#!/bin/bash
-# This script is run when starting aaf_config Container.
+#########
+# ============LICENSE_START====================================================
+# org.onap.aaf
+# ===========================================================================
+# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+# ===========================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END====================================================
+#
+# This script is run when starting client Container.
# It needs to cover the cases where the initial data doesn't exist, and when it has already been configured (don't overwrite)
#
-JAVA=/usr/bin/java
+
+#
+# error handling. REQUIRED: if this script fails, it must give non-zero exit value
+#
+# We exit non-zero with an explanation echod to standard
+# out in some situations, like bad input or failed keygen.
+# We exit non-zero without explanation in other situations
+# like command not found, or file access perms error.
+#
+# exit without explaining to stdout if some error
+set -e
+
+[ -z "$JAVA_HOME" ] && { echo FAILURE: JAVA_HOME is not set; exit 1;}
+JAVA=${JAVA_HOME}/bin/java
+
+[ -e ${JAVA_HOME} ] || { echo FAILURE: java home does not exist: ${JAVA_HOME}; exit 1;}
+[ -e ${JAVA} ] || { echo FAILURE: java executable does not exist: ${JAVA}; exit 1;}
+
AAF_INTERFACE_VERSION=2.1
# Extract Name, Domain and NS from FQI
+[ -z "$APP_FQI" ] && { echo FAILURE: APP_FQI is not set; exit 1; }
+
FQIA=($(echo ${APP_FQI} | tr '@' '\n'))
FQI_SHORT=${FQIA[0]}
FQI_DOMAIN=${FQIA[1]}
+[ -z "$FQI_SHORT" ] && { echo FAILURE: malformed APP_FQI, should be like email form: name@domain; exit 1; }
+[ -z "$FQI_DOMAIN" ] && { echo FAILURE: malformed APP_FQI, should be like email form: name@domain; exit 1; }
+
# Reverse DOMAIN for NS
FQIA_E=($(echo ${FQI_DOMAIN} | tr '.' '\n'))
for (( i=( ${#FQIA_E[@]} -1 ); i>0; i-- )); do
NS=${NS}${FQIA_E[i]}'.'
done
NS=${NS}${FQIA_E[0]}
+CONFIG=${CONFIG:-"/opt/app/aaf_config"}
+
+# perhaps AAF HOME? (root of aaf installation)
+OSAAF=${OSAAF:-"/opt/app/osaaf"}
+
+# this is the 'place' operation's destination
+LOCAL=${LOCAL:-"$OSAAF/local"}
+DOT_AAF=${DOT_AAF:-"${HOME}/.aaf"}
+SSO="$DOT_AAF/sso.props"
+
+# for *backup files
+backupDir=${BACKUP_DIR:-${LOCAL}}
+
+if [ -e "$CONFIG" ]; then
+ CONFIG_BIN="$CONFIG/bin"
+else
+ CONFIG_BIN="."
+fi
+
+AGENT_JAR="$CONFIG_BIN/aaf-cadi-aaf-*-full.jar"
+JAVA_AGENT="$JAVA -Dcadi_loglevel=DEBUG -Dcadi_etc_dir=${LOCAL} -Dcadi_log_dir=${LOCAL} -jar $AGENT_JAR "
+
+function backup() {
+ # any backup files?
+ if stat -t *.backup > /dev/null 2>&1; then
+ # move them somewhere else?
+ if [ "${backupDir}" != "${LOCAL}" ]; then
+ mkdir -p ${backupDir}
+ mv -f ${LOCAL}/*.backup ${backupDir}
+ fi
+ fi
+}
# Setup SSO info for Deploy ID
function sso_encrypt() {
- $JAVA -cp /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar org.onap.aaf.cadi.CmdLine digest ${1} ~/.aaf/keyfile
+ $JAVA_AGENT cadi digest ${1} $DOT_AAF/keyfile || {
+ echo agent fails to digest password
+ exit 1
+ }
}
-if [ ! -e " ~/.aaf/keyfile" ]; then
- mkdir -p ~/.aaf
- SSO=~/.aaf/sso.props
- $JAVA -cp /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar org.onap.aaf.cadi.CmdLine keygen ~/.aaf/keyfile
- chmod 400 ~/.aaf/keyfile
- echo cadi_latitude=${LATITUDE} > ${SSO}
- echo cadi_longitude=${LONGITUDE} >> ${SSO}
- echo aaf_id=${DEPLOY_FQI} >> ${SSO}
+# Setup Bash, first time only, Agent only
+if [ ! -f "$HOME/.bashrc" ] || [ -z "$(grep agent $HOME/.bashrc)" ]; then
+ echo "alias agent='$CONFIG_BIN/agent.sh agent \$*'" >> $HOME/.bashrc
+ chmod a+x $CONFIG_BIN/agent.sh
+ . $HOME/.bashrc
+fi
+
+if [ ! -e "$DOT_AAF/truststoreONAPall.jks" ]; then
+ mkdir -p $DOT_AAF
+ base64 -d $CONFIG/cert/truststoreONAPall.jks.b64 > $DOT_AAF/truststoreONAPall.jks
+fi
+
+# Create Deployer Info, located at /root/.aaf
+if [ ! -e "$DOT_AAF/keyfile" ]; then
+
+ $JAVA_AGENT cadi keygen $DOT_AAF/keyfile || {
+ echo "Cannot create $DOT_AAF/keyfile"
+ exit 1
+ }
+
+ chmod 400 $DOT_AAF/keyfile
+
+fi
+
+if [ ! -e "${SSO}" ]; then
+ echo Creating and adding content to ${SSO}
+ echo "cadi_keyfile=$DOT_AAF/keyfile" > ${SSO}
+
+ # Add Deployer Creds to Root's SSO
+ DEPLOY_FQI="${DEPLOY_FQI:=$app_id}"
+ echo "aaf_id=${DEPLOY_FQI}" >> ${SSO}
if [ ! "${DEPLOY_PASSWORD}" = "" ]; then
echo aaf_password=enc:$(sso_encrypt ${DEPLOY_PASSWORD}) >> ${SSO}
fi
- echo aaf_locate_url=https://${AAF_FQDN}:8095 >> ${SSO}
- echo aaf_url=https://AAF_LOCATE_URL/AAF_NS.service:${AAF_INTERFACE_VERSION} >> ${SSO}
- echo cadi_truststore=$(ls /opt/app/aaf_config/public/*trust*) >> ${SSO}
- echo cadi_truststore_password=enc:$(sso_encrypt changeit) >> ${SSO}
+
+ # Cover case where using app.props
+ aaf_locator_container_ns=${aaf_locator_container_ns:=$CONTAINER_NS}
+ if [ "$aaf_locator_container" = "docker" ]; then
+ echo "aaf_locate_url=https://aaf-locate:8095" >> ${SSO}
+ echo "aaf_url_cm=https://aaf-cm:8150" >> ${SSO}
+ echo "aaf_url=https://aaf-service:8100" >> ${SSO}
+ else
+ echo "aaf_locate_url=https://${aaf_locator_fqdn}:8095" >> ${SSO}
+ echo "aaf_url_cm=https://AAF_LOCATE_URL/%CNS.%NS.cm:2.1" >> ${SSO}
+ echo "aaf_url=https://AAF_LOCATE_URL/%CNS.%NS.service:2.1" >> ${SSO}
+ fi
+
+ echo "cadi_truststore=$DOT_AAF/truststoreONAPall.jks" >> ${SSO}
+ echo "cadi_truststore_password=changeit" >> ${SSO}
+ echo "cadi_latitude=${LATITUDE}" >> ${SSO}
+ echo "cadi_longitude=${LONGITUDE}" >> ${SSO}
+ echo "hostname=${aaf_locator_fqdn}" >> ${SSO}
+
+ # Push in all AAF and CADI properties to SSO
+ for E in $(env); do
+ if [ "${E:0:4}" = "aaf_" ] || [ "${E:0:5}" = "cadi_" ]; then
+ # Use Deployer ID in ${SSO}
+ if [ "app_id" != "${E%=*}" ]; then
+ S="${E/_helm/.helm}"
+ S="${S/_oom/.oom}"
+ echo "$S" >> ${SSO}
+ fi
+ fi
+ done
+
+ . ${SSO}
+ echo "Caller Properties Initialized"
+ echo "cat SSO"
+ cat ${SSO}
+fi
+
+# Check for local dir
+if [ -d $LOCAL ]; then
+ echo "$LOCAL exists"
+else
+ mkdir -p $LOCAL
+ echo "Created $LOCAL"
+fi
+
+cd $LOCAL
+echo "Existing files in $LOCAL"
+ls -l
+
+# Should we refresh the client version??
+if [ "${VERSION}" != "$(cat ${LOCAL}/VERSION 2> /dev/null)" ]; then
+ echo "Clean up directory ${LOCAL}"
+ rm -Rf ${LOCAL}/*
+
+ echo "${VERSION}" > $LOCAL/VERSION
+ cp $AGENT_JAR $LOCAL
+ echo "#!/bin/bash" > $LOCAL/agent
+ echo 'java -jar aaf-cadi-aaf-*-full.jar $*' >> $LOCAL/agent
+ echo "#!/bin/bash" > $LOCAL/cadi
+ echo 'java -jar aaf-cadi-aaf-*-full.jar cadi $*' >> $LOCAL/cadi
+ chmod 755 $LOCAL/agent $LOCAL/cadi
fi
+echo "Namespace is ${NS}"
+
# Only initialize once, automatically...
-if [ ! -e /opt/app/osaaf/local/${NS}.props ]; then
- for D in bin logs; do
- rsync -avzh --exclude=.gitignore /opt/app/aaf_config/$D/* /opt/app/osaaf/$D
- done
+if [ ! -f $LOCAL/${NS}.props ]; then
+ [ -z "$APP_FQDN" ] && { echo FAILURE: APP_FQDN is not set; exit 1; }
+
+ echo "#### Create Configuration files "
+ > $LOCAL/$NS
+ $JAVA_AGENT config $APP_FQI $APP_FQDN --nopasswd || {
+ echo Cannot create config files
+ exit 1
+ }
+ cat $LOCAL/$NS.props
+
+ echo
+ echo "#### Certificate Authorization Artifact"
+ # TMP=$(mktemp)
+ TMP=$LOCAL/agent.log
+
- # setup Configs
- $JAVA -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar config $APP_FQI \
- cadi_etc_dir=/opt/app/osaaf/local
+ $JAVA_AGENT read ${APP_FQI} ${APP_FQDN} | tee $TMP ; [ ${PIPESTATUS[0]} -eq 0 ] || {
+ echo Cannot read artificate;
+ exit 1;
+ }
- # Place Certificates
- $JAVA -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar place ${APP_FQI} ${APP_FQDN}
- # Validate
- $JAVA -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar validate \
- cadi_prop_files=/opt/app/osaaf/local/${NS}.props
+ if [ -n "$(grep 'Namespace:' $TMP)" ]; then
+ echo "#### Place Certificates (by deployer)"
+ $JAVA_AGENT place $APP_FQI $APP_FQDN || {
+ echo Failed to obtain new certificate
+ exit 1
+
+ }
+
+ if [ -z "$(grep cadi_alias ${LOCAL}/$NS.cred.props)" ]; then
+ echo "FAILED to get Certificate, cadi_alias is not defined."
+ exit 1
+ else
+ echo "Obtained Certificates"
+ echo "#### Validate Configuration and Certificate with live call"
+ $JAVA_AGENT validate cadi_prop_files=${NS}.props || {
+ echo Failed to validate new certificate
+ exit 1
+ }
+ fi
+ else
+ echo "#### Certificate Authorization Artifact must be valid to continue"
+ fi
+ rm $TMP
+else
+ INITIALIZED="true"
fi
-# Now run a command
-CMD=$2
-if [ ! "$CMD" = "" ]; then
- shift
+if [ -z "$*" ]; then
+ echo "Initialization complete"
+else
+ # Now run a command
+ CMD=$1
shift
case "$CMD" in
ls)
echo ls requested
- find /opt/app/osaaf -depth
+ find ${OSAAF} -depth
;;
cat)
if [ "$1" = "" ]; then
fi
fi
;;
- update)
- for D in bin logs; do
- rsync -uh --exclude=.gitignore /opt/app/aaf_config/$D/* /opt/app/osaaf/$D
- done
+ read)
+ echo "## Read Artifacts"
+ $JAVA_AGENT read $APP_FQI $APP_FQDN cadi_prop_files=${SSO} cadi_loglevel=INFO || {
+ echo Command faile, cannot read artifacts
+ exit 1
+ }
+ ;;
+ showpass)
+ echo "## Show Passwords"
+ $JAVA_AGENT showpass $APP_FQI $APP_FQDN cadi_prop_files=${SSO} cadi_loglevel=ERROR || {
+ echo Failure showing password
+ exit 1
+ }
+ ;;
+ check)
+ echo "## Check Certificate"
+ echo "$JAVA_AGENT check $APP_FQI $APP_FQDN cadi_prop_files=${LOCAL}/${NS}.props"
+ # inspects and repots on certificate validation and renewal date
+ $JAVA_AGENT check $APP_FQI $APP_FQDN cadi_prop_files=${LOCAL}/${NS}.props || {
+ echo Checking certificate fails.
+ exit 1
+ }
;;
validate)
echo "## validate requested"
- $JAVA -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar validate cadi_prop_files=/opt/app/osaaf/local/${NS}.props
+ # attempt to send request to aaf; authenticate with this local certificate
+ $JAVA_AGENT validate $APP_FQI $APP_FQDN || {
+ echo Validation fails.
+ exit 1
+ }
+ ;;
+ place)
+ echo "## Renew Certificate"
+ $JAVA_AGENT place $APP_FQI $APP_FQDN cadi_prop_files=${SSO} || {
+ echo Placing certificate fails.
+ exit 1
+ }
+ ;;
+ renew)
+ echo "## Renew Certificate"
+ $JAVA_AGENT place $APP_FQI $APP_FQDN || {
+ echo Failure renewing certificate
+ exit 1
+ }
;;
bash)
- if [ ! -e ~/.bash_aliases ]; then
- echo "alias cadi='$JAVA -cp /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar org.onap.aaf.cadi.CmdLine \$*'" >~/.bash_aliases
- echo "alias agent='$JAVA -cp /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar org.onap.aaf.cadi.configure.Agent \$*'" >>~/.bash_aliases
- fi
shift
- cd /opt/app/osaaf/local || exit
- /bin/bash "$@"
+ cd $LOCAL || exit
+ exec bash "$@"
;;
setProp)
- cd /opt/app/osaaf/local || exit
+ cd $LOCAL || exit
FILES=$(grep -l "$1" ./*.props)
- if [ "$FILES" = "" ]; then
- FILES="$3"
+ if [ -z "$FILES" ]; then
+ if [ -z "$3" ]; then
+ FILES=${NS}.props
+ else
+ FILES="$3"
+ fi
ADD=Y
fi
for F in $FILES; do
- echo "Changing $1 in $F"
if [ "$ADD" = "Y" ]; then
- echo $2 >> $F
+ echo "Changing $1 to $F"
+ echo "$1=$2" >> $F
else
- sed -i.backup -e "s/\\(${1}.*=\\).*/\\1${2}/" $F
+ echo "Changing $1 in $F"
+ sed -i.backup -e "s/\\(${1}.*=\\).*/\\1${2}/" $F
fi
cat $F
done
;;
encrypt)
- cd /opt/app/osaaf/local || exit
+ cd $LOCAL || exit
echo $1
FILES=$(grep -l "$1" ./*.props)
if [ "$FILES" = "" ]; then
- FILES=/opt/app/osaaf/local/${NS}.cred.props
+ FILES=$LOCAL/${NS}.cred.props
ADD=Y
fi
for F in $FILES; do
else
ORIG_PW="$2"
fi
- PWD=$("$JAVA" -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar cadi digest "$ORIG_PW" /opt/app/osaaf/local/${NS}.keyfile)
+ PWD=$($JAVA_CADI digest "$ORIG_PW" $LOCAL/${NS}.keyfile)
if [ "$ADD" = "Y" ]; then
echo "$1=enc:$PWD" >> $F
else
done
;;
taillog)
- sh /opt/app/osaaf/logs/taillog
+ sh ${OSAAF}/logs/taillog
+ ;;
+ testConnectivity|testconnectivity)
+ echo "--- Test Connectivity ---"
+ $JAVA -cp $AGENT_JAR org.onap.aaf.cadi.aaf.TestConnectivity $LOCAL/${NS}.props || {
+ echo Failure while testing connectivity
+ exit 1
+ }
;;
--help | -?)
case "$1" in
;;
cadi)
echo "--- cadi Tool Comands ---"
- $JAVA -Dcadi_prop_files=/opt/app/osaaf/local/${NS}.props -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar cadi | tail -n +6
+ $JAVA_CADI
;;
agent)
echo "--- agent Tool Comands ---"
- $JAVA -Dcadi_prop_files=/opt/app/osaaf/local/${NS}.props -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar
+ $JAVA_AGENT
+ ;;
+ aafcli)
+ echo "--- aafcli Tool Comands ---"
+ $JAVA_AAFCLI
;;
esac
echo ""
;;
+ ### Possible Dublin
+ # sample)
+ # echo "--- run Sample Servlet App ---"
+ # $JAVA -Dcadi_prop_files=$LOCAL/${NS}.props -cp $AGENT_JAR:$CONFIG_BIN/aaf-cadi-servlet-sample-*-sample.jar org.onap.aaf.sample.cadi.jetty.JettyStandalone ${NS}.props
+ # ;;
*)
- $JAVA -Dcadi_prop_files=/opt/app/osaaf/local/${NS}.props -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar "$CMD" "$@"
+ $JAVA_AGENT "$CMD" "$@"
;;
esac
fi
+
+backup
Code Review / aaf / authz.git / blobdiff