From 85d302117814642356a76828f28d21e75e5dbc25 Mon Sep 17 00:00:00 2001 From: dipchauh <159579776+dipchauh@users.noreply.github.com> Date: Wed, 24 Apr 2024 12:35:55 -0400 Subject: [PATCH] Authz fixes (#2877) "This code is a Contribution to the OpenConfig Feature Profiles project ("Work") made under the Google Software Grant and Corporate Contributor License Agreement ("CLA") and governed by the Apache License 2.0. No other rights or licenses in or to any of Nokia's intellectual property are granted for any other purpose. This code is provided on an "as is" basis without any warranties of any kind." --- .../gnsi/authz/tests/authz/authz1_4_test.go | 49 ++++++++++--------- internal/security/gnxi/rpcexec.go | 2 +- 2 files changed, 26 insertions(+), 25 deletions(-) diff --git a/feature/security/gnsi/authz/tests/authz/authz1_4_test.go b/feature/security/gnsi/authz/tests/authz/authz1_4_test.go index 579a8c7710e..ec6f2008aa6 100644 --- a/feature/security/gnsi/authz/tests/authz/authz1_4_test.go +++ b/feature/security/gnsi/authz/tests/authz/authz1_4_test.go @@ -206,7 +206,7 @@ func TestAuthz1(t *testing.T) { // Pre-Test Section _, policyBefore := authz.Get(t, dut) t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t)) - defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) + defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) // Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate newpolicy, ok := policyMap["policy-everyone-can-gnmi-not-gribi"] @@ -229,7 +229,7 @@ func TestAuthz1(t *testing.T) { // Pre-Test Section _, policyBefore := authz.Get(t, dut) t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t)) - defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) + defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) // Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate newpolicy, ok := policyMap["policy-everyone-can-gribi-not-gnmi"] @@ -252,7 +252,7 @@ func TestAuthz1(t *testing.T) { dut := ondatra.DUT(t, "dut") _, policyBefore := authz.Get(t, dut) t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t)) - defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) + defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) // Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate - 1 newpolicy, ok := policyMap["policy-gribi-get"] @@ -274,7 +274,7 @@ func TestAuthz1(t *testing.T) { } newpolicy.AddAllowRules("base", []string{*testInfraID}, []*gnxi.RPC{gnxi.RPCs.AllRPC}) // Rotate the policy. - newpolicy.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) + newpolicy.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) // Verification of Policy for read-only to deny gRIBI Get and allow gNMI Get t.Run("Verification of Policy for read-only to deny gRIBI Get and allow gNMI Get", func(t *testing.T) { @@ -287,7 +287,7 @@ func TestAuthz1(t *testing.T) { // Pre-Test Section _, policyBefore := authz.Get(t, dut) t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t)) - defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) + defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) // Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate newpolicy, ok := policyMap["policy-normal-1"] @@ -313,7 +313,7 @@ func TestAuthz2(t *testing.T) { // Pre-Test Section _, policyBefore := authz.Get(t, dut) t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t)) - defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) + defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) // Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate newpolicy, ok := policyMap["policy-everyone-can-gnmi-not-gribi"] @@ -334,7 +334,7 @@ func TestAuthz2(t *testing.T) { autzRotateReq := &authzpb.RotateAuthzRequest_UploadRequest{ UploadRequest: &authzpb.UploadRequest{ Version: fmt.Sprintf("v0.%v", (time.Now().UnixNano())), - CreatedOn: uint64(time.Now().UnixMilli()), + CreatedOn: uint64(time.Now().Unix()), Policy: string(jsonPolicy), }, } @@ -348,9 +348,9 @@ func TestAuthz2(t *testing.T) { t.Fatalf("Error while receiving rotate request reply (client 1) %v", err) } // Rotate Request 2 - Before Finalizing the Request 1 - newpolicy, ok = policyMap["policy-everyone-can-gnmi-not-gribi"] + newpolicy, ok = policyMap["policy-everyone-can-gribi-not-gnmi"] if !ok { - t.Fatal("Policy policy-everyone-can-gnmi-not-gribi is not loaded from policy json file") + t.Fatal("Policy policy-everyone-can-gribi-not-gnmi is not loaded from policy json file") } newpolicy.AddAllowRules("base", []string{*testInfraID}, []*gnxi.RPC{gnxi.RPCs.AllRPC}) jsonPolicy, err = newpolicy.Marshal() @@ -365,7 +365,7 @@ func TestAuthz2(t *testing.T) { autzRotateReq = &authzpb.RotateAuthzRequest_UploadRequest{ UploadRequest: &authzpb.UploadRequest{ Version: fmt.Sprintf("v0.%v", (time.Now().UnixNano())), - CreatedOn: uint64(time.Now().UnixMilli()), + CreatedOn: uint64(time.Now().Unix()), Policy: string(jsonPolicy), }, } @@ -390,7 +390,7 @@ func TestAuthz2(t *testing.T) { // Pre-Test Section _, policyBefore := authz.Get(t, dut) t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t)) - defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) + defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) // Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate newpolicy, ok := policyMap["policy-gribi-get"] @@ -399,7 +399,7 @@ func TestAuthz2(t *testing.T) { } newpolicy.AddAllowRules("base", []string{*testInfraID}, []*gnxi.RPC{gnxi.RPCs.AllRPC}) // Rotate the policy. - newpolicy.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) + newpolicy.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) // Verification of Policy for read_only to allow gRIBI Get and to deny gNMI Get t.Run("Verification of Policy for read_only to allow gRIBI Get and to deny gNMI Get", func(t *testing.T) { @@ -425,7 +425,7 @@ func TestAuthz2(t *testing.T) { autzRotateReq := &authzpb.RotateAuthzRequest_UploadRequest{ UploadRequest: &authzpb.UploadRequest{ Version: fmt.Sprintf("v0.%v", (time.Now().UnixNano())), - CreatedOn: uint64(time.Now().UnixMilli()), + CreatedOn: uint64(time.Now().Unix()), Policy: string(jsonPolicy), }, } @@ -459,7 +459,7 @@ func TestAuthz2(t *testing.T) { // Pre-Test Section _, policyBefore := authz.Get(t, dut) t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t)) - defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) + defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) // Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate newpolicy, ok := policyMap["policy-gribi-get"] @@ -468,7 +468,7 @@ func TestAuthz2(t *testing.T) { } newpolicy.AddAllowRules("base", []string{*testInfraID}, []*gnxi.RPC{gnxi.RPCs.AllRPC}) // Rotate the policy. - newpolicy.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) + newpolicy.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) // Verification of Policy for read_only to allow gRIBI Get and to deny gNMI Get t.Run("Verification of Policy for read_only to allow gRIBI Get and to deny gNMI Get", func(t *testing.T) { @@ -495,7 +495,7 @@ func TestAuthz2(t *testing.T) { autzRotateReq := &authzpb.RotateAuthzRequest_UploadRequest{ UploadRequest: &authzpb.UploadRequest{ Version: fmt.Sprintf("v0.%v", (time.Now().UnixNano())), - CreatedOn: uint64(time.Now().UnixMilli()), + CreatedOn: uint64(time.Now().Unix()), Policy: string(jsonPolicy), }, } @@ -527,7 +527,7 @@ func TestAuthz2(t *testing.T) { // Pre-Test Section _, policyBefore := authz.Get(t, dut) t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t)) - defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) + defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) // Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate newpolicy, ok := policyMap["policy-gribi-get"] @@ -537,7 +537,7 @@ func TestAuthz2(t *testing.T) { newpolicy.AddAllowRules("base", []string{*testInfraID}, []*gnxi.RPC{gnxi.RPCs.AllRPC}) // Rotate the policy. prevVersion := fmt.Sprintf("v0.%v", (time.Now().UnixNano())) - newpolicy.Rotate(t, dut, uint64(time.Now().UnixMilli()), prevVersion, false) + newpolicy.Rotate(t, dut, uint64(time.Now().Unix()), prevVersion, false) newpolicy, ok = policyMap["policy-gnmi-get"] if !ok { @@ -556,7 +556,7 @@ func TestAuthz2(t *testing.T) { autzRotateReq := &authzpb.RotateAuthzRequest_UploadRequest{ UploadRequest: &authzpb.UploadRequest{ Version: prevVersion, - CreatedOn: uint64(time.Now().UnixMilli()), + CreatedOn: uint64(time.Now().Unix()), Policy: string(jsonPolicy), }, } @@ -576,7 +576,7 @@ func TestAuthz2(t *testing.T) { }) t.Logf("Preforming Rotate with the same version with force overwrite\n") - newpolicy.Rotate(t, dut, uint64(time.Now().UnixMilli()), prevVersion, true) + newpolicy.Rotate(t, dut, uint64(time.Now().Unix()), prevVersion, true) // Verification of Policy for read_only to allow gRIBI Get and to deny gNMI Get t.Run("Verification of Policy for read_only to allow gRIBI Get and to deny gNMI Get after rotate wth force overwrite", func(t *testing.T) { authz.Verify(t, dut, spiffeCertReadOnly, gnxi.RPCs.GribiGet, &authz.ExceptDeny{}, &authz.HardVerify{}) @@ -593,7 +593,7 @@ func TestAuthz3(t *testing.T) { setUpBaseline(t, dut) _, policyBefore := authz.Get(t, dut) t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t)) - defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) + defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) // Fetch the Desired Authorization Policy object. newpolicy, ok := policyMap["policy-gribi-get"] @@ -603,7 +603,7 @@ func TestAuthz3(t *testing.T) { // Attach base Admin Policy // Rotate the policy. newpolicy.AddAllowRules("base", []string{*testInfraID}, []*gnxi.RPC{gnxi.RPCs.AllRPC}) - expCreatedOn := uint64(time.Now().UnixMilli()) + expCreatedOn := uint64(time.Now().Unix()) expVersion := fmt.Sprintf("v0.%v", (time.Now().UnixNano())) newpolicy.Rotate(t, dut, expCreatedOn, expVersion, false) t.Logf("New Rotated Authz Policy is %s", newpolicy.PrettyPrint(t)) @@ -635,9 +635,10 @@ func TestAuthz3(t *testing.T) { func TestAuthz4(t *testing.T) { // Pre-Test Section dut := ondatra.DUT(t, "dut") + setUpBaseline(t, dut) _, policyBefore := authz.Get(t, dut) t.Logf("Authz Policy of the Device %s before the Reboot Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t)) - defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) + defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false) // Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate newpolicy, ok := policyMap["policy-normal-1"] @@ -645,7 +646,7 @@ func TestAuthz4(t *testing.T) { t.Fatal("Policy policy-normal-1 is not loaded from policy json file") } newpolicy.AddAllowRules("base", []string{*testInfraID}, []*gnxi.RPC{gnxi.RPCs.AllRPC}) - expCreatedOn := uint64(time.Now().UnixMilli()) + expCreatedOn := uint64(time.Now().Unix()) expVersion := fmt.Sprintf("v0.%v", (time.Now().UnixNano())) t.Logf("New Authz Policy is %s", newpolicy.PrettyPrint(t)) newpolicy.Rotate(t, dut, expCreatedOn, expVersion, false) diff --git a/internal/security/gnxi/rpcexec.go b/internal/security/gnxi/rpcexec.go index 9cf326f7fd5..f91274b8633 100644 --- a/internal/security/gnxi/rpcexec.go +++ b/internal/security/gnxi/rpcexec.go @@ -507,7 +507,7 @@ func GnsiAuthzRotate(ctx context.Context, dut *ondatra.DUTDevice, opts []grpc.Di } _, err = gnsiCStream.Recv() // invalid policy is expected since the empty policy is not allowed - if strings.Contains(err.Error(), "invalid policy") { + if strings.Contains(err.Error(), "invalid policy") || status.Code(err) == codes.InvalidArgument { return nil } return err