diff options
Diffstat (limited to 'installation/sdnc/src/main/scripts/installCerts.oom.py')
-rw-r--r-- | installation/sdnc/src/main/scripts/installCerts.oom.py | 339 |
1 files changed, 0 insertions, 339 deletions
diff --git a/installation/sdnc/src/main/scripts/installCerts.oom.py b/installation/sdnc/src/main/scripts/installCerts.oom.py deleted file mode 100644 index 42af7d2c..00000000 --- a/installation/sdnc/src/main/scripts/installCerts.oom.py +++ /dev/null @@ -1,339 +0,0 @@ -# ============LICENSE_START======================================================= -# Copyright (C) 2019 Nordix Foundation. -# ================================================================================ -# extended by highstreet technologies GmbH (c) 2020 -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -# - - -# coding=utf-8 -import os -import http.client -import base64 -import time -import zipfile -import shutil -import subprocess -import logging - -odl_home = os.environ['ODL_HOME'] -log_directory = odl_home + '/data/log/' -log_file = log_directory + 'installCerts.log' -log_format = "%(asctime)s - %(name)s - %(levelname)s - %(message)s" -if not os.path.exists(log_directory): - os.makedirs(log_directory) -logging.basicConfig(filename=log_file,level=logging.DEBUG,filemode='w',format=log_format) -print ('Start cert provisioning. Log file: ' + log_file); - -Path = os.environ['ODL_CERT_DIR'] - -zipFileList = [] - -username = os.environ['ODL_ADMIN_USERNAME'] -password = os.environ['ODL_ADMIN_PASSWORD'] -newpassword = os.environ.get('ODL_ADMIN_NEWPASSWORD') -TIMEOUT=1000 -INTERVAL=30 -timePassed=0 - -postKeystore= "/rests/operations/netconf-keystore:add-keystore-entry" -postPrivateKey= "/rests/operations/netconf-keystore:add-private-key" -postTrustedCertificate= "/rests/operations/netconf-keystore:add-trusted-certificate" - -envOdlFeaturesBoot='ODL_FEATURES_BOOT' -# Strategy sli-api is default -certreadyCmd="POST" -certreadyUrl="/rests/operations/SLI-API:healthcheck" -odlFeaturesBoot=os.environ.get(envOdlFeaturesBoot) - -if odlFeaturesBoot is not None: - odlFeaturesBoot=odlFeaturesBoot.lower() - if 'odl-netconf-topology' in odlFeaturesBoot or 'odl-netconf-clustered-topology' in odlFeaturesBoot: - certreadyCmd="GET" - certreadyUrl="/rests/data/network-topology:network-topology" -logging.info('ODL ready strategy with command %s and url %s', certreadyCmd, certreadyUrl) - -cadi_file = '.pass' -odl_port = 8181 -cred_string = username + ":" + password -headers = {'Authorization':'Basic %s' % base64.b64encode(cred_string.encode()).decode(), - 'X-FromAppId': 'csit-sdnc', - 'X-TransactionId': 'csit-sdnc', - 'Accept':"application/json", - 'Content-type':"application/yang-data+json"} - -def readFile(folder, file): - key = open(Path + "/" + folder + "/" + file, "r") - fileRead = key.read() - key.close() - fileRead = "\n".join(fileRead.splitlines()[1:-1]) - return fileRead - -def readTrustedCertificate(folder, file): - listCert = list() - caPem = "" - startCa = False - key = open(folder + "/" + file, "r") - lines = key.readlines() - for line in lines: - if not "BEGIN CERTIFICATE" in line and not "END CERTIFICATE" in line and startCa: - caPem += line - elif "BEGIN CERTIFICATE" in line: - startCa = True - elif "END CERTIFICATE" in line: - startCa = False - listCert.append(caPem) - caPem = "" - return listCert - -def makeKeystoreKey(clientKey, count): - odl_private_key="ODL_private_key_%d" %count - - json_keystore_key='{{\"input\": {{ \"key-credential\": {{\"key-id\": \"{odl_private_key}\", \"private-key\" : ' \ - '\"{clientKey}\",\"passphrase\" : \"\"}}}}}}'.format( - odl_private_key=odl_private_key, - clientKey=clientKey) - - return json_keystore_key - -def makePrivateKey(clientKey, clientCrt, certList, count): - caPem = "" - if certList: - for cert in certList: - caPem += '\"%s\",' % cert - caPem = caPem.rsplit(',', 1)[0] - odl_private_key="ODL_private_key_%d" %count - - json_private_key='{{\"input\": {{ \"private-key\":{{\"name\": \"{odl_private_key}\", \"data\" : ' \ - '\"{clientKey}\",\"certificate-chain\":[\"{clientCrt}\",{caPem}]}}}}}}'.format( - odl_private_key=odl_private_key, - clientKey=clientKey, - clientCrt=clientCrt, - caPem=caPem) - - return json_private_key - -def makeTrustedCertificate(certList, count): - number = 0 - json_cert_format = "" - for cert in certList: - cert_name = "xNF_CA_certificate_%d_%d" %(count, number) - json_cert_format += '{{\"name\": \"{trusted_name}\",\"certificate\":\"{cert}\"}},\n'.format( - trusted_name=cert_name, - cert=cert.strip()) - number += 1 - - json_cert_format = json_cert_format.rsplit(',', 1)[0] - json_trusted_cert='{{\"input\": {{ \"trusted-certificate\": [{certificates}]}}}}'.format( - certificates=json_cert_format) - return json_trusted_cert - - -def makeRestconfPost(conn, json_file, apiCall): - req = conn.request("POST", apiCall, json_file, headers=headers) - res = conn.getresponse() - res.read() - if res.status != 200: - logging.error("Error here, response back wasnt 200: Response was : %d , %s" % (res.status, res.reason)) - else: - logging.debug("Response :%s Reason :%s ",res.status, res.reason) - -def extractZipFiles(zipFileList, count): - for zipFolder in zipFileList: - with zipfile.ZipFile(Path + "/" + zipFolder.strip(),"r") as zip_ref: - zip_ref.extractall(Path) - folder = zipFolder.rsplit(".")[0] - processFiles(folder, count) - -def processFiles(folder, count): - logging.info('Process folder: %d %s', count, folder) - for file in os.listdir(Path + "/" + folder): - if os.path.isfile(Path + "/" + folder + "/" + file.strip()): - if ".key" in file: - clientKey = readFile(folder, file.strip()) - elif "trustedCertificate" in file: - certList = readTrustedCertificate(Path + "/" + folder, file.strip()) - elif ".crt" in file: - clientCrt = readFile(folder, file.strip()) - else: - logging.error("Could not find file %s" % file.strip()) - shutil.rmtree(Path + "/" + folder) - post_content(clientKey, clientCrt, certList, count) - -def post_content(clientKey, clientCrt, certList, count): - logging.info('Post content: %d', count) - conn = http.client.HTTPConnection("localhost",odl_port) - if clientKey: - json_keystore_key = makeKeystoreKey(clientKey, count) - logging.debug("Posting private key in to ODL keystore") - makeRestconfPost(conn, json_keystore_key, postKeystore) - - if certList: - json_trusted_cert = makeTrustedCertificate(certList, count) - logging.debug("Posting trusted cert list in to ODL") - makeRestconfPost(conn, json_trusted_cert, postTrustedCertificate) - - if clientKey and clientCrt and certList: - json_private_key = makePrivateKey(clientKey, clientCrt, certList, count) - logging.debug("Posting the cert in to ODL") - makeRestconfPost(conn, json_private_key, postPrivateKey) - - -def makeHealthcheckCall(headers, timePassed): - connected = False - # WAIT 10 minutes maximum and test every 30 seconds if HealthCheck API is returning 200 - while timePassed < TIMEOUT: - try: - conn = http.client.HTTPConnection("localhost",odl_port) - req = conn.request(certreadyCmd, certreadyUrl,headers=headers) - res = conn.getresponse() - res.read() - httpStatus = res.status - if httpStatus == 200: - logging.debug("Healthcheck Passed in %d seconds." %timePassed) - connected = True - break - else: - logging.debug("Sleep: %d seconds before testing if Healthcheck worked. Total wait time up now is: %d seconds. Timeout is: %d seconds. Problem code was: %d" %(INTERVAL, timePassed, TIMEOUT, httpStatus)) - except: - logging.error("Cannot execute REST call. Sleep: %d seconds before testing if Healthcheck worked. Total wait time up now is: %d seconds. Timeout is: %d seconds." %(INTERVAL, timePassed, TIMEOUT)) - timePassed = timeIncrement(timePassed) - - if timePassed > TIMEOUT: - logging.error("TIME OUT: Healthcheck not passed in %d seconds... Could cause problems for testing activities..." %TIMEOUT) - - return connected - - -def timeIncrement(timePassed): - time.sleep(INTERVAL) - timePassed = timePassed + INTERVAL - return timePassed - -def get_cadi_password(): - try: - with open(Path + '/' + cadi_file , 'r') as file_obj: - cadi_pass = file_obj.read().split('=', 1)[1].strip() - return cadi_pass - except Exception as e: - logging.error("Error occurred while fetching password : %s", e) - exit() - -def cleanup(): - for file in os.listdir(Path): - if os.path.isfile(Path + '/' + file): - logging.debug("Cleaning up the file %s", Path + '/'+ file) - os.remove(Path + '/'+ file) - -def extract_content(file, password, count): - try: - certList = [] - key = None - cert = None - if (file.endswith('.jks')): - p12_file = file.replace('.jks', '.p12') - jks_cmd = 'keytool -importkeystore -srckeystore {src_file} -destkeystore {dest_file} -srcstoretype JKS -srcstorepass {src_pass} -deststoretype PKCS12 -deststorepass {dest_pass}'.format(src_file=file, dest_file=p12_file, src_pass=password, dest_pass=password) - logging.debug("Converting %s into p12 format", file) - os.system(jks_cmd) - file = p12_file - - clcrt_cmd = 'openssl pkcs12 -in {src_file} -clcerts -nokeys -passin pass:{src_pass}'.format(src_file=file, src_pass=password) - clkey_cmd = 'openssl pkcs12 -in {src_file} -nocerts -nodes -passin pass:{src_pass}'.format(src_file=file, src_pass=password) - trust_file = file.split('/')[2] + '.trust' - trustCerts_cmd = 'openssl pkcs12 -in {src_file} -out {out_file} -cacerts -nokeys -passin pass:{src_pass} '.format(src_file=file, out_file=Path + '/' + trust_file, src_pass=password) - - result_key = subprocess.check_output(clkey_cmd , shell=True) - if result_key: - key = result_key.split('-----BEGIN PRIVATE KEY-----', 1)[1].lstrip().split('-----END PRIVATE KEY-----')[0] - - os.system(trustCerts_cmd) - if os.path.exists(Path + '/' + trust_file): - certList = readTrustedCertificate(Path, trust_file) - - result_crt = subprocess.check_output(clcrt_cmd , shell=True) - if result_crt: - cert = result_crt.split('-----BEGIN CERTIFICATE-----', 1)[1].lstrip().split('-----END CERTIFICATE-----')[0] - """ - To-do: Posting the key, cert, certList might need modification - based on how AAF distributes the files. - - """ - post_content(key, cert, certList, count) - except Exception as e: - logging.error("Error occurred while processing the file %s : %s", file,e) - -def lookforfiles(): - count = 0 - for file in os.listdir(Path): - if (file.endswith(('.p12', '.jks'))): - if os.path.exists(Path + '/' + cadi_file): - cert_password = get_cadi_password() - logging.debug("Extracting contents from the file %s", file) - extract_content(Path + '/' + file, cert_password, count) - count += 1 - else: - logging.error("Cadi password file %s not present under cert directory", cadi_file) - exit() - if count > 0: - cleanup() - else: - logging.debug("No jks/p12 files found under cert directory %s", Path) - -def replaceAdminPassword(username, password, newpassword): - if newpassword is None: - logging.info('Not to replace password for user %s', username) - else: - logging.info('Replace password for user %s', username) - try: - jsondata = '{\"password\": \"{newpassword}\"}'.format(newpassword=newpassword) - url = '/auth/v1/users/{username}@sdn'.format(username=username) - loggin.info("Url %s data $s", url, jsondata) - conn = http.client.HTTPConnection("localhost",odl_port) - req = conn.request("PUT", url, jsondata, headers=headers) - res = conn.getresponse() - res.read() - httpStatus = res.status - if httpStatus == 200: - logging.debug("New password provided successfully for user %s", username) - else: - logging.debug("Password change was not possible. Problem code was: %d", httpStatus) - except: - logging.error("Cannot execute REST call to set password.") - -def readCertProperties(): - connected = makeHealthcheckCall(headers, timePassed) - logging.info('Connected status: %s', connected) - if connected: - replaceAdminPassword(username, password, newpassword) - count = 0 - if os.path.isfile(Path + "/certs.properties"): - with open(Path + "/certs.properties", "r") as f: - for line in f: - if not "*****" in line: - zipFileList.append(line) - else: - extractZipFiles(zipFileList, count) - count += 1 - del zipFileList[:] - else: - logging.debug("No zipfiles present under cert directory") - - logging.info("Looking for jks/p12 files under cert directory") - lookforfiles() - -readCertProperties() -logging.info('Cert installation ending') |