[yang] Restrict AAA authorization with TACPLUS passkey (sonic-net#18155)

wen587 · web-flow · commit 6224d672ba1f · 2024-02-26T17:34:32.000-08:00
### Why I did it
Command cannot be executed when tacacs+ in AAA authorization is set and passkey in TACPLUs is not set. There should be such restriction in YANG model definition.
##### Work item tracking
- Microsoft ADO **(number only)**: 26898399

#### How I did it
Add restirction
#### How to verify it
unit test
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/aaa.json b/src/sonic-yang-models/tests/yang_model_tests/tests/aaa.json
@@ -18,6 +18,10 @@
     "AAA_AUTHORIZATION_TEST": {
         "desc": "Configure an authorization type in AAA table."
     },
+    "AAA_AUTHORIZATION_TEST_TACACS_WITHOUT_TACPLUS": {
+        "desc": "Configure tacacs in authorization type in AAA table without TACPLUS table.",
+        "eStr": ["Authorization with 'tacacs+' is not allowed when passkey not exists."]
+    },
     "AAA_ACCOUNTING_TEST": {
         "desc": "Configure an accounting type in AAA table."
     }
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/aaa.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/aaa.json
@@ -46,6 +46,25 @@
     },
 
     "AAA_AUTHORIZATION_TEST": {
+        "sonic-system-aaa:sonic-system-aaa": {
+            "sonic-system-aaa:AAA": {
+                "AAA_LIST": [{
+                        "type": "authorization",
+                        "login": "tacacs+"
+                }]
+            }
+        },
+        "sonic-system-tacacs:sonic-system-tacacs": {
+            "sonic-system-tacacs:TACPLUS": {
+                "global": {
+                        "timeout": 5,
+                        "passkey": "aabb"
+                }
+            }
+        }
+    },
+
+    "AAA_AUTHORIZATION_TEST_TACACS_WITHOUT_TACPLUS": {
         "sonic-system-aaa:sonic-system-aaa": {
             "sonic-system-aaa:AAA": {
                 "AAA_LIST": [{
diff --git a/src/sonic-yang-models/yang-models/sonic-system-aaa.yang b/src/sonic-yang-models/yang-models/sonic-system-aaa.yang
@@ -7,6 +7,10 @@ module sonic-system-aaa {
         prefix stypes;
     }
 
+    import sonic-system-tacacs{
+        prefix tacacs;
+    }
+
     revision 2021-10-12 {
         description "Add AAA authorization/accounting support.";
     }
@@ -39,6 +43,10 @@ module sonic-system-aaa {
                     default "local";
                 }
 
+                must 'not(./type = "authorization" and contains(./login, "tacacs+") and not(/tacacs:sonic-system-tacacs/tacacs:TACPLUS/tacacs:global/tacacs:passkey))' {
+                    error-message "Authorization with 'tacacs+' is not allowed when passkey not exists.";
+                }
+
                 leaf failthrough {
                     type stypes:boolean_type;
                     description "When set to true, authentication is attempted on next configured server/local in the list upon failure.";

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,10 @@ module sonic-system-aaa {`
`7`	`7`	`prefix stypes;`
`8`	`8`	`}`
`9`	`9`
	`10`	`+ import sonic-system-tacacs{`
	`11`	`+ prefix tacacs;`
	`12`	`+ }`
	`13`	`+`
`10`	`14`	`revision 2021-10-12 {`
`11`	`15`	`description "Add AAA authorization/accounting support.";`
`12`	`16`	`}`
`@@ -39,6 +43,10 @@ module sonic-system-aaa {`
`39`	`43`	`default "local";`
`40`	`44`	`}`
`41`	`45`
	`46`	`+ must 'not(./type = "authorization" and contains(./login, "tacacs+") and not(/tacacs:sonic-system-tacacs/tacacs:TACPLUS/tacacs:global/tacacs:passkey))' {`
	`47`	`+ error-message "Authorization with 'tacacs+' is not allowed when passkey not exists.";`
	`48`	`+ }`
	`49`	`+`
`42`	`50`	`leaf failthrough {`
`43`	`51`	`type stypes:boolean_type;`
`44`	`52`	`description "When set to true, authentication is attempted on next configured server/local in the list upon failure.";`