# ============LICENSE_START=======================================================
# Copyright (C) 2019 Nordix Foundation.
# ================================================================================
+# extended by highstreet technologies GmbH (c) 2020
+# Copyright (c) 2021 Nokia Intellectual Property.
+# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# coding=utf-8
import os
-import httplib
+import re
+import http.client
import base64
import time
import zipfile
import shutil
+import subprocess
+import logging
+
+odl_home = os.environ['ODL_HOME']
+log_directory = odl_home + '/data/log/'
+log_file = log_directory + 'installCerts.log'
+with open(os.path.join(log_directory, 'installCerts.log'), 'w') as fp:
+ pass
+log_format = "%(asctime)s - %(name)s - %(levelname)s - %(message)s"
+if not os.path.exists(log_directory):
+ os.makedirs(log_directory)
+logging.basicConfig(filename=log_file,level=logging.DEBUG,filemode='w',format=log_format)
+print ('Start cert provisioning. Log file: ' + log_file);
Path = "/tmp"
+if "ODL_CERT_DIR" in os.environ:
+ Path = os.environ['ODL_CERT_DIR']
zipFileList = []
-username = "admin"
-password = "Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U"
-TIME_OUT=1000
+username = os.environ['ODL_ADMIN_USERNAME']
+password = os.environ['ODL_ADMIN_PASSWORD']
+newpassword = os.environ.get('ODL_ADMIN_NEWPASSWORD')
+TIMEOUT=1000
INTERVAL=30
-TIME=0
+timePassed=0
+
+postKeystore= "/rests/operations/netconf-keystore:add-keystore-entry"
+postPrivateKey= "/rests/operations/netconf-keystore:add-private-key"
+postTrustedCertificate= "/rests/operations/netconf-keystore:add-trusted-certificate"
+
+truststore_pass_file = Path + '/truststore.pass'
+truststore_file = Path + '/truststore.jks'
+
+keystore_pass_file = Path + '/keystore.pass'
+keystore_file = Path + '/keystore.jks'
-postKeystore= "/restconf/operations/netconf-keystore:add-keystore-entry"
-postPrivateKey= "/restconf/operations/netconf-keystore:add-private-key"
-postTrustedCertificate= "/restconf/operations/netconf-keystore:add-trusted-certificate"
+jks_files = [truststore_pass_file, keystore_pass_file, keystore_file, truststore_file]
+envOdlFeaturesBoot='ODL_FEATURES_BOOT'
+# Strategy sli-api is default
+certreadyCmd="POST"
+certreadyUrl="/rests/operations/SLI-API:healthcheck"
-headers = {'Authorization':'Basic %s' % base64.b64encode(username + ":" + password),
+if "SDNRWT" in os.environ:
+ sdnrWt = os.environ['SDNRWT']
+ if sdnrWt == "true":
+ certreadyCmd="GET"
+ certreadyUrl="/rests/data/network-topology:network-topology"
+logging.info('ODL ready strategy with command %s and url %s', certreadyCmd, certreadyUrl)
+
+odl_port = 8181
+cred_string = username + ":" + password
+headers = {'Authorization':'Basic %s' % base64.b64encode(cred_string.encode()).decode(),
'X-FromAppId': 'csit-sdnc',
'X-TransactionId': 'csit-sdnc',
'Accept':"application/json",
- 'Content-type':"application/json"}
+ 'Content-type':"application/yang-data+json"}
def readFile(folder, file):
key = open(Path + "/" + folder + "/" + file, "r")
return fileRead
def readTrustedCertificate(folder, file):
+ listCert = list()
caPem = ""
- serverCrt = ""
startCa = False
- startCrt = False
- key = open(Path + "/" + folder + "/" + file, "r")
+ key = open(folder + "/" + file, "r")
lines = key.readlines()
for line in lines:
- if not "BEGIN CERTIFICATE CA.pem" in line and not "END CERTIFICATE CA.pem" in line and startCa:
+ if not "BEGIN CERTIFICATE" in line and not "END CERTIFICATE" in line and startCa:
caPem += line
- elif "BEGIN CERTIFICATE CA.pem" in line:
+ elif "BEGIN CERTIFICATE" in line:
startCa = True
- elif "END CERTIFICATE CA.pem" in line:
+ elif "END CERTIFICATE" in line:
startCa = False
-
- if not "BEGIN CERTIFICATE Server.crt" in line and not "END CERTIFICATE Server.crt" in line and startCrt:
- serverCrt += line
- elif "BEGIN CERTIFICATE Server.crt" in line:
- startCrt = True
- elif "END CERTIFICATE Server.crt" in line:
- startCrt = False
- return caPem, serverCrt
+ listCert.append(caPem)
+ caPem = ""
+ return listCert
def makeKeystoreKey(clientKey, count):
- odl_private_key="ODL_private_key_%d" %count
+ odl_private_key = "ODL_private_key_%d" %count
json_keystore_key='{{\"input\": {{ \"key-credential\": {{\"key-id\": \"{odl_private_key}\", \"private-key\" : ' \
'\"{clientKey}\",\"passphrase\" : \"\"}}}}}}'.format(
return json_keystore_key
-
-
-def makePrivateKey(clientKey, clientCrt, caPem, count):
+def makePrivateKey(clientKey, clientCrt, certList, count):
+ caPem = ""
+ if certList:
+ for cert in certList:
+ caPem += '\"%s\",' % cert
+ caPem = caPem.rsplit(',', 1)[0]
odl_private_key="ODL_private_key_%d" %count
json_private_key='{{\"input\": {{ \"private-key\":{{\"name\": \"{odl_private_key}\", \"data\" : ' \
- '\"{clientKey}\",\"certificate-chain\":[\"{clientCrt}\",\"{caPem}\"]}}}}}}'.format(
+ '\"{clientKey}\",\"certificate-chain\":[\"{clientCrt}\",{caPem}]}}}}}}'.format(
odl_private_key=odl_private_key,
clientKey=clientKey,
clientCrt=clientCrt,
return json_private_key
-def makeTrustedCertificate(serverCrt, caPem, count):
- trusted_cert_name = "xNF_Server_certificate_%d" %count
- trusted_name = "xNF_CA_certificate_%d" %count
-
- json_trusted_cert='{{\"input\": {{ \"trusted-certificate\": [{{\"name\":\"{trusted_cert_name}\",\"certificate\" : ' \
- '\"{serverCrt}\"}},{{\"name\": \"{trusted_name}\",\"certificate\":\"{caPem}\"}}]}}}}'.format(
- trusted_cert_name=trusted_cert_name,
- serverCrt=serverCrt,
- trusted_name=trusted_name,
- caPem=caPem)
-
+def makeTrustedCertificate(certList, count):
+ number = 0
+ json_cert_format = ""
+ for cert in certList:
+ cert_name = "xNF_CA_certificate_%d_%d" %(count, number)
+ json_cert_format += '{{\"name\": \"{trusted_name}\",\"certificate\":\"{cert}\"}},\n'.format(
+ trusted_name=cert_name,
+ cert=cert.strip())
+ number += 1
+
+ json_cert_format = json_cert_format.rsplit(',', 1)[0]
+ json_trusted_cert='{{\"input\": {{ \"trusted-certificate\": [{certificates}]}}}}'.format(
+ certificates=json_cert_format)
return json_trusted_cert
res = conn.getresponse()
res.read()
if res.status != 200:
- print "Error here, response back wasnt 200: Response was : %d , %s" % (res.status, res.reason)
+ logging.error("Error here, response back wasnt 200: Response was : %d , %s" % (res.status, res.reason))
else:
- print res.status, res.reason
+ logging.debug("Response :%s Reason :%s ",res.status, res.reason)
def extractZipFiles(zipFileList, count):
for zipFolder in zipFileList:
processFiles(folder, count)
def processFiles(folder, count):
- conn = httplib.HTTPConnection("localhost",8181)
+ logging.info('Process folder: %d %s', count, folder)
for file in os.listdir(Path + "/" + folder):
if os.path.isfile(Path + "/" + folder + "/" + file.strip()):
if ".key" in file:
clientKey = readFile(folder, file.strip())
elif "trustedCertificate" in file:
- caPem, serverCrt = readTrustedCertificate(folder, file.strip())
+ certList = readTrustedCertificate(Path + "/" + folder, file.strip())
elif ".crt" in file:
clientCrt = readFile(folder, file.strip())
else:
- print "Could not find file %s" % file.strip()
+ logging.error("Could not find file %s" % file.strip())
shutil.rmtree(Path + "/" + folder)
- json_keystore_key = makeKeystoreKey(clientKey, count)
- json_private_key = makePrivateKey(clientKey, clientCrt, caPem, count)
- json_trusted_cert = makeTrustedCertificate(serverCrt, caPem, count)
+ post_content(clientKey, clientCrt, certList, count)
- makeRestconfPost(conn, json_keystore_key, postKeystore)
- makeRestconfPost(conn, json_private_key, postPrivateKey)
- makeRestconfPost(conn, json_trusted_cert, postTrustedCertificate)
+def post_content(clientKey, clientCrt, certList, count):
+ logging.info('Post content: %d', count)
+ conn = http.client.HTTPConnection("localhost",odl_port)
-def makeHealthcheckCall(headers):
- conn = httplib.HTTPConnection("localhost",8181)
- req = conn.request("POST", "/restconf/operations/SLI-API:healthcheck",headers=headers)
- res = conn.getresponse()
- res.read()
- if res.status == 200:
- print ("Healthcheck Passed in %d seconds." %TIME)
- else:
- print ("Sleep: %d seconds before testing if Healtcheck worked. Total wait time up now is: %d seconds. Timeout is: %d seconds" %(INTERVAL, TIME, TIME_OUT))
- return res.status
+ if clientKey:
+ json_keystore_key = makeKeystoreKey(clientKey, count)
+ logging.debug("Posting private key in to ODL keystore")
+ makeRestconfPost(conn, json_keystore_key, postKeystore)
+ if certList:
+ json_trusted_cert = makeTrustedCertificate(certList, count)
+ logging.debug("Posting trusted cert list in to ODL")
+ makeRestconfPost(conn, json_trusted_cert, postTrustedCertificate)
-def timeIncrement(TIME):
- time.sleep(INTERVAL)
- TIME = TIME + INTERVAL
- return TIME
+ if clientKey and clientCrt and certList:
+ json_private_key = makePrivateKey(clientKey, clientCrt, certList, count)
+ logging.debug("Posting the cert in to ODL")
+ makeRestconfPost(conn, json_private_key, postPrivateKey)
-def healthcheck(TIME):
+
+def makeHealthcheckCall(headers, timePassed):
+ connected = False
# WAIT 10 minutes maximum and test every 30 seconds if HealthCheck API is returning 200
- while TIME < TIME_OUT:
+ while timePassed < TIMEOUT:
try:
- status = makeHealthcheckCall(headers)
- if status == 200:
+ conn = http.client.HTTPConnection("localhost",odl_port)
+ req = conn.request(certreadyCmd, certreadyUrl,headers=headers)
+ res = conn.getresponse()
+ res.read()
+ httpStatus = res.status
+ if httpStatus == 200:
+ logging.debug("Healthcheck Passed in %d seconds." %timePassed)
connected = True
break
+ else:
+ logging.debug("Sleep: %d seconds before testing if Healthcheck worked. Total wait time up now is: %d seconds. Timeout is: %d seconds. Problem code was: %d" %(INTERVAL, timePassed, TIMEOUT, httpStatus))
except:
- print ("Sleep: %d seconds before testing if Healthcheck worked. Total wait time up now is: %d seconds. Timeout is: %d seconds" %(INTERVAL, TIME, TIME_OUT))
+ logging.error("Cannot execute REST call. Sleep: %d seconds before testing if Healthcheck worked. Total wait time up now is: %d seconds. Timeout is: %d seconds." %(INTERVAL, timePassed, TIMEOUT))
+ timePassed = timeIncrement(timePassed)
+
+ if timePassed > TIMEOUT:
+ logging.error("TIME OUT: Healthcheck not passed in %d seconds... Could cause problems for testing activities..." %TIMEOUT)
- TIME = timeIncrement(TIME)
+ return connected
- if TIME > TIME_OUT:
- print ("TIME OUT: Healthcheck not passed in %d seconds... Could cause problems for testing activities..." %TIME_OUT)
+def timeIncrement(timePassed):
+ time.sleep(INTERVAL)
+ timePassed = timePassed + INTERVAL
+ return timePassed
+
+
+def get_pass(file_name):
+ try:
+ with open(file_name, 'r') as file_obj:
+ password = file_obj.read().strip()
+ return "'{}'".format(password)
+ except Exception as e:
+ logging.error("Error occurred while fetching password : %s", e)
+ exit()
+
+def cleanup():
+ for file in os.listdir(Path):
+ if os.path.isfile(Path + '/' + file):
+ logging.debug("Cleaning up the file %s", Path + '/'+ file)
+ os.remove(Path + '/'+ file)
+
+
+def jks_to_p12(file, password):
+ """Converts jks format into p12"""
+ try:
+ certList = []
+ key = None
+ cert = None
+ if (file.endswith('.jks')):
+ p12_file = file.replace('.jks', '.p12')
+ jks_cmd = 'keytool -importkeystore -srckeystore {src_file} -destkeystore {dest_file} -srcstoretype JKS -srcstorepass {src_pass} -deststoretype PKCS12 -deststorepass {dest_pass}'.format(src_file=file, dest_file=p12_file, src_pass=password, dest_pass=password)
+ logging.debug("Converting %s into p12 format", file)
+ os.system(jks_cmd)
+ file = p12_file
+ return file
+ except Exception as e:
+ logging.error("Error occurred while converting jks to p12 format : %s", e)
+
+
+def make_cert_chain(cert_chain, pattern):
+ cert_list = []
+ if cert_chain:
+ cert_chain = cert_chain.decode('utf-8')
+ matches = re.findall(pattern, cert_chain, re.DOTALL | re.MULTILINE)
+ for cert in matches:
+ cert_list.append(cert.strip())
+ return cert_list
+ else:
+ logging.debug(" Certificate Chain empty: %s " % cert_chain)
+
+
+def process_jks_files(count):
+ ca_cert_list = []
+ logging.info("Processing JKS files found in %s directory " % Path)
+ try:
+ if all([os.path.isfile(f) for f in jks_files]):
+ keystore_pass = get_pass(keystore_pass_file)
+ keystore_file_p12 = jks_to_p12(keystore_file, keystore_pass)
+
+ client_key_cmd = 'openssl pkcs12 -in {src_file} -nocerts -nodes -passin pass:{src_pass}'.format(
+ src_file=keystore_file_p12, src_pass=keystore_pass)
+ client_crt_cmd = 'openssl pkcs12 -in {src_file} -clcerts -nokeys -passin pass:{src_pass}'.format(
+ src_file=keystore_file_p12, src_pass=keystore_pass)
+
+ truststore_pass = get_pass(truststore_pass_file)
+ truststore_p12 = jks_to_p12(truststore_file, truststore_pass)
+
+ trust_cert_cmd = 'openssl pkcs12 -in {src_file} -cacerts -nokeys -passin pass:{src_pass} '.format(
+ src_file=truststore_p12, src_pass=truststore_pass)
+
+ key_pattern = r'(?<=-----BEGIN PRIVATE KEY-----).*?(?=-----END PRIVATE KEY-----)'
+ client_key = subprocess.check_output(client_key_cmd, shell=True)
+ if client_key:
+ client_key = make_cert_chain(client_key, key_pattern)[0]
+ logging.debug("Key Ok")
+
+ cert_pattern = r'(?<=-----BEGIN CERTIFICATE-----).*?(?=-----END CERTIFICATE-----)'
+ client_cert = subprocess.check_output(client_crt_cmd, shell=True)
+ if client_cert:
+ client_cert = make_cert_chain(client_cert, cert_pattern)[0]
+ logging.debug("Client Cert Ok")
+
+ ca_cert = subprocess.check_output(trust_cert_cmd, shell=True)
+ if ca_cert:
+ ca_cert_list = make_cert_chain(ca_cert, cert_pattern)
+ logging.debug("CA Cert Ok")
+
+ if client_key and client_cert and ca_cert:
+ post_content(client_key, client_cert, ca_cert_list, count)
+ else:
+ logging.debug("No JKS files found in %s directory" % Path)
+ except subprocess.CalledProcessError as err:
+ print("CalledProcessError Execution of OpenSSL command failed: %s" % err)
+ except Exception as e:
+ logging.error("UnExpected Error while processing JKS files at {0}, Caused by: {1}".format(Path, e))
+
+def replaceAdminPassword(username, password, newpassword):
+ if newpassword is None:
+ logging.info('Not to replace password for user %s', username)
+ else:
+ logging.info('Replace password for user %s', username)
+ try:
+ jsondata = '{\"password\": \"{newpassword}\"}'.format(newpassword=newpassword)
+ url = '/auth/v1/users/{username}@sdn'.format(username=username)
+ loggin.info("Url %s data $s", url, jsondata)
+ conn = http.client.HTTPConnection("localhost",odl_port)
+ req = conn.request("PUT", url, jsondata, headers=headers)
+ res = conn.getresponse()
+ res.read()
+ httpStatus = res.status
+ if httpStatus == 200:
+ logging.debug("New password provided successfully for user %s", username)
+ else:
+ logging.debug("Password change was not possible. Problem code was: %d", httpStatus)
+ except:
+ logging.error("Cannot execute REST call to set password.")
+
+
+def readCertProperties():
+ '''
+ This function searches for manually copied zip file
+ containing certificates. This is required as part
+ of backward compatibility.
+ If not foud, it searches for jks certificates.
+ '''
+ connected = makeHealthcheckCall(headers, timePassed)
+ logging.info('Connected status: %s', connected)
if connected:
+ replaceAdminPassword(username, password, newpassword)
count = 0
if os.path.isfile(Path + "/certs.properties"):
with open(Path + "/certs.properties", "r") as f:
count += 1
del zipFileList[:]
else:
- print "Error: File not found in path entered"
- else:
- print "This was a problem here, Healthcheck never passed, please check is your instance up and running."
+ logging.debug("No certs.properties/zip files exist at: " + Path)
+ logging.info("Processing any available jks/p12 files under cert directory")
+ process_jks_files(count)
-healthcheck(TIME)
+readCertProperties()
+logging.info('Cert installation ending')