[TACACS+] Add Bash TACACS+ plugin for per-command authorization. (son…

…ic-net#8715) This pull request add a bash plugin for TACACS+ per-command authorization #### Why I did it 1. To support TACACS per command authorization, we check user command before execute it. 2. Fix libtacsupport.so can't parse tacplus_nss.conf correctly issue: Support debug=on setting. Support put server address and secret in same row. 3. Fix the parse_config_file method not reset server list before parse config file issue. #### How I did it The bash plugin will be called before every user command, and check user command with remote TACACS+ server for per-command authorization. #### How to verify it UT with CUnit cover all code in this plugin. Also pass all current UT. #### Which release branch to backport (provide reason below if selected) N/A #### Description for the changelog Add Bash TACACS+ plugin. #### A picture of a cute animal (not mandatory but encouraged)
adyeung · Nov 13, 2021 · ff09b8b · ff09b8b
1 parent 6451733
commit ff09b8b
Show file tree

Hide file tree

Showing 20 changed files with 1,260 additions and 27 deletions.
diff --git a/ThirdPartyLicenses.txt b/ThirdPartyLicenses.txt
@@ -1170,3 +1170,33 @@ Microsoft is offering you a license to use the following components, to the exte
  *   See the License for the specific language governing permissions and
  *   limitations under the License.
  */
+
+ 5. src/tacacs/bash/bash_tacplus based on https://github.com/daveolson53/tacplus-auth project using GNU GENERAL PUBLIC LICENSE Version 2
+
+/*   Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+ *   Upstream-Name: tacplus-auth
+ *   Source: https://github.com/daveolson53/tacplus-auth
+ *   
+ *   Files: *
+ *   Copyright: 2016 Cumulus Networks, Inc.  All rights reserved.,
+ *              2010 Pawel Krawczyk <[email protected]> and Jeroen Nijhof <[email protected]>.
+ *   License: GPL-2+
+ *   
+ *   License: GPL-2+
+ *    This program is free software; you can redistribute it and/or modify
+ *    it under the terms of the GNU General Public License as published by
+ *    the Free Software Foundation; either version 2 of the License, or
+ *    (at your option) any later version.
+ *    .
+ *    This program is distributed in the hope that it will be useful,
+ *    but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *    GNU General Public License for more details.
+ *    .
+ *    You should have received a copy of the GNU General Public License along
+ *    with this program; if not, write to the Free Software Foundation, Inc.,
+ *    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *    .
+ *    On Debian systems, the full copy of the GPL-2 license can be found in
+ *    /usr/share/common-licenses/GPL-2
+ */
diff --git a/files/build_templates/sonic_debian_extension.j2 b/files/build_templates/sonic_debian_extension.j2
@@ -225,7 +225,7 @@ sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/sonic-utilities-data_*.deb || \
     sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
 
 # Install customized bash version to patch bash plugin support.
-sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/bash_*.deb || \
+sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/bash_*.deb || \
     sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
 
 # sonic-utilities-data installs bash-completion as a dependency. However, it is disabled by default
@@ -274,6 +274,9 @@ sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/libpam-tacplus_*.deb || \
     sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
 sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/libnss-tacplus_*.deb || \
     sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
+# Install bash-tacplus
+sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/bash-tacplus_*.deb || \
+    sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
 # Disable tacplus by default
 sudo LANG=C chroot $FILESYSTEM_ROOT pam-auth-update --remove tacplus
 sudo sed -i -e '/^passwd/s/ tacplus//' $FILESYSTEM_ROOT/etc/nsswitch.conf

diff --git a/rules/tacacs.dep b/rules/tacacs.dep
@@ -21,3 +21,15 @@ $(LIBNSS_TACPLUS)_CACHE_MODE  := GIT_CONTENT_SHA
 $(LIBNSS_TACPLUS)_DEP_FLAGS   := $(SONIC_COMMON_FLAGS_LIST)
 $(LIBNSS_TACPLUS)_DEP_FILES   := $(DEP_FILES)
 
+
+
+
+SPATH       := $($(BASH_TACPLUS)_SRC_PATH)
+DEP_FILES   := $(SONIC_COMMON_FILES_LIST) rules/tacacs.mk rules/tacacs.dep   
+DEP_FILES   += $(SONIC_COMMON_BASE_FILES_LIST)
+DEP_FILES   += $(shell git ls-files $(SPATH))
+
+$(BASH_TACPLUS)_CACHE_MODE  := GIT_CONTENT_SHA 
+$(BASH_TACPLUS)_DEP_FLAGS   := $(SONIC_COMMON_FLAGS_LIST)
+$(BASH_TACPLUS)_DEP_FILES   := $(DEP_FILES)
+
diff --git a/rules/tacacs.mk b/rules/tacacs.mk
@@ -29,6 +29,19 @@ $(LIBNSS_TACPLUS)_RDEPENDS += $(LIBTAC2)
 $(LIBNSS_TACPLUS)_SRC_PATH = $(SRC_PATH)/tacacs/nss
 SONIC_MAKE_DEBS += $(LIBNSS_TACPLUS)
 
+
+# bash-tacplus packages
+BASH_TACPLUS_VERSION = 1.0.0
+
+export BASH_TACPLUS_VERSION
+
+BASH_TACPLUS = bash-tacplus_$(BASH_TACPLUS_VERSION)_$(CONFIGURED_ARCH).deb
+$(BASH_TACPLUS)_DEPENDS += $(LIBTAC_DEV)
+$(BASH_TACPLUS)_RDEPENDS += $(LIBTAC2)
+$(BASH_TACPLUS)_SRC_PATH = $(SRC_PATH)/tacacs/bash_tacplus
+SONIC_DPKG_DEBS += $(BASH_TACPLUS)
+
+
 # The .c, .cpp, .h & .hpp files under src/{$DBG_SRC_ARCHIVE list}
 # are archived into debug one image to facilitate debugging.
 #

diff --git a/slave.mk b/slave.mk
@@ -943,7 +943,8 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
                 $(PYTHON3_SWSSCOMMON) \
                 $(SONIC_UTILITIES_DATA) \
                 $(SONIC_HOST_SERVICES_DATA) \
-                $(BASH)) \
+                $(BASH) \
+                $(BASH_TACPLUS)) \
         $$(addprefix $(TARGET_PATH)/,$$($$*_DOCKERS)) \
         $$(addprefix $(TARGET_PATH)/,$$(SONIC_PACKAGES_LOCAL)) \
         $$(addprefix $(FILES_PATH)/,$$($$*_FILES)) \

diff --git a/src/tacacs/.gitignore b/src/tacacs/.gitignore
@@ -1,5 +1,6 @@
 *
 !.gitignore
+!bash_tacplus/*
 nsm/*
 !nsm/Makefile
 !nsm/*.patch

diff --git a/src/tacacs/bash_tacplus/Makefile.am b/src/tacacs/bash_tacplus/Makefile.am
@@ -0,0 +1,27 @@
+###########################################################################
+##
+## File:        ./Makefile.am
+## Versions:    $Id: Makefile.am,v 1.0 2021/08/24 12:04:29 [email protected] Exp $
+## Created:     2021/08/24
+##
+###########################################################################
+
+ACLOCAL_AMFLAGS = -I config
+AUTOMAKE_OPTIONS = subdir-objects
+
+moduledir = @plugindir@
+module_LTLIBRARIES = bash_tacplus.la
+bash_tacplus_la_SOURCES = bash_tacplus.h \
+bash_tacplus.c
+bash_tacplus_la_CFLAGS = $(AM_CFLAGS) -I $(top_srcdir)/libtac/include
+bash_tacplus_la_LDFLAGS = -module -avoid-version
+
+EXTRA_DIST = bash_tacplus.spec
+
+MAINTAINERCLEANFILES = Makefile.in config.h.in configure aclocal.m4 \
+                       config/config.guess  config/config.sub  config/depcomp \
+                       config/install-sh config/ltmain.sh config/missing
+
+pkgconfigdir = $(libdir)/pkgconfig
+
+SUBDIRS = unittest