From 8b2d72031cd7fda90b61c86a9ea265d2adc85005 Mon Sep 17 00:00:00 2001 From: Divya N3 Date: Wed, 8 Jan 2025 19:15:18 +0530 Subject: [PATCH 1/7] Define 'mfa' model for the Dell Enterprise SONiC collection --- .../mfa/deleted_example_01.txt | 76 +++++++++++ .../mfa/deleted_example_02.txt | 60 +++++++++ .../mfa/merged_example_01.txt | 75 +++++++++++ .../mfa/overridden_example_01.txt | 33 +++++ .../mfa/replaced_example_01.txt | 35 +++++ models/enterprise_sonic/mfa/sonic_mfa.yml | 125 ++++++++++++++++++ 6 files changed, 404 insertions(+) create mode 100644 models/enterprise_sonic/mfa/deleted_example_01.txt create mode 100644 models/enterprise_sonic/mfa/deleted_example_02.txt create mode 100644 models/enterprise_sonic/mfa/merged_example_01.txt create mode 100644 models/enterprise_sonic/mfa/overridden_example_01.txt create mode 100644 models/enterprise_sonic/mfa/replaced_example_01.txt create mode 100644 models/enterprise_sonic/mfa/sonic_mfa.yml
diff --git a/models/enterprise_sonic/mfa/deleted_example_01.txt b/models/enterprise_sonic/mfa/deleted_example_01.txt
new file mode 100644
index 00000000..0f99d73d
--- /dev/null
+++ b/models/enterprise_sonic/mfa/deleted_example_01.txt
@@ -0,0 +1,76 @@
+# Using deleted
+#
+# Before state:
+# -------------
+#
+# sonic# show running-configuration mfa
+# mfa key-seed U2FsdGVkX1/caD7u0ZGRnb981G2DKyML/Gvyfexsurg= encrypted
+# mfa client-secret U2FsdGVkX1+WlquxtZRbsgQhfS1lQBFbJKflxGAp6S3u+Ox5Hi+O16NmprjMVb3HQn1pNSgaaa0Cz1MHeTfDWhFR0WqdENbLU2PqkiRDHv0iVfl72xNPzhnGeO01kAu0 encrypted
+# mfa security-profile mSecurityProfile
+# mfa rsa-server security-profile rSecProfile
+# mfa rsa-server host rsaserver.che-lab.it client-id sonicdevtest.che-lab.it client-key U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot encrypted
+#
+# sonic# show mfa
+# ---------------------------------------------------------
+# Multi-factor Authentication Information
+# ---------------------------------------------------------
+# MFA Authentication : None
+# Console Exempted : None
+# MFA Service Security Profile : mSecurityProfile
+# RSA SecurID Security Profile : rSecProfile
+#
+# sonic# show mfa rsa-servers
+# ------------------------------------------------------------------------------------------------------------
+# HOST PORT CONNECTION_TIMEOUT READ_TIMEOUT CLIENT_ID
+# ------------------------------------------------------------------------------------------------------------
+# rsaserver.che-lab.it 5555 20 120 sonicdevtest.che-lab.it
+#
+# sonic# show running-configuration | grep "cac-piv"
+# aaa cac-piv cert-user common-name
+# aaa cac-piv cert-user-match 10digit-username
+# aaa cac-piv security-profile cSecurityProfile
+# sonic#
+
+
+- name: Delete specified mfa configuration
+ dellemc.enterprise_sonic.sonic_mfa:
+ config:
+ mfa_global:
+ key_seed: 'U2FsdGVkX1/caD7u0ZGRnb981G2DKyML/Gvyfexsurg='
+ client_secret: 'U2FsdGVkX1+WlquxtZRbsgQhfS1lQBFbJKflxGAp6S3u+Ox5Hi+O16NmprjMVb3HQn1pNSgaaa0Cz1MHeTfDWhFR0WqdENbLU2PqkiRDHv0iVfl72xNPzhnGeO01kAu0'
+ rsa_global:
+ rsa_security_profile: 'rSecProfile'
+ rsa_servers:
+ hostname: 'rsaserver.che-lab.it'
+ server_port: 5555
+ client_id: 'sonicdevtest.che-lab.it'
+ client_key: 'U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot'
+ connection_timeout: 20
+ read_timeout: 120
+ cac_piv_global:
+ cacpiv_security_profile: 'cSecurityProfile'
+ cert_username_field: 'common-name'
+ state: deleted
+
+
+# After state:
+# ------------
+#
+# sonic# show running-configuration mfa
+# mfa security-profile mSecurityProfile
+#
+# sonic# show mfa
+# ---------------------------------------------------------
+# Multi-factor Authentication Information
+# ---------------------------------------------------------
+# MFA Authentication : None
+# Console Exempted : None
+# MFA Service Security Profile : mSecurityProfile
+# RSA SecurID Security Profile : None
+#
+# sonic# show mfa rsa-servers
+# sonic#
+#
+# sonic# show running-configuration | grep "cac-piv"
+# aaa cac-piv cert-user-match 10digit-username
+# sonic#
diff --git a/models/enterprise_sonic/mfa/deleted_example_02.txt b/models/enterprise_sonic/mfa/deleted_example_02.txt
new file mode 100644
index 00000000..504bb8da
--- /dev/null
+++ b/models/enterprise_sonic/mfa/deleted_example_02.txt
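Review bot: `rsa_servers:` in the task's config is followed directly by `hostname: 'rsaserver.che-lab.it'`, so this example passes a mapping where sonic_mfa.yml declares `rsa_servers` as `type: list` with `elements: dict`; argspec validation would reject the task as written. The entries should become list items, `rsa_servers:` / `- hostname: 'rsaserver.che-lab.it'`, with `server_port` through `read_timeout` indented under that item, as replaced_example_01 and overridden_example_01 in this patch already do. The same shape appears in merged_example_01 in this patch and survives as context in the PATCH 4 hunks for both files.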
@@ -0,0 +1,60 @@
+# Using deleted
+#
+# Before state:
+# -------------
+#
+# sonic# show running-configuration mfa
+# mfa key-seed U2FsdGVkX1/caD7u0ZGRnb981G2DKyML/Gvyfexsurg= encrypted
+# mfa client-secret U2FsdGVkX1+WlquxtZRbsgQhfS1lQBFbJKflxGAp6S3u+Ox5Hi+O16NmprjMVb3HQn1pNSgaaa0Cz1MHeTfDWhFR0WqdENbLU2PqkiRDHv0iVfl72xNPzhnGeO01kAu0 encrypted
+# mfa security-profile mSecurityProfile
+# mfa rsa-server security-profile rSecProfile
+# mfa rsa-server host rsaserver.che-lab.it client-id sonicdevtest.che-lab.it client-key U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot encrypted
+#
+# sonic# show mfa
+# ---------------------------------------------------------
+# Multi-factor Authentication Information
+# ---------------------------------------------------------
+# MFA Authentication : None
+# Console Exempted : None
+# MFA Service Security Profile : mSecurityProfile
+# RSA SecurID Security Profile : rSecProfile
+#
+# sonic# show mfa rsa-servers
+# ------------------------------------------------------------------------------------------------------------
+# HOST PORT CONNECTION_TIMEOUT READ_TIMEOUT CLIENT_ID
+# ------------------------------------------------------------------------------------------------------------
+# rsaserver.che-lab.it 5555 20 120 sonicdevtest.che-lab.it
+#
+# sonic# show running-configuration | grep "cac-piv"
+# aaa cac-piv cert-user common-name
+# aaa cac-piv cert-user-match 10digit-username
+# aaa cac-piv security-profile cSecurityProfile
+# sonic#
+
+
+- name: Delete all mfa configurations
+ dellemc.enterprise_sonic.sonic_mfa:
+ config:
+ state: deleted
+
+
+# After state:
+# ------------
+#
+# sonic# show running-configuration mfa
+# sonic#
+#
+# sonic# show mfa
+# ---------------------------------------------------------
+# Multi-factor Authentication Information
+# ---------------------------------------------------------
+# MFA Authentication : None
+# Console Exempted : None
+# MFA Service Security Profile : None
+# RSA SecurID Security Profile : None
+#
+# sonic# show mfa rsa-servers
+# sonic#
+#
+# sonic# show running-configuration | grep "cac-piv"
+# sonic#
diff --git a/models/enterprise_sonic/mfa/merged_example_01.txt b/models/enterprise_sonic/mfa/merged_example_01.txt
new file mode 100644
index 00000000..0a42f5ec
--- /dev/null
+++ b/models/enterprise_sonic/mfa/merged_example_01.txt
@@ -0,0 +1,75 @@
+# Using merged
+#
+# Before State:
+# -------------
+#
+# sonic# show running-configuration mfa
+# sonic#
+#
+# sonic# show mfa
+# ---------------------------------------------------------
+# Multi-factor Authentication Information
+# ---------------------------------------------------------
+# MFA Authentication : None
+# Console Exempted : None
+# MFA Service Security Profile : None
+# RSA SecurID Security Profile : None
+#
+# sonic# show mfa rsa-servers
+# sonic#
+#
+# sonic# show running-configuration | grep "cac-piv"
+# sonic#
+
+ - name: Merge provided MFA configurations
+ dellemc.enterprise_sonic.sonic_mfa:
+ config:
+ mfa_global:
+ mfa_security_profile: 'mSecurityProfile'
+ key_seed: 'sonic'
+ client_secret: 'U2FsdGVkX18mPdwkM1z24i7lxMtqNZR9p2q3aa6YXR16OfDxQXCR9z9I0lQZpVjE!'
+ rsa_global:
+ rsa_security_profile: 'rSecProfile'
+ rsa_servers:
+ hostname: 'rsaserver.che-lab.it'
+ server_port: 5555
+ client_id: 'sonicdevtest.che-lab.it'
+ client_key: 'aplr05825jshusp80699scuv62u5l3lu63wxf66b0y883w92677ac0c9m0lwv6o8'
+ connection_timeout: 20
+ read_timeout: 120
+ cac_piv_global:
+ cacpiv_security_profile: 'cSecurityProfile'
+ cert_username_field: 'user-principal-name'
+ cert_username_match: '10digit-username'
+ state: merged
+
+# After State:
+# ------------
+#
+# sonic# show running-configuration mfa
+# mfa key-seed U2FsdGVkX1/caD7u0ZGRnb981G2DKyML/Gvyfexsurg= encrypted
+# mfa client-secret U2FsdGVkX1+WlquxtZRbsgQhfS1lQBFbJKflxGAp6S3u+Ox5Hi+O16NmprjMVb3HQn1pNSgaaa0Cz1MHeTfDWhFR0WqdENbLU2PqkiRDHv0iVfl72xNPzhnGeO01kAu0 encrypted
+# mfa security-profile mSecurityProfile
+# mfa rsa-server security-profile rSecProfile
+# mfa rsa-server host rsaserver.che-lab.it client-id sonicdevtest.che-lab.it client-key U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot encrypted
+#
+# sonic# show mfa
+# ---------------------------------------------------------
+# Multi-factor Authentication Information
+# ---------------------------------------------------------
+# MFA Authentication : None
+# Console Exempted : None
+# MFA Service Security Profile : mSecurityProfile
+# RSA SecurID Security Profile : rSecProfile
+#
+# sonic# show mfa rsa-servers
+# ------------------------------------------------------------------------------------------------------------
+# HOST PORT CONNECTION_TIMEOUT READ_TIMEOUT CLIENT_ID
+# ------------------------------------------------------------------------------------------------------------
+# rsaserver.che-lab.it 5555 20 120 sonicdevtest.che-lab.it
+#
+# sonic# show running-configuration | grep "cac-piv"
+# aaa cac-piv cert-user user-principal-name
+# aaa cac-piv cert-user-match 10digit-username
+# aaa cac-piv security-profile cSecurityProfile
+# sonic#
diff --git a/models/enterprise_sonic/mfa/overridden_example_01.txt b/models/enterprise_sonic/mfa/overridden_example_01.txt
new file mode 100644
index 00000000..8ff33048
--- /dev/null
+++ b/models/enterprise_sonic/mfa/overridden_example_01.txt
@@ -0,0 +1,33 @@
+# Using overridden
+#
+# Before state:
+# -------------
+#
+# sonic# show mfa rsa-servers
+# ------------------------------------------------------------------------------------------------------------
+# HOST PORT CONNECTION_TIMEOUT READ_TIMEOUT CLIENT_ID
+# ------------------------------------------------------------------------------------------------------------
+# rsaserver.che-lab.it 5555 20 120 sonicdevtest.che-lab.it
+# sonicrsaserver.che-lab.it 5555 29 125 sonic.che-lab.it
+#
+- name: Override device configuration of mfa rsa-servers with provided configuration
+ dellemc.enterprise_sonic.sonic_mfa:
+ config:
+ rsa_servers:
+ - hostname: 'rsaserver.che-lab.it'
+ server_port: 5555
+ client_id: 'sonicdevtest.che-lab.it'
+ client_key: 'aplr05825jshusp80699scuv62u5l3lu63wxf66b0y883w92677ac0c9m0lwv6o8'
+ connection_timeout: 29
+ read_timeout: 149
+ state: overriden
+
+# After state:
+# ------------
+#
+# sonic# show mfa rsa-servers
+# ------------------------------------------------------------------------------------------------------------
+# HOST PORT CONNECTION_TIMEOUT READ_TIMEOUT CLIENT_ID
+# ------------------------------------------------------------------------------------------------------------
+# rsaserver.che-lab.it 5555 29 149 sonicdevtest.che-lab.it
+
diff --git a/models/enterprise_sonic/mfa/replaced_example_01.txt b/models/enterprise_sonic/mfa/replaced_example_01.txt
new file mode 100644
index 00000000..6bd8e0f4
--- /dev/null
+++ b/models/enterprise_sonic/mfa/replaced_example_01.txt
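Review bot: `state: overriden` on the task is misspelled; the model's `choices` accept only `overridden`, so this example would fail option validation and never exercises the state the file is named for. Change the line to `state: overridden`. The typo is carried forward unchanged as context in the PATCH 2 and PATCH 3 hunks for this file.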
@@ -0,0 +1,35 @@
+# Using replaced
+#
+# Before state:
+# -------------
+#
+# sonic# show mfa rsa-servers
+# ------------------------------------------------------------------------------------------------------------
+# HOST PORT CONNECTION_TIMEOUT READ_TIMEOUT CLIENT_ID
+# ------------------------------------------------------------------------------------------------------------
+# rsaserver.che-lab.it 5555 20 120 sonicdevtest.che-lab.it
+# sonicrsaserver.che-lab.it 5555 29 125 sonic.che-lab.it
+#
+
+- name: Replace specified mfa rsa-server configuration
+ dellemc.enterprise_sonic.sonic_mfa:
+ config:
+ rsa_servers:
+ - hostname: 'rsaserver.che-lab.it'
+ server_port: 5555
+ client_id: 'sonicdevtest.che-lab.it'
+ client_key: 'aplr05825jshusp80699scuv62u5l3lu63wxf66b0y883w92677ac0c9m0lwv6o8'
+ connection_timeout: 29
+ read_timeout: 149
+ state: replaced
+
+# After state:
+# ------------
+#
+# sonic# show mfa rsa-servers
+# ------------------------------------------------------------------------------------------------------------
+# HOST PORT CONNECTION_TIMEOUT READ_TIMEOUT CLIENT_ID
+# ------------------------------------------------------------------------------------------------------------
+# rsaserver.che-lab.it 5555 29 149 sonicdevtest.che-lab.it
+# sonicrsaserver.che-lab.it 5555 29 125 sonic.che-lab.it
+
diff --git a/models/enterprise_sonic/mfa/sonic_mfa.yml b/models/enterprise_sonic/mfa/sonic_mfa.yml
new file mode 100644
index 00000000..68ad2733
--- /dev/null
+++ b/models/enterprise_sonic/mfa/sonic_mfa.yml
@@ -0,0 +1,125 @@
+---
+GENERATOR_VERSION: '1.0'
+
+ANSIBLE_METADATA: |
+ {
+ 'metadata_version': '1.1',
+ 'status': ['preview'],
+ 'supported_by': 'community',
+ 'license': 'Apache 2.0'
+ }
+NETWORK_OS: sonic
+RESOURCE: mfa
+COPYRIGHT: Copyright 2025 Dell Inc. or its subsidiaries. All Rights Reserved
+
+DOCUMENTATION: |
+ module: sonic_mfa
+ version_added: ''
+ short_description: Manage Multi-factor authentication (MFA) configurations on SONiC
+ description:
+ - This module provides configuration management of MFA
+ parameters for devices running SONiC.
+ author: 'Divya Narendran (@Divya-N3)'
+ options:
+ config:
+ description:
+ - Specifies MFA configurations.
+ type: dict
+ suboptions:
+ mfa_global:
+ description:
+ - MFA Global configuration
+ type: dict
+ suboptions:
+ key_seed:
+ description:
+ - Encrypted seed for generating secure key in MFA service
+ type: str
+ mfa_security_profile:
+ description:
+ - Security profile contains the certificate for MFA service
+ type: str
+ client_secret:
+ description:
+ - Encrypted password used in basic authorization header for MFA REST API
+ type: str
+ rsa_global:
+ description:
+ - RSA Global configuration
+ type: dict
+ suboptions:
+ rsa_security_profile:
+ description:
+ - Security profile with CA-cert for validating RSA SecurID server
+ type: str
+ rsa_servers:
+ description:
+ - RSA Server configuration
+ type: list
+ elements: dict
+ suboptions:
+ hostname:
+ description:
+ - RSA server's hostname or IP address
+ type: str
+ required: True
+ server_port:
+ description:
+ - Port number of the RSA SecurID server
+ - Range 1025-49151
+ type: int
+ client_id:
+ description:
+ - Unique identifier of the system as a client of SecurID service, assigned by SecurID service
+ type: str
+ client_key:
+ description:
+ - Encrypted Key associated with the client-id, assigned by SecurID service
+ type: str
+ connection_timeout:
+ description:
+ - Timeout in seconds for connection to the SecurID server
+ - Range 1-30
+ type: int
+ read_timeout:
+ description:
+ - Timeout in seconds to read from the SecurID server
+ - Range 1-150
+ type: int
+ cac_piv_global:
+ description:
+ - CAC-PIV Global configuration
+ type: dict
+ suboptions:
+ cacpiv_security_profile:
+ description:
+ - Configures security profile for SSH client user cert
+ type: str
+ cert_username_field:
+ description:
+ - Certificate field that represents username for matching with SSH login username
+ type: str
+ cert_username_match:
+ description:
+ - Match option to parse the username from respective certificate field
+ type: str
+ state:
+ description:
+ - The state of the configuration after module completion.
+ - C(merged) - Merges provided MFA configuration with on-device configuration.
+ - C(replaced) - Replaces on-device MFA configuration with provided configuration.
+ - C(overridden) - Overrides all on-device MFA configurations with the provided configuration.
+ - C(deleted) - Deletes on-device MFA configuration.
+ type: str
+ choices:
+ - merged
+ - deleted
+ - replaced
+ - overridden
+ default: merged
+EXAMPLES:
+ - deleted_example_01.txt
+ - deleted_example_02.txt
+ - merged_example_01.txt
+ - replaced_example_01.txt
+ - overridden_example_01.txt
From 8aa2b08e51dbf577922b47f12f89ed127a0513b9 Mon Sep 17 00:00:00 2001 From: Divya N3 Date: Sun, 19 Jan 2025 11:46:41 +0530 Subject: [PATCH 2/7] Changes to mfa model --- .../mfa/deleted_example_01.txt | 38 +++++++++---------- .../mfa/deleted_example_02.txt | 8 ++-- .../mfa/overridden_example_01.txt | 25 ++++++------ .../mfa/replaced_example_01.txt | 24 ++++++------ models/enterprise_sonic/mfa/sonic_mfa.yml | 16 +++++++- 5 files changed, 64 insertions(+), 47 deletions(-)
diff --git a/models/enterprise_sonic/mfa/deleted_example_01.txt b/models/enterprise_sonic/mfa/deleted_example_01.txt
index 0f99d73d..0afc3a89 100644
--- a/models/enterprise_sonic/mfa/deleted_example_01.txt
+++ b/models/enterprise_sonic/mfa/deleted_example_01.txt
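Review bot: `key_seed`, `client_secret` and `client_key` are credentials by their own descriptions (an encrypted seed, the password for a basic-authorization header, and a SecurID client key), yet none of them declares `no_log: true`, so the argspec generated from this model will let Ansible echo their values in task results, verbose output and callback logs. Add `no_log: true` under each of the three options; the before/after facts the generated module returns will presumably carry the same values (the running-configuration lines in the examples do), so the implementation should mask them there as well. Separately, `version_added: ''` is left empty, and `required: True` on `hostname` should be lowercase `true` per yamllint's truthy rule.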
@@ -32,25 +32,25 @@ # sonic# -- name: Delete specified mfa configuration - dellemc.enterprise_sonic.sonic_mfa: - config: - mfa_global: - key_seed: 'U2FsdGVkX1/caD7u0ZGRnb981G2DKyML/Gvyfexsurg=' - client_secret: 'U2FsdGVkX1+WlquxtZRbsgQhfS1lQBFbJKflxGAp6S3u+Ox5Hi+O16NmprjMVb3HQn1pNSgaaa0Cz1MHeTfDWhFR0WqdENbLU2PqkiRDHv0iVfl72xNPzhnGeO01kAu0' - rsa_global: - rsa_security_profile: 'rSecProfile' - rsa_servers: - hostname: 'rsaserver.che-lab.it' - server_port: 5555 - client_id: 'sonicdevtest.che-lab.it' - client_key: 'U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot' - connection_timeout: 20 - read_timeout: 120 - cac_piv_global: - cacpiv_security_profile: 'cSecurityProfile' - cert_username_field: 'common-name' - state: deleted + - name: Delete specified mfa configuration + dellemc.enterprise_sonic.sonic_mfa: + config: + mfa_global: + key_seed: 'U2FsdGVkX1/caD7u0ZGRnb981G2DKyML/Gvyfexsurg=' + client_secret: 'U2FsdGVkX1+WlquxtZRbsgQhfS1lQBFbJKflxGAp6S3u+Ox5Hi+O16NmprjMVb3HQn1pNSgaaa0Cz1MHeTfDWhFR0WqdENbLU2PqkiRDHv0iVfl72xNPzhnGeO01kAu0' + rsa_global: + rsa_security_profile: 'rSecProfile' + rsa_servers: + hostname: 'rsaserver.che-lab.it' + server_port: 5555 + client_id: 'sonicdevtest.che-lab.it' + client_key: 'U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot' + connection_timeout: 20 + read_timeout: 120 + cac_piv_global: + cacpiv_security_profile: 'cSecurityProfile' + cert_username_field: 'common-name' + state: deleted # After state: diff --git a/models/enterprise_sonic/mfa/deleted_example_02.txt b/models/enterprise_sonic/mfa/deleted_example_02.txt index 504bb8da..95945166 100644 --- a/models/enterprise_sonic/mfa/deleted_example_02.txt +++ b/models/enterprise_sonic/mfa/deleted_example_02.txt 
@@ -32,10 +32,10 @@ # sonic# -- name: Delete all mfa configurations - dellemc.enterprise_sonic.sonic_mfa: - config: - state: deleted + - name: Delete all mfa configurations + dellemc.enterprise_sonic.sonic_mfa: + config: + state: deleted # After state: diff --git a/models/enterprise_sonic/mfa/overridden_example_01.txt b/models/enterprise_sonic/mfa/overridden_example_01.txt index 8ff33048..21fcf452 100644 --- a/models/enterprise_sonic/mfa/overridden_example_01.txt +++ b/models/enterprise_sonic/mfa/overridden_example_01.txt @@ -10,17 +10,20 @@ # rsaserver.che-lab.it 5555 20 120 sonicdevtest.che-lab.it # sonicrsaserver.che-lab.it 5555 29 125 sonic.che-lab.it # -- name: Override device configuration of mfa rsa-servers with provided configuration - dellemc.enterprise_sonic.sonic_mfa: - config: - rsa_servers: - - hostname: 'rsaserver.che-lab.it' - server_port: 5555 - client_id: 'sonicdevtest.che-lab.it' - client_key: 'aplr05825jshusp80699scuv62u5l3lu63wxf66b0y883w92677ac0c9m0lwv6o8' - connection_timeout: 29 - read_timeout: 149 - state: overriden + + + - name: Override device configuration of mfa rsa-servers with provided configuration + dellemc.enterprise_sonic.sonic_mfa: + config: + rsa_servers: + - hostname: 'rsaserver.che-lab.it' + server_port: 5555 + client_id: 'sonicdevtest.che-lab.it' + client_key: 'aplr05825jshusp80699scuv62u5l3lu63wxf66b0y883w92677ac0c9m0lwv6o8' + connection_timeout: 29 + read_timeout: 149 + state: overriden + # After state: # ------------ diff --git a/models/enterprise_sonic/mfa/replaced_example_01.txt b/models/enterprise_sonic/mfa/replaced_example_01.txt index 6bd8e0f4..12bbe937 100644 --- a/models/enterprise_sonic/mfa/replaced_example_01.txt +++ b/models/enterprise_sonic/mfa/replaced_example_01.txt 
@@ -11,17 +11,19 @@ # sonicrsaserver.che-lab.it 5555 29 125 sonic.che-lab.it # -- name: Replace specified mfa rsa-server configuration - dellemc.enterprise_sonic.sonic_mfa: - config: - rsa_servers: - - hostname: 'rsaserver.che-lab.it' - server_port: 5555 - client_id: 'sonicdevtest.che-lab.it' - client_key: 'aplr05825jshusp80699scuv62u5l3lu63wxf66b0y883w92677ac0c9m0lwv6o8' - connection_timeout: 29 - read_timeout: 149 - state: replaced + + - name: Replace specified mfa rsa-server configuration + dellemc.enterprise_sonic.sonic_mfa: + config: + rsa_servers: + - hostname: 'rsaserver.che-lab.it' + server_port: 5555 + client_id: 'sonicdevtest.che-lab.it' + client_key: 'aplr05825jshusp80699scuv62u5l3lu63wxf66b0y883w92677ac0c9m0lwv6o8' + connection_timeout: 29 + read_timeout: 149 + state: replaced + # After state: # ------------ diff --git a/models/enterprise_sonic/mfa/sonic_mfa.yml b/models/enterprise_sonic/mfa/sonic_mfa.yml index 68ad2733..e5ff1368 100644 --- a/models/enterprise_sonic/mfa/sonic_mfa.yml +++ b/models/enterprise_sonic/mfa/sonic_mfa.yml @@ -35,6 +35,10 @@ DOCUMENTATION: | description: - Encrypted seed for generating secure key in MFA service type: str + key_seed_encrypted: + description: + - Indicates whether the seed is plain text or encrypted + type: bool mfa_security_profile: description: - Security profile contains the certificate for MFA service @@ -43,6 +47,10 @@ DOCUMENTATION: | description: - Encrypted password used in basic authorization header for MFA REST API type: str + client_secret_encrypted: + description: + - Indicates whether the client-secret is plain text or encrypted + type: bool rsa_global: description: - RSA Global configuration 
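Review bot: `key_seed_encrypted` and `client_secret_encrypted` are added as `type: bool` with no `default`, and the description `Indicates whether the seed is plain text or encrypted` does not say which value means which, so a reader cannot tell how an omitted flag is treated. State both explicitly, e.g. `- Set to true when I(key_seed) is already an encrypted value, false when it is plain text.` together with `default: false` (or whatever the module actually assumes); `client_key_encrypted` in the next hunk has the same gap. The `key_seed` and `client_secret` descriptions directly above still read "Encrypted seed ..." / "Encrypted password ..." and should be reworded now that plain-text input is accepted. Presumably a plain-text value cannot be compared with the encrypted value the device stores, so the docs should also say whether a merged run with the flag false reports a change every time.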
@@ -76,6 +84,10 @@ DOCUMENTATION: | description: - Encrypted Key associated with the client-id, assigned by SecurID service type: str + client_key_encrypted: + description: + - Indicates whether the client-key is plain text or encrypted + type: bool connection_timeout: description: - Timeout in seconds for connection to the SecurID server @@ -93,11 +105,11 @@ DOCUMENTATION: | suboptions: cacpiv_security_profile: description: - - Configures security profile for SSH client user cert + - Security profile for SSH access with CAC-PIV type: str cert_username_field: description: - - Certificate field that represents username for matching with SSH login username + - SSH user certificate field for matching with SSH login username type: str cert_username_match: description: From fad38e8f0521c3040d8f2c15b4b4eb5afa6d910f Mon Sep 17 00:00:00 2001 From: Divya N3 Date: Mon, 27 Jan 2025 11:32:35 +0530 Subject: [PATCH 3/7] Added encrypt values --- models/enterprise_sonic/mfa/deleted_example_01.txt | 3 +++ models/enterprise_sonic/mfa/merged_example_01.txt | 3 +++ models/enterprise_sonic/mfa/overridden_example_01.txt | 1 + models/enterprise_sonic/mfa/replaced_example_01.txt | 1 + models/enterprise_sonic/mfa/sonic_mfa.yml | 2 ++ 5 files changed, 10 insertions(+) diff --git a/models/enterprise_sonic/mfa/deleted_example_01.txt b/models/enterprise_sonic/mfa/deleted_example_01.txt index 0afc3a89..8e032e95 100644 --- a/models/enterprise_sonic/mfa/deleted_example_01.txt +++ b/models/enterprise_sonic/mfa/deleted_example_01.txt @@ -37,7 +37,9 @@ config: mfa_global: key_seed: 'U2FsdGVkX1/caD7u0ZGRnb981G2DKyML/Gvyfexsurg=' + key_seed_encrypted: true client_secret: 'U2FsdGVkX1+WlquxtZRbsgQhfS1lQBFbJKflxGAp6S3u+Ox5Hi+O16NmprjMVb3HQn1pNSgaaa0Cz1MHeTfDWhFR0WqdENbLU2PqkiRDHv0iVfl72xNPzhnGeO01kAu0' + client_secret_encrypted: true rsa_global: rsa_security_profile: 'rSecProfile' rsa_servers: 
@@ -45,6 +47,7 @@ server_port: 5555 client_id: 'sonicdevtest.che-lab.it' client_key: 'U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot' + client_key_encrypted: true connection_timeout: 20 read_timeout: 120 cac_piv_global: diff --git a/models/enterprise_sonic/mfa/merged_example_01.txt b/models/enterprise_sonic/mfa/merged_example_01.txt index 0a42f5ec..a1a56ae0 100644 --- a/models/enterprise_sonic/mfa/merged_example_01.txt +++ b/models/enterprise_sonic/mfa/merged_example_01.txt @@ -27,7 +27,9 @@ mfa_global: mfa_security_profile: 'mSecurityProfile' key_seed: 'sonic' + key_seed_encrypted: true client_secret: 'U2FsdGVkX18mPdwkM1z24i7lxMtqNZR9p2q3aa6YXR16OfDxQXCR9z9I0lQZpVjE!' + client_secret_encrypted: true rsa_global: rsa_security_profile: 'rSecProfile' rsa_servers: @@ -35,6 +37,7 @@ server_port: 5555 client_id: 'sonicdevtest.che-lab.it' client_key: 'aplr05825jshusp80699scuv62u5l3lu63wxf66b0y883w92677ac0c9m0lwv6o8' + client_key_encrypted: true connection_timeout: 20 read_timeout: 120 cac_piv_global: diff --git a/models/enterprise_sonic/mfa/overridden_example_01.txt b/models/enterprise_sonic/mfa/overridden_example_01.txt index 21fcf452..9be9d182 100644 --- a/models/enterprise_sonic/mfa/overridden_example_01.txt +++ b/models/enterprise_sonic/mfa/overridden_example_01.txt @@ -20,6 +20,7 @@ server_port: 5555 client_id: 'sonicdevtest.che-lab.it' client_key: 'aplr05825jshusp80699scuv62u5l3lu63wxf66b0y883w92677ac0c9m0lwv6o8' + client_key_encrypted: true connection_timeout: 29 read_timeout: 149 state: overriden diff --git a/models/enterprise_sonic/mfa/replaced_example_01.txt b/models/enterprise_sonic/mfa/replaced_example_01.txt index 12bbe937..a79afc6b 100644 --- a/models/enterprise_sonic/mfa/replaced_example_01.txt +++ b/models/enterprise_sonic/mfa/replaced_example_01.txt 
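Review bot: `key_seed_encrypted: true` is added next to `key_seed: 'sonic'`, but `'sonic'` reads as a plain-text seed rather than an encrypted value, and the After State of this file (PATCH 1) shows the device holding a base64-looking ciphertext for it; either the flag should be `key_seed_encrypted: false` here or the example should carry an already-encrypted seed as deleted_example_01 does. `client_key: 'aplr05825...'` paired with `client_key_encrypted: true` looks like the same mismatch, and that pair is also added to overridden_example_01 and replaced_example_01 in this patch. The task block continues outside the hunk.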
@@ -20,6 +20,7 @@ server_port: 5555 client_id: 'sonicdevtest.che-lab.it' client_key: 'aplr05825jshusp80699scuv62u5l3lu63wxf66b0y883w92677ac0c9m0lwv6o8' + client_key_encrypted: true connection_timeout: 29 read_timeout: 149 state: replaced diff --git a/models/enterprise_sonic/mfa/sonic_mfa.yml b/models/enterprise_sonic/mfa/sonic_mfa.yml index e5ff1368..f658b5fb 100644 --- a/models/enterprise_sonic/mfa/sonic_mfa.yml +++ b/models/enterprise_sonic/mfa/sonic_mfa.yml @@ -19,6 +19,8 @@ DOCUMENTATION: | description: - This module provides configuration management of MFA parameters for devices running SONiC. + - Pre-configured host cert is required for MFA security profile, and + ca-cert for RSA/CAC-PIV security profiles. author: 'Divya Narendran (@Divya-N3)' options: config: From 03ec71350b73086a432afc180f93cedff328c59b Mon Sep 17 00:00:00 2001 From: Divya N3 Date: Wed, 29 Jan 2025 13:12:53 +0530 Subject: [PATCH 4/7] Addressing review comments --- .../mfa/deleted_example_01.txt | 31 +------- .../mfa/deleted_example_02.txt | 27 ------- .../mfa/merged_example_01.txt | 36 ++------- .../mfa/replaced_example_01.txt | 17 +---- models/enterprise_sonic/mfa/sonic_mfa.yml | 75 +++++++++++-------- 5 files changed, 56 insertions(+), 130 deletions(-) diff --git a/models/enterprise_sonic/mfa/deleted_example_01.txt b/models/enterprise_sonic/mfa/deleted_example_01.txt index 8e032e95..e6538c85 100644 --- a/models/enterprise_sonic/mfa/deleted_example_01.txt +++ b/models/enterprise_sonic/mfa/deleted_example_01.txt 
@@ -10,21 +10,6 @@ # mfa rsa-server security-profile rSecProfile # mfa rsa-server host rsaserver.che-lab.it client-id sonicdevtest.che-lab.it client-key U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot encrypted # -# sonic# show mfa -# --------------------------------------------------------- -# Multi-factor Authentication Information -# --------------------------------------------------------- -# MFA Authentication : None -# Console Exempted : None -# MFA Service Security Profile : mSecurityProfile -# RSA SecurID Security Profile : rSecProfile -# -# sonic# show mfa rsa-servers -# ------------------------------------------------------------------------------------------------------------ -# HOST PORT CONNECTION_TIMEOUT READ_TIMEOUT CLIENT_ID -# ------------------------------------------------------------------------------------------------------------ -# rsaserver.che-lab.it 5555 20 120 sonicdevtest.che-lab.it -# # sonic# show running-configuration | grep "cac-piv" # aaa cac-piv cert-user common-name # aaa cac-piv cert-user-match 10digit-username @@ -41,7 +26,7 @@ client_secret: 'U2FsdGVkX1+WlquxtZRbsgQhfS1lQBFbJKflxGAp6S3u+Ox5Hi+O16NmprjMVb3HQn1pNSgaaa0Cz1MHeTfDWhFR0WqdENbLU2PqkiRDHv0iVfl72xNPzhnGeO01kAu0' client_secret_encrypted: true rsa_global: - rsa_security_profile: 'rSecProfile' + security_profile: 'rSecProfile' rsa_servers: hostname: 'rsaserver.che-lab.it' server_port: 5555 @@ -51,7 +36,7 @@ connection_timeout: 20 read_timeout: 120 cac_piv_global: - cacpiv_security_profile: 'cSecurityProfile' + security_profile: 'cSecurityProfile' cert_username_field: 'common-name' state: deleted 
@@ -62,18 +47,6 @@ # sonic# show running-configuration mfa # mfa security-profile mSecurityProfile # -# sonic# show mfa -# --------------------------------------------------------- -# Multi-factor Authentication Information -# --------------------------------------------------------- -# MFA Authentication : None -# Console Exempted : None -# MFA Service Security Profile : mSecurityProfile -# RSA SecurID Security Profile : None -# -# sonic# show mfa rsa-servers -# sonic# -# # sonic# show running-configuration | grep "cac-piv" # aaa cac-piv cert-user-match 10digit-username # sonic# diff --git a/models/enterprise_sonic/mfa/deleted_example_02.txt b/models/enterprise_sonic/mfa/deleted_example_02.txt index 95945166..744c9a55 100644 --- a/models/enterprise_sonic/mfa/deleted_example_02.txt +++ b/models/enterprise_sonic/mfa/deleted_example_02.txt @@ -10,21 +10,6 @@ # mfa rsa-server security-profile rSecProfile # mfa rsa-server host rsaserver.che-lab.it client-id sonicdevtest.che-lab.it client-key U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot encrypted # -# sonic# show mfa -# --------------------------------------------------------- -# Multi-factor Authentication Information -# --------------------------------------------------------- -# MFA Authentication : None -# Console Exempted : None -# MFA Service Security Profile : mSecurityProfile -# RSA SecurID Security Profile : rSecProfile -# -# sonic# show mfa rsa-servers -# ------------------------------------------------------------------------------------------------------------ -# HOST PORT CONNECTION_TIMEOUT READ_TIMEOUT CLIENT_ID -# ------------------------------------------------------------------------------------------------------------ -# rsaserver.che-lab.it 5555 20 120 sonicdevtest.che-lab.it -# # sonic# show running-configuration | grep "cac-piv" # aaa cac-piv cert-user common-name # aaa cac-piv cert-user-match 10digit-username 
@@ -44,17 +29,5 @@ # sonic# show running-configuration mfa # sonic# # -# sonic# show mfa -# --------------------------------------------------------- -# Multi-factor Authentication Information -# --------------------------------------------------------- -# MFA Authentication : None -# Console Exempted : None -# MFA Service Security Profile : None -# RSA SecurID Security Profile : None -# -# sonic# show mfa rsa-servers -# sonic# -# # sonic# show running-configuration | grep "cac-piv" # sonic# diff --git a/models/enterprise_sonic/mfa/merged_example_01.txt b/models/enterprise_sonic/mfa/merged_example_01.txt index a1a56ae0..42ccc57f 100644 --- a/models/enterprise_sonic/mfa/merged_example_01.txt +++ b/models/enterprise_sonic/mfa/merged_example_01.txt @@ -6,32 +6,21 @@ # sonic# show running-configuration mfa # sonic# # -# sonic# show mfa -# --------------------------------------------------------- -# Multi-factor Authentication Information -# --------------------------------------------------------- -# MFA Authentication : None -# Console Exempted : None -# MFA Service Security Profile : None -# RSA SecurID Security Profile : None -# -# sonic# show mfa rsa-servers -# sonic# -# # sonic# show running-configuration | grep "cac-piv" # sonic# + - name: Merge provided MFA configurations dellemc.enterprise_sonic.sonic_mfa: config: mfa_global: - mfa_security_profile: 'mSecurityProfile' + security_profile: 'mSecurityProfile' key_seed: 'sonic' key_seed_encrypted: true client_secret: 'U2FsdGVkX18mPdwkM1z24i7lxMtqNZR9p2q3aa6YXR16OfDxQXCR9z9I0lQZpVjE!' client_secret_encrypted: true rsa_global: - rsa_security_profile: 'rSecProfile' + security_profile: 'rSecProfile' rsa_servers: hostname: 'rsaserver.che-lab.it' server_port: 5555 
@@ -41,11 +30,12 @@ connection_timeout: 20 read_timeout: 120 cac_piv_global: - cacpiv_security_profile: 'cSecurityProfile' + security_profile: 'cSecurityProfile' cert_username_field: 'user-principal-name' cert_username_match: '10digit-username' state: merged + # After State: # ------------ # @@ -56,23 +46,7 @@ # mfa rsa-server security-profile rSecProfile # mfa rsa-server host rsaserver.che-lab.it client-id sonicdevtest.che-lab.it client-key U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot encrypted # -# sonic# show mfa -# --------------------------------------------------------- -# Multi-factor Authentication Information -# --------------------------------------------------------- -# MFA Authentication : None -# Console Exempted : None -# MFA Service Security Profile : mSecurityProfile -# RSA SecurID Security Profile : rSecProfile -# -# sonic# show mfa rsa-servers -# ------------------------------------------------------------------------------------------------------------ -# HOST PORT CONNECTION_TIMEOUT READ_TIMEOUT CLIENT_ID -# ------------------------------------------------------------------------------------------------------------ -# rsaserver.che-lab.it 5555 20 120 sonicdevtest.che-lab.it -# # sonic# show running-configuration | grep "cac-piv" # aaa cac-piv cert-user user-principal-name # aaa cac-piv cert-user-match 10digit-username # aaa cac-piv security-profile cSecurityProfile -# sonic# diff --git a/models/enterprise_sonic/mfa/replaced_example_01.txt b/models/enterprise_sonic/mfa/replaced_example_01.txt index a79afc6b..30936515 100644 --- a/models/enterprise_sonic/mfa/replaced_example_01.txt +++ b/models/enterprise_sonic/mfa/replaced_example_01.txt 
@@ -3,13 +3,8 @@ # Before state: # ------------- # -# sonic# show mfa rsa-servers -# ------------------------------------------------------------------------------------------------------------ -# HOST PORT CONNECTION_TIMEOUT READ_TIMEOUT CLIENT_ID -# ------------------------------------------------------------------------------------------------------------ -# rsaserver.che-lab.it 5555 20 120 sonicdevtest.che-lab.it -# sonicrsaserver.che-lab.it 5555 29 125 sonic.che-lab.it -# +# sonic# show running-configuration mfa +# mfa rsa-server host rsaserver.che-lab.it client-id sonicdevtest.che-lab.it client-key U2FsdGVkX1+xnsxfUrqCvBQg0KkPUm11R8Vpn2cXLHCWzL59k3Jm4/OrRiMOemPJccnEa8sMuynOAaySpHkaMOePtpedW0aApp+qicIF2Hz32LR4vB07b7OSx7OaEZBj encrypted - name: Replace specified mfa rsa-server configuration @@ -29,10 +24,6 @@ # After state: # ------------ # -# sonic# show mfa rsa-servers -# ------------------------------------------------------------------------------------------------------------ -# HOST PORT CONNECTION_TIMEOUT READ_TIMEOUT CLIENT_ID -# ------------------------------------------------------------------------------------------------------------ -# rsaserver.che-lab.it 5555 29 149 sonicdevtest.che-lab.it -# sonicrsaserver.che-lab.it 5555 29 125 sonic.che-lab.it +# sonic# show running-configuration mfa +# mfa rsa-server host rsaserver.che-lab.it client-id sonicdevtest.che-lab.it client-key U2FsdGVkX1/b1Tjka6pWv1BjwGd1I8cfjXxBIIJ6ZK/JaZpGgPbNAnw6WmdstRWJz49A+bymj6gJfkGjbzlWQhGCGi4VofPStOdNktqDcIyk33AaDkO+awkzyi7HRxcB encrypted connection-timeout 29 read-timeout 149 diff --git a/models/enterprise_sonic/mfa/sonic_mfa.yml b/models/enterprise_sonic/mfa/sonic_mfa.yml index f658b5fb..39a368d3 100644 --- a/models/enterprise_sonic/mfa/sonic_mfa.yml +++ b/models/enterprise_sonic/mfa/sonic_mfa.yml 
@@ -15,7 +15,7 @@ COPYRIGHT: Copyright 2025 Dell Inc. or its subsidiaries. All Rights Reserved DOCUMENTATION: | module: sonic_mfa version_added: '' - short_description: Manage Multi-factor authentication (MFA) configurations on SONiC + short_description: Manage Multi-factor authentication (MFA) configurations on SONiC. description: - This module provides configuration management of MFA parameters for devices running SONiC. 
@@ -30,110 +30,125 @@ DOCUMENTATION: | suboptions: mfa_global: description: - - MFA Global configuration + - MFA Global configuration. type: dict suboptions: key_seed: description: - - Encrypted seed for generating secure key in MFA service + - Seed for generating secure key in MFA service. + - Plain text seed i.e. I(key_seed_encrypted=false) will be stored in encrypted format in + running-config, so idempotency will not be maintained and hence the task output will + always be I(changed=true). type: str key_seed_encrypted: description: - - Indicates whether the seed is plain text or encrypted + - Indicates whether I(key_seed) is plain text or encrypted. type: bool - mfa_security_profile: + security_profile: description: - - Security profile contains the certificate for MFA service + - Security profile contains the certificate for MFA service. type: str client_secret: description: - - Encrypted password used in basic authorization header for MFA REST API + - Password used in basic authorization header for MFA REST API. + - Plain text password i.e. I(client_secret_encrypted=false) will be stored in encrypted + format in running-config, so idempotency will not be maintained and hence the task + output will always be I(changed=true). type: str client_secret_encrypted: description: - - Indicates whether the client-secret is plain text or encrypted + - Indicates whether I(client_secret) is plain text or encrypted. type: bool rsa_global: description: - - RSA Global configuration + - RSA Global configuration. type: dict suboptions: - rsa_security_profile: + security_profile: description: - - Security profile with CA-cert for validating RSA SecurID server + - Security profile with CA-cert for validating RSA SecurID server. type: str rsa_servers: description: - - RSA Server configuration + - RSA Server configuration. type: list elements: dict suboptions: hostname: description: - - RSA server's hostname or IP address + - RSA server's hostname or IP address. 
type: str required: True server_port: description: - - Port number of the RSA SecurID server - - Range 1025-49151 + - Port number of the RSA SecurID server. + - Range 1025-49151. type: int client_id: description: - - Unique identifier of the system as a client of SecurID service, assigned by SecurID service + - Unique identifier of the system as a client of SecurID service, assigned by SecurID service. type: str client_key: description: - - Encrypted Key associated with the client-id, assigned by SecurID service + - Key associated with the client-id, assigned by SecurID service. + - Plain text key i.e. I(client_key_encrypted=false) will be stored in encrypted format + in running-config, so idempotency will not be maintained and hence the task output + will always be I(changed=true). type: str client_key_encrypted: description: - - Indicates whether the client-key is plain text or encrypted + - Indicates whether I(client_key) is plain text or encrypted. type: bool connection_timeout: description: - - Timeout in seconds for connection to the SecurID server - - Range 1-30 + - Timeout in seconds for connection to the SecurID server. + - Range 1-30. type: int read_timeout: description: - - Timeout in seconds to read from the SecurID server - - Range 1-150 + - Timeout in seconds to read from the SecurID server. + - Range 1-150. type: int cac_piv_global: description: - - CAC-PIV Global configuration + - CAC-PIV Global configuration. type: dict suboptions: - cacpiv_security_profile: + security_profile: description: - - Security profile for SSH access with CAC-PIV + - Security profile for SSH access with CAC-PIV. type: str cert_username_field: description: - - SSH user certificate field for matching with SSH login username + - SSH user certificate field for matching with SSH login username. 
type: str + choices: + - common-name + - common-name-or-user-principal-name + - user-principal-name cert_username_match: description: - - Match option to parse the username from respective certificate field + - Match option to parse the username from respective certificate field. type: str + choices: + - 10digit-username + - first-name + - username-as-is + - username-without-domain state: description: - The state of the configuration after module completion. - C(merged) - Merges provided MFA configuration with on-device configuration. - C(replaced) - Replaces on-device MFA configuration with provided configuration. - - C(overridden) - Overrides all on-device MFA configurations with the provided configuration. - C(deleted) - Deletes on-device MFA configuration. type: str choices: - merged - deleted - replaced - - overridden default: merged EXAMPLES: - deleted_example_01.txt - deleted_example_02.txt - merged_example_01.txt - replaced_example_01.txt - - overridden_example_01.txt From 1d8834f18ab4cacdbf0283b4863d0a5bcc103b68 Mon Sep 17 00:00:00 2001 From: Divya N3 Date: Wed, 29 Jan 2025 13:19:02 +0530 Subject: [PATCH 5/7] removed overriden example --- .../mfa/overridden_example_01.txt | 37 ------------------- 1 file changed, 37 deletions(-) delete mode 100644 models/enterprise_sonic/mfa/overridden_example_01.txt diff --git a/models/enterprise_sonic/mfa/overridden_example_01.txt b/models/enterprise_sonic/mfa/overridden_example_01.txt deleted file mode 100644 index 9be9d182..00000000 --- a/models/enterprise_sonic/mfa/overridden_example_01.txt +++ /dev/null 
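Review bot: `key_seed`, `client_secret` and `client_key` are credentials, yet none of the rewritten descriptions marks them as sensitive, and the new idempotency note means a plain-text value will be re-sent and reported as `changed=true` on every run. I would add to each of the three descriptions a line such as `- This is a sensitive value; prefer supplying it in encrypted form.`, and confirm that the argument spec generated from this model marks the three options `no_log: true` so a plain-text value is not echoed in task output — the argspec is not visible in this hunk. The ranges now stated for `server_port` (1025-49151), `connection_timeout` (1-30) and `read_timeout` (1-150) are documentation only; if the module does not validate them, the description should say the device rejects out-of-range values. The context line `required: True` should follow the lowercase boolean style used elsewhere in the file, `required: true`.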
@@ -1,37 +0,0 @@ -# Using overridden -# -# Before state: -# ------------- -# -# sonic# show mfa rsa-servers -# ------------------------------------------------------------------------------------------------------------ -# HOST PORT CONNECTION_TIMEOUT READ_TIMEOUT CLIENT_ID -# ------------------------------------------------------------------------------------------------------------ -# rsaserver.che-lab.it 5555 20 120 sonicdevtest.che-lab.it -# sonicrsaserver.che-lab.it 5555 29 125 sonic.che-lab.it -# - - - - name: Override device configuration of mfa rsa-servers with provided configuration - dellemc.enterprise_sonic.sonic_mfa: - config: - rsa_servers: - - hostname: 'rsaserver.che-lab.it' - server_port: 5555 - client_id: 'sonicdevtest.che-lab.it' - client_key: 'aplr05825jshusp80699scuv62u5l3lu63wxf66b0y883w92677ac0c9m0lwv6o8' - client_key_encrypted: true - connection_timeout: 29 - read_timeout: 149 - state: overriden - - -# After state: -# ------------ -# -# sonic# show mfa rsa-servers -# ------------------------------------------------------------------------------------------------------------ -# HOST PORT CONNECTION_TIMEOUT READ_TIMEOUT CLIENT_ID -# ------------------------------------------------------------------------------------------------------------ -# rsaserver.che-lab.it 5555 29 149 sonicdevtest.che-lab.it - From 5fb13f929d210f8e9d1c7a66c58cbf267fdbfeb3 Mon Sep 17 00:00:00 2001 From: Divya N3 Date: Wed, 29 Jan 2025 16:15:28 +0530 Subject: [PATCH 6/7] Example for overriden --- .../mfa/overridden_example_01.txt | 32 +++++++++++++++++++ models/enterprise_sonic/mfa/sonic_mfa.yml | 3 ++ 2 files changed, 35 insertions(+) create mode 100644 models/enterprise_sonic/mfa/overridden_example_01.txt diff --git a/models/enterprise_sonic/mfa/overridden_example_01.txt b/models/enterprise_sonic/mfa/overridden_example_01.txt new file mode 100644 index 00000000..a198dc18 --- /dev/null +++ b/models/enterprise_sonic/mfa/overridden_example_01.txt 
@@ -0,0 +1,32 @@ +# Using overridden +# +# Before state: +# ------------- +# +# sonic# show running-configuration mfa +# mfa key-seed U2FsdGVkX1/caD7u0ZGRnb981G2DKyML/Gvyfexsurg= encrypted +# mfa client-secret U2FsdGVkX1+WlquxtZRbsgQhfS1lQBFbJKflxGAp6S3u+Ox5Hi+O16NmprjMVb3HQn1pNSgaaa0Cz1MHeTfDWhFR0WqdENbLU2PqkiRDHv0iVfl72xNPzhnGeO01kAu0 encrypted +# mfa security-profile mSecurityProfile +# mfa rsa-server security-profile rSecProfile +# mfa rsa-server host sonicrsaserver.che-lab.it client-id sonic.che-lab.it client-key U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot encrypted +# +# sonic# show running-configuration | grep "cac-piv" +# aaa cac-piv cert-user user-principal-name +# aaa cac-piv cert-user-match 10digit-username +# aaa cac-piv security-profile cSecurityProfile + + + - name: Override device configuration of mfa with provided configuration + dellemc.enterprise_sonic.sonic_mfa: + config: + cac_piv_global: + cert_username_match: 'first-name' + state: overriden + + +# After state: +# ------------ +# +# sonic# show running-configuration | grep "cac-piv" +# aaa cac-piv cert-user-match first-name + diff --git a/models/enterprise_sonic/mfa/sonic_mfa.yml b/models/enterprise_sonic/mfa/sonic_mfa.yml index 39a368d3..7d1e32ad 100644 --- a/models/enterprise_sonic/mfa/sonic_mfa.yml +++ b/models/enterprise_sonic/mfa/sonic_mfa.yml 
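Review bot: The "After state" of this overridden example shows only the `show running-configuration | grep "cac-piv"` output, so it does not demonstrate what `overridden` is documented to do — the before state lists key-seed, client-secret, both security profiles and an rsa-server, and the reader cannot tell from the example whether those were removed. Adding the `# sonic# show running-configuration mfa` output (which, if the override removed everything not in the task, would be just `# sonic#`) under "After state" would make the example self-explanatory; state the observed output rather than an assumed one. The task itself uses `state: overriden`, which PATCH 7 already corrects to `overridden`.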
@@ -140,15 +140,18 @@ DOCUMENTATION: | - The state of the configuration after module completion. - C(merged) - Merges provided MFA configuration with on-device configuration. - C(replaced) - Replaces on-device MFA configuration with provided configuration. + - C(overridden) - Overrides all on-device MFA configurations with the provided configuration. - C(deleted) - Deletes on-device MFA configuration. type: str choices: - merged - deleted - replaced + - overridden default: merged EXAMPLES: - deleted_example_01.txt - deleted_example_02.txt - merged_example_01.txt - replaced_example_01.txt + - overridden_example_01.txt From 6eab8cb7da2d9f7e62af3172130d59e861259231 Mon Sep 17 00:00:00 2001 From: Divya N3 Date: Fri, 31 Jan 2025 12:14:25 +0530 Subject: [PATCH 7/7] Addressing review comments --- models/enterprise_sonic/mfa/deleted_example_01.txt | 8 ++++---- models/enterprise_sonic/mfa/deleted_example_02.txt | 2 +- models/enterprise_sonic/mfa/merged_example_01.txt | 8 ++++---- models/enterprise_sonic/mfa/overridden_example_01.txt | 4 ++-- models/enterprise_sonic/mfa/replaced_example_01.txt | 9 +++++---- 5 files changed, 16 insertions(+), 15 deletions(-) diff --git a/models/enterprise_sonic/mfa/deleted_example_01.txt b/models/enterprise_sonic/mfa/deleted_example_01.txt index e6538c85..417826fe 100644 --- a/models/enterprise_sonic/mfa/deleted_example_01.txt +++ b/models/enterprise_sonic/mfa/deleted_example_01.txt 
@@ -8,7 +8,7 @@ # mfa client-secret U2FsdGVkX1+WlquxtZRbsgQhfS1lQBFbJKflxGAp6S3u+Ox5Hi+O16NmprjMVb3HQn1pNSgaaa0Cz1MHeTfDWhFR0WqdENbLU2PqkiRDHv0iVfl72xNPzhnGeO01kAu0 encrypted # mfa security-profile mSecurityProfile # mfa rsa-server security-profile rSecProfile -# mfa rsa-server host rsaserver.che-lab.it client-id sonicdevtest.che-lab.it client-key U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot encrypted +# mfa rsa-server host rsaserver.che-lab.it port 1030 client-id sonicdevtest.che-lab.it client-key U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot encrypted connection-timeout 29 read-timeout 149 # # sonic# show running-configuration | grep "cac-piv" # aaa cac-piv cert-user common-name @@ -29,12 +29,12 @@ security_profile: 'rSecProfile' rsa_servers: hostname: 'rsaserver.che-lab.it' - server_port: 5555 + server_port: 1030 client_id: 'sonicdevtest.che-lab.it' client_key: 'U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot' client_key_encrypted: true - connection_timeout: 20 - read_timeout: 120 + connection_timeout: 29 + read_timeout: 149 cac_piv_global: security_profile: 'cSecurityProfile' cert_username_field: 'common-name' diff --git a/models/enterprise_sonic/mfa/deleted_example_02.txt b/models/enterprise_sonic/mfa/deleted_example_02.txt index 744c9a55..a705e0ff 100644 --- a/models/enterprise_sonic/mfa/deleted_example_02.txt +++ b/models/enterprise_sonic/mfa/deleted_example_02.txt 
@@ -8,7 +8,7 @@ # mfa client-secret U2FsdGVkX1+WlquxtZRbsgQhfS1lQBFbJKflxGAp6S3u+Ox5Hi+O16NmprjMVb3HQn1pNSgaaa0Cz1MHeTfDWhFR0WqdENbLU2PqkiRDHv0iVfl72xNPzhnGeO01kAu0 encrypted # mfa security-profile mSecurityProfile # mfa rsa-server security-profile rSecProfile -# mfa rsa-server host rsaserver.che-lab.it client-id sonicdevtest.che-lab.it client-key U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot encrypted +# mfa rsa-server host rsaserver.che-lab.it port 1030 client-id sonicdevtest.che-lab.it client-key U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot encrypted connection-timeout 29 read-timeout 149 # # sonic# show running-configuration | grep "cac-piv" # aaa cac-piv cert-user common-name diff --git a/models/enterprise_sonic/mfa/merged_example_01.txt b/models/enterprise_sonic/mfa/merged_example_01.txt index 42ccc57f..24842c65 100644 --- a/models/enterprise_sonic/mfa/merged_example_01.txt +++ b/models/enterprise_sonic/mfa/merged_example_01.txt @@ -23,12 +23,12 @@ security_profile: 'rSecProfile' rsa_servers: hostname: 'rsaserver.che-lab.it' - server_port: 5555 + server_port: 1030 client_id: 'sonicdevtest.che-lab.it' client_key: 'aplr05825jshusp80699scuv62u5l3lu63wxf66b0y883w92677ac0c9m0lwv6o8' client_key_encrypted: true - connection_timeout: 20 - read_timeout: 120 + connection_timeout: 29 + read_timeout: 149 cac_piv_global: security_profile: 'cSecurityProfile' cert_username_field: 'user-principal-name' 
@@ -44,7 +44,7 @@ # mfa client-secret U2FsdGVkX1+WlquxtZRbsgQhfS1lQBFbJKflxGAp6S3u+Ox5Hi+O16NmprjMVb3HQn1pNSgaaa0Cz1MHeTfDWhFR0WqdENbLU2PqkiRDHv0iVfl72xNPzhnGeO01kAu0 encrypted # mfa security-profile mSecurityProfile # mfa rsa-server security-profile rSecProfile -# mfa rsa-server host rsaserver.che-lab.it client-id sonicdevtest.che-lab.it client-key U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot encrypted +# mfa rsa-server host rsaserver.che-lab.it port 1030 client-id sonicdevtest.che-lab.it client-key U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot encrypted connection-timeout 29 read-timeout 149 # # sonic# show running-configuration | grep "cac-piv" # aaa cac-piv cert-user user-principal-name diff --git a/models/enterprise_sonic/mfa/overridden_example_01.txt b/models/enterprise_sonic/mfa/overridden_example_01.txt index a198dc18..f03cd118 100644 --- a/models/enterprise_sonic/mfa/overridden_example_01.txt +++ b/models/enterprise_sonic/mfa/overridden_example_01.txt 
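Review bot: The after state of merged_example_01 shows `client-key U2FsdGVkX18QFJ…` while the task in the previous hunk of this file supplies `client_key: 'aplr05825…'` with `client_key_encrypted: true`; in the deleted examples an already-encrypted value given in the task matches the running-config verbatim, so one of the two examples appears inconsistent. If the device re-encrypts a value even when it is flagged as encrypted, the `client_key_encrypted` description in sonic_mfa.yml should say so (and the idempotency caveat would then apply to encrypted input as well); otherwise this after-state line should show the value that the task supplied.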
@@ -8,7 +8,7 @@ # mfa client-secret U2FsdGVkX1+WlquxtZRbsgQhfS1lQBFbJKflxGAp6S3u+Ox5Hi+O16NmprjMVb3HQn1pNSgaaa0Cz1MHeTfDWhFR0WqdENbLU2PqkiRDHv0iVfl72xNPzhnGeO01kAu0 encrypted # mfa security-profile mSecurityProfile # mfa rsa-server security-profile rSecProfile -# mfa rsa-server host sonicrsaserver.che-lab.it client-id sonic.che-lab.it client-key U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot encrypted +# mfa rsa-server host sonicrsaserver.che-lab.it port 1030 client-id sonic.che-lab.it client-key U2FsdGVkX18QFJoB9dp8GJN92eP79FGOZDLgQakBmAasGYX77p6PtiiAfS/nGoOb2uEocUkryc+BLLYsg+Wz0gO+c1QsIbIhXk5Pt+aECoVgoFQ9QpxO9od9cTik+3Ot encrypted connection-timeout 29 read-timeout 149 # # sonic# show running-configuration | grep "cac-piv" # aaa cac-piv cert-user user-principal-name @@ -21,7 +21,7 @@ config: cac_piv_global: cert_username_match: 'first-name' - state: overriden + state: overridden # After state: diff --git a/models/enterprise_sonic/mfa/replaced_example_01.txt b/models/enterprise_sonic/mfa/replaced_example_01.txt index 30936515..31bdefde 100644 --- a/models/enterprise_sonic/mfa/replaced_example_01.txt +++ b/models/enterprise_sonic/mfa/replaced_example_01.txt @@ -4,7 +4,8 @@ # ------------- # # sonic# show running-configuration mfa -# mfa rsa-server host rsaserver.che-lab.it client-id sonicdevtest.che-lab.it client-key U2FsdGVkX1+xnsxfUrqCvBQg0KkPUm11R8Vpn2cXLHCWzL59k3Jm4/OrRiMOemPJccnEa8sMuynOAaySpHkaMOePtpedW0aApp+qicIF2Hz32LR4vB07b7OSx7OaEZBj encrypted +# mfa key-seed U2FsdGVkX1/caD7u0ZGRnb981G2DKyML/Gvyfexsurg= encrypted +# mfa rsa-server host rsaserver.che-lab.it port 1030 client-id sonicdevtest.che-lab.it client-key U2FsdGVkX1+xnsxfUrqCvBQg0KkPUm11R8Vpn2cXLHCWzL59k3Jm4/OrRiMOemPJccnEa8sMuynOAaySpHkaMOePtpedW0aApp+qicIF2Hz32LR4vB07b7OSx7OaEZBj encrypted connection-timeout 16 read-timeout 129 - name: Replace specified mfa rsa-server configuration 
@@ -12,7 +13,7 @@ config: rsa_servers: - hostname: 'rsaserver.che-lab.it' - server_port: 5555 + server_port: 1050 client_id: 'sonicdevtest.che-lab.it' client_key: 'aplr05825jshusp80699scuv62u5l3lu63wxf66b0y883w92677ac0c9m0lwv6o8' client_key_encrypted: true @@ -25,5 +26,5 @@ # ------------ # # sonic# show running-configuration mfa -# mfa rsa-server host rsaserver.che-lab.it client-id sonicdevtest.che-lab.it client-key U2FsdGVkX1/b1Tjka6pWv1BjwGd1I8cfjXxBIIJ6ZK/JaZpGgPbNAnw6WmdstRWJz49A+bymj6gJfkGjbzlWQhGCGi4VofPStOdNktqDcIyk33AaDkO+awkzyi7HRxcB encrypted connection-timeout 29 read-timeout 149 - +# mfa key-seed U2FsdGVkX1/caD7u0ZGRnb981G2DKyML/Gvyfexsurg= encrypted +# mfa rsa-server host rsaserver.che-lab.it port 1050 client-id sonicdevtest.che-lab.it client-key U2FsdGVkX1/b1Tjka6pWv1BjwGd1I8cfjXxBIIJ6ZK/JaZpGgPbNAnw6WmdstRWJz49A+bymj6gJfkGjbzlWQhGCGi4VofPStOdNktqDcIyk33AaDkO+awkzyi7HRxcB encrypted connection-timeout 29 read-timeout 149