def test_ft_rbac_ro_tacacs_cred_ssh():
    '''
    Author: Sai Durga (pchvsai.durga@broadcom,com)
    FtOpSoScRBACFn008 Verify that a non-admin TACACS user does not have any
    permissions other than show (get) commands when SSHing to the system with
    username/password.

    The read-only user must be able to run ``show vlan config``; the
    ``sudo config vlan add 1000`` attempt that follows is expected to be refused.
    '''
    dut = vars.D1
    ro_user, ro_pwd = data.ro_username, data.password
    show_cmd = ['show vlan config']
    config_cmd = ['sudo config vlan add 1000']

    show_out = st.exec_ssh(dut, ro_user, ro_pwd, show_cmd)
    if not show_out:
        st.report_fail("cmd_not_executed")

    # NOTE(review): only the presence of output from the sudo attempt is checked
    # here; the refusal text itself is not inspected (compare ssh_call(), which
    # looks for the "Sorry, user ... is not allowed to execute" marker) — confirm
    # an empty reply is the only signature of a successful config change.
    config_out = st.exec_ssh(dut, ro_user, ro_pwd, config_cmd)
    if not config_out:
        st.report_fail("admin_user_root_privilege", "non", "got")
    st.report_pass("admin_user_root_privilege", "non", "doesnot got")
def ssh_call(dut, remote_dut=None, **kwargs):
    """
    Exercise an SSH session as a given user and check the RBAC outcome.

    Author : Prudvi Mangadu ([email protected])

    :param dut: device under test (the SSH target)
    :param remote_dut: device the SSH session originates from; only used for
        ``login_type='pubkey'``
    :param kwargs: mandatory keys ``login_type`` ('cred' or 'pubkey'),
        ``username``, ``password`` and ``mode`` ('rw' or 'ro')
    :return: False when a mandatory argument is missing or ``login_type`` is
        unknown; otherwise the verdict is delivered through
        ``st.report_pass`` / ``st.report_fail``
    """
    # NOTE(review): kwargs, including the password, is written to the log here.
    st.log('Performing SSH call using - {}'.format(kwargs))
    missing = [key for key in ('login_type', 'username', 'password', 'mode')
               if not kwargs.get(key)]
    if missing:
        st.error("Mandatory argument is not found - {}".format(missing[0]))
        return False

    dut_ip = st.get_mgmt_ip(dut)
    username, password = kwargs.get('username'), kwargs.get('password')
    login_type, mode = kwargs.get('login_type'), kwargs.get('mode')

    show_cmd = 'show vlan config'
    # The password is fed to the sudo prompt on the line after the command.
    config_cmd = 'sudo config vlan add 100\n{}'.format(password)

    if login_type == 'cred':
        ssh_out = st.exec_ssh(dut, username, password, [show_cmd, config_cmd])
        st.log(ssh_out)
    elif login_type == 'pubkey':
        show_out = st.exec_ssh_remote_dut(remote_dut, dut_ip, username, password, show_cmd)
        config_out = st.exec_ssh_remote_dut(remote_dut, dut_ip, username, password, config_cmd)
        # NOTE(review): assumes both helpers return str — a False/None return
        # would raise TypeError here; confirm against st.exec_ssh_remote_dut.
        ssh_out = show_out + "\n" + config_out
    else:
        st.error("Invalid 'login_type' used = {}".format(login_type))
        return False

    if not ssh_out:
        st.report_fail('rbac_call_fail', "SSH", mode, login_type)

    # Either marker means sudo refused the config command.
    denial_markers = (
        'Sorry, user {} is not allowed to execute'.format(username),
        "no askpass program specified",
    )
    outcome = {
        'show': 'VID' in ssh_out,
        'config': not any(marker in ssh_out for marker in denial_markers),
    }
    st.log(outcome)

    msg = 'Failed to execute show command using ssh session with mode- {mode}, type- {login_type}'
    # rw users must succeed at both; ro users must succeed at show only.
    expected = {'rw': (True, True), 'ro': (True, False)}
    passed = True
    if mode in expected and (outcome['show'], outcome['config']) != expected[mode]:
        st.error(msg.format(**kwargs))
        passed = False

    if not passed:
        st.report_fail('rbac_test_status', 'Fail', mode, 'SSH', login_type, outcome)
    st.report_pass('rbac_test_status', 'Pass', mode, 'SSH', login_type, outcome)
def ssh_module_prolog():
    """
    Module prolog: enable SSH on D1 and detect which of the two default
    passwords the default user currently has.

    The working password is stored in ``ssh_data.pwd_final``; when neither
    candidate works the module is failed with ``ssh_failed``.
    """
    enable_ssh(vars.D1)
    dut, user = vars.D1, ssh_data.usr_default
    # (log message, candidate password) — tried in this order.
    attempts = (
        ('connecting to device with username={},password={}', ssh_data.pwd_default[0]),
        ('Retry - connecting to device with username={},password={}', ssh_data.pwd_default[1]),
    )
    for message, candidate in attempts:
        st.log(message.format(user, candidate))
        ssh_data.pwd_final = candidate
        if st.exec_ssh(dut, user, candidate, ssh_data.commands_to_verify):
            break
    else:
        st.log("SSH connection failed with default Credentials.")
        st.report_fail("ssh_failed")
    st.banner("--> Detected device default password = {}".format(ssh_data.pwd_final))
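def test_ft_ssh_service_disable():
    """
    Author : Prudvi Mangadu ([email protected])

    With the SSH service disabled on D1, an SSH login with the default
    credentials must not succeed. The service is re-enabled again before the
    verdict is reported so that later tests are unaffected.
    """
    dut = vars.D1
    disable_ssh(dut)
    try:
        st.log('connecting to device with username={},password={}'.format(
            ssh_data.usr_default, ssh_data.pwd_final))
        output = st.exec_ssh(dut, ssh_data.usr_default, ssh_data.pwd_final,
                             ssh_data.commands_to_verify)
    finally:
        # Restore the service even if the SSH attempt raised; leaving SSH
        # disabled on the DUT would break every test that follows.
        enable_ssh(dut)
    if output:
        st.error("SSH connection Success even when disabled the SSH service.")
        st.report_fail("test_case_failed")
    else:
        st.report_pass("test_case_passed")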
def default_user_password_finder(dut, username, password_list):
    """
    Find which candidate password lets ``username`` SSH into ``dut``.

    Author : Prudvi Mangadu ([email protected])

    :param dut: device to SSH into
    :param username: user name to try
    :param password_list: candidate password(s), normalised through make_list
        and tried in order
    :return: the first password for which ``show system status`` ran over
        SSH, or None when none of them worked
    """
    st.log(" # Finding default user password.")
    probe_cmd = ['show system status']
    for candidate in make_list(password_list):
        st.log('Trying SSH connection to device with username={},password={}'.format(username, candidate))
        if not st.exec_ssh(dut, username, candidate, probe_cmd):
            continue
        st.log("Detected password = {}".format(candidate))
        return candidate
    return None
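def _snmp_get_cmd(ipaddress):
    """Build the snmpget command that reads sysName from ``ipaddress``."""
    return "snmpget -Oqv -v 2c -c {} {} {}".format(
        ssh_data.ro_community, ipaddress, ssh_data.oid_sysName)


def _acl_rule_missing(table, rule):
    """
    Poll (up to 5 s) for ``rule`` of ACL ``table`` on D1.

    :return: True (after logging an error) when the rule never shows up
    """
    if poll_wait(acl_obj.verify_acl_table_rule, 5, vars.D1, table, rule):
        return False
    st.error("Failed to create ACL rule '{}' ".format(table))
    return True


def _snmp_sysname_matches_hostname(snmp_cmd):
    """Run ``snmp_cmd`` over ssh_conn_obj and check D1's hostname is in the reply."""
    hostname = get_hostname(vars.D1)
    st.log("HOSTNAME: {}".format(hostname))
    snmp_out = execute_command(ssh_conn_obj, snmp_cmd)
    return hostname in snmp_out


def _default_user_ssh_via_acl():
    """
    SSH from D2 to D1 as the default user through the control-plane ACLs.

    The D1D2P2 addresses are the ones the ACLs are expected to block; the
    D1D2P1 addresses must still be reachable.

    :return: (ipv4_failures, ipv6_failures) — counts of unexpected outcomes
    """
    st.log("connecting to device with default username={},password={}".format(
        ssh_data.usr_default, ssh_data.pwd_final))
    user, pwd = ssh_data.usr_default, ssh_data.pwd_final
    v4_failures = 0
    v6_failures = 0
    if verify_ssh_connection(vars.D2, ssh_data.ipv4_address_D1D2P2, user, pwd):
        v4_failures += 1  # should have been blocked
    if verify_ssh_connection(vars.D2, ssh_data.ipv6_address_D1D2P2, user, pwd):
        v6_failures += 1  # should have been blocked
    if not verify_ssh_connection(vars.D2, ssh_data.ipv4_address_D1D2P1, user, pwd):
        v4_failures += 1  # should have been permitted
    if not verify_ssh_connection(vars.D2, ssh_data.ipv6_address_D1D2P1, user, pwd):
        v6_failures += 1  # should have been permitted
    return v4_failures, v6_failures


def _report_tc(tc_name, failures, msgid, detail):
    """Report sub test case ``tc_name`` as failed when ``failures`` is non-zero, else passed."""
    if failures:
        st.report_tc_fail(tc_name, msgid, detail)
    else:
        st.report_tc_pass(tc_name, msgid, detail)


def test_ft_ssh_add_user_verify():
    """
    Author : Prudvi Mangadu ([email protected])

    Add a non-default user, apply control-plane ACLs for SSH (v4/v6) and SNMP
    on D1, and check that the ACLs admit/deny SSH and SNMP as expected both
    before and after a fast reboot.  Sub results are reported for
    test_ft_controlplane_acl_service_sshv4 / _sshv6 / _snmp; the overall
    verdict additionally covers plain SSH logins with the default and the
    non-default user.
    """
    # NOTE(review): the "connecting to device ..." messages below write the
    # device passwords to the test log in clear text.
    user_ssh = 0
    acl_sshv4 = 0
    acl_sshv6 = 0
    acl_snmp = 0
    dut = vars.D1

    if not snmp_config(config='add'):
        acl_snmp += 1
    ipaddress = st.get_mgmt_ip(dut)
    if not ipaddress:
        st.report_env_fail("ip_verification_fail")
    snmp_cmd = _snmp_get_cmd(ipaddress)

    if not config_nondefault_user():
        user_ssh += 1
    st.log("connecting to device with username={},password={}".format(
        ssh_data.usr_default, ssh_data.pwd_final))
    if not st.exec_ssh(dut, ssh_data.usr_default, ssh_data.pwd_final, ssh_data.commands_to_verify):
        st.error('Cannot SSH into Device with default credentials')
        user_ssh += 1
    st.log('connecting to device with username={},password={}'.format(
        ssh_data.usr_non_default, ssh_data.pwd_non_default))
    if not st.exec_ssh(dut, ssh_data.usr_non_default, ssh_data.pwd_non_default, ssh_data.commands_to_verify):
        st.error('Cannot SSH into Device with non-default credentials')
        user_ssh += 1
    # Without any ACL in place D1D2P2 must be reachable.
    if not verify_ssh_connection(vars.D2, ssh_data.ipv4_address_D1D2P2, ssh_data.usr_default, ssh_data.pwd_final):
        user_ssh += 1

    # Keep the bare SNMP server address separate from the /32 prefix used in the
    # ACL: str.strip('/32') removes any of the characters '/', '3', '2' from both
    # ends and would mangle an address ending in 2 or 3 before the later ping.
    snmp_server_ip = ensure_service_params(dut, "snmptrap", "ip")
    snmp_server_prefix = snmp_server_ip + "/32"
    acl_config = acl_data.acl_json_config_control_plane
    change_acl_rules(acl_config, "SNMP_SSH|RULE_1", "SRC_IP", snmp_server_prefix)
    change_acl_rules(acl_config, "SNMP_SSH|RULE_2", "SRC_IP", snmp_server_prefix)
    change_acl_rules(acl_config, "SNMP_SSH|RULE_3", "SRC_IP", ssh_data.ipv4_network)
    change_acl_rules(acl_config, "V6_SSH_ONLY|RULE_1", "SRC_IPV6", ssh_data.ipv6_network_D1)
    st.log("ACL_DATA: {}".format(acl_config))
    acl_obj.apply_acl_config(dut, acl_config)
    acl_obj.show_acl_table(dut)
    acl_obj.show_acl_rule(dut)
    if _acl_rule_missing("SNMP_SSH", "RULE_1"):
        acl_snmp += 1
    if _acl_rule_missing("SNMP_SSH", "RULE_2"):
        acl_sshv4 += 1
    if _acl_rule_missing("V6_SSH_ONLY", "RULE_1"):
        acl_sshv6 += 1

    if not _snmp_sysname_matches_hostname(snmp_cmd):
        st.error("SNMP walk operation is failed")
        acl_snmp += 1

    v4_fail, v6_fail = _default_user_ssh_via_acl()
    acl_sshv4 += v4_fail
    acl_sshv6 += v6_fail
    st.log("connecting to device with non default username={},password={}".format(
        ssh_data.usr_non_default, ssh_data.pwd_non_default))
    if not verify_ssh_connection(vars.D2, ssh_data.ipv4_address_D1D2P1,
                                 ssh_data.usr_non_default, ssh_data.pwd_non_default):
        acl_sshv4 += 1
    if not verify_ssh_connection(vars.D2, ssh_data.ipv6_address_D1D2P1,
                                 ssh_data.usr_non_default, ssh_data.pwd_non_default):
        acl_sshv6 += 1

    config_save(dut)
    st.log('rebooting the device.')
    st.reboot(dut, 'fast')
    acl_obj.show_acl_table(dut)
    acl_obj.show_acl_rule(dut)
    # After the reboot the rules must come back from the saved config; a
    # missing V6 rule counts against the IPv6 sub case, as before the reboot.
    if _acl_rule_missing("SNMP_SSH", "RULE_2"):
        acl_sshv4 += 1
    if _acl_rule_missing("V6_SSH_ONLY", "RULE_1"):
        acl_sshv6 += 1
    if _acl_rule_missing("SNMP_SSH", "RULE_1"):
        acl_snmp += 1

    ipaddress = st.get_mgmt_ip(dut)
    if not ipaddress or not ip_obj.ping(dut, snmp_server_ip):
        st.error("Ping to SNMP server or getting ip address to the dut is failed after reload")
        acl_obj.acl_delete(dut)
        config_nondefault_user(config='remove')
        st.report_fail("ip_verification_fail")
    snmp_cmd = _snmp_get_cmd(ipaddress)
    if not _snmp_sysname_matches_hostname(snmp_cmd):
        st.error("SNMP walk operation is failed after reload")
        acl_snmp += 1

    st.log('Verifying SNMP ACL with invalid source address')
    # NOTE(review): this leaves SNMP_SSH|RULE_1 in the shared acl_data config
    # pointing at 2.2.2.0/24 and nothing below restores it — confirm it is
    # reset before the next user of acl_json_config_control_plane.
    change_acl_rules(acl_config, "SNMP_SSH|RULE_1", "SRC_IP", "2.2.2.0/24")
    acl_obj.acl_delete(dut)
    acl_obj.apply_acl_config(dut, acl_config)
    st.wait(3, "Waiting to apply acl rules")
    # With the source no longer matching the ACL, the get must time out.
    if "Timeout" not in execute_command(ssh_conn_obj, snmp_cmd):
        acl_snmp += 1

    v4_fail, v6_fail = _default_user_ssh_via_acl()
    acl_sshv4 += v4_fail
    acl_sshv6 += v6_fail

    _report_tc("test_ft_controlplane_acl_service_sshv4", acl_sshv4, "ssh_failed",
               "with control plane ACL service SSHv4 after reboot")
    _report_tc("test_ft_controlplane_acl_service_sshv6", acl_sshv6, "ssh_failed",
               "with control plane ACL service SSHv6 after reboot")
    _report_tc("test_ft_controlplane_acl_service_snmp", acl_snmp, "snmp_output_failed",
               "with control plane ACL service SNMP after reboot")

    acl_obj.acl_delete(dut)
    if acl_sshv4 or acl_sshv6 or acl_snmp:
        st.generate_tech_support(dut, "controlplane_acl_services_after_reboot")

    st.log('Verifying SSH connection after removing control plane ACLs')
    st.log("connecting to device with username={},password={}".format(
        ssh_data.usr_default, ssh_data.pwd_final))
    if not st.exec_ssh(dut, ssh_data.usr_default, ssh_data.pwd_final, ssh_data.commands_to_verify):
        st.error('Cannot SSH into Device with default credentials after reboot')
        user_ssh += 1
    st.log('connecting to device with username={},password={}'.format(
        ssh_data.usr_non_default, ssh_data.pwd_non_default))
    if not st.exec_ssh(dut, ssh_data.usr_non_default, ssh_data.pwd_non_default, ssh_data.commands_to_verify):
        st.error('Cannot SSH into Device with non-default credentials after reboot')
        user_ssh += 1
    config_nondefault_user(config='remove')

    if user_ssh or acl_snmp or acl_sshv4 or acl_sshv6:
        st.report_fail("test_case_failed")
    st.report_pass("test_case_passed")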