Skip to content

Commit

Permalink
[YANG] Add support for Password Hardening (#10322)
Browse files Browse the repository at this point in the history 
- Why I did it
Yang Model about password hardening feature, the sonic CLI of this feature was autogenerated from this Yang model

- How I did it
Create new Yang model in src/sonic-yang-models/yang-models/sonic-passwh.yang.

- How to verify it
There are unitests(yang test) in this P.R covering all the passwords policies with good and bad values cases.
Or is possible manually using the config/show password commands that were autogenerated from this Yang model. (this CLI code added in sonic-utilities)
  • Loading branch information
@davidpil2002
davidpil2002 authored May 29, 2022
1 parent 29043ff commit ab09303
Show file tree
Hide file tree
Showing 7 changed files with 319 additions and 0 deletions.
14 changes: 14 additions & 0 deletions files/build_templates/init_cfg.json.j2
View file
Original file line number Diff line number Diff line change
Expand Up @@ -91,5 +91,19 @@
"rate_limit_interval" : "600"
}{%if not loop.last %},{% endif -%}
{% endfor %}
},
"PASSW_HARDENING": {
"POLICIES":{
"state": "disabled",
"expiration": "180",
"expiration_warning": "15",
"history_cnt": "10",
"len_min": "8",
"reject_user_passw_match": "true",
"lower_class": "true",
"upper_class": "true",
"digits_class": "true",
"special_class": "true"
}
}
}
35 changes: 35 additions & 0 deletions src/sonic-yang-models/doc/Configuration.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,7 @@ Table of Contents
* [VLAN_MEMBER](#vlan_member)
* [Virtual router](#virtual-router)
* [WRED_PROFILE](#wred_profile)
* [PASSWORD_HARDENING](#password_hardening)
* [For Developers](#for-developers)
* [Generating Application Config by Jinja2 Template](#generating-application-config-by-jinja2-template)
* [Incremental Configuration by Subscribing to ConfigDB](#incremental-configuration-by-subscribing-to-configdb)
Expand Down Expand Up @@ -1506,6 +1507,40 @@ The packet action could be:
}
}
```
### PASSWORD_HARDENING

Password Hardening, a user password is the key credential used in order to verify the user accessing the switch and acts as the first line of defense in regards to securing the switch. PASSWORD_HARDENING - support the enforce strong policies.

- state - Enable/Disable password hardening feature
- len_min - The minimum length of the PW should be subject to a user change.
- expiration - PW Age Change Once a PW change takes place - the DB record for said PW is updated with the new PW value and a fresh new age (=0).
- expiration_warning - The switch will provide a warning for PW change before and (this is to allow a sufficient warning for upgrading the PW which might be relevant to numerous switches).
- history_cnt - remember last passwords, and reject to use the old passw
- reject_user_passw_match - reject to set same username and passw
- PW classes - are the type of characters the user is required to enter when setting/updating a PW.
There are 4 classes
- lower_class - Small characters - a-z
- upper_class - Big characters - A-Z
- digits_class -Numbers - 0-9
- special_class - Special Characters `~!@#$%^&*()-_+=|[{}];:',<.>/? and white space
```
{
"PASSW_HARDENING": {
"POLICIES": {
"state": "disabled",
"expiration": "180",
"expiration_warning": "15",
"history_cnt": "10",
"len_min": "8",
"reject_user_passw_match": "true",
"lower_class": "true",
"upper_class": "true",
"digits_class": "true",
"special_class": "true"
}
}
}
```

### BREAKOUT_CFG

Expand Down
1 change: 1 addition & 0 deletions src/sonic-yang-models/setup.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -114,6 +114,7 @@ def run(self):
'./yang-models/sonic-ntp.yang',
'./yang-models/sonic-nat.yang',
'./yang-models/sonic-nvgre-tunnel.yang',
'./yang-models/sonic-passwh.yang',
'./yang-models/sonic-pbh.yang',
'./yang-models/sonic-port.yang',
'./yang-models/sonic-policer.yang',
Expand Down
15 changes: 15 additions & 0 deletions src/sonic-yang-models/tests/files/sample_config_db.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1792,6 +1792,21 @@
}
},

"PASSW_HARDENING": {
"POLICIES": {
"state": "enabled",
"expiration": "180",
"expiration_warning": "15",
"history_cnt": "10",
"len_min": "8",
"reject_user_passw_match": "true",
"digits_class": "true",
"lower_class": "true",
"special_class": "true",
"upper_class": "true"
}
},

"MACSEC_PROFILE": {
"test": {
"priority": "64",
Expand Down
32 changes: 32 additions & 0 deletions src/sonic-yang-models/tests/yang_model_tests/tests/password_hardening.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
{
"PASSWORD_TABLE": {
"desc": "Configure policer with all default fields."
},
"PASSWORD_ENABLE_FEATURE_WITH_POLICIES": {
"desc": "Configure password policies and enabled feature."
},
"PASSWORD_BAD_ENABLE_FEATURE": {
"desc": "Configure password policies enabled feature with a wrong value.",
"eStrKey" : "InvalidValue"
},
"PASSWORD_BAD_DIGIT": {
"desc": "Configure password Digit Class policy with invalid value",
"eStrKey" : "InvalidValue"
},
"PASSWORD_BAD_HISTORY_CNT": {
"desc": "Configure password history_cnt with out of range value",
"eStrKey" : "InvalidValue"
},
"PASSWORD_BAD_LEN_MIN": {
"desc": "Configure password len-min with out of range value",
"eStrKey" : "Pattern"
},
"PASSWORD_BAD_EXPIRATION": {
"desc": "Configure password expiration with out of range value",
"eStrKey" : "Pattern"
},
"PASSWORD_BAD_EXPIRATION_WARN": {
"desc": "Configure password expiration-warning with out of range value",
"eStrKey" : "Pattern"
}
}
146 changes: 146 additions & 0 deletions src/sonic-yang-models/tests/yang_model_tests/tests_config/password_hardening.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,146 @@
{
"PASSWORD_TABLE": {
"sonic-passwh:sonic-passwh": {
"sonic-passwh:PASSW_HARDENING": {
"POLICIES":{
"state": "disabled",
"expiration": "180",
"expiration_warning": "15",
"history_cnt": "10",
"len_min": "8",
"reject_user_passw_match": true,
"lower_class": true,
"upper_class": true,
"digits_class": true,
"special_class": true
}
}
}
},
"PASSWORD_ENABLE_FEATURE_WITH_POLICIES": {
"sonic-passwh:sonic-passwh": {
"sonic-passwh:PASSW_HARDENING": {
"POLICIES":{
"state": "enabled",
"expiration": "180",
"expiration_warning": "15",
"history_cnt": "10",
"len_min": "8",
"reject_user_passw_match": true,
"lower_class": true,
"upper_class": true,
"digits_class": true,
"special_class": true
}
}
}
},
"PASSWORD_BAD_ENABLE_FEATURE": {
"sonic-passwh:sonic-passwh": {
"sonic-passwh:PASSW_HARDENING": {
"POLICIES":{
"state": "33",
"expiration": "180",
"expiration_warning": "15",
"history_cnt": "10",
"len_min": "8",
"reject_user_passw_match": true,
"lower_class": true,
"upper_class": true,
"digits_class": true,
"special_class": true
}
}
}
},
"PASSWORD_BAD_DIGIT": {
"sonic-passwh:sonic-passwh": {
"sonic-passwh:PASSW_HARDENING": {
"POLICIES":{
"state": "disabled",
"expiration": "180",
"expiration_warning": "15",
"history_cnt": "10",
"len_min": "8",
"reject_user_passw_match": true,
"lower_class": true,
"upper_class": true,
"digits_class": "1",
"special_class": true
}
}
}
},
"PASSWORD_BAD_HISTORY_CNT": {
"sonic-passwh:sonic-passwh": {
"sonic-passwh:PASSW_HARDENING": {
"POLICIES":{
"state": "enabled",
"expiration": "180",
"expiration_warning": "15",
"history_cnt": "300",
"len_min": "8",
"reject_user_passw_match": true,
"lower_class": true,
"upper_class": true,
"digits_class": true,
"special_class": true
}
}
}
},
"PASSWORD_BAD_LEN_MIN": {
"sonic-passwh:sonic-passwh": {
"sonic-passwh:PASSW_HARDENING": {
"POLICIES":{
"state": "enabled",
"expiration": "180",
"expiration_warning": "15",
"history_cnt": "50",
"len_min": "50",
"reject_user_passw_match": true,
"lower_class": true,
"upper_class": true,
"digits_class": true,
"special_class": true
}
}
}
},
"PASSWORD_BAD_EXPIRATION": {
"sonic-passwh:sonic-passwh": {
"sonic-passwh:PASSW_HARDENING": {
"POLICIES":{
"state": "enabled",
"expiration": "400",
"expiration_warning": "15",
"history_cnt": "50",
"len_min": "8",
"reject_user_passw_match": true,
"lower_class": true,
"upper_class": true,
"digits_class": true,
"special_class": true
}
}
}
},
"PASSWORD_BAD_EXPIRATION_WARN": {
"sonic-passwh:sonic-passwh": {
"sonic-passwh:PASSW_HARDENING": {
"POLICIES":{
"state": "enabled",
"expiration": "180",
"expiration_warning": "40",
"history_cnt": "10",
"len_min": "8",
"reject_user_passw_match": true,
"lower_class": true,
"upper_class": true,
"digits_class": true,
"special_class": true
}
}
}
}
}
76 changes: 76 additions & 0 deletions src/sonic-yang-models/yang-models/sonic-passwh.yang
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
module sonic-passwh {
yang-version 1.1;
namespace "http://github.com/Azure/sonic-passwh";
prefix password;

description "PASSWORD HARDENING YANG Module for SONiC OS";

revision 2022-05-03 {
description "First Revision";
}

container sonic-passwh {

typedef feature_state {
type enumeration {
enum enabled;
enum disabled;
}
}

container PASSW_HARDENING {
description "PASSWORD HARDENING part of config_db.json";
container POLICIES {
leaf state {
description "state of the feature";
type feature_state;
default "disabled";
}
leaf expiration {
description "expiration time (days unit)";
type uint16 {
range 1..365;
}
}
leaf expiration_warning {
description "expiration warning time (days unit)";
type uint8 {
range 1..30;
}
}
leaf history_cnt {
description "num of old password that the system will recorded";
type uint8 {
range 1..100;
}
}
leaf len_min {
description "password min length";
type uint8 {
range 1..32;
}
}
leaf reject_user_passw_match{
description "username password match";
type boolean;
}
leaf lower_class{
description "password lower chars policy";
type boolean;
}
leaf upper_class{
description "password upper chars policy";
type boolean;
}
leaf digits_class{
description "password digits chars policy";
type boolean;
}
leaf special_class{
description "password special chars policy";
type boolean;
}
}/*container policies */
} /* container PASSWH */
}/* container sonic-passwh */
}/* end of module sonic-passwh */

0 comments on commit ab09303

Please sign in to comment.