Add California-SB237 feature. Requires to change default user password (sonic-net#12678)

andriydnvd · web-flow · commit c1dd94f3689a · 2023-02-23T15:36:37.000-08:00
#### Why I did it Add support of California-SB237 conformance. https://github.com/sonic-net/SONiC/tree/master/doc/California-SB237 #### How I did it Expire user passwords during build #### How to verify it Enable build flag and check if default user is prompted for a new password
diff --git a/Makefile.work b/Makefile.work
@@ -499,6 +499,7 @@ SONIC_BUILD_INSTRUCTION :=  $(MAKE) \
                            MDEBUG=$(MDEBUG) \
                            PASSWORD=$(PASSWORD) \
                            USERNAME=$(USERNAME) \
+			   CHANGE_DEFAULT_PASSWORD=$(CHANGE_DEFAULT_PASSWORD) \
                            SONIC_BUILD_JOBS=$(SONIC_BUILD_JOBS) \
                            SONIC_USE_DOCKER_BUILDKIT=$(SONIC_USE_DOCKER_BUILDKIT) \
                            VS_PREPARE_MEM=$(VS_PREPARE_MEM) \
diff --git a/build_debian.sh b/build_debian.sh
@@ -684,6 +684,16 @@ sudo LANG=C chroot $FILESYSTEM_ROOT umount /proc || true
 ## Prepare empty directory to trigger mount move in initramfs-tools/mount_loop_root, implemented by patching
 sudo mkdir $FILESYSTEM_ROOT/host
 
+
+if [[ "$CHANGE_DEFAULT_PASSWORD" == "y" ]]; then
+    ## Expire default password for exitsing users that can do login
+    default_users=$(cat $FILESYSTEM_ROOT/etc/passwd | grep "/home"|  grep ":/bin/bash\|:/bin/sh" | awk -F ":" '{print $1}' 2> /dev/null)
+    for user in $default_users
+    do
+        sudo LANG=C chroot $FILESYSTEM_ROOT passwd -e ${user}
+    done
+fi
+
 ## Compress most file system into squashfs file
 sudo rm -f $ONIE_INSTALLER_PAYLOAD $FILESYSTEM_SQUASHFS
 ## Output the file system total size for diag purpose
diff --git a/check_install.py b/check_install.py
@@ -11,6 +11,7 @@ def main():
     parser = argparse.ArgumentParser(description='test_login cmdline parser')
     parser.add_argument('-u', default="admin", help='login user name')
     parser.add_argument('-P', default="YourPaSsWoRd", help='login password')
+    parser.add_argument('-N', default="Test@2022", help='new password')
     parser.add_argument('-p', type=int, default=9000, help='local port')
 
     args = parser.parse_args()
@@ -20,6 +21,7 @@ def main():
     cmd_prompt = "{}@sonic:~\$ $".format(args.u)
     grub_selection = "The highlighted entry will be executed"
     firsttime_prompt = 'firsttime_exit'
+    passwd_change_prompt = ['Current password:', 'New password:', 'Retype new password:']
 
     i = 0
     while True:
@@ -36,7 +38,6 @@ def main():
     # select default SONiC Image
     p.expect(grub_selection)
     p.sendline()
-
     # bootup sonic image
     while True:
         i = p.expect([login_prompt, passwd_prompt, firsttime_prompt, cmd_prompt])
@@ -46,6 +47,30 @@ def main():
         elif i == 1:
             # send password
             p.sendline(args.P)
+            # Check for password change prompt
+            try:
+                p.expect('Current password:', timeout=2)
+            except pexpect.TIMEOUT:
+                break
+            else:
+                # send old password for password prompt
+                p.sendline(args.P)
+                p.expect(passwd_change_prompt[1])
+                # send new password
+                p.sendline(args.N)
+                p.expect(passwd_change_prompt[2])
+                # retype new password
+                p.sendline(args.N)
+                time.sleep(1)
+                # Restore default password
+                p.sendline('passwd {}'.format(args.u))
+                p.expect(passwd_change_prompt[0])
+                p.sendline(args.N)
+                p.expect(passwd_change_prompt[1])
+                p.sendline(args.P)
+                p.expect(passwd_change_prompt[2])
+                p.sendline(args.P)
+                break
         elif i == 2:
             # fix a login timeout issue, caused by the login_prompt message mixed with the output message of the rc.local
             time.sleep(1)
diff --git a/rules/config b/rules/config
@@ -39,6 +39,9 @@ DEFAULT_BUILD_LOG_TIMESTAMP = none
 # Comment next line to disable:
 # SONIC_CONFIG_ENABLE_COLORS = y
 
+# CHANGE_DEFAULT_PASSWORD - enforce default user/users to change password on 1st login
+CHANGE_DEFAULT_PASSWORD ?= n
+
 # DEFAULT_USERNAME - default username for installer build
 DEFAULT_USERNAME = admin
 
diff --git a/slave.mk b/slave.mk
@@ -376,6 +376,7 @@ $(info "USE_NATIVE_DOCKERD_FOR_BUILD"    : "$(SONIC_CONFIG_USE_NATIVE_DOCKERD_FO
 $(info "SONIC_USE_DOCKER_BUILDKIT"       : "$(SONIC_USE_DOCKER_BUILDKIT)")
 $(info "USERNAME"                        : "$(USERNAME)")
 $(info "PASSWORD"                        : "$(PASSWORD)")
+$(info "CHANGE_DEFAULT_PASSWORD"         : "$(CHANGE_DEFAULT_PASSWORD)")
 $(info "ENABLE_DHCP_GRAPH_SERVICE"       : "$(ENABLE_DHCP_GRAPH_SERVICE)")
 $(info "SHUTDOWN_BGP_ON_START"           : "$(SHUTDOWN_BGP_ON_START)")
 $(info "ENABLE_PFCWD_ON_START"           : "$(ENABLE_PFCWD_ON_START)")
@@ -1430,6 +1431,7 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
 		DEBUG_SRC_ARCHIVE_FILE="$(DBG_SRC_ARCHIVE_FILE)" \
 		USERNAME="$(USERNAME)" \
 		PASSWORD="$(PASSWORD)" \
+		CHANGE_DEFAULT_PASSWORD="$(CHANGE_DEFAULT_PASSWORD)" \
 		TARGET_MACHINE=$(dep_machine) \
 		IMAGE_TYPE=$($*_IMAGE_TYPE) \
 		TARGET_PATH=$(TARGET_PATH) \
