diff --git a/tests/gnmi/helper.py b/tests/gnmi/helper.py
index e7584b38f4b..f6e056c89b9 100644
--- a/tests/gnmi/helper.py
+++ b/tests/gnmi/helper.py
@@ -55,6 +55,15 @@ def verify_tcp_port(localhost, ip, port):
logger.info("TCP: " + res['stdout'] + res['stderr'])
+def add_gnmi_client_common_name(duthost, cname):
+ duthost.shell('sudo sonic-db-cli CONFIG_DB hset "GNMI_CLIENT_CERT|{}" "role" "role1"'.format(cname),
+ module_ignore_errors=True)
+
+
+def del_gnmi_client_common_name(duthost, cname):
+ duthost.shell('sudo sonic-db-cli CONFIG_DB del "GNMI_CLIENT_CERT|{}"'.format(cname), module_ignore_errors=True)
+
+
def apply_cert_config(duthost):
env = GNMIEnvironment(duthost, GNMIEnvironment.GNMI_MODE)
# Stop all running program
@@ -74,8 +83,14 @@ def apply_cert_config(duthost):
dut_command = "docker exec %s bash -c " % env.gnmi_container
dut_command += "\"/usr/bin/nohup /usr/sbin/%s -logtostderr --port %s " % (env.gnmi_process, env.gnmi_port)
dut_command += "--server_crt /etc/sonic/telemetry/gnmiserver.crt --server_key /etc/sonic/telemetry/gnmiserver.key "
+ dut_command += "--config_table_name GNMI_CLIENT_CERT "
+ dut_command += "--client_auth cert "
dut_command += "--ca_crt /etc/sonic/telemetry/gnmiCA.pem -gnmi_native_write=true -v=10 >/root/gnmi.log 2>&1 &\""
duthost.shell(dut_command)
+
+ # Setup gnmi client cert common name
+ add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic")
+
time.sleep(GNMI_SERVER_START_WAIT_TIME)
dut_command = "sudo netstat -nap | grep %d" % env.gnmi_port
output = duthost.shell(dut_command, module_ignore_errors=True)
@@ -101,6 +116,9 @@ def recover_cert_config(duthost):
'systemctl restart %s' % (env.gnmi_container)
]
duthost.shell_cmds(cmds=cmds)
+
+ # Remove gnmi client cert common name
+ del_gnmi_client_common_name(duthost, "test.client.gnmi.sonic")
assert wait_until(60, 3, 0, check_gnmi_status, duthost), "GNMI service failed to start"
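Review bot: Both new helpers pass `module_ignore_errors=True` and discard the result, so a failed `sonic-db-cli` write leaves the GNMI_CLIENT_CERT table unchanged without any signal; because this table is what `--client_auth cert` authorizes against, a silent failure surfaces later as an unrelated `Unauthenticated` error in whichever test runs next. Capture the result and check it, e.g. `res = duthost.shell(cmd, module_ignore_errors=True)` followed by `assert res["rc"] == 0, "CONFIG_DB update failed: %s" % res["stderr"]`, matching the plain `assert` style already used in recover_cert_config. Both helpers also lack docstrings; a one-liner such as `"""Map client-certificate CN *cname* to role "role1" in CONFIG_DB GNMI_CLIENT_CERT (cname is spliced into a shell command, so pass only literal, shell-safe names)."""` would record both the contract and the quoting caveat. Hard-coding `"role1"` could be lifted into a keyword parameter `role="role1"` so later tests can exercise other role mappings without another helper.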
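Review bot: The CN-to-role mapping is written to CONFIG_DB only after the server has been launched with `--client_auth cert`, so unless the server watches GNMI_CLIENT_CERT for changes (not visible here), there is a window in which a client presenting the valid test certificate is rejected, and the later `netstat` check passes even though authorization is not yet configured. Moving `add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic")` above `duthost.shell(dut_command)` makes the authorization table complete before the process starts and removes the dependence on dynamic table reloading. The literal `"test.client.gnmi.sonic"` is repeated here, in the recover_cert_config hunk below and in test_gnmi.py; a module-level constant such as `GNMI_CLIENT_CNAME = "test.client.gnmi.sonic"` in helper.py, imported by the test, would keep the three in step. apply_cert_config starts and ends outside this hunk.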
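Review bot: The CONFIG_DB cleanup runs after `duthost.shell_cmds(cmds=cmds)` restarts the container, so if that restart step raises, the GNMI_CLIENT_CERT entry for `test.client.gnmi.sonic` is never deleted and a CN-to-role mapping created by this test persists in the device's running config for everything that follows. The deletion does not depend on the container state, so move `del_gnmi_client_common_name(duthost, "test.client.gnmi.sonic")` to before the `shell_cmds` call (or append the equivalent `sonic-db-cli` command to `cmds`), which restores the authorization table even when the restart fails. recover_cert_config starts outside this hunk.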
diff --git a/tests/gnmi/test_gnmi.py b/tests/gnmi/test_gnmi.py
index 37380f10361..c2203ace33e 100644
--- a/tests/gnmi/test_gnmi.py
+++ b/tests/gnmi/test_gnmi.py
@@ -1,7 +1,7 @@
import pytest
import logging
-from .helper import gnmi_capabilities
+from .helper import gnmi_capabilities, gnmi_set, add_gnmi_client_common_name, del_gnmi_client_common_name
logger = logging.getLogger(__name__)
@@ -20,3 +20,45 @@ def test_gnmi_capabilities(duthosts, rand_one_dut_hostname, localhost):
assert ret == 0, msg
assert "sonic-db" in msg, msg
assert "JSON_IETF" in msg, msg
+
+
+@pytest.fixture(scope="function")
+def setup_invalid_client_cert_cname(duthosts, rand_one_dut_hostname):
+ duthost = duthosts[rand_one_dut_hostname]
+ del_gnmi_client_common_name(duthost, "test.client.gnmi.sonic")
+ add_gnmi_client_common_name(duthost, "invalid.cname")
+
+ keys = duthost.shell('sudo sonic-db-cli CONFIG_DB keys GNMI*')["stdout_lines"]
+ logger.debug("GNMI client cert keys: {}".format(keys))
+
+ yield
+
+ del_gnmi_client_common_name(duthost, "invalid.cname")
+ add_gnmi_client_common_name(duthost, "test.client.gnmi.sonic")
+
+
+def test_gnmi_authorize_failed_with_invalid_cname(duthosts,
+ rand_one_dut_hostname,
+ ptfhost,
+ setup_invalid_client_cert_cname):
+ '''
+ Verify GNMI native write, incremental config for configDB
+ GNMI set request with invalid path
+ '''
+ duthost = duthosts[rand_one_dut_hostname]
+
+ file_name = "vnet.txt"
+ text = "{\"Vnet1\": {\"vni\": \"1000\", \"guid\": \"559c6ce8-26ab-4193-b946-ccc6e8f930b2\"}}"
+ with open(file_name, 'w') as file:
+ file.write(text)
+ ptfhost.copy(src=file_name, dest='/root')
+ # Add DASH_VNET_TABLE
+ update_list = ["/sonic-db:APPL_DB/localhost/DASH_VNET_TABLE:@/root/%s" % (file_name)]
+ msg = ""
+ try:
+ gnmi_set(duthost, ptfhost, [], update_list, [])
+ except Exception as e:
+ logger.info("Failed to set: " + str(e))
+ msg = str(e)
+
+ assert "Unauthenticated" in msg
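Review bot: The docstring of `test_gnmi_authorize_failed_with_invalid_cname` is copied from another test and describes a write with an invalid path, while the test actually checks that a client certificate whose CN has no GNMI_CLIENT_CERT entry is refused; replace it with something like `'''Verify a gNMI Set is rejected when the client certificate CN has no role mapping in GNMI_CLIENT_CERT (server started with --client_auth cert).'''`. The final `assert "Unauthenticated" in msg` carries no message, so the failure mode that matters most, `gnmi_set` succeeding for an unmapped CN (i.e. the access control not being enforced), is reported only as an assertion on an empty string; `assert "Unauthenticated" in msg, "expected the Set to be refused for an unmapped CN, got: %r" % msg` names it. The test also writes `vnet.txt` into the runner's working directory and never removes it; writing it under pytest's `tmp_path` fixture (the `dest='/root'` path on the PTF host is unaffected) avoids leaving state between runs.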