2 * Copyright (c) 2023 PANTHEON.tech, s.r.o. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 package org.opendaylight.netconf.topology.spi;
10 import static java.util.Objects.requireNonNull;
12 import com.google.common.base.Strings;
13 import java.io.IOException;
14 import java.io.StringReader;
15 import java.security.KeyPair;
16 import java.util.List;
17 import javax.inject.Inject;
18 import javax.inject.Singleton;
19 import org.opendaylight.aaa.encrypt.AAAEncryptionService;
20 import org.opendaylight.aaa.encrypt.PKIUtil;
21 import org.opendaylight.netconf.client.conf.NetconfClientConfiguration.NetconfClientProtocol;
22 import org.opendaylight.netconf.client.conf.NetconfClientConfigurationBuilder;
23 import org.opendaylight.netconf.client.mdsal.api.CredentialProvider;
24 import org.opendaylight.netconf.client.mdsal.api.SslHandlerFactoryProvider;
25 import org.opendaylight.netconf.shaded.sshd.client.auth.pubkey.UserAuthPublicKeyFactory;
26 import org.opendaylight.netconf.shaded.sshd.common.keyprovider.KeyIdentityProvider;
27 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.password.grouping.password.type.CleartextPasswordBuilder;
28 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.netconf.client.rev230417.netconf.client.initiate.stack.grouping.transport.ssh.ssh.SshClientParametersBuilder;
29 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.netconf.client.rev230417.netconf.client.initiate.stack.grouping.transport.ssh.ssh.TcpClientParametersBuilder;
30 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.ssh.client.grouping.ClientIdentity;
31 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.ssh.client.grouping.ClientIdentityBuilder;
32 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.ssh.client.grouping.client.identity.PasswordBuilder;
33 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev231025.connection.parameters.Protocol.Name;
34 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev231025.credentials.Credentials;
35 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev231025.credentials.credentials.KeyAuth;
36 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev231025.credentials.credentials.LoginPw;
37 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev231025.credentials.credentials.LoginPwUnencrypted;
38 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.node.topology.rev221225.NetconfNode;
39 import org.opendaylight.yang.gen.v1.urn.tbd.params.xml.ns.yang.network.topology.rev131021.NodeId;
40 import org.osgi.service.component.annotations.Activate;
41 import org.osgi.service.component.annotations.Component;
42 import org.osgi.service.component.annotations.Reference;
45 * Default implementation of NetconfClientConfigurationBuildFactory.
49 public final class NetconfClientConfigurationBuilderFactoryImpl implements NetconfClientConfigurationBuilderFactory {
50 private final SslHandlerFactoryProvider sslHandlerFactoryProvider;
51 private final AAAEncryptionService encryptionService;
52 private final CredentialProvider credentialProvider;
56 public NetconfClientConfigurationBuilderFactoryImpl(
57 @Reference final AAAEncryptionService encryptionService,
58 @Reference final CredentialProvider credentialProvider,
59 @Reference final SslHandlerFactoryProvider sslHandlerFactoryProvider) {
60 this.encryptionService = requireNonNull(encryptionService);
61 this.credentialProvider = requireNonNull(credentialProvider);
62 this.sslHandlerFactoryProvider = requireNonNull(sslHandlerFactoryProvider);
66 public NetconfClientConfigurationBuilder createClientConfigurationBuilder(final NodeId nodeId,
67 final NetconfNode node) {
68 final var builder = NetconfClientConfigurationBuilder.create();
69 final var protocol = node.getProtocol();
70 if (node.requireTcpOnly()) {
71 builder.withProtocol(NetconfClientProtocol.TCP);
72 } else if (protocol == null || protocol.getName() == Name.SSH) {
73 builder.withProtocol(NetconfClientProtocol.SSH);
74 setSshParametersFromCredentials(builder, node.getCredentials());
75 } else if (protocol.getName() == Name.TLS) {
76 builder.withProtocol(NetconfClientProtocol.TLS).withSslHandlerFactory(
77 channel -> sslHandlerFactoryProvider.getSslHandlerFactory(protocol.getSpecification())
80 throw new IllegalArgumentException("Unsupported protocol type: " + protocol.getName());
83 final var helloCapabilities = node.getOdlHelloMessageCapabilities();
84 if (helloCapabilities != null) {
85 builder.withOdlHelloCapabilities(List.copyOf(helloCapabilities.requireCapability()));
89 .withName(nodeId.getValue())
90 .withTcpParameters(new TcpClientParametersBuilder()
91 .setRemoteAddress(node.requireHost())
92 .setRemotePort(node.requirePort()).build())
93 .withConnectionTimeoutMillis(node.requireConnectionTimeoutMillis().toJava());
96 private void setSshParametersFromCredentials(final NetconfClientConfigurationBuilder confBuilder,
97 final Credentials credentials) {
98 final var sshParamsBuilder = new SshClientParametersBuilder();
99 if (credentials instanceof LoginPwUnencrypted unencrypted) {
100 final var loginPassword = unencrypted.getLoginPasswordUnencrypted();
101 sshParamsBuilder.setClientIdentity(loginPasswordIdentity(
102 loginPassword.getUsername(), loginPassword.getPassword()));
103 } else if (credentials instanceof LoginPw loginPw) {
104 final var loginPassword = loginPw.getLoginPassword();
105 sshParamsBuilder.setClientIdentity(loginPasswordIdentity(
106 loginPassword.getUsername(), encryptionService.decrypt(loginPassword.getPassword())));
107 } else if (credentials instanceof KeyAuth keyAuth) {
108 final var keyBased = keyAuth.getKeyBased();
109 sshParamsBuilder.setClientIdentity(new ClientIdentityBuilder().setUsername(keyBased.getUsername()).build());
110 confBuilder.withSshConfigurator(factoryMgr -> {
111 final var keyPair = getKeyPair(keyBased.getKeyId());
112 factoryMgr.setKeyIdentityProvider(KeyIdentityProvider.wrapKeyPairs(keyPair));
113 final var factory = new UserAuthPublicKeyFactory();
114 factory.setSignatureFactories(factoryMgr.getSignatureFactories());
115 factoryMgr.setUserAuthFactories(List.of(factory));
118 throw new IllegalArgumentException("Unsupported credential type: " + credentials.getClass());
120 confBuilder.withSshParameters(sshParamsBuilder.build());
123 private static ClientIdentity loginPasswordIdentity(final String username, final String password) {
124 return new ClientIdentityBuilder()
125 .setUsername(requireNonNull(username, "username is undefined"))
126 .setPassword(new PasswordBuilder()
127 .setPasswordType(new CleartextPasswordBuilder()
128 .setCleartextPassword(requireNonNull(password, "password is undefined"))
134 private KeyPair getKeyPair(final String keyId) {
135 // public key retrieval logic taken from DatastoreBackedPublicKeyAuth
136 final var dsKeypair = credentialProvider.credentialForId(keyId);
137 if (dsKeypair == null) {
138 throw new IllegalArgumentException("No keypair found with keyId=" + keyId);
140 final var passPhrase = Strings.isNullOrEmpty(dsKeypair.getPassphrase()) ? "" : dsKeypair.getPassphrase();
142 return new PKIUtil().decodePrivateKey(
143 new StringReader(encryptionService.decrypt(dsKeypair.getPrivateKey()).replace("\\n", "\n")),
144 encryptionService.decrypt(passPhrase));
145 } catch (IOException e) {
146 throw new IllegalStateException("Could not decode private key with keyId=" + keyId, e);
Code Review / netconf.git / blob