Add gnmi client cname authorize test case (sonic-net#13133)

liuh-80 · mssonicbld · commit 761894d9c055 · 2024-11-21T17:28:12.000Z
Add gnmi client cname authorize test case 

#### Why I did it
GNMI add client cert cname validation feature, to protect this feature, add this test case.

### How I did it
Create cert with cname and validate GNMI service can accept/reject cert with cert cname config.

#### How to verify it
Pass all test case.

### Description for the changelog
Add gnmi client cname authorize test case.
diff --git a/tests/gnmi/helper.py b/tests/gnmi/helper.py
@@ -55,6 +55,15 @@ def verify_tcp_port(localhost, ip, port):
     logger.info("TCP: " + res['stdout'] + res['stderr'])
 
 
+def add_gnmi_client_common_name(duthost, cname):
+    duthost.shell('sudo sonic-db-cli CONFIG_DB hset "GNMI_CLIENT_CERT|{}" "role" "role1"'.format(cname),
+                  module_ignore_errors=True)
+
+
+def del_gnmi_client_common_name(duthost, cname):
+    duthost.shell('sudo sonic-db-cli CONFIG_DB del "GNMI_CLIENT_CERT|{}"'.format(cname), module_ignore_errors=True)
+
+
 def apply_cert_config(duthost):
     env = GNMIEnvironment(duthost, GNMIEnvironment.GNMI_MODE)
     # Stop all running program
@@ -74,8 +83,14 @@ def apply_cert_config(duthost):
     dut_command = "docker exec %s bash -c " % env.gnmi_container
     dut_command += "\"/usr/bin/nohup /usr/sbin/%s -logtostderr --port %s " % (env.gnmi_process, env.gnmi_port)
     dut_command += "--server_crt /etc/sonic/telemetry/gnmiserver.crt --server_key /etc/sonic/telemetry/gnmiserver.key "
+    dut_command += "--config_table_name GNMI_CLIENT_CERT "
+    dut_command += "--client_auth cert "
     dut_command += "--ca_crt /etc/sonic/telemetry/gnmiCA.pem -gnmi_native_write=true -v=10 >/root/gnmi.log 2>&1 &\""
     duthost.shell(dut_command)
+
+    # Setup gnmi client cert common name
+    add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic")
+
     time.sleep(GNMI_SERVER_START_WAIT_TIME)
     dut_command = "sudo netstat -nap | grep %d" % env.gnmi_port
     output = duthost.shell(dut_command, module_ignore_errors=True)
@@ -101,6 +116,9 @@ def recover_cert_config(duthost):
         'systemctl restart %s' % (env.gnmi_container)
     ]
     duthost.shell_cmds(cmds=cmds)
+
+    # Remove gnmi client cert common name
+    del_gnmi_client_common_name(duthost, "test.client.gnmi.sonic")
     assert wait_until(60, 3, 0, check_gnmi_status, duthost), "GNMI service failed to start"
 
 
diff --git a/tests/gnmi/test_gnmi.py b/tests/gnmi/test_gnmi.py
@@ -1,7 +1,7 @@
 import pytest
 import logging
 
-from .helper import gnmi_capabilities
+from .helper import gnmi_capabilities, gnmi_set, add_gnmi_client_common_name, del_gnmi_client_common_name
 
 logger = logging.getLogger(__name__)
 
@@ -20,3 +20,45 @@ def test_gnmi_capabilities(duthosts, rand_one_dut_hostname, localhost):
     assert ret == 0, msg
     assert "sonic-db" in msg, msg
     assert "JSON_IETF" in msg, msg
+
+
+@pytest.fixture(scope="function")
+def setup_invalid_client_cert_cname(duthosts, rand_one_dut_hostname):
+    duthost = duthosts[rand_one_dut_hostname]
+    del_gnmi_client_common_name(duthost, "test.client.gnmi.sonic")
+    add_gnmi_client_common_name(duthost, "invalid.cname")
+
+    keys = duthost.shell('sudo sonic-db-cli CONFIG_DB keys GNMI*')["stdout_lines"]
+    logger.debug("GNMI client cert keys: {}".format(keys))
+
+    yield
+
+    del_gnmi_client_common_name(duthost, "invalid.cname")
+    add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic")
+
+
+def test_gnmi_authorize_failed_with_invalid_cname(duthosts,
+                                                  rand_one_dut_hostname,
+                                                  ptfhost,
+                                                  setup_invalid_client_cert_cname):
+    '''
+    Verify GNMI native write, incremental config for configDB
+    GNMI set request with invalid path
+    '''
+    duthost = duthosts[rand_one_dut_hostname]
+
+    file_name = "vnet.txt"
+    text = "{\"Vnet1\": {\"vni\": \"1000\", \"guid\": \"559c6ce8-26ab-4193-b946-ccc6e8f930b2\"}}"
+    with open(file_name, 'w') as file:
+        file.write(text)
+    ptfhost.copy(src=file_name, dest='/root')
+    # Add DASH_VNET_TABLE
+    update_list = ["/sonic-db:APPL_DB/localhost/DASH_VNET_TABLE:@/root/%s" % (file_name)]
+    msg = ""
+    try:
+        gnmi_set(duthost, ptfhost, [], update_list, [])
+    except Exception as e:
+        logger.info("Failed to set: " + str(e))
+        msg = str(e)
+
+    assert "Unauthenticated" in msg
