From b097208ad029773950d3a78a42064606ed11f2c8 Mon Sep 17 00:00:00 2001
From: chunangli
Date: Thu, 23 Mar 2023 13:55:25 +0800
Subject: [PATCH 1/2] Use wait_until to execute show aaa cmd, instead of sleep
Signed-off-by: Chun'ang Li
---
 tests/tacacs/test_authorization.py | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/tests/tacacs/test_authorization.py b/tests/tacacs/test_authorization.py
index f3ee23c912b..b5336958155 100644
--- a/tests/tacacs/test_authorization.py
+++ b/tests/tacacs/test_authorization.py
@@ -2,11 +2,12 @@ import paramiko
 import time
 import pytest
+from _pytest.outcomes import Failed
 from tests.tacacs.utils import stop_tacacs_server, start_tacacs_server
 from tests.tacacs.utils import per_command_check_skip_versions, remove_all_tacacs_server, get_ld_path
 from tests.common.helpers.assertions import pytest_assert
-from tests.common.utilities import skip_release
+from tests.common.utilities import skip_release, wait_until
 pytestmark = [
 pytest.mark.disable_loganalyzer,
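Review bot: `from _pytest.outcomes import Failed` reaches into pytest's private `_pytest` package, which carries no stability guarantee across pytest releases. The same exception class is exposed publicly as `pytest.fail.Exception`, and `pytest` is already imported in this file. The import can therefore be dropped and the handler in `verify_show_aaa` (next hunk) written as `except pytest.fail.Exception:`.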
@@ -113,15 +114,26 @@ def setup_authorization_tacacs_local(duthosts, enum_rand_one_per_hwsku_hostname)
 duthost.shell("sudo config aaa authorization local") # Default authorization method is local
+def verify_show_aaa(remote_user_client):
+ exit_code, stdout, stderr = ssh_run_command(remote_user_client, "show aaa")
+ if exit_code != 0:
+ return False
+
+ try:
+ check_ssh_output(stdout, 'AAA authentication')
+ return True
+ except Failed:
+ return False
+
+
 def check_authorization_tacacs_only(duthosts, enum_rand_one_per_hwsku_hostname, tacacs_creds, remote_user_client):
 duthost = duthosts[enum_rand_one_per_hwsku_hostname]
 """
 Verify TACACS+ user run command in server side whitelist:
 If command have local permission, user can run command.
 """
- exit_code, stdout, stderr = ssh_run_command(remote_user_client, "show aaa")
- pytest_assert(exit_code == 0)
- check_ssh_output(stdout, 'AAA authentication')
+ succeeded = wait_until(10, 1, 0, verify_show_aaa, remote_user_client)
+ pytest_assert(succeeded)
 exit_code, stdout, stderr = ssh_run_command(remote_user_client, "config aaa")
 pytest_assert(exit_code == 1)
From 229ca82f4c5fc5d32a24b64c4c40ed7e7d4b2c48 Mon Sep 17 00:00:00 2001
From: chunangli
Date: Thu, 23 Mar 2023 14:07:42 +0800
Subject: [PATCH 2/2] remove sleep, move comments
Signed-off-by: Chun'ang Li
---
 tests/tacacs/test_authorization.py | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/tests/tacacs/test_authorization.py b/tests/tacacs/test_authorization.py
index b5336958155..86f1b2322db 100644
--- a/tests/tacacs/test_authorization.py
+++ b/tests/tacacs/test_authorization.py
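Review bot: When the 10-second poll in `check_authorization_tacacs_only` expires, `pytest_assert(succeeded)` fails with no message, and `verify_show_aaa` has already discarded the exit code, stdout and stderr of every attempt, so a genuine TACACS+ authorization denial cannot be told apart from a slow config reload. Give the assert a message, e.g. `pytest_assert(succeeded, "'show aaa' was not authorized for the TACACS+ user within 10s")`, and record the failing attempt's exit code and output inside `verify_show_aaa` before each `return False`. The retry also appears to apply to every caller of this helper, not only the case that needed the delay, so a transient denial in other cases would now pass unnoticed; worth confirming that is intended. `check_authorization_tacacs_only` continues past the end of the hunk.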
@@ -132,6 +132,9 @@ def check_authorization_tacacs_only(duthosts, enum_rand_one_per_hwsku_hostname,
 Verify TACACS+ user run command in server side whitelist:
 If command have local permission, user can run command.
 """
+ # The "config tacacs add" commands will trigger hostcfgd to regenerate tacacs config.
+ # If we immediately run "show aaa" command, the client may still be using the first invalid tacacs server.
+ # The second valid tacacs may not take effect yet. Wait some time for the valid tacacs server to take effect.
 succeeded = wait_until(10, 1, 0, verify_show_aaa, remote_user_client)
 pytest_assert(succeeded)
@@ -175,11 +178,6 @@ def test_authorization_tacacs_only_some_server_down(
 duthost.shell("sudo config tacacs add %s" % invalid_tacacs_server_ip)
 duthost.shell("sudo config tacacs add %s" % tacacs_server_ip)
- # The above "config tacacs add" commands will trigger hostcfgd to regenerate tacacs config.
- # If we immediately run "show aaa" command, the client may still be using the first invalid tacacs server.
- # The second valid tacacs may not take effect yet. Wait some time for the valid tacacs server to take effect.
- time.sleep(2)
-
 """
 Verify TACACS+ user run command in server side whitelist:
 If command have local permission, user can run command.
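Review bot: The comment added above `wait_until` in `check_authorization_tacacs_only` describes "the first invalid tacacs server", a setup that, as far as this patch shows, only `test_authorization_tacacs_only_some_server_down` creates. If other tests call this helper the comment is misleading there, so it would read better as a condition, e.g. `# A caller may have just run "config tacacs add"; hostcfgd needs time to regenerate the tacacs config, so poll "show aaa" instead of checking once.` A one-line comment at the old `time.sleep(2)` site pointing to the polling in the helper would keep the reason discoverable from the test. The helper's body starts before this hunk.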