From 886500ac784543921840423ae9ab5d3df3f106e0 Mon Sep 17 00:00:00 2001 From: Hua Liu <58683130+liuh-80@users.noreply.github.com> Date: Sat, 23 Nov 2024 06:24:15 +0800 Subject: [PATCH] Add cert revocation list support to GNMI service. (#19536) Add GNMI CRL support. Why I did it Allow gnmi service revoke client cert with CRL How I did it Add GNMI CRL config to yang model. How to verify it Pass all UT. Verified with new sonic-mgmt test case. --- dockers/docker-sonic-gnmi/gnmi-native.sh | 12 +++++++++++ dockers/docker-sonic-telemetry/telemetry.sh | 12 +++++++++++ .../tests/files/sample_config_db.json | 8 ++++++-- .../yang_model_tests/tests_config/gnmi.json | 20 ++++++++++++++----- .../tests_config/telemetry.json | 20 ++++++++++++++----- .../yang-models/sonic-gnmi.yang | 9 +++++++++ .../yang-models/sonic-telemetry.yang | 9 +++++++++ 7 files changed, 78 insertions(+), 12 deletions(-)
diff --git a/dockers/docker-sonic-gnmi/gnmi-native.sh b/dockers/docker-sonic-gnmi/gnmi-native.sh
index 1756ea1dba53..8dae895d89df 100755
--- a/dockers/docker-sonic-gnmi/gnmi-native.sh
+++ b/dockers/docker-sonic-gnmi/gnmi-native.sh
@@ -76,6 +76,18 @@ else
 TELEMETRY_ARGS+=" -v=2"
 fi
+if [ -nz "$GNMI" ]; then
+ ENABLE_CRL=$(echo $GNMI | jq -r '.enable_crl')
+ if [ $ENABLE_CRL == "true" ]; then
+ TELEMETRY_ARGS+=" --enable_crl"
+ fi
+
+ CRL_EXPIRE_DURATION=$(echo $GNMI | jq -r '.crl_expire_duration')
+ if [ -n $CRL_EXPIRE_DURATION ]; then
+ TELEMETRY_ARGS+=" --crl_expire_duration $CRL_EXPIRE_DURATION"
+ fi
+fi
+
 # Enable ZMQ for SmartSwitch
 LOCALHOST_SUBTYPE=`sonic-db-cli CONFIG_DB hget "DEVICE_METADATA|localhost" "subtype"`
 if [[ x"${LOCALHOST_SUBTYPE}" == x"SmartSwitch" ]]; then
diff --git a/dockers/docker-sonic-telemetry/telemetry.sh b/dockers/docker-sonic-telemetry/telemetry.sh
index d1c9216d4195..29ea00ea5ce0 100755
--- a/dockers/docker-sonic-telemetry/telemetry.sh
+++ b/dockers/docker-sonic-telemetry/telemetry.sh
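Review bot: `[ -nz "$GNMI" ]` on the first added line is not a valid test primary (the intended operator is `-n`), so `[` reports "unary operator expected" and returns 2, the whole block is skipped, and `--enable_crl` is never passed to the daemon no matter what CONFIG_DB says; the hunk in telemetry.sh carries the identical block and needs the identical fix. The inner tests are also unquoted: `[ $ENABLE_CRL == "true" ]` fails if jq yields an empty string, and `[ -n $CRL_EXPIRE_DURATION ]` with an empty value collapses to `[ -n ]`, which is true, so `--crl_expire_duration` would be appended with no argument; when the key is absent, `jq -r` prints the literal `null`, which the current check passes through as the duration. Where `$GNMI` is populated is outside the hunk, so I assume it holds the gnmi table entry as a JSON object. The rewrite below quotes every expansion and treats an empty or `null` duration as unset.
```shell
if [ -n "$GNMI" ]; then
    ENABLE_CRL=$(printf '%s' "$GNMI" | jq -r '.enable_crl')
    if [ "$ENABLE_CRL" == "true" ]; then
        TELEMETRY_ARGS+=" --enable_crl"
    fi

    CRL_EXPIRE_DURATION=$(printf '%s' "$GNMI" | jq -r '.crl_expire_duration')
    if [ -n "$CRL_EXPIRE_DURATION" ] && [ "$CRL_EXPIRE_DURATION" != "null" ]; then
        TELEMETRY_ARGS+=" --crl_expire_duration $CRL_EXPIRE_DURATION"
    fi
fi
```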
@@ -74,6 +74,18 @@ else
 TELEMETRY_ARGS+=" -v=2"
 fi
+if [ -nz "$GNMI" ]; then
+ ENABLE_CRL=$(echo $GNMI | jq -r '.enable_crl')
+ if [ $ENABLE_CRL == "true" ]; then
+ TELEMETRY_ARGS+=" --enable_crl"
+ fi
+
+ CRL_EXPIRE_DURATION=$(echo $GNMI | jq -r '.crl_expire_duration')
+ if [ -n $CRL_EXPIRE_DURATION ]; then
+ TELEMETRY_ARGS+=" --crl_expire_duration $CRL_EXPIRE_DURATION"
+ fi
+fi
+
 # gNMI save-on-set behavior is disabled by default.
 # Save-on-set can be turned on by setting the "TELEMETRY|gnmi|save_on_set"
 # to "true".
diff --git a/src/sonic-yang-models/tests/files/sample_config_db.json b/src/sonic-yang-models/tests/files/sample_config_db.json
index 93283acee587..cc446ab378e8 100644
--- a/src/sonic-yang-models/tests/files/sample_config_db.json
+++ b/src/sonic-yang-models/tests/files/sample_config_db.json
@@ -1331,7 +1331,9 @@
 "gnmi": {
 "client_auth": "true",
 "log_level": "2",
- "port": "50051"
+ "port": "50051",
+ "enable_crl": "false",
+ "crl_expire_duration": "86400"
 }
 },
 "TELEMETRY_CLIENT": {
@@ -1368,7 +1370,9 @@
 "gnmi": {
 "client_auth": "true",
 "log_level": "2",
- "port": "50052"
+ "port": "50052",
+ "enable_crl": "false",
+ "crl_expire_duration": "86400"
 }
 },
 "GNMI_CLIENT_CERT": {
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json
index cdad6fe31f53..0c8327a8991a 100644
--- a/src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json
@@ -10,7 +10,9 @@
 "gnmi": {
 "client_auth": "true",
 "log_level": "2",
- "port": "50052"
+ "port": "50052",
+ "enable_crl": "true",
+ "crl_expire_duration": "86400"
 }
 }
 }
@@ -26,7 +28,9 @@
 "gnmi": {
 "client_auth": "up",
 "log_level": "2",
- "port": "50052"
+ "port": "50052",
+ "enable_crl": "true",
+ "crl_expire_duration": "86400"
 }
 }
 }
@@ -42,7 +46,9 @@
 "gnmi": {
 "client_auth": "true",
 "log_level": "2",
- "port": "abc"
+ "port": "abc",
+ "enable_crl": "true",
+ "crl_expire_duration": "86400"
 }
 }
 }
@@ -59,7 +65,9 @@
 "client_auth": "true",
 "log_level": "2",
 "port": "50051",
- "save_on_set": "wrong"
+ "save_on_set": "wrong",
+ "enable_crl": "true",
+ "crl_expire_duration": "86400"
 }
 }
 }
@@ -76,7 +84,9 @@
 "client_auth": "true",
 "log_level": "2",
 "port": "50052",
- "save_on_set": "false"
+ "save_on_set": "false",
+ "enable_crl": "true",
+ "crl_expire_duration": "86400"
 }
 }
 }
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/telemetry.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/telemetry.json
index 18e708262e74..2d3bd08f5d20 100644
--- a/src/sonic-yang-models/tests/yang_model_tests/tests_config/telemetry.json
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/telemetry.json
@@ -10,7 +10,9 @@
 "gnmi": {
 "client_auth": "true",
 "log_level": "2",
- "port": "50051"
+ "port": "50051",
+ "enable_crl": "true",
+ "crl_expire_duration": "86400"
 }
 }
 }
@@ -26,7 +28,9 @@
 "gnmi": {
 "client_auth": "up",
 "log_level": "2",
- "port": "50051"
+ "port": "50051",
+ "enable_crl": "true",
+ "crl_expire_duration": "86400"
 }
 }
 }
@@ -42,7 +46,9 @@
 "gnmi": {
 "client_auth": "true",
 "log_level": "2",
- "port": "abc"
+ "port": "abc",
+ "enable_crl": "true",
+ "crl_expire_duration": "86400"
 }
 }
 }
@@ -59,7 +65,9 @@
 "client_auth": "true",
 "log_level": "2",
 "port": "50051",
- "save_on_set": "wrong"
+ "save_on_set": "wrong",
+ "enable_crl": "true",
+ "crl_expire_duration": "86400"
 }
 }
 }
@@ -76,7 +84,9 @@
 "client_auth": "true",
 "log_level": "2",
 "port": "50051",
- "save_on_set": "false"
+ "save_on_set": "false",
+ "enable_crl": "true",
+ "crl_expire_duration": "86400"
 }
 }
 }
diff --git a/src/sonic-yang-models/yang-models/sonic-gnmi.yang b/src/sonic-yang-models/yang-models/sonic-gnmi.yang
index f7c4fef33c53..d33ea35083dd 100644
--- a/src/sonic-yang-models/yang-models/sonic-gnmi.yang
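Review bot: Every fixture touched in gnmi.json and telemetry.json sets the new leaves to the same accepted values (`"enable_crl": "true"`, `"crl_expire_duration": "86400"`), including the cases that exist to be rejected on `client_auth`, `port` and `save_on_set`, so the model tests never exercise a rejection of the CRL fields themselves. One fixture with a non-boolean `enable_crl` (for example `"enable_crl": "yes"`) and one with a non-numeric `crl_expire_duration` would pin the `boolean`/`uint32` typing the yang change introduces. The expected-result entries that pair with these fixtures are not in this patch, so how negative cases are registered cannot be seen from here.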
+++ b/src/sonic-yang-models/yang-models/sonic-gnmi.yang
@@ -76,6 +76,15 @@ module sonic-gnmi {
 description "Flag for enabling save on set.";
 }
+ leaf enable_crl {
+ type boolean;
+ description "Flag for enable certificate revocation list.";
+ }
+
+ leaf crl_expire_duration {
+ type uint32;
+ description "Certificate revocation list cache expire duration.";
+ }
 }
 }
diff --git a/src/sonic-yang-models/yang-models/sonic-telemetry.yang b/src/sonic-yang-models/yang-models/sonic-telemetry.yang
index 5cbdf2bd9330..239f23666dda 100644
--- a/src/sonic-yang-models/yang-models/sonic-telemetry.yang
+++ b/src/sonic-yang-models/yang-models/sonic-telemetry.yang
@@ -76,6 +76,15 @@ module sonic-telemetry {
 description "Flag for enabling save on set.";
 }
+ leaf enable_crl {
+ type boolean;
+ description "Flag for enable certificate revocation list.";
+ }
+
+ leaf crl_expire_duration {
+ type uint32;
+ description "Certificate revocation list cache expire duration.";
+ }
 }
 }
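Review bot: `crl_expire_duration` in sonic-gnmi.yang is a bare `uint32` whose description names no unit, so an operator cannot tell whether the `86400` used by every fixture in this patch is seconds or something else; state it in the description, e.g. `description "Certificate revocation list cache expire duration, in seconds.";`, after confirming the unit against what the daemon's `--crl_expire_duration` flag expects. The `enable_crl` description reads awkwardly; `description "Flag for enabling certificate revocation list (CRL) checking of client certificates.";` says what the flag gates. Neither leaf declares a `default`, so the model does not state what an absent `enable_crl` means, while the wrapper scripts in this patch only pass `--enable_crl` when the value is exactly `"true"`; a `default false;` would make the model match that behaviour. The same two leaves in sonic-telemetry.yang need the same wording.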