
Commit ff09b8b

[TACACS+] Add Bash TACACS+ plugin for per-command authorization. (sonic-net#8715)
This pull request adds a bash plugin for TACACS+ per-command authorization. #### Why I did it 1. To support TACACS+ per-command authorization, we check each user command before executing it. 2. Fix libtacsupport.so not parsing tacplus_nss.conf correctly: support the debug=on setting, and support putting the server address and secret in the same row. 3. Fix the parse_config_file method not resetting the server list before parsing the config file. #### How I did it The bash plugin is called before every user command and checks the command with the remote TACACS+ server for per-command authorization. #### How to verify it UT with CUnit covers all code in this plugin. Also passes all current UT. #### Which release branch to backport (provide reason below if selected) N/A #### Description for the changelog Add Bash TACACS+ plugin. #### A picture of a cute animal (not mandatory but encouraged)
1 parent 6451733 commit ff09b8b

20 files changed

+1260
-27
lines changed

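--- a/ThirdPartyLicenses.txt
+++ b/ThirdPartyLicenses.txt
@@ -1170,3 +1170,33 @@ Microsoft is offering you a license to use the following components, to the exte
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
+
+5. src/tacacs/bash/bash_tacplus based on https://github.com/daveolson53/tacplus-auth project using GNU GENERAL PUBLIC LICENSE Version 2
+
+/* Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+* Upstream-Name: tacplus-auth
+* Source: https://github.com/daveolson53/tacplus-auth
+*
+* Files: *
+* Copyright: 2016 Cumulus Networks, Inc. All rights reserved.,
+* 2010 Pawel Krawczyk <pawel.krawczyk@hush.com> and Jeroen Nijhof <jeroen@jeroennijhof.nl>.
+* License: GPL-2+
+*
+* License: GPL-2+
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+* .
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+* .
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+* .
+* On Debian systems, the full copy of the GPL-2 license can be found in
+* /usr/share/common-licenses/GPL-2
+*/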

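--- a/files/build_templates/sonic_debian_extension.j2
+++ b/files/build_templates/sonic_debian_extension.j2
@@ -225,7 +225,7 @@ sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/sonic-utilities-data_*.deb || \
 sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
 
 # Install customized bash version to patch bash plugin support.
-sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/bash_*.deb || \
+sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/bash_*.deb || \
 sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
 
 # sonic-utilities-data installs bash-completion as a dependency. However, it is disabled by default
@@ -274,6 +274,9 @@ sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/libpam-tacplus_*.deb || \
 sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
 sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/libnss-tacplus_*.deb || \
 sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
+# Install bash-tacplus
+sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/bash-tacplus_*.deb || \
+sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
 # Disable tacplus by default
 sudo LANG=C chroot $FILESYSTEM_ROOT pam-auth-update --remove tacplus
 sudo sed -i -e '/^passwd/s/ tacplus//' $FILESYSTEM_ROOT/etc/nsswitch.conf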
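Review bot: The `# Disable tacplus by default` block that follows the new install removes only the PAM entry and the nsswitch hook, so it is not visible from this hunk whether bash-tacplus is also inactive in a freshly built image; if the patched bash loads the plugin regardless of those two settings, per-command authorization (and its failure mode) would be live by default. Please extend the new comment to something like `# Install bash-tacplus (per-command authorization plugin for the patched bash; inactive until TACACS+ is enabled)` with the real activation condition, so the default state is documented next to the other tacplus disable steps. Note also that the `|| apt-get -y install -f` fallback inherited from the surrounding lines can leave the image without the plugin when dpkg fails for a reason other than missing dependencies, which for an authorization component is the silent fail-open direction.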

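--- a/rules/tacacs.dep
+++ b/rules/tacacs.dep
@@ -21,3 +21,15 @@ $(LIBNSS_TACPLUS)_CACHE_MODE := GIT_CONTENT_SHA
 $(LIBNSS_TACPLUS)_DEP_FLAGS := $(SONIC_COMMON_FLAGS_LIST)
 $(LIBNSS_TACPLUS)_DEP_FILES := $(DEP_FILES)
 
+
+
+
+SPATH := $($(BASH_TACPLUS)_SRC_PATH)
+DEP_FILES := $(SONIC_COMMON_FILES_LIST) rules/tacacs.mk rules/tacacs.dep
+DEP_FILES += $(SONIC_COMMON_BASE_FILES_LIST)
+DEP_FILES += $(shell git ls-files $(SPATH))
+
+$(BASH_TACPLUS)_CACHE_MODE := GIT_CONTENT_SHA
+$(BASH_TACPLUS)_DEP_FLAGS := $(SONIC_COMMON_FLAGS_LIST)
+$(BASH_TACPLUS)_DEP_FILES := $(DEP_FILES)
+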
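Review bot: `DEP_FILES += $(shell git ls-files $(SPATH))` keys the GIT_CONTENT_SHA cache on tracked files only, so anything under src/tacacs/bash_tacplus that git does not track — including files that the sibling `.gitignore` rule `!bash_tacplus/*` leaves ignored in subdirectories such as unittest/ — never invalidates a cached bash-tacplus deb. This is the same convention the LIBNSS_TACPLUS stanza above uses, so it is fine as long as every plugin source is tracked; a one-line comment ahead of it, `# cache key covers tracked files only - keep all plugin sources under git`, would make that assumption explicit. Minor style: the run of empty lines before `SPATH :=` appears to be three, where a single blank line separates the other stanzas.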

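--- a/rules/tacacs.mk
+++ b/rules/tacacs.mk
@@ -29,6 +29,19 @@ $(LIBNSS_TACPLUS)_RDEPENDS += $(LIBTAC2)
 $(LIBNSS_TACPLUS)_SRC_PATH = $(SRC_PATH)/tacacs/nss
 SONIC_MAKE_DEBS += $(LIBNSS_TACPLUS)
 
+
+# bash-tacplus packages
+BASH_TACPLUS_VERSION = 1.0.0
+
+export BASH_TACPLUS_VERSION
+
+BASH_TACPLUS = bash-tacplus_$(BASH_TACPLUS_VERSION)_$(CONFIGURED_ARCH).deb
+$(BASH_TACPLUS)_DEPENDS += $(LIBTAC_DEV)
+$(BASH_TACPLUS)_RDEPENDS += $(LIBTAC2)
+$(BASH_TACPLUS)_SRC_PATH = $(SRC_PATH)/tacacs/bash_tacplus
+SONIC_DPKG_DEBS += $(BASH_TACPLUS)
+
+
 # The .c, .cpp, .h & .hpp files under src/{$DBG_SRC_ARCHIVE list}
 # are archived into debug one image to facilitate debugging.
 #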
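Review bot: `$(BASH_TACPLUS)_DEPENDS += $(LIBTAC_DEV)` is the only build dependency, yet the plugin targets the customized bash that sonic_debian_extension.j2 installs for "bash plugin support"; if the plugin compiles against a header or ABI shipped by that bash package, a change to the bash patch would neither rebuild nor order this package, and a mismatched plugin would only surface when bash tries to load it at login. If that is the case, add `$(BASH_TACPLUS)_DEPENDS += $(BASH)` (the variable already exists, slave.mk lists it among installer inputs); if the plugin interface is self-contained under src/tacacs/bash_tacplus, say so in a comment next to `# bash-tacplus packages` so the next reader does not have to ask. I cannot see the plugin sources from this hunk, so treat this as a question rather than a confirmed gap.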

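--- a/slave.mk
+++ b/slave.mk
@@ -943,7 +943,8 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
 $(PYTHON3_SWSSCOMMON) \
 $(SONIC_UTILITIES_DATA) \
 $(SONIC_HOST_SERVICES_DATA) \
-$(BASH)) \
+$(BASH) \
+$(BASH_TACPLUS)) \
 $$(addprefix $(TARGET_PATH)/,$$($$*_DOCKERS)) \
 $$(addprefix $(TARGET_PATH)/,$$(SONIC_PACKAGES_LOCAL)) \
 $$(addprefix $(FILES_PATH)/,$$($$*_FILES)) \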

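--- a/src/tacacs/.gitignore
+++ b/src/tacacs/.gitignore
@@ -1,5 +1,6 @@
 *
 !.gitignore
+!bash_tacplus/*
 nsm/*
 !nsm/Makefile
 !nsm/*.patch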
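Review bot: `!bash_tacplus/*` re-includes only the direct children of bash_tacplus/, because `*` in a gitignore pattern does not cross a `/`; files under bash_tacplus/unittest/ (the `SUBDIRS = unittest` of the new Makefile.am) stay covered by the leading `*` and are invisible to `git add` and to the `git ls-files` cache key in rules/tacacs.dep unless they were force-added. Use `!bash_tacplus/**` instead so the whole plugin tree, tests included, is tracked. If the unittest sources were force-added this is not an immediate breakage, but any later file added there would be silently dropped from both the repository and the build-cache key.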

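--- a/src/tacacs/bash_tacplus/Makefile.am
+++ b/src/tacacs/bash_tacplus/Makefile.am
@@ -0,0 +1,27 @@
+###########################################################################
+##
+## File: ./Makefile.am
+## Versions: $Id: Makefile.am,v 1.0 2021/08/24 12:04:29 liuh@microsoft.com Exp $
+## Created: 2021/08/24
+##
+###########################################################################
+
+ACLOCAL_AMFLAGS = -I config
+AUTOMAKE_OPTIONS = subdir-objects
+
+moduledir = @plugindir@
+module_LTLIBRARIES = bash_tacplus.la
+bash_tacplus_la_SOURCES = bash_tacplus.h \
+bash_tacplus.c
+bash_tacplus_la_CFLAGS = $(AM_CFLAGS) -I $(top_srcdir)/libtac/include
+bash_tacplus_la_LDFLAGS = -module -avoid-version
+
+EXTRA_DIST = bash_tacplus.spec
+
+MAINTAINERCLEANFILES = Makefile.in config.h.in configure aclocal.m4 \
+config/config.guess config/config.sub config/depcomp \
+config/install-sh config/ltmain.sh config/missing
+
+pkgconfigdir = $(libdir)/pkgconfig
+
+SUBDIRS = unittest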
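Review bot: `bash_tacplus_la_LDFLAGS = -module -avoid-version` carries no `-no-undefined`, and there is no `bash_tacplus_la_LIBADD`, so unless configure.ac puts `-ltac` into LIBS the module links with unresolved libtac references and the failure only appears when the patched bash dlopens the plugin at login — for an authorization plugin that is the wrong place to fail, and depending on how bash treats a failed load it may mean commands run without the check. Suggest `bash_tacplus_la_LIBADD = -ltac` and `bash_tacplus_la_LDFLAGS = -module -avoid-version -no-undefined` so a missing symbol breaks the build instead. Separately, `-I $(top_srcdir)/libtac/include` looks inherited from the upstream tacplus-auth tree; here the libtac headers come from the libtac-dev build dependency declared in rules/tacacs.mk, so that path is probably dead. `pkgconfigdir` is set but no `pkgconfig_DATA` uses it, and the `$Id:` CVS keyword line with a personal e-mail in the header is boilerplate that can go.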
