def __init__(self, pol_archive_path, env_archive_path, config_path, cert_config_path=None, properties=None, passphrase="", confidentials=None): self.__cert_config = None self.__simulation_mode = False self.__update_cert_config = False self.__expiration_days = -1 self.__base_dirs = None self.__passphrase_in = passphrase self.__pol_archive = PolicyArchive(pol_archive_path) self.__env_archive = EnvironmentArchive(env_archive_path) self.__fed_archive = None try: self.__fed_archive = DeploymentArchive(self.__pol_archive, self.__env_archive, self.__passphrase_in) except TypeError: # backward compatibility for 7.5.3 self.__fed_archive = DeploymentArchive(self.__pol_archive, self.__env_archive) self.__config = EnvConfig(config_path, properties, confidentials) if cert_config_path is not None: self.__cert_config = CertConfig(cert_config_path, properties, confidentials) logging.info("Deployment archive configuration initialized") return
def _mergePolAndEnvToFed(): if os.path.exists(options.polFile) and os.path.exists(options.envFile): print("Merging POL and ENV to make a FED") stagingPol = PolicyArchive(options.polFile) stagingEnv = EnvironmentArchive(options.envFile) mergedArchive = DeploymentArchive(stagingPol, stagingEnv) outFile = os.path.join(os.path.dirname(options.polFile), "fed.fed") mergedArchive.writeToArchiveFile(outFile) options.fedFile = outFile
def _getProductAndFedVersion(): try: newArchive = DeploymentArchive(options.fedFile) es = EntityStoreAPI.wrap(newArchive.getEntityStore(), passphrases[ES_PASSPHRASE]) productKey = es.getProductKey() fedVersion = es.getVersion() es.close() return productKey, fedVersion except (Exception, Throwable), e: _fail("Error reading the FED: %s" % e)
def _getProductAndFedVersion(): try: if os.path.exists(options.fedFile): newArchive = DeploymentArchive(options.fedFile) es = EntityStoreAPI.wrap(newArchive.getEntityStore(), passphrases[ES_PASSPHRASE]) else: es = EntityStoreAPI.create( "file:///%s/conf/fed/PrimaryStore.xml" % DISTDIR, passphrases[ES_PASSPHRASE], {"strictImportSchema": "false"}) productKey = es.getProductKey() fedVersion = es.getVersion() es.close() return productKey, fedVersion except (Exception, Throwable), e: _fail("Error reading the FED: %s" % e)
def _setupApiManager(): if options.setupApimgr: try: # Add API Manager configuration to factory FED archive = DeploymentArchive(FACTORY_FED_FILE) config = ApiManagerConfig() config.adminPassword = "******" es, archive = config.loadAPIManagerConfiguration(archive) # Default Cassandra host is '${environment.CASS_HOST}'. This can be overridden # by comma-separated list of hosts in env variable APIMGR_CASS_HOSTS. cassHosts = os.environ.get("APIMGR_CASS_HOSTS", "${environment.CASS_HOST}").strip() if len(cassHosts) == 0: cassHosts = "${environment.CASS_HOST}" for i, s in enumerate(cassHosts.split(",")): cassHost = s.strip() print(" Adding Cassandra host with hostname '%s'" % cassHost) props = { "name": "casshost%s" % (i + 1), "host": "%s" % cassHost, "port": "9042" } parent = es.get("/[CassandraSettings]name=Cassandra Settings") es.addNewEntity(parent, "CassandraServer", props) # Enable API Manager metrics. Connection to metrics DB will be configured via # environment variables. print(" Enabling API Manager metrics") db = es.get( "/[DbConnectionGroup]name=Database Connections/[DbConnection]name=Default Database Connection" ) db.setStringField("url", "${environment.METRICS_DB_URL}") db.setStringField("username", "${environment.METRICS_DB_USERNAME}") db.setStringField("passwordType", "wildcard") db.setStringField("wildcardPassword", "${environment.METRICS_DB_PASS}") es.updateEntity(db) portalConfig = es.get("/[PortalConfiguration]name=Portal Config") portalConfig.setBooleanField("metricsStoringEnabled", True) portalConfig.setReferenceField( "dbConn", PortableESPK.toPortableKey(es.es, db.getPK())) es.updateEntity(portalConfig) archive.updateConfiguration(es.es) es.close() archive.writeToArchiveFile(FACTORY_FED_FILE) except (Exception, Throwable), e: _fail("Error configuring API Manager: %s" % e)
def __configure_certificates(self): if self.__cert_config is not None: # determine existing certificates logging.info("Determine existing certificates") cert_infos = self.__get_certificate_infos() self.__cert_config.set_cert_infos(cert_infos) self.__cert_config.update_config_file() # apply configured certificates logging.info("Configure certificates") certs = self.__cert_config.get_certificates() es = EntityStoreAPI.wrap(self.__fed_archive.getEntityStore(), self.__passphrase_in) cert_infos = [] cert = None for cert_ref in certs: file = self.__resolve_file_path(cert_ref.get_file()) logging.info("Process alias '%s' (%s): %s" % (cert_ref.get_alias(), cert_ref.get_type(), file)) if cert_ref.get_type() == "crt": cf = CertificateFactory.getInstance("X.509") if os.path.isfile(file): fis = FileInputStream(file) cert = cf.generateCertificate(fis) self.__add_or_replace_certificate( es, cert_ref.get_alias(), cert) else: if self.__simulation_mode: logging.warning( "[SIMULATION_MODE] Certificate file not found, certificate (CRT) ignored: alias=%s" % (cert_ref.get_alias())) continue else: raise ValueError( "Certificate file not found for alias '%s': %s" % (cert_ref.get_alias(), file)) elif cert_ref.get_type() == "p12": if os.path.isfile(file): key = self.__get_key_from_p12(file, cert_ref.get_password()) cert = self.__get_cert_from_p12( file, cert_ref.get_password()) self.__add_or_replace_certificate( es, cert_ref.get_alias(), cert, key) else: if self.__simulation_mode: logging.warning( "[SIMULATION_MODE] Certificate file not found, certificate (P12) ignored: alias=%s" % (cert_ref.get_alias())) continue else: raise ValueError( "Certificate file not found for alias '%s': %s" % (cert_ref.get_alias(), file)) elif cert_ref.get_type() == "empty": self.__remove_certificate(es, cert_ref.get_alias()) logging.info("Certificate removed: %s" % (cert_ref.get_alias())) continue else: raise ValueError("Unsupported certificate type: %s" % (cert_ref.get_type())) subject = cert.getSubjectDN().getName() not_after = cert.getNotAfter() cert_info = CertInfo(cert_ref.get_alias(), subject, not_after) logging.info( "Certificate (%s) added/replaced: %s [%s] - %s" % (cert_ref.get_type(), cert_info.get_alias(), cert_info.format_not_after(), cert_info.get_subject())) cert_infos.append(cert_info) if self.__update_cert_config: self.__cert_config.set_update_cert_infos(cert_infos) self.__cert_config.update_config_file() if self.__expiration_days >= 0: logging.info( "Checking for certificate expiration within %i days." % (self.__expiration_days)) has_expired = False for cert_info in cert_infos: expiration_days = cert_info.expiration_in_days() if self.__expiration_days > expiration_days: logging.error("Certificate '%s' expires in %i days!" % (cert_info.get_alias(), expiration_days)) has_expired = True if has_expired: raise ValueError( "At least one certificate expires in less than %i days; check log file!" % (self.__expiration_days)) if not self.__simulation_mode: DeploymentArchive.updateConfiguration(self.__fed_archive, es.es) logging.info("Certificates updated.") else: logging.info( "[SIMULATION_MODE] Certificates simulation succeeded.") return True
class FedConfigurator: def __init__(self, pol_archive_path, env_archive_path, config_path, cert_config_path=None, properties=None, passphrase="", confidentials=None): self.__cert_config = None self.__simulation_mode = False self.__update_cert_config = False self.__expiration_days = -1 self.__base_dirs = None self.__passphrase_in = passphrase self.__pol_archive = PolicyArchive(pol_archive_path) self.__env_archive = EnvironmentArchive(env_archive_path) self.__fed_archive = None try: self.__fed_archive = DeploymentArchive(self.__pol_archive, self.__env_archive, self.__passphrase_in) except TypeError: # backward compatibility for 7.5.3 self.__fed_archive = DeploymentArchive(self.__pol_archive, self.__env_archive) self.__config = EnvConfig(config_path, properties, confidentials) if cert_config_path is not None: self.__cert_config = CertConfig(cert_config_path, properties, confidentials) logging.info("Deployment archive configuration initialized") return def enable_cert_config_update(self): self.__update_cert_config = True def enable_simulation_mode(self): self.__simulation_mode = True def set_cert_expiration_days(self, days): self.__expiration_days = days def set_system_properties(self, sys_properties): self.__config.set_system_properties(sys_properties) def set_base_dirs(self, base_dirs): self.__base_dirs = base_dirs def configure(self, passphrase=""): succeeded = self.__configure_entities() if succeeded: succeeded = self.__configure_certificates() if not succeeded: logging.error("Configuration of certificates failed!") else: logging.error( "Configuration of entities failed; check JSON configuration for unconfigured entity fields!" ) if succeeded and self.__passphrase_in != passphrase: fed_api = DeploymentArchiveAPI(self.__fed_archive, self.__passphrase_in) changer = ChangeEncryptedFields(fed_api.entityStore) changer.execute(passphrase, self.__passphrase_in) fed_api.deploymentArchive.updateConfiguration(fed_api.entityStore) logging.info("Passphrase for output archives changed") return succeeded def __configure_entities(self): logging.info("Configure environmentalized entities") fed_api = DeploymentArchiveAPI(self.__fed_archive, self.__passphrase_in) env_settings = fed_api.envSettings.getEnvSettings() succeeded = True config = {} for env_entity in env_settings.getEnvironmentalizedEntities(): env_fields = env_entity.getEnvironmentalizedFields() for env_field in env_fields: field_value = self.__config.get_value(env_entity, env_field) if (field_value.key.type == "reference"): raise ValueError("Reference types are not supported for environmentalization: name=%s; index=%d; type=%s; entity=%s" \ % (field_value.key.name, field_value.key.index, field_value.key.type, field_value.key.short_hand_key)) if (field_value.value is not None): logging.info( "Configure field: name=%s; index=%d; type=%s; entity=%s" % (field_value.key.name, field_value.key.index, field_value.key.type, field_value.key.short_hand_key)) if not self.__simulation_mode: if field_value.key.short_hand_key not in config: config[field_value.key.short_hand_key] = [] if field_value.key.type == "integer": config[field_value.key.short_hand_key].append([ field_value.key.name, field_value.key.index, int(field_value.value) ]) else: config[field_value.key.short_hand_key].append([ field_value.key.name, field_value.key.index, str(field_value.value) ]) else: logging.error( "Unconfigured field: name=%s; index=%d; type=%s; entity=%s" % (field_value.key.name, field_value.key.index, field_value.key.type, field_value.key.short_hand_key)) succeeded = False if succeeded: if not self.__simulation_mode: fed_api.addEnvSettings(config) logging.info("Environmentalized fields updated.") else: logging.info( "[SIMULATION_MODE] Environmentalized fields simulation succeeded." ) self.__config.update_config_file() return succeeded def __resolve_file_path(self, file): """Searches the certificate file within all specified base directories. The first existing file will be returned. """ if file and self.__base_dirs: for base_dir in self.__base_dirs: f = os.path.join(base_dir, file) if os.path.isfile(f): return f return file def __get_certificate_infos(self): infos = [] es = EntityStoreAPI.wrap(self.__fed_archive.getEntityStore(), self.__passphrase_in) cert_entities = es.getAll( "/[Certificates]name=Certificate Store/[Certificate]**") cf = CertificateFactory.getInstance("X.509") for cert_entity in cert_entities: alias = cert_entity.getStringValue("dname") subject = None not_after = None content = cert_entity.getBinaryValue("content") if content: cert = cf.generateCertificate(ByteArrayInputStream(content)) subject = cert.getSubjectDN().getName() not_after = cert.getNotAfter() infos.append(CertInfo(alias, subject, not_after)) return infos def __get_key_from_p12(self, file, password=None): io = FileInputStream(file) pkcs12 = PKCS12(io) if password is not None: try: pkcs12.decrypt(String(password).toCharArray()) except: raise ValueError("Invalid passphrase for .p12 certificate!") return pkcs12.getKey() def __get_cert_from_p12(self, file, password=None): ks = KeyStore.getInstance("PKCS12") io = FileInputStream(file) if password is None: ks.load(io, None) else: ks.load(io, String(password).toCharArray()) io.close() for alias in ks.aliases(): if ks.isKeyEntry(alias): return ks.getCertificate(alias) return None def __add_or_replace_certificate(self, es, alias, cert, private_key=None): cert_store = es.get('/[Certificates]name=Certificate Store') # Get or create certificate entity cert_entity = es.getChild( cert_store, '[Certificate]dname=%s' % (es.escapeField(alias))) if cert_entity is None: cert_entity = es.createEntity("Certificate") cert_entity.setStringField("dname", alias) es.addEntity(cert_store, cert_entity) cert_entity = es.getChild( cert_store, '[Certificate]dname=%s' % (es.escapeField(alias))) # Set certificate content cert_entity.setBinaryValue("content", cert.getEncoded()) # Set or remove private key if private_key is not None: cert_entity.setStringField( "key", es.encryptBytes(private_key.getEncoded())) else: entity_private_key = cert_entity.getStringValue("key") if not entity_private_key: cert_entity.removeField("key") es.updateEntity(cert_entity) return def __remove_certificate(self, es, alias): # Get certificate entity cert_store = es.get('/[Certificates]name=Certificate Store') cert_entity = es.getChild( cert_store, '[Certificate]dname=%s' % (es.escapeField(alias))) if cert_entity: es.cutEntity(cert_entity) return def __configure_certificates(self): if self.__cert_config is not None: # determine existing certificates logging.info("Determine existing certificates") cert_infos = self.__get_certificate_infos() self.__cert_config.set_cert_infos(cert_infos) self.__cert_config.update_config_file() # apply configured certificates logging.info("Configure certificates") certs = self.__cert_config.get_certificates() es = EntityStoreAPI.wrap(self.__fed_archive.getEntityStore(), self.__passphrase_in) cert_infos = [] cert = None for cert_ref in certs: file = self.__resolve_file_path(cert_ref.get_file()) logging.info("Process alias '%s' (%s): %s" % (cert_ref.get_alias(), cert_ref.get_type(), file)) if cert_ref.get_type() == "crt": cf = CertificateFactory.getInstance("X.509") if os.path.isfile(file): fis = FileInputStream(file) cert = cf.generateCertificate(fis) self.__add_or_replace_certificate( es, cert_ref.get_alias(), cert) else: if self.__simulation_mode: logging.warning( "[SIMULATION_MODE] Certificate file not found, certificate (CRT) ignored: alias=%s" % (cert_ref.get_alias())) continue else: raise ValueError( "Certificate file not found for alias '%s': %s" % (cert_ref.get_alias(), file)) elif cert_ref.get_type() == "p12": if os.path.isfile(file): key = self.__get_key_from_p12(file, cert_ref.get_password()) cert = self.__get_cert_from_p12( file, cert_ref.get_password()) self.__add_or_replace_certificate( es, cert_ref.get_alias(), cert, key) else: if self.__simulation_mode: logging.warning( "[SIMULATION_MODE] Certificate file not found, certificate (P12) ignored: alias=%s" % (cert_ref.get_alias())) continue else: raise ValueError( "Certificate file not found for alias '%s': %s" % (cert_ref.get_alias(), file)) elif cert_ref.get_type() == "empty": self.__remove_certificate(es, cert_ref.get_alias()) logging.info("Certificate removed: %s" % (cert_ref.get_alias())) continue else: raise ValueError("Unsupported certificate type: %s" % (cert_ref.get_type())) subject = cert.getSubjectDN().getName() not_after = cert.getNotAfter() cert_info = CertInfo(cert_ref.get_alias(), subject, not_after) logging.info( "Certificate (%s) added/replaced: %s [%s] - %s" % (cert_ref.get_type(), cert_info.get_alias(), cert_info.format_not_after(), cert_info.get_subject())) cert_infos.append(cert_info) if self.__update_cert_config: self.__cert_config.set_update_cert_infos(cert_infos) self.__cert_config.update_config_file() if self.__expiration_days >= 0: logging.info( "Checking for certificate expiration within %i days." % (self.__expiration_days)) has_expired = False for cert_info in cert_infos: expiration_days = cert_info.expiration_in_days() if self.__expiration_days > expiration_days: logging.error("Certificate '%s' expires in %i days!" % (cert_info.get_alias(), expiration_days)) has_expired = True if has_expired: raise ValueError( "At least one certificate expires in less than %i days; check log file!" % (self.__expiration_days)) if not self.__simulation_mode: DeploymentArchive.updateConfiguration(self.__fed_archive, es.es) logging.info("Certificates updated.") else: logging.info( "[SIMULATION_MODE] Certificates simulation succeeded.") return True def get_unconfigured_fields(self): return self.__config.get_unconfigured_fields() def write_fed(self, fed_path): if "/" not in fed_path and "\\" not in fed_path: fed_path = "./" + fed_path self.__fed_archive.writeToArchiveFile(fed_path) logging.info("Deployment archive written to '%s'" % (fed_path)) return def write_env(self, env_path): if "/" not in env_path and "\\" not in env_path: env_path = "./" + env_path env_archive = EnvironmentArchive(self.__fed_archive) env_archive.writeToArchiveFile(env_path) logging.info("Environment archive written to '%s'" % (env_path)) return
from_envEntities = from_depArchiveAPI.getEnvSettings().getEnvSettings() # Generate environmentalized entities as dictionaries print;print "Get Source environmentalized settings..." fromEnvDict = getEnvSettingsDict(from_envEntities) print;print "Get Target environmentalized settings..." toEnvDict = getEnvSettingsDict(to_envEntities) # Generate the delta comparison between the environmentalized entities updateEnvEntities = {} compareEnvEntities(fromEnvDict, toEnvDict, to_ini, updateEnvEntities) # Merge the source policy package with the target environment package # to create a new target deployment package print;print "Merging Source Policy Package and Target Environment Package to create the Target Deployment Package..." mergedArchive = DeploymentArchive(fromPol, toEnv) to_depArchiveAPI = DeploymentArchiveAPI(mergedArchive, "") # Update the target deployment package with the changed environmentalized entities updateEnvSettings(updateEnvEntities, to_depArchiveAPI) # Check Basic HTTP Auth Passwords are environmentalized checkBasicProfile(to_depArchiveAPI.getEntityStoreAPI()) # Display the target environmentalized entities #displayEnvEntities(to_depArchiveAPI.getEnvSettings().getEnvSettings()) # Update Environment properties if options.save or options.deploy: print; print "Updating enviroment properties..." to_depArchiveAPI.updateEnvironmentProps(dict([(Archive.NAME_DEFAULT_PROPERTY, to_ini.get('Locations', 'env_name'))]))