[TACACS+] Add Bash TACACS+ plugin for per-command authorization. #8715

Merged
merged 24 commits into from
Nov 13, 2021
00e9867
[TACACS+]: Add TACACS support library and fix memory leak issue.
liuh-80 Aug 31, 2021
7dcf307
Add Bash TACACS+ plugin.
liuh-80 Sep 9, 2021
fff5f0c
Improve code.
liuh-80 Sep 9, 2021
dcc782b
Fix code according to discussion and PR comments.
liuh-80 Sep 10, 2021
d90e0c8
Fix PR comments
liuh-80 Sep 10, 2021
b53c4f8
Improve code by PR comments.
liuh-80 Sep 16, 2021
22cfd79
Fix make file
Sep 16, 2021
8d70ebb
Merge remote-tracking branch 'origin/master' into dev/liuh/bash_tacplus
liuh-80 Sep 17, 2021
db26d95
Build package with dpkg-buildpackage
liuh-80 Sep 18, 2021
829b0df
Merge remote-tracking branch 'origin' into dev/liuh/bash_tacplus
liuh-80 Oct 29, 2021
cc496f4
Improve bash plugin code.
liuh-80 Oct 29, 2021
a729bb6
Fix parse /etc/tacplus_nss.conf issue. also fix server list not clean…
liuh-80 Oct 29, 2021
3bcd3c4
Fix some missing change caused by git history cleanup for PR review.
liuh-80 Oct 29, 2021
00be3e2
Fix PR comments.
liuh-80 Nov 4, 2021
6a89731
Improve patch file.
liuh-80 Nov 4, 2021
60d70b2
Add post-install script to update bash config file.
liuh-80 Nov 5, 2021
36af0f9
Merge remote-tracking branch 'origin' into dev/liuh/bash_tacplus
liuh-80 Nov 5, 2021
1e24fe8
Fix the bash plugin not installed issue.
liuh-80 Nov 10, 2021
5376bb1
Fix bash tacacs plugin build rule.
liuh-80 Nov 10, 2021
29bef8d
Fix make file issue.
liuh-80 Nov 10, 2021
5c9cd95
Change bash_tacplus build rule to SONIC_DPKG_DEBS because no need to …
liuh-80 Nov 10, 2021
7f3366b
Update patch file according to PR comments.
liuh-80 Nov 10, 2021
d4e9e0c
Fix patched version of bash not installed issue.
liuh-80 Nov 11, 2021
9cba880
Fix parse debug flag in config file issue.
liuh-80 Nov 12, 2021
30 changes: 30 additions & 0 deletions ThirdPartyLicenses.txt
Expand Up @@ -1170,3 +1170,33 @@ Microsoft is offering you a license to use the following components, to the exte
* See the License for the specific language governing permissions and
* limitations under the License.
*/

5. src/tacacs/bash/bash_tacplus based on https://github.com/daveolson53/tacplus-auth project using GNU GENERAL PUBLIC LICENSE Version 2

/* Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
* Upstream-Name: tacplus-auth
* Source: https://github.com/daveolson53/tacplus-auth
*
* Files: *
* Copyright: 2016 Cumulus Networks, Inc. All rights reserved.,
* 2010 Pawel Krawczyk <pawel.krawczyk@hush.com> and Jeroen Nijhof <jeroen@jeroennijhof.nl>.
* License: GPL-2+
*
* License: GPL-2+
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
* .
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* .
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
* .
* On Debian systems, the full copy of the GPL-2 license can be found in
* /usr/share/common-licenses/GPL-2
*/
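Review bot: the heading line of the new entry gives the component path as `src/tacacs/bash/bash_tacplus`, but the rest of this change places the source at `src/tacacs/bash_tacplus` (`$(BASH_TACPLUS)_SRC_PATH = $(SRC_PATH)/tacacs/bash_tacplus` in rules/tacacs.mk, `!bash_tacplus/*` in src/tacacs/.gitignore). Please correct the path so the license notice points at the directory that actually carries the GPL-2+ derived code.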
5 changes: 4 additions & 1 deletion files/build_templates/sonic_debian_extension.j2
Expand Up @@ -272,7 +272,7 @@ sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/sonic-utilities-data_*.deb || \
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f

# Install customized bash version to patch bash plugin support.
sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/bash_*.deb || \
sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/bash_*.deb || \
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f

# sonic-utilities-data installs bash-completion as a dependency. However, it is disabled by default
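Review bot: the `|| ... apt-get -y install -f` fallback on the `bash_*.deb` line lets the build continue when `dpkg -i` fails, including when the glob under `$debs_path` matches no file, and the image then ships whatever bash is already in the root filesystem. The path correction in this hunk is exactly the kind of mistake that fallback hides. Since per-command authorization depends on the customized bash, consider failing the build here, or checking after this step that the bash installed in `$FILESYSTEM_ROOT` is the customized package.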
Expand Down Expand Up @@ -323,6 +323,9 @@ sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/libpam-tacplus_*.deb || \
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/libnss-tacplus_*.deb || \
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
# Install bash-tacplus
sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/bash-tacplus_*.deb || \
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
# Disable tacplus by default
sudo LANG=C chroot $FILESYSTEM_ROOT pam-auth-update --remove tacplus
sudo sed -i -e '/^passwd/s/ tacplus//' $FILESYSTEM_ROOT/etc/nsswitch.conf
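Review bot: the `# Disable tacplus by default` block that follows the new install lines only removes the PAM profile and the `tacplus` entry from nsswitch.conf; nothing in this hunk shows the bash plugin being left inactive once `bash-tacplus_*.deb` is installed. Please confirm, and say in the comment above the new lines, whether the plugin stays off until TACACS+ authorization is configured, so that a fresh image with no server defined does not end up rejecting commands for local users.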
12 changes: 12 additions & 0 deletions rules/tacacs.dep
Expand Up @@ -21,3 +21,15 @@ $(LIBNSS_TACPLUS)_CACHE_MODE := GIT_CONTENT_SHA
$(LIBNSS_TACPLUS)_DEP_FLAGS := $(SONIC_COMMON_FLAGS_LIST)
$(LIBNSS_TACPLUS)_DEP_FILES := $(DEP_FILES)




SPATH := $($(BASH_TACPLUS)_SRC_PATH)
DEP_FILES := $(SONIC_COMMON_FILES_LIST) rules/tacacs.mk rules/tacacs.dep
DEP_FILES += $(SONIC_COMMON_BASE_FILES_LIST)
DEP_FILES += $(shell git ls-files $(SPATH))

$(BASH_TACPLUS)_CACHE_MODE := GIT_CONTENT_SHA
$(BASH_TACPLUS)_DEP_FLAGS := $(SONIC_COMMON_FLAGS_LIST)
$(BASH_TACPLUS)_DEP_FILES := $(DEP_FILES)

13 changes: 13 additions & 0 deletions rules/tacacs.mk
Expand Up @@ -29,6 +29,19 @@ $(LIBNSS_TACPLUS)_RDEPENDS += $(LIBTAC2)
$(LIBNSS_TACPLUS)_SRC_PATH = $(SRC_PATH)/tacacs/nss
SONIC_MAKE_DEBS += $(LIBNSS_TACPLUS)


# bash-tacplus packages
BASH_TACPLUS_VERSION = 1.0.0

export BASH_TACPLUS_VERSION

BASH_TACPLUS = bash-tacplus_$(BASH_TACPLUS_VERSION)_$(CONFIGURED_ARCH).deb
$(BASH_TACPLUS)_DEPENDS += $(LIBTAC_DEV)
$(BASH_TACPLUS)_RDEPENDS += $(LIBTAC2)
$(BASH_TACPLUS)_SRC_PATH = $(SRC_PATH)/tacacs/bash_tacplus
SONIC_DPKG_DEBS += $(BASH_TACPLUS)


# The .c, .cpp, .h & .hpp files under src/{$DBG_SRC_ARCHIVE list}
# are archived into debug one image to facilitate debugging.
#
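Review bot: `$(BASH_TACPLUS)_RDEPENDS` lists only `$(LIBTAC2)`, although the plugin is useful only together with the customized bash that sonic_debian_extension.j2 installs for plugin support. If the build rules allow it, add `$(BASH)` to the runtime dependencies, or add a comment saying where that pairing is enforced. A one-line comment explaining why this package goes into `SONIC_DPKG_DEBS` while the libnss-tacplus block just above uses `SONIC_MAKE_DEBS` would also help the next reader.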
3 changes: 2 additions & 1 deletion slave.mk
Expand Up @@ -921,7 +921,8 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
$(PYTHON3_SWSSCOMMON) \
$(SONIC_UTILITIES_DATA) \
$(SONIC_HOST_SERVICES_DATA) \
$(BASH)) \
$(BASH) \
$(BASH_TACPLUS)) \
$$(addprefix $(TARGET_PATH)/,$$($$*_DOCKERS)) \
$$(addprefix $(TARGET_PATH)/,$$(SONIC_PACKAGES_LOCAL)) \
$$(addprefix $(FILES_PATH)/,$$($$*_FILES)) \
1 change: 1 addition & 0 deletions src/tacacs/.gitignore
@@ -1,5 +1,6 @@
*
!.gitignore
!bash_tacplus/*
nsm/*
!nsm/Makefile
!nsm/*.patch
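Review bot: `!bash_tacplus/*` re-includes at most the entries directly under bash_tacplus/; files in subdirectories (Makefile.am declares `SUBDIRS = unittest`) still match the leading `*` and stay ignored unless they are force-added. Because rules/tacacs.dep builds its dependency list from `git ls-files $(SPATH)`, a file left untracked this way would also be missing from the cache key. Worth running `git check-ignore -v` on a file under unittest/ and adding a negation for nested paths if it reports a match.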
27 changes: 27 additions & 0 deletions src/tacacs/bash_tacplus/Makefile.am
@@ -0,0 +1,27 @@
###########################################################################
##
## File: ./Makefile.am
## Versions: $Id: Makefile.am,v 1.0 2021/08/24 12:04:29 liuh@microsoft.com Exp $
## Created: 2021/08/24
##
###########################################################################

ACLOCAL_AMFLAGS = -I config
AUTOMAKE_OPTIONS = subdir-objects

moduledir = @plugindir@
module_LTLIBRARIES = bash_tacplus.la
bash_tacplus_la_SOURCES = bash_tacplus.h \
bash_tacplus.c
bash_tacplus_la_CFLAGS = $(AM_CFLAGS) -I $(top_srcdir)/libtac/include
bash_tacplus_la_LDFLAGS = -module -avoid-version

EXTRA_DIST = bash_tacplus.spec

MAINTAINERCLEANFILES = Makefile.in config.h.in configure aclocal.m4 \
config/config.guess config/config.sub config/depcomp \
config/install-sh config/ltmain.sh config/missing

pkgconfigdir = $(libdir)/pkgconfig

SUBDIRS = unittest
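Review bot: `bash_tacplus_la_CFLAGS` adds `-I $(top_srcdir)/libtac/include`, but rules/tacacs.mk builds this package against `$(LIBTAC_DEV)`, so unless a libtac/ tree is vendored under bash_tacplus that include path is dead and should be dropped. The module rule also has no `bash_tacplus_la_LIBADD` for libtac; if configure does not add the library to `LIBS`, the missing symbols only surface at run time when bash loads or calls into the plugin, so an explicit LIBADD is safer. `pkgconfigdir` is defined with no `pkgconfig_DATA` in this file and looks like a leftover.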