apps/netconf-topology/src/main/java/org/opendaylight/netconf/topology/spi/NetconfClientConfigurationBuilderFactoryImpl.java

   1 /*
   2  * Copyright (c) 2023 PANTHEON.tech, s.r.o. and others.  All rights reserved.
   3  *
   4  * This program and the accompanying materials are made available under the
   5  * terms of the Eclipse Public License v1.0 which accompanies this distribution,
   6  * and is available at http://www.eclipse.org/legal/epl-v10.html
   7  */
   8 package org.opendaylight.netconf.topology.spi;
   9
  10 import static java.util.Objects.requireNonNull;
  11
  12 import java.nio.charset.StandardCharsets;
  13 import java.security.GeneralSecurityException;
  14 import java.util.List;
  15 import javax.inject.Inject;
  16 import javax.inject.Singleton;
  17 import org.opendaylight.aaa.encrypt.AAAEncryptionService;
  18 import org.opendaylight.netconf.client.conf.NetconfClientConfiguration.NetconfClientProtocol;
  19 import org.opendaylight.netconf.client.conf.NetconfClientConfigurationBuilder;
  20 import org.opendaylight.netconf.client.mdsal.api.CredentialProvider;
  21 import org.opendaylight.netconf.client.mdsal.api.SslContextFactoryProvider;
  22 import org.opendaylight.netconf.shaded.sshd.client.ClientFactoryManager;
  23 import org.opendaylight.netconf.shaded.sshd.client.auth.pubkey.UserAuthPublicKeyFactory;
  24 import org.opendaylight.netconf.shaded.sshd.common.keyprovider.KeyIdentityProvider;
  25 import org.opendaylight.netconf.transport.api.UnsupportedConfigurationException;
  26 import org.opendaylight.netconf.transport.ssh.ClientFactoryManagerConfigurator;
  27 import org.opendaylight.netconf.transport.tls.FixedSslHandlerFactory;
  28 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev240208.password.grouping.password.type.CleartextPasswordBuilder;
  29 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.netconf.client.rev240208.netconf.client.initiate.stack.grouping.transport.ssh.ssh.SshClientParametersBuilder;
  30 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.netconf.client.rev240208.netconf.client.initiate.stack.grouping.transport.ssh.ssh.TcpClientParametersBuilder;
  31 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev240208.ssh.client.grouping.ClientIdentity;
  32 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev240208.ssh.client.grouping.ClientIdentityBuilder;
  33 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev240208.ssh.client.grouping.client.identity.PasswordBuilder;
  34 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev240120.connection.parameters.Protocol.Name;
  35 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev240120.credentials.Credentials;
  36 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev240120.credentials.credentials.KeyAuth;
  37 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev240120.credentials.credentials.LoginPw;
  38 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev240120.credentials.credentials.LoginPwUnencrypted;
  39 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.node.topology.rev231121.NetconfNode;
  40 import org.opendaylight.yang.gen.v1.urn.tbd.params.xml.ns.yang.network.topology.rev131021.NodeId;
  41 import org.osgi.service.component.annotations.Activate;
  42 import org.osgi.service.component.annotations.Component;
  43 import org.osgi.service.component.annotations.Reference;
  44
  45 /**
  46  * Default implementation of NetconfClientConfigurationBuildFactory.
  47  */
  48 @Component
  49 @Singleton
  50 public final class NetconfClientConfigurationBuilderFactoryImpl implements NetconfClientConfigurationBuilderFactory {
  51     private final SslContextFactoryProvider sslContextFactoryProvider;
  52     private final AAAEncryptionService encryptionService;
  53     private final CredentialProvider credentialProvider;
  54
  55     @Inject
  56     @Activate
  57     public NetconfClientConfigurationBuilderFactoryImpl(
  58             @Reference final AAAEncryptionService encryptionService,
  59             @Reference final CredentialProvider credentialProvider,
  60             @Reference final SslContextFactoryProvider sslHandlerContextProvider) {
  61         this.encryptionService = requireNonNull(encryptionService);
  62         this.credentialProvider = requireNonNull(credentialProvider);
  63         sslContextFactoryProvider = requireNonNull(sslHandlerContextProvider);
  64     }
  65
  66     @Override
  67     public NetconfClientConfigurationBuilder createClientConfigurationBuilder(final NodeId nodeId,
  68             final NetconfNode node) {
  69         final var builder = NetconfClientConfigurationBuilder.create();
  70         final var protocol = node.getProtocol();
  71         if (node.requireTcpOnly()) {
  72             builder.withProtocol(NetconfClientProtocol.TCP);
  73         } else if (protocol == null || protocol.getName() == Name.SSH) {
  74             builder.withProtocol(NetconfClientProtocol.SSH);
  75             setSshParametersFromCredentials(builder, node.getCredentials());
  76         } else if (protocol.getName() == Name.TLS) {
  77             final var handlerFactory = sslContextFactoryProvider.getSslContextFactory(protocol.getSpecification());
  78             final var sslContext = handlerFactory.createSslContext();
  79             builder.withProtocol(NetconfClientProtocol.TLS)
  80                 .withSslHandlerFactory(new FixedSslHandlerFactory(sslContext));
  81         } else {
  82             throw new IllegalArgumentException("Unsupported protocol type: " + protocol.getName());
  83         }
  84
  85         final var helloCapabilities = node.getOdlHelloMessageCapabilities();
  86         if (helloCapabilities != null) {
  87             builder.withOdlHelloCapabilities(List.copyOf(helloCapabilities.requireCapability()));
  88         }
  89
  90         return builder
  91             .withName(nodeId.getValue())
  92             .withTcpParameters(new TcpClientParametersBuilder()
  93                 .setRemoteAddress(node.requireHost())
  94                 .setRemotePort(node.requirePort()).build())
  95             .withConnectionTimeoutMillis(node.requireConnectionTimeoutMillis().toJava());
  96     }
  97
  98     private void setSshParametersFromCredentials(final NetconfClientConfigurationBuilder confBuilder,
  99             final Credentials credentials) {
 100         final var sshParamsBuilder = new SshClientParametersBuilder();
 101         if (credentials instanceof LoginPwUnencrypted unencrypted) {
 102             final var loginPassword = unencrypted.getLoginPasswordUnencrypted();
 103             sshParamsBuilder.setClientIdentity(loginPasswordIdentity(
 104                 loginPassword.getUsername(), loginPassword.getPassword()));
 105         } else if (credentials instanceof LoginPw loginPw) {
 106             final var loginPassword = loginPw.getLoginPassword();
 107             final var username = loginPassword.getUsername();
 108
 109             final byte[] plainBytes;
 110             try {
 111                 plainBytes = encryptionService.decrypt(loginPassword.getPassword());
 112             } catch (GeneralSecurityException e) {
 113                 throw new IllegalStateException("Failed to decrypt password", e);
 114             }
 115
 116             sshParamsBuilder.setClientIdentity(loginPasswordIdentity(username,
 117                 new String(plainBytes, StandardCharsets.UTF_8)));
 118         } else if (credentials instanceof KeyAuth keyAuth) {
 119             final var keyBased = keyAuth.getKeyBased();
 120             sshParamsBuilder.setClientIdentity(new ClientIdentityBuilder().setUsername(keyBased.getUsername()).build());
 121             confBuilder.withSshConfigurator(new ClientFactoryManagerConfigurator() {
 122                 @Override
 123                 protected void configureClientFactoryManager(final ClientFactoryManager factoryManager)
 124                         throws UnsupportedConfigurationException {
 125                     final var keyId = keyBased.getKeyId();
 126                     final var keyPair = credentialProvider.credentialForId(keyId);
 127                     if (keyPair == null) {
 128                         throw new IllegalArgumentException("No keypair found with keyId=" + keyId);
 129                     }
 130                     factoryManager.setKeyIdentityProvider(KeyIdentityProvider.wrapKeyPairs(keyPair));
 131                     final var factory = new UserAuthPublicKeyFactory();
 132                     factory.setSignatureFactories(factoryManager.getSignatureFactories());
 133                     factoryManager.setUserAuthFactories(List.of(factory));
 134                 }
 135             });
 136         } else {
 137             throw new IllegalArgumentException("Unsupported credential type: " + credentials.getClass());
 138         }
 139         confBuilder.withSshParameters(sshParamsBuilder.build());
 140     }
 141
 142     private static ClientIdentity loginPasswordIdentity(final String username, final String password) {
 143         return new ClientIdentityBuilder()
 144             .setUsername(requireNonNull(username, "username is undefined"))
 145             .setPassword(new PasswordBuilder()
 146                 .setPasswordType(new CleartextPasswordBuilder()
 147                     .setCleartextPassword(requireNonNull(password, "password is undefined"))
 148                     .build())
 149                 .build())
 150             .build();
 151     }
 152 }