diff --git a/tests/common/plugins/conditional_mark/tests_mark_conditions.yaml b/tests/common/plugins/conditional_mark/tests_mark_conditions.yaml
index 366db52995..61c019f942 100644
--- a/tests/common/plugins/conditional_mark/tests_mark_conditions.yaml
+++ b/tests/common/plugins/conditional_mark/tests_mark_conditions.yaml
@@ -1126,6 +1126,10 @@ gnmi/test_gnmi_configdb.py::test_gnmi_configdb_full_01:
 conditions:
 - "https://github.com/sonic-net/sonic-mgmt/issues/17436"
+gnmi/test_gnoi_killprocess.py::test_gnoi_killprocess_restart:
+ skip:
+ reason: "Test noisy due to restart issue not relevant to GNOI. Disabling them to rewrite."
+
 gnmi/test_gnoi_killprocess.py::test_gnoi_killprocess_then_restart:
 skip:
 reason: "Test noisy due to restart issue not relevant to GNOI. Disabling them to rewrite."
diff --git a/tests/gnmi/helper.py b/tests/gnmi/helper.py
index 3bfde6ae53..a2d3fa1272 100644
--- a/tests/gnmi/helper.py
+++ b/tests/gnmi/helper.py
@@ -65,9 +65,9 @@ def verify_tcp_port(localhost, ip, port):
 logger.info("TCP: " + res['stdout'] + res['stderr'])
-def add_gnmi_client_common_name(duthost, cname):
- duthost.shell('sudo sonic-db-cli CONFIG_DB hset "GNMI_CLIENT_CERT|{}" "role" "role1"'.format(cname),
- module_ignore_errors=True)
+def add_gnmi_client_common_name(duthost, cname, role="gnmi_readwrite"):
+ command = 'sudo sonic-db-cli CONFIG_DB hset "GNMI_CLIENT_CERT|{}" "role@" "{}"'.format(cname, role)
+ duthost.shell(command, module_ignore_errors=True)
 def del_gnmi_client_common_name(duthost, cname):
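Review bot: `add_gnmi_client_common_name` in tests/gnmi/helper.py still writes the role with `module_ignore_errors=True`, so a failed `hset` is silent and the authorization tests added in this commit would then run against whatever role was stored before. Because every role case depends on this write, check the result: `res = duthost.shell(command, module_ignore_errors=True)` then `assert res['rc'] == 0, res['stderr']`. The function also needs a docstring saying that `role` is written to the `role@` field, that callers may pass a comma-separated list, and that the default grants only `gnmi_readwrite`.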
@@ -100,8 +100,9 @@ def apply_cert_config(duthost):
 duthost.shell(dut_command)
 # Setup gnmi client cert common name
- add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic")
- add_gnmi_client_common_name(duthost, "test.client.revoked.gnmi.sonic")
+ role = "gnmi_readwrite,gnmi_config_db_readwrite,gnmi_appl_db_readwrite,gnmi_dpu_appl_db_readwrite,gnoi_readwrite"
+ add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic", role)
+ add_gnmi_client_common_name(duthost, "test.client.revoked.gnmi.sonic", role)
 time.sleep(GNMI_SERVER_START_WAIT_TIME)
 dut_command = "sudo netstat -nap | grep %d" % env.gnmi_port
diff --git a/tests/gnmi/test_gnmi.py b/tests/gnmi/test_gnmi.py
index eaabe42fcb..270b561d47 100644
--- a/tests/gnmi/test_gnmi.py
+++ b/tests/gnmi/test_gnmi.py
@@ -3,8 +3,10 @@
 from .helper import gnmi_capabilities, gnmi_set, add_gnmi_client_common_name, del_gnmi_client_common_name, dump_gnmi_log
 from tests.common.utilities import wait_until
+from tests.common.plugins.allure_wrapper import allure_step_wrapper as allure
 logger = logging.getLogger(__name__)
+allure.logger = logger
 pytestmark = [
 pytest.mark.topology('any'),
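Review bot: In the `apply_cert_config` hunk of tests/gnmi/helper.py, `test.client.revoked.gnmi.sonic` receives the same full read-write role list as the valid client, and nothing says whether that is deliberate. If the revocation test is meant to show that the certificate is rejected by the revocation check and not by authorization, state it next to the call, for example `# revoked CN keeps full roles on purpose: rejection must come from the revocation check, not from role denial`. The long `role` string would also be easier to reuse as a named module-level constant. The body of `apply_cert_config` starts and ends outside this hunk.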
@@ -23,6 +25,47 @@ def test_gnmi_capabilities(duthosts, rand_one_dut_hostname, localhost):
 assert "JSON_IETF" in msg, msg
+def test_gnmi_capabilities_authenticate(duthosts, rand_one_dut_hostname, localhost):
+ '''
+ Verify GNMI capabilities with different roles
+ '''
+ duthost = duthosts[rand_one_dut_hostname]
+
+ with allure.step("Verify GNMI capabilities with noaccess role"):
+ role = "gnmi_noaccess"
+ add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic", role)
+ ret, msg = gnmi_capabilities(duthost, localhost)
+ assert ret != 0, msg
+ assert role in msg, msg
+
+ with allure.step("Verify GNMI capabilities with readonly role"):
+ role = "gnmi_readonly"
+ add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic", role)
+ ret, msg = gnmi_capabilities(duthost, localhost)
+ assert ret == 0, msg
+ assert "sonic-db" in msg, msg
+ assert "JSON_IETF" in msg, msg
+
+ with allure.step("Verify GNMI capabilities with readwrite role"):
+ role = "gnmi_readwrite"
+ add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic", role)
+ ret, msg = gnmi_capabilities(duthost, localhost)
+ assert ret == 0, msg
+ assert "sonic-db" in msg, msg
+ assert "JSON_IETF" in msg, msg
+
+ with allure.step("Verify GNMI capabilities with empty role"):
+ role = ""
+ add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic", role)
+ ret, msg = gnmi_capabilities(duthost, localhost)
+ assert ret == 0, msg
+ assert "sonic-db" in msg, msg
+ assert "JSON_IETF" in msg, msg
+
+ # Restore default role
+ add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic")
+
+
+@pytest.fixture(scope="function")
 def setup_invalid_client_cert_cname(duthosts, rand_one_dut_hostname):
 duthost = duthosts[rand_one_dut_hostname]
diff --git a/tests/gnmi/test_gnmi_configdb.py b/tests/gnmi/test_gnmi_configdb.py
index 8a1f902e14..327e5fb1f7 100644
--- a/tests/gnmi/test_gnmi_configdb.py
+++ b/tests/gnmi/test_gnmi_configdb.py
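Review bot: `test_gnmi_capabilities_authenticate` restores the client role only on its last line, so a failing assertion in any of the four steps leaves `test.client.gnmi.sonic` on the role that step set (possibly `gnmi_noaccess`) for every later test; the restore belongs in a `try`/`finally` or a fixture teardown. The restore also uses the helper default `gnmi_readwrite`, not the five-role list that `apply_cert_config` installs in this same commit, so later ConfigDB and gNOI tests may run with narrower permissions than the setup intended. The three new tests in tests/gnmi/test_gnmi_configdb.py end the same way. The empty-role step asserts that a client with no role still succeeds, and a comment such as `# empty role: reads are allowed by default, by design` would record that this fail-open behaviour is intended.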
@@ -8,12 +8,15 @@
 from .helper import gnmi_set, gnmi_get, gnoi_reboot
 from .helper import gnmi_subscribe_polling
 from .helper import gnmi_subscribe_streaming_sample, gnmi_subscribe_streaming_onchange
+from .helper import add_gnmi_client_common_name
 from tests.common.helpers.assertions import pytest_assert
 from tests.common.utilities import wait_until
 from tests.common.platform.processes_utils import wait_critical_processes
 from tests.common.platform.interface_utils import check_interface_status_of_up_ports
+from tests.common.plugins.allure_wrapper import allure_step_wrapper as allure
 logger = logging.getLogger(__name__)
+allure.logger = logger
 pytestmark = [
 pytest.mark.topology('any'),
@@ -304,3 +307,142 @@ def test_gnmi_configdb_full_01(duthosts, rand_one_dut_hostname, ptfhost):
 duthost.shell("config interface startup %s" % interface)
 # Wait for BGP neighbor to be up
 wait_bgp_neighbor(duthost)
+
+
+def test_gnmi_configdb_set_authenticate(duthosts, rand_one_dut_hostname, ptfhost):
+ '''
+ Verify GNMI native write with authentication
+ '''
+ duthost = duthosts[rand_one_dut_hostname]
+ file_name = "cloud.txt"
+ text = "\"Public\""
+ with open(file_name, 'w') as file:
+ file.write(text)
+ ptfhost.copy(src=file_name, dest='/root')
+ update_list = ["/sonic-db:CONFIG_DB/localhost/DEVICE_METADATA/localhost/cloudtype:@/root/%s" % (file_name)]
+
+ with allure.step("Verify GNMI set with noaccess role"):
+ role = "gnmi_config_db_noaccess"
+ add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic", role)
+ try:
+ gnmi_set(duthost, ptfhost, [], update_list, [])
+ except Exception as e:
+ logger.info("Failed to set: " + str(e))
+ assert role in str(e), str(e)
+
+ with allure.step("Verify GNMI set with readwrite role"):
+ role = "gnmi_config_db_readwrite"
+ add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic", role)
+ try:
+ gnmi_set(duthost, ptfhost, [], update_list, [])
+ except Exception as e:
+ logger.info("Failed to set: " + str(e))
+ pytest.fail("Set request failed: " + str(e))
+
+ with allure.step("Verify GNMI set with readonly role"):
+ role = "gnmi_config_db_readonly"
+ add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic", role)
+ try:
+ gnmi_set(duthost, ptfhost, [], update_list, [])
+ except Exception as e:
+ logger.info("Failed to set: " + str(e))
+ assert role in str(e), str(e)
+
+ with allure.step("Verify GNMI set with empty role"):
+ role = ""
+ add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic", role)
+ try:
+ gnmi_set(duthost, ptfhost, [], update_list, [])
+ except Exception as e:
+ logger.info("Failed to set: " + str(e))
+ assert "write access" in str(e), str(e)
+
+ # Restore default role
+ add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic")
+
+
+def test_gnmi_configdb_get_authenticate(duthosts, rand_one_dut_hostname, ptfhost):
+ '''
+ Verify GNMI native read with authentication
+ '''
+ duthost = duthosts[rand_one_dut_hostname]
+ path_list = ["/sonic-db:CONFIG_DB/localhost/DEVICE_METADATA/localhost"]
+
+ with allure.step("Verify GNMI get with noaccess role"):
+ role = "gnmi_config_db_noaccess"
+ add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic", role)
+ try:
+ gnmi_get(duthost, ptfhost, path_list)
+ except Exception as e:
+ logger.info("Failed to get: " + str(e))
+ assert role in str(e), str(e)
+
+ with allure.step("Verify GNMI get with readwrite role"):
+ role = "gnmi_config_db_readwrite"
+ add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic", role)
+ try:
+ gnmi_get(duthost, ptfhost, path_list)
+ except Exception as e:
+ logger.info("Failed to get: " + str(e))
+ pytest.fail("Get request failed: " + str(e))
+
+ with allure.step("Verify GNMI get with readonly role"):
+ role = "gnmi_config_db_readonly"
+ add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic", role)
+ try:
+ gnmi_get(duthost, ptfhost, path_list)
+ except Exception as e:
+ logger.info("Failed to get: " + str(e))
+ pytest.fail("Get request failed: " + str(e))
+
+ with allure.step("Verify GNMI get with empty role"):
+ role = ""
+ add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic", role)
+ try:
+ gnmi_get(duthost, ptfhost, path_list)
+ except Exception as e:
+ logger.info("Failed to get: " + str(e))
+ pytest.fail("Get request failed: " + str(e))
+
+ # Restore default role
+ add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic")
+
+
+def test_gnmi_configdb_subscribe_authenticate(duthosts, rand_one_dut_hostname, ptfhost):
+ '''
+ Verify GNMI native read with authentication
+ '''
+ duthost = duthosts[rand_one_dut_hostname]
+ path_list = ["/sonic-db:CONFIG_DB/localhost/DEVICE_METADATA/localhost"]
+
+ with allure.step("Verify GNMI subscribe with noaccess role"):
+ role = "gnmi_config_db_noaccess"
+ add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic", role)
+ output, _ = gnmi_subscribe_streaming_sample(duthost, ptfhost, path_list, 0, 1)
+ logger.info("GNMI subscribe output: " + output)
+ assert "GRPC error" in output, output
+ assert role in output, output
+
+ with allure.step("Verify GNMI subscribe with readwrite role"):
+ role = "gnmi_config_db_readwrite"
+ add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic", role)
+ output, _ = gnmi_subscribe_streaming_sample(duthost, ptfhost, path_list, 0, 1)
+ assert "GRPC error" not in output, output
+ assert "cloudtype" in output, output
+
+ with allure.step("Verify GNMI subscribe with readonly role"):
+ role = "gnmi_config_db_readonly"
+ add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic", role)
+ output, _ = gnmi_subscribe_streaming_sample(duthost, ptfhost, path_list, 0, 1)
+ assert "GRPC error" not in output, output
+ assert "cloudtype" in output, output
+
+ with allure.step("Verify GNMI subscribe with empty role"):
+ role = ""
+ add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic", role)
+ output, _ = gnmi_subscribe_streaming_sample(duthost, ptfhost, path_list, 0, 1)
+ assert "GRPC error" not in output, output
+ assert "cloudtype" in output, output
+
+ # Restore default role
+ add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic")
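Review bot: The denial steps in `test_gnmi_configdb_set_authenticate` (noaccess, readonly, empty role) and the noaccess step in `test_gnmi_configdb_get_authenticate` assert only inside `except Exception`, so when the server wrongly allows the request no exception is raised and the step passes. An authorization test has to fail when access is granted, and `pytest.raises` makes the expected rejection mandatory, as sketched below for the first step. Separately, `cloud.txt` is written to the working directory and never removed. `test_gnmi_configdb_subscribe_authenticate` repeats the get test's docstring ("native read") and should describe subscribe.

```python
    with allure.step("Verify GNMI set with noaccess role"):
        # ... unchanged: role assignment and add_gnmi_client_common_name call ...
        # The request must be rejected; a silent success now fails the step.
        with pytest.raises(Exception) as excinfo:
            gnmi_set(duthost, ptfhost, [], update_list, [])
        logger.info("Failed to set: " + str(excinfo.value))
        assert role in str(excinfo.value), str(excinfo.value)
    # ... unchanged: readwrite step; the readonly and empty-role steps take the same form ...
```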