2 * Copyright (c) 2023 PANTHEON.tech, s.r.o. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 package org.opendaylight.netconf.topology.spi;
10 import static java.util.Objects.requireNonNull;
12 import com.google.common.base.Strings;
13 import java.io.IOException;
14 import java.io.StringReader;
15 import java.security.KeyPair;
16 import java.util.List;
17 import javax.inject.Inject;
18 import javax.inject.Singleton;
19 import org.opendaylight.aaa.encrypt.AAAEncryptionService;
20 import org.opendaylight.aaa.encrypt.PKIUtil;
21 import org.opendaylight.netconf.client.conf.NetconfClientConfiguration.NetconfClientProtocol;
22 import org.opendaylight.netconf.client.conf.NetconfClientConfigurationBuilder;
23 import org.opendaylight.netconf.client.mdsal.api.CredentialProvider;
24 import org.opendaylight.netconf.client.mdsal.api.SslHandlerFactoryProvider;
25 import org.opendaylight.netconf.shaded.sshd.client.auth.pubkey.UserAuthPublicKeyFactory;
26 import org.opendaylight.netconf.shaded.sshd.common.keyprovider.KeyIdentityProvider;
27 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.password.grouping.password.type.CleartextPasswordBuilder;
28 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.netconf.client.rev230417.netconf.client.initiate.stack.grouping.transport.ssh.ssh.SshClientParametersBuilder;
29 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.netconf.client.rev230417.netconf.client.initiate.stack.grouping.transport.ssh.ssh.TcpClientParametersBuilder;
30 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.ssh.client.grouping.ClientIdentity;
31 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.ssh.client.grouping.ClientIdentityBuilder;
32 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.ssh.client.grouping.client.identity.PasswordBuilder;
33 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev231025.connection.parameters.Protocol.Name;
34 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev231025.credentials.Credentials;
35 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev231025.credentials.credentials.KeyAuth;
36 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev231025.credentials.credentials.LoginPw;
37 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev231025.credentials.credentials.LoginPwUnencrypted;
38 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.node.topology.rev221225.NetconfNode;
39 import org.opendaylight.yang.gen.v1.urn.tbd.params.xml.ns.yang.network.topology.rev131021.NodeId;
40 import org.osgi.service.component.annotations.Activate;
41 import org.osgi.service.component.annotations.Component;
42 import org.osgi.service.component.annotations.Reference;
45 * Default implementation of NetconfClientConfigurationBuildFactory.
47 @Component(service = NetconfClientConfigurationBuilderFactory.class, property = "type=default")
49 public final class NetconfClientConfigurationBuilderFactoryImpl implements NetconfClientConfigurationBuilderFactory {
50 private final SslHandlerFactoryProvider sslHandlerFactoryProvider;
51 private final AAAEncryptionService encryptionService;
52 private final CredentialProvider credentialProvider;
56 public NetconfClientConfigurationBuilderFactoryImpl(
57 @Reference final AAAEncryptionService encryptionService,
58 @Reference final CredentialProvider credentialProvider,
59 @Reference final SslHandlerFactoryProvider sslHandlerFactoryProvider) {
60 this.encryptionService = requireNonNull(encryptionService);
61 this.credentialProvider = requireNonNull(credentialProvider);
62 this.sslHandlerFactoryProvider = requireNonNull(sslHandlerFactoryProvider);
66 public NetconfClientConfigurationBuilder createClientConfigurationBuilder(final NodeId nodeId,
67 final NetconfNode node) {
68 final var builder = NetconfClientConfigurationBuilder.create();
69 final var protocol = node.getProtocol();
70 if (node.requireTcpOnly()) {
71 builder.withProtocol(NetconfClientProtocol.TCP);
72 } else if (protocol == null || protocol.getName() == Name.SSH) {
73 builder.withProtocol(NetconfClientProtocol.SSH);
74 setSshParametersFromCredentials(builder, node.getCredentials());
75 } else if (protocol.getName() == Name.TLS) {
76 builder.withProtocol(NetconfClientProtocol.TLS).withTransportSslHandlerFactory(channel -> {
77 final var sslHandlerBuilder =
78 sslHandlerFactoryProvider.getSslHandlerFactory(protocol.getSpecification());
79 return sslHandlerBuilder.createSslHandler();
82 throw new IllegalArgumentException("Unsupported protocol type: " + protocol.getName());
85 final var helloCapabilities = node.getOdlHelloMessageCapabilities();
86 if (helloCapabilities != null) {
87 builder.withOdlHelloCapabilities(List.copyOf(helloCapabilities.requireCapability()));
91 .withName(nodeId.getValue())
92 .withTcpParameters(new TcpClientParametersBuilder()
93 .setRemoteAddress(node.requireHost())
94 .setRemotePort(node.requirePort()).build())
95 .withConnectionTimeoutMillis(node.requireConnectionTimeoutMillis().toJava());
98 private void setSshParametersFromCredentials(final NetconfClientConfigurationBuilder confBuilder,
99 final Credentials credentials) {
100 final var sshParamsBuilder = new SshClientParametersBuilder();
101 if (credentials instanceof LoginPwUnencrypted unencrypted) {
102 final var loginPassword = unencrypted.getLoginPasswordUnencrypted();
103 sshParamsBuilder.setClientIdentity(loginPasswordIdentity(
104 loginPassword.getUsername(), loginPassword.getPassword()));
106 } else if (credentials instanceof LoginPw loginPw) {
107 final var loginPassword = loginPw.getLoginPassword();
108 sshParamsBuilder.setClientIdentity(loginPasswordIdentity(
109 loginPassword.getUsername(), encryptionService.decrypt(loginPassword.getPassword())));
111 } else if (credentials instanceof KeyAuth keyAuth) {
112 final var keyBased = keyAuth.getKeyBased();
113 sshParamsBuilder.setClientIdentity(new ClientIdentityBuilder().setUsername(keyBased.getUsername()).build());
114 confBuilder.withSshConfigurator(factoryMgr -> {
115 final var keyPair = getKeyPair(keyBased.getKeyId(), credentialProvider, encryptionService);
116 factoryMgr.setKeyIdentityProvider(KeyIdentityProvider.wrapKeyPairs(keyPair));
117 final var factory = new UserAuthPublicKeyFactory();
118 factory.setSignatureFactories(factoryMgr.getSignatureFactories());
119 factoryMgr.setUserAuthFactories(List.of(factory));
122 throw new IllegalArgumentException("Unsupported credential type: " + credentials.getClass());
124 confBuilder.withSshParameters(sshParamsBuilder.build());
127 private static ClientIdentity loginPasswordIdentity(final String username, final String password) {
128 requireNonNull(username, "username is undefined");
129 requireNonNull(password, "password is undefined");
130 return new ClientIdentityBuilder()
131 .setUsername(username)
132 .setPassword(new PasswordBuilder()
133 .setPasswordType(new CleartextPasswordBuilder().setCleartextPassword(password).build())
138 private static KeyPair getKeyPair(final String keyId,
139 final CredentialProvider credentialProvider, final AAAEncryptionService encryptionService) {
141 // public key retrieval logic taken from DatastoreBackedPublicKeyAuth
142 final var dsKeypair = credentialProvider.credentialForId(keyId);
143 if (dsKeypair == null) {
144 throw new IllegalArgumentException("No keypair found with keyId=" + keyId);
146 final var passPhrase = Strings.isNullOrEmpty(dsKeypair.getPassphrase()) ? "" : dsKeypair.getPassphrase();
148 return new PKIUtil().decodePrivateKey(
149 new StringReader(encryptionService.decrypt(dsKeypair.getPrivateKey()).replace("\\n", "\n")),
150 encryptionService.decrypt(passPhrase));
151 } catch (IOException e) {
152 throw new IllegalStateException("Could not decode private key with keyId=" + keyId, e);