From e42ff97507adf865f49b45e71caf0cc88766ffd9 Mon Sep 17 00:00:00 2001
From: Hua Liu <58683130+liuh-80@users.noreply.github.com>
Date: Thu, 22 Aug 2024 08:05:45 +0800
Subject: [PATCH] Add GNMI client cert cname check support. (#18709)

Add GNMI client cert cname list to yang model.

#### Why I did it
Allow gnmi service authentication client cert by cname.

### How I did it
Add GNMI client cert cname list to yang model.

#### How to verify it
Pass all UT.

### Description for the changelog
Add GNMI client cert cname list to yang model.
---
 dockers/docker-sonic-gnmi/gnmi-native.sh      |  2 ++
 dockers/docker-sonic-telemetry/telemetry.sh   |  3 +++
 .../tests/files/sample_config_db.json         |  8 ++++++
 .../tests/yang_model_tests/tests/gnmi.json    |  7 +++++
 .../yang_model_tests/tests_config/gnmi.json   | 27 +++++++++++++++++++
 .../yang-models/sonic-gnmi.yang               | 21 +++++++++++++++
 6 files changed, 68 insertions(+)

diff --git a/dockers/docker-sonic-gnmi/gnmi-native.sh b/dockers/docker-sonic-gnmi/gnmi-native.sh
index ea5b88f44e3f..8c7766a00f7b 100755
--- a/dockers/docker-sonic-gnmi/gnmi-native.sh
+++ b/dockers/docker-sonic-gnmi/gnmi-native.sh
@@ -33,6 +33,8 @@ if [ -n "$CERTS" ]; then
     if [ ! -z $CA_CRT ]; then
         TELEMETRY_ARGS+=" --ca_crt $CA_CRT"
     fi
+
+    TELEMETRY_ARGS+=" --config_table_name GNMI_CLIENT_CERT"
 elif [ -n "$X509" ]; then
     SERVER_CRT=$(echo $X509 | jq -r '.server_crt')
     SERVER_KEY=$(echo $X509 | jq -r '.server_key')
diff --git a/dockers/docker-sonic-telemetry/telemetry.sh b/dockers/docker-sonic-telemetry/telemetry.sh
index dadd226b8d80..547c522b684c 100755
--- a/dockers/docker-sonic-telemetry/telemetry.sh
+++ b/dockers/docker-sonic-telemetry/telemetry.sh
@@ -34,6 +34,9 @@ if [ -n "$CERTS" ]; then
     if [ ! -z $CA_CRT ]; then
         TELEMETRY_ARGS+=" --ca_crt $CA_CRT"
     fi
+
+    # Reuse GNMI_CLIENT_CERT for telemetry service
+    TELEMETRY_ARGS+=" --config_table_name GNMI_CLIENT_CERT"
 elif [ -n "$X509" ]; then
     SERVER_CRT=$(echo $X509 | jq -r '.server_crt')
     SERVER_KEY=$(echo $X509 | jq -r '.server_key')
diff --git a/src/sonic-yang-models/tests/files/sample_config_db.json b/src/sonic-yang-models/tests/files/sample_config_db.json
index 4a743fda6bf1..fcf9a25030e9 100644
--- a/src/sonic-yang-models/tests/files/sample_config_db.json
+++ b/src/sonic-yang-models/tests/files/sample_config_db.json
@@ -1263,6 +1263,14 @@
                 "port": "50052"
             }
         },
+        "GNMI_CLIENT_CERT": {
+            "testcert1": {
+                "role": "RW"
+            },
+            "testcert2": {
+                "role": "RO"
+            }
+        },
         "TUNNEL": {
             "MuxTunnel0": {
                 "dscp_mode": "uniform",
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/gnmi.json b/src/sonic-yang-models/tests/yang_model_tests/tests/gnmi.json
index 5938290f8a96..10956d2bbf33 100644
--- a/src/sonic-yang-models/tests/yang_model_tests/tests/gnmi.json
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests/gnmi.json
@@ -13,5 +13,12 @@
     },
     "GNMI_TABLE_WITH_VALID_CONFIG": {
         "desc": "TABLE WITH VALID CONFIG."
+    },
+    "GNMI_CLIENT_CERT_LIST_TABLE_WITH_MISSING_ROLE": {
+        "desc": "CLIENT_CERT_LIST_TABLE_WITH_MISSING_ROLE failure.",
+        "eStrKey": "Mandatory"
+    },
+    "GNMI_CLIENT_CERT_LIST_TABLE_WITH_VALID_CONFIG": {
+        "desc": "TABLE WITH VALID CONFIG."
     }
 }
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json
index db121ae3944c..ea83bc90d041 100644
--- a/src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json
@@ -62,5 +62,32 @@
                 }
             }
         }
+    },
+    "GNMI_CLIENT_CERT_LIST_TABLE_WITH_MISSING_ROLE": {
+        "sonic-gnmi:sonic-gnmi": {
+            "sonic-gnmi:GNMI_CLIENT_CERT": {
+                "GNMI_CLIENT_CERT_LIST": [
+                {
+                    "cert_cname": "testcert1"
+                }
+                ]
+            }
+        }
+    },
+    "GNMI_CLIENT_CERT_LIST_TABLE_WITH_VALID_CONFIG": {
+        "sonic-gnmi:sonic-gnmi": {
+            "sonic-gnmi:GNMI_CLIENT_CERT": {
+                "GNMI_CLIENT_CERT_LIST": [
+                {
+                    "cert_cname": "testcert1",
+                    "role": "RW"
+                },
+                {
+                    "cert_cname": "testcert2",
+                    "role": "RO"
+                }
+                ]
+            }
+        }
     }
 }
diff --git a/src/sonic-yang-models/yang-models/sonic-gnmi.yang b/src/sonic-yang-models/yang-models/sonic-gnmi.yang
index 1d6b228266b8..b27ab84938b5 100644
--- a/src/sonic-yang-models/yang-models/sonic-gnmi.yang
+++ b/src/sonic-yang-models/yang-models/sonic-gnmi.yang
@@ -72,7 +72,28 @@ module sonic-gnmi {
                 }
 
             }
+        }
+
+        container GNMI_CLIENT_CERT {
+            description "GNMI client cert list";
 
+            list GNMI_CLIENT_CERT_LIST {
+                max-elements 8;
+                key "cert_cname";
+
+                leaf cert_cname {
+                    type string;
+                    description
+                        "client cert common name";
+                }
+
+                leaf role {
+                    type string;
+                    mandatory true;
+                    description
+                        "role of client cert common name";
+                }
+            }
         }
     }
 }