[TACACS+] Add TACACS per-command accounting test case. #4674
Merged
liuh-80
merged 49 commits into
sonic-net:master
from
liuh-80:dev/liuh/tacacs_accounting_ut
Jan 4, 2022
Changes from 42 commits
Commits
57d4421 (liuh-80) tacacs test: fixed UT failed when first connect to test VM.
4279a3a (liuh-80) Fix by disable warning.
fb9f62a (liuh-80) Merge branch 'Azure:master' into master
211e93d Check-in first UT
7f751c5 (liuh-80) Add new UT, and improve code.
153cde2 (liuh-80) Add UT for per-command authorization.
0b50e9e (liuh-80) Revert not necessary change.
4eb808e (liuh-80) Improve UTs by PR comments.
0cd1db6 (liuh-80) Revert unnecessary code change.
129d82b (liuh-80) Fix comments
e4f7b33 (liuh-80) Add tacacs accounting UTs.
14c8b53 (liuh-80) Improve accounting UT.
f269677 (liuh-80) Fix UT code issue.
1944cb0 (liuh-80) Merge branch 'dev/liuh/tacacs_ut' into dev/liuh/tacacs_accounting_ut
6485c33 (liuh-80) Add accounting UT to kvmtest.sh
18cf166 (liuh-80) Skip tacacs authorization UT on older version.
97d4352 (liuh-80) Merge branch 'dev/liuh/tacacs_ut' into dev/liuh/tacacs_accounting_ut
7baada4 (liuh-80) Ignore UT on older version.
fe814f5 (liuh-80) Fix code bug in UT.
2480e50 (liuh-80) Fix code by PR comments.
59f3330 (liuh-80) Merge branch 'dev/liuh/tacacs_ut' into dev/liuh/tacacs_accounting_ut
67e099e (liuh-80) Fix PR comments.
f31428c (liuh-80) Fix UT error
121b712 (liuh-80) Merge branch 'dev/liuh/tacacs_ut' into dev/liuh/tacacs_accounting_ut
86c788c (liuh-80) Fix the UT break by LD version change issue.
8db587c (liuh-80) Merge branch 'dev/liuh/tacacs_ut' into dev/liuh/tacacs_accounting_ut
a239b20 (liuh-80) Fix syntax error.
a49ca4e (liuh-80) Merge branch 'dev/liuh/tacacs_ut' into dev/liuh/tacacs_accounting_ut
efb5262 (liuh-80) Improve code by PR comments.
6e4361f (liuh-80) Merge branch 'Azure:master' into master
4f3e2a0 (liuh-80) Merge remote-tracking branch 'origin' into dev/liuh/tacacs_accounting_ut
e761d48 (liuh-80) Fix UT issue.
9ba3ce1 (liuh-80) Fix PR comments.
67542d3 (liuh-80) Improve code
00b97bd (liuh-80) Merge branch 'Azure:master' into master
89f04d4 (liuh-80) Merge remote-tracking branch 'origin' into dev/liuh/tacacs_accounting_ut
240afed (liuh-80) Add tacacs authorization UTs back.
a8278af (liuh-80) Skip per-command authorization&accounting config in older versions.
89c2d7c (liuh-80) Fix the permission lost issue.
c39d22c (liuh-80) Merge branch 'Azure:master' into master
968c3fb (liuh-80) Merge remote-tracking branch 'origin' into dev/liuh/tacacs_accounting_ut
ce05a85 (liuh-80) Fix the tacacs server config not cleanup when UT break issue.
e477dff (liuh-80) Improve code by PR comments
4f634af (liuh-80) Fix return bool type not iterable issue
159d6af (liuh-80) Improve code.
15832ce (liuh-80) Fix code by PR comments.
cf047cc (liuh-80) Merge branch 'Azure:master' into master
8e87c6d (liuh-80) Merge remote-tracking branch 'origin' into dev/liuh/tacacs_accounting_ut
b440fac (liuh-80) Fix the kvmtest.sh permission issue caused by fix merge conflict.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -0,0 +1,220 @@ | ||
import crypt | ||
import paramiko | ||
import pytest | ||
|
||
from .test_authorization import ssh_connect_remote, ssh_run_command, per_command_check_skip_versions, remove_all_tacacs_server | ||
from .utils import stop_tacacs_server, start_tacacs_server | ||
from tests.common.errors import RunAnsibleModuleFail | ||
from tests.common.helpers.assertions import pytest_assert | ||
from tests.common.utilities import skip_release | ||
|
||
pytestmark = [ | ||
pytest.mark.disable_loganalyzer, | ||
pytest.mark.topology('any'), | ||
pytest.mark.device_type('vs') | ||
|
||
] | ||
|
||
logger = logging.getLogger(__name__) | ||
|
||
def cleanup_tacacs_log(ptfhost, rw_user_client): | ||
try: | ||
ptfhost.command('rm /var/log/tac_plus.acct') | ||
except RunAnsibleModuleFail: | ||
logger.info("/var/log/tac_plus.acct does not exist.") | ||
|
||
res = ptfhost.command('touch /var/log/tac_plus.acct') | ||
logger.info(res["stdout_lines"]) | ||
|
||
ssh_run_command(rw_user_client, 'sudo truncate -s 0 /var/log/syslog') | ||
|
||
def check_tacacs_server_log_exist(ptfhost, duthost, creds_all_duts, command): | ||
username = creds_all_duts[duthost]['tacacs_rw_user'] | ||
""" | ||
Find logs run by tacacs_rw_user from tac_plus.acct: | ||
Find logs match following format: "tacacs_rw_user ... cmd=command" | ||
Print matched logs with /P command. | ||
""" | ||
sed_command = "sed -nE '/ {0} .* cmd=.*{1}/P' /var/log/tac_plus.acct".format(username, command) | ||
|
||
res = ptfhost.command(sed_command) | ||
logger.info(sed_command) | ||
logger.info(res["stdout_lines"]) | ||
pytest_assert(len(res["stdout_lines"]) > 0) | ||
|
||
def check_tacacs_server_no_other_user_log(ptfhost, duthost, creds_all_duts): | ||
username = creds_all_duts[duthost]['tacacs_rw_user'] | ||
""" | ||
Find logs not run by tacacs_rw_user from tac_plus.acct: | ||
Remove all tacacs_rw_user's log with /D command. | ||
Print logs not removed by /D command, which are not run by tacacs_rw_user. | ||
""" | ||
sed_command = "sed -nE '/ {0} /D;/.*/P' /var/log/tac_plus.acct".format(username) | ||
res = ptfhost.command(sed_command) | ||
logger.info(sed_command) | ||
logger.info(res["stdout_lines"]) | ||
pytest_assert(len(res["stdout_lines"]) == 0) | ||
|
||
def check_local_log_exist(rw_user_client, duthost, creds_all_duts, command): | ||
username = creds_all_duts[duthost]['tacacs_rw_user'] | ||
""" | ||
Find logs run by tacacs_rw_user from syslog: | ||
Find logs match following format: "INFO audisp-tacplus: Accounting: user: tacacs_rw_user,.*, command: .*command," | ||
Print matched logs with /P command. | ||
""" | ||
sed_command = "sudo sed -nE '/INFO audisp-tacplus: Accounting: user: {0},.*, command: .*{1},/P' /var/log/syslog".format(username, command) | ||
exit_code, stdout, stderr = ssh_run_command(rw_user_client, sed_command) | ||
pytest_assert(exit_code == 0) | ||
logger.info(sed_command) | ||
logger.info(stdout) | ||
pytest_assert(len(stdout) > 0) | ||
|
||
def check_local_no_other_user_log(rw_user_client, duthost, creds_all_duts): | ||
username = creds_all_duts[duthost]['tacacs_rw_user'] | ||
""" | ||
Find logs not run by tacacs_rw_user from syslog: | ||
Remove all tacacs_rw_user's log with /D command, which will match following format: "INFO audisp-tacplus: Accounting: user: tacacs_rw_user" | ||
Find all other user's log, which will match following format: "INFO audisp-tacplus: Accounting: user:" | ||
Print matched logs with /P command, which are not run by tacacs_rw_user. | ||
""" | ||
sed_command = "sudo sed -nE '/INFO audisp-tacplus: Accounting: user: {0},/D;/INFO audisp-tacplus: Accounting: user:/P' /var/log/syslog".format(username) | ||
exit_code, stdout, stderr = ssh_run_command(rw_user_client, sed_command) | ||
pytest_assert(exit_code == 0) | ||
logger.info(sed_command) | ||
logger.info(stdout) | ||
pytest_assert(len(stdout) == 0) | ||
|
||
@pytest.fixture | ||
def rw_user_client(duthosts, enum_rand_one_per_hwsku_hostname, creds_all_duts): | ||
duthost = duthosts[enum_rand_one_per_hwsku_hostname] | ||
dutip = duthost.host.options['inventory_manager'].get_host(duthost.hostname).vars['ansible_host'] | ||
ssh_client = ssh_connect_remote(dutip, creds_all_duts[duthost]['tacacs_rw_user'], | ||
creds_all_duts[duthost]['tacacs_rw_user_passwd']) | ||
yield ssh_client | ||
ssh_client.close() | ||
|
||
@pytest.fixture(scope="module", autouse=True) | ||
def check_image_version(duthost): | ||
"""Skips this test if the SONiC image installed on DUT is older than 202112 | ||
Args: | ||
duthost: Hostname of DUT. | ||
Returns: | ||
None. | ||
""" | ||
skip_release(duthost, per_command_check_skip_versions) | ||
|
||
def test_accounting_tacacs_only(localhost, ptfhost, duthosts, enum_rand_one_per_hwsku_hostname, creds_all_duts, check_tacacs, rw_user_client): | ||
duthost = duthosts[enum_rand_one_per_hwsku_hostname] | ||
duthost.shell("sudo config aaa accounting tacacs+") | ||
cleanup_tacacs_log(ptfhost, rw_user_client) | ||
|
||
ssh_run_command(rw_user_client, "grep") | ||
|
||
# Verify TACACS+ server side have user command record. | ||
check_tacacs_server_log_exist(ptfhost, duthost, creds_all_duts, "grep") | ||
# Verify TACACS+ server side not have any command record which not run by user. | ||
check_tacacs_server_no_other_user_log(ptfhost, duthost, creds_all_duts) | ||
|
||
|
||
def test_accounting_tacacs_only_all_tacacs_server_down(localhost, ptfhost, duthosts, enum_rand_one_per_hwsku_hostname, creds_all_duts, check_tacacs, rw_user_client): | ||
duthost = duthosts[enum_rand_one_per_hwsku_hostname] | ||
duthost.shell("sudo config aaa accounting tacacs+") | ||
cleanup_tacacs_log(ptfhost, rw_user_client) | ||
|
||
""" | ||
when user login server are accessible. | ||
user run some command in whitelist and server are accessible. | ||
""" | ||
ssh_run_command(rw_user_client, "grep") | ||
|
||
# Verify TACACS+ server side have user command record. | ||
check_tacacs_server_log_exist(ptfhost, duthost, creds_all_duts, "grep") | ||
# Verify TACACS+ server side not have any command record which not run by user. | ||
check_tacacs_server_no_other_user_log(ptfhost, duthost, creds_all_duts) | ||
|
||
cleanup_tacacs_log(ptfhost, rw_user_client) | ||
|
||
# Shutdown tacacs server | ||
stop_tacacs_server(ptfhost) | ||
|
||
""" | ||
then all server not accessible, and run some command | ||
Verify local user still can run command without any issue. | ||
""" | ||
ssh_run_command(rw_user_client, "grep") | ||
|
||
# Cleanup UT. | ||
start_tacacs_server(ptfhost) | ||
|
||
def test_accounting_tacacs_only_some_tacacs_server_down(localhost, ptfhost, duthosts, enum_rand_one_per_hwsku_hostname, creds_all_duts, check_tacacs, rw_user_client): | ||
""" | ||
Setup multiple tacacs server for this UT. | ||
Tacacs server 127.0.0.1 not accessible. | ||
""" | ||
invalid_tacacs_server_ip = "127.0.0.1" | ||
duthost = duthosts[enum_rand_one_per_hwsku_hostname] | ||
tacacs_server_ip = ptfhost.host.options['inventory_manager'].get_host(ptfhost.hostname).vars['ansible_host'] | ||
config_facts = duthost.config_facts(host=duthost.hostname, source="running")['ansible_facts'] | ||
duthost.shell("sudo config tacacs timeout 1") | ||
remove_all_tacacs_server(duthost) | ||
duthost.shell("sudo config tacacs add %s" % invalid_tacacs_server_ip) | ||
duthost.shell("sudo config tacacs add %s" % tacacs_server_ip) | ||
duthost.shell("sudo config aaa accounting tacacs+") | ||
|
||
cleanup_tacacs_log(ptfhost, rw_user_client) | ||
|
||
ssh_run_command(rw_user_client, "grep") | ||
|
||
# Verify TACACS+ server side have user command record. | ||
check_tacacs_server_log_exist(ptfhost, duthost, creds_all_duts, "grep") | ||
# Verify TACACS+ server side not have any command record which not run by user. | ||
check_tacacs_server_no_other_user_log(ptfhost, duthost, creds_all_duts) | ||
|
||
# Cleanup | ||
duthost.shell("sudo config tacacs delete %s" % invalid_tacacs_server_ip) | ||
|
||
def test_accounting_local_only(localhost, ptfhost, duthosts, enum_rand_one_per_hwsku_hostname, creds_all_duts, check_tacacs, rw_user_client): | ||
duthost = duthosts[enum_rand_one_per_hwsku_hostname] | ||
duthost.shell("sudo config aaa accounting local") | ||
cleanup_tacacs_log(ptfhost, rw_user_client) | ||
|
||
ssh_run_command(rw_user_client, "grep") | ||
|
||
# Verify syslog have user command record. | ||
check_local_log_exist(rw_user_client, duthost, creds_all_duts, "grep") | ||
# Verify syslog not have any command record which not run by user. | ||
check_local_no_other_user_log(rw_user_client, duthost, creds_all_duts) | ||
|
||
def test_accounting_tacacs_and_local(localhost, ptfhost, duthosts, enum_rand_one_per_hwsku_hostname, creds_all_duts, check_tacacs, rw_user_client): | ||
duthost = duthosts[enum_rand_one_per_hwsku_hostname] | ||
duthost.shell('sudo config aaa accounting "tacacs+ local"') | ||
cleanup_tacacs_log(ptfhost, rw_user_client) | ||
|
||
ssh_run_command(rw_user_client, "grep") | ||
|
||
# Verify TACACS+ server and syslog have user command record. | ||
check_tacacs_server_log_exist(ptfhost, duthost, creds_all_duts, "grep") | ||
check_local_log_exist(rw_user_client, duthost, creds_all_duts, "grep") | ||
# Verify TACACS+ server and syslog not have any command record which not run by user. | ||
check_tacacs_server_no_other_user_log(ptfhost, duthost, creds_all_duts) | ||
check_local_no_other_user_log(rw_user_client, duthost, creds_all_duts) | ||
|
||
def test_accounting_tacacs_and_local_all_tacacs_server_down(localhost, ptfhost, duthosts, enum_rand_one_per_hwsku_hostname, creds_all_duts, check_tacacs, rw_user_client): | ||
duthost = duthosts[enum_rand_one_per_hwsku_hostname] | ||
duthost.shell('sudo config aaa accounting "tacacs+ local"') | ||
cleanup_tacacs_log(ptfhost, rw_user_client) | ||
|
||
# Shutdown tacacs server | ||
stop_tacacs_server(ptfhost) | ||
|
||
""" | ||
After all server not accessible, run some command | ||
Verify local user still can run command without any issue. | ||
""" | ||
ssh_run_command(rw_user_client, "grep") | ||
|
||
# Verify syslog have user command record. | ||
check_local_log_exist(rw_user_client, duthost, creds_all_duts, "grep") | ||
# Verify syslog not have any command record which not run by user. | ||
check_local_no_other_user_log(rw_user_client, duthost, creds_all_duts) | ||
|
||
# Cleanup UT. | ||
start_tacacs_server(ptfhost) |
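Review bot: in `test_accounting_tacacs_only_all_tacacs_server_down` and `test_accounting_tacacs_and_local_all_tacacs_server_down` the command run after `stop_tacacs_server(ptfhost)` is never checked: the string above it says "Verify local user still can run command without any issue", but `ssh_run_command(rw_user_client, "grep")` discards the `(exit_code, stdout, stderr)` tuple, so a refused or failing command would not fail the test. Capture the tuple and assert on `exit_code` the way `check_local_log_exist` does; note that a bare `grep` exits with usage status 2, so either run a command that exits 0 or assert the status you actually expect. The restore steps in those two tests and in `test_accounting_tacacs_only_some_tacacs_server_down` (`start_tacacs_server(ptfhost)`, `config tacacs delete 127.0.0.1`) sit on the success path only, and `config tacacs timeout 1` is never reverted, so one failing `pytest_assert` leaves the PTF TACACS+ server stopped or the DUT configured with a dead `127.0.0.1` server and a 1 s timeout for every later test; move the restore into a fixture teardown or a `try`/`finally`. Smaller points: `logging` is used at module scope (`logger = logging.getLogger(__name__)`) but the hunk as shown imports `crypt` and `paramiko`, which nothing in the file uses, and not `logging`; `config_facts` is assigned and unused; `username` and `command` are interpolated unescaped into the `sed -nE '/ {0} .* cmd=.*{1}/P'` and `'/... command: .*{1},/P'` regexes, so a metacharacter in either silently changes the match, and `.*grep` also accepts any command whose text merely contains "grep" (apply `re.escape` and anchor the command); `cleanup_tacacs_log` runs `sudo truncate -s 0 /var/log/syslog` on the DUT, which wipes the device's entire audit trail rather than just this test's records, where a marker line or a timestamp filter in the later `sed` checks would isolate them; and the triple-quoted strings placed after `username = ...` in `check_tacacs_server_log_exist` and its siblings are not docstrings, so move them to the first line of each function.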
The function body is similar to skip_release. Could you reuse code between the 2 functions? #Closed