[TACACS+] Add Bash TACACS+ plugin for per-command authorization.

ThirdPartyLicenses.txt

@@ -7,6 +7,7 @@ This file provides information regarding components that are being relicensed to
 Microsoft is offering you a license to use the following components, to the extent they are included within the Microsoft Azure Cross-Platform Command-Line Interface (the "Microsoft Program"), subject to the terms of your license to use the Microsoft Product. Insofar as a component is dual licensed under the GPL and a license that permits relicensing under proprietary terms, Microsoft neither took the code under the GPL nor distributes it thereunder but under the terms of the license that permits relicensing under proprietary terms, as set out below. All notices and licenses set forth below are for informational purposes only.
 
  1. onie-mk-demo.sh, sharch_body.sh, install.sh imported and modified from ONIE versions 2014.11 and 2015.8 using GNU GENERAL PUBLIC LICENSE Version 2
+ 2. src\tacacs\bash\bash_tacplus based on https://github.com/daveolson53/tacplus-auth project using GNU GENERAL PUBLIC LICENSE Version 2
 
 /*
  *   ONIE is Free Software.  You can redistribute ONIE and/or modify it
@@ -297,9 +298,9 @@ Microsoft is offering you a license to use the following components, to the exte
  * 		     END OF TERMS AND CONDITIONS
  */
 
-2. union-fsck imported and modified from initramfs-tools version 0.91e (http://anonscm.debian.org/cgit/kernel/initramfs-tools.git/tag/?h=0.91e) using GPL v2 or any later version
+3. union-fsck imported and modified from initramfs-tools version 0.91e (http://anonscm.debian.org/cgit/kernel/initramfs-tools.git/tag/?h=0.91e) using GPL v2 or any later version
 
-3. boot0 imported from https://github.com/aristanetworks/sonic using GNU GENERAL PUBLIC LICENSE Version 3
+4. boot0 imported from https://github.com/aristanetworks/sonic using GNU GENERAL PUBLIC LICENSE Version 3
 
 /*                     GNU GENERAL PUBLIC LICENSE
  *                        Version 3, 29 June 2007
@@ -977,7 +978,7 @@ Microsoft is offering you a license to use the following components, to the exte
  * <http://www.gnu.org/philosophy/why-not-lgpl.html>.
  */
 
-4. apt-clean, apt-gzip-indexes, apt-no-languages imported from docker v1.11.1
+5. apt-clean, apt-gzip-indexes, apt-no-languages imported from docker v1.11.1
 /*
  *                                 Apache License
  *                           Version 2.0, January 2004

files/build_templates/sonic_debian_extension.j2

@@ -313,6 +313,9 @@ sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/libpam-tacplus_*.deb || \
     sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
 sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/libnss-tacplus_*.deb || \
     sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
+# Install bash-tacplus
+sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/bash-tacplus_*.deb || \
+    sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
 # Disable tacplus by default
 sudo LANG=C chroot $FILESYSTEM_ROOT pam-auth-update --remove tacplus
 sudo sed -i -e '/^passwd/s/ tacplus//' $FILESYSTEM_ROOT/etc/nsswitch.conf

rules/tacacs.mk

@@ -29,6 +29,19 @@ $(LIBNSS_TACPLUS)_RDEPENDS += $(LIBTAC2)
 $(LIBNSS_TACPLUS)_SRC_PATH = $(SRC_PATH)/tacacs/nss
 SONIC_MAKE_DEBS += $(LIBNSS_TACPLUS)
 
+
+# bash-tacplus packages
+BASH_TACPLUS_VERSION = 1.0.0
+
+export BASH_TACPLUS_VERSION
+
+BASH_TACPLUS = bash-tacplus_$(BASH_TACPLUS_VERSION)_$(CONFIGURED_ARCH).deb
+$(BASH_TACPLUS)_DEPENDS += $(LIBTAC_DEV)
+$(BASH_TACPLUS)_RDEPENDS += $(LIBTAC2)
+$(BASH_TACPLUS)_SRC_PATH = $(SRC_PATH)/tacacs/bash
+SONIC_MAKE_DEBS += $(BASH_TACPLUS)
+
+
 # The .c, .cpp, .h & .hpp files under src/{$DBG_SRC_ARCHIVE list}
 # are archived into debug one image to facilitate debugging.
 #

src/tacacs/.gitignore

@@ -1,5 +1,8 @@
 *
 !.gitignore
+bash/*
+!bash/Makefile
+!bash/bash_tacplus/*
 nsm/*
 !nsm/Makefile
 !nsm/*.patch

src/tacacs/bash/Makefile

@@ -0,0 +1,25 @@
+.ONESHELL:
+SHELL = /bin/bash
+.SHELLFLAGS += -e
+
+MAIN_TARGET = bash-tacplus_$(NSS_TACPLUS_VERSION)_$(CONFIGURED_ARCH).deb
+
+$(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
+	pushd ./bash_tacplus
+
+	# config source code
+	autoreconf
+	./configure
+
+	# build bash_tacplus
+	make
+	dpkg-buildpackage -rfakeroot -b -us -uc -j$(SONIC_CONFIG_MAKE_JOBS) --admindir $(SONIC_DPKG_ADMINDIR)
+
+	# run UT after build package
+	make -C unittest && make test -C unittest
+
+	popd
+
+	mv $(DERIVED_TARGETS) $* $(DEST)/
+
+$(addprefix $(DEST)/, $(DERIVED_TARGETS)): $(DEST)/% : $(DEST)/$(MAIN_TARGET)

src/tacacs/bash/bash_tacplus/Makefile.am

@@ -0,0 +1,26 @@
+###########################################################################
+##
+## File:        ./Makefile.am
+## Versions:    $Id: Makefile.am,v 1.0 2021/08/24 12:04:29 liuh@microsoft.com Exp $
+## Created:     2021/08/24
+##
+###########################################################################
+
+ACLOCAL_AMFLAGS = -I config
+AUTOMAKE_OPTIONS = subdir-objects
+
+moduledir = @plugindir@
+module_LTLIBRARIES = bash_tacplus.la
+bash_tacplus_la_SOURCES = bash_tacplus.h \
+bash_tacplus.c
+bash_tacplus_la_CFLAGS = $(AM_CFLAGS) -I $(top_srcdir)/libtac/include
+bash_tacplus_la_LDFLAGS = -module -avoid-version
+
+EXTRA_DIST = bash_tacplus.spec
+
+MAINTAINERCLEANFILES = Makefile.in config.h.in configure aclocal.m4 \
+                       config/config.guess  config/config.sub  config/depcomp \
+                       config/install-sh config/ltmain.sh config/missing
+
+pkgconfigdir = $(libdir)/pkgconfig
+