From 4fd5d52900a1b92590ee1e3450be5b6a43c41d6b Mon Sep 17 00:00:00 2001 From: Ryan Shea <115602+sourcequench@users.noreply.github.com> Date: Sun, 22 Sep 2024 17:11:00 -0400 Subject: [PATCH] Adding GLOME featureprofile tests (#3429) * Adding cases for GLOME. * GLOME additions. * Adding glome test case. --- .../security/gnsi/credentialz/tests/README.md | 38 ++++++++++++++++++- 1 file changed, 36 insertions(+), 2 deletions(-) diff --git a/feature/security/gnsi/credentialz/tests/README.md b/feature/security/gnsi/credentialz/tests/README.md index 5a6e51e3d13..08442078f8d 100644 --- a/feature/security/gnsi/credentialz/tests/README.md +++ b/feature/security/gnsi/credentialz/tests/README.md @@ -63,6 +63,19 @@ stream.Send( ) ``` +### Configure and enable GLOME + +``` +stream.Send( + RotateHostParametersRequest { + enabled: true, + key: "4242424242424242424242424242424242424242424242", + key_version: 4, + url_prefix: "https://example.invalid", + } +) +``` + ### Populate Authorized Principals ``` @@ -204,7 +217,7 @@ and * Create a ssh CA keypair with `ssh-keygen -f /tmp/ca`. * Fetch the ssh server's host public key. * Sign the public key from the previous step into a host certificate using the - CA key `ssh-keygen -s /tmp/ca -I dut -h -n dut.test.com -V +52w + CA key `ssh-keygen -s /tmp/ca -I dut -h -n dut.example.invalid -V +52w /location/of/host/public_key.pub` * Add the certificate to the server (see RotateHostParameters, AuthenticationArtifacts, certificate) 
@@ -281,6 +294,28 @@ and * Ensure that access rejects telemetry counter is incremented `/oc-sys:system/oc-sys:ssh-server/oc-sys:state:counters:access-rejects` +### Credentialz-6, GLOME Configuration + +#### Setup +* Create a glome key with `glome` following [these + instructions](https://github.com/google/glome?tab=readme-ov-file#getting-started). +* Send a RotateHostParameters GlomeRequest message, with key, key_version, and + prefix_url. + +#### Pass case +* Attempt a console connection. + * Prompt must include a GLOME challenge. + * Use the `glome` binary along with your generated key to generate an + authorization code. + * Use the authorization code at the console prompt. + * Authorization must succeed. + * Ensure telemetry values for version and enabled match what was set in Setup. + +#### Fail case +* Attempt a console connection. + * Enter `fake-authorization-code` in the prompt. + * Authentication must fail. +======= ## OpenConfig Path and RPC Coverage The below yaml defines the OC paths intended to be covered by this test. OC paths used for test setup are not listed here. @@ -292,4 +327,3 @@ rpcs: gnsi: credentialz.v1.Credentialz.RotateAccountCredentials: ``` -
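Review bot: In the `### Configure and enable GLOME` hunk, the example sets `url_prefix` directly on `RotateHostParametersRequest`, while the Credentialz-6 Setup text added later in this patch describes a "RotateHostParameters GlomeRequest message" with `prefix_url`. Pick one field name and one message shape, matching the credentialz proto, and use it in both places. The example also does not say whether `key` is the private or the public half of the GLOME key pair, or what encoding and length the field expects; a short comment next to `key:` would keep a test author from sending the wrong half to the device.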
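Review bot: In the host certificate step (`ssh-keygen -s /tmp/ca -I dut -h -n dut.example.invalid -V +52w`), the principal is now a placeholder name, so the step should say that the `-n` value has to be replaced with the hostname the test client actually uses to reach the DUT. This hostname change is unrelated to GLOME and the commit message does not mention it; a line there would help anyone reading the history.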
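Review bot: The Credentialz-6 hunk ends by adding a bare `=======` line directly above `## OpenConfig Path and RPC Coverage`, which looks like a leftover merge conflict marker; remove it and leave a blank line before the heading. In the Pass case, "Ensure telemetry values for version and enabled match what was set in Setup" names no paths, unlike the access-rejects check just above it, which gives the full `/oc-sys:system/...` path; list the paths to read. The Fail case only covers the literal `fake-authorization-code`; consider adding a case with `enabled: false` and a case using a code generated from a key other than the one sent in Setup, so the test shows that the device checks the code against the configured key.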