Openstack credentials Encryption service

tunnel-as-a-service/emulated/charm.py

@@ -1,5 +1,5 @@
 import sys
-
+import os
 sys.path.append(".")
 from osm_ssh_proxy import SSHProxy
 import logging
@@ -22,16 +22,17 @@ def __init__(self,unit):
  "listen_port": "51820",
  "save_config": "true",
  "forward_interface": "wg0",
- "ssh-hostname": "10.0.12.107",
+ "ssh-hostname": "10.0.12.212",
  "username": "ubuntu",
- "password": "ubuntu",
+ "password": "password",
  "vsi_id": "1",
  }
 class Unit():
  def __init__(self):
  pass
  def is_leader(self):
  return True
+
 class Event():
  params = {}
  def __init__(self):
@@ -121,33 +122,35 @@ def delete_peer(self, event):
  def get_ip_routes(self, event):
  return self.wg_toolkit.network_mgmt.get_ip_routes(event)
 
- #Openstack management
- def set_credentials(self,event):
- return self.wg_toolkit.openstack_mgmt.set_credentials(event)
-
- def get_server_details(self,event):
- return self.wg_toolkit.openstack_mgmt.get_server_details(event)
 
- def get_server_ports(self,event):
- return self.wg_toolkit.openstack_mgmt.get_server_ports(event)
+ # Passwd Actions
+ def install_openstack_wrapper(self,event):
+ return self.wg_toolkit.pwdBase.install_openstack_wrapper(event)
+
+ def configure_key_gen(self,event):
+ return self.wg_toolkit.pwdBase.configure_key_gen(event)
+
+ def get_public_key(self,event):
+ return self.wg_toolkit.pwdBase.get_public_key(event)
+
+ def add_address_pair(self,event):
+ return self.wg_toolkit.pwdBase.add_address_pair(event)
 
- def add_address_pairs(self,event):
- return self.wg_toolkit.openstack_mgmt.add_address_pairs(event)
 
 
 if __name__ == "__main__":
- tunnel_charm = TunnelCharm("ubuntu", "ubuntu", "10.0.12.107")
+ tunnel_charm = TunnelCharm("ubuntu", "password", "10.0.12.212")
  # Install wireguard and start thee tunnel
  #tunnel_charm.install_wg_packages(None)
  #tunnel_charm.wireguard_version_check(None)
  #tunnel_charm.configuration_keygen(None)
  #tunnel_charm.wireguard_server_configuration(None)
  # Add Peer
- event = Event()
- event.add_param("peer_key", "U5H6wmmosBhVLLm1A1p/Hbx7M/hhtvpQ8D+20K0ORj0=")
- event.add_param("peer_endpoint", "155.44.99.111:51820")
- event.add_param("allowed_networks", "10.10.10.0/24,10.10.11.0/24")
- tunnel_charm.add_peer(event)
+ # event = Event()
+ # event.add_param("peer_key", "U5H6wmmosBhVLLm1A1p/Hbx7M/hhtvpQ8D+20K0ORj0=")
+ # event.add_param("peer_endpoint", "155.44.99.111:51820")
+ # event.add_param("allowed_networks", "10.10.10.0/24,10.10.11.0/24")
+ # tunnel_charm.add_peer(event)
  # Get VNF IPs
  #event = Event()
  #tunnel_charm.get_vnf_ip(event)
@@ -220,29 +223,28 @@ def add_address_pairs(self,event):
  #event = Event()
  #tunnel_charm.get_wireguard_base_info(event)
 
- #Set OpenStack Credentials
- # event = Event()
- # event.add_param("username",'')
- # event.add_param('password','')
- # event.add_param('user_domain_name','') 
- # event.add_param('domain_name','')
- # event.add_param('project_name','')
- # event.add_param('host','')
- # tunnel_charm.set_credentials(event)
-
- # Get Server Details
- # event = Event()
- # event.add_param('server_id','26f4aec2-2148-43b9-9d9f-56e0c1d1c2cd')
- # tunnel_charm.get_server_details(event)
-
- # Get Server Interfaces
- # event = Event()
- # event.add_param('server_id','26f4aec2-2148-43b9-9d9f-56e0c1d1c2cd')
- # tunnel_charm.get_server_ports(event)
+
+ # Configure key pair
+ event = Event()
+ tunnel_charm.install_openstack_wrapper(event)
+ #tunnel_charm.configure_key_gen(event)
+ event = Event()
+ tunnel_charm.get_public_key(event)
+ username = b''
+ password = b''
+ user_domain_name = b''
+ domain_name = b''
+ project_name = b''
+ host = b''
+ event = Event()
+ event.add_param("username",username)
+ event.add_param('password', password)
+ event.add_param('user_domain_name',user_domain_name) 
+ event.add_param('domain_name',domain_name)
+ event.add_param('project_name',project_name)
+ event.add_param('host',host)
+ event.add_param('server_id','8b3ca827-f6bf-4065-add5-0341f78a2928')
+ event.add_param('address_pairs',"10.100.100.0/24, 192.168.100.0/24")
+ tunnel_charm.add_address_pair(event)
 
- # Add Address Pairs
- # event = Event()
- # event.add_param('ports_id_list',['955989fe-9864-4216-9f3a-1ea8f4710ced'])
- # event.add_param('ip_address_list',['10.100.100.0/24','192.168.100.0/24'])
- # tunnel_charm.add_address_pairs(event)
 

tunnel-as-a-service/emulated/passbolt/constants.py

@@ -0,0 +1,5 @@
+PRIVATE_KEY_FILEPATH = "~/passkey"
+PUBLIC_KEY_FILEPATH = "{}.pub".format(PRIVATE_KEY_FILEPATH)
+PYTHON_PRIVATE_KEY_FILE_PATH = '../passkey'
+ARTIFACTORY_FILE = "https://artifactory.5gasp.eu/repository/5gasp-raw-public/netor/openstackutils.tar.gz"
+WRAPPER_DIR = 'openstackutils'

tunnel-as-a-service/emulated/passbolt/cryptography_helper.py

@@ -0,0 +1,84 @@
+import logging
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric import rsa,padding
+from cryptography.hazmat.primitives.serialization import load_pem_private_key, load_pem_public_key, load_ssh_public_key
+import base64
+
+# Logger
+logging.basicConfig(
+ format="%(module)-15s:%(levelname)-10s| %(message)s",
+ level=logging.INFO
+)
+class CryptographyHelper:
+ def __init__(self) -> None:
+ self.public_key = None
+ self.private_key = None
+ self.digest='SHA-256'
+
+ def get_digest(self):
+ if self.digest == 'SHA-256':
+ return hashes.SHA256()
+
+
+ def load_private_key(self,key_path):
+
+ try:
+ self.private_key = load_pem_private_key(
+ open(key_path).read().encode('utf-8'),
+ password=None
+ )
+ except Exception as e:
+ logging.error(f"Could not load private key!: {e}")
+ return False
+ return isinstance(self.private_key,rsa.RSAPrivateKey)
+
+ def load_public_key(self,key_path,is_file=True):
+
+ try:
+ if is_file:
+ data = open(key_path).read()
+ else:
+ data = key_path
+ if(type(data)==str):
+ data= data.encode('utf-8')
+ self.public_key = load_pem_public_key(
+ data
+ )
+
+ except Exception as e:
+ logging.error(f"Could not load public key!: {e}")
+ return False
+
+ return isinstance(self.private_key,rsa.RSAPublicKey)
+
+ def encrypt_data(self,data):
+ if self.public_key:
+ ciphered_message = self.public_key.encrypt(
+ data.encode('utf-8'),
+ padding.OAEP(
+ mgf=padding.MGF1(algorithm=self.get_digest()),
+ algorithm=self.get_digest(),
+ label=None)
+ )
+ logging.info("Sucessfully encrypted message")
+ return base64.b64encode(ciphered_message)
+ logging.error("A public and private key must be loaded firstly")
+ return None
+
+ def decrypt_data(self,data):
+ data = base64.b64decode(data)
+ if self.private_key:
+ message = self.private_key.decrypt(
+ data,
+ padding.OAEP(
+ mgf=padding.MGF1(algorithm=self.get_digest()),
+ algorithm=self.get_digest(),
+ label=None)
+ ).decode()
+ logging.info("Sucessfully decrypted message")
+ return message
+ logging.error("A private key must be loaded firstly")
+ return None
+
+
+

tunnel-as-a-service/emulated/passbolt/openstackinterfaces.py

@@ -0,0 +1,133 @@
+import requests
+import os
+import datetime
+import dateutil.parser
+import logging
+import constants as Constants
+from cryptography_helper import CryptographyHelper
+import sys
+import argparse
+# Logger
+logging.basicConfig(
+ format="%(module)-15s:%(levelname)-10s| %(message)s",
+ level=logging.INFO
+)
+
+class OpenStackInterfaceManager:
+ def __init__(self) -> None:
+ self.user_domain_name = None
+ self.username = None
+ self.password = None
+ self.domain_name = None
+ self.projectname = None
+ self.host = None
+ self.auth_endpoint='/identity/v3/auth/tokens?nocatalog'
+ self.nova_endpoint='/compute/v2.1'
+ self.token = None
+ self.expire_time = None
+ self.cryptography = CryptographyHelper()
+ self.decrypt_and_set_variables()
+
+
+ def decrypt_and_set_variables(self):
+ logging.info("started decription")
+ self.cryptography.load_private_key(f'{Constants.PYTHON_PRIVATE_KEY_FILE_PATH}')
+ self.user_domain_name = self.cryptography.decrypt_data(os.getenv('OS_USER_DOMAIN_NAME'))
+ self.username = self.cryptography.decrypt_data(os.getenv('OS_USERNAME'))
+ self.password = self.cryptography.decrypt_data(os.getenv('OS_PASSWORD'))
+ self.domain_name = self.cryptography.decrypt_data(os.getenv('OS_PROJECT_DOMAIN_NAME'))
+ self.projectname = self.cryptography.decrypt_data(os.getenv('OS_PROJECT_NAME'))
+ self.host = self.cryptography.decrypt_data(os.getenv('OS_HOST'))
+
+ def require_auth(func, *args, **kwargs):
+ def wrapper(self, *args, **kwargs):
+ if self.has_expired():
+ logging.info("Token has expired. Authenticating again...")
+ self.authenticate()
+ return func(self, *args, **kwargs)
+ return wrapper
+
+ def has_expired(self):
+ if self.token and self.expire_time:
+ return self.expire_time<datetime.datetime.now(self.expire_time.tzinfo)
+ return True
+
+ def authenticate(self):
+ obj = { "auth": { "identity": { "methods": ["password"],
+ "password": {"user": {"domain": {"name": f"{self.user_domain_name}"},"name": f"{self.username}",
+ "password": f"{self.password}"} } }, "scope": { "project": { "domain": { "name": f"{self.domain_name}" },
+ "name": f"{self.projectname}" } } }}
+ r = requests.post(url=f'{self.host}{self.auth_endpoint}',json=obj,verify=False)
+ logging.info("Authentication Sucessful")
+ print(r.text)
+ self.token = r.headers['X-Subject-Token']
+ self.expire_time = dateutil.parser.parse(str(r.json()['token']['expires_at']))
+
+ @require_auth
+ def get_server_details(self,server_id='1594869a-21f8-42c9-8473-4766340cb57f'):
+ print(self.token)
+ servers = requests.get(url=f'{self.host}{self.nova_endpoint}/servers',headers={'X-Auth-Token': f'{self.token}'},verify=False)
+ servers_list = servers.json()['servers']
+ choosen_server = None
+ for server in servers_list:
+ if server['id'] == server_id:
+ choosen_server = server
+ logging.info(f"Retrieved Server details for instance with id {server_id}")
+ return choosen_server
+
+ @require_auth
+ def get_server_ports(self,_id='1594869a-21f8-42c9-8473-4766340cb57f'):
+ try:
+ servers = requests.get(url=f'{self.host}{self.nova_endpoint}/servers/{_id}/os-interface',headers={'X-Auth-Token': f'{self.token}'},verify=False)
+ if servers.status_code != 200:
+ logging.error(f"Could not find any server with id {_id}")
+ ports_id_list = [x['port_id'] for x in servers.json()['interfaceAttachments']]
+ logging.info(f"Retrieved all interfaces for server with id {_id}")
+ except Exception as e:
+ logging.error(f"Could not obtain server Interfaces. Reason: {e}")
+ return None
+ return ports_id_list
+
+ @require_auth
+ def add_address_pair(self,ports_id_list, ip_addresses):
+ lst_addresses = [ {'ip_address': x } for x in ip_addresses.split(',')]
+ obj={'port': {'allowed_address_pairs': lst_addresses }}
+ if self.host[-1] == '/':
+ self.host= self.host[:-1]
+
+ for port_id in ports_id_list:
+ try:
+ _ = requests.put(url=f'{self.host}:9696/v2.0/ports/{port_id}',headers={'X-Auth-Token': f'{self.token}'}, json=obj,verify=False)
+ logging.info(f"Added address pair for interface with id {port_id}")
+ except Exception as e:
+ logging.error(f"Could not add address pair. Reason: {e}")
+
+
+
+def usage():
+ print("Usage: python3 main.py\
+ \n\t-server_id <UUID of the server to add the address pairs:str>\
+ \n\t-ips <IP addresses pairs to be allowed:str>")
+
+arg_parser = argparse.ArgumentParser(
+ prog="OpenStackInterfaceManager",
+ usage=usage
+ )
+arg_parser.add_argument('-server_id',type=str, nargs=1,required=True)
+arg_parser.add_argument('-ips', nargs=1, default=['10.100.100.0/24, 192.168.100.0/24'])
+
+def check_arguments():
+ try:
+ args = arg_parser.parse_args()
+ except:
+ usage()
+ sys.exit(0)
+ return args
+
+
+if __name__ == '__main__':
+
+ args= check_arguments()
+ manager = OpenStackInterfaceManager()
+ ports_list = manager.get_server_ports(args.server_id[0])
+ manager.add_address_pair(ports_list, args.ips[0])