Allowing wildcard client cert CNs for restapi. (#25450)

mramezani95 · FengPan-Frank · commit 5abd831b9af2 · 2026-03-06T04:40:06.000Z
Why I did it sonic-net/sonic-restapi#168 and sonic-net/sonic-restapi#175 add support for wildcard CN matching in sonic-gnmi. The pattern for client_crt_cname in restapi's YANG model needs to be updated accordingly (to allow for wildcard CNs). Work item tracking Microsoft ADO (number only): 36744821 How I did it Modified the YANG model pattern for client_crt_cname so that each CN can start with *.. Signed-off-by: Feng Pan <fenpan@microsoft.com>
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/restapi.json b/src/sonic-yang-models/tests/yang_model_tests/tests/restapi.json
@@ -7,10 +7,48 @@
         "desc": "RESTAPI TABLE_WITH_INCORRECT_CLIENT failure.",
         "eStrKey": "Pattern"
     },
-    "RESTAPI_TABLE_WITH_VALID_CONFIG": {
-        "desc": "RESTAPI TABLE WITH VALID CONFIG."
+    "RESTAPI_TABLE_WITH_INCORRECT_WILDCARD_CLIENT_1": {
+        "desc": "RESTAPI TABLE_WITH_INCORRECT_WILDCARD_CLIENT_1 failure.",
+        "eStrKey": "Pattern"
+    },
+    "RESTAPI_TABLE_WITH_INCORRECT_WILDCARD_CLIENT_2": {
+        "desc": "RESTAPI TABLE_WITH_INCORRECT_WILDCARD_CLIENT_2 failure.",
+        "eStrKey": "Pattern"
+    },
+    "RESTAPI_TABLE_WITH_INCORRECT_WILDCARD_CLIENT_3": {
+        "desc": "RESTAPI TABLE_WITH_INCORRECT_WILDCARD_CLIENT_3 failure.",
+        "eStrKey": "Pattern"
+    },
+    "RESTAPI_TABLE_WITH_INCORRECT_WILDCARD_CLIENT_4": {
+        "desc": "RESTAPI TABLE_WITH_INCORRECT_WILDCARD_CLIENT_4 failure.",
+        "eStrKey": "Pattern"
+    },
+    "RESTAPI_TABLE_WITH_INCORRECT_WILDCARD_CLIENT_5": {
+        "desc": "RESTAPI TABLE_WITH_INCORRECT_WILDCARD_CLIENT_5 failure.",
+        "eStrKey": "Pattern"
+    },
+    "RESTAPI_TABLE_WITH_VALID_CONFIG_1": {
+        "desc": "RESTAPI TABLE WITH VALID CONFIG (1)."
+    },
+    "RESTAPI_TABLE_WITH_VALID_CONFIG_2": {
+        "desc": "RESTAPI TABLE WITH VALID CONFIG (2)."
+    },
+    "RESTAPI_TABLE_WITH_VALID_CONFIG_3": {
+        "desc": "RESTAPI TABLE WITH VALID CONFIG (3)."
+    },
+    "RESTAPI_TABLE_WITH_MULTIPLE_CERTS_1": {
+        "desc": "RESTAPI TABLE WITH MULTIPLE CERTS (1)."
+    },
+    "RESTAPI_TABLE_WITH_MULTIPLE_CERTS_2": {
+        "desc": "RESTAPI TABLE WITH MULTIPLE CERTS (2)."
+    },
+    "RESTAPI_TABLE_WITH_MULTIPLE_CERTS_3": {
+        "desc": "RESTAPI TABLE WITH MULTIPLE CERTS (3)."
+    },
+    "RESTAPI_TABLE_WITH_MULTIPLE_CERTS_4": {
+        "desc": "RESTAPI TABLE WITH MULTIPLE CERTS (4)."
     },
-    "RESTAPI_TABLE_WITH_MULTIPLE_CERTS": {
-        "desc": "RESTAPI TABLE WITH MULTIPLE CERTS."
+    "RESTAPI_TABLE_WITH_MULTIPLE_CERTS_5": {
+        "desc": "RESTAPI TABLE WITH MULTIPLE CERTS (5)."
     }
 }
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/restapi.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/restapi.json
@@ -23,7 +23,67 @@
             }
         }
     },
-    "RESTAPI_TABLE_WITH_VALID_CONFIG": {
+    "RESTAPI_TABLE_WITH_INCORRECT_WILDCARD_CLIENT_1": {
+        "sonic-restapi:sonic-restapi": {
+            "sonic-restapi:RESTAPI": {
+                "certs": {
+                    "ca_crt": "/etc/sonic/credentials/ame_root.pem",
+                    "server_crt": "/etc/sonic/credentials/restapiserver.crt",
+                    "server_key": "/etc/sonic/credentials/restapiserver.key",
+                    "client_crt_cname": "*client.sonic.net"
+                }
+            }
+        }
+    },
+    "RESTAPI_TABLE_WITH_INCORRECT_WILDCARD_CLIENT_2": {
+        "sonic-restapi:sonic-restapi": {
+            "sonic-restapi:RESTAPI": {
+                "certs": {
+                    "ca_crt": "/etc/sonic/credentials/ame_root.pem",
+                    "server_crt": "/etc/sonic/credentials/restapiserver.crt",
+                    "server_key": "/etc/sonic/credentials/restapiserver.key",
+                    "client_crt_cname": "*.*.client.sonic.net"
+                }
+            }
+        }
+    },
+    "RESTAPI_TABLE_WITH_INCORRECT_WILDCARD_CLIENT_3": {
+        "sonic-restapi:sonic-restapi": {
+            "sonic-restapi:RESTAPI": {
+                "certs": {
+                    "ca_crt": "/etc/sonic/credentials/ame_root.pem",
+                    "server_crt": "/etc/sonic/credentials/restapiserver.crt",
+                    "server_key": "/etc/sonic/credentials/restapiserver.key",
+                    "client_crt_cname": "client.*.sonic.net"
+                }
+            }
+        }
+    },
+    "RESTAPI_TABLE_WITH_INCORRECT_WILDCARD_CLIENT_4": {
+        "sonic-restapi:sonic-restapi": {
+            "sonic-restapi:RESTAPI": {
+                "certs": {
+                    "ca_crt": "/etc/sonic/credentials/ame_root.pem",
+                    "server_crt": "/etc/sonic/credentials/restapiserver.crt",
+                    "server_key": "/etc/sonic/credentials/restapiserver.key",
+                    "client_crt_cname": "client.sonic.net.*"
+                }
+            }
+        }
+    },
+    "RESTAPI_TABLE_WITH_INCORRECT_WILDCARD_CLIENT_5": {
+        "sonic-restapi:sonic-restapi": {
+            "sonic-restapi:RESTAPI": {
+                "certs": {
+                    "ca_crt": "/etc/sonic/credentials/ame_root.pem",
+                    "server_crt": "/etc/sonic/credentials/restapiserver.crt",
+                    "server_key": "/etc/sonic/credentials/restapiserver.key",
+                    "client_crt_cname": "cli*ent.sonic.net"
+                }
+            }
+        }
+    },
+    "RESTAPI_TABLE_WITH_VALID_CONFIG_1": {
         "sonic-restapi:sonic-restapi": {
             "sonic-restapi:RESTAPI": {
                 "certs": {
@@ -35,7 +95,31 @@
             }
         }
     },
-    "RESTAPI_TABLE_WITH_MULTIPLE_CERTS": {
+    "RESTAPI_TABLE_WITH_VALID_CONFIG_2": {
+        "sonic-restapi:sonic-restapi": {
+            "sonic-restapi:RESTAPI": {
+                "certs": {
+                    "ca_crt": "/etc/sonic/credentials/ame_root.pem",
+                    "server_crt": "/etc/sonic/credentials/restapiserver.crt",
+                    "server_key": "/etc/sonic/credentials/restapiserver.key",
+                    "client_crt_cname": "*.client.sonic.net"
+                }
+            }
+        }
+    },
+    "RESTAPI_TABLE_WITH_VALID_CONFIG_3": {
+        "sonic-restapi:sonic-restapi": {
+            "sonic-restapi:RESTAPI": {
+                "certs": {
+                    "ca_crt": "/etc/sonic/credentials/ame_root.pem",
+                    "server_crt": "/etc/sonic/credentials/restapiserver.crt",
+                    "server_key": "/etc/sonic/credentials/restapiserver.key",
+                    "client_crt_cname": "*.net"
+                }
+            }
+        }
+    },
+    "RESTAPI_TABLE_WITH_MULTIPLE_CERTS_1": {
         "sonic-restapi:sonic-restapi": {
             "sonic-restapi:RESTAPI": {
                 "certs": {
@@ -46,5 +130,53 @@
                 }
             }
         }
+    },
+    "RESTAPI_TABLE_WITH_MULTIPLE_CERTS_2": {
+        "sonic-restapi:sonic-restapi": {
+            "sonic-restapi:RESTAPI": {
+                "certs": {
+                    "ca_crt": "/etc/sonic/credentials/ame_root.pem",
+                    "server_crt": "/etc/sonic/credentials/restapiserver.crt",
+                    "server_key": "/etc/sonic/credentials/restapiserver.key",
+                    "client_crt_cname": "*.client.sonic.net,clientds.prod.net"
+                }
+            }
+        }
+    },
+    "RESTAPI_TABLE_WITH_MULTIPLE_CERTS_3": {
+        "sonic-restapi:sonic-restapi": {
+            "sonic-restapi:RESTAPI": {
+                "certs": {
+                    "ca_crt": "/etc/sonic/credentials/ame_root.pem",
+                    "server_crt": "/etc/sonic/credentials/restapiserver.crt",
+                    "server_key": "/etc/sonic/credentials/restapiserver.key",
+                    "client_crt_cname": "client.sonic.net,*.clientds.prod.net"
+                }
+            }
+        }
+    },
+    "RESTAPI_TABLE_WITH_MULTIPLE_CERTS_4": {
+        "sonic-restapi:sonic-restapi": {
+            "sonic-restapi:RESTAPI": {
+                "certs": {
+                    "ca_crt": "/etc/sonic/credentials/ame_root.pem",
+                    "server_crt": "/etc/sonic/credentials/restapiserver.crt",
+                    "server_key": "/etc/sonic/credentials/restapiserver.key",
+                    "client_crt_cname": "*.client.sonic.net,*.com"
+                }
+            }
+        }
+    },
+    "RESTAPI_TABLE_WITH_MULTIPLE_CERTS_5": {
+        "sonic-restapi:sonic-restapi": {
+            "sonic-restapi:RESTAPI": {
+                "certs": {
+                    "ca_crt": "/etc/sonic/credentials/ame_root.pem",
+                    "server_crt": "/etc/sonic/credentials/restapiserver.crt",
+                    "server_key": "/etc/sonic/credentials/restapiserver.key",
+                    "client_crt_cname": "*.client.sonic.net,test.client.sonic.io,*.com"
+                }
+            }
+        }
     }
 }
diff --git a/src/sonic-yang-models/yang-models/sonic-restapi.yang b/src/sonic-yang-models/yang-models/sonic-restapi.yang
@@ -45,7 +45,7 @@ module sonic-restapi {
 
                 leaf client_crt_cname {
                     type string {
-                        pattern '([a-zA-Z0-9_\-\.]+,)*([a-zA-Z0-9_\-\.]+)';
+                        pattern '((\*\.)?[a-zA-Z0-9_\-\.]+,)*((\*\.)?[a-zA-Z0-9_\-\.]+)';
                     }
                     description "Client cert name.";
                 }

Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ module sonic-restapi {`
`45`	`45`
`46`	`46`	`leaf client_crt_cname {`
`47`	`47`	`type string {`
`48`		`- pattern '([a-zA-Z0-9_\-\.]+,)*([a-zA-Z0-9_\-\.]+)';`
	`48`	`+ pattern '((\\.)?[a-zA-Z0-9_\-\.]+,)((\*\.)?[a-zA-Z0-9_\-\.]+)';`
`49`	`49`	`}`
`50`	`50`	`description "Client cert name.";`
`51`	`51`	`}`