AV-183030: Nsxt tool fix 22.1.4 (#2717)

* AV-183030: Nsxt tool fix 22.1.4 * Resolved review comments 4 * AV-183030: added some debug points * AV-183030: added some debug points in nsxt util * Nsxt cipher conversion -22.1.4 (cherry picked from commit 945c743) * Changes in cipher conversion (cherry picked from commit 63d4ca7) * minor fix in ssl profile * fix in client-ssl * Added unsupported cipher in dict * RSA cipher mapping * Added status succesful with unsupported cipher --------- Co-authored-by: Megha Agarwal <Megha Agarwal>
vmware · Jul 10, 2023 · 81a51d0 · 81a51d0
1 parent 5165d78
commit 81a51d0
Show file tree

Hide file tree

Showing 6 changed files with 131 additions and 32 deletions.
diff --git a/python/avi/migrationtools/nsxt_converter/ciphers_dict.json b/python/avi/migrationtools/nsxt_converter/ciphers_dict.json
@@ -0,0 +1,52 @@
+{
+    "supported_ciphers_in_nsxt":
+[
+"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+"TLS_RSA_WITH_AES_128_GCM_SHA256",
+"TLS_RSA_WITH_AES_128_CBC_SHA256",
+"TLS_RSA_WITH_AES_128_CBC_SHA",
+"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
+"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
+"TLS_RSA_WITH_AES_256_CBC_SHA",
+"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+"TLS_RSA_WITH_AES_256_CBC_SHA256",
+"TLS_RSA_WITH_AES_256_GCM_SHA384",
+"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
+"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
+"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
+"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
+"TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
+"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
+"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
+"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
+"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
+"TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"
+],
+    "openssl_unsupported_ciphers":
+[
+"ECDH-ECDSA-AES256-SHA",
+"ECDH-RSA-AES256-SHA",
+"DES-CBC3-SHA",
+"ECDH-ECDSA-AES128-SHA",
+"ECDH-ECDSA-AES128-SHA256",
+"ECDH-ECDSA-AES128-GCM-SHA256",
+"ECDH-ECDSA-AES256-SHA384",
+"ECDH-ECDSA-AES256-GCM-SHA384",
+"ECDH-RSA-AES128-SHA",
+"ECDH-RSA-AES128-SHA256",
+"ECDH-RSA-AES128-GCM-SHA256",
+"ECDH-RSA-AES256-SHA384",
+"ECDH-RSA-AES256-GCM-SHA384"
+]
+}
diff --git a/python/avi/migrationtools/nsxt_converter/conversion_util.py b/python/avi/migrationtools/nsxt_converter/conversion_util.py
@@ -5,7 +5,7 @@
 import logging
 import os
 from functools import reduce
-
+import json
 import pandas
 import re
 import random
@@ -67,7 +67,8 @@ def add_conv_status(self, nsxt_type, nsxt_sub_type, nsxt_id, conv_status,
             'Skipped settings': str(conv_status.get('skipped', '')),
             'Indirect mapping': str(conv_status.get('indirect', '')),
             'Not Applicable': str(conv_status.get('na_list', '')),
-            'Avi Object': str(avi_object)
+            'Avi Object': str(avi_object),
+            'Needs Review' : str(need_review)
         }
         csv_writer_dict_list.append(row)
 
@@ -189,11 +190,11 @@ def write_status_report_and_pivot_table_in_xlsx(
                           'Skipped settings', 'Indirect mapping',
                           'Not Applicable', 'Complexity Level',
                           'VS Reference', 'Overall skipped settings',
-                          'Avi Object']
+                          'Avi Object','Needs Review']
         else:
             fieldnames = ['NsxT type', 'NsxT SubType', 'NsxT ID', 'Status',
                           'Skipped settings', 'Indirect mapping',
-                          'Not Applicable', 'Complexity Level', 'Avi Object']
+                          'Not Applicable', 'Complexity Level', 'Avi Object','Needs Review']
 
         # xlsx workbook
         report_path = output_dir + os.path.sep + "%s-ConversionStatus.xlsx" % \
@@ -1386,3 +1387,14 @@ def remove_dup_of(self,avi_config):
         self.remove_dup_key(avi_config["PKIProfile"])
         self.remove_dup_key(avi_config["ApplicationPersistenceProfile"])
         self.remove_dup_key(avi_config["HealthMonitor"])
+
+    def get_supported_n_unsupported_ciphers_dict(self):
+        cipher_dict_path=os.getcwd()+"/ciphers_dict.json"
+        sup_ciphers=[]
+        unsup_ciphers=[]
+        if os.path.exists(cipher_dict_path):
+            with open(cipher_dict_path) as ci_path:
+                ci_dict=json.load(ci_path)
+                sup_ciphers=ci_dict.get("supported_ciphers_in_nsxt")
+                unsup_ciphers=ci_dict.get("openssl_unsupported_ciphers")
+        return sup_ciphers,unsup_ciphers
diff --git a/python/avi/migrationtools/nsxt_converter/nsxt_config_converter.py b/python/avi/migrationtools/nsxt_converter/nsxt_config_converter.py
@@ -106,11 +106,11 @@ def convert(nsx_lb_config, input_path, output_path, tenant, prefix,
     try:
          conv_utils.add_complete_conv_status(
              output_path, avi_config_dict, "nsxt-report", vs_level_status)
-     except Exception as e:
-         msg = "Error in writing excel sheet for converted configuration."
-         LOG.error(msg)
-         print("\033[91m" + msg + " Message: ", str(e) + "\033[0m")
-         sys.exit(1)
+    except Exception as e:
+        msg = "Error in writing excel sheet for converted configuration."
+        LOG.error(msg)
+        print("\033[91m" + msg + " Message: ", str(e) + "\033[0m")
+        sys.exit(1)
 
     for key in avi_config_dict:
         if key != 'META':

diff --git a/python/avi/migrationtools/nsxt_converter/nsxt_util.py b/python/avi/migrationtools/nsxt_converter/nsxt_util.py
@@ -125,10 +125,11 @@ def get_object_segments(vs_id, obj_ip):
     if not vs:
         LOG.debug("virtual service not found with id %s " % vs_id)
         return None
-    cloud = vs.get("cloud")
+    cloud = vs.get("Cloud")
+
     if cloud == "Cloud Not Found":
         LOG.debug("cloud is not configured for vs %s " % vs_id)
-        return None
+       # return None
 
     segments = []
     if vs.get("Segments"):
@@ -145,13 +146,14 @@ def get_object_segments(vs_id, obj_ip):
                         seg_name=seg_name,
                         subnets=subnet))
     else:
-        LOG.debug("segmnets are not configured  for vs %s " % vs_id )
+        LOG.debug("segmnets are not configured  for vs %s with  loadbalancer %s  " % (vs_id , vs.get("lb_name")))
         return None
 
     if segments:
         LOG.debug("segments found for vs %s with attached pool server ip %s are %s" %(vs_id,obj_ip,segments))
         return segments
 
+    LOG.debug("Member ip %s not falling in segment range  %s " % (obj_ip,vs.get("Segments")))
     return None
 
 
@@ -542,13 +544,13 @@ def get_lb_services_details(self):
 
             else:
                 segment_list = self.nsx_api_client.infra.Segments.list().to_dict().get('results', [])
-
                 is_tier_linked_segment_found = False
 
                 for seg in segment_list:
                     if seg.get("connectivity_path"):
                         gateway_name = get_name_and_entity(seg["connectivity_path"])[-1]
                         if gateway_name == tier:
+                            is_tier_linked_segment_found=True
                             tz_path = seg.get("transport_zone_path")
                             tz_id = get_name_and_entity(tz_path)[-1]
                             dhcp_present = False
@@ -582,20 +584,22 @@ def get_lb_services_details(self):
                                     "subnet": subnets}
                                 lb_details.append(segments)
 
+                if not is_tier_linked_segment_found:
+                    lb_skip_reason = "Skipping because NSX Load Balancer has no segments "\
+                                           "or service interfaces configured"
+                    self.lb_services[lb["id"]] = {
+                         "lb_name": lb["id"],
+                         "lb_skip_reason": lb_skip_reason
+                     }
+                    LOG.debug("Lb skipped : %s reason %s" %(lb["id"],lb_skip_reason))
+                    continue
+
             if not is_cloud_configured:
 
                 warning_mesg="cloud is not configured for load balancer %s with id %s " % (lb["display_name"],lb["id"])
                 LOG.debug(warning_mesg)
-                lb_details=[]
 
 
-                if not is_tier_linked_segment_found:
-                     self.lb_services[lb["id"]] = {
-                         "lb_name": lb["id"],
-                         "lb_skip_reason": "Skipping because NSX Load Balancer has no segments "
-                                           "or service interfaces configured"
-                     }
-                     continue
             self.lb_services[lb["id"]] = {
                 "lb_name": lb["id"],
                 "Network": network,

diff --git a/python/avi/migrationtools/nsxt_converter/pools_converter.py b/python/avi/migrationtools/nsxt_converter/pools_converter.py
@@ -501,6 +501,8 @@ def check_pool_member_ip_ranges(self, vs_list, pool_count, lb_list, pool_members
         is_member_ip_in_range=False
         for member in pool_members_list:
             for vs_id in vs_list:
+                LOG.debug("Checking pool member ip  %s falling in range or not  , pool %s attached with vip %s " % (member.get("ip_address"),
+                                                                                                                pool_name,vs_id))
                 if vs_id in pool_segment_list.keys():
                     pool_skip = False
                     is_member_ip_in_range=True
@@ -511,6 +513,7 @@ def check_pool_member_ip_ranges(self, vs_list, pool_count, lb_list, pool_members
                     continue
                 pool_segment = get_object_segments(vs_id,
                                                    member.get("ip_address"))
+
                 if pool_segment:
                     pool_skip = False
                     is_member_ip_in_range = True

diff --git a/python/avi/migrationtools/nsxt_converter/ssl_profile_converter.py b/python/avi/migrationtools/nsxt_converter/ssl_profile_converter.py
@@ -3,12 +3,14 @@
 
 import logging
 import os
-
+import json
 from avi.migrationtools.avi_migration_utils import update_count, MigrationUtil
 from avi.migrationtools.nsxt_converter.conversion_util import NsxtConvUtil
 import avi.migrationtools.nsxt_converter.converter_constants as final
 import avi.migrationtools.nsxt_converter.converter_constants as conv_const
 
+
+
 LOG = logging.getLogger(__name__)
 
 conv_utils = NsxtConvUtil()
@@ -31,6 +33,7 @@ def __init__(self, nsxt_profile_attributes, object_merge_check, merge_object_map
         self.merge_object_mapping = merge_object_mapping
         self.sys_dict = sys_dict
         self.ssl_profile_count = 0
+        self.sup_ciphers,self.unsup_ciphers=conv_utils.get_supported_n_unsupported_ciphers_dict()
 
     def convert(self, alb_config, nsx_lb_config, prefix, tenant):
         alb_config["SSLProfile"] = []
@@ -77,7 +80,7 @@ def convert(self, alb_config, nsx_lb_config, prefix, tenant):
                         alb_ssl['ssl_session_timeout'] = lb_ssl['session_cache_timeout']
 
                     if lb_ssl.get("ciphers"):
-                        converted_ciphers = self.convert_ciphers_to_valid_format(":".join(lb_ssl['ciphers']))
+                        converted_ciphers,unsup_cipher_from_cipher_str = self.convert_ciphers(":".join(lb_ssl['ciphers']))
                         alb_ssl['accepted_ciphers'] = converted_ciphers
 
                     if lb_ssl.get("protocols"):
@@ -103,9 +106,11 @@ def convert(self, alb_config, nsx_lb_config, prefix, tenant):
                         id=lb_ssl["id"],
                         name=name,
                         resource_type=lb_ssl['resource_type'],
-                        alb_ssl=alb_ssl
+                        alb_ssl=alb_ssl,
+                        unsup_cipher=unsup_cipher_from_cipher_str
 
                     )
+
                     converted_alb_ssl.append(val)
 
                     msg = "SSLProfile conversion started..."
@@ -133,14 +138,19 @@ def convert(self, alb_config, nsx_lb_config, prefix, tenant):
                 ssl_id = converted_alb_ssl[index]['id']
                 alb_mig_ssl = converted_alb_ssl[index]['alb_ssl']
                 resource_type = converted_alb_ssl[index]['resource_type']
+                unsup_ciphers=converted_alb_ssl[index]["unsup_cipher"]
+                if conv_status["status"]=="SUCCESSFUL" and unsup_ciphers:
+                    conv_status["status"]="SUCCESSFUL WITH UNSUPPORTED CIPHERS"
+                if unsup_ciphers:
+                    unsup_ciphers={'Unsupported ciphers':unsup_ciphers}
                 if self.object_merge_check:
                     alb_mig_ssl = [pp for pp in alb_config['SSLProfile'] if
                                    pp.get('name') == self.merge_object_mapping['ssl_profile'].get(name)]
                     conv_utils.add_conv_status('sslprofile', resource_type, name, conv_status,
-                                               [{'ssl_profile': alb_mig_ssl[0]}])
+                                               [{'ssl_profile': alb_mig_ssl[0]}],unsup_ciphers)
                 else:
                     conv_utils.add_conv_status('sslprofile', resource_type, name, conv_status,
-                                               [{'ssl_profile': alb_mig_ssl}])
+                                               [{'ssl_profile': alb_mig_ssl}],unsup_ciphers)
                 if len(conv_status['skipped']) > 0:
                     LOG.debug(
                         '[SSL-PROFILE] Skipped Attribute {}:{}'.format(name,
@@ -181,7 +191,7 @@ def convert(self, alb_config, nsx_lb_config, prefix, tenant):
                     )
                     ssl_profile_list[lb_ssl['id']] = name
                     if lb_ssl.get("ciphers"):
-                        converted_ciphers = self.convert_ciphers_to_valid_format(":".join(lb_ssl['ciphers']))
+                        converted_ciphers,unsup_cipher_from_cipher_str = self.convert_ciphers(":".join(lb_ssl['ciphers']))
                         alb_ssl['accepted_ciphers'] = converted_ciphers
 
                     if lb_ssl.get("protocols"):
@@ -205,9 +215,11 @@ def convert(self, alb_config, nsx_lb_config, prefix, tenant):
                         id=lb_ssl["id"],
                         name=name,
                         resource_type=lb_ssl['resource_type'],
-                        alb_ssl=alb_ssl
+                        alb_ssl=alb_ssl,
+                        unsup_cipher=unsup_cipher_from_cipher_str
 
                     )
+
                     converted_alb_ssl.append(val)
 
                     msg = "SSLProfile conversion started..."
@@ -235,14 +247,19 @@ def convert(self, alb_config, nsx_lb_config, prefix, tenant):
                 ssl_id = converted_alb_ssl[index]['id']
                 alb_mig_ssl = converted_alb_ssl[index]['alb_ssl']
                 resource_type = converted_alb_ssl[index]['resource_type']
+                unsup_ciphers=converted_alb_ssl[index]["unsup_cipher"]
+                if conv_status["status"]=="SUCCESSFUL" and unsup_ciphers:
+                    conv_status["status"]="SUCCESSFUL WITH UNSUPPORTED CIPHERS"
+                if unsup_ciphers:
+                    unsup_ciphers={'Unsupported ciphers':unsup_ciphers}
                 if self.object_merge_check:
                     alb_mig_ssl = [pp for pp in alb_config['SSLProfile'] if
                                    pp.get('name') == self.merge_object_mapping['ssl_profile'].get(name)]
                     conv_utils.add_conv_status('sslprofile', resource_type, name, conv_status,
-                                               [{'ssl_profile': alb_mig_ssl[0]}])
+                                               [{'ssl_profile': alb_mig_ssl[0]}],unsup_ciphers)
                 else:
                     conv_utils.add_conv_status('sslprofile', resource_type, name, conv_status,
-                                               [{'ssl_profile': alb_mig_ssl}])
+                                               [{'ssl_profile': alb_mig_ssl}],unsup_ciphers)
                 if len(conv_status['skipped']) > 0:
                     LOG.debug(
                         '[SSL-PROFILE] Skipped Attribute {}:{}'.format(name,
@@ -265,9 +282,20 @@ def convert_protocols(self, protocols, alb_ssl):
             )
             alb_ssl['accepted_versions'].append(acc_version)
 
-    def convert_ciphers_to_valid_format(self, cipher_str):
+    def convert_ciphers(self, cipher_str):
+        '''
+        This method will remove all the unsupported ciphers from cipher string
+        e.g cipher_str := TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        '''
+        cipher_str = cipher_str.replace('TLS_RSA_', '')
         cipher_str = cipher_str.replace('TLS_', '')
+        cipher_str=cipher_str.replace('CBC_','')
         cipher_str = cipher_str.replace('_', '-')
         cipher_str = cipher_str.replace('WITH-AES-128', 'AES128')
         cipher_str = cipher_str.replace('WITH-AES-256', 'AES256')
-        return cipher_str
+        unsup_cipher_from_cipher_str=[cipher for cipher in cipher_str.split(":") if cipher in  self.unsup_ciphers]
+        sup_cipher= [cipher for cipher in cipher_str.split(":") if cipher not in unsup_cipher_from_cipher_str]
+        sup_cipher_str=":".join(sup_cipher)
+        return sup_cipher_str,unsup_cipher_from_cipher_str
+
+