root@bcace149278a:/auto/mtrswgwork/vadymh/sonic-mgmt-new/tests# py.test tacacs/test_ro_user.py --inventory "../ansible/inventory, ../ansible/veos" --host-pattern r-tigris-13-t0 --module-path ../ansible/library/ --testbed r-tigris-13-t0 --testbed_file ../ansible/testbed.csv --skip_sanity --log-cli-level info
/usr/local/lib/python2.7/dist-packages/ansible/parsing/vault/__init__.py:44: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.exceptions import InvalidSignature
============================= test session starts ==============================
platform linux2 -- Python 2.7.17, pytest-4.6.5, py-1.10.0, pluggy-0.13.1
ansible: 2.8.12
rootdir: /auto/mtrswgwork/vadymh/sonic-mgmt-new/tests, inifile: pytest.ini
plugins: metadata-1.11.0, forked-1.3.0, repeat-0.9.1, xdist-1.28.0, html-1.22.1, ansible-2.2.2
collected 4 items

tacacs/test_ro_user.py::test_ro_user
-------------------------------- live log setup --------------------------------
16:03:30 INFO __init__.py:set_default:49: Completeness level not set during test execution. Setting to default level: CompletenessLevel.basic
16:03:30 INFO __init__.py:check_test_completeness:139: Test has no defined levels. Continue without test completeness checks
16:03:30 INFO facts_cache.py:read:89: Load cache file "/auto/mtrswgwork/vadymh/sonic-mgmt-new/tests/_cache/r-tigris-13-t0/tbinfo.pickle" failed with exception: IOError(2, 'No such file or directory')
16:03:39 INFO facts_cache.py:write:110: Create cache dir /auto/mtrswgwork/vadymh/sonic-mgmt-new/tests/_cache/r-tigris-13-t0
16:03:39 INFO facts_cache.py:write:116: Cached facts "r-tigris-13-t0.tbinfo" to /auto/mtrswgwork/vadymh/sonic-mgmt-new/tests/_cache/r-tigris-13-t0/tbinfo.pickle
16:03:46 INFO conftest.py:generate_params_dut_hostname:723: DUTs in testbed 'r-tigris-13-t0' are: ['r-tigris-13']
16:03:46 INFO conftest.py:creds:394: dut r-tigris-13 belongs to groups [u'lab', u'leaf_topo_1', u'sonic', u'sonic_latest', 'fanout']
16:03:46 INFO conftest.py:creds:406: skip empty var file ../ansible/group_vars/all/corefile_uploader.yml
16:03:46 INFO conftest.py:creds:406: skip empty var file ../ansible/group_vars/all/env.yml
16:03:52 INFO __init__.py:sanity_check:103: Prepare pre-test sanity check
16:03:52 INFO __init__.py:sanity_check:113: Found marker: m.name=disable_loganalyzer, m.args=(), m.kwargs={}
16:03:52 INFO __init__.py:sanity_check:113: Found marker: m.name=topology, m.args=('any',), m.kwargs={}
16:03:52 INFO __init__.py:sanity_check:113: Found marker: m.name=device_type, m.args=('vs',), m.kwargs={}
16:03:52 INFO __init__.py:sanity_check:137: Skip sanity check according to command line argument or configuration of test script.
16:04:06 INFO __init__.py:loganalyzer:17: Log analyzer is disabled
PASSED                                                                   [ 25%]
tacacs/test_ro_user.py::test_ro_user_ipv6
-------------------------------- live log setup --------------------------------
16:04:06 INFO __init__.py:set_default:49: Completeness level not set during test execution. Setting to default level: CompletenessLevel.basic
16:04:06 INFO __init__.py:check_test_completeness:139: Test has no defined levels. Continue without test completeness checks
SKIPPED                                                                  [ 50%]
tacacs/test_ro_user.py::test_ro_user_allowed_command
-------------------------------- live log setup --------------------------------
16:04:06 INFO __init__.py:set_default:49: Completeness level not set during test execution. Setting to default level: CompletenessLevel.basic
16:04:06 INFO __init__.py:check_test_completeness:139: Test has no defined levels. Continue without test completeness checks
16:04:06 INFO __init__.py:loganalyzer:17: Log analyzer is disabled
-------------------------------- live log call ---------------------------------
16:04:07 INFO test_ro_user.py:ssh_remote_allow_run:23: check command "sudo cat /var/log/syslog" rc=0
16:04:09 INFO test_ro_user.py:ssh_remote_allow_run:23: check command "sudo cat /var/log/syslog.1" rc=0
16:04:09 INFO test_ro_user.py:ssh_remote_allow_run:23: check command "sudo cat /var/log/syslog.2.gz" rc=0
16:04:10 INFO test_ro_user.py:ssh_remote_allow_run:23: check command "sudo brctl show" rc=0
16:04:11 INFO test_ro_user.py:ssh_remote_allow_run:23: check command "sudo docker exec snmp cat /etc/snmp/snmpd.conf" rc=0
16:04:12 INFO test_ro_user.py:ssh_remote_allow_run:23: check command "sudo docker images --format "table {% raw %}{{.Repository}}\t{{.Tag}}\t{{.ID}}\t{{.Size}}{% endraw %}"" rc=0
16:04:12 INFO test_ro_user.py:ssh_remote_allow_run:23: check command "sudo docker ps" rc=0
16:04:13 INFO test_ro_user.py:ssh_remote_allow_run:23: check command "sudo docker ps -a" rc=0
16:04:14 INFO test_ro_user.py:ssh_remote_allow_run:23: check command "sudo lldpctl" rc=0
16:04:15 INFO test_ro_user.py:ssh_remote_allow_run:23: check command ""sudo vtysh -c 'show ip bgp su'"" rc=0
16:04:16 INFO test_ro_user.py:ssh_remote_allow_run:23: check command ""sudo vtysh -n 0 -c 'show ip bgp su'"" rc=0
16:04:17 INFO test_ro_user.py:ssh_remote_allow_run:23: check command "sudo decode-syseeprom" rc=0
16:06:55 INFO test_ro_user.py:ssh_remote_allow_run:23: check command "sudo generate_dump" rc=0
16:06:57 INFO test_ro_user.py:ssh_remote_allow_run:23: check command "sudo lldpshow" rc=0
16:06:58 INFO test_ro_user.py:ssh_remote_allow_run:23: check command "sudo pcieutil check" rc=0
16:06:59 INFO test_ro_user.py:ssh_remote_allow_run:23: check command "sudo ip netns identify 1" rc=0
16:07:00 INFO test_ro_user.py:ssh_remote_allow_run:23: check command "sudo ipintutil" rc=1
FAILED                                                                   [ 75%]
tacacs/test_ro_user.py::test_ro_user_banned_command
-------------------------------- live log setup --------------------------------
16:07:00 INFO __init__.py:set_default:49: Completeness level not set during test execution. Setting to default level: CompletenessLevel.basic
16:07:00 INFO __init__.py:check_test_completeness:139: Test has no defined levels. Continue without test completeness checks
16:07:00 INFO __init__.py:loganalyzer:17: Log analyzer is disabled
-------------------------------- live log call ---------------------------------
16:07:01 INFO test_ro_user.py:ssh_remote_ban_run:29: check command "sudo shutdown" rc=1
16:07:02 INFO test_ro_user.py:ssh_remote_ban_run:29: check command "sudo config" rc=1
PASSED                                                                   [100%]

=================================== FAILURES ===================================
_________________________ test_ro_user_allowed_command _________________________

localhost = , duthosts = , rand_one_dut_hostname = 'r-tigris-13'
creds = {'ansible_become_pass': 'YourPaSsWoRd', 'ansible_ssh_pass': 'password', 'ansible_ssh_user': 'user', 'bgp_slb_passive_range': '10.255.0.0/25', ...}, test_tacacs = None

    def test_ro_user_allowed_command(localhost, duthosts, rand_one_dut_hostname, creds, test_tacacs):
        duthost = duthosts[rand_one_dut_hostname]
        dutip = duthost.host.options['inventory_manager'].get_host(duthost.hostname).vars['ansible_host']

        # Run as readonly use the commands allowed by sudoers file
        # TODO: some commands need further preparation, will enable when runable directly
        # TODO: `tail -F` will not exit, not posssible to test here
        # Note: the quagga command could only run on image with quagga
        commands_direct = [
            'sudo cat /var/log/syslog',
            'sudo cat /var/log/syslog.1',
            'sudo cat /var/log/syslog.2.gz',
            'sudo brctl show',
            'sudo docker exec snmp cat /etc/snmp/snmpd.conf',
            # 'sudo docker exec bgp cat /etc/quagga/bgpd.conf',
            'sudo docker images --format "table {% raw %}{{.Repository}}\\t{{.Tag}}\\t{{.ID}}\\t{{.Size}}{% endraw %}"',
            'sudo docker ps',
            'sudo docker ps -a',
            'sudo lldpctl',
            # 'sudo sensors',
            # 'sudo tail -F /var/log/syslog',
            '"sudo vtysh -c \'show ip bgp su\'"',
            '"sudo vtysh -n 0 -c \'show ip bgp su\'"',
            'sudo decode-syseeprom',
            'sudo generate_dump',
            'sudo lldpshow',
            'sudo pcieutil check',
            # 'sudo psuutil *',
            # 'sudo sfputil show *',
            'sudo ip netns identify 1',
            'sudo ipintutil',
            'sudo ipintutil -a ipv6',
            'sudo ipintutil -n asic0 -d all',
            'sudo ipintutil -n asic0 -d all -a ipv6'
        ]

        # Run as readonly use the commands allowed indirectly based on sudoers file
        commands_indirect = [
            'show version',
            'show interface status',
            'show interface portchannel',
            'show ip bgp summary',
            'show ip interface',
            'show ipv6 interface',
            'show lldp table'
        ]

        for command in commands_direct + commands_indirect:
            allowed = ssh_remote_allow_run(localhost, dutip, creds['tacacs_ro_user'], creds['tacacs_ro_user_passwd'], command)
>           pytest_assert(allowed, "command '{}' not authorized".format(command))
E           Failed: command 'sudo ipintutil' not authorized

tacacs/test_ro_user.py:101: Failed
------------------------------ Captured log setup ------------------------------
INFO root:__init__.py:49 Completeness level not set during test execution. Setting to default level: CompletenessLevel.basic
INFO root:__init__.py:139 Test has no defined levels. Continue without test completeness checks
INFO root:__init__.py:17 Log analyzer is disabled
------------------------------ Captured log call -------------------------------
INFO tests.tacacs.test_ro_user:test_ro_user.py:23 check command "sudo cat /var/log/syslog" rc=0
INFO tests.tacacs.test_ro_user:test_ro_user.py:23 check command "sudo cat /var/log/syslog.1" rc=0
INFO tests.tacacs.test_ro_user:test_ro_user.py:23 check command "sudo cat /var/log/syslog.2.gz" rc=0
INFO tests.tacacs.test_ro_user:test_ro_user.py:23 check command "sudo brctl show" rc=0
INFO tests.tacacs.test_ro_user:test_ro_user.py:23 check command "sudo docker exec snmp cat /etc/snmp/snmpd.conf" rc=0
INFO tests.tacacs.test_ro_user:test_ro_user.py:23 check command "sudo docker images --format "table {% raw %}{{.Repository}}\t{{.Tag}}\t{{.ID}}\t{{.Size}}{% endraw %}"" rc=0
INFO tests.tacacs.test_ro_user:test_ro_user.py:23 check command "sudo docker ps" rc=0
INFO tests.tacacs.test_ro_user:test_ro_user.py:23 check command "sudo docker ps -a" rc=0
INFO tests.tacacs.test_ro_user:test_ro_user.py:23 check command "sudo lldpctl" rc=0
INFO tests.tacacs.test_ro_user:test_ro_user.py:23 check command ""sudo vtysh -c 'show ip bgp su'"" rc=0
INFO tests.tacacs.test_ro_user:test_ro_user.py:23 check command ""sudo vtysh -n 0 -c 'show ip bgp su'"" rc=0
INFO tests.tacacs.test_ro_user:test_ro_user.py:23 check command "sudo decode-syseeprom" rc=0
INFO tests.tacacs.test_ro_user:test_ro_user.py:23 check command "sudo generate_dump" rc=0
INFO tests.tacacs.test_ro_user:test_ro_user.py:23 check command "sudo lldpshow" rc=0
INFO tests.tacacs.test_ro_user:test_ro_user.py:23 check command "sudo pcieutil check" rc=0
INFO tests.tacacs.test_ro_user:test_ro_user.py:23 check command "sudo ip netns identify 1" rc=0
INFO tests.tacacs.test_ro_user:test_ro_user.py:23 check command "sudo ipintutil" rc=1
=============================== warnings summary ===============================
/usr/local/lib/python2.7/dist-packages/_pytest/config/__init__.py:538
  /usr/local/lib/python2.7/dist-packages/_pytest/config/__init__.py:538: PytestAssertRewriteWarning: Module already imported so cannot be rewritten: tests.common.dualtor
    self.import_plugin(import_spec)

-- Docs: https://docs.pytest.org/en/latest/warnings.html
======== 1 failed, 2 passed, 1 skipped, 1 warnings in 219.70 seconds ========