featureprofiles icon indicating copy to clipboard operation
featureprofiles copied to clipboard
verified publisher icon openconfig

Fixed issue with credz.SSHWithPassword

Open swatisp98 opened this issue 3 months ago • 4 comments

============================================================ Why credz.SSHWithPassword can fail (DialSSH unimplemented):

credz.SSHWithPassword is a helper in our test infra that wraps SSH access through the Ondatra/binding layer. It does not necessarily call Go's native ssh.Dial ? instead it asks the ondatra binding to provide an SSH connection.

============ Root cause:

Direct ssh.Dial: Always attempts a TCP connection to the given host:port. credz.SSHWithPassword: An abstraction that requires the DUT binding to implement SSH access ? it can be unimplemented for some KNE devices, causing immediate failure.

==================== Recommended action:

Implement a simple fallback: Call credz.SSHWithPassword first (preferred), and if it returns an error (especially DialSSH unimplemented), fall back to ssh.Dial(sshAddr, ...)

swatisp98 avatar Oct 01 '25 11:10 swatisp98

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

google-cla[bot] avatar Oct 01 '25 11:10 google-cla[bot]

Pull Request Functional Test Report for #4664 / c21696cd786dfe0e2bc41df8edd60555f0573f75

Virtual Devices

Device Test Test Documentation Job Raw Log
Arista cEOS status
 SEC-3.1: Authentication
Cisco 8000E status
 SEC-3.1: Authentication
Cisco XRd status
 SEC-3.1: Authentication
Juniper ncPTX status
 SEC-3.1: Authentication
Nokia SR Linux status
 SEC-3.1: Authentication
Openconfig Lemming status
 SEC-3.1: Authentication

Hardware Devices

Device Test Test Documentation Raw Log
Arista 7808 status
 SEC-3.1: Authentication
Cisco 8808 status
 SEC-3.1: Authentication
Juniper PTX10008 status
 SEC-3.1: Authentication
Nokia 7250 IXR-10e status
 SEC-3.1: Authentication

Help

OpenConfigBot avatar Oct 01 '25 11:10 OpenConfigBot

Pull Request Test Coverage Report for Build 19284587007

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 10.411%
Totals Coverage Status
Change from base Build 19262752002: 0.0%
Covered Lines: 2224
Relevant Lines: 21361
💛 - Coveralls

coveralls avatar Oct 01 '25 11:10 coveralls

I believe this fallback option must be implemented for credentialz tests too for it to pass on KNE devices cc: @ram-mac

dipchauh avatar Nov 06 '25 22:11 dipchauh

@dipchauh @ram-mac

Other tests using this function are:

password_console_login_test.go ssh_password_login_disallowed_test.go

These do not have KNE profiles yet, once required profiles are created, will be implementing fallback mechanism for those as well

swatisp98 avatar Nov 10 '25 04:11 swatisp98

@dipchauh @ram-mac

Other tests using this function are:

password_console_login_test.go ssh_password_login_disallowed_test.go

These do not have KNE profiles yet, once required profiles are created, will be implementing fallback mechanism for those as well

I think this PR migrated Credz tests, too: https://github.com/openconfig/featureprofiles/pull/4511. Though I'm not quite sure what "KNE profiles" are, but I'm assuming it's safe to say that these tests are expected to fail for KNE platforms in it's current status?

In terms of "KNE Profiles" would that be replicating the same test with the fallback behavior under /path/to/kne_test/*_test.go or implementing an alternative ssh abstraction on KNE?

MarcCharlebois avatar Nov 10 '25 19:11 MarcCharlebois

@swatisp98 - The test is failing with these changes. Below is the error that throws up. Will pass on the logs to Lavanya (@lvaish05). Please take a look.

DUT does not support Service function: no match found in &{0x3c504d501ac0 0x3c504c0caac0 0x3c504c0caae0 0x3c504d9620c0} (type: *coverage.covDUT)

ram-mac avatar Nov 11 '25 11:11 ram-mac

@ram-mac Could you please attach complete fail logs:

If the error is due to unsupported Service function on the device, code will be modified to resolve dut name field (as in case of acctz and credz )

Sample code below:

'''

if err := binding.DUTAs(dut.RawAPIs().BindingDUT(), &servDUT); err != nil { t.Logf("DUT does not support Service function: %v", err) dialTarget := fmt.Sprintf("%s:%d", dut.Name(), defaultSSHPort) resolvedTarget, err := net.ResolveTCPAddr("tcp", dialTarget) if err != nil { t.Fatalf("Failed resolving ssh target %s", dialTarget) target := resolvedTarget.String() t.Logf("Target for ssh service: %s", target) } }

''' Could you please check and let us know if the test works with these changes.

swatipai30101998 avatar Nov 18 '25 10:11 swatipai30101998

@ram-mac

Can you please share complete fail logs, want to check where it's failing

swatipai30101998 avatar Nov 19 '25 08:11 swatipai30101998

@ram-mac

Can you please share complete fail logs, want to check where it's failing @swatipai30101998 - I have shared the log with @lvaish05.

ram-mac avatar Nov 24 '25 05:11 ram-mac

@ram-mac

Since this is being tested on hardware and not a KNE device Can you please share how does your binding and testbed files look like:

swatipai30101998 avatar Dec 09 '25 06:12 swatipai30101998

@ram-mac

Script is specific for KNE device qualification. It's not for hardware, Can you please qualify on KNE and let us know the results

path: feature/security/aaa/kne_tests/tls_authentication_over_grpc_test/tls_authentication_over_grpc_test.go

swatipai30101998 avatar Dec 10 '25 05:12 swatipai30101998