Skip to content

Commit

Permalink
Authz fixes (openconfig#2877)
Browse files Browse the repository at this point in the history
"This code is a Contribution to the OpenConfig Feature Profiles project ("Work") made under the Google Software Grant and Corporate Contributor License Agreement ("CLA") and governed by the Apache License 2.0. No other rights or licenses in or to any of Nokia's intellectual property are granted for any other purpose. This code is provided on an "as is" basis without any warranties of any kind."
  • Loading branch information
dipchauh authored and bkreddy143 committed Jul 17, 2024
1 parent 4cd4140 commit e94f7f7
Show file tree
Hide file tree
Showing 2 changed files with 26 additions and 25 deletions.
49 changes: 25 additions & 24 deletions feature/security/gnsi/authz/tests/authz/authz1_4_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -206,7 +206,7 @@ func TestAuthz1(t *testing.T) {
// Pre-Test Section
_, policyBefore := authz.Get(t, dut)
t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t))
defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate
newpolicy, ok := policyMap["policy-everyone-can-gnmi-not-gribi"]
Expand All @@ -229,7 +229,7 @@ func TestAuthz1(t *testing.T) {
// Pre-Test Section
_, policyBefore := authz.Get(t, dut)
t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t))
defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate
newpolicy, ok := policyMap["policy-everyone-can-gribi-not-gnmi"]
Expand All @@ -252,7 +252,7 @@ func TestAuthz1(t *testing.T) {
dut := ondatra.DUT(t, "dut")
_, policyBefore := authz.Get(t, dut)
t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t))
defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate - 1
newpolicy, ok := policyMap["policy-gribi-get"]
Expand All @@ -274,7 +274,7 @@ func TestAuthz1(t *testing.T) {
}
newpolicy.AddAllowRules("base", []string{*testInfraID}, []*gnxi.RPC{gnxi.RPCs.AllRPC})
// Rotate the policy.
newpolicy.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
newpolicy.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Verification of Policy for read-only to deny gRIBI Get and allow gNMI Get
t.Run("Verification of Policy for read-only to deny gRIBI Get and allow gNMI Get", func(t *testing.T) {
Expand All @@ -287,7 +287,7 @@ func TestAuthz1(t *testing.T) {
// Pre-Test Section
_, policyBefore := authz.Get(t, dut)
t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t))
defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate
newpolicy, ok := policyMap["policy-normal-1"]
Expand All @@ -313,7 +313,7 @@ func TestAuthz2(t *testing.T) {
// Pre-Test Section
_, policyBefore := authz.Get(t, dut)
t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t))
defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate
newpolicy, ok := policyMap["policy-everyone-can-gnmi-not-gribi"]
Expand All @@ -334,7 +334,7 @@ func TestAuthz2(t *testing.T) {
autzRotateReq := &authzpb.RotateAuthzRequest_UploadRequest{
UploadRequest: &authzpb.UploadRequest{
Version: fmt.Sprintf("v0.%v", (time.Now().UnixNano())),
CreatedOn: uint64(time.Now().UnixMilli()),
CreatedOn: uint64(time.Now().Unix()),
Policy: string(jsonPolicy),
},
}
Expand All @@ -348,9 +348,9 @@ func TestAuthz2(t *testing.T) {
t.Fatalf("Error while receiving rotate request reply (client 1) %v", err)
}
// Rotate Request 2 - Before Finalizing the Request 1
newpolicy, ok = policyMap["policy-everyone-can-gnmi-not-gribi"]
newpolicy, ok = policyMap["policy-everyone-can-gribi-not-gnmi"]
if !ok {
t.Fatal("Policy policy-everyone-can-gnmi-not-gribi is not loaded from policy json file")
t.Fatal("Policy policy-everyone-can-gribi-not-gnmi is not loaded from policy json file")
}
newpolicy.AddAllowRules("base", []string{*testInfraID}, []*gnxi.RPC{gnxi.RPCs.AllRPC})
jsonPolicy, err = newpolicy.Marshal()
Expand All @@ -365,7 +365,7 @@ func TestAuthz2(t *testing.T) {
autzRotateReq = &authzpb.RotateAuthzRequest_UploadRequest{
UploadRequest: &authzpb.UploadRequest{
Version: fmt.Sprintf("v0.%v", (time.Now().UnixNano())),
CreatedOn: uint64(time.Now().UnixMilli()),
CreatedOn: uint64(time.Now().Unix()),
Policy: string(jsonPolicy),
},
}
Expand All @@ -390,7 +390,7 @@ func TestAuthz2(t *testing.T) {
// Pre-Test Section
_, policyBefore := authz.Get(t, dut)
t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t))
defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate
newpolicy, ok := policyMap["policy-gribi-get"]
Expand All @@ -399,7 +399,7 @@ func TestAuthz2(t *testing.T) {
}
newpolicy.AddAllowRules("base", []string{*testInfraID}, []*gnxi.RPC{gnxi.RPCs.AllRPC})
// Rotate the policy.
newpolicy.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
newpolicy.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Verification of Policy for read_only to allow gRIBI Get and to deny gNMI Get
t.Run("Verification of Policy for read_only to allow gRIBI Get and to deny gNMI Get", func(t *testing.T) {
Expand All @@ -425,7 +425,7 @@ func TestAuthz2(t *testing.T) {
autzRotateReq := &authzpb.RotateAuthzRequest_UploadRequest{
UploadRequest: &authzpb.UploadRequest{
Version: fmt.Sprintf("v0.%v", (time.Now().UnixNano())),
CreatedOn: uint64(time.Now().UnixMilli()),
CreatedOn: uint64(time.Now().Unix()),
Policy: string(jsonPolicy),
},
}
Expand Down Expand Up @@ -459,7 +459,7 @@ func TestAuthz2(t *testing.T) {
// Pre-Test Section
_, policyBefore := authz.Get(t, dut)
t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t))
defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate
newpolicy, ok := policyMap["policy-gribi-get"]
Expand All @@ -468,7 +468,7 @@ func TestAuthz2(t *testing.T) {
}
newpolicy.AddAllowRules("base", []string{*testInfraID}, []*gnxi.RPC{gnxi.RPCs.AllRPC})
// Rotate the policy.
newpolicy.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
newpolicy.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Verification of Policy for read_only to allow gRIBI Get and to deny gNMI Get
t.Run("Verification of Policy for read_only to allow gRIBI Get and to deny gNMI Get", func(t *testing.T) {
Expand All @@ -495,7 +495,7 @@ func TestAuthz2(t *testing.T) {
autzRotateReq := &authzpb.RotateAuthzRequest_UploadRequest{
UploadRequest: &authzpb.UploadRequest{
Version: fmt.Sprintf("v0.%v", (time.Now().UnixNano())),
CreatedOn: uint64(time.Now().UnixMilli()),
CreatedOn: uint64(time.Now().Unix()),
Policy: string(jsonPolicy),
},
}
Expand Down Expand Up @@ -527,7 +527,7 @@ func TestAuthz2(t *testing.T) {
// Pre-Test Section
_, policyBefore := authz.Get(t, dut)
t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t))
defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate
newpolicy, ok := policyMap["policy-gribi-get"]
Expand All @@ -537,7 +537,7 @@ func TestAuthz2(t *testing.T) {
newpolicy.AddAllowRules("base", []string{*testInfraID}, []*gnxi.RPC{gnxi.RPCs.AllRPC})
// Rotate the policy.
prevVersion := fmt.Sprintf("v0.%v", (time.Now().UnixNano()))
newpolicy.Rotate(t, dut, uint64(time.Now().UnixMilli()), prevVersion, false)
newpolicy.Rotate(t, dut, uint64(time.Now().Unix()), prevVersion, false)

newpolicy, ok = policyMap["policy-gnmi-get"]
if !ok {
Expand All @@ -556,7 +556,7 @@ func TestAuthz2(t *testing.T) {
autzRotateReq := &authzpb.RotateAuthzRequest_UploadRequest{
UploadRequest: &authzpb.UploadRequest{
Version: prevVersion,
CreatedOn: uint64(time.Now().UnixMilli()),
CreatedOn: uint64(time.Now().Unix()),
Policy: string(jsonPolicy),
},
}
Expand All @@ -576,7 +576,7 @@ func TestAuthz2(t *testing.T) {
})

t.Logf("Preforming Rotate with the same version with force overwrite\n")
newpolicy.Rotate(t, dut, uint64(time.Now().UnixMilli()), prevVersion, true)
newpolicy.Rotate(t, dut, uint64(time.Now().Unix()), prevVersion, true)
// Verification of Policy for read_only to allow gRIBI Get and to deny gNMI Get
t.Run("Verification of Policy for read_only to allow gRIBI Get and to deny gNMI Get after rotate wth force overwrite", func(t *testing.T) {
authz.Verify(t, dut, spiffeCertReadOnly, gnxi.RPCs.GribiGet, &authz.ExceptDeny{}, &authz.HardVerify{})
Expand All @@ -593,7 +593,7 @@ func TestAuthz3(t *testing.T) {
setUpBaseline(t, dut)
_, policyBefore := authz.Get(t, dut)
t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t))
defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Fetch the Desired Authorization Policy object.
newpolicy, ok := policyMap["policy-gribi-get"]
Expand All @@ -603,7 +603,7 @@ func TestAuthz3(t *testing.T) {
// Attach base Admin Policy
// Rotate the policy.
newpolicy.AddAllowRules("base", []string{*testInfraID}, []*gnxi.RPC{gnxi.RPCs.AllRPC})
expCreatedOn := uint64(time.Now().UnixMilli())
expCreatedOn := uint64(time.Now().Unix())
expVersion := fmt.Sprintf("v0.%v", (time.Now().UnixNano()))
newpolicy.Rotate(t, dut, expCreatedOn, expVersion, false)
t.Logf("New Rotated Authz Policy is %s", newpolicy.PrettyPrint(t))
Expand Down Expand Up @@ -635,17 +635,18 @@ func TestAuthz3(t *testing.T) {
func TestAuthz4(t *testing.T) {
// Pre-Test Section
dut := ondatra.DUT(t, "dut")
setUpBaseline(t, dut)
_, policyBefore := authz.Get(t, dut)
t.Logf("Authz Policy of the Device %s before the Reboot Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t))
defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate
newpolicy, ok := policyMap["policy-normal-1"]
if !ok {
t.Fatal("Policy policy-normal-1 is not loaded from policy json file")
}
newpolicy.AddAllowRules("base", []string{*testInfraID}, []*gnxi.RPC{gnxi.RPCs.AllRPC})
expCreatedOn := uint64(time.Now().UnixMilli())
expCreatedOn := uint64(time.Now().Unix())
expVersion := fmt.Sprintf("v0.%v", (time.Now().UnixNano()))
t.Logf("New Authz Policy is %s", newpolicy.PrettyPrint(t))
newpolicy.Rotate(t, dut, expCreatedOn, expVersion, false)
Expand Down
2 changes: 1 addition & 1 deletion internal/security/gnxi/rpcexec.go
Original file line number Diff line number Diff line change
Expand Up @@ -507,7 +507,7 @@ func GnsiAuthzRotate(ctx context.Context, dut *ondatra.DUTDevice, opts []grpc.Di
}
_, err = gnsiCStream.Recv()
// invalid policy is expected since the empty policy is not allowed
if strings.Contains(err.Error(), "invalid policy") {
if strings.Contains(err.Error(), "invalid policy") || status.Code(err) == codes.InvalidArgument {
return nil
}
return err
Expand Down

0 comments on commit e94f7f7

Please sign in to comment.