Create base netconf-server image. 62/119062/1
authorBartosz Gardziejewski <bartosz.gardziejewski@nokia.com>
Tue, 9 Mar 2021 07:09:45 +0000 (08:09 +0100)
committerBartosz Gardziejewski <bartosz.gardziejewski@nokia.com>
Wed, 10 Mar 2021 13:01:29 +0000 (14:01 +0100)
Signed-off-by: Bartosz Gardziejewski <bartosz.gardziejewski@nokia.com>
Change-Id: Ie19dd81608f56a4bc7f3b732cda8eed87136bd26
Issue-ID: INT-1869

16 files changed:
.gitignore [new file with mode: 0644]
Changelog.md [new file with mode: 0644]
Dockerfile [new file with mode: 0644]
README.md [new file with mode: 0644]
docker-compose.yml [new file with mode: 0644]
models/pnf-simulator.yang [new file with mode: 0644]
pom.xml [new file with mode: 0644]
scripts/generate-certificates.sh [new file with mode: 0755]
scripts/install-all-module-from-directory.sh [new file with mode: 0755]
scripts/install-tls-with-custom-certificates.sh [new file with mode: 0755]
scripts/set-up-netopeer.sh [new file with mode: 0755]
scripts/tls/set-up-tls-certificates.py [new file with mode: 0755]
scripts/tls/tls_keystore.xml [new file with mode: 0644]
scripts/tls/tls_listen.xml [new file with mode: 0644]
scripts/tls/tls_truststore.xml [new file with mode: 0644]
version.properties [new file with mode: 0644]

diff --git a/.gitignore b/.gitignore
new file mode 100644 (file)
index 0000000..a092a60
--- /dev/null
@@ -0,0 +1,5 @@
+**/*.iml
+**/.idea
+**/target
+**/logs
+**/venv
diff --git a/Changelog.md b/Changelog.md
new file mode 100644 (file)
index 0000000..8b5f791
--- /dev/null
@@ -0,0 +1,7 @@
+# Change Log
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/)
+and this project adheres to [Semantic Versioning](http://semver.org/).
+
+## [1.0.0] - 10/03/2021
diff --git a/Dockerfile b/Dockerfile
new file mode 100644 (file)
index 0000000..000e15e
--- /dev/null
@@ -0,0 +1,10 @@
+FROM docker.io/sysrepo/sysrepo-netopeer2:latest
+COPY ./models /resources/models
+COPY ./scripts ./scripts
+
+ENV ENABLE_TLS=false
+
+RUN mkdir -p /resources/certs && \
+    ./scripts/generate-certificates.sh /resources/certs
+
+ENTRYPOINT ["./scripts/set-up-netopeer.sh", "/resources/models", "/resources/certs"]
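Review bot: The TLS key material is generated at image build time (`RUN mkdir -p /resources/certs && ./scripts/generate-certificates.sh /resources/certs`), so every container started from a published copy of this image shares the same `server.key` and CA key, and anyone who pulls the image can extract them to impersonate the server or mint client certificates the truststore accepts. Unless these are explicitly test-only, generate them at container start when `/resources/certs` is empty (the entrypoint already receives that directory), or at minimum add a comment such as `# NOTE: build-time certs are shared by every image consumer; for local testing only` and say the same in the README. Separately, `FROM docker.io/sysrepo/sysrepo-netopeer2:latest` is unpinned, so rebuilds are not reproducible and silently pick up upstream changes; pin a tag or `@sha256:` digest.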
diff --git a/README.md b/README.md
new file mode 100644 (file)
index 0000000..23aac6c
--- /dev/null
+++ b/README.md
@@ -0,0 +1,81 @@
+# Netconf Server
+This server uses sysrepo to simulate network configuration.
+It is base od sysrepo-netopeer2 image.
+
+## User guide
+### starting server
+In order to start server use docker-compose located in root catalog:
+```shell
+  docker-compose up -d
+```
+or run image using docker:
+```shell
+  docker run -it -p 830:830 -p 6513:6513 onap/org.onap.integration.simulators.netconf-server:latest
+```
+
+### using server
+Server allows:
+ - installing custom configuration models on start up.
+ - changing configuration of that modules on runtime.
+
+Config can be changed with use of **SSH, be default expose on port 830**
+and **TLS, be default exposed on port 6513**.
+- SSH works "out of the box" with a username and password *netconf*.
+- **TLS is disabled be default**, 
+  in order to enable it, set environment variable `ENABLE_TLS=true`.
+  More about TLS in ***TLS*** section. 
+
+### custom models
+new models are loaded on the image start up from catalog `/resources/models`.
+Be default this directory contains `pnf-simulator.yang` model.
+In order to load custom models on start up,
+volume with models, should be mounted to `/resources/models` directory.
+It can be done in docker-compose, by putting 
+`./path/to/cusom/models:/resources/models` in *volumes* section.
+
+### TLS
+TLS in disabled be default with environment variable `ENABLE_TLS` set to false.
+In order to enable TLS, that environment variable need to be set to `true` 
+**on container start up**.
+It can be done in docker-compose, 
+by putting `ENABLE_TLS=true` in *environment* section.
+
+#### Custom certificate
+When TLS is enabled server will use auto generated certificates, be default.
+That certificates are generated during image build and 
+are located in `/resources/certs` directory.
+Certificates are loaded during image start up.
+**In order to use custom certs**
+volume with certificates needs to be mounted to `/resources/certs` directory.
+In this volume following files are required, **named accordingly**:
+- **ca.crt** - CA/Root certificate
+- **client.crt** - client certificate
+- **server.crt** - server certificate
+- **server.key** - server private key
+- **server_pub.key** -  server public key
+
+
+## Development guide 
+### building image
+In order to build image mvn command can be run:
+```shell
+  mvn clean install -p docker 
+```
+
+### image building process
+To build image, Dockerfile is used.
+During an image building:
+ - catalog `scripts` is copied to image home directory.
+   That catalog contains all scripts needed for
+   installing initial models and configuring TLS.
+ - catalog `models`  is copied to image directory `/resources/models`.
+   That catalog contains default models 
+   that will be installed on image start up.
+ - default certificates and keys for TLS are generated and 
+   stored in `/resources/certs` directory.
+ - set-up-netopeer script is set to be run on image start up.
+
+### change log
+This project contains `Changeloge.md` file.
+Please update this file when change is made,
+according to the guidelines.
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644 (file)
index 0000000..d9afeac
--- /dev/null
@@ -0,0 +1,12 @@
+version: '3'
+
+services:
+
+  netconf-server:
+    container_name: netconf-server
+    image: onap/org.onap.integration.simulators.netconf-server:latest
+    environment:
+     - ENABLE_TLS=true
+    ports:
+     - "830:830"
+     - "6513:6513"
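Review bot: `"830:830"` publishes the SSH NETCONF endpoint on every host interface, and per the README in this change it accepts the base image's fixed `netconf`/`netconf` credentials, so on a shared host any network peer can reconfigure the simulator. If it only needs to be reached from the same machine, bind it as `"127.0.0.1:830:830"` (and likewise `"127.0.0.1:6513:6513"`), or add a comment stating that this compose file is meant for an isolated lab network.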
diff --git a/models/pnf-simulator.yang b/models/pnf-simulator.yang
new file mode 100644 (file)
index 0000000..ba11585
--- /dev/null
@@ -0,0 +1,9 @@
+module pnf-simulator {
+  namespace "http://onap.org/pnf-simulator";
+  prefix config;
+  container config {
+    config true;
+    leaf itemValue1 {type uint32;}
+    leaf itemValue2 {type uint32;}
+  }
+}
diff --git a/pom.xml b/pom.xml
new file mode 100644 (file)
index 0000000..37271bb
--- /dev/null
+++ b/pom.xml
@@ -0,0 +1,106 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ============LICENSE_START=======================================================
+  Simulator
+  ================================================================================
+  Copyright (C) 2021 Nokia. All rights reserved.
+  ================================================================================
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  ============LICENSE_END=========================================================
+  -->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.onap.oparent</groupId>
+        <artifactId>oparent</artifactId>
+        <version>3.2.0</version>
+    </parent>
+
+    <groupId>org.onap.integration.simulators.nf-simulator.netconf-server</groupId>
+    <artifactId>netconfserver</artifactId>
+    <version>1.0.0-SNAPSHOT</version>
+    <name>netconfserver</name>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <maven.build.timestamp.format>yyyyMMdd'T'HHmmss</maven.build.timestamp.format>
+
+        <skipDockerPush>true</skipDockerPush>
+        <docker.registry>nexus3.onap.org:10003</docker.registry>
+        <docker-maven-plugin.version>0.31.0</docker-maven-plugin.version>
+        <docker.image.tag>latest</docker.image.tag>
+        <docker-image.namespace>onap</docker-image.namespace>
+        <docker-image.name.prefix>org.onap.integration.simulators</docker-image.name.prefix>
+    </properties>
+
+    <profiles>
+        <profile>
+            <id>docker</id>
+            <activation>
+                <activeByDefault>false</activeByDefault>
+            </activation>
+            <properties>
+                <os.detected.name>linux</os.detected.name>
+                <os.detected.arch>x86_64</os.detected.arch>
+                <os.detected.classifier>${os.detected.name}-${os.detected.arch}</os.detected.classifier>
+            </properties>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>io.fabric8</groupId>
+                        <artifactId>docker-maven-plugin</artifactId>
+                        <version>${docker-maven-plugin.version}</version>
+                        <executions>
+                            <execution>
+                                <id>docker-build-image</id>
+                                <phase>package</phase>
+                                <goals>
+                                    <goal>build</goal>
+                                </goals>
+                            </execution>
+                            <execution>
+                                <id>docker-push-image</id>
+                                <phase>deploy</phase>
+                                <goals>
+                                    <goal>push</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                        <configuration>
+                            <skipPush>${skipDockerPush}</skipPush>
+                            <verbose>true</verbose>
+                            <imagePullPolicy>IfNotPresent</imagePullPolicy>
+                            <images>
+                                <image>
+                                    <name>${docker-image.namespace}/${docker-image.name.prefix}.${project.artifactId}</name>
+                                    <registry>${docker.registry}</registry>
+                                    <build>
+                                        <contextDir>${project.basedir}</contextDir>
+                                        <dockerFile>${project.basedir}/Dockerfile</dockerFile>
+                                        <tags>
+                                            <tag>${project.version}-STAGE-${maven.build.timestamp}Z</tag>
+                                        </tags>
+                                    </build>
+                                </image>
+                            </images>
+                        </configuration>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+    </profiles>
+
+</project>
diff --git a/scripts/generate-certificates.sh b/scripts/generate-certificates.sh
new file mode 100755 (executable)
index 0000000..1c05172
--- /dev/null
@@ -0,0 +1,43 @@
+#!/bin/sh
+###
+# ============LICENSE_START=======================================================
+# Netconf-server
+# ================================================================================
+# Copyright (C) 2021 Nokia. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+###
+
+## Set up certs path
+cert_path="."
+if [ "$#" -eq 1 ]; then
+  cert_path=$1
+fi
+cd $cert_path
+
+## Generate self-signed CA cert and key
+openssl req -nodes -newkey rsa:2048 -keyout ca.key -out ca.csr -subj "/C=US/O=ONAP/OU=OSAAF/CN=CA.NETCONF/"
+openssl x509 -req -in ca.csr -signkey ca.key -days 730 -out ca.crt
+rm ca.csr
+
+## Generate Server cert and key
+openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "/C=US/O=ONAP/OU=OSAAF/CN=CA.NETCONF.SERVER/"
+openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 730 -sha256
+openssl x509 -pubkey -noout -in server.crt  > server_pub.key
+rm server.csrsrl
+
+## Generate Client cert and key
+openssl req -nodes -newkey rsa:2048 -keyout client.key -out client.csr -subj "/C=US/O=ONAP/OU=OSAAF/CN=CA.NETCONF.CLIENT/"
+openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 730 -sha256
+rm client.csr
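Review bot: `rm server.csrsrl` looks like a typo for `rm server.csr` (and presumably `ca.srl`), and because the script has no `set -e` that failure — or any failing `openssl` step — does not stop the Docker build, so an image can ship with a leftover CSR or missing certificates and nobody notices until TLS is enabled. Add `set -eu` after the shebang, quote `cd "$cert_path"`, and fix the `rm`. Note also that `ca.key` and `client.key` end up in the same directory as `server.key`, which is the directory the README tells users to mount over; a comment such as `# ca.key/client.key are not read at runtime; keep them out of the served directory` would help. The CA certificate is produced with `-signkey` and no `basicConstraints=CA:TRUE` extension, which some TLS stacks reject when building the client-cert chain — worth verifying against netopeer2 before relying on it.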
diff --git a/scripts/install-all-module-from-directory.sh b/scripts/install-all-module-from-directory.sh
new file mode 100755 (executable)
index 0000000..6644715
--- /dev/null
@@ -0,0 +1,37 @@
+#!/bin/bash
+###
+# ============LICENSE_START=======================================================
+# Netconf-server
+# ================================================================================
+# Copyright (C) 2021 Nokia. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+###
+
+if [ "$#" -eq 1 ]; then
+
+  ## Get all files from given directory with extension .yang
+  FILES=$1/*.yang
+
+  ## Install all module from selected yang files
+  for f in $FILES
+  do
+    echo "Installing module $f"
+    sysrepoctl -a -i $f
+    cat $f
+  done
+
+else
+    echo "Missing argument: path to file with YANG models."
+fi
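Review bot: A failed `sysrepoctl -a -i $f` is not detected — the loop continues and the script exits 0, so set-up-netopeer.sh goes on to start the server even when a model did not install, and the missing-argument branch likewise prints to stdout and exits 0. Add `set -e` (or check the status per module), write the error with `echo "..." >&2` followed by `exit 1`, and quote `"$f"` so paths containing spaces do not split. The `cat $f` of every module to stdout looks like debugging output; consider dropping it or gating it behind a verbose flag.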
diff --git a/scripts/install-tls-with-custom-certificates.sh b/scripts/install-tls-with-custom-certificates.sh
new file mode 100755 (executable)
index 0000000..545d01b
--- /dev/null
@@ -0,0 +1,37 @@
+#!/bin/bash
+###
+# ============LICENSE_START=======================================================
+# Netconf-server
+# ================================================================================
+# Copyright (C) 2021 Nokia. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+###
+
+if [ "$#" -eq 2 ]; then
+
+  ## Set up custom certificates
+  python $1/set-up-tls-certificates.py $2 \
+           ca.crt server.crt server.key server_pub.key client.crt \
+           $1/tls_keystore.xml $1/tls_truststore.xml $1/tls_listen.xml
+
+  ## Configure and start TLS listener
+  sysrepocfg --edit=$1/tls_keystore.xml --format=xml --datastore=running --module=ietf-keystore
+  sysrepocfg --edit=$1/tls_truststore.xml --format=xml --datastore=running --module=ietf-truststore
+  sysrepocfg --edit=$1/tls_listen.xml --format=xml --datastore=running --module=ietf-netconf-server
+  sysrepocfg --copy-from=running --datastore=startup
+
+else
+  echo "Missing arguments: first argument should be path to file with tls scripts and/ore second argument should be path to file with certificates for TLS."
+fi
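Review bot: The Python patcher rewrites `$1/tls_keystore.xml`, `tls_truststore.xml` and `tls_listen.xml` in place, so after the first start the server's private key sits in plaintext inside the scripts directory of the container's writable layer, and the placeholders are gone — a container that is stopped and started again with different certificates mounted would presumably re-import the old values rather than re-patch. Patch copies in a temporary directory and remove them once `sysrepocfg` has imported them. None of the `sysrepocfg` calls are checked and the missing-argument branch exits 0, so also add `set -e` and `exit 1` there; the usage text has a typo (`and/ore`).
```shell
set -e
if [ "$#" -eq 2 ]; then
  work_dir="$(mktemp -d)"
  trap 'rm -rf "$work_dir"' EXIT
  cp "$1"/tls_keystore.xml "$1"/tls_truststore.xml "$1"/tls_listen.xml "$work_dir"/

  ## Patch the copies, never the templates shipped in the image
  python "$1"/set-up-tls-certificates.py "$2" \
           ca.crt server.crt server.key server_pub.key client.crt \
           "$work_dir"/tls_keystore.xml "$work_dir"/tls_truststore.xml "$work_dir"/tls_listen.xml

  sysrepocfg --edit="$work_dir"/tls_keystore.xml --format=xml --datastore=running --module=ietf-keystore
  # … unchanged: truststore and listen imports, copy-from running to startup, now reading from "$work_dir" …
else
  echo "Missing arguments: first argument should be the directory with the TLS scripts and the second the directory with the TLS certificates." >&2
  exit 1
fi
```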
diff --git a/scripts/set-up-netopeer.sh b/scripts/set-up-netopeer.sh
new file mode 100755 (executable)
index 0000000..f6308d0
--- /dev/null
@@ -0,0 +1,46 @@
+#!/bin/bash
+###
+# ============LICENSE_START=======================================================
+# Netconf-server
+# ================================================================================
+# Copyright (C) 2021 Nokia. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+###
+
+if [ "$#" -ge 1 ]; then
+
+  ## Set up variable
+  SCRIPTS_DIR=$PWD/"$(dirname $0)"
+  enable_tls=${ENABLE_TLS:-false}
+
+  ## Install all modules from given directory
+  $SCRIPTS_DIR/install-all-module-from-directory.sh $1
+
+  ## If TLS is enabled start initializing certificates
+  if [[ "$enable_tls" == "true" ]]; then
+    if [ "$#" -ge 2 ]; then
+      echo "initializing TLS"
+      $SCRIPTS_DIR/install-tls-with-custom-certificates.sh  $SCRIPTS_DIR/tls $2
+    else
+      echo "Missing second argument: path to file with certificates for TLS."
+    fi
+  fi
+
+  ## Run sysrepo supervisor
+  /usr/bin/supervisord -c /etc/supervisord.conf
+
+else
+  echo "Missing first argument: path to file with YANG models."
+fi
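Review bot: When `ENABLE_TLS=true` but `install-tls-with-custom-certificates.sh` fails (bad or missing certificates), its exit status is ignored and supervisord is started anyway, so the server comes up with only the password-authenticated SSH endpoint while the operator believes TLS is on; fail closed with `$SCRIPTS_DIR/install-tls-with-custom-certificates.sh "$SCRIPTS_DIR/tls" "$2" || exit 1`, and make the missing-second-argument branch `exit 1` as well instead of just echoing. Also start the supervisor with `exec /usr/bin/supervisord -c /etc/supervisord.conf` so it becomes PID 1 and receives the SIGTERM from `docker stop` rather than the wrapper shell, which otherwise leaves the container to be SIGKILLed after the timeout.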
diff --git a/scripts/tls/set-up-tls-certificates.py b/scripts/tls/set-up-tls-certificates.py
new file mode 100755 (executable)
index 0000000..16934b5
--- /dev/null
@@ -0,0 +1,242 @@
+#!/usr/bin/env python
+###
+# ============LICENSE_START=======================================================
+# Netconf-server
+# ================================================================================
+# Copyright (C) 2021 Nokia. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+###
+
+import os
+import sys
+import logging
+
+logging.basicConfig()
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+
+# Placeholders definition - this needs to match placeholders in
+# tls_keystore.xml, tls_truststore.xml and tls_listen.xml
+# Server certification
+SERVER_KEY_NAME = "SERVER_KEY_NAME"
+SERVER_CERT_NAME = "SERVER_CERT_NAME"
+SERVER_CERTIFICATE_HERE = "SERVER_CERTIFICATE_HERE"
+SERVER_KEY_HERE = "SERVER_KEY_HERE"
+SERVER_PUB_KEY_HERE = "SERVER_PUB_KEY_HERE"
+# CA certification
+CA_CERT_NAME = "CA_CERT_NAME"
+CA_CERTIFICATE_HERE = "CA_CERTIFICATE_HERE"
+# Client certification
+CLIENT_CERT_NAME = "CLIENT_CERT_NAME"
+CLIENT_CERTIFICATE_HERE = "CLIENT_CERTIFICATE_HERE"
+CLIENT_FINGERPRINT_HERE = "CLIENT_FINGERPRINT_HERE"
+
+
+class FileHelper(object):
+    @classmethod
+    def get_file_contents(cls, filename):
+        with open(filename, "r") as f:
+            return f.read()
+
+    @classmethod
+    def write_file_contents(cls, filename, data):
+        with open(filename, "w+") as f:
+            f.write(data)
+
+
+class CertHelper(object):
+    @classmethod
+    def get_pem_content_stripped(cls, pem_dir, pem_filename):
+        cmd = "cat {}/{} | grep -v '^-'".format(pem_dir, pem_filename)
+        content = CertHelper.system(cmd)
+        return content
+
+    @classmethod
+    def get_cert_fingerprint(cls, directory, cert_filename):
+        cmd = "openssl x509 -fingerprint -noout -in {}/{} | sed -e " \
+              "'s/SHA1 Fingerprint//; s/=//; s/=//p'" \
+            .format(directory, cert_filename)
+        fingerprint = CertHelper.system(cmd)
+        return fingerprint
+
+    @classmethod
+    def print_keystore_info(cls, server_cert):
+        logger.info("Will use server certificate: " + server_cert)
+
+    @classmethod
+    def print_truststore_info(cls, ca_cert):
+        logger.info("Will use CA certificate: " + ca_cert)
+
+    @classmethod
+    def print_listener_info(cls, ca_fingerprint):
+        logger.info("CA certificate fingerprint: " + ca_fingerprint)
+
+    @classmethod
+    def system(cls, cmd):
+        return os.popen(cmd).read().replace("\n", "")
+
+
+class CertificationData(object):
+
+    def __init__(self,
+                 cert_dir, ca_cert_filename,
+                 server_cert_filename, server_key_filename, server_pub_key_filename,
+                 client_cert_filename,
+                 tls_keystore_xml_file, tls_truststore_xml_file, tls_listen_xml_file
+                 ):
+        self.cert_dir = cert_dir
+        self.ca_cert_filename = ca_cert_filename
+        self.server_cert_filename = server_cert_filename
+        self.server_key_filename = server_key_filename
+        self.server_pub_key_filename = server_pub_key_filename
+        self.client_cert_filename = client_cert_filename
+        self.tls_keystore_xml_file = tls_keystore_xml_file
+        self.tls_truststore_xml_file = tls_truststore_xml_file
+        self.tls_listen_xml_file = tls_listen_xml_file
+
+
+class TlsConfigurationPatcher(object):
+
+    def __init__(self, certification_data):
+        self.certification_data = certification_data
+
+    def patch_configuration(self):
+        server_cert_name, server_key_name, ca_cert_name, client_cert_name = self.__load_names()
+        server_cert, server_key, server_pub_key = self.__load_server_data()
+        client_cert, client_fingerprint = self.__load_client_data()
+        ca_cert = self.__load_ca_data()
+
+        self.__set_up_keystore(server_cert_name, server_key_name, server_cert, server_key, server_pub_key)
+        self.__set_up_truststore(ca_cert_name, client_cert_name, ca_cert, client_cert)
+        self.__set_up_listener(server_cert_name, server_key_name, ca_cert_name, client_cert_name, client_fingerprint)
+
+    def __load_names(self):
+        server_cert_name = self.certification_data.server_cert_filename.replace(".crt", "")
+        server_key_name = self.certification_data.server_key_filename.replace(".key", "")
+        ca_cert_name = self.certification_data.ca_cert_filename.replace(".crt", "")
+        client_cert_name = self.certification_data.client_cert_filename.replace(".crt", "")
+        return server_cert_name, server_key_name, ca_cert_name, client_cert_name
+
+    def __load_server_data(self):
+        server_cert = CertHelper.get_pem_content_stripped(
+            self.certification_data.cert_dir, self.certification_data.server_cert_filename)
+        server_key = CertHelper.get_pem_content_stripped(
+            self.certification_data.cert_dir, self.certification_data.server_key_filename)
+        server_pub_key = CertHelper.get_pem_content_stripped(
+            self.certification_data.cert_dir, self.certification_data.server_pub_key_filename)
+        return server_cert, server_key, server_pub_key
+
+    def __load_client_data(self):
+        client_cert = CertHelper.get_pem_content_stripped(
+            self.certification_data.cert_dir, self.certification_data.client_cert_filename)
+        client_fingerprint = CertHelper.get_cert_fingerprint(
+            self.certification_data.cert_dir, self.certification_data.client_cert_filename)
+        return client_cert, client_fingerprint
+
+    def __load_ca_data(self):
+        ca_cert = CertHelper.get_pem_content_stripped(
+            self.certification_data.cert_dir, self.certification_data.ca_cert_filename)
+        return ca_cert
+
+    def __set_up_keystore(self,
+                          server_cert_name, server_key_name,
+                          server_cert, server_key, server_pub_key):
+        CertHelper.print_keystore_info(server_cert)
+
+        # path tls configuration xml file for keystore
+        data_srv = FileHelper.get_file_contents(self.certification_data.tls_keystore_xml_file)
+        patched_srv = self.__patch_keystore_configuration(
+            data_srv, server_key_name, server_cert_name, server_cert, server_key, server_pub_key)
+        FileHelper.write_file_contents(self.certification_data.tls_keystore_xml_file, patched_srv)
+
+    def __set_up_truststore(self,
+                            ca_cert_name, client_cert_name,
+                            ca_cert, client_cert):
+        CertHelper.print_truststore_info(ca_cert)
+
+        # path tls configuration xml file for truststore
+        data_srv = FileHelper.get_file_contents(self.certification_data.tls_truststore_xml_file)
+        patched_srv = self.__patch_truststore_configuration(
+            data_srv, ca_cert_name, client_cert_name, ca_cert, client_cert)
+        FileHelper.write_file_contents(self.certification_data.tls_truststore_xml_file, patched_srv)
+
+    def __set_up_listener(self,
+                          server_cert_name, server_key_name, ca_cert_name, client_cert_name,
+                          client_fingerprint):
+        CertHelper.print_listener_info(client_fingerprint)
+
+        # path tls configuration xml file for listener
+        data_srv = FileHelper.get_file_contents(self.certification_data.tls_listen_xml_file)
+        patched_srv = self.__patch_listener_configuration(
+            data_srv, ca_cert_name, client_cert_name, server_key_name, server_cert_name, client_fingerprint)
+        FileHelper.write_file_contents(self.certification_data.tls_listen_xml_file, patched_srv)
+
+    @classmethod
+    def __patch_keystore_configuration(cls, data,
+                                       server_key_name, server_cert_name,
+                                       server_cert, server_key, server_pub_key):
+        data = data.replace(SERVER_KEY_NAME, server_key_name)
+        data = data.replace(SERVER_CERT_NAME, server_cert_name)
+        data = data.replace(SERVER_CERTIFICATE_HERE, server_cert)
+        data = data.replace(SERVER_KEY_HERE, server_key)
+        data = data.replace(SERVER_PUB_KEY_HERE, server_pub_key)
+        return data
+
+    @classmethod
+    def __patch_truststore_configuration(cls, data,
+                                         ca_cert_name, client_cert_name,
+                                         ca_cert, client_cert):
+        data = data.replace(CA_CERT_NAME, ca_cert_name)
+        data = data.replace(CLIENT_CERT_NAME, client_cert_name)
+        data = data.replace(CLIENT_CERTIFICATE_HERE, client_cert)
+        data = data.replace(CA_CERTIFICATE_HERE, ca_cert)
+        return data
+
+    @classmethod
+    def __patch_listener_configuration(cls, data,
+                                       ca_cert_name, client_cert_name, server_key_name, server_cert_name,
+                                       client_fingerprint):
+        data = data.replace(CA_CERT_NAME, ca_cert_name)
+        data = data.replace(CLIENT_CERT_NAME, client_cert_name)
+        data = data.replace(SERVER_KEY_NAME, server_key_name)
+        data = data.replace(SERVER_CERT_NAME, server_cert_name)
+        data = data.replace(CLIENT_FINGERPRINT_HERE, client_fingerprint)
+        return data
+
+
+def main():
+    if len(sys.argv) == 10:
+
+        certification_data = CertificationData(
+            sys.argv[1],
+            sys.argv[2], sys.argv[3], sys.argv[4],
+            sys.argv[5],
+            sys.argv[6],
+            sys.argv[7], sys.argv[8], sys.argv[9],
+        )
+        configuration_loader = TlsConfigurationPatcher(certification_data)
+        configuration_loader.patch_configuration()
+        logger.info("XML files patched successfully")
+
+    else:
+        logger.error("Usage: %s <cert_dir> <ca_cert_filename> <server_cert_filename> "
+                     "<server_key_filename> <server_public_key_filename> <client_cert_filename>"
+                     "<load_keystore_xml_full_path> <load_truststore_xml_full_path> <tls_listen_full_path>"
+                     % sys.argv[0])
+        return 1
+
+
+if __name__ == '__main__':
+    main()
diff --git a/scripts/tls/tls_keystore.xml b/scripts/tls/tls_keystore.xml
new file mode 100644 (file)
index 0000000..01e00a8
--- /dev/null
@@ -0,0 +1,36 @@
+<!--
+ ============LICENSE_START=======================================================
+ Netconf-server
+ ================================================================================
+ Copyright (C) 2021 Nokia. All rights reserved.
+ ================================================================================
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ ============LICENSE_END=========================================================
+-->
+
+<keystore xmlns="urn:ietf:params:xml:ns:yang:ietf-keystore">
+  <asymmetric-keys>
+    <asymmetric-key>
+      <name>SERVER_KEY_NAME</name>
+      <algorithm>rsa2048</algorithm>
+      <public-key>SERVER_PUB_KEY_HERE</public-key>
+      <private-key>SERVER_KEY_HERE</private-key>
+      <certificates>
+        <certificate>
+          <name>SERVER_CERT_NAME</name>
+          <cert>SERVER_CERTIFICATE_HERE</cert>
+        </certificate>
+      </certificates>
+    </asymmetric-key>
+  </asymmetric-keys>
+</keystore>
diff --git a/scripts/tls/tls_listen.xml b/scripts/tls/tls_listen.xml
new file mode 100644 (file)
index 0000000..3d583e8
--- /dev/null
@@ -0,0 +1,58 @@
+<!--
+ ============LICENSE_START=======================================================
+ Netconf-server
+ ================================================================================
+ Copyright (C) 2021 Nokia. All rights reserved.
+ ================================================================================
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ ============LICENSE_END=========================================================
+-->
+
+<netconf-server xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server">
+  <listen>
+    <endpoint>
+      <name>default-tls</name>
+      <tls>
+        <tcp-server-parameters>
+          <local-address>0.0.0.0</local-address>
+          <keepalives>
+            <idle-time>1</idle-time>
+            <max-probes>10</max-probes>
+            <probe-interval>5</probe-interval>
+          </keepalives>
+        </tcp-server-parameters>
+        <tls-server-parameters>
+          <server-identity>
+            <keystore-reference>
+              <asymmetric-key>SERVER_KEY_NAME</asymmetric-key>
+              <certificate>SERVER_CERT_NAME</certificate>
+            </keystore-reference>
+          </server-identity>
+          <client-authentication>
+            <required/>
+            <ca-certs>CA_CERT_NAME</ca-certs>
+            <client-certs>CLIENT_CERT_NAME</client-certs>
+            <cert-maps>
+              <cert-to-name>
+                <id>1</id>
+                <fingerprint>02:CLIENT_FINGERPRINT_HERE</fingerprint>
+                <map-type xmlns:x509c2n="urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name">x509c2n:specified</map-type>
+                <name>tls-test</name>
+              </cert-to-name>
+            </cert-maps>
+          </client-authentication>
+        </tls-server-parameters>
+      </tls>
+    </endpoint>
+  </listen>
+</netconf-server>
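Review bot: The `02:` prefix on `<fingerprint>02:CLIENT_FINGERPRINT_HERE</fingerprint>` is the hash-algorithm octet of the ietf-x509-cert-to-name fingerprint type (0x02 = SHA-1, if I read RFC 7407 correctly), so it silently couples this template to the digest that set-up-tls-certificates.py computes; nothing in either file says so. Add a comment above the element, e.g. `<!-- leading 02 = SHA-1 (ietf-x509-cert-to-name); set-up-tls-certificates.py must compute the fingerprint with the same digest -->`. It would also help to note that `x509c2n:specified` maps any client whose certificate matches that fingerprint to the NETCONF username `tls-test`, since that name is what any access-control rules will key on.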
diff --git a/scripts/tls/tls_truststore.xml b/scripts/tls/tls_truststore.xml
new file mode 100644 (file)
index 0000000..80c877d
--- /dev/null
@@ -0,0 +1,36 @@
+<!--
+ ============LICENSE_START=======================================================
+ Netconf-server
+ ================================================================================
+ Copyright (C) 2021 Nokia. All rights reserved.
+ ================================================================================
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ ============LICENSE_END=========================================================
+-->
+
+<truststore xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore">
+  <certificates>
+    <name>CLIENT_CERT_NAME</name>
+    <certificate>
+      <name>client_cert</name>
+      <cert>CLIENT_CERTIFICATE_HERE</cert>
+    </certificate>
+  </certificates>
+  <certificates>
+    <name>CA_CERT_NAME</name>
+    <certificate>
+      <name>ca_cert</name>
+      <cert>CA_CERTIFICATE_HERE</cert>
+    </certificate>
+  </certificates>
+</truststore>
diff --git a/version.properties b/version.properties
new file mode 100644 (file)
index 0000000..2ddebb3
--- /dev/null
@@ -0,0 +1,6 @@
+major=1
+minor=0
+patch=0
+base_version=${major}.${minor}.${patch}
+release_version=${base_version}
+snapshot_version=${base_version}-SNAPSHOT