From 7ee6e129f29262b3c7828299bf457004abf28614 Mon Sep 17 00:00:00 2001 From: ajay_dp001 Date: Tue, 11 Aug 2020 15:43:54 +0530 Subject: Resolved Intermittent failure issue in SDNC CSIT Issue-ID: INT-1679 Signed-off-by: ajay_dp001 Change-Id: I022f6c3dd9c651bf21f3201340ccf1dbd0ad20c7 --- .../sdnc_netconf_tls_post_deploy/csr/sdnc_csr.env | 2 +- .../libraries/ClientManager.py | 28 +++--- .../libraries/config_tls.sh | 104 +++++++++++++++++++++ .../resources/sdnc-keywords.robot | 2 +- 4 files changed, 123 insertions(+), 13 deletions(-) create mode 100755 tests/sdnc/sdnc_netconf_tls_post_deploy/libraries/config_tls.sh diff --git a/tests/sdnc/sdnc_netconf_tls_post_deploy/csr/sdnc_csr.env b/tests/sdnc/sdnc_netconf_tls_post_deploy/csr/sdnc_csr.env index 57894753..5d647de6 100644 --- a/tests/sdnc/sdnc_netconf_tls_post_deploy/csr/sdnc_csr.env +++ b/tests/sdnc/sdnc_netconf_tls_post_deploy/csr/sdnc_csr.env @@ -2,7 +2,7 @@ REQUEST_TIMEOUT=30000 OUTPUT_PATH=/var/certs CA_NAME=RA -OUTPUT_TYPE=JKS +OUTPUT_TYPE=PEM KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks KEYSTORE_PASSWORD=secret TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/truststore.jks diff --git a/tests/sdnc/sdnc_netconf_tls_post_deploy/libraries/ClientManager.py b/tests/sdnc/sdnc_netconf_tls_post_deploy/libraries/ClientManager.py index b2399dfb..b1c024ff 100644 --- a/tests/sdnc/sdnc_netconf_tls_post_deploy/libraries/ClientManager.py +++ b/tests/sdnc/sdnc_netconf_tls_post_deploy/libraries/ClientManager.py @@ -25,7 +25,6 @@ import shutil import subprocess import docker -import jks from OpenSSL import crypto from docker.types import Mount @@ -39,13 +38,14 @@ class ClientManager: def __init__(self, mount_path, truststore_path): self.mount_path = mount_path self.truststore_path = truststore_path + self.keyPem = mount_path + '/key.pem' self.caCertPem = mount_path + '/ca.pem' self.serverKeyPem = mount_path + '/server_key.pem' self.serverCertPem = mount_path + '/server_cert.pem' - self.keystoreJksPath = mount_path + '/keystore.jks' + self.keystorePemPath = mount_path + '/keystore.pem' self.keystoreP12Path = mount_path + '/keystore.p12' self.keystorePassPath = mount_path + '/keystore.pass' - self.truststoreJksPath = mount_path + '/truststore.jks' + self.truststorePemPath = mount_path + '/truststore.pem' self.truststoreP12Path = mount_path + '/truststore.p12' self.truststorePassPath = mount_path + '/truststore.pass' @@ -71,18 +71,19 @@ class ClientManager: # Function to validate keystore/truststore can be opened with generated pass-phrase. def can_open_keystore_and_truststore_with_pass(self, container_name): if container_name != NETCONF_PNP_SIM_CONTAINER_NAME: - return self.can_open_keystore_and_truststore_jks_files() + return self.can_open_keystore_and_truststore_pem_files() else: return self.can_open_keystore_and_truststore_p12_files() - # Function to validate keystore.jks/truststore.jks can be opened with generated pass-phrase. - def can_open_keystore_and_truststore_jks_files(self): + # Function to validate keystore.pem/truststore.pem exist and are not empty. + def can_open_keystore_and_truststore_pem_files(self): try: - jks.KeyStore.load(self.keystoreJksPath, open(self.keystorePassPath, 'rb').read()) - jks.KeyStore.load(self.truststoreJksPath, open(self.truststorePassPath, 'rb').read()) - return True + private_key = self.file_exist_and_not_empty(self.keyPem) + keystore_pem = self.file_exist_and_not_empty(self.keystorePemPath) + truststore_pem = self.file_exist_and_not_empty(self.truststorePemPath) + return private_key and keystore_pem and truststore_pem except Exception as e: - print("UnExpected Error in validating keystore.jks/truststore.jks: {0}".format(e)) + print("UnExpected Error in validating keystore.pem/truststore.pem: {0}".format(e)) return False # Function to validate keystore.p12/truststore.p12 can be opened with generated pass-phrase. @@ -93,12 +94,14 @@ class ClientManager: # Method for Uploading Certificate in SDNC-Container. # Creating/Uploading Server-key, Server-cert, Ca-cert PEM files in Netconf-Pnp-Simulator. - def can_install_keystore_and_truststore_certs(self, cmd, container_name): + def can_install_keystore_and_truststore_certs(self, cmd, cmd_tls, container_name): continue_exec = True if container_name == NETCONF_PNP_SIM_CONTAINER_NAME: print("Generating PEM files for {0} from P12 files".format(container_name)) continue_exec = self.create_pem(self.keystorePassPath, self.keystoreP12Path, self.truststorePassPath, self.truststoreP12Path) + else: + cmd = cmd_tls if continue_exec: print("Initiate Configuration Push for : {0}".format(container_name)) resp_code = self.execute_bash_config(cmd, container_name) @@ -165,6 +168,9 @@ class ClientManager: def remove_mount_dir(self): shutil.rmtree(self.mount_path) + def file_exist_and_not_empty(self, path_to_file): + return os.path.isfile(path_to_file) and os.path.getsize(path_to_file) > 0 + @staticmethod def get_pkcs12(pass_file_path, p12_file_path): # Load PKCS12 Object diff --git a/tests/sdnc/sdnc_netconf_tls_post_deploy/libraries/config_tls.sh b/tests/sdnc/sdnc_netconf_tls_post_deploy/libraries/config_tls.sh new file mode 100755 index 00000000..323f8100 --- /dev/null +++ b/tests/sdnc/sdnc_netconf_tls_post_deploy/libraries/config_tls.sh @@ -0,0 +1,104 @@ +#!/bin/bash + +# ============LICENSE_START======================================================= +# Copyright (C) 2020 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +set -o errexit +set -o pipefail +set -o nounset +[ "${SHELL_XTRACE:-false}" = "true" ] && set -o xtrace + +CONFIG=${CONFIG:-"${WORKSPACE}"/tests/sdnc/sdnc_netconf_tls_post_deploy/cert-data} +CONTAINER_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.Gateway}}{{end}}' sdnc) +ODL_URL=${ODL_URL:-http://"${CONTAINER_IP}":8282} +PROC_NAME=${0##*/} +PROC_NAME=${PROC_NAME%.sh} + +function now_ms() { + # Requires coreutils package + date +"%Y-%m-%d %H:%M:%S.%3N" +} + +function log() { + local level=$1 + shift + local message="$*" + printf "%s %-5s [%s] %s\n" "$(now_ms)" $level $PROC_NAME "$message" +} + +# Extracts the body of a PEM file by removing the dashed header and footer +pem_body() { + grep -Fv -- ----- $1 +} + +CA_CERT_ID=xNF_CA_certificate_0_0 +CA_CERT=$(pem_body $CONFIG/truststore.pem) + +SERVER_PRIV_KEY_ID=ODL_private_key_0 +SERVER_KEY=$(pem_body $CONFIG/key.pem) +SERVER_CERT=$(pem_body $CONFIG/keystore.pem) + +RESTCONF_URL=$ODL_URL/restconf +NETCONF_KEYSTORE_PATH=$RESTCONF_URL/config/netconf-keystore:keystore + +xcurl() { + curl -s -o /dev/null -H "Authorization: Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ==" -w %{http_code} "$@" +} + +log INFO Delete Keystore +sc=$(xcurl -X DELETE $NETCONF_KEYSTORE_PATH) + +if [ "$sc" != "200" -a "$sc" != "404" ]; then + log ERROR "Keystore deletion failed with SC=$sc" + exit 1 +fi + +log INFO Load CA certificate +sc=$(xcurl -X POST $NETCONF_KEYSTORE_PATH --header "Content-Type: application/json" --data " +{ + \"trusted-certificate\": [ + { + \"name\": \"$CA_CERT_ID\", + \"certificate\": \"$CA_CERT\" + } + ] +} +") + +if [ "$sc" != "200" -a "$sc" != "204" ]; then + log ERROR Trusted-certificate update failed with SC=$sc + exit 1 +fi + +log INFO Load server private key and certificate +sc=$(xcurl -X POST $NETCONF_KEYSTORE_PATH --header "Content-Type: application/json" --data " +{ + \"private-key\": { + \"name\": \"$SERVER_PRIV_KEY_ID\", + \"certificate-chain\": [ + \"$SERVER_CERT\" + ], + \"data\": \"$SERVER_KEY\" + } +} +") + +if [ "$sc" != "200" -a "$sc" != "204" ]; then + log ERROR Private-key update failed with SC=$sc + exit 1 +fi \ No newline at end of file diff --git a/tests/sdnc/sdnc_netconf_tls_post_deploy/resources/sdnc-keywords.robot b/tests/sdnc/sdnc_netconf_tls_post_deploy/resources/sdnc-keywords.robot index a7fbcccc..52cc5d2f 100644 --- a/tests/sdnc/sdnc_netconf_tls_post_deploy/resources/sdnc-keywords.robot +++ b/tests/sdnc/sdnc_netconf_tls_post_deploy/resources/sdnc-keywords.robot @@ -77,7 +77,7 @@ Run Cert Service Client And Validate JKS File Creation And Client Exit Code [Arguments] ${env_file} ${CONTAINER_NAME} ${expected_exit_code} ${exit_code}= Run Client Container ${DOCKER_CLIENT_IMAGE} ${CLIENT_CONTAINER_NAME} ${env_file} ${CERT_SERVICE_ADDRESS}${CERT_SERVICE_ENDPOINT} ${CERT_SERVICE_NETWORK} ${can_open}= Can Open Keystore And Truststore With Pass ${CONTAINER_NAME} - ${install_certs}= Can Install Keystore And Truststore Certs ${CONF_SCRIPT} ${CONTAINER_NAME} + ${install_certs}= Can Install Keystore And Truststore Certs ${CONF_SCRIPT} ${CONF_TLS_SCRIPT} ${CONTAINER_NAME} Remove Client Container And Save Logs ${CLIENT_CONTAINER_NAME} positive_path Should Be Equal As Strings ${exit_code} ${expected_exit_code} Client return: ${exitcode} exit code, but expected: ${expected_exit_code} Should Be True ${can_open} Cannot Open Keystore/TrustStore by Passphrase -- cgit 1.2.3-korg