Authz fixes #2877

Merged
merged 3 commits into from
Apr 24, 2024
49 changes: 25 additions & 24 deletions feature/security/gnsi/authz/tests/authz/authz1_4_test.go
Expand Up @@ -206,7 +206,7 @@ func TestAuthz1(t *testing.T) {
// Pre-Test Section
_, policyBefore := authz.Get(t, dut)
t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t))
defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate
newpolicy, ok := policyMap["policy-everyone-can-gnmi-not-gribi"]
Expand All @@ -229,7 +229,7 @@ func TestAuthz1(t *testing.T) {
// Pre-Test Section
_, policyBefore := authz.Get(t, dut)
t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t))
defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate
newpolicy, ok := policyMap["policy-everyone-can-gribi-not-gnmi"]
Expand All @@ -252,7 +252,7 @@ func TestAuthz1(t *testing.T) {
dut := ondatra.DUT(t, "dut")
_, policyBefore := authz.Get(t, dut)
t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t))
defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate - 1
newpolicy, ok := policyMap["policy-gribi-get"]
Expand All @@ -274,7 +274,7 @@ func TestAuthz1(t *testing.T) {
}
newpolicy.AddAllowRules("base", []string{*testInfraID}, []*gnxi.RPC{gnxi.RPCs.AllRPC})
// Rotate the policy.
newpolicy.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
newpolicy.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Verification of Policy for read-only to deny gRIBI Get and allow gNMI Get
t.Run("Verification of Policy for read-only to deny gRIBI Get and allow gNMI Get", func(t *testing.T) {
Expand All @@ -287,7 +287,7 @@ func TestAuthz1(t *testing.T) {
// Pre-Test Section
_, policyBefore := authz.Get(t, dut)
t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t))
defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate
newpolicy, ok := policyMap["policy-normal-1"]
Expand All @@ -313,7 +313,7 @@ func TestAuthz2(t *testing.T) {
// Pre-Test Section
_, policyBefore := authz.Get(t, dut)
t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t))
defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate
newpolicy, ok := policyMap["policy-everyone-can-gnmi-not-gribi"]
Expand All @@ -334,7 +334,7 @@ func TestAuthz2(t *testing.T) {
autzRotateReq := &authzpb.RotateAuthzRequest_UploadRequest{
UploadRequest: &authzpb.UploadRequest{
Version: fmt.Sprintf("v0.%v", (time.Now().UnixNano())),
CreatedOn: uint64(time.Now().UnixMilli()),
CreatedOn: uint64(time.Now().Unix()),
Policy: string(jsonPolicy),
},
}
Expand All @@ -348,9 +348,9 @@ func TestAuthz2(t *testing.T) {
t.Fatalf("Error while receiving rotate request reply (client 1) %v", err)
}
// Rotate Request 2 - Before Finalizing the Request 1
newpolicy, ok = policyMap["policy-everyone-can-gnmi-not-gribi"]
newpolicy, ok = policyMap["policy-everyone-can-gribi-not-gnmi"]
if !ok {
t.Fatal("Policy policy-everyone-can-gnmi-not-gribi is not loaded from policy json file")
t.Fatal("Policy policy-everyone-can-gribi-not-gnmi is not loaded from policy json file")
}
newpolicy.AddAllowRules("base", []string{*testInfraID}, []*gnxi.RPC{gnxi.RPCs.AllRPC})
jsonPolicy, err = newpolicy.Marshal()
Expand All @@ -365,7 +365,7 @@ func TestAuthz2(t *testing.T) {
autzRotateReq = &authzpb.RotateAuthzRequest_UploadRequest{
UploadRequest: &authzpb.UploadRequest{
Version: fmt.Sprintf("v0.%v", (time.Now().UnixNano())),
CreatedOn: uint64(time.Now().UnixMilli()),
CreatedOn: uint64(time.Now().Unix()),
Policy: string(jsonPolicy),
},
}
Expand All @@ -390,7 +390,7 @@ func TestAuthz2(t *testing.T) {
// Pre-Test Section
_, policyBefore := authz.Get(t, dut)
t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t))
defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate
newpolicy, ok := policyMap["policy-gribi-get"]
Expand All @@ -399,7 +399,7 @@ func TestAuthz2(t *testing.T) {
}
newpolicy.AddAllowRules("base", []string{*testInfraID}, []*gnxi.RPC{gnxi.RPCs.AllRPC})
// Rotate the policy.
newpolicy.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
newpolicy.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Verification of Policy for read_only to allow gRIBI Get and to deny gNMI Get
t.Run("Verification of Policy for read_only to allow gRIBI Get and to deny gNMI Get", func(t *testing.T) {
Expand All @@ -425,7 +425,7 @@ func TestAuthz2(t *testing.T) {
autzRotateReq := &authzpb.RotateAuthzRequest_UploadRequest{
UploadRequest: &authzpb.UploadRequest{
Version: fmt.Sprintf("v0.%v", (time.Now().UnixNano())),
CreatedOn: uint64(time.Now().UnixMilli()),
CreatedOn: uint64(time.Now().Unix()),
Policy: string(jsonPolicy),
},
}
Expand Down Expand Up @@ -459,7 +459,7 @@ func TestAuthz2(t *testing.T) {
// Pre-Test Section
_, policyBefore := authz.Get(t, dut)
t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t))
defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate
newpolicy, ok := policyMap["policy-gribi-get"]
Expand All @@ -468,7 +468,7 @@ func TestAuthz2(t *testing.T) {
}
newpolicy.AddAllowRules("base", []string{*testInfraID}, []*gnxi.RPC{gnxi.RPCs.AllRPC})
// Rotate the policy.
newpolicy.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
newpolicy.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Verification of Policy for read_only to allow gRIBI Get and to deny gNMI Get
t.Run("Verification of Policy for read_only to allow gRIBI Get and to deny gNMI Get", func(t *testing.T) {
Expand All @@ -495,7 +495,7 @@ func TestAuthz2(t *testing.T) {
autzRotateReq := &authzpb.RotateAuthzRequest_UploadRequest{
UploadRequest: &authzpb.UploadRequest{
Version: fmt.Sprintf("v0.%v", (time.Now().UnixNano())),
CreatedOn: uint64(time.Now().UnixMilli()),
CreatedOn: uint64(time.Now().Unix()),
Policy: string(jsonPolicy),
},
}
Expand Down Expand Up @@ -527,7 +527,7 @@ func TestAuthz2(t *testing.T) {
// Pre-Test Section
_, policyBefore := authz.Get(t, dut)
t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t))
defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate
newpolicy, ok := policyMap["policy-gribi-get"]
Expand All @@ -537,7 +537,7 @@ func TestAuthz2(t *testing.T) {
newpolicy.AddAllowRules("base", []string{*testInfraID}, []*gnxi.RPC{gnxi.RPCs.AllRPC})
// Rotate the policy.
prevVersion := fmt.Sprintf("v0.%v", (time.Now().UnixNano()))
newpolicy.Rotate(t, dut, uint64(time.Now().UnixMilli()), prevVersion, false)
newpolicy.Rotate(t, dut, uint64(time.Now().Unix()), prevVersion, false)

newpolicy, ok = policyMap["policy-gnmi-get"]
if !ok {
Expand All @@ -556,7 +556,7 @@ func TestAuthz2(t *testing.T) {
autzRotateReq := &authzpb.RotateAuthzRequest_UploadRequest{
UploadRequest: &authzpb.UploadRequest{
Version: prevVersion,
CreatedOn: uint64(time.Now().UnixMilli()),
CreatedOn: uint64(time.Now().Unix()),
Policy: string(jsonPolicy),
},
}
Expand All @@ -576,7 +576,7 @@ func TestAuthz2(t *testing.T) {
})

t.Logf("Preforming Rotate with the same version with force overwrite\n")
newpolicy.Rotate(t, dut, uint64(time.Now().UnixMilli()), prevVersion, true)
newpolicy.Rotate(t, dut, uint64(time.Now().Unix()), prevVersion, true)
// Verification of Policy for read_only to allow gRIBI Get and to deny gNMI Get
t.Run("Verification of Policy for read_only to allow gRIBI Get and to deny gNMI Get after rotate wth force overwrite", func(t *testing.T) {
authz.Verify(t, dut, spiffeCertReadOnly, gnxi.RPCs.GribiGet, &authz.ExceptDeny{}, &authz.HardVerify{})
Expand All @@ -593,7 +593,7 @@ func TestAuthz3(t *testing.T) {
setUpBaseline(t, dut)
_, policyBefore := authz.Get(t, dut)
t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t))
defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Fetch the Desired Authorization Policy object.
newpolicy, ok := policyMap["policy-gribi-get"]
Expand All @@ -603,7 +603,7 @@ func TestAuthz3(t *testing.T) {
// Attach base Admin Policy
// Rotate the policy.
newpolicy.AddAllowRules("base", []string{*testInfraID}, []*gnxi.RPC{gnxi.RPCs.AllRPC})
expCreatedOn := uint64(time.Now().UnixMilli())
expCreatedOn := uint64(time.Now().Unix())
expVersion := fmt.Sprintf("v0.%v", (time.Now().UnixNano()))
newpolicy.Rotate(t, dut, expCreatedOn, expVersion, false)
t.Logf("New Rotated Authz Policy is %s", newpolicy.PrettyPrint(t))
Expand Down Expand Up @@ -635,17 +635,18 @@ func TestAuthz3(t *testing.T) {
func TestAuthz4(t *testing.T) {
// Pre-Test Section
dut := ondatra.DUT(t, "dut")
setUpBaseline(t, dut)
_, policyBefore := authz.Get(t, dut)
t.Logf("Authz Policy of the Device %s before the Reboot Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t))
defer policyBefore.Rotate(t, dut, uint64(time.Now().UnixMilli()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)

// Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate
newpolicy, ok := policyMap["policy-normal-1"]
if !ok {
t.Fatal("Policy policy-normal-1 is not loaded from policy json file")
}
newpolicy.AddAllowRules("base", []string{*testInfraID}, []*gnxi.RPC{gnxi.RPCs.AllRPC})
expCreatedOn := uint64(time.Now().UnixMilli())
expCreatedOn := uint64(time.Now().Unix())
expVersion := fmt.Sprintf("v0.%v", (time.Now().UnixNano()))
t.Logf("New Authz Policy is %s", newpolicy.PrettyPrint(t))
newpolicy.Rotate(t, dut, expCreatedOn, expVersion, false)
Expand Down
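Review bot: The `uint64(time.Now().Unix())` / `fmt.Sprintf("v0.%v", (time.Now().UnixNano()))` pair is now spelled out in roughly twenty places across TestAuthz1 through TestAuthz4 (this note covers every hunk of this file), and nothing in the file records why created_on has to be seconds rather than milliseconds, so a later edit can reintroduce `UnixMilli` in a single call site without anyone noticing. Hoisting the stamp into one helper with a comment on the unit — presumably seconds because that is what gNSI's UploadRequest.created_on expects; confirm against the proto — keeps the unit in one place and also derives both values from the same `time.Now()` instant instead of two separate reads. The expCreatedOn/expVersion locals in TestAuthz3 and TestAuthz4 look like they are compared against what the device reports later in those functions, which lies outside the hunks; if so, the helper belongs there as well. All enclosing test functions start and end outside the hunks shown.
```go
// rotateStamp returns the created_on and version values for one Rotate call.
// created_on is seconds since the Unix epoch (not milliseconds) — TODO confirm
// against the gNSI UploadRequest.created_on definition.
func rotateStamp() (uint64, string) {
	now := time.Now()
	return uint64(now.Unix()), fmt.Sprintf("v0.%v", now.UnixNano())
}

// … unchanged: each call site becomes
//   createdOn, version := rotateStamp()
//   newpolicy.Rotate(t, dut, createdOn, version, false)
```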
2 changes: 1 addition & 1 deletion internal/security/gnxi/rpcexec.go
Expand Up @@ -507,7 +507,7 @@ func GnsiAuthzRotate(ctx context.Context, dut *ondatra.DUTDevice, opts []grpc.Di
}
_, err = gnsiCStream.Recv()
// invalid policy is expected since the empty policy is not allowed
if strings.Contains(err.Error(), "invalid policy") {
if strings.Contains(err.Error(), "invalid policy") || status.Code(err) == codes.InvalidArgument {
return nil
}
return err
Expand Down
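Review bot: `err.Error()` on the new line is still evaluated before any nil check, so if the device accepts the empty policy and `Recv()` returns a nil error the caller panics with a nil dereference instead of getting a clear failure; `status.Code(nil)` is `codes.OK`, so only the string check is affected. A guard ahead of it, `if err == nil { return errors.New("empty policy was accepted; expected an invalid-policy rejection") }` (or `fmt.Errorf`, whichever the file already imports), turns that outcome into an explicit error, which matches the expectation stated in the comment above the check. The added `status.Code(err) == codes.InvalidArgument` branch also widens the accepted outcome from "invalid policy" to any InvalidArgument, so a request rejected for an unrelated reason now passes as a correct rejection; logging `status.Convert(err).Message()` before `return nil` keeps such runs diagnosable. GnsiAuthzRotate starts outside the hunk.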