Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[YANG] Add support for Password Hardening #10322

Merged
merged 19 commits into from
May 29, 2022
Merged

[YANG] Add support for Password Hardening #10322

Show file tree
Hide file tree
Changes from 15 commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
d6e62e8
add password hardening yang model, yang test, init_cfg.json.j2 files
davidpil2002 Mar 8, 2022
f844b43
fix comments from P.R: add 3 YANG test, add YANG sample
davidpil2002 Mar 20, 2022
0d143f1
Merge branch 'master' into dev-password-hardening-yang-model
davidpil2002 Mar 22, 2022
a8cfb45
Add Password Hardening documentation to the YANG Configuration.md file
davidpil2002 Mar 22, 2022
7f6b284
remove white spaces
davidpil2002 Mar 22, 2022
b0a6f5c
fix Yang model test, replace PASSWORD table name to PASSW_HARDENING
davidpil2002 Apr 4, 2022
7b42206
fix yang test config typo true instead True
davidpil2002 Apr 4, 2022
9a68dd1
Password Hardening Yang model, fix typo
davidpil2002 Apr 6, 2022
90ed1ad
Passw Hardening Fix Yang test PASSWORD_BAD_EXPIRATION
davidpil2002 Apr 6, 2022
a978ef1
Passw Hardening fix Yang test expiration warning & len-min cases
davidpil2002 Apr 6, 2022
5e17f03
Passw Hardening - fix Table name PASSWORD
davidpil2002 Apr 6, 2022
6d222f7
add sonic-passwh.yang to setup.py file
davidpil2002 Apr 7, 2022
69190ef
Passw hardening, fix typo in sample_config_db.json
davidpil2002 Apr 7, 2022
b2404e1
Password Hardening Yang test - fix typo in sample_config_db.json file
davidpil2002 Apr 7, 2022
668d7ea
Password Hardening Yang test - fix typo in init_cfg.json.j2 file
davidpil2002 Apr 7, 2022
72f4446
Merge branch 'master' into dev-password-hardening-yang-model
davidpil2002 May 3, 2022
3ad5476
fix revision date in sonic-passwh.yang file
davidpil2002 May 3, 2022
4d3cf3b
Merge branch 'master' into dev-password-hardening-yang-model
davidpil2002 May 15, 2022
a6f7227
[password-hardening]Add state feature disabled as default in yang model
davidpil2002 May 15, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 15 additions & 1 deletion files/build_templates/init_cfg.json.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,20 @@
"state" : "disabled", {% endif %}
"rate_limit_interval" : "600"
}{%if not loop.last %},{% endif -%}
{% endfor %}
{% endfor %}
},
"PASSW_HARDENING": {
"POLICIES":{
"state": "disabled",
"expiration": "180",
"expiration_warning": "15",
"history_cnt": "10",
"len_min": "8",
"reject_user_passw_match": "true",
"lower_class": "true",
"upper_class": "true",
"digits_class": "true",
"special_class": "true"
}
}
}
35 changes: 35 additions & 0 deletions src/sonic-yang-models/doc/Configuration.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,7 @@ Table of Contents
* [VLAN_MEMBER](#vlan_member)
* [Virtual router](#virtual-router)
* [WRED_PROFILE](#wred_profile)
* [PASSWORD_HARDENING](#password_hardening)
* [For Developers](#for-developers)
* [Generating Application Config by Jinja2 Template](#generating-application-config-by-jinja2-template)
* [Incremental Configuration by Subscribing to ConfigDB](#incremental-configuration-by-subscribing-to-configdb)
Expand Down Expand Up @@ -1467,6 +1468,40 @@ The packet action could be:
}
}
```
### PASSWORD_HARDENING

Password Hardening, a user password is the key credential used in order to verify the user accessing the switch and acts as the first line of defense in regards to securing the switch. PASSWORD_HARDENING - support the enforce strong policies.

- state - Enable/Disable password hardening feature
- len_min - The minimum length of the PW should be subject to a user change.
- expiration - PW Age Change Once a PW change takes place - the DB record for said PW is updated with the new PW value and a fresh new age (=0).
- expiration_warning - The switch will provide a warning for PW change before and (this is to allow a sufficient warning for upgrading the PW which might be relevant to numerous switches).
- history_cnt - remember last passwords, and reject to use the old passw
- reject_user_passw_match - reject to set same username and passw
- PW classes - are the type of characters the user is required to enter when setting/updating a PW.
There are 4 classes
- lower_class - Small characters - a-z
- upper_class - Big characters - A-Z
- digits_class -Numbers - 0-9
- special_class - Special Characters `~!@#$%^&*()-_+=|[{}];:',<.>/? and white space
```
{
"PASSW_HARDENING": {
"POLICIES": {
"state": "disabled",
"expiration": "180",
"expiration_warning": "15",
"history_cnt": "10",
"len_min": "8",
"reject_user_passw_match": "true",
"lower_class": "true",
"upper_class": "true",
"digits_class": "true",
"special_class": "true"
}
}
}
```

### BREAKOUT_CFG

Expand Down
1 change: 1 addition & 0 deletions src/sonic-yang-models/setup.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,6 +111,7 @@ def run(self):
'./yang-models/sonic-ntp.yang',
'./yang-models/sonic-nat.yang',
'./yang-models/sonic-nvgre-tunnel.yang',
'./yang-models/sonic-passwh.yang',
'./yang-models/sonic-pbh.yang',
'./yang-models/sonic-port.yang',
'./yang-models/sonic-policer.yang',
Expand Down
16 changes: 15 additions & 1 deletion src/sonic-yang-models/tests/files/sample_config_db.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1658,9 +1658,23 @@
"vlan_id": "111",
"vsid": "5000"
}
}
},


"PASSW_HARDENING": {
"POLICIES": {
"state": "enabled",
"expiration": "180",
"expiration_warning": "15",
"history_cnt": "10",
"len_min": "8",
"reject_user_passw_match": "true",
"digits_class": "true",
"lower_class": "true",
"special_class": "true",
"upper_class": "true"
}
}
},
"SAMPLE_CONFIG_DB_UNKNOWN": {
"UNKNOWN_TABLE": {
Expand Down
32 changes: 32 additions & 0 deletions src/sonic-yang-models/tests/yang_model_tests/tests/password_hardening.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
{
"PASSWORD_TABLE": {
"desc": "Configure policer with all default fields."
},
"PASSWORD_ENABLE_FEATURE_WITH_POLICIES": {
"desc": "Configure password policies and enabled feature."
},
"PASSWORD_BAD_ENABLE_FEATURE": {
"desc": "Configure password policies enabled feature with a wrong value.",
"eStrKey" : "InvalidValue"
},
"PASSWORD_BAD_DIGIT": {
"desc": "Configure password Digit Class policy with invalid value",
"eStrKey" : "InvalidValue"
},
"PASSWORD_BAD_HISTORY_CNT": {
"desc": "Configure password history_cnt with out of range value",
"eStrKey" : "InvalidValue"
},
"PASSWORD_BAD_LEN_MIN": {
"desc": "Configure password len-min with out of range value",
"eStrKey" : "Pattern"
},
"PASSWORD_BAD_EXPIRATION": {
"desc": "Configure password expiration with out of range value",
"eStrKey" : "Pattern"
},
"PASSWORD_BAD_EXPIRATION_WARN": {
"desc": "Configure password expiration-warning with out of range value",
"eStrKey" : "Pattern"
}
}
146 changes: 146 additions & 0 deletions src/sonic-yang-models/tests/yang_model_tests/tests_config/password_hardening.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,146 @@
{
"PASSWORD_TABLE": {
"sonic-passwh:sonic-passwh": {
"sonic-passwh:PASSW_HARDENING": {
"POLICIES":{
"state": "disabled",
"expiration": "180",
"expiration_warning": "15",
"history_cnt": "10",
"len_min": "8",
"reject_user_passw_match": true,
"lower_class": true,
"upper_class": true,
"digits_class": true,
"special_class": true
}
}
}
},
"PASSWORD_ENABLE_FEATURE_WITH_POLICIES": {
"sonic-passwh:sonic-passwh": {
"sonic-passwh:PASSW_HARDENING": {
"POLICIES":{
"state": "enabled",
"expiration": "180",
"expiration_warning": "15",
"history_cnt": "10",
"len_min": "8",
"reject_user_passw_match": true,
"lower_class": true,
"upper_class": true,
"digits_class": true,
"special_class": true
}
}
}
},
"PASSWORD_BAD_ENABLE_FEATURE": {
"sonic-passwh:sonic-passwh": {
"sonic-passwh:PASSW_HARDENING": {
"POLICIES":{
"state": "33",
"expiration": "180",
"expiration_warning": "15",
"history_cnt": "10",
"len_min": "8",
"reject_user_passw_match": true,
"lower_class": true,
"upper_class": true,
"digits_class": true,
"special_class": true
}
}
}
},
"PASSWORD_BAD_DIGIT": {
"sonic-passwh:sonic-passwh": {
"sonic-passwh:PASSW_HARDENING": {
"POLICIES":{
"state": "disabled",
"expiration": "180",
"expiration_warning": "15",
"history_cnt": "10",
"len_min": "8",
"reject_user_passw_match": true,
"lower_class": true,
"upper_class": true,
"digits_class": "1",
"special_class": true
}
}
}
},
"PASSWORD_BAD_HISTORY_CNT": {
"sonic-passwh:sonic-passwh": {
"sonic-passwh:PASSW_HARDENING": {
"POLICIES":{
"state": "enabled",
"expiration": "180",
"expiration_warning": "15",
"history_cnt": "300",
"len_min": "8",
"reject_user_passw_match": true,
"lower_class": true,
"upper_class": true,
"digits_class": true,
"special_class": true
}
}
}
},
"PASSWORD_BAD_LEN_MIN": {
"sonic-passwh:sonic-passwh": {
"sonic-passwh:PASSW_HARDENING": {
"POLICIES":{
"state": "enabled",
"expiration": "180",
"expiration_warning": "15",
"history_cnt": "50",
"len_min": "50",
"reject_user_passw_match": true,
"lower_class": true,
"upper_class": true,
"digits_class": true,
"special_class": true
}
}
}
},
"PASSWORD_BAD_EXPIRATION": {
"sonic-passwh:sonic-passwh": {
"sonic-passwh:PASSW_HARDENING": {
"POLICIES":{
"state": "enabled",
"expiration": "400",
"expiration_warning": "15",
"history_cnt": "50",
"len_min": "8",
"reject_user_passw_match": true,
"lower_class": true,
"upper_class": true,
"digits_class": true,
"special_class": true
}
}
}
},
"PASSWORD_BAD_EXPIRATION_WARN": {
"sonic-passwh:sonic-passwh": {
"sonic-passwh:PASSW_HARDENING": {
"POLICIES":{
"state": "enabled",
"expiration": "180",
"expiration_warning": "40",
"history_cnt": "10",
"len_min": "8",
"reject_user_passw_match": true,
"lower_class": true,
"upper_class": true,
"digits_class": true,
"special_class": true
}
}
}
}
}
75 changes: 75 additions & 0 deletions src/sonic-yang-models/yang-models/sonic-passwh.yang
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
module sonic-passwh {
yang-version 1.1;
namespace "http://github.com/Azure/sonic-passwh";
prefix password;

description "PASSWORD HARDENING YANG Module for SONiC OS";

revision 2021-10-12 {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please fix the revision date

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

description "First Revision";
}

container sonic-passwh {

typedef feature_state {
type enumeration {
enum enabled;
enum disabled;
}
}

container PASSW_HARDENING {
description "PASSWORD HARDENING part of config_db.json";
container POLICIES {
leaf state {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The feature will set to disable by default, so maybe add default values to yang model?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dgsudharsan I removed the default because I understand from you that it is not necessary anymore,
can you confirm?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@liuh-80 In the yang subgroup meeting it is decided not to have default in yang model but rather handle it in application. The reason is having default will push it to config_db and currently there is no way to differentiate between user configuration from default configuration.

Copy link
Collaborator

@qiluo-msft qiluo-msft May 12, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have the same concern. We should add default value (disable) into yang model.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

description "state of the feature";
type feature_state;
}
leaf expiration {
description "expiration time (days unit)";
type uint16 {
range 1..365;
}
}
leaf expiration_warning {
description "expiration warning time (days unit)";
type uint8 {
range 1..30;
}
}
leaf history_cnt {
description "num of old password that the system will recorded";
type uint8 {
range 1..100;
}
}
leaf len_min {
description "password min length";
type uint8 {
range 1..32;
}
}
leaf reject_user_passw_match{
description "username password match";
type boolean;
}
leaf lower_class{
description "password lower chars policy";
type boolean;
}
leaf upper_class{
description "password upper chars policy";
type boolean;
}
leaf digits_class{
description "password digits chars policy";
type boolean;
}
leaf special_class{
description "password special chars policy";
type boolean;
}
}/*container policies */
} /* container PASSWH */
}/* container sonic-passwh */
}/* end of module sonic-passwh */