@ganeshragnarayanan
Created September 19, 2016 00:15
Topology
=========
#
# +-------+         +-------+
# |       |         |       |
# |  hs1  <--------->  sw1  |
# |       |         |       |
# +-------+         +-------+
#
# Links
sw1:if01 -- h1:if01
Configuration
==============
sh run
Current configuration:
!
!Version OpenSwitch 0.4.0 (Build: genericx86-64-ops-0.4.0-feature/tacacs_plus-20160918005417-dev)
!Schema version 0.1.8
!
tacacs-server host 10.0.0.35 timeout 15 key tac_test
aaa authentication login default group tacacs_plus
!
!
!
!
vlan 1
    no shutdown
interface 1
    no shutdown
    ip address 10.0.10.2/8
    ip address 12.0.12.2/8 secondary
    ipv6 address 2000::1/120
interface 2
    no shutdown
    ip address 20.0.0.1/8
    ipv6 address 2001::1/120
interface loopback 1
    ip address 13.0.13.2/8
dhcp-server
    range host2 start-ip-address 20.0.0.1 end-ip-address 20.0.0.100
    range host1 start-ip-address 10.0.0.1 end-ip-address 10.0.0.100
Using Management IP
===================
ip source-interface all address 172.17.0.2
cat /etc/pam.d/common-auth-access
[...]
auth [success=1 default=ignore] /usr/lib/security/libpam_tacplus.so debug server=10.0.0.35 secret=tac_test login=pap timeout=15
[...]
SSH - fails
SSH - passes only when the TACACS+ server is reachable via the mgmt interface
Using Loopback IP
===================
ip source-interface all address 13.0.13.2
auth [success=1 default=ignore] /usr/lib/security/libpam_tacplus.so debug server=10.0.0.35 secret=testing123-1 login=pap timeout=15 src_namespace=nonet dstn_namespace=swns source_ip=13.0.13.2
SSH - succeeds
Using Interface 1 IP
=====================
ip source-interface all address 10.0.10.2
auth [success=1 default=ignore] /usr/lib/security/libpam_tacplus.so debug server=10.0.0.35 secret=tac_test login=pap timeout=15 src_namespace=nonet dstn_namespace=swns source_ip=10.0.10.2
SSH - succeeds
Using Loopback Interface Name
==============================
ip source-interface all interface loopback1
auth [success=1 default=ignore] /usr/lib/security/libpam_tacplus.so debug server=10.0.0.35 secret=tac_test login=pap timeout=15 src_namespace=nonet dstn_namespace=swns source_ip=13.0.13.2
Sun Sep 18 23:27:39 2016 [70]: pap-login query for 'user1' ssh from 13.0.13.2 accepted
Sun Sep 18 23:27:49 2016 [57]: session.peerip is 10.0.10.2
Sun Sep 18 23:27:49 2016 [71]: connect from 10.0.10.2 [10.0.10.2]
Sun Sep 18 23:27:49 2016 [71]: authorization query for 'user1' ssh from 10.0.10.2 accepted
SSH - succeeds
Using Interface 1 Name
======================
ip source-interface all interface 1
auth [success=1 default=ignore] /usr/lib/security/libpam_tacplus.so debug server=10.0.0.35 secret=tac_test login=pap timeout=15 src_namespace=nonet dstn_namespace=swns source_ip=10.0.10.2
SSH - succeeds
No IP Source Interface Configuration
==========================================
no ip source-interface all
auth [success=1 default=ignore] /usr/lib/security/libpam_tacplus.so debug server=10.0.0.35 secret=tac_test login=pap timeout=15
SSH - fails
SSH - passes only when the TACACS+ server is reachable via the mgmt interface
Using a non-existent ip address
================================
ip source-interface all address 14.1.1.1
auth [success=1 default=ignore] /usr/lib/security/libpam_tacplus.so debug server=10.0.0.35 secret=tac_test login=pap timeout=15
SSH - fails
Using an interface that is shut
================================
ip source-interface all interface 1
int 1
shut
auth [success=1 default=ignore] /usr/lib/security/libpam_tacplus.so debug server=10.0.0.35 secret=tac_test login=pap timeout=15 src_namespace=nonet dstn_namespace=swns source_ip=10.0.10.2
SSH - fails
int 1
no shut
SSH - passes
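Taken together, the runs above describe one mapping: the `ip source-interface all` setting resolves (or fails to resolve) to an address owned by a switch interface in the swns namespace, that address decides whether the `src_namespace=nonet dstn_namespace=swns source_ip=...` arguments are rendered into the pam_tacplus line, and SSH login only succeeds when a swns source address resolved and its interface is up; otherwise it succeeds only if the server happens to be reachable via mgmt. The script below is an added example, not code from this gist or from OpenSwitch. It models that mapping with the gist's addresses, renders the pam line in the form shown, parses it back, and flags the conditions that produced "SSH - fails" here (no swns source_ip, a source_ip that no switch interface owns, or one on a shut interface). The class and function names, and the assumption that the mgmt IP lives outside swns, are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Values from the gist's running config. The mgmt IP is assumed (not stated in
# the gist) to sit outside the swns namespace, so it never yields source_ip args.
TACACS_SERVER = "10.0.0.35"
MGMT_ADDRESS = "172.17.0.2"


@dataclass
class Interface:
    name: str             # normalised: "1", "2", "loopback1"
    addresses: List[str]  # primary address first, secondaries after it
    up: bool = True


def norm(name: str) -> str:
    """'loopback 1' and 'loopback1' name the same interface."""
    return name.replace(" ", "").lower()


# Interfaces from the gist's `sh run` (prefix lengths dropped; only the host
# addresses matter for source-interface resolution).
SWNS_INTERFACES: Dict[str, Interface] = {
    "1": Interface("1", ["10.0.10.2", "12.0.12.2"]),
    "2": Interface("2", ["20.0.0.1"]),
    "loopback1": Interface("loopback1", ["13.0.13.2"]),
}

Setting = Optional[Tuple[str, str]]  # None, ("address", ip) or ("interface", name)


def resolve_source(setting: Setting, interfaces: Dict[str, Interface]
                   ) -> Tuple[Optional[str], Optional[Interface]]:
    """Map an `ip source-interface all ...` setting to (source_ip, owning interface).

    Returns (None, None) when nothing in swns owns the address: the mgmt IP,
    an address configured nowhere, an unknown interface name, or no setting.
    """
    if setting is None:
        return None, None
    kind, value = setting
    if kind == "address":
        for intf in interfaces.values():
            if value in intf.addresses:
                return value, intf
        return None, None
    if kind == "interface":
        intf = interfaces.get(norm(value))
        return (intf.addresses[0], intf) if intf else (None, None)
    raise ValueError(f"unknown source-interface kind {kind!r}")


def render_pam_line(source_ip: Optional[str], secret: str = "tac_test",
                    timeout: int = 15) -> str:
    """Render the pam_tacplus auth line in the form the gist shows; the
    namespace/source_ip arguments are appended only when a swns address resolved."""
    line = (f"auth [success=1 default=ignore] /usr/lib/security/libpam_tacplus.so "
            f"debug server={TACACS_SERVER} secret={secret} login=pap timeout={timeout}")
    if source_ip:
        line += f" src_namespace=nonet dstn_namespace=swns source_ip={source_ip}"
    return line


def parse_pam_params(line: str) -> Dict[str, str]:
    """Extract the key=value module arguments that follow libpam_tacplus.so."""
    _, _, args = line.partition("libpam_tacplus.so")
    return dict(re.findall(r"(\w+)=(\S+)", args))


def predict_ssh_login(setting: Setting, interfaces: Dict[str, Interface],
                      server_reachable_via_mgmt: bool = False) -> bool:
    """Predict the SSH-login outcome following the results recorded in the gist:
    success needs a resolved swns source address on an interface that is up;
    anything else works only if the server is reachable via mgmt."""
    source_ip, intf = resolve_source(setting, interfaces)
    if source_ip and intf.up:
        return True
    return server_reachable_via_mgmt


def check_pam_line(line: str, interfaces: Dict[str, Interface]) -> List[str]:
    """Audit an installed pam_tacplus line against the switch interfaces and
    report the conditions that made SSH fail in the tests above."""
    params = parse_pam_params(line)
    problems: List[str] = []
    src = params.get("source_ip")
    if src is None:
        problems.append("no source_ip: TACACS+ traffic leaves via mgmt and fails "
                        "unless the server is reachable from there")
        return problems
    if params.get("src_namespace") != "nonet" or params.get("dstn_namespace") != "swns":
        problems.append("src_namespace/dstn_namespace missing or wrong for a swns source")
    owner = next((i for i in interfaces.values() if src in i.addresses), None)
    if owner is None:
        problems.append(f"source_ip {src} is not configured on any switch interface")
    elif not owner.up:
        problems.append(f"source_ip {src} belongs to interface {owner.name}, which is shut")
    return problems


if __name__ == "__main__":
    for setting in [("address", MGMT_ADDRESS), ("address", "13.0.13.2"),
                    ("interface", "loopback 1"), ("interface", "1"),
                    None, ("address", "14.1.1.1")]:
        ip, _ = resolve_source(setting, SWNS_INTERFACES)
        print(setting, "->", predict_ssh_login(setting, SWNS_INTERFACES),
              check_pam_line(render_pam_line(ip), SWNS_INTERFACES))
```

Run it as a script to walk the same six settings the gist tried; `check_pam_line` is the piece worth keeping on a box, since the shut-interface case shows that a pam line can look complete (`source_ip=10.0.10.2` present) and still fail, so the line must be checked against live interface state, not just for the presence of the arguments.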