Adding support of common security cipher module for encryption and decryption of a passkey #17201
Conversation
madhupalu
left a comment
madhupalu
left a comment
There was a problem hiding this comment.
Changes looks good me except few minor comments. please address it.
|
@venkatmahalingam I have added the AUT too. Can you please approve the PR now? This is an independent module. It doesn't have any impact on any other functionalities. Thus we can merge this into master. I will work on other PRs parallelly to integrate this module into TACACS feature. |
|
@venkatmahalingam Once this PR is merged, build will get pass of both the following PRs. PR: TACACS passkey encryption Part - I |
venkatmahalingam
left a comment
venkatmahalingam
left a comment
There was a problem hiding this comment.
Please address the outstanding comments.
@venkatmahalingam I have replied to the comments. IMO, Flexible design is a good approach. Why to restrict user to go on a certain path only. He / she should have multiple options. |
@nmoray @venkatmahalingam giving multiple option is good but also customers who migrates from other well known NOS to SONiC will be using one master key. To accommodate those customers , Can you include one master key option as well. |
@avinothcgl Using one master key for all the feature is still possible with the current implementation. Just keep same master key for all in cipher_pass file. For instance, One more advantage of this design is, same security_cipher module can be extended to other applications as well which need to make use of encryption / decryption. That application can have it's own master_key which will be different from TACPLUS, RADIUS and LDAP. |
|
@venkatmahalingam @avinothcgl @venkatmahalingam shouldn't it be enough to solve the migration use case? please suggest to move forward with this PR? For instance, One more advantage of this design is, same security_cipher module can be extended to other applications as well which need to make use of encryption / decryption. That application can have it's own master_key which will be different from TACPLUS, RADIUS and LDAP. |
|
Reviewers, if you are ok with this PR, please help to approve it. Thanks. |
|
@venkatmahalingam As requested, updated the class name as "master_key_mgr". |
|
This is a great feature! In addition to the TACPLUS PRs already proposed, I would also recommend that the RADIUS keys (partially implemented per this PR) and SNMPv3 user passwords/privs also have the ability to be encrypted to align with industry security standards. If a new issue needs to be opened for tracking of RADIUS/SNMPv3 components let me know and I can submit them. |
Thanks @brholmes1. IMO, let's first merge the initial infra. Later, we can easily extend the support for other modules. For tracking purpose, please open the new issues in the community. |
|
@lguohan Can you please help in approving / merging this PR. |
|
Folks please help in merging the PR if there are no more comments. It is open from more than 6 months now. Please help in merging the PR. |
| if not os.path.exists(self._file_path): | ||
| with open(self._file_path, 'w') as file: | ||
| file.writelines("#Auto generated file for storing the encryption passwords\n") | ||
| file.writelines("TACPLUS : \nRADIUS : \nLDAP :\n") |
There was a problem hiding this comment.
It's probably worth generating this file from the features in _feature_list. that way if we want to add a new feature we just add a list entry instead of having to make changes here.
| return data[key] | ||
| return False | ||
|
|
||
| def del_cipher_pass(self): |
There was a problem hiding this comment.
Looking at how this is used in later commits, I think this is incorrect. We should not be removing the entire file, but instead just changing/deleting the entry. If I have both TACACS and RADIUS configured and i remove the passkey for one of them, I still want the other one to work.
There was a problem hiding this comment.
I will update the method.
|
/azp run Azure.sonic-buildimage |
|
Azure Pipelines will not run the associated pipelines, because the pull request was updated after the run command was issued. Review the pull request again and issue a new run command. |
|
@qiluo-msft @anders-nexthop I have addressed the comments. |
|
/azp run Azure.sonic-buildimage |
|
/azp run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
@anders-nexthop you mean just rebase the
@anders-nexthop I just rebased my remote branch and re-pushed it. Let's see if it makes any difference. |
@qiluo-msft The checks are still failing. Please let us know what needs to be done to fix these failures. |
|
/azp run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
@qiluo-msft Please re-approve the PR. I pushed one more commit for removing commented code. |
|
@qiluo-msft can you please re-approve and merge the PR. All the checks have been passed now. |
…cryption of a passkey (sonic-net#17201) Why I did it This module is created to handle the passkey encryption, decryption and the cipher storage. It's a common module which will be used for feature like TACACS, RADIUS, LDAP etc. This implementation is aligned with HLD How I did it This module will expose following APIs. Passkey encryption for a given feature Passkey decryption for a given feature Check whether encryption feature is enabled for a given feature How to verify it Cipher / password used for the encryption: root@sonic:/tmp# cat /etc/cipher_pass #Auto generated file for storing the encryption passwords TACPLUS : TEST1 RADIUS : TEST2 LDAP : TEST3 Is encryption enabled for TACACS: False Encrypted passkey for Feature: TACPLUS - U2FsdGVkX1/frdwl4GGD7bTKyzLi+lr2K76v0IECzkQ= Passkey post decryption:TACPLUS - passkey1 Encrypted passkey for Feature: RADIUS - U2FsdGVkX1/fdiBo3RWWxIIPFJYCy1CF/ZQeLt8N96Q= Passkey post decryption: RADIUS - passkey2 Encrypted passkey for Feature: LDAP - U2FsdGVkX1/o0UkHtWgOjr46UzLQRhXKAHngctey9TE= Passkey post decryption: LDAP - passkey3
| } | ||
|
|
||
| leaf key_encrypt { | ||
| type boolean; |
There was a problem hiding this comment.
Sure. I will raise a new PR to accomodate this change.
| default 5; | ||
| } | ||
|
|
||
| leaf key_encrypt { |
There was a problem hiding this comment.
Mix tabs with spaces, please reformat this "leaf key_encrypt" section.
There was a problem hiding this comment.
You mean, replace the tabs with spaces for the entire leaf section?
There was a problem hiding this comment.
@qiluo-msft The link that you shared is not accessible.
There was a problem hiding this comment.
I removed the link. Yes, I mean to replace the tabs with spaces for the entire leaf section
There was a problem hiding this comment.
Sure, will do as a part of new PR.
|
|
||
| def __init__(self): | ||
| if not self._initialized: | ||
| self._file_path = "/etc/cipher_pass" |
There was a problem hiding this comment.
@qiluo-msft As per https://github.com/sonic-net/SONiC/blob/master/doc/ztp/SONiC-config-setup.md#222-config-migration
the backup and restore of cipher_pass file will automatically be taken care, right?
There was a problem hiding this comment.
Thanks for the link! The file "/etc/cipher_pass" is outside the folder of config migration design, could you check again?
There was a problem hiding this comment.
oh yes. Okay then, I will create another PR to add pre-hook and post-hook scripts to backup and restore the cipher_pass file during the up-gradation. Is that okay? Or just change the location to "/etc/sonic"?
10 participants
Why I did it
This module is created to handle the passkey encryption, decryption and the cipher storage. It's a common module which will be used for feature like TACACS, RADIUS, LDAP etc.
This implementation is aligned with HLD
How I did it
This module will expose following APIs.
How to verify it
`
Which release branch to backport (provide reason below if selected)
Tested branch (Please provide the tested image version)
Master
Link to config_db schema for YANG module changes
Schema
Related PRs:
Part I
Part II