TACACSPLUS_PASSKEY_ENCRYPTION support Part - II

[nmoray]

• What I did
  Added a support of TACACS passkey encryption feature.
  Ref. : HLD
  This PR comprises the decryption logic.

• How I did it
  Implemented the feature by following HLD

• How to verify it
  `1. Configured TACACS passkey:
  root@sonic:/# config tacacs passkey

2. Verified whether passkey is encrypted:
   root@sonic:/# show runningconfiguration all | grep passkey
   "passkey": "U2FsdGVkX19kFwDeP3IhgqbLJeed3pXtazJ73FtmD3I="

3. Verified /etc/pam.d/common-auth-sonic file to validate if the passkey is decrypted correctly [Referred while ssh'ing into the device]
   root@sonic:~# cat /etc/pam.d/common-auth-sonic | grep secret
   auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=:49 secret=<pass_in_plaintext> login=login timeout=5 try_first_pass
   auth [success=done new_authtok_reqd=done default=ignore auth_err=die] pam_tacplus.so server=:49 secret=<pass_in_plaintext> login=login timeout=5 try_first_pass

4. Verified passkey is hidden in show tacacs output
   root@sonic:~# show tacacs
   TACPLUS global auth_type pap (default)
   TACPLUS global timeout 5 (default)
   TACPLUS global passkey configured Yes

5. Verified user able to login into device with TACACS credentials`

• Related PR(s)
  PR#3027

[madhupalu]

@nmoray
Please take care of code coverage?

Thanks

[liuh-80]

What will happen when OS upgrade from old version which not support this feature? the passkey not encrypt in old version, decrypt will failed here, code here need identify this.
#closed

another solution is add code to DB migrator, but that script is very complex.

[nmoray]

Yeah, you are right. Decrypt will fail if someone has either manually added the passkey in config_db or the device has old config where encrypted passkey was absent. So is it fine to add a check if the given server['passkey'] is the same as the one present in common-auth-sonic file (in plaintext). If so, skip decrypt_passkey() API and directly write the passkey in the same file in plaintext format only. Is it okay?

[liuh-80]

I noticed in the HLD: A DB migration script will be added for users to migrate existing config_db to convert tacacs passkey plaintext to encrypted.

So please also create the DB migration script PR.

[nmoray]

@liuh-80 As I mentioned in the HLD PR, we can achieve the backward compatibility without DB migration by simply following the logic stated above. Please share your thoughts on the same.

[liuh-80]

I think it's OK, please update code and HLD according to this design change.

[zhangyanzhao]

Reviewers, if you are ok with this PR, please help to approve it. Thanks.

[madhupalu]

I am good with the changes

[anders-nexthop]

this value depends on how 'key_encrypt' was set. It can also be 'true' instead of 'True' (it's actually more correct to use 'true'). there's an is_true() function you can use if you don't want to worry about which format you might get.

[anders-nexthop]

this will delete the whole file, probably not what we want. it should be enough just to remove the TACACS entry, or set the passkey to ""

[qiluo-msft]

Please resolve conflict, add testcases to coverage new code.

[nmoray]

Please resolve conflict, add testcases to coverage new code.

Yeah sure @qiluo-msft. I will do it. But unless and until sonic-net/sonic-buildimage#17201 PR is merged, build won't be success for this PR. So if possible please help in merging the dependent PR fist.

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[nmoray]

@anders-nexthop @qiluo-msft @madhupalu I have closed this PR due to several merge conflicts and created a new PR.