Commit 55e3707a authored by Jorge Moratinos

Merge branch 'OCF182-certs-generation' into 'staging'

Resolve "review Nginx prepare.sh"

Closes #182

See merge request !165
parents 14271f3d 4bf01d8b
+22 −122
@@ -16,7 +16,7 @@ data:
     echo "install dependencies"
     echo "install dependencies"
     apk add --no-cache jq openssl
     apk add --no-cache jq openssl


     # Establecer las variables de entorno de Vault
     # Set Vault environment variables


     export VAULT_ADDR='http://vault-internal:8200'
     export VAULT_ADDR='http://vault-internal:8200'
     
     
@@ -37,22 +37,22 @@ data:
     
     
     vault secrets enable pki
     vault secrets enable pki
     
     
     echo "# Generar una CA en Vault #"
     echo "# Generate a CA in Vault #"
     vault secrets tune -max-lease-ttl=87600h pki
     vault secrets tune -max-lease-ttl=87600h pki
     
     
     vault write -field=certificate pki/root/generate/internal \
     vault write -field=certificate pki/root/generate/internal \
          common_name="capif" \
          common_name="capif" \
          issuer_name="root-2023" \
          issuer_name="root-2026" \
          ttl=87600h > root_2023_ca.crt
          ttl=87600h > root_2026_ca.crt
    
    
     echo "# check root_2023_ca.crt #"
     echo "# check root_2026_ca.crt #"
     cat root_2023_ca.crt
     cat root_2026_ca.crt
     
     
     vault write pki/config/urls \
     vault write pki/config/urls \
          issuing_certificates="$VAULT_ADDR/v1/pki/ca" \
          issuing_certificates="$VAULT_ADDR/v1/pki/ca" \
          crl_distribution_points="$VAULT_ADDR/v1/pki/crl"
          crl_distribution_points="$VAULT_ADDR/v1/pki/crl"
     
     
     # # Generar una CA intermedia en Vault
     # # Generate an intermediate CA in Vault
     vault secrets enable -path=pki_int pki
     vault secrets enable -path=pki_int pki
     
     
     vault secrets tune -max-lease-ttl=43800h pki_int
     vault secrets tune -max-lease-ttl=43800h pki_int
@@ -65,20 +65,20 @@ data:
     echo "### content pki_intermediate.csr ###"
     echo "### content pki_intermediate.csr ###"
     cat pki_intermediate.csr
     cat pki_intermediate.csr
     
     
     # Firmar la CA intermedia con la CA raíz
     # Sign the intermediate CA with the root CA
     vault write -format=json pki/root/sign-intermediate \
     vault write -format=json pki/root/sign-intermediate \
          issuer_ref="root-2023" \
          issuer_ref="root-2026" \
          csr=@pki_intermediate.csr \
          csr=@pki_intermediate.csr \
          format=pem_bundle ttl="43800h" \
          format=pem_bundle ttl="43800h" \
          | jq -r '.data.certificate' > capif_intermediate.cert.pem
          | jq -r '.data.certificate' > capif_intermediate.cert.pem
     
     
     # Configurar la CA intermedia en Vault
     # Configure the intermediate AC in Vault
     vault write pki_int/intermediate/set-signed certificate=@capif_intermediate.cert.pem
     vault write pki_int/intermediate/set-signed certificate=@capif_intermediate.cert.pem
     
     
     #Crear rol en Vault
     # Create a role in Vault
     vault write pki_int/roles/my-ca use_csr_common_name=false require_cn=false allowed_domains="*" allow_any_name=true allow_bare_domains=true allow_glob_domains=true allow_subdomains=true max_ttl=4300h ttl=4300h
     vault write pki_int/roles/my-ca use_csr_common_name=false require_cn=false allowed_domains="*" allow_any_name=true allow_bare_domains=true allow_glob_domains=true allow_subdomains=true max_ttl=4300h ttl=4300h
     
     
     # Emitir un certificado firmado por la CA intermedia
     # Issue a certificate signed by the intermediary CA
     # vault write -format=json pki_int/issue/my-ca \
     # vault write -format=json pki_int/issue/my-ca \
     #   common_name="nginx.mon.svc.cluster.local" \
     #   common_name="nginx.mon.svc.cluster.local" \
     #   format=pem_bundle ttl="438h" \
     #   format=pem_bundle ttl="438h" \
@@ -92,131 +92,31 @@ data:
     #   | jq -r '.data.private_key as $private_key | .data.issuing_ca as $issuing_ca | .data.certificate as $certificate | [$private_key, $issuing_ca, $certificate]' > cert_data.json
     #   | jq -r '.data.private_key as $private_key | .data.issuing_ca as $issuing_ca | .data.certificate as $certificate | [$private_key, $issuing_ca, $certificate]' > cert_data.json
     
     
     
     
     #Create CSR
     ############################################################
     openssl genrsa -out ./server.key 2048
     # 4) CA BUNDLE (KV v2)
     
     ############################################################
     cat > ./foo.cnf <<EOF
     [ req ]
     distinguished_name = req_distinguished_name
     req_extensions = v3_req
     
     [ req_distinguished_name ]
     countryName = \$ENV::COUNTRY
     countryName_default = \$ENV::COUNTRY
     stateOrProvinceName = \$ENV::STATE
     stateOrProvinceName_default = \$ENV::STATE
     localityName = \$ENV::LOCALITY
     localityName_default = \$ENV::LOCALITY
     organizationName = \$ENV::ORGNAME
     organizationName_default = \$ENV::ORGNAME
     organizationalUnitName  = \$ENV::ORGUNIT
     organizationalUnitName_default  = \$ENV::ORGUNIT
     commonName = capif
     commonName_max  = 64
     emailAddress = Email Address
     emailAddress_max = 64
     emailAddress_default = \$ENV::EMAIL
     
     [ v3_req ]
     subjectAltName = @alt_names
     
     [alt_names]
     DNS.1 = \$ENV::DOMAIN1
     DNS.2 = \$ENV::DOMAIN2
     DNS.3 = \$ENV::DOMAIN3
     EOF

     export COUNTRY=ES                # 2 letter country-code
     export STATE=Madrid            # state or province name
     export LOCALITY=Madrid        # Locality Name (e.g. city)
     export ORGNAME="Telefonica I+D" # Organization Name (eg, company)
     export ORGUNIT=Innovation                  # Organizational Unit Name (eg. section)
     export COMMONNAME="nginx.mon.svc.cluster.local"
     export EMAIL=inno@tid.es    # certificate's email address
     # optional extra details
     CHALLENGE=""                # challenge password
     COMPANY=""                  # company name
     
     # DAYS="-days 365"
     
     # create the certificate request
     openssl req -new $DAYS -batch -key ./server.key -out ./server.csr -config ./foo.cnf -extensions v3_req
     
     echo "### verify the Subject Alternative Name (SAN) ###"
     openssl req -text -noout -verify -in ./server.csr | grep 'DNS'


     #cat <<__EOF__ | openssl req -new $DAYS -nodes -keyout client.key -out client.csr
     #cat <<__EOF__ | openssl req -new $DAYS -key ./server.key -out ./server.csr
     #$COUNTRY
     #$STATE
     #$LOCALITY
     #$ORGNAME
     #$ORGUNIT
     #$COMMONNAME
     #$EMAIL
     #$CHALLENGE
     #$COMPANY
     #__EOF__
     
     # vault write -format=json pki_int/issue/my-ca \
     #   csr=@server.csr \
     #   format=pem_bundle ttl="438h" \
     #   | jq -r '.data.private_key as $private_key | .data.issuing_ca as $issuing_ca | .data.certificate as $certificate | [$private_key, $issuing_ca, $certificate]' > cert_data.json
     
     vault write -format=json pki_int/sign/my-ca  format=pem_bundle ttl="43000h" csr=@server.csr | jq -r '.data.issuing_ca as $issuing_ca | .data.certificate as $certificate | [$issuing_ca, $certificate]' > cert_data.json
     
     jq -r '.[0]' cert_data.json > root_ca.crt.pem
     echo "### content root_ca.crt.pem ###"
     cat root_ca.crt.pem

     echo "### content server_certificate.crt.pem ###"
     jq -r '.[1]' cert_data.json > server_certificate.crt.pem
     
     openssl x509 -pubkey -noout -in server_certificate.crt.pem  > server_certificate_pub.pem
     
     #vault kv put secret/ca ca=@root_helm.pem root_2023_ca.crt
     
     #cat root_2023_ca.crt root_2023_ca.crt > ca.crt
     
     cat > certificados_concatenados.crt << EOF
     $(cat "root_2023_ca.crt")
     $(cat "root_ca.crt.pem")
     EOF
     echo "### content of root_2023_ca.crt ###"
     cat root_2023_ca.crt

     echo "### content of root_ca.crt.pem ###"
     cat root_ca.crt.pem

     echo "### content of certificados_concatenados.crt ###"
     cat certificados_concatenados.crt
     
     # vault kv put secret/ca ca=@root_2023_ca.crt


     echo "### enable secrets kv ###"
     echo "### enable secrets kv ###"
     vault secrets enable -path=secret -version=2 kv
     vault secrets enable -path=secret -version=2 kv


     vault kv put secret/ca ca=@certificados_concatenados.crt
     # Store CA bundle at secret/ca (same as docker script)
     
     vault kv put secret/ca ca=@capif_intermediate.cert.pem
     vault kv put secret/server_cert cert=@server_certificate.crt.pem


     vault kv put secret/server_cert/pub pub_key=@server_certificate_pub.pem
     echo "[INFO] CA bundle stored at secret/ca"


     vault kv put secret/server_cert/private key=@server.key
     
     
     #POLICY_NAME="my-policy"
     #POLICY_NAME="my-policy"
     #POLICY_FILE="my-policy.hcl"
     #POLICY_FILE="my-policy.hcl"
     #TOKEN_ID="read-ca-token"
     #TOKEN_ID="read-ca-token"
     
     
     # Crear la política en Vault
     # Create the policy in Vault
     #echo "path \"secret/data/ca\" {
     #echo "path \"secret/data/ca\" {
     #  capabilities = [\"read\"]
     #  capabilities = [\"read\"]
     #}" > "$POLICY_FILE"
     #}" > "$POLICY_FILE"
     
     
     #vault policy write "$POLICY_NAME" "$POLICY_FILE"
     #vault policy write "$POLICY_NAME" "$POLICY_FILE"
     
     
     # Generar un nuevo token y asignar la política
     # Generate a new token and assign the policy
     #TOKEN=$(vault token create -id="$TOKEN_ID" -policy="$POLICY_NAME" -format=json | jq -r '.auth.client_token')
     #TOKEN=$(vault token create -id="$TOKEN_ID" -policy="$POLICY_NAME" -format=json | jq -r '.auth.client_token')
     
     
     #echo "Token generado:"
     #echo "Token generado:"
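Review bot: The `[INFO] CA bundle stored at secret/ca` message is printed unconditionally, so a failed `vault kv put secret/ca ca=@capif_intermediate.cert.pem` (Vault unreachable, KV engine not yet enabled, missing file) is reported as success; unless `set -e` is in effect above this hunk, guard the write with `vault kv put secret/ca ca=@capif_intermediate.cert.pem || { echo "[ERROR] failed to store CA bundle at secret/ca" >&2; exit 1; }`. The value now stored under `secret/ca` is `capif_intermediate.cert.pem`, i.e. the `.data.certificate` field of the sign-intermediate response, whereas the removed code stored the root certificate concatenated with the issuing CA; whether that field also carries the root when `format=pem_bundle` is used should be confirmed, because consumers that validate server certificates up to `root_2026_ca.crt` need the full chain and the comment "Store CA bundle" suggests that is the intent. The script embedded in the ConfigMap `data:` value starts and continues outside this hunk.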
+19 −0
@@ -24,6 +24,10 @@ from opentelemetry.sdk.trace.export import BatchSpanProcessor
from opentelemetry.trace.propagation.tracecontext import \
from opentelemetry.trace.propagation.tracecontext import \
    TraceContextTextMapPropagator
    TraceContextTextMapPropagator


from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization

NAME = "Invoker-Service"
NAME = "Invoker-Service"


# Setting log level
# Setting log level
@@ -120,6 +124,21 @@ def verbose_formatter():
with open("/usr/src/app/api_invoker_management/pubkey.pem", "rb") as pub_file:
with open("/usr/src/app/api_invoker_management/pubkey.pem", "rb") as pub_file:
            pub_data = pub_file.read()
            pub_data = pub_file.read()


# with open("/usr/src/app/api_invoker_management/pubkey.pem", "rb") as f:
#     pem_data = f.read()

# # Extract the first certificate from the PEM (even if it comes in a bundle)
# cert = x509.load_pem_x509_certificate(pem_data, default_backend())

# # Extract the public key
# public_key = cert.public_key()

# # Convert the public key to PEM (which JWT needs)
# pub_data = public_key.public_bytes(
#     encoding=serialization.Encoding.PEM,
#     format=serialization.PublicFormat.SubjectPublicKeyInfo,
# )

app = connexion.App(__name__, specification_dir='openapi/')
app = connexion.App(__name__, specification_dir='openapi/')
app.app.json_encoder = encoder.CustomJSONEncoder
app.app.json_encoder = encoder.CustomJSONEncoder
app.add_api('openapi.yaml',
app.add_api('openapi.yaml',
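Review bot: The three `cryptography` imports added at the top of the file (`x509`, `default_backend`, `serialization`) are referenced only by the commented-out block under the `pubkey.pem` read, so in the new code they are dead imports that pull `cryptography` into the service's import graph for nothing. Either drop the imports together with the commented block, or enable the block and retire the raw `pub_data = pub_file.read()` path; keeping both leaves it unclear whether `pubkey.pem` is expected to be a public key or a certificate bundle. If the block is intentionally parked for a follow-up, a one-line comment such as `# TODO: replace raw read with SPKI extraction from the certificate once pubkey.pem holds a cert bundle` would record that intent. The same import trio and commented block appear in the Provider-Service `__main__` in this commit.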
+29 −1
@@ -10,15 +10,43 @@ RETRY_DELAY=10
# Attempt counter
# Attempt counter
ATTEMPT=0
ATTEMPT=0


HELPER_URL="http://helper:8080/helper/api/getCcfId"
ATTEMPT_CCFID=0
CCF_ID=""

while [ $ATTEMPT -lt $MAX_RETRIES ]; do
while [ $ATTEMPT -lt $MAX_RETRIES ]; do
    # Increment ATTEMPT using eval
    # Increment ATTEMPT using eval
    eval "ATTEMPT=\$((ATTEMPT + 1))"
    eval "ATTEMPT=\$((ATTEMPT + 1))"
    echo "Attempt $ATTEMPT of $MAX_RETRIES"
    echo "Attempt $ATTEMPT of $MAX_RETRIES"


    # Get CCF_ID from helper
    echo "[STEP] Fetching CCF_ID from Helper: $HELPER_URL"
    while [ $ATTEMPT_CCFID -lt $MAX_RETRIES ]; do
        ATTEMPT_CCFID=$((ATTEMPT_CCFID + 1))
        echo "[INFO] Attempt $ATTEMPT_CCFID/$MAX_RETRIES – GET $HELPER_URL"

        RAW=$(curl -sS --fail --connect-timeout 5 --max-time 10 "$HELPER_URL" || true)
        CCF_ID=$(echo "$RAW" | jq -r '.ccf_id // empty' 2>/dev/null)

        if [ -n "$CCF_ID" ]; then
            echo "[INFO] Got CCF_ID=$CCF_ID"
            break
        fi

        echo "[WARN] Helper not ready or invalid response. Retrying in ${RETRY_DELAY}s..."
        sleep $RETRY_DELAY
    done

    if [ -z "$CCF_ID" ]; then
        echo "[ERROR] Unable to retrieve CCF_ID from Helper after $MAX_RETRIES attempts"
        exit 1
    fi


    # Make the request to Vault and store the response in a variable
    # Make the request to Vault and store the response in a variable
    RESPONSE=$(curl -s -k --connect-timeout 5 --max-time 10 \
    RESPONSE=$(curl -s -k --connect-timeout 5 --max-time 10 \
        --header "X-Vault-Token: $VAULT_TOKEN" \
        --header "X-Vault-Token: $VAULT_TOKEN" \
        --request GET "$VAULT_ADDR/v1/secret/data/server_cert/pub" | jq -r '.data.data.pub_key')
        --request GET "$VAULT_ADDR/v1/secret/data/capif/${CCF_ID}/nginx" | jq -r '.data.data.server_pub')


    echo "$RESPONSE"
    echo "$RESPONSE"


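Review bot: `CCF_ID` is taken straight from the helper's JSON and interpolated into the Vault path `$VAULT_ADDR/v1/secret/data/capif/${CCF_ID}/nginx` with no format check, so an unexpected value containing `/` or `..` would silently change which secret is read; after the `-z` test, reject anything outside the expected identifier alphabet, e.g. `case "$CCF_ID" in *[!A-Za-z0-9._-]*) echo "[ERROR] Unexpected CCF_ID format: $CCF_ID" >&2; exit 1 ;; esac` (adjust the character class to the id format the helper actually emits). `ATTEMPT_CCFID` is also never reset inside the outer `while`, so on the second outer attempt the helper loop has fewer tries left than `MAX_RETRIES` suggests; resetting it to 0 before the inner loop, or moving the helper fetch above the outer loop since the id does not depend on the attempt number, would fix that. The same block appears in the second registration script in this commit. The outer `while` closes outside this hunk.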
+21 −0
@@ -19,6 +19,10 @@ from opentelemetry.sdk.trace.export import BatchSpanProcessor
from opentelemetry.trace.propagation.tracecontext import \
from opentelemetry.trace.propagation.tracecontext import \
    TraceContextTextMapPropagator
    TraceContextTextMapPropagator


from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization

from .config import Config
from .config import Config


NAME = "Provider-Service"
NAME = "Provider-Service"
@@ -113,6 +117,23 @@ def verbose_formatter():
with open("/usr/src/app/api_provider_management/pubkey.pem", "rb") as pub_file:
with open("/usr/src/app/api_provider_management/pubkey.pem", "rb") as pub_file:
        pub_data = pub_file.read()
        pub_data = pub_file.read()
        
        
# with open("/usr/src/app/api_provider_management/pubkey.pem", "rb") as f:
#     pem_data = f.read()

# # Extract the first certificate from the PEM (even if it comes in a bundle)
# cert = x509.load_pem_x509_certificate(pem_data, default_backend())

# # Extract the public key
# public_key = cert.public_key()

# # Convert the public key to PEM (which JWT needs)
# pub_data = public_key.public_bytes(
#     encoding=serialization.Encoding.PEM,
#     format=serialization.PublicFormat.SubjectPublicKeyInfo,
# )



app = connexion.App(__name__, specification_dir='openapi/')
app = connexion.App(__name__, specification_dir='openapi/')
app.app.json_encoder = api_provider_management.encoder.CustomJSONEncoder
app.app.json_encoder = api_provider_management.encoder.CustomJSONEncoder
app.add_api('openapi.yaml',
app.add_api('openapi.yaml',
+29 −1
@@ -10,15 +10,43 @@ RETRY_DELAY=10
# Attempt counter
# Attempt counter
ATTEMPT=0
ATTEMPT=0


HELPER_URL="http://helper:8080/helper/api/getCcfId"
ATTEMPT_CCFID=0
CCF_ID=""

while [ $ATTEMPT -lt $MAX_RETRIES ]; do
while [ $ATTEMPT -lt $MAX_RETRIES ]; do
    # Increment ATTEMPT using eval
    # Increment ATTEMPT using eval
    eval "ATTEMPT=\$((ATTEMPT + 1))"
    eval "ATTEMPT=\$((ATTEMPT + 1))"
    echo "Attempt $ATTEMPT of $MAX_RETRIES"
    echo "Attempt $ATTEMPT of $MAX_RETRIES"



    # Get CCF_ID from helper
    echo "[STEP] Fetching CCF_ID from Helper: $HELPER_URL"
    while [ $ATTEMPT_CCFID -lt $MAX_RETRIES ]; do
        ATTEMPT_CCFID=$((ATTEMPT_CCFID + 1))
        echo "[INFO] Attempt $ATTEMPT_CCFID/$MAX_RETRIES – GET $HELPER_URL"

        RAW=$(curl -sS --fail --connect-timeout 5 --max-time 10 "$HELPER_URL" || true)
        CCF_ID=$(echo "$RAW" | jq -r '.ccf_id // empty' 2>/dev/null)

        if [ -n "$CCF_ID" ]; then
            echo "[INFO] Got CCF_ID=$CCF_ID"
            break
        fi

        echo "[WARN] Helper not ready or invalid response. Retrying in ${RETRY_DELAY}s..."
        sleep $RETRY_DELAY
    done

    if [ -z "$CCF_ID" ]; then
        echo "[ERROR] Unable to retrieve CCF_ID from Helper after $MAX_RETRIES attempts"
        exit 1
    fi

    # Make the request to Vault and store the response in a variable
    # Make the request to Vault and store the response in a variable
    RESPONSE=$(curl -s -k --connect-timeout 5 --max-time 10 \
    RESPONSE=$(curl -s -k --connect-timeout 5 --max-time 10 \
        --header "X-Vault-Token: $VAULT_TOKEN" \
        --header "X-Vault-Token: $VAULT_TOKEN" \
        --request GET "$VAULT_ADDR/v1/secret/data/server_cert/pub" | jq -r '.data.data.pub_key')
        --request GET "$VAULT_ADDR/v1/secret/data/capif/${CCF_ID}/nginx" | jq -r '.data.data.server_pub')


    echo "$RESPONSE"
    echo "$RESPONSE"

