf/node/netopeer2/yang-ext:mount/mynetconf:netconflist - - *** Test Cases *** - Test SDNC Keystore - [Documentation] Checking keystore after SDNC installation - Create Session sdnc http://localhost:8282/restconf - &{headers}= Create Dictionary Authorization=Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ== Content-Type=application/json Accept=application/json - ${resp}= Get Request sdnc ${SDNC_KEYSTORE_CONFIG_PATH} headers=${headers} - Should Be Equal As Strings ${resp.status_code} 200 - ${keystoreContent}= Convert To String ${resp.content} - Log to console ************************* - Log to console ${resp.content} - Log to console ************************* - -# Test SDNC PNF Mount -# [Documentation] Checking PNF mount after SDNC installation -# Create Session sdnc http://localhost:8282/restconf -# ${mount}= Get File ${CURDIR}${/}data${/}mount.xml -# Log to console ${mount} -# &{headers}= Create Dictionary Authorization=Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ== Content-Type=application/xml Accept=application/xml -# ${resp}= Put Request sdnc ${SDNC_MOUNT_PATH} data=${mount} headers=${headers} -# Should Be Equal As Strings ${resp.status_code} 201 -# Sleep 30 -# &{headers1}= Create Dictionary Authorization=Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ== Content-Type=application/json Accept=application/json -# ${resp1}= Get Request sdnc ${PNFSIM_MOUNT_PATH} headers=${headers1} -# Should Be Equal As Strings ${resp1.status_code} 200 -# Log to console ${resp1.content} -# Should Contain ${resp1.content} netconf-id -# Should Contain ${resp1.content} netconf-param \ No newline at end of file + +Documentation SDNC, Netconf-Pnp-Simulator E2E Test Case Scenarios + +Library RequestsLibrary +Resource ./resources/sdnc-keywords.robot + +Suite Setup Create sessions + +*** Test Cases *** + +Health Check AAF CertService + [Tags] AAF-CERT-SERVICE + [Documentation] Service is Up and Running + Run health check + +Reload AAF CertService Configuration + [Tags] AAF-CERT-SERVICE + [Documentation] Configuration is Reloaded + Send Get Request And Validate Response /reload 200 + +Check AAF CertService Container Is Ready + [Tags] AAF-CERT-SERVICE + [Documentation] Send Request to /ready Endpoint and Expect 200 + Send Get Request And Validate Response /ready 200 + +Check SDNC Keystore For Netopeer2 Certificates + [Tags] SDNC-NETOPEER2-CERT-DEPLOYMENT + [Documentation] Checking Keystore after SDNC istallation + Send Get Request And Validate Response Sdnc ${SDNC_KEYSTORE_CONFIG_PATH} 200 + +Check SDNC And PNF TLS Connection Over Netopeer2 Certificates + [Tags] SDNC-PNF-TLS-CONNECTION-CHECK + [Documentation] Checking PNF Mount after SDNC Installation + Send Get Request And Validate TLS Connection Response ${SDNC_MOUNT_PATH} 200 + +Check PNF Delete And Remove Netopeer2 Certificates From Keystore + [Tags] SDNC-PNF-MOUNT-DELETE-CLEAR-KEYSTORE + [Documentation] Checking PNF Mount Delete from SDNC + Send Delete Request And Validate PNF Mount Deleted ${SDNC_MOUNT_PATH} 200 + +Check AAF-CertService Successfully Creates Certificates for SDNC + [Tags] AAF-CERT-SERVICE-SDNC + [Documentation] Run with SDNC CSR and Expected Exit Code 0 + Run Cert Service Client And Validate JKS File Creation And Client Exit Code ${SDNC_CSR_FILE} ${SDNC_CONTAINER_NAME} 0 + +Check SDNC-ODL Certificates Installation In Keystore And Truststore + [Tags] SDNC-ODL-CERTIFICATE-KEYSTORE-VALIDATE + [Documentation] Validate Certificates Got Installed in SDNC-ODL Keystore + Send Get Request And Validate Response Sdnc ${SDNC_KEYSTORE_CONFIG_PATH} 200 + +Check AAF-CertService Successfully Creates Certificates for Netconf-Pnp-Simulator + [Tags] AAF-CERT-SERVICE-NETCONF_PNP_SIMULATOR + [Documentation] Run with NETCONF-PNP-SIMULATOR CSR and Expect Exit Code 0 + Run Cert Service Client And Validate JKS File Creation And Client Exit Code ${NETCONF_PNP_SIM_CSR_FILE} ${NETCONF_PNP_SIM_CONTAINER_NAME} 0 + +Check SDNC-ODL Netconf-Pnp-Simulatore TLS Connection Establishment + [Tags] SDNC-ODL-NETCONF-PNP_SIMULATION-TLS-CONNECTION + [Documentation] Validate SDNC-ODL and Netconf-Pnp-Simulation TLS Connection Establishment + Send Get Request And Validate TLS Connection Response ${SDNC_MOUNT_PATH} 200 \ No newline at end of file -- cgit 1.2.3-korg