sonic-net · qiluo-msft · Jul 11, 2023 · Nov 5, 2021 · Jul 4, 2023 · Jul 6, 2023
diff --git a/src/sonic-host-services-data/templates/tacplus_nss.conf.j2 b/src/sonic-host-services-data/templates/tacplus_nss.conf.j2
@@ -7,6 +7,34 @@
 debug=on
 {% endif %}
 
+# local_accounting - If you want to local accounting, set it
+# Default: None
+# local_accounting
+{% if local_accounting %}
+local_accounting
+{% endif %}
+
+# tacacs_accounting - If you want to tacacs+ accounting, set it
+# Default: None
+# tacacs_accounting
+{% if tacacs_accounting %}
+tacacs_accounting
+{% endif %}
+
+# local_authorization - If you want to local authorization, set it
+# Default: None
+# local_authorization
+{% if local_authorization %}
+local_authorization
+{% endif %}
+
+# tacacs_authorization - If you want to tacacs+ authorization, set it
+# Default: None
+# tacacs_authorization
+{% if tacacs_authorization %}
+tacacs_authorization
+{% endif %}
+
 # src_ip - set source address of TACACS+ protocol packets
 # Default: None (auto source ip address)
 # src_ip=2.2.2.2

diff --git a/src/sonic-host-services/pytest.ini b/src/sonic-host-services/pytest.ini
@@ -1,2 +1,2 @@
 [pytest]
-addopts = --cov=scripts --cov-report html --cov-report term --cov-report xml --ignore=tests/hostcfgd/test_vectors.py --ignore=tests/caclmgrd/test_dhcp_vectors.py
+addopts = --cov=scripts --cov-report html --cov-report term --cov-report xml --ignore=tests/hostcfgd/test*_vectors.py  --ignore=tests/caclmgrd/test_dhcp_vectors.py
diff --git a/src/sonic-host-services/scripts/hostcfgd b/src/sonic-host-services/scripts/hostcfgd
@@ -161,15 +161,23 @@ class Iptables(object):
 
 class AaaCfg(object):
     def __init__(self):
-        self.auth_default = {
+        self.authentication_default = {
             'login': 'local',
         }
+        self.authorization_default = {
+            'login': 'local',
+        }
+        self.accounting_default = {
+            'login': 'disable',
+        }
         self.tacplus_global_default = {
             'auth_type': TACPLUS_SERVER_AUTH_TYPE_DEFAULT,
             'timeout': TACPLUS_SERVER_TIMEOUT_DEFAULT,
             'passkey': TACPLUS_SERVER_PASSKEY_DEFAULT
         }
-        self.auth = {}
+        self.authentication = {}
+        self.authorization = {}
+        self.accounting = {}
         self.tacplus_global = {}
         self.tacplus_servers = {}
         self.debug = False
@@ -186,11 +194,15 @@ class AaaCfg(object):
 
     def aaa_update(self, key, data, modify_conf=True):
         if key == 'authentication':
-            self.auth = data
+            self.authentication = data
             if 'failthrough' in data:
-                self.auth['failthrough'] = is_true(data['failthrough'])
+                self.authentication['failthrough'] = is_true(data['failthrough'])
             if 'debug' in data:
                 self.debug = is_true(data['debug'])
+        if key == 'authorization':
+            self.authorization = data
+        if key == 'accounting':
+            self.accounting = data
         if modify_conf:
             self.modify_conf_file()
 
@@ -231,8 +243,12 @@ class AaaCfg(object):
         self.check_file_not_empty(filename)
 
     def modify_conf_file(self):
-        auth = self.auth_default.copy()
-        auth.update(self.auth)
+        authentication = self.authentication_default.copy()
+        authentication.update(self.authentication)
+        authorization = self.authorization_default.copy()
+        authorization.update(self.authorization)
+        accounting = self.accounting_default.copy()
+        accounting.update(self.accounting)
         tacplus_global = self.tacplus_global_default.copy()
         tacplus_global.update(self.tacplus_global)
         if 'src_ip' in tacplus_global:
@@ -253,7 +269,7 @@ class AaaCfg(object):
         env = jinja2.Environment(loader=jinja2.FileSystemLoader('/'), trim_blocks=True)
         env.filters['sub'] = sub
         template = env.get_template(template_file)
-        pam_conf = template.render(auth=auth, src_ip=src_ip, servers=servers_conf)
+        pam_conf = template.render(auth=authentication, src_ip=src_ip, servers=servers_conf)
         with open(PAM_AUTH_CONF, 'w') as f:
             f.write(pam_conf)
 
@@ -266,17 +282,40 @@ class AaaCfg(object):
             self.modify_single_file('/etc/pam.d/login', [ "'/^@include/s/common-auth-sonic$/common-auth/'" ])
 
         # Add tacplus in nsswitch.conf if TACACS+ enable
-        if 'tacacs+' in auth['login']:
+        if 'tacacs+' in authentication['login']:
             if os.path.isfile(NSS_CONF):
                 self.modify_single_file(NSS_CONF, [ "'/tacplus/b'", "'/^passwd/s/compat/tacplus &/'", "'/^passwd/s/files/tacplus &/'" ])
         else:
             if os.path.isfile(NSS_CONF):
                 self.modify_single_file(NSS_CONF, [ "'/^passwd/s/tacplus //g'" ])
 
+        # Add tacplus authorization configration in nsswitch.conf
+        tacacs_authorization_conf = None
+        local_authorization_conf = None
+        if 'tacacs+' in authorization['login']:
+            tacacs_authorization_conf = "on"
+        if 'local' in authorization['login']:
+            local_authorization_conf = "on"
+
+        # Add tacplus accounting configration in nsswitch.conf
+        tacacs_accounting_conf = None
+        local_accounting_conf = None
+        if 'tacacs+' in accounting['login']:
+            tacacs_accounting_conf = "on"
+        if 'local' in accounting['login']:
+            local_accounting_conf = "on"
+
         # Set tacacs+ server in nss-tacplus conf
         template_file = os.path.abspath(NSS_TACPLUS_CONF_TEMPLATE)
         template = env.get_template(template_file)
-        nss_tacplus_conf = template.render(debug=self.debug, src_ip=src_ip, servers=servers_conf)
+        nss_tacplus_conf = template.render(
+                                        debug=self.debug,
+                                        src_ip=src_ip,
+                                        servers=servers_conf,
+                                        local_accounting=local_accounting_conf,
+                                        tacacs_accounting=tacacs_accounting_conf,
+                                        local_authorization=local_authorization_conf,
+                                        tacacs_authorization=tacacs_authorization_conf)
         with open(NSS_TACPLUS_CONF, 'w') as f:
             f.write(nss_tacplus_conf)
 

diff --git a/src/sonic-host-services/tests/hostcfgd/hostcfgd_tacacs_test.py b/src/sonic-host-services/tests/hostcfgd/hostcfgd_tacacs_test.py
@@ -0,0 +1,110 @@
+import importlib.machinery
+import importlib.util
+import filecmp
+import shutil
+import os
+import sys
+import subprocess
+from swsscommon import swsscommon
+
+from parameterized import parameterized
+from unittest import TestCase, mock
+from tests.hostcfgd.test_tacacs_vectors import HOSTCFGD_TEST_TACACS_VECTOR
+from tests.common.mock_configdb import MockConfigDb, MockSubscriberStateTable
+from tests.common.mock_configdb import MockSelect, MockDBConnector
+
+test_path = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+modules_path = os.path.dirname(test_path)
+scripts_path = os.path.join(modules_path, "scripts")
+src_path = os.path.dirname(modules_path)
+templates_path = os.path.join(src_path, "sonic-host-services-data/templates")
+output_path = os.path.join(test_path, "hostcfgd/output")
+sample_output_path = os.path.join(test_path, "hostcfgd/sample_output")
+sys.path.insert(0, modules_path)
+
+# Load the file under test
+hostcfgd_path = os.path.join(scripts_path, 'hostcfgd')
+loader = importlib.machinery.SourceFileLoader('hostcfgd', hostcfgd_path)
+spec = importlib.util.spec_from_loader(loader.name, loader)
+hostcfgd = importlib.util.module_from_spec(spec)
+loader.exec_module(hostcfgd)
+sys.modules['hostcfgd'] = hostcfgd
+
+# Mock swsscommon classes
+hostcfgd.ConfigDBConnector = MockConfigDb
+hostcfgd.SubscriberStateTable = MockSubscriberStateTable
+hostcfgd.Select = MockSelect
+hostcfgd.DBConnector = MockDBConnector
+
+class TestHostcfgdTACACS(TestCase):
+    """
+        Test hostcfd daemon - TACACS
+    """
+    def run_diff(self, file1, file2):
+        return subprocess.check_output('diff -uR {} {} || true'.format(file1, file2), shell=True)
+
+    """
+        Check different config 
+    """
+    def check_config(self, test_name, test_data, config_name):
+        t_path = templates_path
+        op_path = output_path + "/" + test_name + "_" + config_name
+        sop_path = sample_output_path + "/" +  test_name + "_" + config_name
+
+        hostcfgd.PAM_AUTH_CONF_TEMPLATE = t_path + "/common-auth-sonic.j2"
+        hostcfgd.NSS_TACPLUS_CONF_TEMPLATE = t_path + "/tacplus_nss.conf.j2"
+        hostcfgd.PAM_AUTH_CONF = op_path + "/common-auth-sonic"
+        hostcfgd.NSS_TACPLUS_CONF = op_path + "/tacplus_nss.conf"
+        hostcfgd.NSS_CONF = op_path + "/nsswitch.conf"
+
+        shutil.rmtree( op_path, ignore_errors=True)
+        os.mkdir( op_path)
+
+        MockConfigDb.set_config_db(test_data[config_name])
+        host_config_daemon = hostcfgd.HostConfigDaemon()
+
+        aaa = host_config_daemon.config_db.get_table('AAA')
+
+        try:
+            tacacs_global = host_config_daemon.config_db.get_table('TACPLUS')
+        except:
+            tacacs_global = []
+        try:
+            tacacs_server = \
+                host_config_daemon.config_db.get_table('TACPLUS_SERVER')
+        except:
+            tacacs_server = []
+
+        host_config_daemon.aaacfg.load(aaa,tacacs_global,tacacs_server)
+        dcmp = filecmp.dircmp(sop_path, op_path)
+        diff_output = ""
+        for name in dcmp.diff_files:
+            diff_output += \
+                "Diff: file: {} expected: {} output: {}\n".format(\
+                    name, dcmp.left, dcmp.right)
+            diff_output += self.run_diff( dcmp.left + "/" + name,\
+                dcmp.right + "/" + name)
+        self.assertTrue(len(diff_output) == 0, diff_output)
+
+
+    @parameterized.expand(HOSTCFGD_TEST_TACACS_VECTOR)
+    def test_hostcfgd_tacacs(self, test_name, test_data):
+        """
+            Test TACACS hostcfd daemon initialization
+
+            Args:
+                test_name(str): test name
+                test_data(dict): test data which contains initial Config Db tables, and expected results
+
+            Returns:
+                None
+        """
+        os.mkdir(output_path)
+        # test local config
+        self.check_config(test_name, test_data, "config_db_local")
+        # test remote config
+        self.check_config(test_name, test_data, "config_db_tacacs")
+        # test local + tacacs config
+        self.check_config(test_name, test_data, "config_db_local_and_tacacs")
+        # test disable accounting
+        self.check_config(test_name, test_data, "config_db_disable_accounting")
diff --git a/src/sonic-host-services/tests/hostcfgd/sample_output/LOCAL/tacplus_nss.conf b/src/sonic-host-services/tests/hostcfgd/sample_output/LOCAL/tacplus_nss.conf
@@ -0,0 +1,40 @@
+# Configuration for libnss-tacplus
+
+# debug - If you want to open debug log, set it on
+# Default: off
+# debug=on
+debug=on
+
+# local_accounting - If you want to local accounting, set it
+# Default: None
+# local_accounting
+
+# tacacs_accounting - If you want to tacacs+ accounting, set it
+# Default: None
+# tacacs_accounting
+
+# local_authorization - If you want to local authorization, set it
+# Default: None
+# local_authorization
+local_authorization
+
+# tacacs_authorization - If you want to tacacs+ authorization, set it
+# Default: None
+# tacacs_authorization
+
+# src_ip - set source address of TACACS+ protocol packets
+# Default: None (auto source ip address)
+# src_ip=2.2.2.2
+
+# server - set ip address, tcp port, secret string and timeout for TACACS+ servers
+# Default: None (no TACACS+ server)
+# server=1.1.1.1:49,secret=test,timeout=3
+
+# user_priv - set the map between TACACS+ user privilege and local user's passwd
+# Default:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/bin/bash
+# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/bin/bash
+
+# many_to_one - create one local user for many TACACS+ users which has the same privilege
+# Default: many_to_one=n
+# many_to_one=y
diff --git a/src/sonic-host-services/tests/hostcfgd/sample_output/RADIUS/tacplus_nss.conf b/src/sonic-host-services/tests/hostcfgd/sample_output/RADIUS/tacplus_nss.conf
@@ -0,0 +1,40 @@
+# Configuration for libnss-tacplus
+
+# debug - If you want to open debug log, set it on
+# Default: off
+# debug=on
+debug=on
+
+# local_accounting - If you want to local accounting, set it
+# Default: None
+# local_accounting
+
+# tacacs_accounting - If you want to tacacs+ accounting, set it
+# Default: None
+# tacacs_accounting
+
+# local_authorization - If you want to local authorization, set it
+# Default: None
+# local_authorization
+local_authorization
+
+# tacacs_authorization - If you want to tacacs+ authorization, set it
+# Default: None
+# tacacs_authorization
+
+# src_ip - set source address of TACACS+ protocol packets
+# Default: None (auto source ip address)
+# src_ip=2.2.2.2
+
+# server - set ip address, tcp port, secret string and timeout for TACACS+ servers
+# Default: None (no TACACS+ server)
+# server=1.1.1.1:49,secret=test,timeout=3
+
+# user_priv - set the map between TACACS+ user privilege and local user's passwd
+# Default:
+# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/bin/bash
+# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/bin/bash
+
+# many_to_one - create one local user for many TACACS+ users which has the same privilege
+# Default: many_to_one=n
+# many_to_one=y
diff --git a/...rvices/tests/hostcfgd/sample_output/TACACS_config_db_disable_accounting/common-auth-sonic b/...rvices/tests/hostcfgd/sample_output/TACACS_config_db_disable_accounting/common-auth-sonic
@@ -0,0 +1,21 @@
+#THIS IS AN AUTO-GENERATED FILE
+#
+# /etc/pam.d/common-auth- authentication settings common to all services
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# here are the per-package modules (the "Primary" block)
+
+auth	[success=1 default=ignore]	pam_unix.so nullok try_first_pass
+
+#
+# here's the fallback if no module succeeds
+auth    requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth    required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)