Changing the wildcard matching logic for client cert common names #175
Signed-off-by: Mahdi Ramezani <mramezani@microsoft.com>
Pull request overview
This PR refines the wildcard matching logic for client certificate Common Names (CNs) during authentication. The changes restrict wildcard patterns to be more secure and predictable by requiring that wildcard patterns start with *. (not just *) and only match single-level subdomains.
Changes:
- Modified wildcard CN validation to reject patterns starting with `*` that don't follow the `*.` format (e.g., `*test.sonic` is no longer valid)
- Updated wildcard matching to only match single-level subdomains by comparing dot counts between the pattern and client CN
- Refactored the loop structure to validate wildcard patterns once per trusted CN rather than per certificate-CN pair
- Updated test cases to validate the new single-level subdomain matching behavior and rejection of invalid wildcard patterns
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| go-server-server/go/auth.go | Implements stricter wildcard pattern validation and single-level subdomain matching logic |
| test/test_restapi.py | Updates test cases to verify new wildcard matching behavior, including rejection of multi-level subdomains and invalid wildcard patterns |
Signed-off-by: Mahdi Ramezani <mramezani@microsoft.com>
/azp run

Azure Pipelines successfully started running 1 pipeline(s).
| continue; | ||
| } | ||
| for _, peercert := range r.TLS.PeerCertificates { | ||
| commonName := peercert.Subject.CommonName |
…ew unit tests. Signed-off-by: Mahdi Ramezani <mramezani@microsoft.com>
/azp run

Azure Pipelines successfully started running 1 pipeline(s).
| is_wildcard := false | ||
| domain := name | ||
| if strings.HasPrefix(name, "*.") { | ||
| if len(name) < 3 { |
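Review bot: the `if len(name) < 3` guard after `strings.HasPrefix(name, "*.")` exists only to reject the bare `*.` entry, which the prefix check alone would accept as a wildcard; that intent is not visible from the code, so add the one-line comment the reviewer asked for above it (e.g. `// A bare "*." is not a valid trusted CN; skip it.`). Since the prefix check already implies `len(name) >= 2`, the condition is equivalent to `name == "*."`, which would read more directly than a length comparison.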
can you add a comment above the check?
This is to make sure that `*.` is not a valid trusted CN.
prsunny left a comment:

lgtm, @qiluo-msft could you review/approve?
Cherry-pick PR to 202505: #178

Cherry-pick PR to 202511: #179
Description of PR: Adding some restapi sonic-mgmt tests to verify the Common Name (CN) matching logic during client cert authentication.
Summary: Microsoft ADO ID: 36622838. This PR adds some test cases to verify the CN matching logic during client cert authentication with the restapi service. The CN matching logic was changed in sonic-net/sonic-restapi#175 to support wildcard matching.
#### Why I did it
sonic-net/sonic-restapi#168 and sonic-net/sonic-restapi#175 add support for wildcard CN matching in sonic-gnmi. The pattern for `client_crt_cname` in restapi's YANG model needs to be updated accordingly (to allow for wildcard CNs).
##### Work item tracking
- Microsoft ADO **(number only)**: 36744821
#### How I did it
Modified the YANG model pattern for `client_crt_cname` so that each CN can start with `*.`.
#### How to verify it
Run the updated restapi YANG tests.
#### Which release branch to backport (provide reason below if selected)
- [ ] 202305
- [ ] 202311
- [ ] 202405
- [x] 202411
- [x] 202505
- [x] 202511
#### Tested branch (Please provide the tested image version)
- [x] master
#### Description for the changelog
Updating restapi's YANG model to allow wildcard CNs in the `client_crt_cname` field.
#### Link to config_db schema for YANG module changes
https://github.com/sonic-net/sonic-buildimage/blob/master/src/sonic-yang-models/doc/Configuration.md#restapi
Microsoft ADO ID: 36341347
PR #168 added support for wildcard matching between client cert CNs and trusted CNs. This PR changes the wildcard matching logic based on a discussion with @qiluo-msft and @prsunny.
Changes:
- Wildcard patterns starting with `*` but not `*.` (e.g., `*example.sonic`) are no longer valid. These patterns are skipped during the matching.
- `*.` is not a valid trusted CN and will be skipped if present.
- `*` must match one or more characters. For example, `*.example.sonic` will not match `.example.sonic`.

Note 1: Comparison is always case sensitive, but `*` can match both upper and lower case characters. For example, `*.example.sonic` matches `TEST.example.sonic`, but it does not match `TEST.EXAMPLE.SONIC`.

Note 2: Multi-level subdomain matching is allowed for wildcard patterns. For example, `*.example.sonic` matches `test.example.sonic`, `sub.test.example.sonic`, `one.sub.test.example.sonic`, and so on.
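The matching rules are spread across this page: the description above gives the pattern-validity and case-sensitivity rules, while the Copilot overview and the updated test cases state that the reviewed code matches only single-level subdomains by comparing dot counts (Note 2 above describes the earlier multi-level behaviour). The following is an added, self-contained Go example that is not the project's own `auth.go` code; it implements the single-level rule as summarised in the review, and `parseTrustedCN`, `matchCN` and `authorized` are hypothetical helper names chosen for illustration. The sample trusted and client CNs in `main` are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// parseTrustedCN classifies one configured trusted CN (hypothetical helper,
// not the project's own function). It returns the suffix a wildcard must
// match, whether the entry is a wildcard, and whether the entry is valid at
// all. Invalid wildcard entries are skipped by the caller, mirroring the
// "continue" in the reviewed loop.
func parseTrustedCN(name string) (suffix string, isWildcard bool, ok bool) {
	if !strings.HasPrefix(name, "*") {
		return name, false, true // plain CN: exact, case-sensitive comparison
	}
	if !strings.HasPrefix(name, "*.") {
		return "", false, false // "*example.sonic": not a valid pattern, skipped
	}
	if len(name) < 3 {
		return "", false, false // bare "*.": not a valid trusted CN, skipped
	}
	return name[1:], true, true // "*.example.sonic" -> ".example.sonic"
}

// matchCN reports whether clientCN is accepted by a single trusted CN.
func matchCN(trusted, clientCN string) bool {
	suffix, wildcard, ok := parseTrustedCN(trusted)
	if !ok {
		return false
	}
	if !wildcard {
		return clientCN == trusted
	}
	// "*" must cover at least one character, so ".example.sonic" is rejected;
	// the suffix keeps its leading dot, so "xexample.sonic" is rejected too.
	// HasSuffix is case sensitive: "TEST.EXAMPLE.SONIC" does not match.
	if len(clientCN) <= len(suffix) || !strings.HasSuffix(clientCN, suffix) {
		return false
	}
	// Single-level rule: with the suffix already matched, equal dot counts
	// mean the part covered by "*" contains no dot.
	return strings.Count(clientCN, ".") == strings.Count(trusted, ".")
}

// authorized applies the trusted-CN list to every presented certificate CN,
// validating each pattern once before looping over the peer CNs.
func authorized(trustedCNs, peerCNs []string) bool {
	for _, trusted := range trustedCNs {
		if _, _, ok := parseTrustedCN(trusted); !ok {
			continue // invalid pattern: skipped without touching any certificate
		}
		for _, cn := range peerCNs {
			if matchCN(trusted, cn) {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed sample configuration and client CNs.
	trusted := []string{"admin.sonic", "*example.sonic", "*.", "*.example.sonic"}
	for _, cn := range []string{
		"admin.sonic", "ADMIN.sonic", "test.example.sonic", "TEST.example.sonic",
		"TEST.EXAMPLE.SONIC", "sub.test.example.sonic", ".example.sonic", "testexample.sonic",
	} {
		fmt.Printf("%-24s -> %v\n", cn, authorized(trusted, []string{cn}))
	}
}
```

The dot-count comparison only works because the suffix has already been matched; on its own it would accept `test.other.sonic` for `*.example.sonic`, so the order of the two checks matters when porting this logic.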