diff --git a/src/sonic-yang-models/setup.py b/src/sonic-yang-models/setup.py
index 41787b6f3..16f3b3e36 100644
--- a/src/sonic-yang-models/setup.py
+++ b/src/sonic-yang-models/setup.py
@@ -64,6 +64,8 @@ setup(
 './yang-models/sonic-route-common.yang',
 './yang-models/sonic-route-map.yang',
 './yang-models/sonic-routing-policy-sets.yang',
+ './yang-models/sonic-system-aaa.yang',
+ './yang-models/sonic-system-tacacs.yang',
 './yang-models/sonic-types.yang',
 './yang-models/sonic-versions.yang',
 './yang-models/sonic-vlan.yang',
diff --git a/src/sonic-yang-models/tests/files/sample_config_db.json b/src/sonic-yang-models/tests/files/sample_config_db.json
index 5d1312564..2693c5c22 100644
--- a/src/sonic-yang-models/tests/files/sample_config_db.json
+++ b/src/sonic-yang-models/tests/files/sample_config_db.json
@@ -792,6 +792,22 @@
 "polling_interval": "0"
 }
 },
+ "AAA": {
+ "authentication": {
+ "login": "local"
+ }
+ },
+ "TACPLUS": {
+ "global": {
+ "auth_type": "pap",
+ "timeout": "5"
+ }
+ },
+ "TACPLUS_SERVER": {
+ "192.168.1.1": {
+ "timeout": "10"
+ }
+ },
 "NAT_BINDINGS": {
 "bind1": {
@@ -899,4 +915,5 @@
 "Error": "This Table is for testing, This Table does not have YANG models."
 }
 }
+ }
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/aaa.json b/src/sonic-yang-models/tests/yang_model_tests/tests/aaa.json
new file mode 100644
index 000000000..5316c83e7
--- /dev/null
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests/aaa.json
@@ -0,0 +1,13 @@
+{
+ "AAA_TEST": {
+ "desc": "Configure an authentication type in AAA table."
+ },
+ "AAA_TEST_WRONG_TYPE": {
+ "desc": "Configure a wrong type in AAA table.",
+ "eStrKey": "InvalidValue"
+ },
+ "AAA_TEST_WRONG_FAILTHROUGH": {
+ "desc": "Configure a wrong failthrough in AAA table.",
+ "eStrKey": "InvalidValue"
+ }
+}
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/tacacs.json b/src/sonic-yang-models/tests/yang_model_tests/tests/tacacs.json
new file mode 100644
index 000000000..5236aab59
--- /dev/null
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests/tacacs.json
@@ -0,0 +1,32 @@
+{
+ "TACPLUS_TEST": {
+ "desc": "Tacplus global configuration in TACPLUS table."
+ },
+ "TACPLUS_INVALID_TIMEOUT_TEST": {
+ "desc": "Tacplus global configuration with invalid timeout value in TACPLUS table.",
+ "eStr": "TACACS timeout must be 1..60"
+ },
+ "TACPLUS_NOT_PRESENT_SRC_INTF_TEST": {
+ "desc": "Tacplus global configuration with a non existent port in TACPLUS table.",
+ "eStrKey": "InvalidValue"
+ },
+ "TACPLUS_SERVER_TEST" : {
+ "desc": "Tacplus server configuration in TACPLUS_SERVER table."
+ },
+ "TACPLUS_SERVER_INVALID_PRIORITY_TEST": {
+ "desc": "Tacplus server configuration with invalid priority value in TACPLUS_SERVER table.",
+ "eStr": "TACACS server priority must be 1..64"
+ },
+ "TACPLUS_SERVER_INVALID_TIMEOUT_TEST" : {
+ "desc": "Tacplus server configuration with invalid timeout value in TACPLUS_SERVER table.",
+ "eStr": "TACACS server timeout must be 1..60"
+ },
+ "TACPLUS_SERVER_INVALID_AUTH_TYPE_TEST" : {
+ "desc": "Tacplus server configuration with invalid auth type in TACPLUS_SERVER table.",
+ "eStrKey": "InvalidValue"
+ },
+ "TACPLUS_SERVER_INVALID_VRF_TEST" : {
+ "desc": "Tacplus server configuration with invalid VRF in TACPLUS_SERVER table.",
+ "eStr": "Invalid VRF name"
+ }
+}
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/aaa.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/aaa.json
new file mode 100644
index 000000000..1b79b26ac
--- /dev/null
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/aaa.json
@@ -0,0 +1,35 @@
+{
+ "AAA_TEST": {
+ "sonic-system-aaa:sonic-system-aaa": {
+ "sonic-system-aaa:AAA": {
+ "AAA_LIST": [{
+ "type": "authentication",
+ "login": "tacacs+,local",
+ "failthrough": "true",
+ "debug": "true"
+ }]
+ }
+ }
+ },
+
+ "AAA_TEST_WRONG_TYPE": {
+ "sonic-system-aaa:sonic-system-aaa": {
+ "sonic-system-aaa:AAA": {
+ "AAA_LIST": [{
+ "type": "authorization"
+ }]
+ }
+ }
+ },
+
+ "AAA_TEST_WRONG_FAILTHROUGH": {
+ "sonic-system-aaa:sonic-system-aaa": {
+ "sonic-system-aaa:AAA": {
+ "AAA_LIST": [{
+ "type": "authentication",
+ "failthrough": "enable"
+ }]
+ }
+ }
+ }
+}
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/tacacs.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/tacacs.json
new file mode 100644
index 000000000..290813121
--- /dev/null
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/tacacs.json
@@ -0,0 +1,131 @@
+{
+ "TACPLUS_TEST": {
+ "sonic-port:sonic-port": {
+ "sonic-port:PORT": {
+ "PORT_LIST": [
+ {
+ "admin_status": "up",
+ "alias": "eth8",
+ "description": "Ethernet8",
+ "lanes": "65",
+ "mtu": 9000,
+ "name": "Ethernet0",
+ "speed": 25000
+ }
+ ]
+ }
+ },
+
+ "sonic-system-tacacs:sonic-system-tacacs": {
+ "sonic-system-tacacs:TACPLUS": {
+ "global": {
+ "auth_type": "chap",
+ "timeout": 5,
+ "passkey": "dellsonic",
+ "src_intf": "Ethernet0"
+ }
+ }
+ }
+ },
+
+ "TACPLUS_INVALID_TIMEOUT_TEST": {
+ "sonic-system-tacacs:sonic-system-tacacs": {
+ "sonic-system-tacacs:TACPLUS": {
+ "global": {
+ "auth_type": "chap",
+ "timeout": 70
+ }
+ }
+ }
+ },
+
+ "TACPLUS_NOT_PRESENT_SRC_INTF_TEST": {
+ "sonic-system-tacacs:sonic-system-tacacs": {
+ "sonic-system-tacacs:TACPLUS": {
+ "global": {
+ "auth_type": "chap",
+ "timeout": 5,
+ "passkey": "dellsonic",
+ "src_intf": "Ethernet0"
+ }
+ }
+ }
+ },
+
+ "TACPLUS_SERVER_TEST": {
+ "sonic-system-tacacs:sonic-system-tacacs": {
+ "sonic-system-tacacs:TACPLUS_SERVER": {
+ "TACPLUS_SERVER_LIST": [
+ {
+ "ipaddress": "192.168.1.1",
+ "priority": 5,
+ "tcp_port": 50,
+ "timeout": 10,
+ "auth_type": "chap",
+ "passkey": "dellsonic",
+ "vrf": "default"
+ },
+ {
+ "ipaddress": "tacserver1",
+ "priority": 2,
+ "tcp_port": 51,
+ "timeout": 15,
+ "auth_type": "pap",
+ "passkey": "dellsonic1",
+ "vrf": "mgmt"
+ }
+ ]
+ }
+ }
+ },
+
+ "TACPLUS_SERVER_INVALID_PRIORITY_TEST": {
+ "sonic-system-tacacs:sonic-system-tacacs": {
+ "sonic-system-tacacs:TACPLUS_SERVER": {
+ "TACPLUS_SERVER_LIST": [
+ {
+ "ipaddress": "192.168.1.1",
+ "priority": 70
+ }
+ ]
+ }
+ }
+ },
+ "TACPLUS_SERVER_INVALID_TIMEOUT_TEST": {
+ "sonic-system-tacacs:sonic-system-tacacs": {
+ "sonic-system-tacacs:TACPLUS_SERVER": {
+ "TACPLUS_SERVER_LIST": [
+ {
+ "ipaddress": "192.168.1.1",
+ "timeout": 70
+ }
+ ]
+ }
+ }
+ },
+ "TACPLUS_SERVER_INVALID_AUTH_TYPE_TEST": {
+ "sonic-system-tacacs:sonic-system-tacacs": {
+ "sonic-system-tacacs:TACPLUS_SERVER": {
+ "TACPLUS_SERVER_LIST": [
+ {
+ "ipaddress": "192.168.1.1",
+ "auth_type": "123"
+ }
+ ]
+ }
+ }
+ },
+ "TACPLUS_SERVER_INVALID_VRF_TEST": {
+ "sonic-system-tacacs:sonic-system-tacacs": {
+ "sonic-system-tacacs:TACPLUS_SERVER": {
+ "TACPLUS_SERVER_LIST": [
+ {
+ "ipaddress": "192.168.1.1",
+ "vrf": "Vrf1"
+ }
+ ]
+ }
+ }
+ }
+
+}
diff --git a/src/sonic-yang-models/yang-models/sonic-system-aaa.yang b/src/sonic-yang-models/yang-models/sonic-system-aaa.yang
new file mode 100644
index 000000000..eb6a8b06c
--- /dev/null
+++ b/src/sonic-yang-models/yang-models/sonic-system-aaa.yang
@@ -0,0 +1,44 @@
+module sonic-system-aaa {
+ namespace "http://github.com/Azure/sonic-system-aaa";
+ prefix ssys;
+ yang-version 1.1;
+
+ revision 2021-04-15 {
+ description "Initial revision.";
+ }
+
+ container sonic-system-aaa {
+ container AAA {
+ list AAA_LIST {
+ key "type";
+
+ leaf type {
+ type enumeration {
+ enum authentication;
+ }
+ description "AAA type authentication";
+ }
+
+ leaf login {
+ type string;
+ description "AAA authentication methods - local/tacacs+";
+ default "local";
+ }
+
+ leaf failthrough {
+ type boolean;
+ description "When set to true, authentication is attempted on next configured server/local in the list upon failure.";
+ default false;
+ }
+
+ leaf debug {
+ type boolean;
+ description "Enable/disable AAA debugging";
+ default false;
+ }
+
+ }
+ }
+ }
+}
+
diff --git a/src/sonic-yang-models/yang-models/sonic-system-tacacs.yang b/src/sonic-yang-models/yang-models/sonic-system-tacacs.yang
new file mode 100644
index 000000000..f82340b0e
--- /dev/null
+++ b/src/sonic-yang-models/yang-models/sonic-system-tacacs.yang
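Review bot: None of the TACPLUS_SERVER_LIST or TACPLUS/global fixtures exercises the `passkey` constraints (`length "1..65"` and the `[^ #,]*` pattern that carries its own error-message), although priority, timeout, auth_type and vrf each get a negative case; tcp_port and `max-elements 8` are untested as well. A fixture such as `"TACPLUS_SERVER_INVALID_PASSKEY_TEST"` with `"passkey": "dell sonic"` (constructed value; the space is what the pattern rejects), paired with an entry in tests/yang_model_tests/tests/tacacs.json carrying `"eStr": "TACACS shared secret"`, would pin that message. TACPLUS_NOT_PRESENT_SRC_INTF_TEST repeats the TACPLUS_TEST payload minus the sonic-port table, so its InvalidValue expectation presumably comes from the src_intf leafrefs; since JSON cannot carry a comment, the `desc` in tests/tacacs.json is the place to say that.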
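Review bot: `leaf login` in AAA_LIST is an unconstrained `type string` while its description limits the value to local/tacacs+ and the fixture uses `"tacacs+,local"`, so a misspelled method such as `tacacs` validates; if those two are the only accepted methods, `pattern '(local|tacacs\+)(,(local|tacacs\+))*';` inside the type lets the model enforce it. The module declares `prefix ssys;`, the same prefix as sonic-system-tacacs.yang in this commit; a prefix is scoped to its own module so this should compile, but a distinct one (e.g. `saaa`) avoids the clash for any module that later imports both. If, as the `failthrough` description implies, methods are tried in list order, the `login` description should say so.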
@@ -0,0 +1,172 @@
+module sonic-system-tacacs {
+ namespace "http://github.com/Azure/sonic-system-tacacs";
+ prefix ssys;
+ yang-version 1.1;
+
+ import ietf-inet-types {
+ prefix inet;
+ }
+
+ import sonic-port {
+ prefix port;
+ }
+
+ import sonic-portchannel {
+ prefix lag;
+ }
+
+ /*
+ import sonic-vlan {
+ prefix vlan;
+ }
+ */
+
+ import sonic-loopback-interface {
+ prefix loopback;
+ }
+
+ import sonic-interface {
+ prefix interface;
+ }
+
+ import sonic-mgmt_port {
+ prefix mgmt-port;
+ }
+
+ revision 2021-04-15 {
+ description "Initial revision.";
+ }
+
+ typedef auth_type_enumeration {
+ type enumeration {
+ enum pap;
+ enum chap;
+ enum mschap;
+ enum login;
+ }
+ }
+
+ container sonic-system-tacacs {
+
+ container TACPLUS_SERVER {
+ list TACPLUS_SERVER_LIST {
+ max-elements 8;
+ key "ipaddress";
+
+ leaf ipaddress {
+ type inet:host;
+ description
+ "TACACS+ server's Domain name or IP address (IPv4 or IPv6)";
+ }
+
+ leaf priority {
+ default 1;
+ type uint8 {
+ range "1..64" {
+ error-message "TACACS server priority must be 1..64";
+ }
+ }
+ description "Server priority";
+ }
+
+ leaf tcp_port {
+ type inet:port-number;
+ default 49;
+ description "TCP port to communite with TACACS+ server";
+ }
+
+ leaf timeout {
+ default 5;
+ type uint16 {
+ range "1..60" {
+ error-message "TACACS server timeout must be 1..60";
+ }
+ }
+ description "TACACS+ server timeout";
+ }
+
+ leaf auth_type {
+ type auth_type_enumeration;
+ default pap;
+ description "Authentication type";
+ }
+
+ leaf passkey {
+ type string {
+ length "1..65";
+ pattern "[^ #,]*" {
+ error-message 'TACACS shared secret (Valid chars are ASCII printable except SPACE, "#", and ",")';
+ }
+ }
+ }
+
+ leaf vrf {
+ type string {
+ pattern "mgmt|default" {
+ error-message "Error: Invalid VRF name";
+ }
+ }
+ description
+ "VRF name";
+ }
+ }
+ }
+
+
+ container TACPLUS {
+
+ container global {
+
+ leaf auth_type {
+ type auth_type_enumeration;
+ default pap;
+ }
+
+ leaf timeout {
+ type uint16 {
+ range "1..60" {
+ error-message "TACACS timeout must be 1..60";
+ }
+ }
+ default 5;
+ }
+
+ leaf passkey {
+ type string {
+ length "1..65";
+ pattern "[^ #,]*" {
+ error-message 'TACACS shared secret (Valid chars are ASCII printable except SPACE, "#", and ",")';
+ }
+ }
+ description "Shared secret used for encrypting the communication";
+ }
+
+ leaf src_intf {
+ type union {
+ type leafref {
+ path "/port:sonic-port/port:PORT/port:PORT_LIST/port:name";
+ }
+ type leafref {
+ path "/lag:sonic-portchannel/lag:PORTCHANNEL/lag:PORTCHANNEL_LIST/lag:name";
+ }
+ /*
+ type leafref {
+ path "/vlan:sonic-vlan/vlan:VLAN/vlan:VLAN_LIST/vlan:name";
+ }
+ */
+ type string {
+ pattern 'Vlan([0-9]{1,3}|[1-3][0-9]{3}|[4][0][0-8][0-9]|[4][0][9][0-4])';
+ }
+ type leafref {
+ path "/loopback:sonic-loopback-interface/loopback:LOOPBACK_INTERFACE/loopback:LOOPBACK_INTERFACE_LIST/loopback:name";
+ }
+ type leafref {
+ path "/mgmt-port:sonic-mgmt_port/mgmt-port:MGMT_PORT/mgmt-port:MGMT_PORT_LIST/mgmt-port:name";
+ }
+ }
+ description "Source IP to use from source interface for TACACS+ server communication.";
+ }
+ }
+ }
+}
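Review bot: The `passkey` pattern `[^ #,]*` in TACPLUS_SERVER_LIST, repeated in TACPLUS/global, is wider than its error-message claims: it excludes only space, `#` and `,`, so control and non-ASCII characters are accepted as long as `length "1..65"` holds. If the message is the intended contract, a second pattern beside the existing one, `pattern '[!-~]*';` (printable ASCII only; YANG requires every pattern on a type to match), closes the gap. The server-level `passkey` leaf has no `description` unlike its siblings, `TACPLUS/global/auth_type` and `timeout` have none either, and the `tcp_port` description misspells "communicate". Nothing in the model marks `passkey` as sensitive; a sentence in its description noting that the shared secret is modelled as a plain string in CONFIG_DB gives operators and show/dump tooling the cue to redact it. The commented-out `import sonic-vlan` and the commented `vlan` leafref inside the `src_intf` union are dead code with no note on why the `Vlan...` string pattern stands in for them; a one-line comment giving the actual reason (presumably an import cycle) would help the next reader.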