feat: add tacacs-plus server for playground

packages/playground/package.json

@@ -7,7 +7,9 @@
   "keywords": [],
   "scripts": {
     "lint": "eslint .",
-    "start": "esno src/index"
+    "start": "esno src/index",
+    "up:server": "docker compose -f server/docker-compose.yaml up -d",
+    "down:server": "docker compose -f server/docker-compose.yaml down"
   },
   "dependencies": {
     "@noction/tacacs-plus": "workspace:",

packages/playground/server/docker-compose.yaml

@@ -0,0 +1,12 @@
+version: '3.8'
+
+services:
+  tacacs-plus:
+    container_name: tacacs-plus
+    image: openswitch/tacacs_server:latest
+    ports:
+      - 49:49
+    restart: always
+    command: tac_plus -G -d 24 -C /etc/tacacs/tac_plus.conf -l /dev/stdout
+    volumes:
+      - ./tac_plus.conf:/etc/tacacs/tac_plus.conf

packages/playground/server/tac_plus.conf

@@ -0,0 +1,176 @@
+# key = "tac_test"
+
+# Set where to send accounting records
+default authentication = file /etc/passwd
+accounting syslog;
+accounting file = /var/log/tac_plus/tac_plus.acct
+
+# ACL for network_admin group
+
+acl = network_admin {
+        # allow access from all sources
+        permit = .*
+        # implicit deny (ie: anything else)
+}
+
+# ACL for sys_admin group
+
+acl = sys_admin {
+        # allow access from 10.10.10.250 only
+        permit = .*
+        # permit = ^10\.10\.10\.2$
+        # implicit deny (ie: anything else)
+}
+
+# network_admin group, full access to network devices
+
+        group = network_admin {
+        default service = permit
+        acl = network_admin
+        service = exec {
+         priv-lvl = 15
+        }
+}
+# sys_admin group, only has read access to the network devices and can change the access vlan on an interface
+
+        group = sys_admin {
+        default service = deny
+        expires = "Jan 1 2015"
+        acl = sys_admin
+        service = exec {
+         priv-lvl = 15
+        }
+        cmd = enable {
+                permit .*
+        }
+        cmd = show {
+                permit .*
+        }
+        cmd = exit {
+                permit .*
+        }
+        cmd = configure {
+                permit .*
+        }
+        cmd = interface {
+                permit Ethernet.*
+                permit FastEthernet.*
+                permit GigabitEthernet.*
+        }
+        cmd =  switchport  {
+                permit "access vlan.*"
+                permit "trunk encapsulation.*"
+                permit "mode.*"
+                permit "trunk allowed vlan.*"
+        }
+        cmd = description {
+                permit .*
+        }
+}
+
+#user1
+user = user1 {
+        default service = permit
+        pap = cleartext user1
+        service = exec {
+         priv-lvl = 15
+         security-role = security-admin
+        }
+}
+
+#user2
+user = user2 {
+        pap = cleartext user2
+        service = exec {
+         priv-lvl = 15
+        }
+}
+
+user = user_tac1 {
+        default service = permit
+        pap = cleartext tac
+        service = exec {
+         priv-lvl = 15
+         security-role = security-admin
+        }
+}
+#user2
+user = user_tac2 {
+        pap = cleartext tac
+        service = exec {
+         priv-lvl = 15
+        }
+}
+
+user = user_command {
+        pap = cleartext com
+        service = exec {
+         priv-lvl = 15
+        }
+}
+
+
+#user3
+user = user3 {
+        chap = cleartext user3
+        service = exec {
+         priv-lvl = 15
+        }
+}
+
+#user4
+user = user4 {
+        chap = cleartext user4
+}
+
+# User jonathanm using DES password and enable passwords
+
+user = jonathanm {
+        member = network_admin
+        login = des 6/1aYAL9zcCe.
+        enable = des dBFJQefS4S4Jw
+}
+
+# User bob authenticating from the system /etc/passwd and the default enable password
+
+user = bob {
+        login = file /etc/passwd
+        member = sys_admin
+        service = exec {
+         priv-lvl = 11
+        }
+}
+
+user = root {
+        member = network_admin
+}
+
+user = netop {
+        login = file /etc/passwd
+        member = network_admin
+}
+
+user = admin {
+        pap = cleartext admin
+        member = network_admin
+}
+
+user = sorin {
+        login = cleartext topcik
+
+        service = nfa {
+                role = manager
+                car = audi
+        }
+}
+
+user = cristi {
+        login = cleartext f30
+
+        service = nfa {
+                role = pussykiller
+                car = bmw
+                chubby = yes
+        }
+}
+

packages/playground/src/index.ts

@@ -19,30 +19,42 @@ const client = new Client({
 })
 
 ;(async () => {
-  try {
-    const res = await client.authenticateASCII({
-      username: 'lwvemike',
-      password: 'test123',
-      privLvl: PRIVILEGE_LEVELS.TAC_PLUS_PRIV_LVL_ROOT,
-    })
-
-    // eslint-disable-next-line no-console
-    console.log(res)
-  }
-  catch (err) {
-    // eslint-disable-next-line no-console
-    console.log(err)
+  const CREDENTIALS: Record<'username' | 'password', string> = {
+    username: 'cristi',
+    password: 'f30',
   }
 
-  // try {
-  //   const res = await client.authorize({
-  //     username: 'lwvemike',
-  //     services: ['nfa'],
-  //   })
+  const SERVICE = 'authorization' as 'authorization' | 'authentication'
+
+  if (SERVICE === 'authentication') {
+    try {
+      const res = await client.authenticateASCII({
+        username: CREDENTIALS.username,
+        password: CREDENTIALS.password,
+        privLvl: PRIVILEGE_LEVELS.TAC_PLUS_PRIV_LVL_ROOT,
+      })
 
-  //   console.log(res)
-  // }
-  // catch (err) {
-  //   console.log(err)
-  // }
+      // eslint-disable-next-line no-console
+      console.log(res)
+    }
+    catch (err) {
+      // eslint-disable-next-line no-console
+      console.log(err)
+    }
+  }
+  else if (SERVICE === 'authorization') {
+    try {
+      const res = await client.authorize({
+        username: CREDENTIALS.username,
+        services: ['nfa'],
+      })
+
+      // eslint-disable-next-line no-console
+      console.log(res)
+    }
+    catch (err) {
+      // eslint-disable-next-line no-console
+      console.log(err)
+    }
+  }
 })()