module openconfig-aaa {
  yang-version 1;
  namespace "http://openconfig.net/yang/aaa";
  prefix oc-aaa;

  import openconfig-extensions {
    prefix oc-ext;
  }
  import openconfig-inet-types {
    prefix oc-inet;
  }
  import openconfig-yang-types {
    prefix oc-yang;
  }
  import openconfig-aaa-types {
    prefix oc-aaa-types;
  }


  include "openconfig-aaa-tacacs";

  include "openconfig-aaa-radius";

  organization
    "OpenConfig working group";
  contact
    "OpenConfig working group
     www.openconfig.net";
  description
    "This module defines configuration and operational state data
     related to authorization, authentication, and accounting (AAA)
     management.

     Credential-bearing leaves in this module (admin-password,
     password) are tagged with oc-ext:openconfig-hashed-value: the
     client supplies cleartext, the system stores and reports only a
     hashed form.  Pre-hashed variants (admin-password-hashed,
     password-hashed) use oc-aaa-types:crypt-password-type.  The
     TACACS+ and RADIUS server secrets live in the included
     submodules.

     Portions of this model reuse data definitions or structure from
     RFC 7317 - A YANG Data Model for System Management";

  revision 2020-07-30 {
    description
      "Add secret-key-hashed for TACACS and RADIUS.";
    reference
      "0.5.0";
  }
  revision 2019-10-28 {
    description
      "Fix bug in when statement path";
    reference
      "0.4.3";
  }
  revision 2019-08-20 {
    description
      "Fix identity prefixes and when statement paths";
    reference
      "0.4.2";
  }
  revision 2018-11-21 {
    description
      "Add OpenConfig module metadata extensions.";
    reference
      "0.4.1";
  }
  revision 2018-04-12 {
    description
      "Add when conditions, correct identities";
    reference
      "0.4.0";
  }
  revision 2017-09-18 {
    description
      "Updated to use OpenConfig types modules";
    reference
      "0.3.0";
  }
  revision 2017-07-06 {
    description
      "Move to oc-inet types, add IETF attribution, add RADIUS
       counters, changed password leaf names to indicate hashed";
    reference
      "0.2.0";
  }
  revision 2017-01-29 {
    description
      "Initial public release";
    reference
      "0.1.0";
  }

  oc-ext:openconfig-version "0.5.0";
  oc-ext:regexp-posix;
  oc-ext:catalog-organization "openconfig";
  oc-ext:origin "openconfig";

  grouping aaa-servergroup-common-config {
    description
      "Configuration data for AAA server groups";
    leaf name {
      type string;
      description
        "Name for the server group.  This is the value referenced by
         the authentication-method, authorization-method and
         accounting-method leaf-lists when a group is selected by
         name.";
    }
    leaf type {
      type identityref {
        base oc-aaa-types:AAA_SERVER_TYPE;
      }
      description
        "AAA server type -- all servers in the group must be of this
         type.  The protocol-specific containers under each server
         (TACACS+ or RADIUS) are conditional on this value.";
    }
  }

  grouping aaa-servergroup-common-state {
    description
      "Operational state data for AAA server groups";
  }

  grouping aaa-servergroup-common-top {
    description
      "Top-level grouping for AAA server groups";
    container server-groups {
      description
        "Enclosing container for AAA server groups";
      list server-group {
        key "name";
        description
          "List of AAA server groups.  All servers in a group
           must have the same type as indicated by the server
           type.";
        leaf name {
          type leafref {
            path "../config/name";
          }
          description
            "Reference to configured name of the server group";
        }
        container config {
          description
            "Configuration data for each server group";
          uses aaa-servergroup-common-config;
        }
        container state {
          config false;
          description
            "Operational state data for each server group";
          uses aaa-servergroup-common-config;
          uses aaa-servergroup-common-state;
        }
        uses aaa-server-top;
      }
    }
  }

  grouping aaa-server-config {
    description
      "Common configuration data for AAA servers";
    leaf name {
      type string;
      description
        "Name assigned to the server";
    }
    leaf address {
      type oc-inet:ip-address;
      description
        "IP address of the AAA server.  This is the key of the
         server list, so a given address appears at most once per
         server group.";
    }
    leaf timeout {
      type uint16;
      units "seconds";
      description
        "Set the timeout in seconds on responses from the AAA
         server.  No range is constrained by this model and the
         meaning of 0 or an unset value is platform-defined.  The
         timeout bounds how long a request waits on an unresponsive
         server before it is treated as not having answered.";
    }
  }

  grouping aaa-server-state {
    description
      "Common operational state data for AAA servers.  All counters
       are taken from the perspective of this system acting as the
       AAA client.";
    leaf connection-opens {
      type oc-yang:counter64;
      description
        "Number of new connection requests sent to the server, e.g.
         socket open";
    }
    leaf connection-closes {
      type oc-yang:counter64;
      description
        "Number of connection close requests sent to the server, e.g.
         socket close";
    }
    leaf connection-aborts {
      type oc-yang:counter64;
      description
        "Number of aborted connections to the server.  These do
         not include connections that are closed gracefully.";
    }
    leaf connection-failures {
      type oc-yang:counter64;
      description
        "Number of connection failures to the server";
    }
    leaf connection-timeouts {
      type oc-yang:counter64;
      description
        "Number of connection timeouts to the server";
    }
    leaf messages-sent {
      type oc-yang:counter64;
      description
        "Number of messages sent to the server";
    }
    leaf messages-received {
      type oc-yang:counter64;
      description
        "Number of messages received from the server";
    }
    leaf errors-received {
      type oc-yang:counter64;
      description
        "Number of error messages received from the server";
    }
  }

  grouping aaa-server-top {
    description
      "Top-level grouping for list of AAA servers";
    container servers {
      description
        "Enclosing container for the list of servers";
      list server {
        key "address";
        description
          "List of AAA servers";
        leaf address {
          type leafref {
            path "../config/address";
          }
          description
            "Reference to the configured address of the AAA server";
        }
        container config {
          description
            "Configuration data for the AAA server";
          uses aaa-server-config;
        }
        container state {
          config false;
          description
            "Operational state data for the AAA server";
          uses aaa-server-config;
          uses aaa-server-state;
        }
        // The protocol-specific containers (defined in the included
        // submodules) are only present when the enclosing server
        // group's configured type matches.
        uses aaa-tacacs-server-top {
          when "../../config/type = 'oc-aaa:TACACS'";
        }
        uses aaa-radius-server-top {
          when "../../config/type = 'oc-aaa:RADIUS'";
        }
      }
    }
  }

  grouping aaa-admin-config {
    description
      "Configuration data for the system built-in
       administrator / root user account";
    leaf admin-password {
      oc-ext:openconfig-hashed-value;
      type string;
      description
        "The admin/root password, supplied as a cleartext string.
         The system should hash and only store the password as a
         hashed value.  Because this grouping is also used under the
         state container, the leaf is visible there as well; per the
         openconfig-hashed-value extension only the hashed form may
         be returned -- the cleartext value must never be echoed in
         state, logs or telemetry.";
    }
    leaf admin-password-hashed {
      type oc-aaa-types:crypt-password-type;
      description
        "The admin/root password, supplied as a hashed value
         using the notation described in the definition of the
         crypt-password-type.  The set of accepted hash algorithms
         is determined by that type, not by this leaf.  This model
         does not define precedence if both admin-password and
         admin-password-hashed are set; confirm platform behaviour.";
    }
  }

  grouping aaa-admin-state {
    description
      "Operational state data for the root user";
    leaf admin-username {
      type string;
      description
        "Name of the administrator user account, e.g., admin, root,
         etc.";
    }
  }

  grouping aaa-authentication-admin-top {
    description
      "Top-level grouping for root user configuration and state
       data";
    container admin-user {
      description
        "Top-level container for the system root or admin user
         configuration and operational state";
      container config {
        description
          "Configuration data for the root user account";
        uses aaa-admin-config;
      }
      container state {
        config false;
        description
          "Operational state data for the root user account";
        // Reusing the config grouping here exposes the password leaves
        // read-only; see admin-password for the hashed-only requirement.
        uses aaa-admin-config;
        uses aaa-admin-state;
      }
    }
  }

  grouping aaa-authentication-user-config {
    description
      "Configuration data for local users";
    leaf username {
      type string;
      description
        "Assigned username for this user";
    }
    leaf password {
      oc-ext:openconfig-hashed-value;
      type string;
      description
        "The user password, supplied as cleartext.  The system
         must hash the value and only store the hashed value.  As
         with admin-password, this leaf also appears under state and
         may only be returned there in hashed form.";
    }
    leaf password-hashed {
      type oc-aaa-types:crypt-password-type;
      description
        "The user password, supplied as a hashed value
         using the notation described in the definition of the
         crypt-password-type.";
    }
    leaf ssh-key {
      type string;
      description
        "SSH public key for the user (RSA or DSA).  The type does
         not constrain the key algorithm or encoding; validation is
         left to the platform.";
      // NOTE(review): DSA (ssh-dss) keys are disabled by default in
      // current OpenSSH releases and are widely considered obsolete;
      // operators should avoid provisioning them even though the
      // description still lists DSA.
    }
    leaf role {
      type union {
        type string;
        type identityref {
          base oc-aaa-types:SYSTEM_DEFINED_ROLES;
        }
      }
      description
        "Role assigned to the user.  The role may be supplied
         as a string or a role defined by the SYSTEM_DEFINED_ROLES
         identity.";
      // NOTE(review): union member types are tried in order, and
      // 'string' is listed first, so any value -- including a
      // misspelled identity name -- matches as a free-form string
      // and is never validated against SYSTEM_DEFINED_ROLES.
    }
  }

  grouping aaa-authentication-user-state {
    description
      "Operational state data for local users";
  }

  grouping aaa-authentication-user-top {
    description
      "Top-level grouping for local users";
    container users {
      description
        "Enclosing container for the list of local users";
      list user {
        key "username";
        description
          "List of local users on the system";
        leaf username {
          type leafref {
            path "../config/username";
          }
          description
            "References the configured username for the user";
        }
        container config {
          description
            "Configuration data for local users";
          uses aaa-authentication-user-config;
        }
        container state {
          config false;
          description
            "Operational state data for local users";
          uses aaa-authentication-user-config;
          uses aaa-authentication-user-state;
        }
      }
    }
  }

  grouping aaa-accounting-methods-common {
    description
      "Common definitions for accounting methods";
    leaf-list accounting-method {
      type union {
        type identityref {
          base oc-aaa-types:AAA_METHOD_TYPE;
        }
        type string;
      }
      ordered-by user;
      description
        "An ordered list of methods used for AAA accounting for this
         event type.  The method is defined by the destination for
         accounting data, which may be specified as the group of
         all TACACS+/RADIUS servers, a defined server group, or
         the local system.  As with authorization-method, a method
         given as a string should name an existing server group.";
    }
  }

  grouping aaa-accounting-events-config {
    description
      "Configuration data for AAA accounting events";
    leaf event-type {
      type identityref {
        base oc-aaa-types:AAA_ACCOUNTING_EVENT_TYPE;
      }
      description
        "The type of activity to record at the AAA accounting
         server";
    }
    leaf record {
      type enumeration {
        enum "START_STOP" {
          description
            "Send START record to the accounting server at the
             beginning of the activity, and STOP record at the
             end of the activity.";
        }
        enum "STOP" {
          description
            "Send STOP record to the accounting server when the
             user activity completes";
        }
      }
      description
        "Type of record to send to the accounting server for this
         activity type.  STOP-only recording produces no trace of
         activities that never complete (e.g. a session cut off
         before its STOP record is sent).";
    }
  }

  grouping aaa-accounting-events-state {
    description
      "Operational state data for accounting events";
  }

  grouping aaa-accounting-events-top {
    description
      "Top-level grouping for accounting events";
    container events {
      description
        "Enclosing container for defining handling of events
         for accounting";
      list event {
        key "event-type";
        description
          "List of events subject to accounting";
        leaf event-type {
          type leafref {
            path "../config/event-type";
          }
          description
            "Reference to the event-type being logged at the
             accounting server";
        }
        container config {
          description
            "Configuration data for accounting events";
          uses aaa-accounting-events-config;
        }
        container state {
          config false;
          description
            "Operational state data for accounting events";
          uses aaa-accounting-events-config;
          uses aaa-accounting-events-state;
        }
      }
    }
  }

  grouping aaa-accounting-config {
    description
      "Configuration data for event accounting";
    uses aaa-accounting-methods-common;
  }

  grouping aaa-accounting-state {
    description
      "Operational state data for event accounting services";
  }

  grouping aaa-accounting-top {
    description
      "Top-level grouping for user activity accounting";
    container accounting {
      description
        "Top-level container for AAA accounting";
      container config {
        description
          "Configuration data for user activity accounting.";
        uses aaa-accounting-config;
      }
      container state {
        config false;
        description
          "Operational state data for user accounting.";
        uses aaa-accounting-config;
        uses aaa-accounting-state;
      }
      uses aaa-accounting-events-top;
    }
  }

  grouping aaa-authorization-methods-config {
    description
      "Common definitions for authorization methods for global
       and per-event type";
    leaf-list authorization-method {
      type union {
        type identityref {
          base oc-aaa-types:AAA_METHOD_TYPE;
        }
        type string;
      }
      ordered-by user;
      description
        "Ordered list of methods for authorizing commands.  The first
         method that provides a response (positive or negative) should
         be used.  The list may contain a well-defined method such
         as the set of all TACACS or RADIUS servers, or the name of
         a defined AAA server group.  The system must validate
         that the named server group exists.  This model does not
         define whether a request is permitted or denied when no
         method responds (fail-open vs fail-closed); that behaviour
         is platform-defined and should be confirmed.";
    }
  }

  grouping aaa-authorization-events-config {
    description
      "Configuration data for AAA authorization events";
    leaf event-type {
      type identityref {
        base oc-aaa-types:AAA_AUTHORIZATION_EVENT_TYPE;
      }
      description
        "The type of event to record at the AAA authorization
         server";
    }
  }

  grouping aaa-authorization-events-state {
    description
      "Operational state data for AAA authorization events";
  }

  grouping aaa-authorization-events-top {
    description
      "Top-level grouping for authorization events";
    container events {
      description
        "Enclosing container for the set of events subject
         to authorization";
      list event {
        key "event-type";
        description
          "List of events subject to AAA authorization";
        leaf event-type {
          type leafref {
            path "../config/event-type";
          }
          description
            "Reference to the event-type list key";
        }
        container config {
          description
            "Configuration data for each authorized event";
          uses aaa-authorization-events-config;
        }
        container state {
          config false;
          description
            "Operational state data for each authorized activity";
          uses aaa-authorization-events-config;
          uses aaa-authorization-events-state;
        }
      }
    }
  }

  grouping aaa-authorization-config {
    description
      "Configuration data for AAA authorization";
    uses aaa-authorization-methods-config;
  }

  grouping aaa-authorization-state {
    description
      "Operational state data for AAA authorization";
  }

  grouping aaa-authorization-top {
    description
      "Top-level grouping for AAA authorization";
    container authorization {
      description
        "Top-level container for AAA authorization configuration
         and operational state data";
      container config {
        description
          "Configuration data for authorization based on AAA
           methods";
        uses aaa-authorization-config;
      }
      container state {
        config false;
        description
          "Operational state data for authorization based on AAA";
        uses aaa-authorization-config;
        uses aaa-authorization-state;
      }
      uses aaa-authorization-events-top;
    }
  }

  grouping aaa-authentication-config {
    description
      "Configuration data for global authentication";
    leaf-list authentication-method {
      type union {
        type identityref {
          base oc-aaa-types:AAA_METHOD_TYPE;
        }
        type string;
      }
      ordered-by user;
      description
        "Ordered list of authentication methods for users.  This
         can be either a reference to a server group, or a well-
         defined designation in the AAA_METHOD_TYPE identity.  If
         authentication fails with one method, the next defined
         method is tried -- failure of all methods results in the
         user being denied access.  As with authorization-method, a
         named server group should be validated to exist.";
      // NOTE(review): 'fails' is ambiguous here.  Unlike
      // authorization-method, which stops at the first method that
      // answers (positive or negative), this text can be read as
      // falling through on an explicit rejection, which would let a
      // user denied by a central server be retried against a weaker
      // method such as local accounts.  Implementations commonly
      // fall through only when a method does not respond; confirm
      // the platform's semantics before relying on this ordering.
    }
  }

  grouping aaa-authentication-state {
    description
      "Operational state data for global authentication";
  }

  grouping aaa-authentication-top {
    description
      "Top-level grouping for top-level authentication";
    container authentication {
      description
        "Top-level container for global authentication data";
      container config {
        description
          "Configuration data for global authentication services";
        uses aaa-authentication-config;
      }
      container state {
        config false;
        description
          "Operational state data for global authentication
           services";
        uses aaa-authentication-config;
        uses aaa-authentication-state;
      }
      uses aaa-authentication-admin-top;
      uses aaa-authentication-user-top;
    }
  }

  grouping aaa-config {
    description
      "Configuration data for top level AAA";
  }

  grouping aaa-state {
    description
      "Operational state data for top level AAA";
  }

  grouping aaa-top {
    description
      "Top-level grouping for AAA services";
    container aaa {
      description
        "Top-level container for AAA services";
      container config {
        description
          "Configuration data for top level AAA services";
        uses aaa-config;
      }
      container state {
        config false;
        description
          "Operational state data for top level AAA services ";
        uses aaa-config;
        uses aaa-state;
      }
      uses aaa-authentication-top;
      uses aaa-authorization-top;
      uses aaa-accounting-top;
      uses aaa-servergroup-common-top;
    }
  }
}