From ab0930313b34aa37819b4a5a325ed8b2f633e028 Mon Sep 17 00:00:00 2001 From: davidpil2002 <91657985+davidpil2002@users.noreply.github.com> Date: Sun, 29 May 2022 13:54:51 +0300 Subject: [PATCH] [YANG] Add support for Password Hardening (#10322) - Why I did it Yang Model about password hardening feature, the sonic CLI of this feature was autogenerated from this Yang model - How I did it Create new Yang model in src/sonic-yang-models/yang-models/sonic-passwh.yang. - How to verify it There are unitests(yang test) in this P.R covering all the passwords policies with good and bad values cases. Or is possible manually using the config/show password commands that were autogenerated from this Yang model. (this CLI code added in sonic-utilities) --- files/build_templates/init_cfg.json.j2 | 14 ++ src/sonic-yang-models/doc/Configuration.md | 35 +++++ src/sonic-yang-models/setup.py | 1 + .../tests/files/sample_config_db.json | 15 ++ .../tests/password_hardening.json | 32 ++++ .../tests_config/password_hardening.json | 146 ++++++++++++++++++ .../yang-models/sonic-passwh.yang | 76 +++++++++ 7 files changed, 319 insertions(+) create mode 100644 src/sonic-yang-models/tests/yang_model_tests/tests/password_hardening.json create mode 100644 src/sonic-yang-models/tests/yang_model_tests/tests_config/password_hardening.json create mode 100755 src/sonic-yang-models/yang-models/sonic-passwh.yang diff --git a/files/build_templates/init_cfg.json.j2 b/files/build_templates/init_cfg.json.j2 index 5d44b0a64b..a197c22a90 100644 --- a/files/build_templates/init_cfg.json.j2 +++ b/files/build_templates/init_cfg.json.j2 @@ -91,5 +91,19 @@ "rate_limit_interval" : "600" }{%if not loop.last %},{% endif -%} {% endfor %} + }, + "PASSW_HARDENING": { + "POLICIES":{ + "state": "disabled", + "expiration": "180", + "expiration_warning": "15", + "history_cnt": "10", + "len_min": "8", + "reject_user_passw_match": "true", + "lower_class": "true", + "upper_class": "true", + "digits_class": "true", + "special_class": "true" + } } } diff --git a/src/sonic-yang-models/doc/Configuration.md b/src/sonic-yang-models/doc/Configuration.md index 47ccb2a3e4..3d5bf91db5 100644 --- a/src/sonic-yang-models/doc/Configuration.md +++ b/src/sonic-yang-models/doc/Configuration.md @@ -51,6 +51,7 @@ Table of Contents * [VLAN_MEMBER](#vlan_member) * [Virtual router](#virtual-router) * [WRED_PROFILE](#wred_profile) + * [PASSWORD_HARDENING](#password_hardening) * [For Developers](#for-developers) * [Generating Application Config by Jinja2 Template](#generating-application-config-by-jinja2-template) * [Incremental Configuration by Subscribing to ConfigDB](#incremental-configuration-by-subscribing-to-configdb) @@ -1506,6 +1507,40 @@ The packet action could be: } } ``` +### PASSWORD_HARDENING + +Password Hardening, a user password is the key credential used in order to verify the user accessing the switch and acts as the first line of defense in regards to securing the switch. PASSWORD_HARDENING - support the enforce strong policies. + +- state - Enable/Disable password hardening feature +- len_min - The minimum length of the PW should be subject to a user change. +- expiration - PW Age Change Once a PW change takes place - the DB record for said PW is updated with the new PW value and a fresh new age (=0). +- expiration_warning - The switch will provide a warning for PW change before and (this is to allow a sufficient warning for upgrading the PW which might be relevant to numerous switches). +- history_cnt - remember last passwords, and reject to use the old passw +- reject_user_passw_match - reject to set same username and passw +- PW classes - are the type of characters the user is required to enter when setting/updating a PW. +There are 4 classes + - lower_class - Small characters - a-z + - upper_class - Big characters - A-Z + - digits_class -Numbers - 0-9 + - special_class - Special Characters `~!@#$%^&*()-_+=|[{}];:',<.>/? and white space +``` +{ +"PASSW_HARDENING": { + "POLICIES": { + "state": "disabled", + "expiration": "180", + "expiration_warning": "15", + "history_cnt": "10", + "len_min": "8", + "reject_user_passw_match": "true", + "lower_class": "true", + "upper_class": "true", + "digits_class": "true", + "special_class": "true" + } + } +} +``` ### BREAKOUT_CFG diff --git a/src/sonic-yang-models/setup.py b/src/sonic-yang-models/setup.py index 52cf020f44..3dfdde1cef 100644 --- a/src/sonic-yang-models/setup.py +++ b/src/sonic-yang-models/setup.py @@ -114,6 +114,7 @@ setup( './yang-models/sonic-ntp.yang', './yang-models/sonic-nat.yang', './yang-models/sonic-nvgre-tunnel.yang', + './yang-models/sonic-passwh.yang', './yang-models/sonic-pbh.yang', './yang-models/sonic-port.yang', './yang-models/sonic-policer.yang', diff --git a/src/sonic-yang-models/tests/files/sample_config_db.json b/src/sonic-yang-models/tests/files/sample_config_db.json index d6a4e8f2a9..9be6d29e89 100644 --- a/src/sonic-yang-models/tests/files/sample_config_db.json +++ b/src/sonic-yang-models/tests/files/sample_config_db.json @@ -1792,6 +1792,21 @@ } }, + "PASSW_HARDENING": { + "POLICIES": { + "state": "enabled", + "expiration": "180", + "expiration_warning": "15", + "history_cnt": "10", + "len_min": "8", + "reject_user_passw_match": "true", + "digits_class": "true", + "lower_class": "true", + "special_class": "true", + "upper_class": "true" + } + }, + "MACSEC_PROFILE": { "test": { "priority": "64", diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/password_hardening.json b/src/sonic-yang-models/tests/yang_model_tests/tests/password_hardening.json new file mode 100644 index 0000000000..4bcde92849 --- /dev/null +++ b/src/sonic-yang-models/tests/yang_model_tests/tests/password_hardening.json @@ -0,0 +1,32 @@ +{ + "PASSWORD_TABLE": { + "desc": "Configure policer with all default fields." + }, + "PASSWORD_ENABLE_FEATURE_WITH_POLICIES": { + "desc": "Configure password policies and enabled feature." + }, + "PASSWORD_BAD_ENABLE_FEATURE": { + "desc": "Configure password policies enabled feature with a wrong value.", + "eStrKey" : "InvalidValue" + }, + "PASSWORD_BAD_DIGIT": { + "desc": "Configure password Digit Class policy with invalid value", + "eStrKey" : "InvalidValue" + }, + "PASSWORD_BAD_HISTORY_CNT": { + "desc": "Configure password history_cnt with out of range value", + "eStrKey" : "InvalidValue" + }, + "PASSWORD_BAD_LEN_MIN": { + "desc": "Configure password len-min with out of range value", + "eStrKey" : "Pattern" + }, + "PASSWORD_BAD_EXPIRATION": { + "desc": "Configure password expiration with out of range value", + "eStrKey" : "Pattern" + }, + "PASSWORD_BAD_EXPIRATION_WARN": { + "desc": "Configure password expiration-warning with out of range value", + "eStrKey" : "Pattern" + } +} \ No newline at end of file diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/password_hardening.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/password_hardening.json new file mode 100644 index 0000000000..0b7eb5a3cb --- /dev/null +++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/password_hardening.json @@ -0,0 +1,146 @@ +{ + "PASSWORD_TABLE": { + "sonic-passwh:sonic-passwh": { + "sonic-passwh:PASSW_HARDENING": { + "POLICIES":{ + "state": "disabled", + "expiration": "180", + "expiration_warning": "15", + "history_cnt": "10", + "len_min": "8", + "reject_user_passw_match": true, + "lower_class": true, + "upper_class": true, + "digits_class": true, + "special_class": true + } + } + } + }, + "PASSWORD_ENABLE_FEATURE_WITH_POLICIES": { + "sonic-passwh:sonic-passwh": { + "sonic-passwh:PASSW_HARDENING": { + "POLICIES":{ + "state": "enabled", + "expiration": "180", + "expiration_warning": "15", + "history_cnt": "10", + "len_min": "8", + "reject_user_passw_match": true, + "lower_class": true, + "upper_class": true, + "digits_class": true, + "special_class": true + } + } + } + }, + "PASSWORD_BAD_ENABLE_FEATURE": { + "sonic-passwh:sonic-passwh": { + "sonic-passwh:PASSW_HARDENING": { + "POLICIES":{ + "state": "33", + "expiration": "180", + "expiration_warning": "15", + "history_cnt": "10", + "len_min": "8", + "reject_user_passw_match": true, + "lower_class": true, + "upper_class": true, + "digits_class": true, + "special_class": true + } + } + } + }, + "PASSWORD_BAD_DIGIT": { + "sonic-passwh:sonic-passwh": { + "sonic-passwh:PASSW_HARDENING": { + "POLICIES":{ + "state": "disabled", + "expiration": "180", + "expiration_warning": "15", + "history_cnt": "10", + "len_min": "8", + "reject_user_passw_match": true, + "lower_class": true, + "upper_class": true, + "digits_class": "1", + "special_class": true + } + } + } + }, + "PASSWORD_BAD_HISTORY_CNT": { + "sonic-passwh:sonic-passwh": { + "sonic-passwh:PASSW_HARDENING": { + "POLICIES":{ + "state": "enabled", + "expiration": "180", + "expiration_warning": "15", + "history_cnt": "300", + "len_min": "8", + "reject_user_passw_match": true, + "lower_class": true, + "upper_class": true, + "digits_class": true, + "special_class": true + } + } + } + }, + "PASSWORD_BAD_LEN_MIN": { + "sonic-passwh:sonic-passwh": { + "sonic-passwh:PASSW_HARDENING": { + "POLICIES":{ + "state": "enabled", + "expiration": "180", + "expiration_warning": "15", + "history_cnt": "50", + "len_min": "50", + "reject_user_passw_match": true, + "lower_class": true, + "upper_class": true, + "digits_class": true, + "special_class": true + } + } + } + }, + "PASSWORD_BAD_EXPIRATION": { + "sonic-passwh:sonic-passwh": { + "sonic-passwh:PASSW_HARDENING": { + "POLICIES":{ + "state": "enabled", + "expiration": "400", + "expiration_warning": "15", + "history_cnt": "50", + "len_min": "8", + "reject_user_passw_match": true, + "lower_class": true, + "upper_class": true, + "digits_class": true, + "special_class": true + } + } + } + }, + "PASSWORD_BAD_EXPIRATION_WARN": { + "sonic-passwh:sonic-passwh": { + "sonic-passwh:PASSW_HARDENING": { + "POLICIES":{ + "state": "enabled", + "expiration": "180", + "expiration_warning": "40", + "history_cnt": "10", + "len_min": "8", + "reject_user_passw_match": true, + "lower_class": true, + "upper_class": true, + "digits_class": true, + "special_class": true + } + } + } + } +} \ No newline at end of file diff --git a/src/sonic-yang-models/yang-models/sonic-passwh.yang b/src/sonic-yang-models/yang-models/sonic-passwh.yang new file mode 100755 index 0000000000..8814bc2e5a --- /dev/null +++ b/src/sonic-yang-models/yang-models/sonic-passwh.yang @@ -0,0 +1,76 @@ +module sonic-passwh { + yang-version 1.1; + namespace "http://github.com/Azure/sonic-passwh"; + prefix password; + + description "PASSWORD HARDENING YANG Module for SONiC OS"; + + revision 2022-05-03 { + description "First Revision"; + } + + container sonic-passwh { + + typedef feature_state { + type enumeration { + enum enabled; + enum disabled; + } + } + + container PASSW_HARDENING { + description "PASSWORD HARDENING part of config_db.json"; + container POLICIES { + leaf state { + description "state of the feature"; + type feature_state; + default "disabled"; + } + leaf expiration { + description "expiration time (days unit)"; + type uint16 { + range 1..365; + } + } + leaf expiration_warning { + description "expiration warning time (days unit)"; + type uint8 { + range 1..30; + } + } + leaf history_cnt { + description "num of old password that the system will recorded"; + type uint8 { + range 1..100; + } + } + leaf len_min { + description "password min length"; + type uint8 { + range 1..32; + } + } + leaf reject_user_passw_match{ + description "username password match"; + type boolean; + } + leaf lower_class{ + description "password lower chars policy"; + type boolean; + } + leaf upper_class{ + description "password upper chars policy"; + type boolean; + } + leaf digits_class{ + description "password digits chars policy"; + type boolean; + } + leaf special_class{ + description "password special chars policy"; + type boolean; + } + }/*container policies */ + } /* container PASSWH */ + }/* container sonic-passwh */ +}/* end of module sonic-passwh */