*** Settings ***
Documentation     Test suite for securing RESTCONF communication.
...               Note that this suite requires PycURLLibrary to handle client certificates. While the Requests library
...               handles server certificates well, it lacks the capabilities to deal with client certificates.
...               TODO: Investigate the possibility of incorporating this into TemplatedRequests.
Suite Teardown    Cleanup Suite
Library           OperatingSystem
Library           RequestsLibrary
Library           PycURLLibrary
Resource          ../../../libraries/ClusterManagement.robot
Resource          ../../../variables/Variables.robot
Resource          ../../../libraries/Utils.robot
Resource          ../../../libraries/KarafKeywords.robot

*** Variables ***
${RESTCONF_MONITORING_URI}    /restconf/operational/ietf-restconf-monitoring:restconf-state
${RESTCONF_MONITORING_URL}    https://${ODL_SYSTEM_IP}:${RESTCONFPORT_TLS}${RESTCONF_MONITORING_URI}

*** Test Cases ***
Basic Unsecure Restconf Request
    [Documentation]    Tests a basic HTTP request, just to ensure that the system works with normal, insecure requests.
    Create Session    session    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH}    headers=${HEADERS}
    ${resp}    RequestsLibrary.Get Request    session    ${RESTCONF_MONITORING_URI}
    Should Contain    ${ALLOWED_STATUS_CODES}    ${resp.status_code}

TLS on Restconf without Server Cert
    [Documentation]    Tests an HTTPS request towards the secure port with the ODL secure configuration deactivated.
    PycURLLibrary.Set Url    ${RESTCONF_MONITORING_URL}
    PycURLLibrary.Add Header    "Content-Type:application/json"
    PycURLLibrary.Add Header    Authorization:Basic YWRtaW46YWRtaW4=
    PycURLLibrary.Request Method    GET
    Run Keyword And Expect Error    error: (7, 'Failed *${RESTCONFPORT_TLS}* Connection refused')    PycURLLibrary.Perform
    PycURLLibrary.Log Response

Activate TLS and Generate Server Certificate
    [Documentation]    Generates a self-signed server certificate and activates the ODL secure configuration.
    Generate Server Self-Signed Certificate
    # Check ODL was restarted properly
    Create Session    session    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH}    headers=${HEADERS}
    ${resp}    RequestsLibrary.Get Request    session    ${RESTCONF_MONITORING_URI}
    Should Contain    ${ALLOWED_STATUS_CODES}    ${resp.status_code}

TLS on Restconf with Server Cert (Self-signed) (insecure)
    [Documentation]    Tests an HTTPS request. The server certificate is self-signed, thus the communication is insecure.
    PycURLLibrary.Set Url    ${RESTCONF_MONITORING_URL}
    PycURLLibrary.Add Header    "Content-Type:application/json"
    PycURLLibrary.Add Header    Authorization:Basic YWRtaW46YWRtaW4=
    PycURLLibrary.Request Method    GET
    PycURLLibrary.Perform
    PycURLLibrary.Log Response
    PycURLLibrary.Response Status Should Contain    200
    ${resp}    PycURLLibrary.Response
    Should Contain    ${resp}    "restconf-state":{"capabilities":{"capability":["urn:ietf:params:restconf:capability:depth

Activate Client Authentication and Generate Client Certificate
    [Documentation]    Generates a client certificate and imports it into the ODL truststore.
    ...    Changes the ODL config to require client authentication.
    Generate Client Self-Signed Certificate
    Enable Client TLS Authentication in ODL
    # Check ODL was restarted properly
    Create Session    session    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH}    headers=${HEADERS}
    ${resp}    RequestsLibrary.Get Request    session    ${RESTCONF_MONITORING_URI}
    Should Contain    ${ALLOWED_STATUS_CODES}    ${resp.status_code}

TLS on Restconf with Server & Client Certs (Self-signed)
    [Documentation]    Tests an HTTPS request with the ODL TLS config and client authentication using a client certificate.
    PycURLLibrary.Set Url    ${RESTCONF_MONITORING_URL}
    PycURLLibrary.Add Header    "Content-Type:application/json"
    PycURLLibrary.Add Header    Authorization:Basic YWRtaW46YWRtaW4=
    PycURLLibrary.Client Certificate File    ${USER_HOME}/clientcert.pem
    PycURLLibrary.Private Key File    ${USER_HOME}/clientkey.pem
    PycURLLibrary.Request Method    GET
    PycURLLibrary.Perform
    PycURLLibrary.Log Response
    PycURLLibrary.Response Status Should Contain    200
    ${resp}    PycURLLibrary.Response
    Should Contain    ${resp}    "restconf-state":{"capabilities":{"capability":["urn:ietf:params:restconf:capability:depth

TLS on Restconf with Server & Client Certs (CA signed)
    [Documentation]    Tests an HTTPS request with the ODL TLS config and client authentication using CA-signed certificates.

Restconf HTTPS/TLS Jolokia with server and client certificates CA signed
    [Documentation]    Tests an HTTPS request with the ODL TLS config and client authentication using CA-signed certificates for Jolokia.
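The client-authentication tests above rely on one property: once the server requires a client certificate, the TLS port answers only to a client that presents one the server trusts. As an added example (not part of this suite or of OpenDaylight), the following Python script, using only the standard library plus the openssl CLI on PATH, rebuilds that arrangement on the loopback interface: a self-signed server certificate, a self-signed client certificate imported as trusted, and a server set to require client authentication (the counterpart of clientauthneeded=true). The function names, the temporary certificate files and the "ok" payload are constructed for this example.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_selfsigned(dir_, name, cn):
    # Same shape as the suite's openssl step (-x509 -newkey -nodes); RSA 2048 keeps it quick.
    key, crt = os.path.join(dir_, f"{name}.key"), os.path.join(dir_, f"{name}.crt")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", key,
                    "-out", crt, "-days", "1", "-subj", f"/CN={cn}"], check=True, capture_output=True)
    return key, crt

def serve_once(srv, server_ctx):
    # Accept one connection and answer "ok" only if the handshake, including the client cert check, succeeds.
    conn, _ = srv.accept()
    try:
        with server_ctx.wrap_socket(conn, server_side=True) as tls:
            tls.recv(16)
            tls.sendall(b"ok")
    except OSError:
        pass  # handshake rejected, e.g. the client presented no certificate
    finally:
        conn.close()

def mtls_handshake(present_client_cert):
    # True when the client receives a response from a server that requires client authentication.
    with tempfile.TemporaryDirectory() as d:
        skey, scrt = make_selfsigned(d, "server", "localhost")
        ckey, ccrt = make_selfsigned(d, "client", "tester")
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(scrt, skey)
        server_ctx.verify_mode = ssl.CERT_REQUIRED   # counterpart of org.ops4j.pax.web.ssl.clientauthneeded=true
        server_ctx.load_verify_locations(ccrt)        # client cert trusted, like the suite's keytool -import step
        srv = socket.socket()
        srv.bind(("127.0.0.1", 0))                    # ephemeral loopback port
        srv.listen(1)
        t = threading.Thread(target=serve_once, args=(srv, server_ctx))
        t.start()
        client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        client_ctx.check_hostname = False             # self-signed server cert is pinned, not name-checked
        client_ctx.load_verify_locations(scrt)
        if present_client_cert:
            client_ctx.load_cert_chain(ccrt, ckey)    # the suite's Client Certificate File / Private Key File
        try:
            with socket.create_connection(srv.getsockname(), timeout=10) as raw, \
                    client_ctx.wrap_socket(raw) as tls:
                tls.sendall(b"GET")
                return tls.recv(16) == b"ok"
        except OSError:
            return False  # alert or reset from the server: no certificate, no response
        finally:
            t.join()
            srv.close()
```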
*** Keywords ***
Log Certificates in Keystore
    [Documentation]    Shows the content of the keystore.
    ${output}    Run Command On Remote System    ${ODL_SYSTEM_IP}    ${JAVA_HOME}/bin/keytool -list -storepass 123456 -keystore ${KEYSTORE_PATH}

Clean Up Certificates In Server
    [Documentation]    Cleans the keystore content (private key and trusted certificate entries only).
    Log Certificates in Keystore
    Run Command On Remote System    ${ODL_SYSTEM_IP}    ${JAVA_HOME}/bin/keytool -list -keystore ${KEYSTORE_PATH} -storepass 123456|egrep -e "(trustedCertEntry|PrivateKeyEntry)"|cut -d"," -f1|xargs -I[] ${JAVA_HOME}/bin/keytool -delete -alias [] -keystore ${KEYSTORE_PATH} -storepass 123456
    Log Certificates in Keystore

Generate Server Self-Signed Certificate
    [Documentation]    Generates a self-signed certificate, stores it in the keystore and restarts Jetty to load the changes.
    ${KEYSTORE_DIR}=    Split Path    ${KEYSTORE_PATH}
    Run Command On Remote System    ${ODL_SYSTEM_IP}    mkdir -p ${KEYSTORE_DIR[0]}
    Log Certificates in Keystore
    # Generate with openssl
    Run Command On Remote System    ${ODL_SYSTEM_IP}    openssl req -x509 -newkey rsa:4096 -passout pass:myPass -keyout serverkey.pem -out servercert.pem -days 365 -subj "/C=ES/ST=Madrid/L=Madrid/O=OpenDayLight/OU=AAA/CN=OpenDayLight/emailAddress=unknown@unknown.com"
    # Convert to PKCS12 (bundling the certificate and private key together)
    Run Command On Remote System    ${ODL_SYSTEM_IP}    openssl pkcs12 -export -in servercert.pem -inkey serverkey.pem -out server.p12 -name odl -passin pass:myPass -passout pass:myPass
    # Import the certificate into the keystore
    Run Command On Remote System    ${ODL_SYSTEM_IP}    ${JAVA_HOME}/bin/keytool -importkeystore -deststorepass 123456 -destkeypass myPass -destkeystore ${KEYSTORE_PATH} -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass myPass -alias odl
    Log Certificates in Keystore

Generate Client Self-Signed Certificate
    [Documentation]    Generates a client self-signed certificate, stores it in the keystore (as a trusted cert) and
    ...    restarts Jetty to load the changes.
    ${KEYSTORE_DIR}=    Split Path    ${KEYSTORE_PATH}
    Run Command On Remote System    ${ODL_SYSTEM_IP}    mkdir -p ${KEYSTORE_DIR[0]}
    Log Certificates in Keystore
    # Generate with openssl
    # Note: -nodes is used to avoid a passphrase on the private key, and -passout pass:myPass is skipped. This is due to a
    # limitation in the pycurl library, which does not support PEM key files with a passphrase in automatic mode (it prompts for it).
    Run    openssl req -x509 -newkey rsa:4096 -nodes -keyout ${USER_HOME}/clientkey.pem -out ${USER_HOME}/clientcert.pem -days 365 -subj "/C=ES/ST=Madrid/L=Madrid/O=OpenDayLight/OU=AAA/CN=MiguelAngelMunoz/emailAddress=myemail@unknown.com"
    # Import the client's cert as trusted
    Copy File To Remote System    ${ODL_SYSTEM_IP}    ${USER_HOME}/clientcert.pem    .
    Run Command On Remote System    ${ODL_SYSTEM_IP}    ${JAVA_HOME}/bin/keytool -import -trustcacerts -file clientcert.pem -keystore ${KEYSTORE_PATH} -storepass 123456 -noprompt
    Log Certificates in Keystore

# [keyword name missing]
    [Documentation]    Removes the TLS configuration from custom.properties.
    Run Command On Remote System    ${ODL_SYSTEM_IP}    sed -i '/org.osgi.service.http.secure.enabled=/d' ${CUSTOMPROP}
    Run Command On Remote System    ${ODL_SYSTEM_IP}    sed -i '/org.ops4j.pax.web.ssl.keystore=/d' ${CUSTOMPROP}
    Run Command On Remote System    ${ODL_SYSTEM_IP}    sed -i '/org.ops4j.pax.web.ssl.password=/d' ${CUSTOMPROP}
    Run Command On Remote System    ${ODL_SYSTEM_IP}    sed -i '/org.ops4j.pax.web.ssl.keypassword=/d' ${CUSTOMPROP}
    Run Command On Remote System    ${ODL_SYSTEM_IP}    sed -i '/org.ops4j.pax.web.ssl.clientauthneeded=/d' ${CUSTOMPROP}

# [keyword name missing]
    [Documentation]    Adds the new secure configuration to custom.properties.
    Run Command On Remote System    ${ODL_SYSTEM_IP}    echo "org.osgi.service.http.secure.enabled=true">> ${CUSTOMPROP}
    Run Command On Remote System    ${ODL_SYSTEM_IP}    echo "org.ops4j.pax.web.ssl.keystore=${KEYSTORE_RELATIVE_PATH}">> ${CUSTOMPROP}
    Run Command On Remote System    ${ODL_SYSTEM_IP}    echo "org.ops4j.pax.web.ssl.password=myPass">> ${CUSTOMPROP}
    Run Command On Remote System    ${ODL_SYSTEM_IP}    echo "org.ops4j.pax.web.ssl.keypassword=123456">> ${CUSTOMPROP}

Enable Client TLS Authentication in ODL
    [Documentation]    Adds the custom.properties configuration that enables client authentication.
    Run Command On Remote System    ${ODL_SYSTEM_IP}    echo "org.ops4j.pax.web.ssl.clientauthneeded=true">> ${CUSTOMPROP}

# [keyword name missing]
    [Documentation]    Cleans the TLS configuration and restarts the Karaf system to reload it.
    ClusterManagement_Setup
    Clean Up Certificates In Server

# [keyword name missing]
    [Documentation]    Deletes pending sessions, in case there were any.