X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=auth%2Fsample%2Fbin%2Fclient.sh;h=00818c995ecd72b0a2ae29c85bea6f1b9d5b7e5e;hb=HEAD;hp=2c73614279ee7c125f1a4b945592163fd43d48c2;hpb=32cdd553a8668e6d03a9cf5b11b360d35a63c87f;p=aaf%2Fauthz.git diff --git a/auth/sample/bin/client.sh b/auth/sample/bin/client.sh old mode 100644 new mode 100755 index 2c736142..00818c99 --- a/auth/sample/bin/client.sh +++ b/auth/sample/bin/client.sh @@ -1,71 +1,263 @@ #!/bin/bash -# This script is run when starting aaf_config Container. +######### +# ============LICENSE_START==================================================== +# org.onap.aaf +# =========================================================================== +# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. +# =========================================================================== +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END==================================================== +# +# This script is run when starting client Container. # It needs to cover the cases where the initial data doesn't exist, and when it has already been configured (don't overwrite) # -JAVA=/usr/bin/java + +# +# error handling. REQUIRED: if this script fails, it must give non-zero exit value +# +# We exit non-zero with an explanation echod to standard +# out in some situations, like bad input or failed keygen. +# We exit non-zero without explanation in other situations +# like command not found, or file access perms error. +# +# exit without explaining to stdout if some error +set -e + +[ -z "$JAVA_HOME" ] && { echo FAILURE: JAVA_HOME is not set; exit 1;} +JAVA=${JAVA_HOME}/bin/java + +[ -e ${JAVA_HOME} ] || { echo FAILURE: java home does not exist: ${JAVA_HOME}; exit 1;} +[ -e ${JAVA} ] || { echo FAILURE: java executable does not exist: ${JAVA}; exit 1;} + AAF_INTERFACE_VERSION=2.1 # Extract Name, Domain and NS from FQI +[ -z "$APP_FQI" ] && { echo FAILURE: APP_FQI is not set; exit 1; } + FQIA=($(echo ${APP_FQI} | tr '@' '\n')) FQI_SHORT=${FQIA[0]} FQI_DOMAIN=${FQIA[1]} +[ -z "$FQI_SHORT" ] && { echo FAILURE: malformed APP_FQI, should be like email form: name@domain; exit 1; } +[ -z "$FQI_DOMAIN" ] && { echo FAILURE: malformed APP_FQI, should be like email form: name@domain; exit 1; } + # Reverse DOMAIN for NS FQIA_E=($(echo ${FQI_DOMAIN} | tr '.' '\n')) for (( i=( ${#FQIA_E[@]} -1 ); i>0; i-- )); do NS=${NS}${FQIA_E[i]}'.' done NS=${NS}${FQIA_E[0]} +CONFIG=${CONFIG:-"/opt/app/aaf_config"} + +# perhaps AAF HOME? (root of aaf installation) +OSAAF=${OSAAF:-"/opt/app/osaaf"} + +# this is the 'place' operation's destination +LOCAL=${LOCAL:-"$OSAAF/local"} +DOT_AAF=${DOT_AAF:-"${HOME}/.aaf"} +SSO="$DOT_AAF/sso.props" + +# for *backup files +backupDir=${BACKUP_DIR:-${LOCAL}} + +if [ -e "$CONFIG" ]; then + CONFIG_BIN="$CONFIG/bin" +else + CONFIG_BIN="." +fi + +AGENT_JAR="$CONFIG_BIN/aaf-cadi-aaf-*-full.jar" +JAVA_AGENT="$JAVA -Dcadi_loglevel=DEBUG -Dcadi_etc_dir=${LOCAL} -Dcadi_log_dir=${LOCAL} -jar $AGENT_JAR " + +function backup() { + # any backup files? + if stat -t *.backup > /dev/null 2>&1; then + # move them somewhere else? + if [ "${backupDir}" != "${LOCAL}" ]; then + mkdir -p ${backupDir} + mv -f ${LOCAL}/*.backup ${backupDir} + fi + fi +} # Setup SSO info for Deploy ID function sso_encrypt() { - $JAVA -cp /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar org.onap.aaf.cadi.CmdLine digest ${1} ~/.aaf/keyfile + $JAVA_AGENT cadi digest ${1} $DOT_AAF/keyfile || { + echo agent fails to digest password + exit 1 + } } -if [ ! -e " ~/.aaf/keyfile" ]; then - mkdir -p ~/.aaf - SSO=~/.aaf/sso.props - $JAVA -cp /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar org.onap.aaf.cadi.CmdLine keygen ~/.aaf/keyfile - chmod 400 ~/.aaf/keyfile - echo cadi_latitude=${LATITUDE} > ${SSO} - echo cadi_longitude=${LONGITUDE} >> ${SSO} - echo aaf_id=${DEPLOY_FQI} >> ${SSO} +# Setup Bash, first time only, Agent only +if [ ! -f "$HOME/.bashrc" ] || [ -z "$(grep agent $HOME/.bashrc)" ]; then + echo "alias agent='$CONFIG_BIN/agent.sh agent \$*'" >> $HOME/.bashrc + chmod a+x $CONFIG_BIN/agent.sh + . $HOME/.bashrc +fi + +if [ ! -e "$DOT_AAF/truststoreONAPall.jks" ]; then + mkdir -p $DOT_AAF + base64 -d $CONFIG/cert/truststoreONAPall.jks.b64 > $DOT_AAF/truststoreONAPall.jks +fi + +# Create Deployer Info, located at /root/.aaf +if [ ! -e "$DOT_AAF/keyfile" ]; then + + $JAVA_AGENT cadi keygen $DOT_AAF/keyfile || { + echo "Cannot create $DOT_AAF/keyfile" + exit 1 + } + + chmod 400 $DOT_AAF/keyfile + +fi + +if [ ! -e "${SSO}" ]; then + echo Creating and adding content to ${SSO} + echo "cadi_keyfile=$DOT_AAF/keyfile" > ${SSO} + + # Add Deployer Creds to Root's SSO + DEPLOY_FQI="${DEPLOY_FQI:=$app_id}" + echo "aaf_id=${DEPLOY_FQI}" >> ${SSO} if [ ! "${DEPLOY_PASSWORD}" = "" ]; then echo aaf_password=enc:$(sso_encrypt ${DEPLOY_PASSWORD}) >> ${SSO} fi - echo aaf_locate_url=https://${AAF_FQDN}:8095 >> ${SSO} - echo aaf_url=https://AAF_LOCATE_URL/AAF_NS.service:${AAF_INTERFACE_VERSION} >> ${SSO} - echo cadi_truststore=$(ls /opt/app/aaf_config/public/*trust*) >> ${SSO} - echo cadi_truststore_password=enc:$(sso_encrypt changeit) >> ${SSO} + + # Cover case where using app.props + aaf_locator_container_ns=${aaf_locator_container_ns:=$CONTAINER_NS} + if [ "$aaf_locator_container" = "docker" ]; then + echo "aaf_locate_url=https://aaf-locate:8095" >> ${SSO} + echo "aaf_url_cm=https://aaf-cm:8150" >> ${SSO} + echo "aaf_url=https://aaf-service:8100" >> ${SSO} + else + echo "aaf_locate_url=https://${aaf_locator_fqdn}:8095" >> ${SSO} + echo "aaf_url_cm=https://AAF_LOCATE_URL/%CNS.%NS.cm:2.1" >> ${SSO} + echo "aaf_url=https://AAF_LOCATE_URL/%CNS.%NS.service:2.1" >> ${SSO} + fi + + echo "cadi_truststore=$DOT_AAF/truststoreONAPall.jks" >> ${SSO} + echo "cadi_truststore_password=changeit" >> ${SSO} + echo "cadi_latitude=${LATITUDE}" >> ${SSO} + echo "cadi_longitude=${LONGITUDE}" >> ${SSO} + echo "hostname=${aaf_locator_fqdn}" >> ${SSO} + + # Push in all AAF and CADI properties to SSO + for E in $(env); do + if [ "${E:0:4}" = "aaf_" ] || [ "${E:0:5}" = "cadi_" ]; then + # Use Deployer ID in ${SSO} + if [ "app_id" != "${E%=*}" ]; then + S="${E/_helm/.helm}" + S="${S/_oom/.oom}" + echo "$S" >> ${SSO} + fi + fi + done + + . ${SSO} + echo "Caller Properties Initialized" + echo "cat SSO" + cat ${SSO} +fi + +# Check for local dir +if [ -d $LOCAL ]; then + echo "$LOCAL exists" +else + mkdir -p $LOCAL + echo "Created $LOCAL" +fi + +cd $LOCAL +echo "Existing files in $LOCAL" +ls -l + +# Should we refresh the client version?? +if [ "${VERSION}" != "$(cat ${LOCAL}/VERSION 2> /dev/null)" ]; then + echo "Clean up directory ${LOCAL}" + rm -Rf ${LOCAL}/* + + echo "${VERSION}" > $LOCAL/VERSION + cp $AGENT_JAR $LOCAL + echo "#!/bin/bash" > $LOCAL/agent + echo 'java -jar aaf-cadi-aaf-*-full.jar $*' >> $LOCAL/agent + echo "#!/bin/bash" > $LOCAL/cadi + echo 'java -jar aaf-cadi-aaf-*-full.jar cadi $*' >> $LOCAL/cadi + chmod 755 $LOCAL/agent $LOCAL/cadi fi +echo "Namespace is ${NS}" + # Only initialize once, automatically... -if [ ! -e /opt/app/osaaf/local/${NS}.props ]; then - for D in bin logs; do - rsync -avzh --exclude=.gitignore /opt/app/aaf_config/$D/* /opt/app/osaaf/$D - done +if [ ! -f $LOCAL/${NS}.props ]; then + [ -z "$APP_FQDN" ] && { echo FAILURE: APP_FQDN is not set; exit 1; } + + echo "#### Create Configuration files " + > $LOCAL/$NS + $JAVA_AGENT config $APP_FQI $APP_FQDN --nopasswd || { + echo Cannot create config files + exit 1 + } + cat $LOCAL/$NS.props + + echo + echo "#### Certificate Authorization Artifact" + # TMP=$(mktemp) + TMP=$LOCAL/agent.log + - # setup Configs - $JAVA -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar config $APP_FQI \ - cadi_etc_dir=/opt/app/osaaf/local + $JAVA_AGENT read ${APP_FQI} ${APP_FQDN} | tee $TMP ; [ ${PIPESTATUS[0]} -eq 0 ] || { + echo Cannot read artificate; + exit 1; + } - # Place Certificates - $JAVA -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar place ${APP_FQI} ${APP_FQDN} - # Validate - $JAVA -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar validate \ - cadi_prop_files=/opt/app/osaaf/local/${NS}.props + if [ -n "$(grep 'Namespace:' $TMP)" ]; then + echo "#### Place Certificates (by deployer)" + $JAVA_AGENT place $APP_FQI $APP_FQDN || { + echo Failed to obtain new certificate + exit 1 + + } + + if [ -z "$(grep cadi_alias ${LOCAL}/$NS.cred.props)" ]; then + echo "FAILED to get Certificate, cadi_alias is not defined." + exit 1 + else + echo "Obtained Certificates" + echo "#### Validate Configuration and Certificate with live call" + $JAVA_AGENT validate cadi_prop_files=${NS}.props || { + echo Failed to validate new certificate + exit 1 + } + fi + else + echo "#### Certificate Authorization Artifact must be valid to continue" + fi + rm $TMP +else + INITIALIZED="true" fi -# Now run a command -CMD=$2 -if [ ! "$CMD" = "" ]; then - shift +if [ -z "$*" ]; then + echo "Initialization complete" +else + # Now run a command + CMD=$1 shift case "$CMD" in ls) echo ls requested - find /opt/app/osaaf -depth + find ${OSAAF} -depth ;; cat) if [ "$1" = "" ]; then @@ -82,47 +274,84 @@ if [ ! "$CMD" = "" ]; then fi fi ;; - update) - for D in bin logs; do - rsync -uh --exclude=.gitignore /opt/app/aaf_config/$D/* /opt/app/osaaf/$D - done + read) + echo "## Read Artifacts" + $JAVA_AGENT read $APP_FQI $APP_FQDN cadi_prop_files=${SSO} cadi_loglevel=INFO || { + echo Command faile, cannot read artifacts + exit 1 + } + ;; + showpass) + echo "## Show Passwords" + $JAVA_AGENT showpass $APP_FQI $APP_FQDN cadi_prop_files=${SSO} cadi_loglevel=ERROR || { + echo Failure showing password + exit 1 + } + ;; + check) + echo "## Check Certificate" + echo "$JAVA_AGENT check $APP_FQI $APP_FQDN cadi_prop_files=${LOCAL}/${NS}.props" + # inspects and repots on certificate validation and renewal date + $JAVA_AGENT check $APP_FQI $APP_FQDN cadi_prop_files=${LOCAL}/${NS}.props || { + echo Checking certificate fails. + exit 1 + } ;; validate) echo "## validate requested" - $JAVA -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar validate cadi_prop_files=/opt/app/osaaf/local/${NS}.props + # attempt to send request to aaf; authenticate with this local certificate + $JAVA_AGENT validate $APP_FQI $APP_FQDN || { + echo Validation fails. + exit 1 + } + ;; + place) + echo "## Renew Certificate" + $JAVA_AGENT place $APP_FQI $APP_FQDN cadi_prop_files=${SSO} || { + echo Placing certificate fails. + exit 1 + } + ;; + renew) + echo "## Renew Certificate" + $JAVA_AGENT place $APP_FQI $APP_FQDN || { + echo Failure renewing certificate + exit 1 + } ;; bash) - if [ ! -e ~/.bash_aliases ]; then - echo "alias cadi='$JAVA -cp /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar org.onap.aaf.cadi.CmdLine \$*'" >~/.bash_aliases - echo "alias agent='$JAVA -cp /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar org.onap.aaf.cadi.configure.Agent \$*'" >>~/.bash_aliases - fi shift - cd /opt/app/osaaf/local || exit - /bin/bash "$@" + cd $LOCAL || exit + exec bash "$@" ;; setProp) - cd /opt/app/osaaf/local || exit + cd $LOCAL || exit FILES=$(grep -l "$1" ./*.props) - if [ "$FILES" = "" ]; then - FILES="$3" + if [ -z "$FILES" ]; then + if [ -z "$3" ]; then + FILES=${NS}.props + else + FILES="$3" + fi ADD=Y fi for F in $FILES; do - echo "Changing $1 in $F" if [ "$ADD" = "Y" ]; then - echo $2 >> $F + echo "Changing $1 to $F" + echo "$1=$2" >> $F else - sed -i.backup -e "s/\\(${1}.*=\\).*/\\1${2}/" $F + echo "Changing $1 in $F" + sed -i.backup -e "s/\\(${1}.*=\\).*/\\1${2}/" $F fi cat $F done ;; encrypt) - cd /opt/app/osaaf/local || exit + cd $LOCAL || exit echo $1 FILES=$(grep -l "$1" ./*.props) if [ "$FILES" = "" ]; then - FILES=/opt/app/osaaf/local/${NS}.cred.props + FILES=$LOCAL/${NS}.cred.props ADD=Y fi for F in $FILES; do @@ -137,7 +366,7 @@ if [ ! "$CMD" = "" ]; then else ORIG_PW="$2" fi - PWD=$("$JAVA" -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar cadi digest "$ORIG_PW" /opt/app/osaaf/local/${NS}.keyfile) + PWD=$($JAVA_CADI digest "$ORIG_PW" $LOCAL/${NS}.keyfile) if [ "$ADD" = "Y" ]; then echo "$1=enc:$PWD" >> $F else @@ -147,7 +376,14 @@ if [ ! "$CMD" = "" ]; then done ;; taillog) - sh /opt/app/osaaf/logs/taillog + sh ${OSAAF}/logs/taillog + ;; + testConnectivity|testconnectivity) + echo "--- Test Connectivity ---" + $JAVA -cp $AGENT_JAR org.onap.aaf.cadi.aaf.TestConnectivity $LOCAL/${NS}.props || { + echo Failure while testing connectivity + exit 1 + } ;; --help | -?) case "$1" in @@ -167,17 +403,28 @@ if [ ! "$CMD" = "" ]; then ;; cadi) echo "--- cadi Tool Comands ---" - $JAVA -Dcadi_prop_files=/opt/app/osaaf/local/${NS}.props -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar cadi | tail -n +6 + $JAVA_CADI ;; agent) echo "--- agent Tool Comands ---" - $JAVA -Dcadi_prop_files=/opt/app/osaaf/local/${NS}.props -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar + $JAVA_AGENT + ;; + aafcli) + echo "--- aafcli Tool Comands ---" + $JAVA_AAFCLI ;; esac echo "" ;; + ### Possible Dublin + # sample) + # echo "--- run Sample Servlet App ---" + # $JAVA -Dcadi_prop_files=$LOCAL/${NS}.props -cp $AGENT_JAR:$CONFIG_BIN/aaf-cadi-servlet-sample-*-sample.jar org.onap.aaf.sample.cadi.jetty.JettyStandalone ${NS}.props + # ;; *) - $JAVA -Dcadi_prop_files=/opt/app/osaaf/local/${NS}.props -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar "$CMD" "$@" + $JAVA_AGENT "$CMD" "$@" ;; esac fi + +backup