From: MichaelMorris Date: Mon, 18 Sep 2023 08:18:44 +0000 (+0100) Subject: TLS sdc-be-init: truststore & keystore handling X-Git-Tag: 1.13.6~3 X-Git-Url: https://gerrit.onap.org/r/gitweb?p=sdc.git;a=commitdiff_plain;h=532abef3013434369b0d6a126b417db7b6134bd2 TLS sdc-be-init: truststore & keystore handling Issue-ID: SDC-4671 Change-Id: Iaa6e4810cb06cc44a393ca4fda561b24ec208711 Signed-off-by: MichaelMorris
---
diff --git a/catalog-be/sdc-backend-init/Dockerfile b/catalog-be/sdc-backend-init/Dockerfile
index 76e502ab16..4013733259 100644
--- a/catalog-be/sdc-backend-init/Dockerfile
+++ b/catalog-be/sdc-backend-init/Dockerfile
@@ -20,7 +20,7 @@ RUN apk update && \
 curl-dev && \
 # needed libcurl to install correctly \
 python -m pip install --upgrade pip \
- pip install 'pycurl==7.44.1' && \
+ pip install 'pycurl==7.44.1' && \
 set -ex && \
 gem update --system --no-document && \
 gem install --no-update-sources public_suffix:4.0.7 multipart-post:2.2.0 etc:1.3.0 bundler:2.3.26 chef:13.8.5 berkshelf:6.3.1 io-console:0.4.6 webrick --no-document && \
diff --git a/catalog-be/sdc-backend-init/chef-repo/cookbooks/sdc-catalog-be-setup/recipes/1_create_consumer_and_user.rb b/catalog-be/sdc-backend-init/chef-repo/cookbooks/sdc-catalog-be-setup/recipes/1_create_consumer_and_user.rb
index 3aabb0a10e..5de3453bf0 100644
--- a/catalog-be/sdc-backend-init/chef-repo/cookbooks/sdc-catalog-be-setup/recipes/1_create_consumer_and_user.rb
+++ b/catalog-be/sdc-backend-init/chef-repo/cookbooks/sdc-catalog-be-setup/recipes/1_create_consumer_and_user.rb
@@ -3,6 +3,16 @@ if node['disableHttp']
 protocol = "https"
 https_flag = "--https"
 be_port = node['BE']['https_port']
+ if node['BE-init']['tls_cert'] && node['BE-init']['tls_key']
+ tls_key = "--tls_key " + node['BE-init']['tls_key']
+ tls_cert = "--tls_cert " + node['BE-init']['tls_cert']
+ if node['BE-init']['tls_password']
+ tls_key_pw = "--tls_key_pw " + node['BE-init']['tls_password']
+ end
+ end
+ if node['BE-init']['ca_cert']
+ ca_cert = "--ca_cert " + node['BE-init']['ca_cert']
+ end
 else
 protocol = "http"
 https_flag = ""
@@ -29,10 +39,10 @@ if node['basic_auth']
 end
 execute "executing-create_users" do
- command "sdcuserinit -i #{node['Nodes']['BE']} -p #{be_port} #{basic_auth_config} #{user_conf_dir} #{https_flag}"
+ command "sdcuserinit -i #{node['Nodes']['BE']} -p #{be_port} #{basic_auth_config} #{user_conf_dir} #{https_flag} #{tls_cert} #{tls_key} #{tls_key_pw} #{ca_cert}"
 action :run
 end
 execute "executing-create_consumers" do
- command "sdcconsumerinit -i #{node['Nodes']['BE']} -p #{be_port} #{basic_auth_config} #{https_flag}"
+ command "sdcconsumerinit -i #{node['Nodes']['BE']} -p #{be_port} #{basic_auth_config} #{https_flag} #{tls_cert} #{tls_key} #{tls_key_pw} #{ca_cert}"
 action :run
 end
diff --git a/catalog-be/sdc-backend-init/chef-repo/cookbooks/sdc-catalog-be-setup/recipes/2_check_Backend.rb b/catalog-be/sdc-backend-init/chef-repo/cookbooks/sdc-catalog-be-setup/recipes/2_check_Backend.rb
index 2e479e0848..72686111f5 100644
--- a/catalog-be/sdc-backend-init/chef-repo/cookbooks/sdc-catalog-be-setup/recipes/2_check_Backend.rb
+++ b/catalog-be/sdc-backend-init/chef-repo/cookbooks/sdc-catalog-be-setup/recipes/2_check_Backend.rb
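Review bot: The `--tls_key_pw` value is interpolated straight into the `execute` command strings of `executing-create_users` and `executing-create_consumers`, so the private-key password is visible to anyone who can list processes in the container and is echoed by Chef in the resource's failure output; the same pattern is repeated in 2_check_Backend.rb and 3_import_Normatives.rb. At minimum add `sensitive true` to each of these `execute` resources so Chef redacts the command, and prefer handing the password to the script through the resource's `environment` property or a file path rather than argv. Separately, `node['BE-init']['tls_cert']` raises NoMethodError if the `BE-init` attribute hash is not defined at all, so either confirm the cookbook's attributes file always defines it or guard the block with `if node['BE-init'] && node['BE-init']['tls_cert'] && node['BE-init']['tls_key']`.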
@@ -3,6 +3,16 @@ if node['disableHttp']
 protocol = "https"
 https_flag = "--https"
 be_port = node['BE']['https_port']
+ if node['BE-init']['tls_cert'] && node['BE-init']['tls_key']
+ tls_key = "--tls_key " + node['BE-init']['tls_key']
+ tls_cert = "--tls_cert " + node['BE-init']['tls_cert']
+ if node['BE-init']['tls_password']
+ tls_key_pw = "--tls_key_pw " + node['BE-init']['tls_password']
+ end
+ end
+ if node['BE-init']['ca_cert']
+ ca_cert = "--ca_cert " + node['BE-init']['ca_cert']
+ end
 else
 protocol = "http"
 https_flag = ""
@@ -22,6 +32,6 @@ if node['basic_auth']
 end
 execute "executing-check_backend_health" do
- command "sdccheckbackend -i #{node['Nodes']['BE']} -p #{be_port} #{basic_auth_config} #{https_flag}"
+ command "sdccheckbackend -i #{node['Nodes']['BE']} -p #{be_port} #{basic_auth_config} #{https_flag} #{tls_cert} #{tls_key} #{tls_key_pw} #{ca_cert}"
 action :run
-end
\ No newline at end of file
+end
diff --git a/catalog-be/sdc-backend-init/chef-repo/cookbooks/sdc-catalog-be-setup/recipes/3_import_Normatives.rb b/catalog-be/sdc-backend-init/chef-repo/cookbooks/sdc-catalog-be-setup/recipes/3_import_Normatives.rb
index be32e98f2b..cb36ffdc3d 100644
--- a/catalog-be/sdc-backend-init/chef-repo/cookbooks/sdc-catalog-be-setup/recipes/3_import_Normatives.rb
+++ b/catalog-be/sdc-backend-init/chef-repo/cookbooks/sdc-catalog-be-setup/recipes/3_import_Normatives.rb
@@ -5,6 +5,16 @@ if node['disableHttp']
 protocol = "https"
 be_port = node['BE']['https_port']
 param="-i #{be_ip} -p #{be_port} --https"
+ if node['BE-init']['tls_cert'] && node['BE-init']['tls_key']
+ tls_key = "--tls_key " + node['BE-init']['tls_key']
+ tls_cert = "--tls_cert " + node['BE-init']['tls_cert']
+ if node['BE-init']['tls_password']
+ tls_key_pw = "--tls_key_pw " + node['BE-init']['tls_password']
+ end
+ end
+ if node['BE-init']['ca_cert']
+ ca_cert = "--ca_cert " + node['BE-init']['ca_cert']
+ end
 else
 protocol = "http"
 be_port = node['BE']['http_port']
@@ -27,7 +37,7 @@ cookbook_file "/var/tmp/normatives.tar.gz" do
 end
 execute "create-jetty-modules" do
- command "set -ex && tar -xvf normatives.tar.gz && cd /var/tmp/normatives/import/tosca && sdcinit #{param} #{basic_auth_config} > #{ENV['ONAP_LOG']}/init.log"
+ command "set -ex && tar -xvf normatives.tar.gz && cd /var/tmp/normatives/import/tosca && sdcinit #{param} #{basic_auth_config} #{tls_cert} #{tls_key} #{tls_key_pw} #{ca_cert} > #{ENV['ONAP_LOG']}/init.log"
 cwd "/var/tmp/"
 action :run
 end
diff --git a/catalog-be/src/main/resources/scripts/sdcBePy/common/healthCheck.py b/catalog-be/src/main/resources/scripts/sdcBePy/common/healthCheck.py
index a0acc90d44..8d63ef3d98 100644
--- a/catalog-be/src/main/resources/scripts/sdcBePy/common/healthCheck.py
+++ b/catalog-be/src/main/resources/scripts/sdcBePy/common/healthCheck.py
@@ -12,9 +12,9 @@ from sdcBePy.common.sdcBeProxy import SdcBeProxy
 colors = BColors()
-def check_backend(sdc_be_proxy=None, reply_append_count=1, be_host=None, be_port=None, header=None, scheme=None, debug=False):
+def check_backend(sdc_be_proxy=None, reply_append_count=1, be_host=None, be_port=None, header=None, scheme=None, debug=False, ca_cert=None, tls_cert=None, tls_key=None, tls_key_pw=None):
 if sdc_be_proxy is None:
- sdc_be_proxy = SdcBeProxy(be_host, be_port, header, scheme, debug=debug)
+ sdc_be_proxy = SdcBeProxy(be_host, be_port, header, scheme, tls_cert, tls_key, tls_key_pw, ca_cert, debug=debug)
 for i in range(1, reply_append_count + 1):
 if sdc_be_proxy.check_backend() == 200:
@@ -28,9 +28,9 @@ def check_backend(sdc_be_proxy=None, reply_append_count=1, be_host=None, be_port
 return False
-def run(be_host, be_port, header, protocol):
+def run(be_host, be_port, header, protocol, tls_key, tls_cert, tls_key_pw, ca_cert):
 if not check_backend(reply_append_count=properties.retry_attempts, be_host=be_host,
- be_port=be_port, header=header, scheme=protocol):
+ be_port=be_port, header=header, scheme=protocol, ca_cert=ca_cert, tls_cert=tls_cert, tls_key=tls_key, tls_key_pw=tls_key_pw):
 print('[ERROR]: ' + time.strftime('%Y/%m/%d %H:%M:%S') + colors.FAIL + ' Backend is DOWN :-(' + colors.END_C)
 sys.exit()
@@ -42,11 +42,15 @@ def get_args():
 parser.add_argument('-p', '--port', required=True)
 parser.add_argument('--header')
 parser.add_argument('--https', action='store_true')
+ parser.add_argument('--tls_key')
+ parser.add_argument('--tls_cert')
+ parser.add_argument('--tls_key_pw')
+ parser.add_argument('--ca_cert')
 args = parser.parse_args()
 init_properties(10, 10)
- return [args.ip, args.port, args.header, 'https' if args.https else 'http']
+ return [args.ip, args.port, args.header, 'https' if args.https else 'http', args.tls_key, args.tls_cert, args.tls_key_pw, args.ca_cert]
 def main():
diff --git a/catalog-be/src/main/resources/scripts/sdcBePy/common/normative/toscaElements.py b/catalog-be/src/main/resources/scripts/sdcBePy/common/normative/toscaElements.py
index ef23e3ff6d..50f4be2ee6 100644
--- a/catalog-be/src/main/resources/scripts/sdcBePy/common/normative/toscaElements.py
+++ b/catalog-be/src/main/resources/scripts/sdcBePy/common/normative/toscaElements.py
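Review bot: `run` and the `get_args` return list here put the key before the certificate (`tls_key, tls_cert, tls_key_pw, ca_cert`), while `SdcBeProxy`, `be_consumers_init`, `be_user_init` and users/run.py's `get_args` in this same commit all use `tls_cert, tls_key, ...`; consumers/run.py's `main` apparently unpacks in one order and calls in the other, and since both values are file paths a transposition is not caught until libcurl fails to load the key. Using the cert-first order here as well, `def run(be_host, be_port, header, protocol, tls_cert, tls_key, tls_key_pw, ca_cert):` and `return [..., args.tls_cert, args.tls_key, args.tls_key_pw, args.ca_cert]`, then adjusting the consumers/run.py unpacking, removes the manual reorder. The four new options also carry no `help=` text, and `--tls_key_pw` is a secret accepted from argv; the same parser additions appear in tosca/main.py and users/run.py, so if the recipes move the password off the command line these parsers should gain an environment-variable fallback (for example `default=os.environ.get('<ENV_VAR_NAME>')` with a name agreed with the recipe). `run`'s caller in `main` is outside the hunk.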
@@ -9,11 +9,12 @@ from sdcBePy.common.errors import ResourceCreationError
 def process_and_create_normative_element(normative_element,
- scheme=None, be_host=None, be_port=None, header=None, admin_user=None, sdc_be_proxy=None,
+ scheme=None, be_host=None, be_port=None, header=None, admin_user=None,
+ tls_cert=None, tls_key=None, tls_key_pw=None, ca_cert=None, sdc_be_proxy=None,
 model=None, debug=False, exit_on_success=False):
 if sdc_be_proxy is None:
- sdc_be_proxy = SdcBeProxy(be_host, be_port, header, scheme, admin_user, debug=debug)
+ sdc_be_proxy = SdcBeProxy(be_host, be_port, header, scheme, tls_cert, tls_key, tls_key_pw, ca_cert, admin_user, debug=debug)
 file_dir, url_suffix, element_name, element_from_name, with_metadata = normative_element.get_parameters()
 _create_normative_element(sdc_be_proxy,
diff --git a/catalog-be/src/main/resources/scripts/sdcBePy/common/normative/toscaTypes.py b/catalog-be/src/main/resources/scripts/sdcBePy/common/normative/toscaTypes.py
index fecc88a320..83b4a913c5 100644
--- a/catalog-be/src/main/resources/scripts/sdcBePy/common/normative/toscaTypes.py
+++ b/catalog-be/src/main/resources/scripts/sdcBePy/common/normative/toscaTypes.py
@@ -9,13 +9,14 @@ from sdcBePy.common.sdcBeProxy import SdcBeProxy
 def process_and_create_normative_types(normative_type,
- scheme=None, be_host=None, be_port=None, header=None, admin_user=None,
+ scheme=None, be_host=None, be_port=None, header=None,
+ tls_cert=None, tls_key=None, tls_key_pw=None, ca_cert=None, admin_user=None,
 sdc_be_proxy=None, update_version=False, debug=False, exit_on_success=False):
 if sdc_be_proxy is None:
- sdc_be_proxy = SdcBeProxy(be_host, be_port, header, scheme, admin_user, debug=debug)
+ sdc_be_proxy = SdcBeProxy(be_host, be_port, header, scheme, tls_cert, tls_key, tls_key_pw, ca_cert, admin_user, debug=debug)
 file_dir, normative_type_list = normative_type.get_parameters()
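Review bot: In `process_and_create_normative_types` the four TLS parameters are inserted between `header` and `admin_user`, whereas `process_and_create_normative_element` in the toscaElements.py hunk above inserts them after `admin_user`, and the positional callers in runGenericNormative.py and runNormativeType.py pass `candidate, scheme, be_host, be_port, admin_user, tls_cert, ...`, which binds the value named `admin_user` to the `header` slot and leaves `admin_user` at None, so `SdcBeProxy` is built with `user_id=None` and its not-None check raises AttributeError. The pre-change calls already had this shape, so the `except AttributeError` in those scripts may be masking it, but the longer positional lists make the misalignment easier to reintroduce. Passing the new values by keyword at all four run*.py call sites, `tls_cert=tls_cert, tls_key=tls_key, tls_key_pw=tls_key_pw, ca_cert=ca_cert`, removes the dependence on insertion position, and placing the TLS parameters after `admin_user` in both sibling signatures keeps them consistent. Both function bodies continue outside the hunks.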
diff --git a/catalog-be/src/main/resources/scripts/sdcBePy/common/sdcBeProxy.py b/catalog-be/src/main/resources/scripts/sdcBePy/common/sdcBeProxy.py
index ecd07264b4..2a1d310010 100755
--- a/catalog-be/src/main/resources/scripts/sdcBePy/common/sdcBeProxy.py
+++ b/catalog-be/src/main/resources/scripts/sdcBePy/common/sdcBeProxy.py
@@ -14,13 +14,13 @@ class SdcBeProxy:
 BODY_SEPARATOR = "\r\n\r\n"
 CHARTSET = 'UTF-8'
- def __init__(self, be_ip, be_port, header, scheme, user_id="jh0003",
+ def __init__(self, be_ip, be_port, header, scheme, tls_cert, tls_key, tls_key_pw, ca_cert, user_id="jh0003",
 debug=False, connector=None):
 if not check_arguments_not_none(be_ip, be_port, scheme, user_id):
 raise AttributeError("The be_host, be_port, scheme or admin_user are missing")
 url = get_url(be_ip, be_port, scheme)
 self.con = connector if connector \
- else CurlConnector(url, user_id, header, protocol=scheme, debug=debug)
+ else CurlConnector(url, user_id, header, tls_cert, tls_key, tls_key_pw, ca_cert, protocol=scheme, debug=debug)
 def check_backend(self):
 return self.con.get('/sdc2/rest/v1/user/jh0003')
@@ -75,9 +75,13 @@ class CurlConnector:
 CONTENT_TYPE_HEADER = "Content-Type: application/json"
 ACCEPT_HEADER = "Accept: application/json; charset=UTF-8"
- def __init__(self, url, user_id_header, header, buffer=None, protocol="http", debug=False):
+ def __init__(self, url, user_id_header, header, tls_cert, tls_key, tls_key_pw, ca_cert, buffer=None, protocol="http", debug=False):
 self.__debug = debug
 self.__protocol = protocol
+ self.__tls_cert = tls_cert
+ self.__tls_key = tls_key
+ self.__tls_key_pw = tls_key_pw
+ self.__ca_cert = ca_cert
 self.c = self.__build_default_curl()
 self.user_header = "USER_ID: " + user_id_header
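Review bot: `SdcBeProxy.__init__` and `CurlConnector.__init__` gain `tls_cert, tls_key, tls_key_pw, ca_cert` as required positional parameters inserted ahead of `user_id` and `buffer`, so every caller must now supply four values (mostly None) in a fixed order, and two adjacent file-path parameters can be transposed without any error at construction time. Since None is already the effective "not configured" value, keyword parameters with defaults placed after the existing ones would keep old callers working and make call sites self-describing: `def __init__(self, be_ip, be_port, header, scheme, user_id="jh0003", debug=False, connector=None, tls_cert=None, tls_key=None, tls_key_pw=None, ca_cert=None):`, with the same treatment for CurlConnector and the callers in healthCheck.py, toscaElements.py, toscaTypes.py, consumers/run.py, users/run.py and tosca/main.py passing them by keyword. The new attributes in CurlConnector would also be worth a one-line comment each stating they are file paths (or a password string) handed unchanged to libcurl. Both class bodies continue outside the hunks.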
@@ -172,6 +176,15 @@ class CurlConnector:
 if self.__protocol == 'https':
 curl.setopt(pycurl.SSL_VERIFYPEER, 0)
 curl.setopt(pycurl.SSL_VERIFYHOST, 0)
+ if self.__tls_cert is not None and self.__tls_key is not None:
+ curl.setopt(curl.SSLCERT, self.__tls_cert)
+ curl.setopt(curl.SSLKEY, self.__tls_key)
+ if self.__tls_key_pw is not None:
+ curl.setopt(curl.KEYPASSWD, self.__tls_key_pw)
+ if self.__ca_cert is not None:
+ curl.setopt(pycurl.SSL_VERIFYPEER, 1)
+ curl.setopt(pycurl.SSL_VERIFYHOST, 2)
+ curl.setopt(curl.CAINFO, self.__ca_cert)
 curl.setopt(pycurl.HEADER, True)
 return curl
diff --git a/catalog-be/src/main/resources/scripts/sdcBePy/consumers/run.py b/catalog-be/src/main/resources/scripts/sdcBePy/consumers/run.py
index 8ea1d1cf64..6f5cbe76d0 100644
--- a/catalog-be/src/main/resources/scripts/sdcBePy/consumers/run.py
+++ b/catalog-be/src/main/resources/scripts/sdcBePy/consumers/run.py
@@ -7,8 +7,8 @@ from sdcBePy.consumers.models.consumerCandidateList import get_consumers
 from sdcBePy.users.run import colors
-def be_consumers_init(be_ip, be_port, header, protocol, consumer_candidate_list):
- sdc_be_proxy = SdcBeProxy(be_ip, be_port, header, protocol)
+def be_consumers_init(be_ip, be_port, header, protocol, tls_cert, tls_key, tls_key_pw, ca_cert, consumer_candidate_list):
+ sdc_be_proxy = SdcBeProxy(be_ip, be_port, header, protocol, tls_cert, tls_key, tls_key_pw, ca_cert)
 if check_backend(sdc_be_proxy, properties.retry_attempts):
 for consumer in consumer_candidate_list:
 if sdc_be_proxy.check_user(consumer.consumer_name) != 200:
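Review bot: Server verification stays disabled unless `--ca_cert` is supplied: the `SSL_VERIFYPEER, 0` and `SSL_VERIFYHOST, 0` context lines still run first and the added block only turns verification back on inside `if self.__ca_cert is not None`, so a deployment that configures a client certificate and key but omits the CA file authenticates itself to, and sends the USER_ID header and request bodies to, an unverified peer with no warning. libcurl verifies against its built-in CA bundle when CAINFO is unset, so the safer shape is to enable verification whenever the scheme is https and treat CAINFO purely as a bundle override, with any opt-out made explicit through a constructor parameter (plumbed through `CurlConnector.__init__`, not shown below) rather than implied by a missing path. The block also silently drops both `SSLCERT` and `SSLKEY` when only one of `tls_cert`/`tls_key` is set, which surfaces later as an opaque handshake or 401 error; a paired check up front is cheaper to diagnose. Minor: the block mixes `curl.SSLCERT` with `pycurl.SSL_VERIFYPEER`; both spellings resolve in pycurl, but one form reads better. `__build_default_curl` starts outside the hunk.
```python
        if self.__protocol == 'https':
            # Verify the server by default; CAINFO only swaps the CA bundle.
            # Any opt-out should be an explicit constructor flag, not a missing path.
            curl.setopt(pycurl.SSL_VERIFYPEER, 1)
            curl.setopt(pycurl.SSL_VERIFYHOST, 2)
            if self.__ca_cert is not None:
                curl.setopt(pycurl.CAINFO, self.__ca_cert)
            # A client certificate without its key (or vice versa) is a misconfiguration.
            if (self.__tls_cert is None) != (self.__tls_key is None):
                raise ValueError("tls_cert and tls_key must be given together")
            if self.__tls_cert is not None:
                curl.setopt(pycurl.SSLCERT, self.__tls_cert)
                curl.setopt(pycurl.SSLKEY, self.__tls_key)
                if self.__tls_key_pw is not None:
                    curl.setopt(pycurl.KEYPASSWD, self.__tls_key_pw)
        # … unchanged: HEADER option and return …
```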
@@ -28,8 +28,8 @@ def be_consumers_init(be_ip, be_port, header, protocol, consumer_candidate_list)
 def main():
- be_ip, be_port, header, protocol = get_args()
- be_consumers_init(be_ip, be_port, header, protocol, get_consumers())
+ be_ip, be_port, header, protocol, tls_key, tls_cert, tls_key_pw, ca_cert = get_args()
+ be_consumers_init(be_ip, be_port, header, protocol, tls_cert, tls_key, tls_key_pw, ca_cert, get_consumers())
 if __name__ == '__main__':
diff --git a/catalog-be/src/main/resources/scripts/sdcBePy/tosca/imports/runGenericNormative.py b/catalog-be/src/main/resources/scripts/sdcBePy/tosca/imports/runGenericNormative.py
index 424c0ca7c5..1353486bc2 100644
--- a/catalog-be/src/main/resources/scripts/sdcBePy/tosca/imports/runGenericNormative.py
+++ b/catalog-be/src/main/resources/scripts/sdcBePy/tosca/imports/runGenericNormative.py
@@ -20,12 +20,12 @@ def get_normative_prams():
 def main():
- scheme, be_host, be_port, admin_user, _, debug = get_args()
+ scheme, be_host, be_port, admin_user, _, debug, tls_cert, tls_key, tls_key_pw, ca_cert = get_args()
 candidate = NormativeTypeCandidate(*get_normative_prams())
 try:
 process_and_create_normative_types(candidate,
- scheme, be_host, be_port, admin_user,
+ scheme, be_host, be_port, admin_user, tls_cert, tls_key, tls_key_pw, ca_cert,
 debug=debug, exit_on_success=True)
 except AttributeError:
diff --git a/catalog-be/src/main/resources/scripts/sdcBePy/tosca/imports/runNormativeElement.py b/catalog-be/src/main/resources/scripts/sdcBePy/tosca/imports/runNormativeElement.py
index ce5eca427a..81434a19cc 100644
--- a/catalog-be/src/main/resources/scripts/sdcBePy/tosca/imports/runNormativeElement.py
+++ b/catalog-be/src/main/resources/scripts/sdcBePy/tosca/imports/runNormativeElement.py
@@ -9,10 +9,10 @@ from sdcBePy.tosca.models.normativeElementsList import get_capability, get_data,
 def run(candidate):
- scheme, be_host, be_port, header, admin_user, _, debug = get_args()
+ scheme, be_host, be_port, header, admin_user, _, debug, tls_cert, tls_key, tls_key_pw, ca_cert = get_args()
 try:
 process_and_create_normative_element(candidate,
- scheme, be_host, be_port, header, admin_user,
+ scheme, be_host, be_port, header, admin_user, tls_cert, tls_key, tls_key_pw, ca_cert,
 debug=debug, exit_on_success=True)
 except AttributeError:
diff --git a/catalog-be/src/main/resources/scripts/sdcBePy/tosca/imports/runNormativeType.py b/catalog-be/src/main/resources/scripts/sdcBePy/tosca/imports/runNormativeType.py
index c2493b522d..b5e2f34928 100644
--- a/catalog-be/src/main/resources/scripts/sdcBePy/tosca/imports/runNormativeType.py
+++ b/catalog-be/src/main/resources/scripts/sdcBePy/tosca/imports/runNormativeType.py
@@ -8,13 +8,14 @@ from sdcBePy.tosca.models.normativeTypesList import get_normative, get_heat, get
 def run(candidate, exit_on_success=True):
- scheme, be_host, be_port, admin_user, update_version, debug = get_args()
+ scheme, be_host, be_port, admin_user, update_version, debug, tls_cert, tls_key, tls_key_pw, ca_cert = get_args()
 try:
 process_and_create_normative_types(candidate,
 scheme, be_host, be_port, admin_user,
+ tls_cert, tls_key, tls_key_pw, ca_cert,
 update_version=update_version,
 debug=debug,
 exit_on_success=exit_on_success)
diff --git a/catalog-be/src/main/resources/scripts/sdcBePy/tosca/main.py b/catalog-be/src/main/resources/scripts/sdcBePy/tosca/main.py
index b3cf8828ca..edd6496970 100644
--- a/catalog-be/src/main/resources/scripts/sdcBePy/tosca/main.py
+++ b/catalog-be/src/main/resources/scripts/sdcBePy/tosca/main.py
@@ -33,18 +33,22 @@ def parse_param():
 parser.add_argument('--https', action='store_true')
 parser.add_argument('--updateVersion', action='store_false')
 parser.add_argument('--debug', action='store_true')
+ parser.add_argument('--tls_cert')
+ parser.add_argument('--tls_key')
+ parser.add_argument('--tls_key_pw')
+ parser.add_argument('--ca_cert')
 args, _ = parser.parse_known_args()
 return [args.conf, 'https' if args.https else 'http', args.ip, args.port, args.header, args.adminUser, args.updateVersion,
- args.debug]
+ args.debug, args.tls_cert, args.tls_key, args.tls_key_pw, args.ca_cert]
 def get_args():
 print('Number of arguments:', len(sys.argv), 'arguments.')
- conf_path, scheme, be_host, be_port, header, admin_user, update_version, debug = parse_param()
+ conf_path, scheme, be_host, be_port, header, admin_user, update_version, debug, tls_cert, tls_key, tls_key_pw, ca_cert = parse_param()
 defaults = load_be_config(conf_path)
 # Use defaults if param not provided by the user
@@ -63,18 +67,18 @@ def get_args():
 ', debug =', debug, ', update_version =', update_version)
 init_properties(defaults["retryTime"], defaults["retryAttempt"], defaults["resourceLen"])
- return scheme, be_host, be_port, header, admin_user, update_version, debug
+ return scheme, be_host, be_port, header, admin_user, update_version, debug, tls_cert, tls_key, tls_key_pw, ca_cert
 def parse_and_create_proxy():
- scheme, be_host, be_port, header, admin_user, update_version, debug = get_args()
+ scheme, be_host, be_port, header, admin_user, update_version, debug, tls_cert, tls_key, tls_key_pw, ca_cert = get_args()
 if debug is False:
 print('Disabling debug mode')
 logger.debugFlag = debug
 try:
- sdc_be_proxy = SdcBeProxy(be_host, be_port, header, scheme, admin_user, debug=debug)
+ sdc_be_proxy = SdcBeProxy(be_host, be_port, header, scheme, tls_cert, tls_key, tls_key_pw, ca_cert, admin_user, debug=debug)
 except AttributeError:
 usage()
 sys.exit(3)
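Review bot: `get_args` returns the four TLS values exactly as parsed, whereas the other parameters go through the `defaults = load_be_config(conf_path)` fallback that the elided middle of the function applies (per the `# Use defaults if param not provided by the user` comment); if the backend config file is meant to carry certificate paths they are silently ignored here, so either apply the same fallback to `tls_cert`, `tls_key` and `ca_cert` or state in a comment that TLS settings are command-line only. `parse_and_create_proxy` still maps the `AttributeError` raised by `SdcBeProxy` to `usage()`, which lies outside the hunk and presumably does not yet list `--tls_cert`, `--tls_key`, `--tls_key_pw` and `--ca_cert`; the four `add_argument` calls would also benefit from `help=` strings saying each value is a file path, and that `--tls_key_pw` is the passphrase for `--tls_key`. All three functions continue outside the hunks.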
diff --git a/catalog-be/src/main/resources/scripts/sdcBePy/users/run.py b/catalog-be/src/main/resources/scripts/sdcBePy/users/run.py
index 2dbd941cc3..35b9be77a3 100755
--- a/catalog-be/src/main/resources/scripts/sdcBePy/users/run.py
+++ b/catalog-be/src/main/resources/scripts/sdcBePy/users/run.py
@@ -19,8 +19,8 @@ def load_users(conf_path):
 return json.load(f)
-def be_user_init(be_ip, be_port, header, protocol, conf_path):
- sdc_be_proxy = SdcBeProxy(be_ip, be_port, header, protocol)
+def be_user_init(be_ip, be_port, header, protocol, conf_path, tls_cert, tls_key, tls_key_pw, ca_cert):
+ sdc_be_proxy = SdcBeProxy(be_ip, be_port, header, protocol, tls_cert, tls_key, tls_key_pw, ca_cert)
 if check_backend(sdc_be_proxy, properties.retry_attempts):
 users = load_users(conf_path)
 for user in users:
@@ -53,11 +53,15 @@ def get_args():
 parser.add_argument('--https', action='store_true')
 path = os.path.dirname(__file__)
 parser.add_argument('--conf', default=os.path.join(path, 'data', 'users.json'))
+ parser.add_argument('--tls_cert')
+ parser.add_argument('--tls_key')
+ parser.add_argument('--tls_key_pw')
+ parser.add_argument('--ca_cert')
 args = parser.parse_args()
 init_properties(10, 10)
- return [args.ip, args.port, args.header, 'https' if args.https else 'http', args.conf]
+ return [args.ip, args.port, args.header, 'https' if args.https else 'http', args.conf, args.tls_cert, args.tls_key, args.tls_key_pw, args.ca_cert]
 def main():