TACACSPLUS_PASSKEY_ENCRYPTION support Part - I

[nmoray]

• What I did
  Added a support of TACACS passkey encryption feature.
  Ref. : HLD
  This PR comprises the encryption logic.

• How I did it
  Implemented the feature by following HLD

• How to verify it
  `1. Configured TACACS passkey:
  root@sonic:/# config tacacs passkey

2. Verified whether passkey is encrypted:
   root@sonic:/# show runningconfiguration all | grep passkey
   "passkey": "U2FsdGVkX19kFwDeP3IhgqbLJeed3pXtazJ73FtmD3I="

3. Verified /etc/pam.d/common-auth-sonic file to validate if the passkey is decrypted correctly [Referred while ssh'ing into the device]
   root@sonic:~# cat /etc/pam.d/common-auth-sonic | grep secret
   auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=:49 secret=<pass_in_plaintext> login=login timeout=5 try_first_pass
   auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=:49 secret=<pass_in_plaintext> login=login timeout=5 try_first_pass

4. Verified passkey is hidden in show tacacs output
   root@sonic:~# show tacacs
   TACPLUS global auth_type pap (default)
   TACPLUS global timeout 5 (default)
   TACPLUS global passkey configured Yes

5. Verified user able to login into device with TACACS credentials`

• Related PR(s)
  PR#81

[madhupalu]

What is this hardcoded SALT? as you choose to use shadow file for SALT, what is the significance of it? shouldn't this value differ per device?

[nmoray]

It is random hash and will be fixed on all the devices unless and util an explicit admin password is configured. This a fail-safe mechanism to ensure that the encryption / decryption succeeds even if there is no admin password configured on a device.
If configured, the code will use the salt from a shadow file (from admin user credentials).

[madhupalu]

what scenarios do you anticipate no salt from shadow file?

[nmoray]

When there is no admin password configured.

[madhupalu]

@nmoray please take care of unit test coverage for PR to be approved.

[liuh-80]

@nmoray , please fix coverage issue by add new test case:

@azure-pipelines-wrapper
coverage.Azure.sonic-utilities.Python3 — Pull Request Coverage

Total: 44 lines
Missing: 39 lines
Coverage: 11%
Threshold: 80%

[nmoray]

@nmoray , please fix coverage issue by add new test case:

@azure-pipelines-wrapper coverage.Azure.sonic-utilities.Python3 — Pull Request Coverage

Total: 44 lines Missing: 39 lines Coverage: 11% Threshold: 80%

@liuh-80 can you please give me some pointers for better understanding of this AUT infra. Like, how to write a new testcase.

[liuh-80]

@nmoray , please fix coverage issue by add new test case:
@azure-pipelines-wrapper coverage.Azure.sonic-utilities.Python3 — Pull Request Coverage
Total: 44 lines Missing: 39 lines Coverage: 11% Threshold: 80%

@liuh-80 can you please give me some pointers for better understanding of this AUT infra. Like, how to write a new testcase.

You can find existing test case and add new test case here: https://github.com/sonic-net/sonic-utilities/blob/master/tests/aaa_test.py

[zhangyanzhao]

Reviewers, if you are ok with this PR, please help to approve it. Thanks.

[madhupalu]

I am good with the changes