
Conversation

@ram-mac (Contributor) commented Oct 31, 2025

Fixed the host_certificate test by just adding the fqdn

@ram-mac ram-mac requested review from a team as code owners October 31, 2025 05:36
@gemini-code-assist (Contributor) commented
Summary of Changes

Hello @ram-mac, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a failure in the host certificate test specifically for Arista devices. The core change involves ensuring that the ssh-keyscan utility, used to retrieve host keys, correctly identifies the target device by incorporating its Fully Qualified Domain Name (FQDN). This modification ensures the test accurately reflects real-world network configurations and passes reliably.

Highlights

  • Test Fix: The host_certificate test for Arista devices has been fixed to ensure proper host key retrieval.
  • FQDN Integration: A Fully Qualified Domain Name (FQDN) is now explicitly used when retrieving host keys, addressing issues with device identification.
  • GetConfiguredHostKey Function Update: The GetConfiguredHostKey function has been updated to accept an FQDN parameter, which is then used to construct the target for the ssh-keyscan command.

@OpenConfigBot commented Oct 31, 2025

Pull Request Functional Test Report for #4768 / 3a78502

Virtual Devices

Device              Test                              Job       Raw Log
Arista cEOS         Credentialz-3: Host Certificates  c7a11884  Log
Cisco 8000E         Credentialz-3: Host Certificates  e6fe02c4  Log
Cisco XRd           Credentialz-3: Host Certificates  c65224e9  Log
Juniper ncPTX       Credentialz-3: Host Certificates  feb9ac39  Log
Nokia SR Linux      Credentialz-3: Host Certificates  10e60de7  Log
Openconfig Lemming  Credentialz-3: Host Certificates  f90939c2  Log

Hardware Devices

Device               Test
Arista 7808          Credentialz-3: Host Certificates
Cisco 8808           Credentialz-3: Host Certificates
Juniper PTX10008     Credentialz-3: Host Certificates
Nokia 7250 IXR-10e   Credentialz-3: Host Certificates

@gemini-code-assist (Contributor) left a comment
Code Review

This pull request aims to fix a host certificate test for Arista devices by including the FQDN when scanning for the host key. The changes modify GetConfiguredHostKey to accept an FQDN and update the test to provide one. My review has identified a few areas for improvement. The new logic in GetConfiguredHostKey could be more robust when handling an empty FQDN. The test now hardcodes an FQDN, which impacts portability. Finally, there's a potential inconsistency between the hostname used in the test and the principal name embedded in the host certificate, which could make the test brittle. Details and suggestions are in the specific comments.

}
wantHostKey := strings.Trim(string(ssh.MarshalAuthorizedKey(cert.Key)), "\n")
gotHostKey := credz.GetConfiguredHostKey(t, dut, "ssh-ed25519")
gotHostKey := credz.GetConfiguredHostKey(t, dut, "ssh-ed25519", devFqdn)
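Review bot: `devFqdn` is passed at this call site but nothing in the hunk shows where it is defined, and the review summary says the test now hardcodes it; a hardcoded domain suffix ties the test to one lab's DNS naming, so it should come from a test flag or the testbed binding with a documented default, and the test should fail early with a clear message if the value is empty rather than letting ssh-keyscan run against an unintended target.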
Severity: high

There appears to be an inconsistency between the certificate principal and the hostname used for connection. The host certificate is created with the principal dut.test.com (hardcoded in credz.CreateHostCertificate), but GetConfiguredHostKey is called with an FQDN that results in connecting to <dut.Name()>.net.google.com. For a robust test of SSH certificate authentication, the connection hostname should match a principal in the certificate. This might be working due to ssh-keyscan not strictly validating the hostname, but it makes the test brittle. It would be better to use a consistent hostname for both creating the certificate and for ssh-keyscan.

// keys.
func GetConfiguredHostKey(t *testing.T, dut *ondatra.DUTDevice, algo string) string {
func GetConfiguredHostKey(t *testing.T, dut *ondatra.DUTDevice, algo string, fqdn string) string {
dutTarget := fmt.Sprintf("%s.%s", dut.Name(), fqdn)
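Review bot: the new parameter is named `fqdn`, but `dutTarget := fmt.Sprintf("%s.%s", dut.Name(), fqdn)` treats it as a domain suffix appended to `dut.Name()`, so a caller that passes a real fully qualified name gets `name.name.domain`; rename it to `domain` (or `domainSuffix`) and extend the `// keys.` doc comment to say the suffix is joined to the device name, and skip the join when the value is empty so the ssh-keyscan target never ends in a bare trailing dot.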
Severity: medium

The current logic fmt.Sprintf("%s.%s", dut.Name(), fqdn) will append a trailing dot to dut.Name() if fqdn is an empty string. This could lead to unexpected behavior or connection failures, and differs from the original behavior where just dut.Name() would be used. It would be more robust to only append the FQDN when it's provided.

For example, you could replace this line with logic like this:

dutTarget := dut.Name()
if fqdn != "" {
	dutTarget = fmt.Sprintf("%s.%s", dut.Name(), fqdn)
}

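The two review points above (a target that must not grow a trailing dot when no suffix is given, and a certificate whose principals should cover the name actually scanned) are shown below as an added, self-contained example. It is not code from this pull request or from the featureprofiles credz package: `KeyscanTarget`, `HostKeyFromKeyscan`, `PrincipalCovers`, `VerifyHostKey` and the sample ssh-keyscan output and key strings are all constructed for illustration, and the example assumes the standard ssh-keyscan line shape of `host algorithm base64-key` with `#` comment lines.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample data (not real keys). The ed25519 line is the one the
// host certificate in this scenario is assumed to carry.
const (
	sampleTarget  = "dut1.example.net"
	SampleWantKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyExampleKeyExampleKeyExampleKey00"
	SampleKeyscan = "# dut1.example.net:22 SSH-2.0-OpenSSH_9.6\n" +
		"dut1.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleRsaKeyNotRealNotReal\n" +
		"dut1.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyExampleKeyExampleKeyExampleKey00\n"
)

// KeyscanTarget builds the name handed to ssh-keyscan. The suffix is joined
// only when non-empty, so an empty suffix keeps the original behaviour of
// scanning the bare device name instead of producing "name." with a trailing dot.
func KeyscanTarget(name, suffix string) string {
	suffix = strings.TrimSuffix(strings.TrimSpace(suffix), ".")
	if suffix == "" {
		return name
	}
	return name + "." + suffix
}

// HostKeyFromKeyscan picks the key of the requested algorithm for target out
// of ssh-keyscan output and returns it in authorized_keys form
// ("algo base64key", no trailing newline), the same shape that
// ssh.MarshalAuthorizedKey yields for the key embedded in a host certificate
// once the newline is trimmed.
func HostKeyFromKeyscan(output, target, algo string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue // ssh-keyscan emits the server banner as a '#' comment
		}
		fields := strings.Fields(line)
		if len(fields) < 3 {
			return "", fmt.Errorf("malformed ssh-keyscan line: %q", line)
		}
		if fields[0] != target || fields[1] != algo {
			continue
		}
		return fields[1] + " " + fields[2], nil
	}
	return "", fmt.Errorf("no %s host key for %s in ssh-keyscan output", algo, target)
}

// PrincipalCovers reports whether the scanned target is listed as a principal
// of the host certificate (exact match, this example's policy). ssh-keyscan
// does not perform this check, which is why a principal/target mismatch can
// pass a key comparison yet still leave a real SSH client refusing the host.
func PrincipalCovers(target string, principals []string) bool {
	for _, p := range principals {
		if p == target {
			return true
		}
	}
	return false
}

// VerifyHostKey ties the pieces together for one device: build the target,
// require that the certificate names it, then compare the scanned key with
// the key taken from the certificate.
func VerifyHostKey(name, suffix, algo, keyscanOutput, wantKey string, principals []string) error {
	target := KeyscanTarget(name, suffix)
	if !PrincipalCovers(target, principals) {
		return fmt.Errorf("target %s is not among certificate principals %v", target, principals)
	}
	got, err := HostKeyFromKeyscan(keyscanOutput, target, algo)
	if err != nil {
		return err
	}
	want := strings.TrimSpace(wantKey)
	if got != want {
		return fmt.Errorf("host key mismatch for %s: got %q, want %q", target, got, want)
	}
	return nil
}

func main() {
	// A certificate issued for dut.test.com does not cover dut1.example.net.
	fmt.Println("mismatched principal:",
		VerifyHostKey("dut1", "example.net", "ssh-ed25519", SampleKeyscan, SampleWantKey+"\n", []string{"dut.test.com"}))
	// Consistent naming: principal and scanned target agree, keys agree.
	fmt.Println("consistent naming:",
		VerifyHostKey("dut1", "example.net", "ssh-ed25519", SampleKeyscan, SampleWantKey+"\n", []string{sampleTarget}))
}
```

Running `main` prints an error for the first call and `<nil>` for the second; the principal check is what turns the "works only because ssh-keyscan does not validate the hostname" situation into an explicit test failure.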
@coveralls commented Oct 31, 2025

Pull Request Test Coverage Report for Build 18979385340

Details

  • 0 of 3 (0.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 11.082%

Changes missing coverage:

File                               Covered Lines  Changed/Added Lines  %
internal/security/credz/credz.go   0              3                    0.0%

Totals:

Change from base Build 18964170800: 0.0%
Covered Lines: 2224
Relevant Lines: 20069

💛 - Coveralls

@singhavnish2516 (Contributor) left a comment

LGTM after the latest commit.

@singhavnish2516 singhavnish2516 self-assigned this Oct 31, 2025
@ram-mac ram-mac merged commit b4111ef into openconfig:main Nov 1, 2025
14 checks passed
goabhinav pushed a commit to goabhinav/featureprofiles that referenced this pull request Nov 12, 2025
* fix host_cert test for Arista

* added args

---------

Co-authored-by: Avnish Singh <singhavnish@google.com>
ElodinLaarz pushed a commit to ElodinLaarz/featureprofiles that referenced this pull request Nov 24, 2025
* fix host_cert test for Arista

* added args

---------

Co-authored-by: Avnish Singh <singhavnish@google.com>