From 85e82c15aefb5fdd4577f0caca432109255d1596 Mon Sep 17 00:00:00 2001
From: Hua Liu <58683130+liuh-80@users.noreply.github.com>
Date: Sun, 4 Jun 2023 22:17:35 -0700
Subject: [PATCH] Add UT for tacacs stop send request after first service reject user. (#8345)

### Description of PR
Add UT for tacacs stop send request after first service reject user. Summary: Add UT for tacacs stop send request after first service reject user. New UT is for code change in https://github.com/sonic-net/sonic-buildimage/pull/14249
### Type of change
- [ ] Bug fix
- [ ] Testbed and Framework(new/improvement)
- [x] Test case(new/improvement)
### Back port request
- [ ] 201911
- [ ] 202012
- [ ] 202205
### Approach
#### What is the motivation for this PR?
Add new UT to test and protect 'TACACS stop send request after first service reject user' feature.
#### How did you do it?
Add second tacacs server IP address, and login with invalid account, then validate TACACS stop send request after first TACACS server reject user login.
#### How did you verify/test it?
Manually test new UT. Pass PR validation.
#### Any platform specific information?
No
#### Supported testbed topology if it's a new test case?
Any
### Documentation
---
 tests/tacacs/test_authorization.py | 41 ++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/tests/tacacs/test_authorization.py b/tests/tacacs/test_authorization.py
index 1683cf4c533..8ceda738105 100644
--- a/tests/tacacs/test_authorization.py
+++ b/tests/tacacs/test_authorization.py
@@ -417,3 +417,44 @@ def test_backward_compatibility_disable_authorization(
     # cleanup
     start_tacacs_server(ptfhost)
+
+
+def test_stop_request_next_server_after_reject(
+        duthosts, enum_rand_one_per_hwsku_hostname,
+        tacacs_creds, ptfhost, check_tacacs, remote_user_client, local_user_client):
+    duthost = duthosts[enum_rand_one_per_hwsku_hostname]
+
+    # not ignore on version >= 202305
+    skip_versions = ["201811", "201911", "202012", "202106", "202111", "202205", "202211"]
+    skip_release(duthost, skip_versions)
+
+    # Use ptfhost ipv6 address as second ip address
+    ptfhost_vars = ptfhost.host.options['inventory_manager'].get_host(ptfhost.hostname).vars
+    if 'ansible_hostv6' not in ptfhost_vars:
+        pytest.skip("Skip UT. ptf ansible_hostv6 not configured.")
+    tacacs_server_ipv6 = ptfhost_vars['ansible_hostv6']
+
+    # Setup second tacacs server
+    duthost.shell("sudo config tacacs add {}".format(tacacs_server_ipv6))
+    duthost.shell("sudo config tacacs timeout 1")
+
+    # Clean tacacs log
+    res = ptfhost.command(r'truncate -s 0 /var/log/tac_plus.log')
+
+    # Login with invalied user, the first tacacs server will reject user login
+    dutip = duthost.mgmt_ip
+    check_ssh_connect_remote_failed(
+        dutip,
+        "invalid_user",
+        "invalid_password"
+    )
+
+    # Server side should only have 1 login request log:
+    # After first tacacs server reject user login, tacacs will not try to connect to second server.
+    res = ptfhost.command(r"sed -n 's/\(exec authorization request for invalid_user\)/\1/p' /var/log/tac_plus.log")
+    logger.warning(res["stdout_lines"])
+    pytest_assert(len(res["stdout_lines"]) == 1)
+
+    # Remove second server IP
+    duthost.shell("sudo config tacacs delete %s" % tacacs_server_ipv6)
+    duthost.shell("sudo config tacacs timeout 5")
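Review bot: The two cleanup calls at the end of test_stop_request_next_server_after_reject (`config tacacs delete` and `config tacacs timeout 5`) only run when every step before them succeeds; if check_ssh_connect_remote_failed raises or the pytest_assert fails, the DUT is left with the extra IPv6 server and the 1-second timeout, and that leaked state changes the behaviour of every tacacs test that runs afterwards. Wrap everything after the `config tacacs add` call in `try:` and move the two cleanup `duthost.shell(...)` lines into a `finally:` block, or register the cleanup with a fixture teardown as the surrounding tests presumably do. The restored value `timeout 5` is also hard-coded rather than captured before the change, so on a testbed with a different default the test silently alters the DUT configuration; reading the current timeout first and restoring that value would be safer. The count of exactly one "exec authorization request" line only proves the point because both configured addresses appear to reach the same tac_plus instance on the ptfhost, which is worth stating in the comment above the sed call. Minor: `# Login with invalied user` should read `# Login with invalid user`.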