*** Settings *** Documentation Test suite for Securing RESTCONF communication. ... Note this suite requires PycURLLibrary to handle client certificates. While Requests library is able ... to handle server certificates well, it lacks capabilities to deal with client certificates. ... TODO: Investigate the possibility to incorporate this into TemplatedRequests Suite Setup Init Suite Suite Teardown Cleanup Suite Library OperatingSystem Library RequestsLibrary Library PycURLLibrary Library SSHLibrary Resource ../../../libraries/ClusterManagement.robot Resource ../../../variables/Variables.robot Resource ../../../libraries/Utils.robot Resource ../../../libraries/KarafKeywords.robot Resource ../../../libraries/SSHKeywordsKeywords.robot *** Variables *** ${RESTCONF_MONITORING_URI} /restconf/operational/ietf-restconf-monitoring:restconf-state ${RESTCONF_MONITORING_URL} https://${ODL_SYSTEM_IP}:${RESTCONFPORT_TLS}${RESTCONF_MONITORING_URI} *** Test Cases *** Basic Unsecure Restconf Request [Documentation] Tests a basic HTTP request, just to ensure that system is working fine with normal, unsecure reqs Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH} headers=${HEADERS} ${resp} RequestsLibrary.Get Request session ${RESTCONF_MONITORING_URI} Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code} Delete All Sessions TLS on Restconf without Server Cert [Documentation] Tests an HTTPS request towards secure port with ODL secure config deactivated PycURLLibrary.Set Url ${RESTCONF_MONITORING_URL} PycURLLibrary.Add Header "Content-Type:application/json" PycURLLibrary.Add Header Authorization:Basic YWRtaW46YWRtaW4= PycURLLibrary.Request Method GET Run Keyword And Expect Error error: (7, 'Failed *${RESTCONFPORT_TLS}* Connection refused') PycURLLibrary.Perform PycURLLibrary.Log Response Activate TLS and Generate Server Certificate [Documentation] Generates a server certificate, self-signed and activates ODL secure configuration. Generate Server Self-Signed Certificate Enable TLS in ODL # Check ODL was restarted properly Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH} headers=${HEADERS} ${resp} RequestsLibrary.Get Request session ${RESTCONF_MONITORING_URI} Delete All Sessions Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code} TLS on Restconf with Server Cert (Self-signed) (insecure) [Documentation] Tests HTTPS request. Server certificate is self-signed, thus communication is insecure PycURLLibrary.Set Url ${RESTCONF_MONITORING_URL} PycURLLibrary.Add Header "Content-Type:application/json" PycURLLibrary.Add Header Authorization:Basic YWRtaW46YWRtaW4= PycURLLibrary.Request Method GET PycURLLibrary.Perform PycURLLibrary.Log Response PycURLLibrary.Response Status Should Contain 200 ${resp} PycURLLibrary.Response Should Contain ${resp} "restconf-state":{"capabilities":{"capability":["urn:ietf:params:restconf:capability:depth Activate Client Authentication and Generate Client Certificate [Documentation] Generates a client certificate and imports it into ODL truststore. ... Changes ODL config to require client authentication Generate Client Self-Signed Certificate Enable Client TLS Authentication in ODL # Check ODL was restarted properly Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH} headers=${HEADERS} ${resp} RequestsLibrary.Get Request session ${RESTCONF_MONITORING_URI} Delete All Sessions Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code} TLS on Restconf with Server & Client Certs (Self-signed) [Documentation] Test HTTPS request with ODL TLS config and client authentication by using certificate PycURLLibrary.Set Url ${RESTCONF_MONITORING_URL} PycURLLibrary.Add Header "Content-Type:application/json" PycURLLibrary.Add Header Authorization:Basic YWRtaW46YWRtaW4= PycURLLibrary.Client Certificate File ${USER_HOME}/clientcert.pem PycURLLibrary.Private Key File ${USER_HOME}/clientkey.pem PycURLLibrary.Request Method GET PycURLLibrary.Perform PycURLLibrary.Log Response PycURLLibrary.Response Status Should Contain 200 ${resp} PycURLLibrary.Response Should Contain ${resp} "restconf-state":{"capabilities":{"capability":["urn:ietf:params:restconf:capability:depth TLS on Restconf with Server & Client Certs (CA signed) [Documentation] Tests HTTPS request with ODL TLS config and client authentication by using CA signed certificates [Tags] exclude Restconf HTTPS/TLS Jolokia with server and client certificates CA signed [Documentation] Tests HTTPS request with ODL TLS config and client authentication by using CA signed certificates for Jolokia [Tags] exclude *** Keywords *** Log Certificates in Keystore [Documentation] Shows content of keystore ${output} Run Command On Remote System ${ODL_SYSTEM_IP} ${JAVA_HOME}/bin/keytool -list -storepass 123456 -keystore ${KEYSTORE_PATH} log ${output} Clean Up Certificates In Server [Documentation] Cleans keystore content (only for private keys and trusted certificates) Log Certificates in Keystore Run Command On Remote System ${ODL_SYSTEM_IP} ${JAVA_HOME}/bin/keytool -list -keystore ${KEYSTORE_PATH} -storepass 123456|egrep -e "(trustedCertEntry|PrivateKeyEntry)"|cut -d"," -f1|xargs -I[] ${JAVA_HOME}/bin/keytool -delete -alias [] -keystore ${KEYSTORE_PATH} -storepass 123456 Log Certificates in Keystore Generate Server Self-Signed Certificate [Documentation] Generates a self-signed certificate, stores it into keystore and restarts jetty to load changes ${KEYSTORE_DIR}= Split Path ${KEYSTORE_PATH} Run Command On Remote System ${ODL_SYSTEM_IP} mkdir -p ${KEYSTORE_DIR[0]} Log Certificates in Keystore # Generate with openssl Run Command On Remote System ${ODL_SYSTEM_IP} openssl req -x509 -newkey rsa:4096 -passout pass:myPass -keyout serverkey.pem -out servercert.pem -days 365 -subj "/C=ES/ST=Madrid/L=Madrid/O=OpenDayLight/OU=AAA/CN=OpenDayLight/emailAddress=unknown@unknown.com" # Convert to pkcs12 (including public and private key together) Run Command On Remote System ${ODL_SYSTEM_IP} openssl pkcs12 -export -in servercert.pem -inkey serverkey.pem -out server.p12 -name odl -passin pass:myPass -passout pass:myPass # Import Certifcate into keystore Run Command On Remote System ${ODL_SYSTEM_IP} ${JAVA_HOME}/bin/keytool -importkeystore -deststorepass 123456 -destkeypass myPass -destkeystore ${KEYSTORE_PATH} -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass myPass -alias odl Log Certificates in Keystore Restart Jetty Generate Client Self-Signed Certificate [Documentation] Generates a client self-signed certificate, stores it into the keystore (as trusted cert) and ... restarts jettty to load changes ${KEYSTORE_DIR}= Split Path ${KEYSTORE_PATH} Run Command On Remote System ${ODL_SYSTEM_IP} mkdir -p ${KEYSTORE_DIR[0]} Log Certificates in Keystore # Generate with openssl # Note -nodes is used to avoid passphrase in private key. Also -passout pass:myPass is skipped. This is due to a # limitation in pycurl library that does not support key pem files with passphrase in automatic mode (it asks for it) Run openssl req -x509 -newkey rsa:4096 -nodes -keyout ${USER_HOME}/clientkey.pem -out ${USER_HOME}/clientcert.pem -days 365 -subj "/C=ES/ST=Madrid/L=Madrid/O=OpenDayLight/OU=AAA/CN=MiguelAngelMunoz/emailAddress=myemail@unknown.com" # Import client's cert as trusted Copy File To Remote System ${ODL_SYSTEM_IP} ${USER_HOME}/clientcert.pem . Run Command On Remote System ${ODL_SYSTEM_IP} ${JAVA_HOME}/bin/keytool -import -trustcacerts -file clientcert.pem -keystore ${KEYSTORE_PATH} -storepass 123456 -noprompt Log Certificates in Keystore Restart Jetty Disable TLS in ODL [Documentation] Remove TLS configuration in custom.properties Run Command On Remote System ${ODL_SYSTEM_IP} sed -i '/org.osgi.service.http.secure.enabled=/d' ${CUSTOMPROP} Run Command On Remote System ${ODL_SYSTEM_IP} sed -i '/org.ops4j.pax.web.ssl.keystore=/d' ${CUSTOMPROP} Run Command On Remote System ${ODL_SYSTEM_IP} sed -i '/org.ops4j.pax.web.ssl.password=/d' ${CUSTOMPROP} Run Command On Remote System ${ODL_SYSTEM_IP} sed -i '/org.ops4j.pax.web.ssl.keypassword=/d' ${CUSTOMPROP} Run Command On Remote System ${ODL_SYSTEM_IP} sed -i '/org.ops4j.pax.web.ssl.clientauthneeded=/d' ${CUSTOMPROP} Restart Karaf Enable TLS in ODL [Documentation] Add new secure configuration in custom.properties Run Command On Remote System ${ODL_SYSTEM_IP} echo "org.osgi.service.http.secure.enabled=true">> ${CUSTOMPROP} Run Command On Remote System ${ODL_SYSTEM_IP} echo "org.ops4j.pax.web.ssl.keystore=${KEYSTORE_RELATIVE_PATH}">> ${CUSTOMPROP} Run Command On Remote System ${ODL_SYSTEM_IP} echo "org.ops4j.pax.web.ssl.password=myPass">> ${CUSTOMPROP} Run Command On Remote System ${ODL_SYSTEM_IP} echo "org.ops4j.pax.web.ssl.keypassword=123456">> ${CUSTOMPROP} Restart Karaf Enable Client TLS Authentication in ODL [Documentation] Add custom.properties configuration to enable client auth Run Command On Remote System ${ODL_SYSTEM_IP} echo "org.ops4j.pax.web.ssl.clientauthneeded=true">> ${CUSTOMPROP} Restart Karaf Init Suite [Documentation] Cleans TLS configuration and restart Karaf system to reload ClusterManagement_Setup Clean Up Certificates In Server Disable TLS in ODL Cleanup Suite [Documentation] Deletes pending sessions in case there were any Delete All Sessions