From 1b82d6635f4187d2905906eafe41a881aa183cd0 Mon Sep 17 00:00:00 2001
From: Manoel Benedito Neto
Date: Fri, 19 Apr 2024 17:16:20 -0300
Subject: [PATCH] WIP for IPsec config sm-service
Change-Id: I45f06ad41f3240d4149a688cef130cd7c9ae7019
Signed-off-by: Manoel Benedito Neto
(cherry picked from commit baf23037428879297127ff5c19d92465b2396735)
---
 sysinv/ipsec-auth/debian/deb_folder/rules | 1 +
 sysinv/ipsec-auth/files/ipsec-config | 222 ++++++++++++++++++++++
 2 files changed, 223 insertions(+)
 create mode 100644 sysinv/ipsec-auth/files/ipsec-config
diff --git a/sysinv/ipsec-auth/debian/deb_folder/rules b/sysinv/ipsec-auth/debian/deb_folder/rules
index 7a66deb313..27854cab32 100755
--- a/sysinv/ipsec-auth/debian/deb_folder/rules
+++ b/sysinv/ipsec-auth/debian/deb_folder/rules
@@ -4,6 +4,7 @@ ROOT := $(CURDIR)/debian/tmp
 %:
 dh $@
 override_dh_install:
+ install -m 755 -p -D ipsec-config ${ROOT}/usr/lib/ocf/resource.d/platform/ipsec-config
 install -m 644 -p -D ipsec-server.service ${ROOT}/lib/systemd/system/ipsec-server.service
 install -m 644 -p -D ipsec-auth.syslog ${ROOT}/etc/syslog-ng/conf.d/ipsec-auth.conf
 install -m 644 -p -D ipsec-auth.logrotate ${ROOT}/etc/logrotate.d/ipsec-auth.conf
diff --git a/sysinv/ipsec-auth/files/ipsec-config b/sysinv/ipsec-auth/files/ipsec-config
new file mode 100644
index 0000000000..4a5016d410
--- /dev/null
+++ b/sysinv/ipsec-auth/files/ipsec-config
@@ -0,0 +1,222 @@ +#!/bin/sh +# +# Copyright (c) 2024 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# +# Support: www.windriver.com +# +####################################################################### +# Initialization: + +: ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat} +. ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs + +binname="ipsec-config" +SWANCTL_CONF_FILE=/etc/swanctl/swanctl.conf +SWANCTL_ACTIVE_CONF_FILE=/etc/swanctl/swanctl_active.conf +SWANCTL_STANDBY_CONF_FILE=/etc/swanctl/swanctl_standby.conf + +####################################################################### + +# Fill in some defaults if no values are specified +OCF_RESKEY_binary_default=${binname} +OCF_RESKEY_dbg_default="false" + +: ${OCF_RESKEY_binary=${OCF_RESKEY_binary_default}} +: ${OCF_RESKEY_dbg=${OCF_RESKEY_dbg_default}} + +####################################################################### + +usage() { + cat < + + +1.0 + + +This 'ipsec-config' is an OCF Compliant Resource Agent that performs start, stop +and in-service monitoring of the IPsec Config Process. The main goal of IPsec Config +is to manage different swanctl connections on controller nodes. + + + +Manages the IPsec Config (ipsec-config) process + + + + + + + + + + +END + return ${OCF_SUCCESS} +} + +ipsec_config_status() { + local rc + + rc=$(/usr/bin/readlink $SWANCTL_CONF_FILE) + if [ "$rc" = "$SWANCTL_ACTIVE_CONF_FILE" ]; then + ocf_log info "IPsec Config Service (${OCF_RESKEY_binary}) is active." + return $OCF_SUCCESS + elif [ "$rc" = "$SWANCTL_STANDBY_CONF_FILE" ]; then + ocf_log info "IPsec Config Service (${OCF_RESKEY_binary}) is not running." 
+ return $OCF_NOT_RUNNING + fi + + ocf_log err "IPsec Config Service (${OCF_RESKEY_binary}) is on failure (rc=${rc})" + return $OCF_ERR_GENERIC +} + +update_ipsec_config() { + local action="$1" + + # When the service starts after the controller becomes active, + # symlink the active version of the configuration file to swanctl.conf, + # reload the configuration and terminate existing SAs so that new ones + # obedient to the updated config are created. + # When the service stops after the controller becomes standby, + # symlink the standby version of the configuration file to swanctl.conf, + # reload the configuration and terminate existing SAs so that new ones + # obedient to the updated config are created. + case ${action} in + start) ln -sf $SWANCTL_ACTIVE_CONF_FILE $SWANCTL_CONF_FILE + ;; + stop) ln -sf $SWANCTL_STANDBY_CONF_FILE $SWANCTL_CONF_FILE + ;; + esac + + /usr/sbin/swanctl --load-conns + if [ $? -ne 0 ] ; then + ocf_log err "Failed to load IPsec swanctl configuration" + return $OCF_ERR_GENERIC + fi + + /usr/sbin/swanctl --terminate --ike system-nodes + if [ $? -ne 0 ] ; then + ocf_log warn "Failed to terminate existing IPsec connections" + fi + + return $OCF_SUCCESS +} + +ipsec_config_start () { + local rc + + ipsec_config_status + rc=$? + if [ $rc -eq ${OCF_SUCCESS} ] ; then + return ${OCF_SUCCESS} + elif [ $rc -eq ${OCF_ERR_GENERIC} ] ; then + return ${OCF_ERR_GENERIC} + fi + + update_ipsec_config start + rc=$? + # Record success or failure and return status + if [ $rc -eq $OCF_SUCCESS ] ; then + ocf_log info "IPsec Config Service (${OCF_RESKEY_binary}) started" + else + ocf_log err "IPsec Config Service (${OCF_RESKEY_binary}) failed to start (rc=${rc})" + fi + + return ${rc} +} + +ipsec_config_stop () { + local rc + + ipsec_config_status + rc=$? + if [ $rc -eq ${OCF_NOT_RUNNING} ] ; then + return ${OCF_SUCCESS} + elif [ $rc -eq ${OCF_ERR_GENERIC} ] ; then + return ${OCF_ERR_GENERIC} + fi + + update_ipsec_config stop + rc=$? 
+ if [ $rc -eq $OCF_SUCCESS ] ; then + ocf_log info "IPsec Config Service (${OCF_RESKEY_binary}) stopped" + else + ocf_log err "IPsec Config Service (${OCF_RESKEY_binary}) stopped with an error (rc=${rc})" + fi + + return ${rc} +} + +ipsec_config_monitor () { + local rc + + ipsec_config_status + rc=$? + if [ $rc -eq $OCF_ERR_GENERIC ]; then + return $rc + fi + + floating_ip=$(grep controller-platform-nfs /etc/hosts | awk -F ' ' '{print $1}' | tr -d '\n') + node_addr=$(ip addr | grep "$floating_ip/") + node_conn=$(/usr/sbin/swanctl --list-conns | grep "$floating_ip/") + if [ -n "$node_addr" ] && [ -n "$node_conn" ] || [ -z "$node_addr" ] && [ -z "$node_conn" ] + then + ocf_log info "IPsec Config Service (${OCF_RESKEY_binary}) monitor succeeded" + return $OCF_SUCCESS + fi + + ocf_log err "IPsec Config Service (${OCF_RESKEY_binary}) monitor exited with an error" + return $OCF_ERR_GENERIC + +} + +case ${__OCF_ACTION} in + meta-data) meta_data + exit ${OCF_SUCCESS} + ;; + usage|help) usage + exit ${OCF_SUCCESS} + ;; +esac + +if [ ${OCF_RESKEY_dbg} = "true" ] ; then + ocf_log info "${binname}:${__OCF_ACTION} action" +fi + +case ${__OCF_ACTION} in + + start) ipsec_config_start + ;; + stop) ipsec_config_stop + ;; + status) ipsec_config_status + ;; + monitor) ipsec_config_monitor + ;; + *) usage + exit ${OCF_ERR_UNIMPLEMENTED} + ;; +esac
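Review bot: ipsec_config_status derives the running state from the swanctl.conf symlink target alone, and update_ipsec_config flips that symlink before `swanctl --load-conns` runs, so a failed load leaves the link pointing at the new config while the daemon still holds the previous connections; the next start (or stop) then short-circuits on the `OCF_SUCCESS`/`OCF_NOT_RUNNING` status check and reports success without ever reloading, while monitor keeps returning OCF_SUCCESS. The agent should put the previous target back when the load fails so a retry actually re-applies the configuration, as sketched below. A related gap in ipsec_config_monitor: if the `controller-platform-nfs` lookup in /etc/hosts yields an empty or multi-address `floating_ip`, the two `grep "$floating_ip/"` patterns degrade (an empty value matches any line containing `/`), so the check can pass vacuously; add `[ -n "$floating_ip" ] || return $OCF_ERR_GENERIC` after the lookup and use `grep -F -w -- "$floating_ip/"` so the address is matched literally rather than as a regex.
```sh
update_ipsec_config() {
    local action="$1"
    local previous
    previous=$(/usr/bin/readlink "$SWANCTL_CONF_FILE")

    # … unchanged: comment block and case/ln -sf …

    /usr/sbin/swanctl --load-conns
    if [ $? -ne 0 ] ; then
        ocf_log err "Failed to load IPsec swanctl configuration"
        # Restore the old link so status does not report the new state
        # while the daemon still runs the previous connection set.
        if [ -n "$previous" ] ; then
            ln -sf "$previous" "$SWANCTL_CONF_FILE"
        fi
        return $OCF_ERR_GENERIC
    fi

    # … unchanged: --terminate and return …
}
```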