1 # ============LICENSE_START=======================================================
2 # Copyright (C) 2019 Nordix Foundation.
3 # ================================================================================
4 # extended by highstreet technologies GmbH (c) 2020
5 # ================================================================================
6 # Licensed under the Apache License, Version 2.0 (the "License");
7 # you may not use this file except in compliance with the License.
8 # You may obtain a copy of the License at
10 # http://www.apache.org/licenses/LICENSE-2.0
12 # Unless required by applicable law or agreed to in writing, software
13 # distributed under the License is distributed on an "AS IS" BASIS,
14 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 # See the License for the specific language governing permissions and
16 # limitations under the License.
18 # SPDX-License-Identifier: Apache-2.0
19 # ============LICENSE_END=========================================================
33 odl_home = os.environ['ODL_HOME']
34 log_directory = odl_home + '/data/log/'
35 log_file = log_directory + 'installCerts.log'
36 log_format = "%(asctime)s - %(name)s - %(levelname)s - %(message)s"
37 if not os.path.exists(log_directory):
38 os.makedirs(log_directory)
39 logging.basicConfig(filename=log_file,level=logging.DEBUG,filemode='w',format=log_format)
40 print ('Start cert provisioning. Log file: ' + log_file);
42 Path = os.environ['ODL_CERT_DIR']
46 username = os.environ['ODL_ADMIN_USERNAME']
47 password = os.environ['ODL_ADMIN_PASSWORD']
48 newpassword = os.environ.get('ODL_ADMIN_NEWPASSWORD')
53 postKeystore= "/rests/operations/netconf-keystore:add-keystore-entry"
54 postPrivateKey= "/rests/operations/netconf-keystore:add-private-key"
55 postTrustedCertificate= "/rests/operations/netconf-keystore:add-trusted-certificate"
57 envOdlFeaturesBoot='ODL_FEATURES_BOOT'
58 # Strategy sli-api is default
60 certreadyUrl="/rests/operations/SLI-API:healthcheck"
61 odlFeaturesBoot=os.environ.get(envOdlFeaturesBoot)
63 if odlFeaturesBoot is not None:
64 odlFeaturesBoot=odlFeaturesBoot.lower()
65 if 'odl-netconf-topology' in odlFeaturesBoot or 'odl-netconf-clustered-topology' in odlFeaturesBoot:
67 certreadyUrl="/rests/data/network-topology:network-topology"
68 logging.info('ODL ready strategy with command %s and url %s', certreadyCmd, certreadyUrl)
72 cred_string = username + ":" + password
73 headers = {'Authorization':'Basic %s' % base64.b64encode(cred_string.encode()).decode(),
74 'X-FromAppId': 'csit-sdnc',
75 'X-TransactionId': 'csit-sdnc',
76 'Accept':"application/json",
77 'Content-type':"application/yang-data+json"}
79 def readFile(folder, file):
80 key = open(Path + "/" + folder + "/" + file, "r")
83 fileRead = "\n".join(fileRead.splitlines()[1:-1])
86 def readTrustedCertificate(folder, file):
90 key = open(folder + "/" + file, "r")
91 lines = key.readlines()
93 if not "BEGIN CERTIFICATE" in line and not "END CERTIFICATE" in line and startCa:
95 elif "BEGIN CERTIFICATE" in line:
97 elif "END CERTIFICATE" in line:
99 listCert.append(caPem)
103 def makeKeystoreKey(clientKey, count):
104 odl_private_key="ODL_private_key_%d" %count
106 json_keystore_key='{{\"input\": {{ \"key-credential\": {{\"key-id\": \"{odl_private_key}\", \"private-key\" : ' \
107 '\"{clientKey}\",\"passphrase\" : \"\"}}}}}}'.format(
108 odl_private_key=odl_private_key,
111 return json_keystore_key
113 def makePrivateKey(clientKey, clientCrt, certList, count):
116 for cert in certList:
117 caPem += '\"%s\",' % cert
118 caPem = caPem.rsplit(',', 1)[0]
119 odl_private_key="ODL_private_key_%d" %count
121 json_private_key='{{\"input\": {{ \"private-key\":{{\"name\": \"{odl_private_key}\", \"data\" : ' \
122 '\"{clientKey}\",\"certificate-chain\":[\"{clientCrt}\",{caPem}]}}}}}}'.format(
123 odl_private_key=odl_private_key,
128 return json_private_key
130 def makeTrustedCertificate(certList, count):
132 json_cert_format = ""
133 for cert in certList:
134 cert_name = "xNF_CA_certificate_%d_%d" %(count, number)
135 json_cert_format += '{{\"name\": \"{trusted_name}\",\"certificate\":\"{cert}\"}},\n'.format(
136 trusted_name=cert_name,
140 json_cert_format = json_cert_format.rsplit(',', 1)[0]
141 json_trusted_cert='{{\"input\": {{ \"trusted-certificate\": [{certificates}]}}}}'.format(
142 certificates=json_cert_format)
143 return json_trusted_cert
146 def makeRestconfPost(conn, json_file, apiCall):
147 req = conn.request("POST", apiCall, json_file, headers=headers)
148 res = conn.getresponse()
150 if res.status != 200:
151 logging.error("Error here, response back wasnt 200: Response was : %d , %s" % (res.status, res.reason))
153 logging.debug("Response :%s Reason :%s ",res.status, res.reason)
155 def extractZipFiles(zipFileList, count):
156 for zipFolder in zipFileList:
157 with zipfile.ZipFile(Path + "/" + zipFolder.strip(),"r") as zip_ref:
158 zip_ref.extractall(Path)
159 folder = zipFolder.rsplit(".")[0]
160 processFiles(folder, count)
162 def processFiles(folder, count):
163 logging.info('Process folder: %d %s', count, folder)
164 for file in os.listdir(Path + "/" + folder):
165 if os.path.isfile(Path + "/" + folder + "/" + file.strip()):
167 clientKey = readFile(folder, file.strip())
168 elif "trustedCertificate" in file:
169 certList = readTrustedCertificate(Path + "/" + folder, file.strip())
171 clientCrt = readFile(folder, file.strip())
173 logging.error("Could not find file %s" % file.strip())
174 shutil.rmtree(Path + "/" + folder)
175 post_content(clientKey, clientCrt, certList, count)
177 def post_content(clientKey, clientCrt, certList, count):
178 logging.info('Post content: %d', count)
179 conn = http.client.HTTPConnection("localhost",odl_port)
181 json_keystore_key = makeKeystoreKey(clientKey, count)
182 logging.debug("Posting private key in to ODL keystore")
183 makeRestconfPost(conn, json_keystore_key, postKeystore)
186 json_trusted_cert = makeTrustedCertificate(certList, count)
187 logging.debug("Posting trusted cert list in to ODL")
188 makeRestconfPost(conn, json_trusted_cert, postTrustedCertificate)
190 if clientKey and clientCrt and certList:
191 json_private_key = makePrivateKey(clientKey, clientCrt, certList, count)
192 logging.debug("Posting the cert in to ODL")
193 makeRestconfPost(conn, json_private_key, postPrivateKey)
196 def makeHealthcheckCall(headers, timePassed):
198 # WAIT 10 minutes maximum and test every 30 seconds if HealthCheck API is returning 200
199 while timePassed < TIMEOUT:
201 conn = http.client.HTTPConnection("localhost",odl_port)
202 req = conn.request(certreadyCmd, certreadyUrl,headers=headers)
203 res = conn.getresponse()
205 httpStatus = res.status
206 if httpStatus == 200:
207 logging.debug("Healthcheck Passed in %d seconds." %timePassed)
211 logging.debug("Sleep: %d seconds before testing if Healthcheck worked. Total wait time up now is: %d seconds. Timeout is: %d seconds. Problem code was: %d" %(INTERVAL, timePassed, TIMEOUT, httpStatus))
213 logging.error("Cannot execute REST call. Sleep: %d seconds before testing if Healthcheck worked. Total wait time up now is: %d seconds. Timeout is: %d seconds." %(INTERVAL, timePassed, TIMEOUT))
214 timePassed = timeIncrement(timePassed)
216 if timePassed > TIMEOUT:
217 logging.error("TIME OUT: Healthcheck not passed in %d seconds... Could cause problems for testing activities..." %TIMEOUT)
222 def timeIncrement(timePassed):
224 timePassed = timePassed + INTERVAL
227 def get_cadi_password():
229 with open(Path + '/' + cadi_file , 'r') as file_obj:
230 cadi_pass = file_obj.read().split('=', 1)[1].strip()
232 except Exception as e:
233 logging.error("Error occurred while fetching password : %s", e)
237 for file in os.listdir(Path):
238 if os.path.isfile(Path + '/' + file):
239 logging.debug("Cleaning up the file %s", Path + '/'+ file)
240 os.remove(Path + '/'+ file)
242 def extract_content(file, password, count):
247 if (file.endswith('.jks')):
248 p12_file = file.replace('.jks', '.p12')
249 jks_cmd = 'keytool -importkeystore -srckeystore {src_file} -destkeystore {dest_file} -srcstoretype JKS -srcstorepass {src_pass} -deststoretype PKCS12 -deststorepass {dest_pass}'.format(src_file=file, dest_file=p12_file, src_pass=password, dest_pass=password)
250 logging.debug("Converting %s into p12 format", file)
254 clcrt_cmd = 'openssl pkcs12 -in {src_file} -clcerts -nokeys -passin pass:{src_pass}'.format(src_file=file, src_pass=password)
255 clkey_cmd = 'openssl pkcs12 -in {src_file} -nocerts -nodes -passin pass:{src_pass}'.format(src_file=file, src_pass=password)
256 trust_file = file.split('/')[2] + '.trust'
257 trustCerts_cmd = 'openssl pkcs12 -in {src_file} -out {out_file} -cacerts -nokeys -passin pass:{src_pass} '.format(src_file=file, out_file=Path + '/' + trust_file, src_pass=password)
259 result_key = subprocess.check_output(clkey_cmd , shell=True)
261 key = result_key.split('-----BEGIN PRIVATE KEY-----', 1)[1].lstrip().split('-----END PRIVATE KEY-----')[0]
263 os.system(trustCerts_cmd)
264 if os.path.exists(Path + '/' + trust_file):
265 certList = readTrustedCertificate(Path, trust_file)
267 result_crt = subprocess.check_output(clcrt_cmd , shell=True)
269 cert = result_crt.split('-----BEGIN CERTIFICATE-----', 1)[1].lstrip().split('-----END CERTIFICATE-----')[0]
271 To-do: Posting the key, cert, certList might need modification
272 based on how AAF distributes the files.
275 post_content(key, cert, certList, count)
276 except Exception as e:
277 logging.error("Error occurred while processing the file %s : %s", file,e)
281 for file in os.listdir(Path):
282 if (file.endswith(('.p12', '.jks'))):
283 if os.path.exists(Path + '/' + cadi_file):
284 cert_password = get_cadi_password()
285 logging.debug("Extracting contents from the file %s", file)
286 extract_content(Path + '/' + file, cert_password, count)
289 logging.error("Cadi password file %s not present under cert directory", cadi_file)
294 logging.debug("No jks/p12 files found under cert directory %s", Path)
296 def replaceAdminPassword(username, password, newpassword):
297 if newpassword is None:
298 logging.info('Not to replace password for user %s', username)
300 logging.info('Replace password for user %s', username)
302 jsondata = '{\"password\": \"{newpassword}\"}'.format(newpassword=newpassword)
303 url = '/auth/v1/users/{username}@sdn'.format(username=username)
304 loggin.info("Url %s data $s", url, jsondata)
305 conn = http.client.HTTPConnection("localhost",odl_port)
306 req = conn.request("PUT", url, jsondata, headers=headers)
307 res = conn.getresponse()
309 httpStatus = res.status
310 if httpStatus == 200:
311 logging.debug("New password provided successfully for user %s", username)
313 logging.debug("Password change was not possible. Problem code was: %d", httpStatus)
315 logging.error("Cannot execute REST call to set password.")
317 def readCertProperties():
318 connected = makeHealthcheckCall(headers, timePassed)
319 logging.info('Connected status: %s', connected)
321 replaceAdminPassword(username, password, newpassword)
323 if os.path.isfile(Path + "/certs.properties"):
324 with open(Path + "/certs.properties", "r") as f:
326 if not "*****" in line:
327 zipFileList.append(line)
329 extractZipFiles(zipFileList, count)
333 logging.debug("No zipfiles present under cert directory")
335 logging.info("Looking for jks/p12 files under cert directory")
339 logging.info('Cert installation ending')