From 6224d672ba1ff82dbba681fe665fa0d12c58f875 Mon Sep 17 00:00:00 2001
From: jingwenxie
Date: Tue, 27 Feb 2024 09:34:32 +0800
Subject: [PATCH] [yang] Restrict AAA authorization with TACPLUS passkey (#18155)

### Why I did it
Command cannot be executed when tacacs+ in AAA authorization is set and passkey in TACPLUs is not set. There should be such restriction in YANG model definition.
##### Work item tracking
- Microsoft ADO **(number only)**: 26898399
#### How I did it
Add restirction
#### How to verify it
unit test
---
 .../tests/yang_model_tests/tests/aaa.json | 4 ++++
 .../yang_model_tests/tests_config/aaa.json | 19 +++++++++++++++++++
 .../yang-models/sonic-system-aaa.yang | 8 ++++++++
 3 files changed, 31 insertions(+)

diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/aaa.json b/src/sonic-yang-models/tests/yang_model_tests/tests/aaa.json
index 972b404b8..e1cf51385 100644
--- a/src/sonic-yang-models/tests/yang_model_tests/tests/aaa.json
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests/aaa.json
@@ -18,6 +18,10 @@
 "AAA_AUTHORIZATION_TEST": {
 "desc": "Configure an authorization type in AAA table."
 },
+ "AAA_AUTHORIZATION_TEST_TACACS_WITHOUT_TACPLUS": {
+ "desc": "Configure tacacs in authorization type in AAA table without TACPLUS table.",
+ "eStr": ["Authorization with 'tacacs+' is not allowed when passkey not exists."]
+ },
 "AAA_ACCOUNTING_TEST": {
 "desc": "Configure an accounting type in AAA table."
 }
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/aaa.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/aaa.json
index fbf63f994..0be9b4b1f 100644
--- a/src/sonic-yang-models/tests/yang_model_tests/tests_config/aaa.json
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/aaa.json
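Review bot: The `eStr` of the new test case copies the YANG `error-message` verbatim, including the ungrammatical "when passkey not exists", so a later wording fix in sonic-system-aaa.yang (the last hunk of this patch) would silently break this match unless both strings move together; suggest `"eStr": ["Authorization with 'tacacs+' is not allowed when the TACPLUS global passkey is not configured."]` with the same text in the YANG `error-message`. The `desc` says "without TACPLUS table", but the constraint keys on the absence of the `passkey` leaf, so a TACPLUS global entry with `timeout` but no `passkey` is the other case the description should name and a test config should cover; the negative test's config body is in the next file and partly outside this view, so I cannot confirm whether it already does.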
@@ -46,6 +46,25 @@
 },
 "AAA_AUTHORIZATION_TEST": {
+ "sonic-system-aaa:sonic-system-aaa": {
+ "sonic-system-aaa:AAA": {
+ "AAA_LIST": [{
+ "type": "authorization",
+ "login": "tacacs+"
+ }]
+ }
+ },
+ "sonic-system-tacacs:sonic-system-tacacs": {
+ "sonic-system-tacacs:TACPLUS": {
+ "global": {
+ "timeout": 5,
+ "passkey": "aabb"
+ }
+ }
+ }
+ },
+
+ "AAA_AUTHORIZATION_TEST_TACACS_WITHOUT_TACPLUS": {
 "sonic-system-aaa:sonic-system-aaa": {
 "sonic-system-aaa:AAA": {
 "AAA_LIST": [{
diff --git a/src/sonic-yang-models/yang-models/sonic-system-aaa.yang b/src/sonic-yang-models/yang-models/sonic-system-aaa.yang
index 08d5f6f94..1b1a8c493 100644
--- a/src/sonic-yang-models/yang-models/sonic-system-aaa.yang
+++ b/src/sonic-yang-models/yang-models/sonic-system-aaa.yang
@@ -7,6 +7,10 @@ module sonic-system-aaa {
 prefix stypes;
 }
+ import sonic-system-tacacs{
+ prefix tacacs;
+ }
+
 revision 2021-10-12 {
 description "Add AAA authorization/accounting support.";
 }
@@ -39,6 +43,10 @@ module sonic-system-aaa {
 default "local";
 }
+ must 'not(./type = "authorization" and contains(./login, "tacacs+") and not(/tacacs:sonic-system-tacacs/tacacs:TACPLUS/tacacs:global/tacacs:passkey))' {
+ error-message "Authorization with 'tacacs+' is not allowed when passkey not exists.";
+ }
+
 leaf failthrough {
 type stypes:boolean_type;
 description "When set to true, authentication is attempted on next configured server/local in the list upon failure.";
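Review bot: The new `must` in the last hunk only checks that the `tacacs:passkey` node exists (`not()` on a node-set is a presence test), so a TACPLUS global entry whose passkey leaf is present but empty would still validate if that leaf's type admits an empty string, which this patch does not show; if it does, the last operand should become `(not(/tacacs:sonic-system-tacacs/tacacs:TACPLUS/tacacs:global/tacacs:passkey) or /tacacs:sonic-system-tacacs/tacacs:TACPLUS/tacacs:global/tacacs:passkey = "")`. The `must` carries no `description`; suggest `description "TACACS+ authorization requires a passkey in the TACPLUS global entry, otherwise authorization requests cannot be completed.";` next to the `error-message`. The guard is limited to `./type = "authorization"`; whether `authentication` entries naming `tacacs+` have the same dependency is not stated here, so I only flag it for the author to confirm. The list entry that owns `type` and `login` starts and ends outside the hunk.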