
Commit 761894d

liuh-80mssonicbld
authored andcommitted
Add gnmi client cname authorize test case (sonic-net#13133)
Add gnmi client cname authorize test case #### Why I did it GNMI added a client-certificate common-name (CN) validation feature; this test case protects that feature. ### How I did it Create a certificate with a CN and verify that the GNMI service accepts or rejects it according to the configured client-certificate CN. #### How to verify it All test cases pass. ### Description for the changelog Add gnmi client cname authorize test case.
1 parent c2c5a46 commit 761894d

2 files changed

Lines changed: 61 additions & 1 deletion


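--- a/tests/gnmi/helper.py
+++ b/tests/gnmi/helper.py
@@ -55,6 +55,15 @@ def verify_tcp_port(localhost, ip, port):
 logger.info("TCP: " + res['stdout'] + res['stderr'])
 
 
+def add_gnmi_client_common_name(duthost, cname):
+duthost.shell('sudo sonic-db-cli CONFIG_DB hset "GNMI_CLIENT_CERT|{}" "role" "role1"'.format(cname),
+module_ignore_errors=True)
+
+
+def del_gnmi_client_common_name(duthost, cname):
+duthost.shell('sudo sonic-db-cli CONFIG_DB del "GNMI_CLIENT_CERT|{}"'.format(cname), module_ignore_errors=True)
+
+
 def apply_cert_config(duthost):
 env = GNMIEnvironment(duthost, GNMIEnvironment.GNMI_MODE)
 # Stop all running program
@@ -74,8 +83,14 @@ def apply_cert_config(duthost):
 dut_command = "docker exec %s bash -c " % env.gnmi_container
 dut_command += "\"/usr/bin/nohup /usr/sbin/%s -logtostderr --port %s " % (env.gnmi_process, env.gnmi_port)
 dut_command += "--server_crt /etc/sonic/telemetry/gnmiserver.crt --server_key /etc/sonic/telemetry/gnmiserver.key "
+dut_command += "--config_table_name GNMI_CLIENT_CERT "
+dut_command += "--client_auth cert "
 dut_command += "--ca_crt /etc/sonic/telemetry/gnmiCA.pem -gnmi_native_write=true -v=10 >/root/gnmi.log 2>&1 &\""
 duthost.shell(dut_command)
+
+# Setup gnmi client cert common name
+add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic")
+
 time.sleep(GNMI_SERVER_START_WAIT_TIME)
 dut_command = "sudo netstat -nap | grep %d" % env.gnmi_port
 output = duthost.shell(dut_command, module_ignore_errors=True)
@@ -101,6 +116,9 @@ def recover_cert_config(duthost):
 'systemctl restart %s' % (env.gnmi_container)
 ]
 duthost.shell_cmds(cmds=cmds)
+
+# Remove gnmi client cert common name
+del_gnmi_client_common_name(duthost, "test.client.gnmi.sonic")
 assert wait_until(60, 3, 0, check_gnmi_status, duthost), "GNMI service failed to start"
 
 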
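Review bot: `add_gnmi_client_common_name` runs its CONFIG_DB hset with `module_ignore_errors=True`, so a failed write is swallowed and apply_cert_config then starts the server with `--client_auth cert` against an empty GNMI_CLIENT_CERT allow-list; every later gnmi_set would fail with Unauthenticated and the root cause would be hard to trace. Drop the flag or check the result, e.g. `res = duthost.shell(...)` followed by `assert res['rc'] == 0, res['stderr']`, keeping the flag only on the delete helper where a missing key is acceptable. The CN "test.client.gnmi.sonic" and the role value "role1" are repeated as literals here and again in test_gnmi.py; a module constant such as `GNMI_CLIENT_CNAME = "test.client.gnmi.sonic"` keeps the allow-list entry and the client certificate generation in sync. Whether the server enforces anything based on the role value is not visible in this diff, so a one-line comment on add_gnmi_client_common_name stating what "role1" is expected to grant would help the next reader. apply_cert_config and recover_cert_config both extend beyond the hunks shown.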
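--- a/tests/gnmi/test_gnmi.py
+++ b/tests/gnmi/test_gnmi.py
@@ -1,7 +1,7 @@
 import pytest
 import logging
 
-from .helper import gnmi_capabilities
+from .helper import gnmi_capabilities, gnmi_set, add_gnmi_client_common_name, del_gnmi_client_common_name
 
 logger = logging.getLogger(__name__)
 
@@ -20,3 +20,45 @@ def test_gnmi_capabilities(duthosts, rand_one_dut_hostname, localhost):
 assert ret == 0, msg
 assert "sonic-db" in msg, msg
 assert "JSON_IETF" in msg, msg
+
+
+@pytest.fixture(scope="function")
+def setup_invalid_client_cert_cname(duthosts, rand_one_dut_hostname):
+duthost = duthosts[rand_one_dut_hostname]
+del_gnmi_client_common_name(duthost, "test.client.gnmi.sonic")
+add_gnmi_client_common_name(duthost, "invalid.cname")
+
+keys = duthost.shell('sudo sonic-db-cli CONFIG_DB keys GNMI*')["stdout_lines"]
+logger.debug("GNMI client cert keys: {}".format(keys))
+
+yield
+
+del_gnmi_client_common_name(duthost, "invalid.cname")
+add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic")
+
+
+def test_gnmi_authorize_failed_with_invalid_cname(duthosts,
+rand_one_dut_hostname,
+ptfhost,
+setup_invalid_client_cert_cname):
+'''
+Verify GNMI native write, incremental config for configDB
+GNMI set request with invalid path
+'''
+duthost = duthosts[rand_one_dut_hostname]
+
+file_name = "vnet.txt"
+text = "{\"Vnet1\": {\"vni\": \"1000\", \"guid\": \"559c6ce8-26ab-4193-b946-ccc6e8f930b2\"}}"
+with open(file_name, 'w') as file:
+file.write(text)
+ptfhost.copy(src=file_name, dest='/root')
+# Add DASH_VNET_TABLE
+update_list = ["/sonic-db:APPL_DB/localhost/DASH_VNET_TABLE:@/root/%s" % (file_name)]
+msg = ""
+try:
+gnmi_set(duthost, ptfhost, [], update_list, [])
+except Exception as e:
+logger.info("Failed to set: " + str(e))
+msg = str(e)
+
+assert "Unauthenticated" in msg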
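Review bot: The docstring of test_gnmi_authorize_failed_with_invalid_cname is copied from another test ("incremental config for configDB", "invalid path") and does not describe what is checked; replace it with `'''Verify the GNMI server rejects a client certificate whose CN is not listed in GNMI_CLIENT_CERT (Unauthenticated).'''`. The closing `assert "Unauthenticated" in msg` should carry `msg` as its failure message, so that a silently accepted set (msg left as "") reports what happened instead of a bare AssertionError, and the `except Exception` could be narrowed to whatever gnmi_set raises if that type is known. The fixture swaps the allow-list entry in CONFIG_DB without restarting the gnmi process, so the test implicitly relies on the server re-reading GNMI_CLIENT_CERT per request; if that is not guaranteed, a stale table rather than the "invalid.cname" entry could be what produces the rejection, and a comment stating this assumption would help. The suite would also be stronger with the mirror-image positive case, the same gnmi_set succeeding once "test.client.gnmi.sonic" is restored, since a server that rejects every client certificate would pass this test as written.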
