Add GNMI client cert cname check support. (#18709)

liuh-80 · web-flow · commit 106c38d391cb · 2024-08-21T17:05:45.000-07:00
Add GNMI client cert cname list to yang model.

#### Why I did it
Allow gnmi service authentication client cert by cname.

### How I did it
Add GNMI client cert cname list to yang model.

#### How to verify it
Pass all UT.

### Description for the changelog
Add GNMI client cert cname list to yang model.
diff --git a/dockers/docker-sonic-gnmi/gnmi-native.sh b/dockers/docker-sonic-gnmi/gnmi-native.sh
@@ -33,6 +33,8 @@ if [ -n "$CERTS" ]; then
     if [ ! -z $CA_CRT ]; then
         TELEMETRY_ARGS+=" --ca_crt $CA_CRT"
     fi
+
+    TELEMETRY_ARGS+=" --config_table_name GNMI_CLIENT_CERT"
 elif [ -n "$X509" ]; then
     SERVER_CRT=$(echo $X509 | jq -r '.server_crt')
     SERVER_KEY=$(echo $X509 | jq -r '.server_key')
diff --git a/dockers/docker-sonic-telemetry/telemetry.sh b/dockers/docker-sonic-telemetry/telemetry.sh
@@ -34,6 +34,9 @@ if [ -n "$CERTS" ]; then
     if [ ! -z $CA_CRT ]; then
         TELEMETRY_ARGS+=" --ca_crt $CA_CRT"
     fi
+
+    # Reuse GNMI_CLIENT_CERT for telemetry service
+    TELEMETRY_ARGS+=" --config_table_name GNMI_CLIENT_CERT"
 elif [ -n "$X509" ]; then
     SERVER_CRT=$(echo $X509 | jq -r '.server_crt')
     SERVER_KEY=$(echo $X509 | jq -r '.server_key')
diff --git a/src/sonic-yang-models/tests/files/sample_config_db.json b/src/sonic-yang-models/tests/files/sample_config_db.json
@@ -1329,6 +1329,14 @@
                 "port": "50052"
             }
         },
+        "GNMI_CLIENT_CERT": {
+            "testcert1": {
+                "role": "RW"
+            },
+            "testcert2": {
+                "role": "RO"
+            }
+        },
         "TUNNEL": {
             "MuxTunnel0": {
                 "dscp_mode": "uniform",
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/gnmi.json b/src/sonic-yang-models/tests/yang_model_tests/tests/gnmi.json
@@ -17,5 +17,12 @@
     },
     "GNMI_TABLE_WITH_VALID_CONFIG": {
         "desc": "TABLE WITH VALID CONFIG."
+    },
+    "GNMI_CLIENT_CERT_LIST_TABLE_WITH_MISSING_ROLE": {
+        "desc": "CLIENT_CERT_LIST_TABLE_WITH_MISSING_ROLE failure.",
+        "eStrKey": "Mandatory"
+    },
+    "GNMI_CLIENT_CERT_LIST_TABLE_WITH_VALID_CONFIG": {
+        "desc": "TABLE WITH VALID CONFIG."
     }
 }
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json
@@ -80,5 +80,32 @@
                 }
             }
         }
+    },
+    "GNMI_CLIENT_CERT_LIST_TABLE_WITH_MISSING_ROLE": {
+        "sonic-gnmi:sonic-gnmi": {
+            "sonic-gnmi:GNMI_CLIENT_CERT": {
+                "GNMI_CLIENT_CERT_LIST": [
+                {
+                    "cert_cname": "testcert1"
+                }
+                ]
+            }
+        }
+    },
+    "GNMI_CLIENT_CERT_LIST_TABLE_WITH_VALID_CONFIG": {
+        "sonic-gnmi:sonic-gnmi": {
+            "sonic-gnmi:GNMI_CLIENT_CERT": {
+                "GNMI_CLIENT_CERT_LIST": [
+                {
+                    "cert_cname": "testcert1",
+                    "role": "RW"
+                },
+                {
+                    "cert_cname": "testcert2",
+                    "role": "RO"
+                }
+                ]
+            }
+        }
     }
 }
diff --git a/src/sonic-yang-models/yang-models/sonic-gnmi.yang b/src/sonic-yang-models/yang-models/sonic-gnmi.yang
@@ -77,7 +77,28 @@ module sonic-gnmi {
                 }
 
             }
+        }
+
+        container GNMI_CLIENT_CERT {
+            description "GNMI client cert list";
 
+            list GNMI_CLIENT_CERT_LIST {
+                max-elements 8;
+                key "cert_cname";
+
+                leaf cert_cname {
+                    type string;
+                    description
+                        "client cert common name";
+                }
+
+                leaf role {
+                    type string;
+                    mandatory true;
+                    description
+                        "role of client cert common name";
+                }
+            }
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -17,5 +17,12 @@`
`17`	`17`	`},`
`18`	`18`	`"GNMI_TABLE_WITH_VALID_CONFIG": {`
`19`	`19`	`"desc": "TABLE WITH VALID CONFIG."`
	`20`	`+ },`
	`21`	`+ "GNMI_CLIENT_CERT_LIST_TABLE_WITH_MISSING_ROLE": {`
	`22`	`+ "desc": "CLIENT_CERT_LIST_TABLE_WITH_MISSING_ROLE failure.",`
	`23`	`+ "eStrKey": "Mandatory"`
	`24`	`+ },`
	`25`	`+ "GNMI_CLIENT_CERT_LIST_TABLE_WITH_VALID_CONFIG": {`
	`26`	`+ "desc": "TABLE WITH VALID CONFIG."`
`20`	`27`	`}`
`21`	`28`	`}`
Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,28 @@ module sonic-gnmi {`
`77`	`77`	`}`
`78`	`78`
`79`	`79`	`}`
	`80`	`+ }`
	`81`	`+`
	`82`	`+ container GNMI_CLIENT_CERT {`
	`83`	`+ description "GNMI client cert list";`
`80`	`84`
	`85`	`+ list GNMI_CLIENT_CERT_LIST {`
	`86`	`+ max-elements 8;`
	`87`	`+ key "cert_cname";`
	`88`	`+`
	`89`	`+ leaf cert_cname {`
	`90`	`+ type string;`
	`91`	`+ description`
	`92`	`+ "client cert common name";`
	`93`	`+ }`
	`94`	`+`
	`95`	`+ leaf role {`
	`96`	`+ type string;`
	`97`	`+ mandatory true;`
	`98`	`+ description`
	`99`	`+ "role of client cert common name";`
	`100`	`+ }`
	`101`	`+ }`
`81`	`102`	`}`
`82`	`103`	`}`
`83`	`104`	`}`