From 6b17a53a235beb7be84c27cf0685f93434c58d5e Mon Sep 17 00:00:00 2001
From: liuh-80
Date: Fri, 8 Nov 2024 05:53:45 +0000
Subject: [PATCH 1/2] Build image for test

---
 .gitmodules | 3 ++-
 src/sonic-gnmi | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.gitmodules b/.gitmodules
index 9013bdb6702..9177c2a38e5 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -105,7 +105,8 @@
 url = https://github.com/sonic-net/sonic-host-services
 [submodule "src/sonic-gnmi"]
 path = src/sonic-gnmi
- url = https://github.com/sonic-net/sonic-gnmi.git
+ url = https://github.com/liuh-80/sonic-gnmi.git
+ branch = dev/liuh/cherry-pick-241-2405
 [submodule "src/sonic-genl-packet"]
 path = src/sonic-genl-packet
 url = https://github.com/sonic-net/sonic-genl-packet
diff --git a/src/sonic-gnmi b/src/sonic-gnmi
index cb0a3798989..0388b1f8d78 160000
--- a/src/sonic-gnmi
+++ b/src/sonic-gnmi
@@ -1 +1 @@
-Subproject commit cb0a37989896ca5ca8779c0530e85dabf805a909
+Subproject commit 0388b1f8d78427726df28f6af747d936731d4ec3

From f13c1e1704ccb5bf878681bd3b354693ad12bb26 Mon Sep 17 00:00:00 2001
From: Hua Liu <58683130+liuh-80@users.noreply.github.com>
Date: Thu, 22 Aug 2024 08:05:45 +0800
Subject: [PATCH 2/2] Add GNMI client cert cname check support. (#18709)

Add GNMI client cert cname list to yang model.

#### Why I did it
Allow gnmi service authentication client cert by cname.

### How I did it
Add GNMI client cert cname list to yang model.

#### How to verify it
Pass all UT.

### Description for the changelog
Add GNMI client cert cname list to yang model.
---
 dockers/docker-sonic-gnmi/gnmi-native.sh | 2 ++
 dockers/docker-sonic-telemetry/telemetry.sh | 3 +++
 .../tests/files/sample_config_db.json | 8 ++++++
 .../tests/yang_model_tests/tests/gnmi.json | 7 +++++
 .../yang_model_tests/tests_config/gnmi.json | 27 +++++++++++++++++++
 .../yang-models/sonic-gnmi.yang | 21 +++++++++++++++
 6 files changed, 68 insertions(+)
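Review bot: The `url` line now points the sonic-gnmi submodule at a personal fork (`https://github.com/liuh-80/sonic-gnmi.git`) on a developer branch, and the subproject hunk below pins commit 0388b1f8d78, which presumably exists only in that fork; an image built from this state pulls code from an account outside the sonic-net organization, and a force-push to that branch or deletion of the fork silently changes or breaks what gets built. The subject says this is a test build, so both hunks should be dropped before merge, or at minimum restored to `url = https://github.com/sonic-net/sonic-gnmi.git` with the submodule pinned to an upstream commit once the cherry-pick has landed there. Note that `branch = dev/liuh/cherry-pick-241-2405` only influences `git submodule update --remote`; an ordinary checkout follows the pinned commit, so the branch line does not add reproducibility and just documents where the fork commit came from.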
diff --git a/dockers/docker-sonic-gnmi/gnmi-native.sh b/dockers/docker-sonic-gnmi/gnmi-native.sh
index d9bab2700e4..e9f15810a22 100755
--- a/dockers/docker-sonic-gnmi/gnmi-native.sh
+++ b/dockers/docker-sonic-gnmi/gnmi-native.sh
@@ -33,6 +33,8 @@ if [ -n "$CERTS" ]; then
 if [ ! -z $CA_CRT ]; then
 TELEMETRY_ARGS+=" --ca_crt $CA_CRT"
 fi
+
+ TELEMETRY_ARGS+=" --config_table_name GNMI_CLIENT_CERT"
 elif [ -n "$X509" ]; then
 SERVER_CRT=$(echo $X509 | jq -r '.server_crt')
 SERVER_KEY=$(echo $X509 | jq -r '.server_key')
diff --git a/dockers/docker-sonic-telemetry/telemetry.sh b/dockers/docker-sonic-telemetry/telemetry.sh
index 061046d2594..d1c9216d419 100755
--- a/dockers/docker-sonic-telemetry/telemetry.sh
+++ b/dockers/docker-sonic-telemetry/telemetry.sh
@@ -34,6 +34,9 @@ if [ -n "$CERTS" ]; then
 if [ ! -z $CA_CRT ]; then
 TELEMETRY_ARGS+=" --ca_crt $CA_CRT"
 fi
+
+ # Reuse GNMI_CLIENT_CERT for telemetry service
+ TELEMETRY_ARGS+=" --config_table_name GNMI_CLIENT_CERT"
 elif [ -n "$X509" ]; then
 SERVER_CRT=$(echo $X509 | jq -r '.server_crt')
 SERVER_KEY=$(echo $X509 | jq -r '.server_key')
diff --git a/src/sonic-yang-models/tests/files/sample_config_db.json b/src/sonic-yang-models/tests/files/sample_config_db.json
index 03ece49efc5..08e759b6cff 100644
--- a/src/sonic-yang-models/tests/files/sample_config_db.json
+++ b/src/sonic-yang-models/tests/files/sample_config_db.json
@@ -1329,6 +1329,14 @@
 "port": "50052"
 }
 },
+ "GNMI_CLIENT_CERT": {
+ "testcert1": {
+ "role": "RW"
+ },
+ "testcert2": {
+ "role": "RO"
+ }
+ },
 "TUNNEL": {
 "MuxTunnel0": {
 "dscp_mode": "uniform",
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/gnmi.json b/src/sonic-yang-models/tests/yang_model_tests/tests/gnmi.json
index 5938290f8a9..10956d2bbf3 100644
--- a/src/sonic-yang-models/tests/yang_model_tests/tests/gnmi.json
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests/gnmi.json
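Review bot: The new `TELEMETRY_ARGS+=" --config_table_name GNMI_CLIENT_CERT"` is appended unconditionally inside the `$CERTS` branch, after the `fi` that closes the `if [ ! -z $CA_CRT ]` guard, so the server is told to authorize clients by certificate CN even when no CA certificate was configured and the client certificate presumably cannot be verified at all. Unless the gnmi server itself refuses that combination, move the line inside the `CA_CRT` block (or abort the script when `CA_CRT` is empty) so a CN-derived role can never be granted on an unverified certificate. The `elif [ -n "$X509" ]` branch does not receive the flag, so whether CN-based roles apply to that configuration depends on the server's default table name, which should be stated in a comment. The sibling telemetry.sh hunk carries an explanatory comment and this one does not; adding `# Authorize clients by the CN of their CA-verified cert; roles come from CONFIG_DB table GNMI_CLIENT_CERT` keeps the two scripts aligned, and note the enclosing if/elif chain continues outside this hunk.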
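Review bot: The comment `# Reuse GNMI_CLIENT_CERT for telemetry service` records the what but not the security consequence: because both services read the same CONFIG_DB table, a CN granted `RW` for gNMI is also `RW` on telemetry, and editing the allowlist for one service changes the other. Make that explicit so an operator does not assume the tables are independent, e.g. `# GNMI_CLIENT_CERT is shared with the gnmi-native service: a CN's role here applies to both`. The flag is also appended after the `fi` that guards `--ca_crt`, so it is passed even when `CA_CRT` is empty; if the server does not reject that combination on its own, the line belongs inside the `CA_CRT` block. The enclosing if/elif block extends beyond the hunk.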
@@ -13,5 +13,12 @@
 },
 "GNMI_TABLE_WITH_VALID_CONFIG": {
 "desc": "TABLE WITH VALID CONFIG."
+ },
+ "GNMI_CLIENT_CERT_LIST_TABLE_WITH_MISSING_ROLE": {
+ "desc": "CLIENT_CERT_LIST_TABLE_WITH_MISSING_ROLE failure.",
+ "eStrKey": "Mandatory"
+ },
+ "GNMI_CLIENT_CERT_LIST_TABLE_WITH_VALID_CONFIG": {
+ "desc": "TABLE WITH VALID CONFIG."
 }
 }
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json
index db121ae3944..ea83bc90d04 100644
--- a/src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json
@@ -62,5 +62,32 @@
 }
 }
 }
+ },
+ "GNMI_CLIENT_CERT_LIST_TABLE_WITH_MISSING_ROLE": {
+ "sonic-gnmi:sonic-gnmi": {
+ "sonic-gnmi:GNMI_CLIENT_CERT": {
+ "GNMI_CLIENT_CERT_LIST": [
+ {
+ "cert_cname": "testcert1"
+ }
+ ]
+ }
+ }
+ },
+ "GNMI_CLIENT_CERT_LIST_TABLE_WITH_VALID_CONFIG": {
+ "sonic-gnmi:sonic-gnmi": {
+ "sonic-gnmi:GNMI_CLIENT_CERT": {
+ "GNMI_CLIENT_CERT_LIST": [
+ {
+ "cert_cname": "testcert1",
+ "role": "RW"
+ },
+ {
+ "cert_cname": "testcert2",
+ "role": "RO"
+ }
+ ]
+ }
+ }
 }
 }
diff --git a/src/sonic-yang-models/yang-models/sonic-gnmi.yang b/src/sonic-yang-models/yang-models/sonic-gnmi.yang
index 1d6b228266b..b27ab84938b 100644
--- a/src/sonic-yang-models/yang-models/sonic-gnmi.yang
+++ b/src/sonic-yang-models/yang-models/sonic-gnmi.yang
@@ -72,7 +72,28 @@ module sonic-gnmi {
 }
 }
+ }
+
+ container GNMI_CLIENT_CERT {
+ description "GNMI client cert list";
+ list GNMI_CLIENT_CERT_LIST {
+ max-elements 8;
+ key "cert_cname";
+
+ leaf cert_cname {
+ type string;
+ description
+ "client cert common name";
+ }
+
+ leaf role {
+ type string;
+ mandatory true;
+ description
+ "role of client cert common name";
+ }
+ }
 }
 }
 }
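Review bot: The two new configs cover only a missing `role` and a two-entry valid list; the model's `max-elements 8` bound and an empty `cert_cname` key are not exercised, so a regression that loosened either limit would still pass UT. Add a `GNMI_CLIENT_CERT_LIST_TABLE_WITH_TOO_MANY_ENTRIES` config holding nine list entries, with a matching negative case and the appropriate `eStrKey` in tests/gnmi.json, and consider a `"cert_cname": ""` case to pin down whether an empty CN is meant to be rejected by the model or left to the server.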
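Review bot: `leaf role` is an unconstrained `type string`, while every consumer visible in this change (sample_config_db.json and both test configs) uses only `RW` and `RO`; if those are the only roles the gnmi server honors, `type enumeration { enum RW; enum RO; }` turns a typo such as `rw` into a config-load error instead of whatever the server does with an unknown role, and for an authorization attribute that should fail closed at the model. The descriptions should also say what is matched against what: the container could read "Clients authorized by the Subject CN of a client certificate that verifies against the configured CA; role is the access level granted to that CN on the gNMI (and telemetry) service", and `cert_cname` could read "Subject CN of the client certificate; presumably compared exactly, confirm against the server" since the matching rule lives in sonic-gnmi, not here. `cert_cname` is the list key with no `length` or `pattern`, so `length "1..255"` would at least reject an empty CN from being a valid authorization entry. The enclosing `module sonic-gnmi` block starts before this hunk.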