Define authn policy enforcement test and add test certs and policy #1929
Conversation
|
secret trick, benson is an approver here. |
| * `testdata/leaf_key.pem`: private key for `leaf_cert.pem` | ||
| * `testdata/root_cert.pem`: trust bundle | ||
| * `testdata/policy_1.pb`: authentication policy that client certificates are tested against | ||
| * `loas3_disable_realm_consistency_check`: Server flag set according to [Tests](#tests) below. |
There was a problem hiding this comment.
nit: remove internal terminology loas3?
| ## Authentication Policy Enforcement | ||
|
|
||
| Test device enforcement of | ||
| [`gnsi.certz.v1.AuthenticationPolicy`](https://github.com/openconfig/gnsi/blob/main/certz/certz.proto) |
There was a problem hiding this comment.
@danielywong can you help provide a link to the doc/spec about the schema of the policy? Thanks.
| * `testdata/leaf_key.pem`: private key for `leaf_cert.pem` | ||
| * `testdata/bad_leaf_cert_1.pem`: client certificate issued by unauthorized issuer | ||
| * `testdata/bad_leaf_key_1.pem`: private key for `bad_leaf_cert_1.pem` | ||
| * `testdata/bad_leaf_cert_2.pem`: client certificate containing inconsistent trust domains |
There was a problem hiding this comment.
@danielywong Sorry, what is the definition of "trust domains" here? (e.g. which certificate attributes we are comparing?)
| * `testdata/bad_leaf_key_1.pem`: private key for `bad_leaf_cert_1.pem` | ||
| * `testdata/bad_leaf_cert_2.pem`: client certificate containing inconsistent trust domains | ||
| * `testdata/bad_leaf_key_2.pem`: private key for `bad_leaf_cert_2.pem` | ||
| * `testdata/bad_leaf_cert_3.pem`: client certificate containing inconsistent realm |
There was a problem hiding this comment.
@danielywong, regarding "inconsistent realm", can you help clarify what exact cert attributes are comparing? Thanks.
| All DUT services should also be configured with Authorization Policy that will grant | ||
| access to the clients' identities as minted in their certificates. | ||
|
|
||
| ### Tests {#tests} |
There was a problem hiding this comment.
nit: Certz-6.1 (#1563 defined Certz-1.x ----> Certz 5.x)
|
this got lost maybe? |
There was a problem hiding this comment.
@danielywong can you help merge with existing feature.textproto file? Thanks. (only a few lines additions, should be straightforward).
There was a problem hiding this comment.
@danielywong here is the existing file structure, https://github.com/openconfig/featureprofiles/tree/main/feature/security/gnsi/certz.
Can you help rename yours? Thanks. Basically:
- Create a new folder with name, say
authority_policy, and move your README.md there. - Move everything in your
testdatato the existingtest_data.
|
@danielywong just 2 comments about the file structure and I think we are good to merge, can you help address them?Thanks. |
No description provided.