Code commit to Secure the gRPC Channel between PONSIM Adapter and PONSIM OLT.

Change-Id: I76b6573ef9c255cc9ae153ed0e3b04daa68958c7
diff --git a/docker/Dockerfile.voltha b/docker/Dockerfile.voltha
index f47f9c0..6f6ce6f 100644
--- a/docker/Dockerfile.voltha
+++ b/docker/Dockerfile.voltha
@@ -26,6 +26,7 @@
 ENV PYTHONPATH=/voltha
 COPY common /voltha/common
 COPY voltha /voltha/voltha
+COPY pki /voltha/pki
 
 # Exposing process and default entry point
 # EXPOSE 8000
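Review bot: `COPY pki /voltha/pki` bakes the whole pki/ directory into an image layer, and the other files in this commit read `voltha.key` from that directory, so the private key appears to ship to everyone who can pull the image and to remain in the layer history. Prefer copying only the public material (`voltha-CA.pem`, `voltha.crt`) and supplying the key at run time through a mounted volume or the orchestrator's secret mechanism. If the key in the repository is a development-only key, a comment above the COPY such as `# dev-only test PKI; mount real certs/keys at runtime` would make that explicit.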
diff --git a/ponsim/grpc_server.py b/ponsim/grpc_server.py
index 7ed70d5..fb08346 100644
--- a/ponsim/grpc_server.py
+++ b/ponsim/grpc_server.py
@@ -15,6 +15,7 @@
 #
 import grpc
 import structlog
+import os
 from concurrent import futures
 
 from common.utils.grpc_utils import twisted_async
@@ -91,7 +92,23 @@
         add_PonSimServicer_to_server(handler, self.server)
         x_pon_handler = XPonHandler(self.thread_pool, self.x_pon_sim)
         add_XPonSimServicer_to_server(x_pon_handler, self.server)
-        self.server.add_insecure_port('[::]:%s' % self.port)
+
+        # read in key and certificate
+        try:
+           voltha_key = os.path.join(os.environ.get('VOLTHA_BASE'),"pki/voltha.key")
+           with open(voltha_key) as f:
+               private_key = f.read()
+
+           voltha_cert = os.path.join(os.environ.get('VOLTHA_BASE'),"pki/voltha.crt")
+           with open(voltha_cert) as f:
+               certificate_chain = f.read()
+        except Exception as e:
+           log.error('failed-to-read-cert-keys', reason=e)
+
+        # create server credentials
+        server_credentials = grpc.ssl_server_credentials(((private_key, certificate_chain,),))
+        self.server.add_secure_port('[::]:%s' % self.port, server_credentials)
+
         self.server.start()
         log.info('started')
 
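Review bot: The `except Exception` block after the key and certificate reads only logs, so execution continues when a file is missing or `VOLTHA_BASE` is unset (`os.environ.get` returns None and `os.path.join` raises). It then reaches `grpc.ssl_server_credentials` with `private_key` and `certificate_chain` unbound, and the server dies on a NameError that hides the real cause; add `raise` after the `log.error` call. The same pattern is in the `get_channel` hunk of voltha/adapters/ponsim_olt/ponsim_olt.py. Separately, the credentials are built without `root_certificates` or `require_client_auth=True`, so the client certificate the adapter presents is never verified at the TLS layer; if mutual TLS is intended, load the CA file and pass `root_certificates=ca_cert, require_client_auth=True`. The enclosing method starts outside this hunk.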
diff --git a/voltha/adapters/ponsim_olt/ponsim_olt.py b/voltha/adapters/ponsim_olt/ponsim_olt.py
index 4c40cf7..f1940bf 100644
--- a/voltha/adapters/ponsim_olt/ponsim_olt.py
+++ b/voltha/adapters/ponsim_olt/ponsim_olt.py
@@ -230,7 +230,27 @@
     def get_channel(self):
         if self.channel is None:
             device = self.adapter_agent.get_device(self.device_id)
-            self.channel = grpc.insecure_channel(device.host_and_port)
+
+            # read in certificate
+            try:
+               with open('/voltha/pki/voltha-CA.pem') as f:
+                  trusted_certs = f.read()
+
+               with open('/voltha/pki/voltha.crt') as f:
+                  client_cert = f.read()
+
+               with open('/voltha/pki/voltha.key') as f:
+                  client_key = f.read()
+            except Exception as e:
+               log.error('failed-to-read-cert-keys', reason=e)
+
+            # create credentials
+            credentials = grpc.ssl_channel_credentials( root_certificates=trusted_certs, private_key=client_key, certificate_chain=client_cert)
+
+            # create channel using ssl credentials
+            my_server_host_override_string = "ABCD" # Server's CN Name, Ugly but no other Choice.
+            self.channel = grpc.secure_channel(device.host_and_port, credentials, options=(('grpc.ssl_target_name_override', my_server_host_override_string,),))
+
         return self.channel
 
     def _get_nni_port(self):
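Review bot: The hard-coded `grpc.ssl_target_name_override` value "ABCD" makes the adapter check the server certificate against that fixed name rather than against `device.host_and_port`. Any certificate issued by the trusted CA for that name is therefore accepted for every OLT address, and gRPC documents this option as intended for testing. Issuing the OLT certificate with subjectAltName entries for the addresses it is reached on would let the override be dropped; failing that, take the expected name from device or adapter configuration rather than a literal. The three PKI paths are also absolute literals here, while ponsim/grpc_server.py derives them from `VOLTHA_BASE`; using one convention for both would avoid drift.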