Test RecordSubscribe for all (since epoch) records

• For each of the supported service types in gnsi.acctz.v1.GrpcService.GrpcServiceType:

  • Alternate connecting to the IPv4 and Ipv6 addresses of the DUT, recording the local and remote IP addresses and port numbers,
  • Call a few RPCs that will generate accounting records and that, by authorization configuration, should be permitted and a few that should be denied, and some that include arbitrary arguments (eg: interface description), pause for 1 second after the first RPC of this test to ensure its timestamp differs from subsequent RPCs.

• Establish gNSI connection to the DUT.

• Call gnsi.acctz.v1.Acctz.RecordSubscribe with RecordRequest.timestamp = 0; this might return records that preceded the beginning of this test.

• Verify that RecordResponse.history_istruncated is false.

• Verify that accurate accounting records are returned for the commands/RPCs that were run, both permitted and denied.

  • If start/stop accounting is supported, each connection's accounting should be preceded by a start (login) record for the service and the records associated with the RPCs sent during the connection should be followed by a logout record.
  • For each RecordResponse returned, check/confirm that:
    • session_info. :
      • .{layer4_proto, local_address, local_port, remote_address, remote_port}, ip_proto must match those recorded earlier
      • .channel_id = 0 for ssh and grpc.
      • .tty must be populated and correct, if applicable to the platform & access method, else omitted
      • .status must equal the operation, else UNSPECIFIED if there isn't a corresponding enumeration. It must equal ONCE for connections where each RPC/command is authenticated (eg: gRPC metadata authen). If the operation was not LOGIN, ONCE, or ENABLE, authen must be omitted, else it must be populated:
        • .authen.type must equal the authentication method used.
        • .authen.status must equal the status of the authentication operation. if FAIL or ERROR, cause should be populated, if SUCCESS, cause might be populated.
      • .user.identity must match the username used to authenticate to the DUT
      • .user.privilege_level must match the user’s privilege level, if applicable to the platform
    • timestamp is after (greater than) RecordRequest.timestamp
    • session_info.service_request must be a GrpcService.
    • grpc_service. :
      • .service_type must equal the service used
      • .rpc_name must equal the path of the RPC call made
      • .payloads must equal the payload of the RPC sent.
      • If any of the payloads is truncated, payload_istruncated must be true, else false.
    • for authorization:
      • .status must equal to the expected and actual authorization status for the RPC
      • if .status is PERMIT, .detail might be populated with additional information
      • if .status is DENY or ERROR, .detail should be populated with the reason

• task_ids might be populate with platform-specific information

The below yaml defines the OC paths intended to be covered by this test. OC paths used for test setup are not listed here.

TODO(OCRPC): Record may not be complete

paths:
    ### Prefix:
    # Accounting does not currently support any telemetry; see https://github.com/openconfig/gnsi/issues/97 where it might become /system/aaa/acctz/XXX
rpcs:
  gnsi:
    acctz.v1.Acctz.RecordSubscribe:
      "RecordRequest.timestamp=0": true
      "RecordResponse.service_request = GrpcService": true

vRX