Ejemplo n.º 1
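def test_mgmt_vrf_tacacs():
    """Verify a TACACS+ login to the DUT through the management VRF.

    Steps, as performed below:
      1. Enable AAA authentication failthrough.
      2. Add the first host of the "tacacs" service data as a TACACS+ server
         with ``use_mgmt_vrf=True`` and verify the resulting entry.
      3. Set login authentication to ``tacacs+ local``.
      4. Poll for a login to the eth0 address using the credentials,
         protocol and port held in ``mgmt_vrf``.

    The TACACS+ configuration is removed with ``tacacs_cleanup`` on every
    exit path after step 2 starts, so a failed verification does not leave
    the device authenticating against the test server.
    """
    tacacs_params = st.get_service_info(vars.D1, "tacacs")
    if not set_aaa_authentication_properties(vars.D1, 'failthrough', 'enable'):
        st.report_fail("authentication failthrough config fail")
    server = tacacs_params.hosts[0]
    try:
        set_tacacs_server(vars.D1,
                          'add',
                          server.ip,
                          server.tcp_port,
                          server.timeout,
                          server.passkey,
                          server.auth_type,
                          server.priority,
                          use_mgmt_vrf=True)
        if not verify_tacacs_server(
                vars.D1, server.ip, server.tcp_port, server.timeout,
                server.passkey, server.auth_type, server.priority):
            st.report_fail("Tacacs_server_configs_are_not_successful",
                           server.ip)
        set_aaa_authentication_properties(vars.D1, 'login', 'tacacs+ local')
        ip_addr = get_ifconfig_inet(vars.D1, 'eth0')
        if not ip_addr:
            st.report_fail('ip_verification_fail')
        if not poll_wait(connect_to_device, 10, ip_addr[0],
                         mgmt_vrf.tacusername, mgmt_vrf.tacpassword,
                         mgmt_vrf.protocol, mgmt_vrf.ssh_port):
            st.report_fail("mgmt_vrf_tacacs", "failed")
    finally:
        # The original cleaned up only on the login-failure and success
        # paths; the verify and eth0 failures skipped it. Assumes
        # st.report_fail aborts the test by raising -- TODO confirm.
        # NOTE(review): what tacacs_cleanup resets (server entry, login
        # method, failthrough) is not visible here -- confirm it restores
        # all three.
        tacacs_cleanup(vars.D1, tacacs_params)
    st.report_pass("mgmt_vrf_tacacs", "successful")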
Ejemplo n.º 2
def tacacs_config_verify():
    """Check that the first TACACS+ host appears in the running config.

    Looks up the ``TACPLUS_SERVER`` entry for the first host of the "tacacs"
    service data and expects its ``priority`` field to be ``"1"``; reports a
    test failure otherwise.
    """
    st.log("verifying whether configuring tacacs server is successful or not - FtOpSoScTaCm004")
    server_ip = st.get_service_info(vars.D1, "tacacs").hosts[0].ip
    present = sconf_obj.verify_running_config(
        vars.D1, "TACPLUS_SERVER", server_ip, "priority", "1")
    if present:
        st.log("tacacs server configuration is successful")
    else:
        st.report_fail("running_config_failed", vars.D1, "TACPLUS_SERVER",
                       server_ip, "priority", "1")
Ejemplo n.º 3
def test_ft_tacacs_modify_server_parameters():
    """
    Author: Karthik Kumar Goud Battula([email protected])

    Scenarios covered by this test case:
    Scenario-1: Device behavior when TACACS+ application parameters (valid
                and invalid) are modified while traffic is running.
    Scenario-2: The key and timeout options default to the global values but
                may be set to unique values on a per-server basis.
    Scenario-3: The NAS stops communicating with the current server if the
                server is down, after the configured server timeout or the
                default timeout value.
    Scenario-4: The TACACS+ server key can be configured with more than 4
                special characters.

    Flow: replace the second configured server with one whose address, port,
    timeout and key are all wrong and expect the SSH login to be refused;
    then add the valid server back and expect the login to succeed.
    """
    # Deliberately wrong server settings for the negative phase.
    bad_server_ip = '10.10.10.1'
    bad_tcp_port = '59'
    bad_timeout = '10'
    bad_passkey = "key123"

    def ssh_login():
        # Same login attempt is used for both the negative and positive phase.
        return ssh_obj.connect_to_device(data.ip_address, data.username,
                                         data.password, data.protocol,
                                         data.ssh_port)

    second_host_ip = st.get_service_info(vars.D1, "tacacs").hosts[1].ip
    tacacs_obj.set_tacacs_server(vars.D1, 'delete', second_host_ip)
    tacacs_obj.set_tacacs_properties(vars.D1, 'passkey', 'secretstring')
    st.log("Configuring global tacacs server key with special characters")
    tacacs_obj.set_tacacs_properties(vars.D1, 'passkey', data.passkey)

    st.log("Check client authentication by modifing ip address,timeout,passkey")
    tacacs_obj.set_tacacs_server(vars.D1, 'add', bad_server_ip, bad_tcp_port,
                                 bad_timeout, bad_passkey, data.auth_type,
                                 data.priority_server2)
    st.log("Trying to SSH to the device when TACACS+ server is configured with invalid parameters")
    if ssh_login():
        # A successful login here is the failure case: remove the bogus
        # server before reporting so it does not outlive the test.
        st.log("Deleting the TACACS+ server which is invalid for failed scenario")
        tacacs_obj.set_tacacs_server(vars.D1, 'delete', bad_server_ip)
        st.report_fail("Login_to_DUT_via_SSH_is_failed")

    st.log("Deleting the TACACS+ server which is invalid")
    tacacs_obj.set_tacacs_server(vars.D1, 'delete', bad_server_ip)

    st.log("Creating valid TACACS+ server")
    tacacs_obj.set_tacacs_server(vars.D1, 'add', data.tacacs_ser_ip_1,
                                 data.tcp_port, data.timeout, data.passkey,
                                 data.auth_type, data.priority)
    st.wait(2, "sync the tacacs server after config changes")
    st.log("Trying to SSH to the device with TACACS+ server which is configured with the valid parameters")
    if not ssh_login():
        debug_info("test_ft_tacacs_modify_server_parameters",
                   data.tacacs_ser_ip_1)
        st.report_fail("Login_to_DUT_via_SSH_is_failed")
    st.report_pass("test_case_passed")
Ejemplo n.º 4
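def tacacs_module_hooks(request):
    """Module-level setup and teardown for the TACACS+ tests.

    Written as a generator: everything before ``yield`` runs as setup,
    everything after it as teardown (the fixture decorator is not part of
    this listing).

    Setup fills the shared ``data`` store from the "tacacs" service data,
    sets login authentication to ``tacacs+ local`` and adds the first
    TACACS+ server. Teardown restores default TACACS+ properties, deletes
    the configured servers and resets the AAA login and failthrough
    settings.

    :param request: fixture request object; not used in this body.
    """
    # add things at the start of this module
    # NOTE: ``vars`` shadows the builtin; other functions in this listing
    # read it as a module global, so the name is kept.
    global vars
    vars = st.ensure_min_topology("D1")
    tacacs_params = st.get_service_info(vars.D1, "tacacs")
    st.log("Getting IP address of the device")
    data.clear()
    data.hosts = ensure_service_params(vars.D1, "tacacs", "hosts")
    data.tacacs_ser_ip_1 = ensure_service_params(vars.D1, "tacacs", "hosts", 0, "ip")
    data.tcp_port = ensure_service_params(vars.D1, "tacacs", "hosts", 0, "tcp_port")
    data.passkey = ensure_service_params(vars.D1, "tacacs", "hosts", 0, "passkey")
    data.priority = ensure_service_params(vars.D1, "tacacs", "hosts", 0, "priority")
    data.timeout = ensure_service_params(vars.D1, "tacacs", "hosts", 0, "timeout")
    data.auth_type = ensure_service_params(vars.D1, "tacacs", "hosts", 0, "auth_type")
    data.tacacs_ser_ip_2 = ensure_service_params(vars.D1, "tacacs", "hosts", 1, "ip")
    data.priority_server2 = ensure_service_params(vars.D1, "tacacs", "hosts", 1, "priority")
    data.time_out = '10'
    # NOTE(review): the account names and passwords below are literals in
    # the test source (several appear masked in this listing). Consider
    # reading them from the services data, as is done for ``ro_username``
    # further down, so credentials are not kept in the repository.
    data.username = '******'
    data.password = '******'
    data.protocol = 'ssh'
    data.ssh_port = '22'
    data.login_type = "tacacs+"
    data.failthrough_mode = 'enable'
    data.local_username = '******'
    data.local_password = '******'
    data.local_password2 = 'broadcom'
    data.username1 = 'test'
    data.password1 = 'test'
    data.rw_user = {'username': data.username, 'password': data.password, 'mode': 'rw'}
    data.ro_username = ensure_service_params(vars.D1, "radius", "ro_user", "username")
    ensure_device_ipaddress()
    st.log("Configuring authentication login parameter as tacacs+ and local")
    tacacs_obj.set_aaa_authentication_properties(vars.D1, 'login', 'tacacs+ local')
    tacacs_obj.set_tacacs_server(vars.D1, 'add', data.tacacs_ser_ip_1, data.tcp_port, data.timeout, data.passkey,
                                 data.auth_type, data.priority)
    yield
    config_default_tacacs_properties(vars.D1)
    st.log("Deleting all TACACS+ servers from the device")
    # Setup only guarantees that hosts 0 and 1 exist. Indexing a fixed
    # range(0, 8) raised IndexError on a shorter list, which skipped the
    # AAA reset below and left login authentication on 'tacacs+ local'.
    # Still capped at eight entries, as before.
    for i in range(min(8, len(tacacs_params.hosts))):
        tacacs_obj.set_tacacs_server(vars.D1, 'delete', tacacs_params.hosts[i].ip)
    st.log("Making AAA parameters to default")
    tacacs_obj.set_aaa_authentication_properties(vars.D1, 'login', 'default')
    tacacs_obj.set_aaa_authentication_properties(vars.D1, 'failthrough', 'default')
    clear_vlan_configuration([vars.D1])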
Ejemplo n.º 5
def security_warm_reboot_module_hooks(request):
    """Module setup/teardown for the warm-reboot security tests.

    Setup initialises the shared variables, reports the run as unsupported
    when the platform is not listed under ``WARM_REBOOT_SUPPORTED_PLATFORMS``,
    then configures the TACACS+ server and checks it in the running config.
    Teardown (after ``yield``) deletes the first TACACS+ host again.

    :param request: fixture request object; not used in this body.
    """
    # --- setup ---
    init_vars()
    initialize_variables()
    get_parms()

    st.log("Checking whether the platform supports warm-reboot")
    platform_name = data.platform.lower()
    if platform_name not in data.constants['WARM_REBOOT_SUPPORTED_PLATFORMS']:
        st.report_unsupported('test_case_unsupported')

    st.log("configuring tacacs server")
    tacacs_config()
    st.log("Verifying tacacs server details in running-config before warm-reboot")
    tacacs_config_verify()

    yield

    # --- teardown ---
    # Remove the TACACS+ server entry that setup added to the device.
    service_info = st.get_service_info(vars.D1, "tacacs")
    tacacs_obj.set_tacacs_server(vars.D1, 'delete', service_info.hosts[0].ip)
Ejemplo n.º 6
def test_ft_tacacs_maximum_servers():
    """
    Author: Karthik Kumar Goud Battula([email protected])

    Scenarios covered by this test case:
    Scenario-1: More than one TACACS server can be configured on the NAS, up
                to the maximum number of servers allowed.
    Scenario-2: TACACS+ servers with IPv4 and IPv6 addresses can be added at
                the same time.
    Scenario-3: The maximum number of TACACS IPv4 servers can be configured
                on the DUT.
    Scenario-4: The maximum number of TACACS IPv6 servers can be configured
                on the DUT.
    Scenario-5: Save and reload functionality for the TACACS IPv6 feature.

    The body adds hosts 2..7 from the "tacacs" service data, reusing the
    port, timeout, passkey and auth type stored in ``data``, and then
    verifies the full host list on the device.
    """
    tacacs_params = st.get_service_info(vars.D1, "tacacs")
    for host_index in range(2, 8):
        server_ip = ensure_service_params(
            vars.D1, "tacacs", "hosts", host_index, "ip")
        server_priority = ensure_service_params(
            vars.D1, "tacacs", "hosts", host_index, "priority")
        tacacs_obj.set_tacacs_server(vars.D1, 'add', server_ip, data.tcp_port,
                                     data.timeout, data.passkey,
                                     data.auth_type, server_priority)
    all_configured = tacacs_obj.verify_tacacs_details(vars.D1,
                                                      tacacs_params.hosts)
    if not all_configured:
        st.report_fail("Tacacs_server_configs_are_not_successful",
                       tacacs_params.hosts)
    st.report_pass("test_case_passed")
Ejemplo n.º 7
def tacacs_config():
    """Add the first host of the "tacacs" service data as a TACACS+ server."""
    st.log("configuring tacacs server")
    first_host = st.get_service_info(vars.D1, "tacacs").hosts[0]
    tacacs_obj.set_tacacs_server(
        vars.D1,
        'add',
        first_host.ip,
        first_host.tcp_port,
        first_host.timeout,
        first_host.passkey,
        first_host.auth_type,
        first_host.priority,
    )
Ejemplo n.º 8
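def _redact_for_log(value, key=None):
    """Return a copy of *value* for logging with secret-looking fields masked."""
    # Keys such as "passkey" and "password" are requested through
    # ensure_service_params; their values must not reach the test logs.
    if hasattr(key, "lower") and any(
            marker in key.lower()
            for marker in ("pass", "secret", "key", "token")):
        return "******"
    if isinstance(value, dict):
        return dict((k, _redact_for_log(v, k)) for k, v in value.items())
    if isinstance(value, (list, tuple)):
        return [_redact_for_log(item) for item in value]
    return value


def ensure_service_params(dut, *argv):
    """
    Author : Prudvi Mangadu ([email protected])

    Look up a value in the service data of a device and abort the test with
    an environment failure when any part of the path is missing.

    :param dut: device whose service data is queried.
    :param argv: service name, followed by keys or list indexes.
    :return: the value found at the given path; None when no service name
             is given.

    How to use?:
    # Importing module:
     import utilities.utils as utils_obj
    # The call below checks for and returns the tftp ip addresses from
    # "sonic_services.yaml". It first checks whether the "tftp" service is
    # present and then looks for "ip". If either is missing, the test case is
    # aborted and moved to the "NES" state, "Test case Not Executed(s) -
    # Required service parameters is not defined " tftp->ip."
    tftp_ip = utils_obj.ensure_service_params(dut,"tftp","ip")
    tftp_path = utils_obj.ensure_service_params(dut,"tftp","path")

    tacacs_first_server = utils_obj.ensure_service_params(dut, "tacacs", "hosts",0,"ip")
    tacacs_first_username = utils_obj.ensure_service_params(dut, "tacacs", "hosts",0,"username")
    tacacs_first_password = utils_obj.ensure_service_params(dut, "tacacs", "hosts",0,"password")
    tacacs_second_server = utils_obj.ensure_service_params(dut, "tacacs", "hosts",1,"ip")
    tacacs_second_username = utils_obj.ensure_service_params(dut, "tacacs", "hosts",1,"username")
    tacacs_second_password = utils_obj.ensure_service_params(dut, "tacacs", "hosts",1,"password")

    """
    if not argv:
        st.error("Provide atleast one service to ensure")
        return None

    service_string = ' -> '.join([str(e) for e in argv])
    st.log("Ensure service parameter(s) - {}".format(service_string))
    output = st.get_service_info(dut, argv[0])
    if not output:
        st.error("'{}' is not specified in services/default.".format(argv[0]))
        st.report_env_fail("test_case_not_executed_s_service", service_string)

    # Walk the remaining path elements one level at a time.
    for each in argv[1:]:
        try:
            output = output[each]
        except KeyError as e1:
            st.log(e1)
            st.error(
                "Inside key '{}' : parameter {} is not specified in services/default."
                .format(argv[0], e1))
            st.report_env_fail("test_case_not_executed_s_service",
                               service_string)
        except IndexError as e2:
            st.log(e2)
            st.error(
                "Inside Key '{}' : list index '{}' is not specified in services/default."
                .format(argv[0], each))
            st.report_env_fail("test_case_not_executed_s_service",
                               service_string)
        except Exception as e3:
            # Anything else (e.g. indexing a value that is not a container)
            # is treated as a missing parameter as well.
            st.log(e3)
            st.error("Service or Parm '{}' not found.".format(each))
            st.report_env_fail("test_case_not_executed_s_service",
                               service_string)
    # The looked-up value was previously logged verbatim, which wrote
    # passkeys and passwords into the test logs. Only the log line is
    # masked; the caller still receives the real value.
    # NOTE(review): masking of nested values relies on the service data
    # being dict/list based -- confirm for the project's own dict type.
    st.log("Return : {}".format(_redact_for_log(output, argv[-1])))
    return output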
Ejemplo n.º 9
def global_vars():
    """Create the module-level ``data`` store and fill in device settings.

    Stores the management IP of D1 and the "ansible" service data, plus a
    shortcut to that data's ``hosts`` entry.
    """
    global data
    data = SpyTestDict()
    dut = vars.D1
    data.device_ip = st.get_mgmt_ip(dut)
    data.ansible_params = st.get_service_info(dut, "ansible")
    # Shortcut so callers do not have to go through ansible_params.
    data.ansible_hosts = data.ansible_params.hosts