Adding support for wildcard CN matching during client cert authentication #168
Merged: prsunny merged 8 commits into sonic-net:master, Jan 14, 2026
Conversation
…tion. Signed-off-by: Mahdi Ramezani <mramezani@microsoft.com>
Signed-off-by: Mahdi Ramezani <mramezani@microsoft.com>
…mezani95/sonic-restapi into mramezani/cert_cn_subdomain_matching
Signed-off-by: Mahdi Ramezani <mramezani@microsoft.com>
prsunny (Collaborator) previously approved these changes, Jan 13, 2026:
@mramezani95 , can you also give the ADO number in description?
Pull request overview
This PR adds support for wildcard Common Name (CN) matching during client certificate authentication in the REST API server. The implementation allows the server to match client certificate CNs against trusted CNs that can now include wildcards (prefixed with `*`), while maintaining backward compatibility with exact matching.
Changes:
- Implemented wildcard CN matching logic in the authentication function with `*` prefix support
- Added comprehensive unit tests covering both exact matching and various wildcard matching scenarios
- Updated test infrastructure to support HTTPS client certificate testing with the `get_heartbeat` endpoint
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| go-server-server/go/auth.go | Implements wildcard matching logic using string suffix checking; updates log messages |
| test/test_restapi.py | Adds ClientCert context manager and 13 test cases for exact and wildcard matching scenarios |
| test/restapi_client.py | Extends get method to support client certificate authentication; adds get_heartbeat helper method |
| supervisor/rest_api_test.conf | Configures trusted CNs for testing: test.client.restapi.sonic, *.example.sonic, *test.sonic |
| azurepipeline.yml | Exposes port 8081 for HTTPS testing |
Signed-off-by: Mahdi Ramezani <mramezani@microsoft.com>
184e26f to 6457099
Cherry-pick PR to 202505: #176
Cherry-pick PR to 202511: #177
qiluo-msft pushed a commit that referenced this pull request, Jan 15, 2026:
Microsoft ADO ID: 36341347
PR #168 added support for wildcard matching between client cert CNs and trusted CNs. This PR changes the wildcard matching logic based on a discussion with @qiluo-msft and @prsunny.
Changes:
1. Wildcard patterns starting with `*` but not `*.` (e.g., `*example.sonic`) are no longer valid. These patterns are skipped during the matching.
2. `*.` is not a valid trusted CN and will be skipped if present.
3. `*` must match one or more characters. For example, `*.example.sonic` will not match `.example.sonic`.
**Note 1:** Comparison is always case sensitive, but `*` can match both upper and lower case characters. For example, `*.example.sonic` matches `TEST.example.sonic`, but it does not match `TEST.EXAMPLE.SONIC`.
**Note 2:** Multi-level subdomain matching is allowed for wildcard patterns. For example, `*.example.sonic` matches `test.example.sonic`, `sub.test.example.sonic`, `one.sub.test.example.sonic`, and so on.
mssonicbld added a commit to mssonicbld/sonic-restapi that referenced this pull request, Jan 15, 2026 (same commit message as above).
mssonicbld added a commit to mssonicbld/sonic-restapi that referenced this pull request, Jan 15, 2026 (same commit message as above).
mssonicbld added a commit that referenced this pull request, Jan 16, 2026 (same commit message as above).
mssonicbld added a commit that referenced this pull request, Jan 16, 2026 (same commit message as above).
qiluo-msft pushed a commit to sonic-net/sonic-buildimage that referenced this pull request, Feb 12, 2026:
#### Why I did it
sonic-net/sonic-restapi#168 and sonic-net/sonic-restapi#175 add support for wildcard CN matching in sonic-gnmi. The pattern for `client_crt_cname` in restapi's YANG model needs to be updated accordingly (to allow for wildcard CNs).
##### Work item tracking
- Microsoft ADO **(number only)**: 36744821
#### How I did it
Modified the YANG model pattern for `client_crt_cname` so that each CN can start with `*.`.
mssonicbld added a commit to mssonicbld/sonic-buildimage that referenced this pull request, Feb 12, 2026 (same commit message as above; backport branches 202411, 202505, 202511 selected; tested on master).
mssonicbld added a commit to mssonicbld/sonic-buildimage that referenced this pull request, Feb 12, 2026 (same commit message as above).
FengPan-Frank pushed a commit to FengPan-Frank/sonic-buildimage that referenced this pull request, Mar 6, 2026 (same commit message as above; Signed-off-by: Feng Pan <fenpan@microsoft.com>).
vmittal-msft pushed a commit to sonic-net/sonic-buildimage that referenced this pull request, Mar 16, 2026 (same commit message as above).
dprital pushed a commit to sonic-net/sonic-buildimage that referenced this pull request, Mar 19, 2026 (same commit message as above; Signed-off-by: dprital <drorp@nvidia.com>).
Microsoft ADO ID: 36341347
This PR enables the restapi container (acting as a REST API server) to match Common Names (CNs) provided in the client certificate against trusted wildcard CNs during authentication.
Note 1: Exact matching is still supported.
Note 2: `*` can only appear at the beginning of a trusted CN.
Examples:
- `*.example.com` matches `one.example.com` and `two.one.example.com`, but it does not match `example.com` or `example.com.edu` (wildcard matching).
- `example.com` only matches `example.com` (exact matching).
Unit tests are also included in this PR to verify the expected behavior. For unit tests, trusted CNs are `test.client.restapi.sonic`, `*.example.sonic`, and `*test.sonic`. For each unit test, we generate a new client certificate and sign it with the self-signed certificate under `cert/client/`.
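The trusted CN check described in this PR description, with the refined wildcard rules from the PR #175 commit message above (only `*.`-prefixed patterns are valid, `*` must cover at least one character, comparison stays case sensitive, multi-level subdomains are allowed), as an added Go example. This is not the project's `auth.go`; the comma-separated trusted CN list format, the function names and reading the CN from `Subject.CommonName` are assumptions made for this example.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"strings"
)

// parseTrustedCNs splits a comma-separated trusted CN list and trims blanks.
// The comma-separated format is an assumption for this example.
func parseTrustedCNs(raw string) []string {
	var cns []string
	for _, cn := range strings.Split(raw, ",") {
		if cn = strings.TrimSpace(cn); cn != "" {
			cns = append(cns, cn)
		}
	}
	return cns
}

// isValidWildcard reports whether a trusted CN beginning with '*' is a usable
// pattern: it must start with "*." and have at least one character after it.
// "*", "*." and "*test.sonic" are therefore all rejected (skipped, never matched).
func isValidWildcard(trusted string) bool {
	return strings.HasPrefix(trusted, "*.") && len(trusted) > len("*.")
}

// matchTrustedCN returns the trusted entry that accepts clientCN, if any.
// Entries without a leading '*' must match exactly; wildcard entries match when
// the CN ends with the part after '*' and '*' covers one or more characters
// (which may include further dots, so multi-level subdomains match).
// strings.HasSuffix is case sensitive, so "*.example.sonic" accepts
// "TEST.example.sonic" but not "TEST.EXAMPLE.SONIC".
func matchTrustedCN(clientCN string, trustedCNs []string) (string, bool) {
	for _, trusted := range trustedCNs {
		if strings.HasPrefix(trusted, "*") {
			if !isValidWildcard(trusted) {
				continue // invalid pattern: skip rather than fail open
			}
			suffix := trusted[1:] // "*.example.sonic" -> ".example.sonic"
			if len(clientCN) > len(suffix) && strings.HasSuffix(clientCN, suffix) {
				return trusted, true
			}
			continue
		}
		if clientCN == trusted {
			return trusted, true
		}
	}
	return "", false
}

// authorizeClientCert applies the trusted CN check to the Subject CN of a
// client certificate whose chain has already been verified by the TLS layer.
func authorizeClientCert(cert *x509.Certificate, trustedCNs []string) error {
	if cert == nil {
		return errors.New("no client certificate presented")
	}
	cn := cert.Subject.CommonName
	if _, ok := matchTrustedCN(cn, trustedCNs); !ok {
		return fmt.Errorf("client CN %q does not match any trusted CN", cn)
	}
	return nil
}

func main() {
	// Constructed trusted list using the three CNs from this PR's test config.
	trusted := parseTrustedCNs("test.client.restapi.sonic, *.example.sonic, *test.sonic")
	for _, cn := range []string{
		"test.client.restapi.sonic", // exact match
		"one.example.sonic",         // single-level wildcard match
		"two.one.example.sonic",     // multi-level wildcard match
		"TEST.example.sonic",        // '*' may cover upper case
		"TEST.EXAMPLE.SONIC",        // suffix comparison is case sensitive
		".example.sonic",            // '*' must cover at least one character
		"example.sonic",             // wildcard does not cover the bare domain
		"other-test.sonic",          // "*test.sonic" is not a valid pattern
	} {
		cert := &x509.Certificate{Subject: pkix.Name{CommonName: cn}}
		if err := authorizeClientCert(cert, trusted); err != nil {
			fmt.Println("reject:", err)
		} else {
			fmt.Println("accept:", cn)
		}
	}
}
```

Under these rules the `*test.sonic` entry from the unit-test configuration is skipped entirely, so a certificate with CN `other-test.sonic` is rejected; only `*.`-anchored patterns can match, which keeps a wildcard from accepting CNs that merely share a trailing substring with the trusted name.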