Add log for authentication and add unit test. #12

Signed-off-by: Gang Lv [email protected]

Why I did it
We need to enhance authentication and authorization for sonic-gnmi, and the first step is to add log.

How I did it
Add log for auth user and roles.

How to verify it
Run unit test.

Author: ganglyu

gnmi_server/server.go

@@ -202,6 +202,7 @@ func authenticate(UserAuth AuthTypes, ctx context.Context) (context.Context, err
 	if !success {
 		return ctx, status.Error(codes.Unauthenticated, "Unauthenticated")
 	}
+	log.V(5).Infof("authenticate user %v, roles %v", rc.Auth.User, rc.Auth.Roles)
 
 	return ctx, nil
 }

gnmi_server/server_test.go

@@ -16,6 +16,7 @@ import (
 	"io/ioutil"
 	"os"
 	"os/exec"
+	"os/user"
 	"reflect"
 	"testing"
 	"time"
@@ -42,6 +43,7 @@ import (
 	gclient "github.com/jipanyang/gnmi/client/gnmi"
 	"github.com/jipanyang/gnxi/utils/xpath"
 	gnoi_system_pb "github.com/openconfig/gnoi/system"
+	"github.com/agiledragon/gomonkey"
 )
 
 var clientTypes = []string{gclient.Type}
@@ -104,6 +106,25 @@ func createServer(t *testing.T, port int64) *Server {
 	return s
 }
 
+func createAuthServer(t *testing.T, port int64) *Server {
+	certificate, err := testcert.NewCert()
+	if err != nil {
+		t.Errorf("could not load server key pair: %s", err)
+	}
+	tlsCfg := &tls.Config{
+		ClientAuth:   tls.RequestClientCert,
+		Certificates: []tls.Certificate{certificate},
+	}
+
+	opts := []grpc.ServerOption{grpc.Creds(credentials.NewTLS(tlsCfg))}
+	cfg := &Config{Port: port, UserAuth: AuthTypes{"password": true, "cert": true, "jwt": true}}
+	s, err := NewServer(cfg, opts)
+	if err != nil {
+		t.Errorf("Failed to create gNMI server: %v", err)
+	}
+	return s
+}
+
 // runTestGet requests a path from the server by Get grpc call, and compares if
 // the return code and response value are expected.
 func runTestGet(t *testing.T, ctx context.Context, gClient pb.GNMIClient, pathTarget string,
@@ -2509,8 +2530,57 @@ func TestBulkSet(t *testing.T) {
 		if !ok {
 			t.Fatal("got a non-grpc error from grpc call")
 		}
+	})
+}
+
+type loginCreds struct {
+    Username, Password string
+}
 
+func (c *loginCreds) GetRequestMetadata(context.Context, ...string) (map[string]string, error) {
+    return map[string]string{
+        "username": c.Username,
+        "password": c.Password,
+    }, nil
+}
+
+func (c *loginCreds) RequireTransportSecurity() bool {
+    return true
+}
+
+func TestAuthCapabilities(t *testing.T) {
+	mock1 := gomonkey.ApplyFunc(UserPwAuth, func(username string, passwd string) (bool, error) {
+		return true, nil
 	})
+	defer mock1.Reset()
+
+	s := createAuthServer(t, 8089)
+	go runServer(t, s)
+
+	currentUser, _ := user.Current()
+	tlsConfig := &tls.Config{InsecureSkipVerify: true}
+	cred := &loginCreds{Username: currentUser.Username, Password: "dummy"}
+	opts := []grpc.DialOption{grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)), grpc.WithPerRPCCredentials(cred)}
+
+	targetAddr := "127.0.0.1:8089"
+	conn, err := grpc.Dial(targetAddr, opts...)
+	if err != nil {
+		t.Fatalf("Dialing to %q failed: %v", targetAddr, err)
+	}
+	defer conn.Close()
+
+	gClient := pb.NewGNMIClient(conn)
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	var req pb.CapabilityRequest
+	resp, err := gClient.Capabilities(ctx, &req)
+	if err != nil {
+		t.Fatalf("Failed to get Capabilities: %v", err)
+	}
+	if len(resp.SupportedModels) == 0 {
+		t.Fatalf("No Supported Models found!")
+	}
 
 }
 

go.mod

@@ -5,6 +5,7 @@ go 1.12
 require (
 	github.com/Azure/sonic-mgmt-common v0.0.0-00010101000000-000000000000
 	github.com/Workiva/go-datastructures v1.0.50
+	github.com/agiledragon/gomonkey v2.0.2+incompatible
 	github.com/c9s/goprocinfo v0.0.0-20191125144613-4acdd056c72d
 	github.com/dgrijalva/jwt-go v3.2.1-0.20210802184156-9742bd7fca1c+incompatible
 	github.com/go-redis/redis v6.15.6+incompatible