[YANG] Add support for Password Hardening (#10322)

davidpil2002 · web-flow · commit ab0930313b34 · 2022-05-29T13:54:51.000+03:00
- Why I did it
Yang Model about password hardening feature, the sonic CLI of this feature was autogenerated from this Yang model

- How I did it
Create new Yang model in src/sonic-yang-models/yang-models/sonic-passwh.yang.

- How to verify it
There are unitests(yang test) in this P.R covering all the passwords policies with good and bad values cases.
Or is possible manually using the config/show password commands that were autogenerated from this Yang model. (this CLI code added in sonic-utilities)
diff --git a/files/build_templates/init_cfg.json.j2 b/files/build_templates/init_cfg.json.j2
@@ -91,5 +91,19 @@
             "rate_limit_interval" : "600"
         }{%if not loop.last %},{% endif -%}
 {% endfor %}
+    },
+    "PASSW_HARDENING": {
+        "POLICIES":{
+            "state": "disabled",
+            "expiration": "180",
+            "expiration_warning": "15",
+            "history_cnt": "10",
+            "len_min": "8",
+            "reject_user_passw_match": "true",
+            "lower_class": "true",
+            "upper_class": "true",
+            "digits_class": "true",
+            "special_class": "true"
+        }
     }
 }
diff --git a/src/sonic-yang-models/doc/Configuration.md b/src/sonic-yang-models/doc/Configuration.md
@@ -51,6 +51,7 @@ Table of Contents
          * [VLAN_MEMBER](#vlan_member)  
          * [Virtual router](#virtual-router)  
          * [WRED_PROFILE](#wred_profile)  
+         * [PASSWORD_HARDENING](#password_hardening)
    * [For Developers](#for-developers)  
       * [Generating Application Config by Jinja2 Template](#generating-application-config-by-jinja2-template)
       * [Incremental Configuration by Subscribing to ConfigDB](#incremental-configuration-by-subscribing-to-configdb)
@@ -1506,6 +1507,40 @@ The packet action could be:
   }
 }
 ```
+### PASSWORD_HARDENING
+
+Password Hardening, a user password is the key credential used in order to verify the user accessing the switch and acts as the first line of defense in regards to securing the switch. PASSWORD_HARDENING - support the enforce strong policies.
+
+-   state - Enable/Disable password hardening feature
+-   len_min - The minimum length of the PW should be subject to a user change.
+-   expiration - PW Age Change Once a PW change takes place - the DB record for said PW is updated with the new PW value and a fresh new age (=0).
+-   expiration_warning - The switch will provide a warning for PW change before and (this is to allow a sufficient warning for upgrading the PW which might be relevant to numerous switches).
+-   history_cnt - remember last passwords, and reject to use the old passw
+-   reject_user_passw_match - reject to set same username and passw
+-   PW classes -  are the type of characters the user is required to enter when setting/updating a PW.
+There are 4 classes
+    -   lower_class - Small characters - a-z
+    -   upper_class - Big characters - A-Z
+    -   digits_class -Numbers - 0-9
+    -   special_class - Special Characters `~!@#$%^&*()-_+=|[{}];:',<.>/? and white space
+```
+{
+"PASSW_HARDENING": {
+    "POLICIES": {
+        "state": "disabled",
+        "expiration": "180",
+        "expiration_warning": "15",
+        "history_cnt": "10",
+        "len_min": "8",
+        "reject_user_passw_match": "true",
+        "lower_class": "true",
+        "upper_class": "true",
+        "digits_class": "true",
+        "special_class": "true"
+    }
+  }
+}
+```
 
 ### BREAKOUT_CFG
 
diff --git a/src/sonic-yang-models/setup.py b/src/sonic-yang-models/setup.py
@@ -114,6 +114,7 @@ def run(self):
                          './yang-models/sonic-ntp.yang',
                          './yang-models/sonic-nat.yang',
                          './yang-models/sonic-nvgre-tunnel.yang',
+                         './yang-models/sonic-passwh.yang',
                          './yang-models/sonic-pbh.yang',
                          './yang-models/sonic-port.yang',
                          './yang-models/sonic-policer.yang',
diff --git a/src/sonic-yang-models/tests/files/sample_config_db.json b/src/sonic-yang-models/tests/files/sample_config_db.json
@@ -1792,6 +1792,21 @@
             }
         },
 
+        "PASSW_HARDENING": {
+            "POLICIES": {
+                "state": "enabled",
+                "expiration": "180",
+                "expiration_warning": "15",
+                "history_cnt": "10",
+                "len_min": "8",
+                "reject_user_passw_match": "true",
+                "digits_class": "true",
+                "lower_class": "true",
+                "special_class": "true",
+                "upper_class": "true"
+            }
+        },
+
         "MACSEC_PROFILE": {
             "test": {
                 "priority": "64",
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/password_hardening.json b/src/sonic-yang-models/tests/yang_model_tests/tests/password_hardening.json
@@ -0,0 +1,32 @@
+{
+    "PASSWORD_TABLE": {
+        "desc": "Configure policer with all default fields."
+    },
+    "PASSWORD_ENABLE_FEATURE_WITH_POLICIES": {
+        "desc": "Configure password policies and enabled feature."
+    },
+    "PASSWORD_BAD_ENABLE_FEATURE": {
+        "desc": "Configure password policies enabled feature with a wrong value.",
+        "eStrKey" : "InvalidValue"
+    },
+    "PASSWORD_BAD_DIGIT": {
+        "desc": "Configure password Digit Class policy with invalid value",
+        "eStrKey" : "InvalidValue"
+    },
+    "PASSWORD_BAD_HISTORY_CNT": {
+        "desc": "Configure password history_cnt with out of range value",
+        "eStrKey" : "InvalidValue"
+    },
+    "PASSWORD_BAD_LEN_MIN": {
+        "desc": "Configure password len-min with out of range value",
+        "eStrKey" : "Pattern"
+    },
+    "PASSWORD_BAD_EXPIRATION": {
+        "desc": "Configure password expiration with out of range value",
+        "eStrKey" : "Pattern"
+    },
+    "PASSWORD_BAD_EXPIRATION_WARN": {
+        "desc": "Configure password expiration-warning with out of range value",
+        "eStrKey" : "Pattern"
+    }
+}
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/password_hardening.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/password_hardening.json
@@ -0,0 +1,146 @@
+{
+    "PASSWORD_TABLE": {
+        "sonic-passwh:sonic-passwh": {
+            "sonic-passwh:PASSW_HARDENING": {
+                "POLICIES":{
+                    "state": "disabled",
+                    "expiration": "180",
+                    "expiration_warning": "15",
+                    "history_cnt": "10",
+                    "len_min": "8",
+                    "reject_user_passw_match": true,
+                    "lower_class": true,
+                    "upper_class": true,
+                    "digits_class": true,
+                    "special_class": true
+                }
+            }
+        }
+    },
+    "PASSWORD_ENABLE_FEATURE_WITH_POLICIES": {
+        "sonic-passwh:sonic-passwh": {
+            "sonic-passwh:PASSW_HARDENING": {
+                "POLICIES":{
+                    "state": "enabled",
+                    "expiration": "180",
+                    "expiration_warning": "15",
+                    "history_cnt": "10",
+                    "len_min": "8",
+                    "reject_user_passw_match": true,
+                    "lower_class": true,
+                    "upper_class": true,
+                    "digits_class": true,
+                    "special_class": true
+                }
+            }
+        }
+    },
+    "PASSWORD_BAD_ENABLE_FEATURE": {
+        "sonic-passwh:sonic-passwh": {
+            "sonic-passwh:PASSW_HARDENING": {
+                "POLICIES":{
+                    "state": "33",
+                    "expiration": "180",
+                    "expiration_warning": "15",
+                    "history_cnt": "10",
+                    "len_min": "8",
+                    "reject_user_passw_match": true,
+                    "lower_class": true,
+                    "upper_class": true,
+                    "digits_class": true,
+                    "special_class": true
+                }
+            }
+        }
+    },
+    "PASSWORD_BAD_DIGIT": {
+        "sonic-passwh:sonic-passwh": {
+            "sonic-passwh:PASSW_HARDENING": {
+                "POLICIES":{
+                    "state": "disabled",
+                    "expiration": "180",
+                    "expiration_warning": "15",
+                    "history_cnt": "10",
+                    "len_min": "8",
+                    "reject_user_passw_match": true,
+                    "lower_class": true,
+                    "upper_class": true,
+                    "digits_class": "1",
+                    "special_class": true
+                }
+            }
+        }
+    },
+    "PASSWORD_BAD_HISTORY_CNT": {
+        "sonic-passwh:sonic-passwh": {
+            "sonic-passwh:PASSW_HARDENING": {
+                "POLICIES":{
+                    "state": "enabled",
+                    "expiration": "180",
+                    "expiration_warning": "15",
+                    "history_cnt": "300",
+                    "len_min": "8",
+                    "reject_user_passw_match": true,
+                    "lower_class": true,
+                    "upper_class": true,
+                    "digits_class": true,
+                    "special_class": true
+                }
+            }
+        }
+    },
+    "PASSWORD_BAD_LEN_MIN": {
+        "sonic-passwh:sonic-passwh": {
+            "sonic-passwh:PASSW_HARDENING": {
+                "POLICIES":{
+                    "state": "enabled",
+                    "expiration": "180",
+                    "expiration_warning": "15",
+                    "history_cnt": "50",
+                    "len_min": "50",
+                    "reject_user_passw_match": true,
+                    "lower_class": true,
+                    "upper_class": true,
+                    "digits_class": true,
+                    "special_class": true
+                }
+            }
+        }
+    },
+    "PASSWORD_BAD_EXPIRATION": {
+        "sonic-passwh:sonic-passwh": {
+            "sonic-passwh:PASSW_HARDENING": {
+                "POLICIES":{
+                    "state": "enabled",
+                    "expiration": "400",
+                    "expiration_warning": "15",
+                    "history_cnt": "50",
+                    "len_min": "8",
+                    "reject_user_passw_match": true,
+                    "lower_class": true,
+                    "upper_class": true,
+                    "digits_class": true,
+                    "special_class": true
+                }
+            }
+        }
+    },
+    "PASSWORD_BAD_EXPIRATION_WARN": {
+        "sonic-passwh:sonic-passwh": {
+            "sonic-passwh:PASSW_HARDENING": {
+                "POLICIES":{
+                    "state": "enabled",
+                    "expiration": "180",
+                    "expiration_warning": "40",
+                    "history_cnt": "10",
+                    "len_min": "8",
+                    "reject_user_passw_match": true,
+                    "lower_class": true,
+                    "upper_class": true,
+                    "digits_class": true,
+                    "special_class": true
+                }
+            }
+        }
+    }
+}
diff --git a/src/sonic-yang-models/yang-models/sonic-passwh.yang b/src/sonic-yang-models/yang-models/sonic-passwh.yang
@@ -0,0 +1,76 @@
+module sonic-passwh {
+    yang-version 1.1;
+    namespace "http://github.com/Azure/sonic-passwh";
+    prefix password;
+
+    description "PASSWORD HARDENING YANG Module for SONiC OS";
+
+    revision 2022-05-03 {
+        description "First Revision";
+    }
+
+    container sonic-passwh {
+
+        typedef feature_state {
+            type enumeration {
+                enum enabled;
+                enum disabled;
+            }
+        }
+
+        container PASSW_HARDENING {
+            description "PASSWORD HARDENING part of config_db.json";
+            container POLICIES {
+                leaf state {
+                    description "state of the feature";
+                    type feature_state;
+                    default "disabled";
+                }
+                leaf expiration {
+                    description "expiration time (days unit)";
+                    type uint16 {
+                        range 1..365;
+                    }
+                }
+                leaf expiration_warning {
+                    description "expiration warning time (days unit)";
+                    type uint8 {
+                        range 1..30;
+                    }
+                }
+                leaf history_cnt {
+                    description "num of old password that the system will recorded";
+                    type uint8 {
+                        range 1..100;
+                    }
+                }
+                leaf len_min {
+                    description "password min length";
+                    type uint8 {
+                        range 1..32;
+                    }
+                }
+                leaf reject_user_passw_match{
+                    description "username password match";
+                    type boolean;
+                }
+                leaf lower_class{
+                    description "password lower chars policy";
+                    type boolean;
+                }
+                leaf upper_class{
+                    description "password upper chars policy";
+                    type boolean;
+                }
+                leaf digits_class{
+                    description "password digits chars policy";
+                    type boolean;
+                }
+                leaf special_class{
+                    description "password special chars policy";
+                    type boolean;
+                }
+            }/*container policies */
+        } /* container PASSWH  */
+    }/* container sonic-passwh */
+}/* end of module sonic-passwh */
