cisco_node_utils 0.9.0

data/tests/test_tacacs_server.rb

@@ -0,0 +1,388 @@
+# Copyright (c) 2014-2015 Cisco and/or its affiliates.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require File.expand_path("../ciscotest", __FILE__)
+require File.expand_path("../../lib/cisco_node_utils/tacacs_server", __FILE__)
+
+class TestTacacsServer < CiscoTestCase
+  def get_tacacsserver_feature
+    s = @device.cmd("show run all | no-more")
+    cmd = "feature tacacs+"
+    line = /#{cmd}/.match(s)
+  end
+
+  # Helper routine to get the tacacs config. Ideally we should be able
+  # to use 'sh run tacacs all' but that does not work for 'directed-request'
+  # why 'sh run aaa all' is used.
+  def get_tacacsserver_match_line(name)
+    s = @device.cmd("show run tacacs all | no-more ; show run aaa all | no-more")
+    cmd = "tacacs-server"
+    pattern = (/#{cmd} #{name}/)
+    line = pattern.match(s)
+  end
+
+  def get_match_line(name)
+    s = @device.cmd("show run all | no-more")
+    line = /#{name}/.match(s)
+  end
+
+  def test_tacacsserver_create_valid
+    tacacs = TacacsServer.new
+    line = get_tacacsserver_feature
+    refute_nil(line, "Error: Tacacs feature not set")
+    tacacs.destroy
+  end
+
+  def test_tacacsserver_get_encryption_type
+    s = @device.cmd("conf t ; no feature tacacs+ ; feature tacacs+ ; end")
+    node.cache_flush
+    encryption_type = TACACS_SERVER_ENC_UNKNOWN
+    # Get encryption password when not configured
+    tacacs = TacacsServer.new
+    assert_equal(encryption_type,
+                 tacacs.encryption_type,
+                 "Error: Tacacs Server, encryption type incorrect")
+    tacacs.destroy
+
+    # Get encryption password when configured
+    encryption_type = TACACS_SERVER_ENC_NONE
+    # This one is needed since the 'sh run' will always display the type
+    # differently than the used encryption config type.
+    sh_run_encryption_type = TACACS_SERVER_ENC_CISCO_TYPE_7
+    s = @device.cmd("configure terminal")
+    s = @device.cmd("feature tacacs+")
+    s = @device.cmd("tacacs-server key #{encryption_type} TEST")
+    s = @device.cmd("end")
+    node.cache_flush
+
+    tacacs = TacacsServer.new
+    assert_equal(sh_run_encryption_type,
+                 tacacs.encryption_type,
+                 "Error: Tacacs Server, encryption type incorrect")
+
+    encryption_type = TACACS_SERVER_ENC_CISCO_TYPE_7
+    s = @device.cmd("configure terminal")
+    s = @device.cmd("tacacs-server key #{encryption_type} TEST")
+    s = @device.cmd("end")
+    node.cache_flush
+
+    assert_equal(sh_run_encryption_type,
+                 tacacs.encryption_type,
+                 "Error: Tacacs Server, encryption type incorrect")
+    tacacs.destroy
+  end
+
+  def test_tacacsserver_get_default_encryption
+    # Ruby can use defines, but only they're not initialized from an enum
+    assert_equal(TACACS_SERVER_ENC_NONE,
+                 TacacsServer.default_encryption_type,
+                 "Error: Tacacs Server, default encryption incorrect")
+  end
+
+  def test_tacacsserver_get_encryption_password
+    # Get encryption password when not configured
+    s = @device.cmd("conf t ; no feature tacacs+ ; end")
+    node.cache_flush
+    tacacs = TacacsServer.new
+    assert_equal(node.config_get_default("tacacs_server", "encryption_password"),
+                 tacacs.encryption_password,
+                 "Error: Tacacs Server, encryption password incorrect")
+    tacacs.destroy
+
+    # Get encryption password when configured
+    sh_run_encryption_password = "WAWY"
+    encryption_type = TACACS_SERVER_ENC_NONE
+    # This one is needed since the 'sh run' will always display the password
+    # differently than the used encryption config type.
+    s = @device.cmd("configure terminal")
+    s = @device.cmd("feature tacacs+")
+    s = @device.cmd("tacacs-server key #{encryption_type} TEST")
+    s = @device.cmd("end")
+    # Flush the cache since we've modified the device
+    node.cache_flush
+    tacacs = TacacsServer.new
+    assert_equal(sh_run_encryption_password,
+                 tacacs.encryption_password,
+                 "Error: Tacacs Server, encryption password incorrect")
+    tacacs.destroy
+  end
+
+  def test_tacacsserver_get_default_encryption_password
+    assert_equal(node.config_get_default("tacacs_server", "encryption_password"),
+                 TacacsServer.default_encryption_password,
+                 "Error: Tacacs Server, default encryption password incorrect")
+  end
+
+  def test_tacacsserver_key_set
+    enc_type = TACACS_SERVER_ENC_NONE
+    # This one is needed since the 'sh run' will always display the type
+    # differently than the used encryption config type.
+    sh_run_encryption_type = TACACS_SERVER_ENC_CISCO_TYPE_7
+    password = "TEST_NEW"
+
+    tacacs = TacacsServer.new
+    tacacs.encryption_key_set(enc_type, password)
+    # Get the password from the running config since its encoded
+    line = get_tacacsserver_match_line("key\s#{sh_run_encryption_type}\s\".*\"")
+    refute_nil(line, "Error: Tacacs Server, key not configured")
+    # Extract encrypted password, and git rid of the "" around the pasword
+    md = line.to_s
+    encrypted_password = md.to_s.split(" ").last.tr('\"', '')
+    # Extract encryption type
+    md = /tacacs-server\skey\s\d/.match(line.to_s)
+    encrypted_type = md.to_s.split(" ").last.to_i
+    assert_equal(encrypted_type, tacacs.encryption_type,
+                 "Error: Tacacs Server, encryption type incorrect")
+    assert_equal(encrypted_password, tacacs.encryption_password,
+                 "Error: Tacacs Server, encryption password incorrect")
+    tacacs.destroy
+  end
+
+  def test_tacacsserver_key_unconfigure
+    s = @device.cmd("conf t ; no feature tacacs+ ; end")
+    node.cache_flush
+    enc_type = TACACS_SERVER_ENC_NONE
+    # This one is needed since the 'sh run' will always display the type
+    # differently than the used encryption config type.
+    sh_run_encryption_type = TACACS_SERVER_ENC_CISCO_TYPE_7
+    password = "TEST_NEW"
+
+    tacacs = TacacsServer.new
+    tacacs.encryption_key_set(enc_type, password)
+    line = get_tacacsserver_match_line("key\s#{sh_run_encryption_type}\s\".*\"")
+    refute_nil(line, "Error: Tacacs Server, key not configured")
+
+    enc_type = TACACS_SERVER_ENC_UNKNOWN
+    password = ""
+    tacacs.encryption_key_set(enc_type, password)
+    line = get_tacacsserver_match_line("key\s#{sh_run_encryption_type}\s\".*\"")
+    assert_nil(line, "Error: Tacacs Server, key configured")
+    tacacs.destroy
+  end
+
+  def test_tacacsserver_get_timeout
+    tacacs = TacacsServer.new
+    timeout = node.config_get_default("tacacs_server", "timeout")
+    assert_equal(timeout, tacacs.timeout,
+                 "Error: Tacacs Server, timeout not default")
+
+    timeout = 35
+    s = @device.cmd("configure terminal")
+    s = @device.cmd("tacacs-server timeout #{timeout}")
+    s = @device.cmd("end")
+    # Flush the cache since we've modified the device
+    node.cache_flush
+    assert_equal(timeout, tacacs.timeout,
+                 "Error: Tacacs Server, timeout not configured")
+    tacacs.destroy
+  end
+
+  def test_tacacsserver_get_default_timeout
+    assert_equal(node.config_get_default("tacacs_server", "timeout"),
+                 TacacsServer.default_timeout,
+                 "Error: Tacacs Server, default timeout incorrect")
+  end
+
+  def test_tacacsserver_set_timeout
+    timeout = 45
+
+    tacacs = TacacsServer.new
+    tacacs.timeout = timeout
+    line = get_tacacsserver_match_line("timeout\s.*")
+    # Extract timeout
+    md = /tacacs-server\stimeout\s\d*/.match(line.to_s)
+    sh_run_timeout = md.to_s.split(" ").last.to_i
+    # Need a better way to extract the timeout
+    refute_nil(line, "Error: Tacacs Server, timeout not configured")
+    assert_equal(sh_run_timeout, tacacs.timeout,
+                 "Error: Tacacs Server, timeout value incorrect")
+
+    # Invalid case
+    timeout = 80
+    assert_raises(Cisco::CliError) do
+      tacacs.timeout = timeout
+    end
+    tacacs.destroy
+  end
+
+  def test_tacacsserver_get_deadtime
+    tacacs = TacacsServer.new
+    deadtime = node.config_get_default("tacacs_server", "deadtime")
+    assert_equal(deadtime, tacacs.deadtime,
+                 "Error: Tacacs Server, deadtime not default")
+
+    deadtime = 850
+    s = @device.cmd("configure terminal")
+    s = @device.cmd("tacacs-server deadtime #{deadtime}")
+    s = @device.cmd("end")
+    # Flush the cache since we've modified the device
+    node.cache_flush
+    assert_equal(deadtime, tacacs.deadtime,
+                 "Error: Tacacs Server, deadtime not configured")
+    tacacs.destroy
+  end
+
+  def test_tacacsserver_get_default_deadtime
+    assert_equal(node.config_get_default("tacacs_server", "deadtime"),
+                 TacacsServer.default_deadtime,
+                 "Error: Tacacs Server, default deadtime incorrect")
+  end
+
+  def test_tacacsserver_set_deadtime
+    deadtime = 1250
+
+    tacacs = TacacsServer.new
+    tacacs.deadtime = deadtime
+    line = get_tacacsserver_match_line("deadtime\s.*")
+    # Extract deadtime
+    md = /tacacs-server\sdeadtime\s\d*/.match(line.to_s)
+    sh_run_deadtime = md.to_s.split(" ").last.to_i
+    refute_nil(line, "Error: Tacacs Server, deadtime not configured")
+    assert_equal(sh_run_deadtime, tacacs.deadtime,
+                 "Error: Tacacs Server, deadtime incorrect")
+    # Invalid case
+    deadtime = 2450
+    assert_raises(Cisco::CliError) do
+      tacacs.deadtime = deadtime
+    end
+    tacacs.destroy
+  end
+
+  def test_tacacsserver_get_directed_request
+    s = @device.cmd("conf t ; feature tacacs ; tacacs-server directed-request ; end")
+    # Flush the cache since we've modified the device
+    node.cache_flush
+    tacacs = TacacsServer.new
+    assert(tacacs.directed_request?,
+           "Error: Tacacs Server, directed-request not set")
+
+    s = @device.cmd("conf t ; no tacacs-server directed-request ; end")
+    node.cache_flush
+    refute(tacacs.directed_request?,
+           "Error: Tacacs Server, directed-request set")
+    tacacs.destroy
+  end
+
+  def test_tacacsserver_get_default_directed_request
+    assert_equal(node.config_get_default("tacacs_server", "directed_request"),
+                 TacacsServer.default_directed_request,
+                 "Error: Tacacs Server, default directed-request incorrect")
+  end
+
+  def test_tacacsserver_set_directed_request
+    s = @device.cmd("conf t ; feature tacacs ; tacacs-server directed-request ; end")
+    state = true
+    tacacs = TacacsServer.new
+    tacacs.directed_request = state
+    line = get_tacacsserver_match_line("directed-request")
+    refute_nil(line, "Error: Tacacs Server, directed-request not configured")
+    assert(tacacs.directed_request?,
+           "Error: Tacacs Server, directed-request not set")
+
+    # Turn it off
+    s = @device.cmd("conf t ; no tacacs-server directed-request ; end")
+    node.cache_flush
+    refute(tacacs.directed_request?,
+           "Error: Tacacs Server, directed-request set")
+
+    # Turn it back on then go to default
+    s = @device.cmd("conf t ; no tacacs-server directed-request ; end")
+    state = node.config_get_default("tacacs_server", "directed_request")
+    tacacs.directed_request = state
+    line = get_match_line("no tacacs-server directed-request")
+    refute_nil(line,
+               "Error: Tacacs Server, default directed-request not configured")
+
+    # Extract the state of directed-request
+    sh_run_directed_request = line.to_s.split(" ").first
+    assert_equal("no", sh_run_directed_request,
+                 "Error: Tacacs Server, directed-request not unconfigured")
+
+    refute(tacacs.directed_request?,
+           "Error: Tacacs Server, directed-request set")
+
+    # Invalid case
+    state = "TEST"
+    assert_raises(TypeError) do
+      tacacs.directed_request = state
+    end
+    tacacs.destroy
+  end
+
+  def test_tacacsserver_get_source_interface
+    s = @device.cmd("configure terminal")
+    s = @device.cmd("no ip tacacs source-interface")
+    s = @device.cmd("end")
+    tacacs = TacacsServer.new
+    intf = node.config_get_default("tacacs_server", "source_interface")
+    assert_equal(intf, tacacs.source_interface,
+                 "Error: Tacacs Server, source-interface set")
+
+    intf = "Ethernet1/1"
+    s = @device.cmd("configure terminal")
+    s = @device.cmd("ip tacacs source-interface #{intf}")
+    s = @device.cmd("end")
+    # Flush the cache since we've modified the device
+    node.cache_flush
+    assert_equal(intf, tacacs.source_interface,
+                 "Error: Tacacs Server, source-interface not correct")
+    tacacs.destroy
+  end
+
+  def test_tacacsserver_get_default_source_interface
+    assert_equal(node.config_get_default("tacacs_server", "source_interface"),
+                 TacacsServer.default_source_interface,
+                 "Error: Tacacs Server, default source-interface incorrect")
+  end
+
+  def test_tacacsserver_set_source_interface
+    s = @device.cmd("conf t ; feature tacacs+ ; no ip tacacs source-int ; end")
+    node.cache_flush
+    intf = node.config_get_default("tacacs_server", "source_interface")
+    tacacs = TacacsServer.new
+    assert_equal(intf, tacacs.source_interface,
+                 "Error: Tacacs Server, source-interface set")
+
+    intf = "Ethernet1/1"
+    tacacs.source_interface = intf
+    line = get_match_line("ip tacacs source-interface #{intf}")
+    # Extract source-interface
+    sh_run_source_interface = line.to_s.split(" ").last
+    refute_nil(line, "Error: Tacacs Server, source-interface not configured")
+    assert_equal(sh_run_source_interface, tacacs.source_interface,
+                 "Error: Tacacs Server, source-interface not correct")
+
+    # Now bring it back to default
+    intf = node.config_get_default("tacacs_server", "source_interface")
+    tacacs.source_interface = intf
+    line = get_match_line("no ip tacacs source-interface")
+    refute_nil(line, "Error: Tacacs Server, source-interface not default")
+
+    # Invalid case
+    state = true
+    assert_raises(TypeError) do
+      tacacs.source_interface = state
+    end
+    tacacs.destroy
+  end
+
+  def test_tacacsserver_destroy
+    tacacs = TacacsServer.new
+    line = get_tacacsserver_feature
+    refute_nil(line, "Error: Tacacs feature not set")
+    tacacs.destroy
+    line = get_tacacsserver_feature
+    assert_nil(line, "Error: Tacacs feature still present")
+  end
+end

data/tests/test_tacacs_server_host.rb

@@ -0,0 +1,391 @@
+# Copyright (c) 2014-2015 Cisco and/or its affiliates.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require File.expand_path("../ciscotest", __FILE__)
+require File.expand_path("../../lib/cisco_node_utils/tacacs_server_host", __FILE__)
+
+include Cisco
+
+DEFAULT_TACACS_SERVER_HOST_PORT = 49
+DEFAULT_TACACS_SERVER_HOST_TIMEOUT = 0
+DEFAULT_TACACS_SERVER_HOST_ENCRYPTION_PASSWORD = ""
+
+class TestTacacsServerHost < CiscoTestCase
+  def get_tacacsserverhost_match_line(host_name)
+    s = @device.cmd("show run all | no-more")
+    cmd = "tacacs-server host"
+    pattern = /#{cmd}\s(#{host_name})(.*)/
+    pattern.match(s)
+  end
+
+  def test_tacacsserverhost_collection_empty
+    hosts = TacacsServerHost.hosts
+    hosts.each { |name, host| host.destroy }
+    hosts = TacacsServerHost.hosts
+
+    assert_empty(hosts, "Error: Tacacs Host collection is not empty")
+  end
+
+  def test_tacacsserverhost_collection
+    hosts_hash = {}
+    hosts_hash["testhost1"] = 1138
+    hosts_hash["testhost2"] = DEFAULT_TACACS_SERVER_HOST_PORT
+
+    hosts_hash.each { |name, port|
+      host = TacacsServerHost.new(name)
+      host.port = port
+    }
+
+    hosts = TacacsServerHost.hosts
+    refute_empty(hosts, "Error: Tacacs Host collection is empty")
+    hosts_hash.each { |name, port|
+      # host must have been created to be found in the list
+      assert(hosts.include?(name),
+             "Error: Tacacs Host #{name} not in collection")
+      # port numbers differentiate the hosts
+      assert_equal(port, hosts[name].port,
+                   "Error: Tacacs Host #{name} port mismatch")
+    }
+
+    hosts_hash.each { |name, host| hosts[name].destroy }
+  end
+
+  def test_tacacsserverhost_create_server_nil
+    assert_raises(TypeError) do
+      host = TacacsServerHost.new(nil)
+    end
+  end
+
+  def test_tacacsserverhost_create_name_zero_length
+    assert_raises(ArgumentError) do
+      host = TacacsServerHost.new("")
+    end
+  end
+
+  def test_tacacsserverhost_create_valid
+    host = TacacsServerHost.new("testhost")
+    line = get_tacacsserverhost_match_line("testhost")
+    refute_nil(line, "Error: Tacacs Host not created")
+    host.destroy
+  end
+
+  def test_tacacsserverhost_destroy
+    host_name = "testhost"
+    host = TacacsServerHost.new(host_name)
+    line = get_tacacsserverhost_match_line(host_name)
+    refute_nil(line, "Error: Tacacs Host not created")
+    host.destroy
+
+    line = get_tacacsserverhost_match_line(host_name)
+    assert_nil(line, "Error: Tacacs Host still present")
+  end
+
+  def test_tacacsserverhost_get_name
+    host_name = "testhost"
+    host = TacacsServerHost.new(host_name)
+    line = get_tacacsserverhost_match_line(host_name)
+    refute_nil(line, "Error: Tacacs Host not found")
+    assert_equal(host_name, line.captures[0],
+                 "Error: #{host_name} name mismatch")
+    assert_equal(host_name, host.name,
+                 "Error: #{host_name} name get value mismatch")
+    host.destroy
+  end
+
+  def test_tacacsserverhost_get_name_preconfigured
+    host_name = "testhost"
+
+    s = @device.cmd("configure terminal")
+    s = @device.cmd("tacacs-server host #{host_name}")
+    s = @device.cmd("end")
+    node.cache_flush
+
+    line = get_tacacsserverhost_match_line(host_name)
+    hosts = TacacsServerHost.hosts()
+
+    refute_nil(line, "Error: Tacacs Host not found")
+    assert_equal(host_name, line.captures[0],
+                 "Error: #{host_name} name mismatch")
+    refute_nil(hosts[host_name], "Error: #{host_name} not retrieved.")
+    assert_equal(host_name, hosts[host_name].name,
+                 "Error: #{host_name} name get value mismatch")
+
+    hosts.each { |name, host| host.destroy }
+  end
+
+  def test_tacacsserverhost_get_name_formats
+    host_name = "testhost.example.com"
+    host_ip = "192.168.1.1"
+
+    s = @device.cmd("configure terminal")
+    s = @device.cmd("tacacs-server host #{host_name}")
+    s = @device.cmd("tacacs-server host #{host_ip}")
+    s = @device.cmd("end")
+    node.cache_flush
+
+    line_name = get_tacacsserverhost_match_line(host_name)
+    line_ip = get_tacacsserverhost_match_line(host_ip)
+    hosts = TacacsServerHost.hosts
+
+    refute_nil(line_name, "Error: Tacacs Host not found")
+    assert_equal(host_name, line_name.captures[0],
+                 "Error: #{host_name} name mismatch")
+    refute_nil(hosts[host_name], "Error: #{host_name} not retrieved.")
+    assert_equal(host_name, hosts[host_name].name,
+                 "Error: #{host_name} name get value mismatch")
+
+    refute_nil(line_ip, "Error: Tacacs Host not found")
+    assert_equal(host_ip, line_ip.captures[0],
+                 "Error: #{host_ip} name mismatch")
+    refute_nil(hosts[host_ip], "Error: #{host_ip} not retrieved.")
+    assert_equal(host_ip, hosts[host_ip].name,
+                 "Error: #{host_ip} name get value mismatch")
+
+    hosts.each { |name, host| host.destroy }
+  end
+
+  def test_tacacsserverhost_get_port
+    host_name = "testhost"
+    host = TacacsServerHost.new(host_name)
+
+    # not previously configured
+    port = DEFAULT_TACACS_SERVER_HOST_PORT
+    assert_equal(port, host.port, "Error: Tacacs Host port incorrect")
+
+    # when configured
+    port = 1138
+    s = @device.cmd("configure terminal")
+    s = @device.cmd("tacacs-server host #{host_name} port #{port}")
+    s = @device.cmd("end")
+    node.cache_flush
+    assert_equal(port, host.port, "Error: Tacacs Host port incorrect")
+
+    host.destroy
+  end
+
+  def test_tacacsserverhost_get_default_port
+    host = TacacsServerHost.new("testhost")
+
+    port = DEFAULT_TACACS_SERVER_HOST_PORT
+    assert_equal(port, TacacsServerHost.default_port,
+                 "Error: Tacacs Host default port incorrect")
+    host.destroy
+  end
+
+  def test_tacacsserverhost_set_port
+    host_name = "testhost"
+    host = TacacsServerHost.new(host_name)
+
+    port = 1138
+    host.port = port
+    line = get_tacacsserverhost_match_line(host_name)
+    refute_nil(line, "Error: Tacacs Host not found")
+    md = /port\s(\d*)/.match(line.captures[1])
+    refute_nil(md, "Error: Tacacs Host port not found")
+    assert_equal(port, md.captures[0].to_i, "Error: Tacacs Host port mismatch")
+    assert_equal(port, host.port, "Error: Tacacs Host port incorrect")
+
+    host.destroy
+  end
+
+  def test_tacacsserverhost_get_timeout
+    # Cleanup first
+    s = @device.cmd("show run | i 'tacacs.*timeout'")[/^tacacs.*timeout.*$/]
+    if s
+      s = @device.cmd("conf t ; no #{s} ; end")
+      # puts "s is >#{s}<"
+      node.cache_flush
+    end
+
+    host_name = "testhost"
+    host = TacacsServerHost.new(host_name)
+
+    # not previously configured
+    timeout = DEFAULT_TACACS_SERVER_HOST_TIMEOUT
+    assert_equal(timeout, host.timeout, "Error: Tacacs Host timeout incorrect")
+
+    # when configured
+    timeout = 30
+    s = @device.cmd("configure terminal")
+    s = @device.cmd("tacacs-server host #{host_name} timeout #{timeout}")
+    s = @device.cmd("end")
+    node.cache_flush
+    assert_equal(timeout, host.timeout, "Error: Tacacs Host timeout incorrect")
+
+    host.destroy
+  end
+
+  def test_tacacsserverhost_get_default_timeout
+    host = TacacsServerHost.new("testhost")
+
+    timeout = DEFAULT_TACACS_SERVER_HOST_TIMEOUT
+    assert_equal(timeout, TacacsServerHost.default_timeout,
+                 "Error: Tacacs Host default timeout incorrect")
+    host.destroy
+  end
+
+  def test_tacacsserverhost_set_timeout
+    host_name = "testhost"
+    host = TacacsServerHost.new(host_name)
+
+    timeout = 30
+    host.timeout = timeout
+    line = get_tacacsserverhost_match_line(host_name)
+    refute_nil(line, "Error: Tacacs Host not found")
+    md = /timeout\s(\d*)/.match(line.captures[1])
+    refute_nil(md, "Error: Tacacs Host timeout not found")
+    assert_equal(timeout, md.captures[0].to_i,
+                 "Error: Tacacs Host timeout mismatch")
+    assert_equal(timeout, host.timeout, "Error: Tacacs Host timeout incorrect")
+
+    host.destroy
+  end
+
+  def test_tacacsserverhost_unset_timeout
+    host_name = "testhost"
+    host = TacacsServerHost.new(host_name)
+
+    timeout = DEFAULT_TACACS_SERVER_HOST_TIMEOUT
+    host.timeout = timeout
+    line = get_tacacsserverhost_match_line(host_name)
+    refute_nil(line, "Error: Tacacs Host not found")
+    md = /timeout\s(\d*)/.match(line.captures[1])
+    assert_nil(md, "Error: Tacacs Host timeout found")
+    assert_equal(timeout, host.timeout, "Error: Tacacs Host timeout incorrect")
+
+    host.destroy
+  end
+
+  def test_tacacsserverhost_get_encryption_type
+    host_name = "testhost"
+    host = TacacsServerHost.new(host_name)
+
+    # when not configured
+    enctype = TACACS_SERVER_ENC_UNKNOWN
+
+    assert_equal(enctype, host.encryption_type,
+                 "Error: Tacacs Host encryption type incorrect")
+
+    # when configured
+    enctype = TACACS_SERVER_ENC_NONE
+    sh_run_enctype = TACACS_SERVER_ENC_CISCO_TYPE_7
+    s = @device.cmd("configure terminal")
+    s = @device.cmd("tacacs-server host #{host_name} key #{enctype} TEST")
+    s = @device.cmd("end")
+    node.cache_flush
+    assert_equal(sh_run_enctype, host.encryption_type,
+                 "Error: Tacacs Host encryption type incorrect")
+    host.destroy
+  end
+
+  def test_tacacsserverhost_get_default_encryption_type
+    host = TacacsServerHost.new("testhost")
+
+    assert_equal(TACACS_SERVER_ENC_NONE,
+                 TacacsServerHost.default_encryption_type,
+                 "Error: Tacacs Host default encryption type incorrect")
+    host.destroy
+  end
+
+  def test_tacacsserverhost_get_encryption_password
+    host_name = "testhost"
+    host = TacacsServerHost.new(host_name)
+
+    # when not configured
+    pass = DEFAULT_TACACS_SERVER_HOST_ENCRYPTION_PASSWORD
+    assert_equal(pass, host.encryption_password,
+                 "Error: Tacacs Host encryption password incorrect")
+
+    # when configured
+    pass = "TEST"
+    sh_run_pass = "WAWY"
+    s = @device.cmd("configure terminal")
+    s = @device.cmd("tacacs-server host #{host_name} key 0 #{pass}")
+    s = @device.cmd("end")
+    node.cache_flush
+    assert_equal(sh_run_pass, host.encryption_password,
+                 "Error: Tacacs Host encryption password incorrect")
+    host.destroy
+  end
+
+  def test_tacacsserverhost_get_default_encryption_password
+    host = TacacsServerHost.new("testhost")
+
+    assert_equal("", TacacsServerHost.default_encryption_password,
+                 "Error: Tacacs Host default encryption password incorrect")
+    host.destroy
+  end
+
+  def test_tacacsserverhost_set_key
+    host_name = "testhost"
+    host = TacacsServerHost.new(host_name)
+
+    enctype = TACACS_SERVER_ENC_NONE
+    sh_run_enctype = TACACS_SERVER_ENC_CISCO_TYPE_7
+    pass = "TEST"
+    sh_run_pass = "WAWY"
+    host.encryption_key_set(enctype, pass)
+
+    line = get_tacacsserverhost_match_line(host_name)
+    refute_nil(line, "Error: Tacacs Host not found")
+    md = /key\s(\d*)\s(\S*)/.match(line.captures[1])
+    refute_nil(md, "Error: Tacacs Host encryption not found")
+    assert_equal(sh_run_enctype, md.captures[0].to_i,
+                 "Error: Tacacs Host encryption type mismatch")
+    assert_equal(sh_run_enctype, host.encryption_type,
+                 "Error: Tacacs Host encryption type incorrect")
+    # remove quotes surrounding the encrypted password
+    pass_no_quotes = md.captures[1].gsub(/(?:^\")|(?:\"$)/, '')
+    assert_equal(sh_run_pass, pass_no_quotes,
+                 "Error: Tacacs Host encryption password mismatch")
+    assert_equal(sh_run_pass, host.encryption_password,
+                 "Error: Tacacs Host encryption password incorrect")
+
+    host.destroy
+  end
+
+  def test_tacacsserverhost_unset_key
+    # Cleanup first
+    s = @device.cmd("show run | i 'tacacs.*host'")[/^tacacs.*host.*$/]
+    if s
+      s = @device.cmd("conf t ; no #{s} ; end")
+      # puts "s is >#{s}<"
+      node.cache_flush
+    end
+
+    host_name = "testhost"
+    host = TacacsServerHost.new(host_name)
+
+    # First configure key value. Whether that can be passed
+    # will be decided by test_tacacsserverhost_set_key
+    enctype = TACACS_SERVER_ENC_NONE
+    pass = "TEST"
+    host.encryption_key_set(enctype, pass)
+
+    # Now unconfigure the key and verify
+    enctype = TACACS_SERVER_ENC_UNKNOWN
+    pass = DEFAULT_TACACS_SERVER_HOST_ENCRYPTION_PASSWORD
+    host.encryption_key_set(enctype, pass)
+
+    line = get_tacacsserverhost_match_line(host_name)
+    refute_nil(line, "Error: Tacacs Host not found")
+    md = /key\s(\d*)\s(\S*)/.match(line.captures[1])
+    assert_nil(md, "Error: Tacacs Host encryption found")
+    assert_equal(enctype, host.encryption_type,
+                 "Error: Tacacs Host encryption type incorrect")
+    assert_equal(pass, host.encryption_password,
+                 "Error: Tacacs Host encryption password incorrect")
+    host.destroy
+  end
+end