X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=installation%2Fsdnc%2Fsrc%2Fmain%2Fscripts%2FinstallCerts.py;h=ecbf0a227efedc805e132861529568694cb1f29c;hb=9055ad0c6c50b1432102803cc331bfe8d964dc92;hp=1cc7454631ef806bc81160d5e825c156089188ae;hpb=3c7bf5bfc3703c4aaf0b713f24b658ce483b56cf;p=sdnc%2Foam.git diff --git a/installation/sdnc/src/main/scripts/installCerts.py b/installation/sdnc/src/main/scripts/installCerts.py index 1cc74546..ecbf0a22 100644 --- a/installation/sdnc/src/main/scripts/installCerts.py +++ b/installation/sdnc/src/main/scripts/installCerts.py @@ -1,6 +1,8 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019 Nordix Foundation. # ================================================================================ +# extended by highstreet technologies GmbH (c) 2020 +# ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -20,32 +22,70 @@ # coding=utf-8 import os -import httplib +import re +import http.client import base64 import time import zipfile import shutil +import subprocess +import logging + +odl_home = os.environ['ODL_HOME'] +log_directory = odl_home + '/data/log/' +log_file = log_directory + 'installCerts.log' +with open(os.path.join('/opt/opendaylight/data/log', 'installCerts.log'), 'w') as fp: + pass +log_format = "%(asctime)s - %(name)s - %(levelname)s - %(message)s" +if not os.path.exists(log_directory): + os.makedirs(log_directory) +logging.basicConfig(filename=log_file,level=logging.DEBUG,filemode='w',format=log_format) +print ('Start cert provisioning. Log file: ' + log_file); Path = "/tmp" +if "ODL_CERT_DIR" in os.environ: + Path = os.environ['ODL_CERT_DIR'] zipFileList = [] username = os.environ['ODL_ADMIN_USERNAME'] password = os.environ['ODL_ADMIN_PASSWORD'] -timeOut=1000 -interval=30 -time=0 - -postKeystore= "/restconf/operations/netconf-keystore:add-keystore-entry" -postPrivateKey= "/restconf/operations/netconf-keystore:add-private-key" -postTrustedCertificate= "/restconf/operations/netconf-keystore:add-trusted-certificate" - - -headers = {'Authorization':'Basic %s' % base64.b64encode(username + ":" + password), +newpassword = os.environ.get('ODL_ADMIN_NEWPASSWORD') +TIMEOUT=1000 +INTERVAL=30 +timePassed=0 + +postKeystore= "/rests/operations/netconf-keystore:add-keystore-entry" +postPrivateKey= "/rests/operations/netconf-keystore:add-private-key" +postTrustedCertificate= "/rests/operations/netconf-keystore:add-trusted-certificate" + +truststore_pass_file = Path + '/truststore.pass' +truststore_file = Path + '/truststore.jks' + +keystore_pass_file = Path + '/keystore.pass' +keystore_file = Path + '/keystore.jks' + +jks_files = [truststore_pass_file, keystore_pass_file, keystore_file, truststore_file] + +envOdlFeaturesBoot='ODL_FEATURES_BOOT' +# Strategy sli-api is default +certreadyCmd="POST" +certreadyUrl="/rests/operations/SLI-API:healthcheck" + +if "SDNRWT" in os.environ: + sdnrWt = os.environ['SDNRWT'] + if sdnrWt == "true": + certreadyCmd="GET" + certreadyUrl="/rests/data/network-topology:network-topology" +logging.info('ODL ready strategy with command %s and url %s', certreadyCmd, certreadyUrl) + +odl_port = 8181 +cred_string = username + ":" + password +headers = {'Authorization':'Basic %s' % base64.b64encode(cred_string.encode()).decode(), 'X-FromAppId': 'csit-sdnc', 'X-TransactionId': 'csit-sdnc', 'Accept':"application/json", - 'Content-type':"application/json"} + 'Content-type':"application/yang-data+json"} def readFile(folder, file): key = open(Path + "/" + folder + "/" + file, "r") @@ -58,7 +98,7 @@ def readTrustedCertificate(folder, file): listCert = list() caPem = "" startCa = False - key = open(Path + "/" + folder + "/" + file, "r") + key = open(folder + "/" + file, "r") lines = key.readlines() for line in lines: if not "BEGIN CERTIFICATE" in line and not "END CERTIFICATE" in line and startCa: @@ -72,7 +112,7 @@ def readTrustedCertificate(folder, file): return listCert def makeKeystoreKey(clientKey, count): - odl_private_key="ODL_private_key_%d" %count + odl_private_key = "ODL_private_key_%d" %count json_keystore_key='{{\"input\": {{ \"key-credential\": {{\"key-id\": \"{odl_private_key}\", \"private-key\" : ' \ '\"{clientKey}\",\"passphrase\" : \"\"}}}}}}'.format( @@ -81,14 +121,12 @@ def makeKeystoreKey(clientKey, count): return json_keystore_key - - def makePrivateKey(clientKey, clientCrt, certList, count): caPem = "" - for cert in certList: - caPem += '\"%s\",' % cert - - caPem = caPem.rsplit(',', 1)[0] + if certList: + for cert in certList: + caPem += '\"%s\",' % cert + caPem = caPem.rsplit(',', 1)[0] odl_private_key="ODL_private_key_%d" %count json_private_key='{{\"input\": {{ \"private-key\":{{\"name\": \"{odl_private_key}\", \"data\" : ' \ @@ -121,9 +159,9 @@ def makeRestconfPost(conn, json_file, apiCall): res = conn.getresponse() res.read() if res.status != 200: - print "Error here, response back wasnt 200: Response was : %d , %s" % (res.status, res.reason) + logging.error("Error here, response back wasnt 200: Response was : %d , %s" % (res.status, res.reason)) else: - print res.status, res.reason + logging.debug("Response :%s Reason :%s ",res.status, res.reason) def extractZipFiles(zipFileList, count): for zipFolder in zipFileList: @@ -133,60 +171,194 @@ def extractZipFiles(zipFileList, count): processFiles(folder, count) def processFiles(folder, count): - conn = httplib.HTTPConnection("localhost",8181) + logging.info('Process folder: %d %s', count, folder) for file in os.listdir(Path + "/" + folder): if os.path.isfile(Path + "/" + folder + "/" + file.strip()): if ".key" in file: clientKey = readFile(folder, file.strip()) elif "trustedCertificate" in file: - certList = readTrustedCertificate(folder, file.strip()) + certList = readTrustedCertificate(Path + "/" + folder, file.strip()) elif ".crt" in file: clientCrt = readFile(folder, file.strip()) else: - print "Could not find file %s" % file.strip() + logging.error("Could not find file %s" % file.strip()) shutil.rmtree(Path + "/" + folder) - json_keystore_key = makeKeystoreKey(clientKey, count) - json_private_key = makePrivateKey(clientKey, clientCrt, certList, count) - json_trusted_cert = makeTrustedCertificate(certList, count) + post_content(clientKey, clientCrt, certList, count) - makeRestconfPost(conn, json_keystore_key, postKeystore) - makeRestconfPost(conn, json_private_key, postPrivateKey) - makeRestconfPost(conn, json_trusted_cert, postTrustedCertificate) +def post_content(clientKey, clientCrt, certList, count): + logging.info('Post content: %d', count) + conn = http.client.HTTPConnection("localhost",odl_port) -def makeHealthcheckCall(headers, time): - conn = httplib.HTTPConnection("localhost",8181) - req = conn.request("POST", "/restconf/operations/SLI-API:healthcheck",headers=headers) - res = conn.getresponse() - res.read() - if res.status == 200: - print ("Healthcheck Passed in %d seconds." %time) - else: - print ("Sleep: %d seconds before testing if Healtcheck worked. Total wait time up now is: %d seconds. Timeout is: %d seconds" %(interval, time, timeOut)) - return res.status + if clientKey: + json_keystore_key = makeKeystoreKey(clientKey, count) + logging.debug("Posting private key in to ODL keystore") + makeRestconfPost(conn, json_keystore_key, postKeystore) + + if certList: + json_trusted_cert = makeTrustedCertificate(certList, count) + logging.debug("Posting trusted cert list in to ODL") + makeRestconfPost(conn, json_trusted_cert, postTrustedCertificate) + if clientKey and clientCrt and certList: + json_private_key = makePrivateKey(clientKey, clientCrt, certList, count) + logging.debug("Posting the cert in to ODL") + makeRestconfPost(conn, json_private_key, postPrivateKey) -def timeIncrement(time): - time.sleep(interval) - time = time + interval - return time -def healthcheck(time): +def makeHealthcheckCall(headers, timePassed): + connected = False # WAIT 10 minutes maximum and test every 30 seconds if HealthCheck API is returning 200 - while time < timeOut: + while timePassed < TIMEOUT: try: - status = makeHealthcheckCall(headers, time) - #if status == 200: - connected = True - break + conn = http.client.HTTPConnection("localhost",odl_port) + req = conn.request(certreadyCmd, certreadyUrl,headers=headers) + res = conn.getresponse() + res.read() + httpStatus = res.status + if httpStatus == 200: + logging.debug("Healthcheck Passed in %d seconds." %timePassed) + connected = True + break + else: + logging.debug("Sleep: %d seconds before testing if Healthcheck worked. Total wait time up now is: %d seconds. Timeout is: %d seconds. Problem code was: %d" %(INTERVAL, timePassed, TIMEOUT, httpStatus)) except: - print ("Sleep: %d seconds before testing if Healthcheck worked. Total wait time up now is: %d seconds. Timeout is: %d seconds" %(interval, time, timeOut)) - - time = timeIncrement(time) - - if time > timeOut: - print ("TIME OUT: Healthcheck not passed in %d seconds... Could cause problems for testing activities..." %timeOut) - + logging.error("Cannot execute REST call. Sleep: %d seconds before testing if Healthcheck worked. Total wait time up now is: %d seconds. Timeout is: %d seconds." %(INTERVAL, timePassed, TIMEOUT)) + timePassed = timeIncrement(timePassed) + + if timePassed > TIMEOUT: + logging.error("TIME OUT: Healthcheck not passed in %d seconds... Could cause problems for testing activities..." %TIMEOUT) + + return connected + + +def timeIncrement(timePassed): + time.sleep(INTERVAL) + timePassed = timePassed + INTERVAL + return timePassed + + +def get_pass(file_name): + try: + with open(file_name, 'r') as file_obj: + password = file_obj.read().strip() + return "'{}'".format(password) + except Exception as e: + logging.error("Error occurred while fetching password : %s", e) + exit() + +def cleanup(): + for file in os.listdir(Path): + if os.path.isfile(Path + '/' + file): + logging.debug("Cleaning up the file %s", Path + '/'+ file) + os.remove(Path + '/'+ file) + + +def jks_to_p12(file, password): + """Converts jks format into p12""" + try: + certList = [] + key = None + cert = None + if (file.endswith('.jks')): + p12_file = file.replace('.jks', '.p12') + jks_cmd = 'keytool -importkeystore -srckeystore {src_file} -destkeystore {dest_file} -srcstoretype JKS -srcstorepass {src_pass} -deststoretype PKCS12 -deststorepass {dest_pass}'.format(src_file=file, dest_file=p12_file, src_pass=password, dest_pass=password) + logging.debug("Converting %s into p12 format", file) + os.system(jks_cmd) + file = p12_file + return file + except Exception as e: + logging.error("Error occurred while converting jks to p12 format : %s", e) + + +def make_cert_chain(cert_chain, pattern): + cert_list = [] + if cert_chain: + matches = re.findall(pattern, cert_chain, re.DOTALL | re.MULTILINE) + for cert in matches: + cert_list.append(cert.strip()) + return cert_list + else: + logging.debug(" Certificate Chain empty: %s " % cert_chain) + + +def process_jks_files(count): + ca_cert_list = [] + logging.info("Processing JKS files found in %s directory " % Path) + try: + if all([os.path.isfile(f) for f in jks_files]): + keystore_pass = get_pass(keystore_pass_file) + keystore_file_p12 = jks_to_p12(keystore_file, keystore_pass) + + client_key_cmd = 'openssl pkcs12 -in {src_file} -nocerts -nodes -passin pass:{src_pass}'.format( + src_file=keystore_file_p12, src_pass=keystore_pass) + client_crt_cmd = 'openssl pkcs12 -in {src_file} -clcerts -nokeys -passin pass:{src_pass}'.format( + src_file=keystore_file_p12, src_pass=keystore_pass) + + truststore_pass = get_pass(truststore_pass_file) + truststore_p12 = jks_to_p12(truststore_file, truststore_pass) + + trust_cert_cmd = 'openssl pkcs12 -in {src_file} -cacerts -nokeys -passin pass:{src_pass} '.format( + src_file=truststore_p12, src_pass=truststore_pass) + + key_pattern = r'(?<=-----BEGIN PRIVATE KEY-----).*?(?=-----END PRIVATE KEY-----)' + client_key = subprocess.check_output(client_key_cmd, shell=True) + if client_key: + client_key = make_cert_chain(client_key, key_pattern)[0] + logging.debug("Key Ok") + + cert_pattern = r'(?<=-----BEGIN CERTIFICATE-----).*?(?=-----END CERTIFICATE-----)' + client_cert = subprocess.check_output(client_crt_cmd, shell=True) + if client_cert: + client_cert = make_cert_chain(client_cert, cert_pattern)[0] + logging.debug("Client Cert Ok") + + ca_cert = subprocess.check_output(trust_cert_cmd, shell=True) + if ca_cert: + ca_cert_list = make_cert_chain(ca_cert, cert_pattern) + logging.debug("CA Cert Ok") + + if client_key and client_cert and ca_cert: + post_content(client_key, client_cert, ca_cert_list, count) + else: + logging.debug("No JKS files found in %s directory" % Path) + except subprocess.CalledProcessError as err: + print("CalledProcessError Execution of OpenSSL command failed: %s" % err) + except Exception as e: + logging.error("UnExpected Error while processing JKS files at {0}, Caused by: {1}".format(Path, e)) + +def replaceAdminPassword(username, password, newpassword): + if newpassword is None: + logging.info('Not to replace password for user %s', username) + else: + logging.info('Replace password for user %s', username) + try: + jsondata = '{\"password\": \"{newpassword}\"}'.format(newpassword=newpassword) + url = '/auth/v1/users/{username}@sdn'.format(username=username) + loggin.info("Url %s data $s", url, jsondata) + conn = http.client.HTTPConnection("localhost",odl_port) + req = conn.request("PUT", url, jsondata, headers=headers) + res = conn.getresponse() + res.read() + httpStatus = res.status + if httpStatus == 200: + logging.debug("New password provided successfully for user %s", username) + else: + logging.debug("Password change was not possible. Problem code was: %d", httpStatus) + except: + logging.error("Cannot execute REST call to set password.") + + +def readCertProperties(): + ''' + This function searches for manually copied zip file + containing certificates. This is required as part + of backward compatibility. + If not foud, it searches for jks certificates. + ''' + connected = makeHealthcheckCall(headers, timePassed) + logging.info('Connected status: %s', connected) if connected: + replaceAdminPassword(username, password, newpassword) count = 0 if os.path.isfile(Path + "/certs.properties"): with open(Path + "/certs.properties", "r") as f: @@ -198,9 +370,10 @@ def healthcheck(time): count += 1 del zipFileList[:] else: - print "Error: File not found in path entered" - else: - print "This was a problem here, Healthcheck never passed, please check is your instance up and running." + logging.debug("No certs.properties/zip files exist at: " + Path) + logging.info("Processing any available jks/p12 files under cert directory") + process_jks_files(count) -healthcheck(time) +readCertProperties() +logging.info('Cert installation ending')