fixed TACACS Local Accounting tests#6354
Merged
ZhaohuiS merged 1 commit intosonic-net:masterfrom Sep 27, 2022
Merged
Conversation
…ting log about a command executed by TACACS user
Contributor
Author
|
@ZhaohuiS please review |
Azarack
pushed a commit
to Azarack/sonic-mgmt
that referenced
this pull request
Oct 17, 2022
…ting log about a command executed by TACACS user (sonic-net#6354) TACACS Local Accounting tests check if the commands executed by TACACS users are logged locally in DUT. The tests execute a grep command using a TACACS user and then check presence of the corresponding accounting log in syslog using sed utility. The code fragment demonstrating it: ssh_run_command(rw_user_client, "grep") # Verify syslog have user command record. check_local_log_exist(rw_user_client, tacacs_creds, "grep") The issue is that check_local_log_exist calls sed to query for accounting logs and this query command itself is logged too so tests pass even when the initial command is not logged. Currently the test catches this log: INFO audisp-tacplus: Audisp-tacplus: Accounting: user: test_rwuser, tty: (none), host: mytestbed-1-dut, command: /usr/bin/bash -c sudo sed -nE '/INFO audisp-tacplus: Accounting: user: test_rwuser,.*, command: .*grep,/P' /var/log/syslog, type: 2, task ID: 29318\n" instead of: INFO audisp-tacplus: Audisp-tacplus: Accounting: user: test_rwuser, tty: (none), host: mytestbed-1-dut, command: /usr/bin/grep, type: 2, task ID: 13871 The consequences of the issue are: the tests do not check accounting log entries to adhere to an expected pattern Since sed command happens to be logged too, tests match the search pattern used in sed command itself, instead of matching a separate accounting log adheres to an expected pattern. The matched fragment is made bold below: INFO audisp-tacplus: Audisp-tacplus: Accounting: user: test_rwuser, tty: (none), host: mytestbed-1-dut, command: /usr/bin/bash -c sudo sed -nE '/INFO audisp-tacplus: Accounting: user: test_rwuser,.*, command: .*grep,/P' /var/log/syslog, type: 2, task ID: 29318\n" tests may fail occasionally when some small logging delays take place the scenarios documented by test code become confusing since the actual accounting log being matched is different than that's intended by tests. Expected to match an accounting log for grep command but matched a log for log query command itself.
allen-xf
pushed a commit
to allen-xf/sonic-mgmt
that referenced
this pull request
Oct 28, 2022
…ting log about a command executed by TACACS user (sonic-net#6354) TACACS Local Accounting tests check if the commands executed by TACACS users are logged locally in DUT. The tests execute a grep command using a TACACS user and then check presence of the corresponding accounting log in syslog using sed utility. The code fragment demonstrating it: ssh_run_command(rw_user_client, "grep") # Verify syslog have user command record. check_local_log_exist(rw_user_client, tacacs_creds, "grep") The issue is that check_local_log_exist calls sed to query for accounting logs and this query command itself is logged too so tests pass even when the initial command is not logged. Currently the test catches this log: INFO audisp-tacplus: Audisp-tacplus: Accounting: user: test_rwuser, tty: (none), host: mytestbed-1-dut, command: /usr/bin/bash -c sudo sed -nE '/INFO audisp-tacplus: Accounting: user: test_rwuser,.*, command: .*grep,/P' /var/log/syslog, type: 2, task ID: 29318\n" instead of: INFO audisp-tacplus: Audisp-tacplus: Accounting: user: test_rwuser, tty: (none), host: mytestbed-1-dut, command: /usr/bin/grep, type: 2, task ID: 13871 The consequences of the issue are: the tests do not check accounting log entries to adhere to an expected pattern Since sed command happens to be logged too, tests match the search pattern used in sed command itself, instead of matching a separate accounting log adheres to an expected pattern. The matched fragment is made bold below: INFO audisp-tacplus: Audisp-tacplus: Accounting: user: test_rwuser, tty: (none), host: mytestbed-1-dut, command: /usr/bin/bash -c sudo sed -nE '/INFO audisp-tacplus: Accounting: user: test_rwuser,.*, command: .*grep,/P' /var/log/syslog, type: 2, task ID: 29318\n" tests may fail occasionally when some small logging delays take place the scenarios documented by test code become confusing since the actual accounting log being matched is different than that's intended by tests. Expected to match an accounting log for grep command but matched a log for log query command itself.
wangxin
pushed a commit
that referenced
this pull request
Feb 23, 2023
…ting log about a command executed by TACACS user (#6354) TACACS Local Accounting tests check if the commands executed by TACACS users are logged locally in DUT. The tests execute a grep command using a TACACS user and then check presence of the corresponding accounting log in syslog using sed utility. The code fragment demonstrating it: ssh_run_command(rw_user_client, "grep") # Verify syslog have user command record. check_local_log_exist(rw_user_client, tacacs_creds, "grep") The issue is that check_local_log_exist calls sed to query for accounting logs and this query command itself is logged too so tests pass even when the initial command is not logged. Currently the test catches this log: INFO audisp-tacplus: Audisp-tacplus: Accounting: user: test_rwuser, tty: (none), host: mytestbed-1-dut, command: /usr/bin/bash -c sudo sed -nE '/INFO audisp-tacplus: Accounting: user: test_rwuser,.*, command: .*grep,/P' /var/log/syslog, type: 2, task ID: 29318\n" instead of: INFO audisp-tacplus: Audisp-tacplus: Accounting: user: test_rwuser, tty: (none), host: mytestbed-1-dut, command: /usr/bin/grep, type: 2, task ID: 13871 The consequences of the issue are: the tests do not check accounting log entries to adhere to an expected pattern Since sed command happens to be logged too, tests match the search pattern used in sed command itself, instead of matching a separate accounting log adheres to an expected pattern. The matched fragment is made bold below: INFO audisp-tacplus: Audisp-tacplus: Accounting: user: test_rwuser, tty: (none), host: mytestbed-1-dut, command: /usr/bin/bash -c sudo sed -nE '/INFO audisp-tacplus: Accounting: user: test_rwuser,.*, command: .*grep,/P' /var/log/syslog, type: 2, task ID: 29318\n" tests may fail occasionally when some small logging delays take place the scenarios documented by test code become confusing since the actual accounting log being matched is different than that's intended by tests. Expected to match an accounting log for grep command but matched a log for log query command itself.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description of PR
Summary: fixed TACACS Local Accounting tests
Fixes # (issue)
TACACS Local Accounting tests check if the commands executed by TACACS users are logged locally in DUT.
The tests execute a
grepcommand using a TACACS user and then check presence of the corresponding accounting log in syslog usingsedutility. The code fragment demonstrating it:The issue is that
check_local_log_existcallssedto query for accounting logs and this query command itself is logged too so tests pass even when the initial command is not logged.Currently the test catches this log:
instead of:
The consequences of the issue are:
Since
sedcommand happens to be logged too, tests match the search pattern used in sed command itself, instead of matching a separate accounting log adheres to an expected pattern. The matched fragment is made bold below:INFO audisp-tacplus: Audisp-tacplus: Accounting: user: test_rwuser, tty: (none), host: mytestbed-1-dut, command: /usr/bin/bash -c sudo sed -nE '/INFO audisp-tacplus: Accounting: user: test_rwuser,.*, command: .*grep,/P' /var/log/syslog, type: 2, task ID: 29318\n"
grepcommand but matched a log for log query command itself.Type of change
Back port request
Approach
What is the motivation for this PR?
Avoid unexpected test fails; make tests to check what the code intends to check.
How did you do it?
How did you verify/test it?
Any platform specific information?
Supported testbed topology if it's a new test case?
Documentation