Add UT for tacacs stop send request after first service reject user. (#8345)

### Description of PR
Add UT for tacacs stop send request after first service reject user.

Summary:
Add UT for tacacs stop send request after first service reject user.
New UT is for code change in sonic-net/sonic-buildimage#14249

### Type of change

- [ ] Bug fix
- [ ] Testbed and Framework(new/improvement)
- [x] Test case(new/improvement)


### Back port request
- [ ] 201911
- [ ] 202012
- [ ] 202205

### Approach
#### What is the motivation for this PR?
Add new UT to test and protect 'TACACS stop send request after first service reject user' feature.

#### How did you do it?
Add a second TACACS server IP address, log in with an invalid account, then validate that TACACS stops sending requests after the first TACACS server rejects the user login.

#### How did you verify/test it?
Manually test new UT.
Pass PR validation.

#### Any platform specific information?
No

#### Supported testbed topology if it's a new test case?
Any

liuh-80 authored Jun 5, 2023
1 parent 907c5ad commit 7390991
Showing 1 changed file with 41 additions and 0 deletions.
41 changes: 41 additions & 0 deletions tests/tacacs/test_authorization.py
Expand Up @@ -417,3 +417,44 @@ def test_backward_compatibility_disable_authorization(

# cleanup
start_tacacs_server(ptfhost)


def test_stop_request_next_server_after_reject(
duthosts, enum_rand_one_per_hwsku_hostname,
tacacs_creds, ptfhost, check_tacacs, remote_user_client, local_user_client):
duthost = duthosts[enum_rand_one_per_hwsku_hostname]

# not ignore on version >= 202305
skip_versions = ["201811", "201911", "202012", "202106", "202111", "202205", "202211"]
skip_release(duthost, skip_versions)

# Use ptfhost ipv6 address as second ip address
ptfhost_vars = ptfhost.host.options['inventory_manager'].get_host(ptfhost.hostname).vars
if 'ansible_hostv6' not in ptfhost_vars:
pytest.skip("Skip UT. ptf ansible_hostv6 not configured.")
tacacs_server_ipv6 = ptfhost_vars['ansible_hostv6']

# Setup second tacacs server
duthost.shell("sudo config tacacs add {}".format(tacacs_server_ipv6))
duthost.shell("sudo config tacacs timeout 1")

# Clean tacacs log
res = ptfhost.command(r'truncate -s 0 /var/log/tac_plus.log')

# Login with invalied user, the first tacacs server will reject user login
dutip = duthost.mgmt_ip
check_ssh_connect_remote_failed(
dutip,
"invalid_user",
"invalid_password"
)

# Server side should only have 1 login request log:
# After first tacacs server reject user login, tacacs will not try to connect to second server.
res = ptfhost.command(r"sed -n 's/\(exec authorization request for invalid_user\)/\1/p' /var/log/tac_plus.log")
logger.warning(res["stdout_lines"])
pytest_assert(len(res["stdout_lines"]) == 1)

# Remove second server IP
duthost.shell("sudo config tacacs delete %s" % tacacs_server_ipv6)
duthost.shell("sudo config tacacs timeout 5")
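Review bot: the cleanup at the end of `test_stop_request_next_server_after_reject` (`sudo config tacacs delete …` and `sudo config tacacs timeout 5`) is not guaranteed to run: if `check_ssh_connect_remote_failed` raises or `pytest_assert(len(res["stdout_lines"]) == 1)` fails, the DUT is left with the extra IPv6 server and a 1 second TACACS timeout, which will skew every later test in the module. Wrap the body after the two `config tacacs` calls in a `try`/`finally` (or move the add/delete into a fixture that yields), and restore the timeout to the value read before the test rather than the hard-coded `5`, since the DUT's prior setting is not known here. Smaller points in the same hunk: `res` from the `truncate` command on the log-clean line is never used and can be dropped; the comment `# Login with invalied user` has a typo (`invalid`); `logger.warning(res["stdout_lines"])` logs expected output at warning level, `logger.info` or `logger.debug` fits better; and `pytest_assert` would be easier to triage with a message, e.g. `pytest_assert(len(res["stdout_lines"]) == 1, "expected exactly one authorization request, got: {}".format(res["stdout_lines"]))`. The `sed -n 's/\(…\)/\1/p'` filter is equivalent to a plain `grep`, which reads more clearly. The hunk also relies on `pytest` and `skip_release` being imported in this module; that is not visible in the diff and is worth a quick check.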
