Introduce initial TC-RR-1.1
- TC-RR-1.1 is a critical test to validate multi-fabric
  behavior is stable and actually works. The test, broadly,
  validates most of the minimas of the core elements of the spec,
  including ACL entries, certificate sizes, number of CASE
  sessions and subscriptions, number of paths, etc.

Issue project-chip#21736

- This PR introduces the core test and all associated minor
  changes to infrastructure to make it work.
- Still TODO:
  - More extensive cert size maximization (closer to 400 TLV bytes)
  - Add controller and commissionee CAT tags (test is 95% equivalent
    to test plan, but a couple of ACL fields differ because of this, in
    ways that don't detract from proving what needs proving)
  - Validation that local/peer session IDs have not changed. This is
    not technically needed with the SDK as-is based on the methodology
    but it would future-proof the test against some future optimizations
    that may change subscription behavior in a way that the test would
    not validate CASE sessions remain.
  - Clean-up more after the test, so that a factory reset before/after
    is not needed.

Testing done:
- Passes on Linux against all-clusters, all-clusters-minimal and
  lighting app, with both minimal mdns and Avahi.
- Passes on some other platforms (not named here)

To run within SDK (from scratch: the build steps can be skipped thereafter):

- In one terminal:
  - Build chip-lighting-app linux
  - `clear && rm -f kvs1 && out/debug/standalone/chip-lighting-app --discriminator 1234 --KVS kvs1 --trace_decode 1`

- In another terminal:
  - Build
    - `rm -rf out/python*`
    - `scripts/build_python.sh -m platform -i separate`
  - Run
    - `source ./out/python_env/bin/activate`
    - `python3 src/python_testing/TC_RR_1_1.py --commissioning-method on-network --long-discriminator 1234 --passcode 20202021`
      - Add `--bool-arg skip_user_label_cluster_steps:true` to the end of the command line
        if your DUT has broken UserLabel clusters (but if you have those, fix them :)
tcarmelveilleux committed Aug 19, 2022
1 parent c1f1c8b commit 1460e73
Showing 5 changed files with 24 additions and 10 deletions.
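--- a/src/controller/ExampleOperationalCredentialsIssuer.cpp
+++ b/src/controller/ExampleOperationalCredentialsIssuer.cpp
@@ -146,8 +146,8 @@ CHIP_ERROR IssueX509Cert(uint32_t now, uint32_t validity, ChipDN issuerDn, ChipD
 
 ReturnErrorOnFailure(ConvertX509CertToChipCert(paddedDerSpan, paddedTlvSpan));
 
-// TODO: REMOVE
-printf(" TLV: %d DER: %d\n", (int)paddedTlvSpan.size(), (int)paddedDerSpan.size());
+ChipLogProgress(Controller, "Generated maximized certificate with %u DER bytes, %u TLV bytes",
+static_cast<unsigned>(paddedDerSpan.size()), static_cast<unsigned>(paddedTlvSpan.size()));
 if (paddedDerSpan.size() <= kMaxDERCertLength && paddedTlvSpan.size() <= kMaxCHIPCertLength)
 {
 return CopySpanToMutableSpan(paddedDerSpan, outX509Cert);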
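Review bot: The new `ChipLogProgress` call sits above the `paddedDerSpan.size() <= kMaxDERCertLength && paddedTlvSpan.size() <= kMaxCHIPCertLength` check, so it reports "Generated maximized certificate" even for a candidate that then fails the size limits. What happens on the failing path is outside the hunk, but if the function retries with different padding, the log will show sizes that were never issued. Moving the call inside the `if` block, just before `return CopySpanToMutableSpan(paddedDerSpan, outX509Cert);`, keeps the message true to what was actually returned.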
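--- a/src/controller/python/OpCredsBinding.cpp
+++ b/src/controller/python/OpCredsBinding.cpp
@@ -415,7 +415,6 @@ ChipError::StorageType pychip_OpCreds_SetMaximallyLargeCertsUsed(OpCredsContext
 return CHIP_NO_ERROR.AsInteger();
 }
 
-
 void pychip_OpCreds_FreeDelegate(OpCredsContext * context)
 {
 Platform::Delete(context);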
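--- a/src/controller/python/chip/CertificateAuthority.py
+++ b/src/controller/python/chip/CertificateAuthority.py
@@ -200,7 +200,6 @@ def maximizeCertChains(self, enabled: bool):
 
 self._maximizeCertChains = enabled
 
-
 def __del__(self):
 self.Shutdown()
 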
14 changes: 11 additions & 3 deletions src/python_testing/TC_RR_1_1.py
Expand Up @@ -311,10 +311,18 @@ async def test_TC_RR_1_1(self):
if sub_test_failed:
asserts.fail("Failed step 7 !")

# Step 8: TODO: Validate sessions have not changed by doing a read on NodeLabel from all clients
# Step 8: Validate sessions have not changed by doing a read on NodeLabel from all clients
logging.info("Step 8: Read back NodeLabel directly from all clients")
for sub_idx, client in enumerate(client_list):
logging.info("Reading NodeLabel (%d/%d) from controller node %s" % (sub_idx + 1, len(client_list), client.name))

# Step 9: Fill user label list
label_readback = await self.read_single_attribute(client, node_id=self.dut_node_id, endpoint=0, attribute=Clusters.Basic.Attributes.NodeLabel)
asserts.assert_equal(label_readback, AFTER_LABEL)

# TODO: Compare before/after session IDs. Requires more native changes, and the
# subcription method above is actually good enough we think.

# Step 9: Fill user label list
if has_user_labels and not skip_user_label_cluster_steps:
await self.fill_user_label_list(dev_ctrl, self.dut_node_id)
else:
Expand Down Expand Up @@ -421,4 +429,4 @@ def build_acl(self, fabric_number, client_by_name, num_controllers_per_fabric):


if __name__ == "__main__":
default_matter_test_main()
default_matter_test_main(maximize_cert_chains=True)
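Review bot: The new `asserts.assert_equal(label_readback, AFTER_LABEL)` in the Step 8 loop carries no message, so a failure does not say which controller in `client_list` read a stale NodeLabel; `asserts.assert_equal(label_readback, AFTER_LABEL, "NodeLabel mismatch when read by %s" % client.name)` would. The step comment says it validates that sessions have not changed, but a successful read may not distinguish the original CASE session from a re-established one, as the TODO below it concedes; `# Step 8: Read NodeLabel back from every client (does not yet prove session IDs are unchanged)` would match what is actually checked. "subcription" in that TODO should read "subscription". test_TC_RR_1_1 starts and ends outside the hunk.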
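--- a/src/python_testing/matter_testing_support.py
+++ b/src/python_testing/matter_testing_support.py
@@ -133,6 +133,7 @@ class MatterTestConfig:
 discriminator: int = None
 setup_passcode: int = None
 commissionee_ip_address_just_for_testing: str = None
+maximize_cert_chains: bool = False
 
 qr_code_content: str = None
 manual_code: str = None
@@ -186,8 +187,8 @@ def _init_stack(self, already_initialized: bool, **kwargs):
 if (len(self._certificate_authority_manager.activeCaList) == 0):
 self._logger.warn(
 "Didn't find any CertificateAuthorities in storage -- creating a new CertificateAuthority + FabricAdmin...")
-ca = self._certificate_authority_manager.NewCertificateAuthority(caIndex = self._config.root_of_trust_index)
-ca.maximizeCertChains = True
+ca = self._certificate_authority_manager.NewCertificateAuthority(caIndex=self._config.root_of_trust_index)
+ca.maximizeCertChains = self._config.maximize_cert_chains
 ca.NewFabricAdmin(vendorId=0xFFF1, fabricId=self._config.fabric_id)
 elif (len(self._certificate_authority_manager.activeCaList[0].adminList) == 0):
 self._logger.warn("Didn't find any FabricAdmins in storage -- creating a new one...")
@@ -666,7 +667,7 @@ def _commission_device(self) -> bool:
 raise ValueError("Invalid commissioning method %s!" % conf.commissioning_method)
 
 
-def default_matter_test_main(argv=None):
+def default_matter_test_main(argv=None, **kwargs):
 """Execute the test class in a test module.
 This is the default entry point for running a test script file directly.
 In this case, only one test class in a test script is allowed.
@@ -692,6 +693,13 @@ def default_matter_test_main(argv=None):
 if len(matter_test_config.tests) > 0:
 tests = matter_test_config.tests
 
+# This is required in case we need any testing with maximized certificate chains.
+# We need *all* issuers from the start, even for default controller, to use
+# maximized chains, before MatterStackState init, others some stale certs
+# may not chain properly.
+if "maximize_cert_chains" in kwargs:
+matter_test_config.maximize_cert_chains = kwargs["maximize_cert_chains"]
+
 stack = MatterStackState(matter_test_config)
 test_config.user_params["matter_stack"] = stash_globally(stack)
 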
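Review bot: `default_matter_test_main(argv=None, **kwargs)` accepts any keyword and reads only `maximize_cert_chains`, so a misspelled option is dropped silently and the test runs with the `MatterTestConfig` default of `False`, passing without exercising the large certificate chains. An explicit keyword-only parameter, `def default_matter_test_main(argv=None, *, maximize_cert_chains: bool = False):` followed by `matter_test_config.maximize_cert_chains = maximize_cert_chains`, turns a typo into a `TypeError`. In `_init_stack` the flag is applied only on the branch that creates a new CertificateAuthority; whether CAs loaded from existing storage pick it up is not visible here, and the "stale certs" comment suggests it matters. The docstring of `default_matter_test_main` continues outside the hunk and should mention the new option.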
