Migrate AAA table per-command authorization in db_migrator (#3296)

liuh-80 · web-flow · commit 61d0ec98baf5 · 2024-05-15T09:58:48.000+08:00
Migrate AAA table per-command authorization in db_migrator

#### Why I did it
    per-command AAA need enable in warm-upgrade case

#### How I did it
    Add code to migrate per-command aunthorization

#### How to verify it
    Pass all test case.
    Add new test case.

#### Which release branch to backport (provide reason below if selected)
    N/A

#### Description for the changelog
    Migrate AAA table per-command authorization in db_migrator

#### A picture of a cute animal (not mandatory but encouraged)
diff --git a/scripts/db_migrator.py b/scripts/db_migrator.py
@@ -840,6 +840,22 @@ def migrate_aaa(self):
             self.configDB.set_entry("AAA", "accounting", accounting_new)
             log.log_info('Migrate AAA accounting: {}'.format(accounting_new))
 
+        # setup per-command authorization
+        tacplus_config = self.configDB.get_entry('TACPLUS', 'global')
+        if 'passkey' in tacplus_config and '' != tacplus_config.get('passkey'):
+            authorization = self.configDB.get_entry('AAA', 'authorization')
+            if not authorization:
+                authorization_new = aaa_new.get("authorization")
+                self.configDB.set_entry("AAA", "authorization", authorization_new)
+                log.log_info('Migrate AAA authorization: {}'.format(authorization_new))
+        else:
+            # If no passkey, setup per-command authorization will block remote user command
+            log.log_info('TACACS passkey does not exist, disable per-command authorization.')
+            authorization_key = "AAA|authorization"
+            keys = self.configDB.keys(self.configDB.CONFIG_DB, authorization_key)
+            if keys:
+                self.configDB.delete(self.configDB.CONFIG_DB, authorization_key)
+
     def version_unknown(self):
         """
         version_unknown tracks all SONiC versions that doesn't have a version
diff --git a/tests/db_migrator_input/config_db/per_command_aaa_enable_expected.json b/tests/db_migrator_input/config_db/per_command_aaa_enable_expected.json
@@ -5,6 +5,9 @@
     "AAA|authentication": {
         "login": "tacacs+"
     },
+    "AAA|authorization": {
+        "login": "tacacs+"
+    },
     "TACPLUS|global": {
         "auth_type": "login",
         "passkey": "testpasskey"
diff --git a/tests/db_migrator_input/config_db/per_command_aaa_no_authentication_expected.json b/tests/db_migrator_input/config_db/per_command_aaa_no_authentication_expected.json
@@ -5,6 +5,9 @@
     "AAA|authentication": {
         "login": "tacacs+"
     },
+    "AAA|authorization": {
+        "login": "tacacs+"
+    },
     "TACPLUS|global": {
         "auth_type": "login",
         "passkey": "testpasskey"
diff --git a/tests/db_migrator_input/config_db/per_command_aaa_no_passkey.json b/tests/db_migrator_input/config_db/per_command_aaa_no_passkey.json
@@ -2,6 +2,9 @@
     "AAA|authentication": {
         "login": "tacacs+"
     },
+    "AAA|authorization": {
+        "login": "tacacs+"
+    },
     "TACPLUS|global": {
         "auth_type": "login"
     }
diff --git a/tests/db_migrator_input/config_db/per_command_aaa_no_tacplus_expected.json b/tests/db_migrator_input/config_db/per_command_aaa_no_tacplus_expected.json
@@ -5,6 +5,9 @@
     "AAA|authentication": {
         "login": "tacacs+"
     },
+    "AAA|authorization": {
+        "login": "tacacs+"
+    },
     "TACPLUS|global": {
         "auth_type": "login",
         "passkey": "testpasskey"
