From 106c38d391cb245030cfbf8cd356c88da360c7e5 Mon Sep 17 00:00:00 2001 From: Hua Liu <58683130+liuh-80@users.noreply.github.com> Date: Thu, 22 Aug 2024 08:05:45 +0800 Subject: [PATCH] Add GNMI client cert cname check support. (#18709) Add GNMI client cert cname list to yang model. #### Why I did it Allow gnmi service authentication client cert by cname. ### How I did it Add GNMI client cert cname list to yang model. #### How to verify it Pass all UT. ### Description for the changelog Add GNMI client cert cname list to yang model. --- dockers/docker-sonic-gnmi/gnmi-native.sh | 2 ++ dockers/docker-sonic-telemetry/telemetry.sh | 3 +++ .../tests/files/sample_config_db.json | 8 ++++++ .../tests/yang_model_tests/tests/gnmi.json | 7 +++++ .../yang_model_tests/tests_config/gnmi.json | 27 +++++++++++++++++++ .../yang-models/sonic-gnmi.yang | 21 +++++++++++++++ 6 files changed, 68 insertions(+) diff --git a/dockers/docker-sonic-gnmi/gnmi-native.sh b/dockers/docker-sonic-gnmi/gnmi-native.sh index d9bab2700e4b..e9f15810a226 100755 --- a/dockers/docker-sonic-gnmi/gnmi-native.sh +++ b/dockers/docker-sonic-gnmi/gnmi-native.sh @@ -33,6 +33,8 @@ if [ -n "$CERTS" ]; then if [ ! -z $CA_CRT ]; then TELEMETRY_ARGS+=" --ca_crt $CA_CRT" fi + + TELEMETRY_ARGS+=" --config_table_name GNMI_CLIENT_CERT" elif [ -n "$X509" ]; then SERVER_CRT=$(echo $X509 | jq -r '.server_crt') SERVER_KEY=$(echo $X509 | jq -r '.server_key') diff --git a/dockers/docker-sonic-telemetry/telemetry.sh b/dockers/docker-sonic-telemetry/telemetry.sh index 061046d2594f..d1c9216d4195 100755 --- a/dockers/docker-sonic-telemetry/telemetry.sh +++ b/dockers/docker-sonic-telemetry/telemetry.sh @@ -34,6 +34,9 @@ if [ -n "$CERTS" ]; then if [ ! -z $CA_CRT ]; then TELEMETRY_ARGS+=" --ca_crt $CA_CRT" fi + + # Reuse GNMI_CLIENT_CERT for telemetry service + TELEMETRY_ARGS+=" --config_table_name GNMI_CLIENT_CERT" elif [ -n "$X509" ]; then SERVER_CRT=$(echo $X509 | jq -r '.server_crt') SERVER_KEY=$(echo $X509 | jq -r '.server_key') diff --git a/src/sonic-yang-models/tests/files/sample_config_db.json b/src/sonic-yang-models/tests/files/sample_config_db.json index 534a0d986480..05f64029b69a 100644 --- a/src/sonic-yang-models/tests/files/sample_config_db.json +++ b/src/sonic-yang-models/tests/files/sample_config_db.json @@ -1329,6 +1329,14 @@ "port": "50052" } }, + "GNMI_CLIENT_CERT": { + "testcert1": { + "role": "RW" + }, + "testcert2": { + "role": "RO" + } + }, "TUNNEL": { "MuxTunnel0": { "dscp_mode": "uniform", diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/gnmi.json b/src/sonic-yang-models/tests/yang_model_tests/tests/gnmi.json index 0d99fe09779e..56f855eac9a3 100644 --- a/src/sonic-yang-models/tests/yang_model_tests/tests/gnmi.json +++ b/src/sonic-yang-models/tests/yang_model_tests/tests/gnmi.json @@ -17,5 +17,12 @@ }, "GNMI_TABLE_WITH_VALID_CONFIG": { "desc": "TABLE WITH VALID CONFIG." + }, + "GNMI_CLIENT_CERT_LIST_TABLE_WITH_MISSING_ROLE": { + "desc": "CLIENT_CERT_LIST_TABLE_WITH_MISSING_ROLE failure.", + "eStrKey": "Mandatory" + }, + "GNMI_CLIENT_CERT_LIST_TABLE_WITH_VALID_CONFIG": { + "desc": "TABLE WITH VALID CONFIG." } } diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json index 62b09a2d5b01..cdad6fe31f53 100644 --- a/src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json +++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json @@ -80,5 +80,32 @@ } } } + }, + "GNMI_CLIENT_CERT_LIST_TABLE_WITH_MISSING_ROLE": { + "sonic-gnmi:sonic-gnmi": { + "sonic-gnmi:GNMI_CLIENT_CERT": { + "GNMI_CLIENT_CERT_LIST": [ + { + "cert_cname": "testcert1" + } + ] + } + } + }, + "GNMI_CLIENT_CERT_LIST_TABLE_WITH_VALID_CONFIG": { + "sonic-gnmi:sonic-gnmi": { + "sonic-gnmi:GNMI_CLIENT_CERT": { + "GNMI_CLIENT_CERT_LIST": [ + { + "cert_cname": "testcert1", + "role": "RW" + }, + { + "cert_cname": "testcert2", + "role": "RO" + } + ] + } + } } } diff --git a/src/sonic-yang-models/yang-models/sonic-gnmi.yang b/src/sonic-yang-models/yang-models/sonic-gnmi.yang index eb573e3ffe77..f7c4fef33c53 100644 --- a/src/sonic-yang-models/yang-models/sonic-gnmi.yang +++ b/src/sonic-yang-models/yang-models/sonic-gnmi.yang @@ -77,7 +77,28 @@ module sonic-gnmi { } } + } + + container GNMI_CLIENT_CERT { + description "GNMI client cert list"; + list GNMI_CLIENT_CERT_LIST { + max-elements 8; + key "cert_cname"; + + leaf cert_cname { + type string; + description + "client cert common name"; + } + + leaf role { + type string; + mandatory true; + description + "role of client cert common name"; + } + } } } }