SDNC script changes to support jks, p12 cert formats from AAF

Issue-ID: SDNC-991 Change-Id: I9d5e6ea7bc04673bf6d4706787dbe3fc03f35d4c Signed-off-by: zrrmmua <ramesh.murugan.iyer@est.tech> Former-commit-id: 7ccd7f9a9e1d026d0f989233260d8159d537f832
author: rameshiyer27 <ramesh.murugan.iyer@est.tech> 2020-01-08 16:29:46 +0000
committer: Dan Timoney <dtimoney@att.com> 2020-02-22 16:02:07 +0000
commit: ea6748dd31b0ff111841d9f8cb6ed98a1c99c41c (patch)
tree: 890120179f6667894503f7e4a944791bad660a84 /installation
parent: cecebba7bbe59af143791a6d7f0ecf436f5c23ff (diff)
2 files changed, 115 insertions, 23 deletions
diff --git a/installation/sdnc/src/main/scripts/installCerts.py b/installation/sdnc/src/main/scripts/installCerts.py
index 4afc4b6e..42763f4b 100644
--- a/installation/sdnc/src/main/scripts/installCerts.py
+++ b/installation/sdnc/src/main/scripts/installCerts.py
@@ -25,6 +25,12 @@ import base64
 import time
 import zipfile
 import shutil
+import subprocess
+import logging
+
+log_file = '/opt/opendaylight/data/log/installCerts.log'
+log_format = "%(asctime)s - %(name)s - %(levelname)s - %(message)s"
+logging.basicConfig(filename=log_file,level=logging.DEBUG,filemode='w',format=log_format)
 
 Path = os.environ['ODL_CERT_DIR']
 
@@ -40,7 +46,8 @@ postKeystore= "/restconf/operations/netconf-keystore:add-keystore-entry"
 postPrivateKey= "/restconf/operations/netconf-keystore:add-private-key"
 postTrustedCertificate= "/restconf/operations/netconf-keystore:add-trusted-certificate"
 
-
+cadi_file = '.pass'
+odl_port = 8181
 headers = {'Authorization':'Basic %s' % base64.b64encode(username + ":" + password),
            'X-FromAppId': 'csit-sdnc',
            'X-TransactionId': 'csit-sdnc',
@@ -58,7 +65,7 @@ def readTrustedCertificate(folder, file):
     listCert = list()
     caPem = ""
     startCa = False
-    key = open(Path + "/" + folder + "/" + file, "r")
+    key = open(folder + "/" + file, "r")
     lines = key.readlines()
     for line in lines:
         if not "BEGIN CERTIFICATE" in line and not "END CERTIFICATE" in line and startCa:
@@ -85,10 +92,10 @@ def makeKeystoreKey(clientKey, count):
 
 def makePrivateKey(clientKey, clientCrt, certList, count):
     caPem = ""
-    for cert in certList:
-        caPem += '\"%s\",' % cert
-
-    caPem = caPem.rsplit(',', 1)[0]
+    if certList:
+        for cert in certList:
+            caPem += '\"%s\",' % cert
+        caPem = caPem.rsplit(',', 1)[0]
     odl_private_key="ODL_private_key_%d" %count
 
     json_private_key='{{\"input\": {{ \"private-key\":{{\"name\": \"{odl_private_key}\", \"data\" : ' \
@@ -121,9 +128,9 @@ def makeRestconfPost(conn, json_file, apiCall):
     res = conn.getresponse()
     res.read()
     if res.status != 200:
-        print "Error here, response back wasnt 200: Response was : %d , %s" % (res.status, res.reason)
+        logging.error("Error here, response back wasnt 200: Response was : %d , %s" % (res.status, res.reason))
     else:
-        print res.status, res.reason
+        logging.debug("Response :%s Reason :%s ",res.status, res.reason)
 
 def extractZipFiles(zipFileList, count):
     for zipFolder in zipFileList:
@@ -133,47 +140,58 @@ def extractZipFiles(zipFileList, count):
         processFiles(folder, count)
 
 def processFiles(folder, count):
-    conn = httplib.HTTPConnection("localhost",8181)
     for file in os.listdir(Path + "/" + folder):
         if os.path.isfile(Path + "/" + folder + "/" + file.strip()):
             if ".key" in file:
                 clientKey = readFile(folder, file.strip())
             elif "trustedCertificate" in file:
-                certList = readTrustedCertificate(folder, file.strip())
+                certList = readTrustedCertificate(Path + "/" + folder, file.strip())
             elif ".crt" in file:
                 clientCrt = readFile(folder, file.strip())
         else:
-            print "Could not find file %s" % file.strip()
+            logging.error("Could not find file %s" % file.strip())
     shutil.rmtree(Path + "/" + folder)
-    json_keystore_key = makeKeystoreKey(clientKey, count)
-    json_private_key = makePrivateKey(clientKey, clientCrt, certList, count)
-    json_trusted_cert = makeTrustedCertificate(certList, count)
+    post_content(clientKey, clientCrt, certList, count)
+
+def post_content(clientKey, clientCrt, certList, count):
+    conn = httplib.HTTPConnection("localhost",odl_port)
+    if clientKey:
+        json_keystore_key = makeKeystoreKey(clientKey, count)
+        logging.debug("Posting private key in to ODL keystore")
+        makeRestconfPost(conn, json_keystore_key, postKeystore)
+
+    if certList:
+        json_trusted_cert = makeTrustedCertificate(certList, count)
+        logging.debug("Posting trusted cert list in to ODL")
+        makeRestconfPost(conn, json_trusted_cert, postTrustedCertificate)
+
+    if clientKey and clientCrt and certList:
+        json_private_key = makePrivateKey(clientKey, clientCrt, certList, count)
+        logging.debug("Posting the cert in to ODL")
+        makeRestconfPost(conn, json_private_key, postPrivateKey)
 
-    makeRestconfPost(conn, json_keystore_key, postKeystore)
-    makeRestconfPost(conn, json_private_key, postPrivateKey)
-    makeRestconfPost(conn, json_trusted_cert, postTrustedCertificate)
 
 def makeHealthcheckCall(headers, timePassed):
     connected = False
     # WAIT 10 minutes maximum and test every 30 seconds if HealthCheck API is returning 200
     while timePassed < TIMEOUT:
         try:
-            conn = httplib.HTTPConnection("localhost",8181)
+            conn = httplib.HTTPConnection("localhost",odl_port)
             req = conn.request("POST", "/restconf/operations/SLI-API:healthcheck",headers=headers)
             res = conn.getresponse()
             res.read()
             if res.status == 200:
-                print ("Healthcheck Passed in %d seconds." %timePassed)
+                logging.debug("Healthcheck Passed in %d seconds." %timePassed)
                 connected = True
                 break
             else:
-                print ("Sleep: %d seconds before testing if Healthcheck worked. Total wait time up now is: %d seconds. Timeout is: %d seconds" %(INTERVAL, timePassed, TIMEOUT))
+                logging.debug("Sleep: %d seconds before testing if Healthcheck worked. Total wait time up now is: %d seconds. Timeout is: %d seconds" %(INTERVAL, timePassed, TIMEOUT))
         except:
-            print ("Cannot execute REST call. Sleep: %d seconds before testing if Healthcheck worked. Total wait time up now is: %d seconds. Timeout is: %d seconds" %(INTERVAL, timePassed, TIMEOUT))
+            logging.error("Cannot execute REST call. Sleep: %d seconds before testing if Healthcheck worked. Total wait time up now is: %d seconds. Timeout is: %d seconds" %(INTERVAL, timePassed, TIMEOUT))
         timePassed = timeIncrement(timePassed)
 
     if timePassed > TIMEOUT:
-        print ("TIME OUT: Healthcheck not passed in  %d seconds... Could cause problems for testing activities..." %TIMEOUT)
+        logging.error("TIME OUT: Healthcheck not passed in  %d seconds... Could cause problems for testing activities..." %TIMEOUT)
     return connected
 
 
@@ -182,6 +200,76 @@ def timeIncrement(timePassed):
     timePassed = timePassed + INTERVAL
     return timePassed
 
+def get_cadi_password():
+    try:
+        with open(Path + '/' + cadi_file , 'r') as file_obj:
+            cadi_pass = file_obj.read().split('=', 1)[1].strip()
+        return cadi_pass
+    except Exception as e:
+        logging.error("Error occurred while fetching password : %s", e)
+        exit()
+
+def cleanup():
+    for file in os.listdir(Path):
+        if os.path.isfile(Path + '/' + file):
+            logging.debug("Cleaning up the file %s", Path + '/'+ file)
+            os.remove(Path + '/'+ file)
+
+def extract_content(file, password, count):
+    try:
+        certList = []
+        key = None
+        cert = None
+        if (file.endswith('.jks')):
+            p12_file = file.replace('.jks', '.p12')
+            jks_cmd = 'keytool -importkeystore -srckeystore {src_file} -destkeystore {dest_file} -srcstoretype JKS -srcstorepass {src_pass} -deststoretype PKCS12 -deststorepass {dest_pass}'.format(src_file=file, dest_file=p12_file, src_pass=password, dest_pass=password)
+            logging.debug("Converting %s into p12 format", file)
+            os.system(jks_cmd)
+            file = p12_file
+
+        clcrt_cmd = 'openssl pkcs12 -in {src_file} -clcerts -nokeys  -passin pass:{src_pass}'.format(src_file=file, src_pass=password)
+        clkey_cmd = 'openssl pkcs12 -in {src_file}  -nocerts -nodes -passin pass:{src_pass}'.format(src_file=file, src_pass=password)
+        trust_file = file.split('/')[2] + '.trust'
+        trustCerts_cmd = 'openssl pkcs12 -in {src_file} -out {out_file} -cacerts -nokeys -passin pass:{src_pass} '.format(src_file=file, out_file=Path + '/' + trust_file, src_pass=password)
+
+        result_key = subprocess.check_output(clkey_cmd , shell=True)
+        if result_key:
+            key = result_key.split('-----BEGIN PRIVATE KEY-----', 1)[1].lstrip().split('-----END PRIVATE KEY-----')[0]
+
+        os.system(trustCerts_cmd)
+        if os.path.exists(Path + '/' + trust_file):
+            certList = readTrustedCertificate(Path, trust_file)
+
+        result_crt = subprocess.check_output(clcrt_cmd , shell=True)
+        if result_crt:
+            cert = result_crt.split('-----BEGIN CERTIFICATE-----', 1)[1].lstrip().split('-----END CERTIFICATE-----')[0]
+        """
+        To-do: Posting the key, cert, certList might need modification
+        based on how AAF distributes the files.
+
+        """
+        post_content(key, cert, certList, count)
+    except Exception as e:
+        logging.error("Error occurred while processing the file %s : %s", file,e)
+
+def lookforfiles():
+    count = 0
+    for file in os.listdir(Path):
+        if (file.endswith(('.p12', '.jks'))):
+            if os.path.exists(Path + '/' + cadi_file):
+                cert_password = get_cadi_password()
+                logging.debug("Extracting contents from the file %s", file)
+                extract_content(Path + '/' + file, cert_password, count)
+                count += 1
+            else:
+                logging.error("Cadi password file %s not present under cert directory", cadi_file)
+                exit()
+    if count > 0:
+        cleanup()
+    else:
+        logging.debug("No jks/p12 files found under cert directory %s", Path)
+
+
 def readCertProperties():
     connected = makeHealthcheckCall(headers, timePassed)
 
@@ -197,6 +285,9 @@ def readCertProperties():
                         count += 1
                         del zipFileList[:]
         else:
-            print "Error: File not found in path entered"
+            logging.debug("No zipfiles present under cert directory")
+
+        logging.info("Looking for jks/p12 files under cert directory")
+        lookforfiles()
 
 readCertProperties()
diff --git a/installation/sdnc/src/main/scripts/startODL.sh b/installation/sdnc/src/main/scripts/startODL.sh
index f6fa43a8..e043bc04 100755
--- a/installation/sdnc/src/main/scripts/startODL.sh
+++ b/installation/sdnc/src/main/scripts/startODL.sh
@@ -171,6 +171,7 @@ then
 fi
 
 cp /opt/opendaylight/current/certs/* /tmp
+cp -r /opt/app/osaaf/local/. /tmp
 
 nohup python ${SDNC_BIN}/installCerts.py &
author	rameshiyer27 <ramesh.murugan.iyer@est.tech>	2020-01-08 16:29:46 +0000
committer	Dan Timoney <dtimoney@att.com>	2020-02-22 16:02:07 +0000
commit	ea6748dd31b0ff111841d9f8cb6ed98a1c99c41c (patch)
tree	890120179f6667894503f7e4a944791bad660a84 /installation
parent	cecebba7bbe59af143791a6d7f0ecf436f5c23ff (diff)