Merge pull request #137 from mssonicbld/sonicbld/202205-merge

[code sync] Merge code from sonic-net/sonic-buildimage:202205 to 202205

files/build_templates/snmp.service.j2

@@ -10,6 +10,7 @@ StartLimitIntervalSec=1200
 StartLimitBurst=3
 
 [Service]
+ExecStartPre=/bin/bash -c 'end=$((SECONDS+20));while [ $SECONDS -lt $end ];do if /usr/bin/pgrep intfmgrd >/dev/null;then break;else sleep 1;fi;done'
 ExecStartPre=/usr/local/bin/{{docker_container_name}}.sh start
 ExecStart=/usr/local/bin/{{docker_container_name}}.sh wait
 ExecStop=/usr/local/bin/{{docker_container_name}}.sh stop

src/tacacs/bash_tacplus/bash_tacplus.c

@@ -14,8 +14,8 @@
 /* Remote user gecos prefix, which been assigned by nss_tacplus */
 #define REMOTE_USER_GECOS_PREFIX      "remote_user"
 
-/* Default value for _SC_GETPW_R_SIZE_MAX */
-#define DEFAULT_SC_GETPW_R_SIZE_MAX     1024
+/* Default value for getpwent */
+#define DEFAULT_GETPWENT_SIZE_MAX     4096
 
 /* Return value for is_local_user method */
 #define IS_LOCAL_USER              0
@@ -31,6 +31,7 @@
 /* Output syslog to mock method when build with UT */
 #if defined (BASH_PLUGIN_UT)
 #define syslog mock_syslog
+#define getpwent_r mock_getpwent_r
 #endif
 
 /* Tacacs+ log format */
@@ -42,7 +43,7 @@
 /* Tacacs+ config file timestamp string length */
 #define  CONFIG_FILE_TIME_STAMP_LEN  100
 
-/* 
+/*
     Convert log to a string because va args resoursive issue:
     http://www.c-faq.com/varargs/handoff.html
 */
@@ -199,7 +200,7 @@ int tacacs_authorization(
             continue;
         }
 
-        // increase connected servers 
+        // increase connected servers
         connected_servers++;
         result = send_authorization_message(server_fd, user, tty, host, task_id, cmd, args, argc);
         close(server_fd);
@@ -279,15 +280,15 @@ void load_tacacs_config()
     }
 
     output_debug("TACACS+ control flag: 0x%x\n", tacacs_ctrl);
-    
+
     if (tacacs_ctrl & AUTHORIZATION_FLAG_TACACS) {
         output_debug("TACACS+ per-command authorization enabled.\n");
     }
 
     if (tacacs_ctrl & AUTHORIZATION_FLAG_LOCAL) {
         output_debug("Local per-command authorization enabled.\n");
     }
-    
+
     if (tacacs_ctrl & PAM_TAC_DEBUG) {
         output_debug("TACACS+ debug enabled.\n");
     }
@@ -350,40 +351,39 @@ int is_local_user(char *user)
     }
 
     struct passwd pwd;
-    struct passwd *pwdresult;
-    char *buf;
-    size_t bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
-    if (bufsize == -1) {
-        bufsize = DEFAULT_SC_GETPW_R_SIZE_MAX;
-    }
+    struct passwd *ppwd;
+    char buf[DEFAULT_GETPWENT_SIZE_MAX];
+    int pwdresult;
+    int result = ERROR_CHECK_LOCAL_USER;
+    setpwent();
+    while (1) {
+        pwdresult = getpwent_r(&pwd, buf, sizeof(buf), &ppwd);
+        if (pwdresult) {
+            // no more pw entry
+            break;
+        }
 
-    buf = malloc(bufsize);
-    if (buf == NULL) {
-       output_error("failed to allocate getpwnam_r buffer.\n");
-       return ERROR_CHECK_LOCAL_USER;
-    }
+        if (strcmp(ppwd->pw_name, user) != 0) {
+            continue;
+        }
 
-    int s = getpwnam_r(user, &pwd, buf, bufsize, &pwdresult);
-    int result = IS_LOCAL_USER;
-    if (pwdresult == NULL) {
-        if (s == 0)
-            output_error("get user information user failed, user: %s not found\n", user);
+        // compare passwd entry, for remote user pw_gecos will start as 'remote_user'
+        if (strncmp(ppwd->pw_gecos, REMOTE_USER_GECOS_PREFIX, strlen(REMOTE_USER_GECOS_PREFIX)) == 0) {
+            output_debug("user: %s, UID: %d, GECOS: %s is remote user.\n", user, ppwd->pw_uid, ppwd->pw_gecos);
+            result = IS_REMOTE_USER;
+        }
         else {
-            output_error("get user information failed, user: %s, errorno: %d\n", user, s);
+            output_debug("user: %s, UID: %d, GECOS: %s is local user.\n", user, ppwd->pw_uid, ppwd->pw_gecos);
+            result = IS_LOCAL_USER;
         }
-
-        result = ERROR_CHECK_LOCAL_USER;
-    }
-    else if (strncmp(pwd.pw_gecos, REMOTE_USER_GECOS_PREFIX, strlen(REMOTE_USER_GECOS_PREFIX)) == 0) {
-        output_debug("user: %s, UID: %d, GECOS: %s is remote user.\n", user, pwd.pw_uid, pwd.pw_gecos);
-        result = IS_REMOTE_USER;
+        break;
     }
-    else {
-        output_debug("user: %s, UID: %d, GECOS: %s is local user.\n", user, pwd.pw_uid, pwd.pw_gecos);
-        result = IS_LOCAL_USER;
+    endpwent();
+
+    if (result == ERROR_CHECK_LOCAL_USER) {
+        output_error("get user information user failed, user: %s not found\n", user);
     }
 
-    free(buf);
     return result;
 }
 
@@ -482,7 +482,7 @@ int on_shell_execve (char *user, int shell_level, char *cmd, char **argv)
         }
     }
 
-    // return 0, so bash will continue run user command and will check user permission with linux permission check. 
+    // return 0, so bash will continue run user command and will check user permission with linux permission check.
     output_debug("start local authorization for command %s with given arguments\n", cmd);
     return 0;
-}
+}

src/tacacs/bash_tacplus/unittest/mock_helper.c

@@ -3,6 +3,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <pwd.h>
 #include <CUnit/CUnit.h>
 #include <CUnit/Basic.h>
 
@@ -65,13 +66,13 @@ void initialize_tacacs_servers()
 		getaddrinfo(buffer, "49", &hints, &servers);
 		tac_srv[idx].addr = &(tac_srv_addr[idx]);
 		memcpy(tac_srv[idx].addr, servers, sizeof(struct addrinfo));
-		
+
         tac_srv[idx].addr->ai_addr = &(tac_sock_addr[idx]);
         memcpy(tac_srv[idx].addr->ai_addr, servers->ai_addr, sizeof(struct sockaddr));
-		
+
 		snprintf(tac_srv[idx].key, sizeof(tac_srv[idx].key), "key%d", idx);
         freeaddrinfo(servers);
-		
+
 		debug_printf("MOCK: initialize_tacacs_servers with index: %d, address: %p\n", idx, tac_srv[idx].addr);
 	}
 }
@@ -119,7 +120,7 @@ void tac_free_attrib(struct tac_attrib **attr)
 {
 	memory_allocate_count--;
 	debug_printf("MOCK: tac_free_attrib memory count: %d\n", memory_allocate_count);
-	
+
 	// the mock code here only free first allocated memory, because the mock tac_add_attrib implementation not allocate new memory.
 	free(*attr);
 }
@@ -133,7 +134,7 @@ int tac_author_send(int tac_fd, const char *user, char *tty, char *host,struct t
 		// send auth message failed
 		return -1;
 	}
-	
+
 	return 0;
 }
 
@@ -146,7 +147,7 @@ int tac_author_read(int tac_fd, struct areply *reply)
 	{
 		return -1;
 	}
-	
+
 	if (TEST_SCEANRIO_CONNECTION_SEND_DENINED_RESULT == test_scenario)
 	{
 		reply->status = AUTHOR_STATUS_FAIL;
@@ -155,15 +156,15 @@ int tac_author_read(int tac_fd, struct areply *reply)
 	{
 		reply->status = AUTHOR_STATUS_PASS_REPL;
 	}
-	
+
 	return 0;
 }
 
 /* Mock tac_connect_single method */
 int tac_connect_single(const struct addrinfo *address, const char *key, struct addrinfo *source_address, int timeout, char *vrfname)
 {
 	debug_printf("MOCK: tac_connect_single with address: %p\n", address);
-	
+
 	switch (test_scenario)
 	{
 		case TEST_SCEANRIO_CONNECTION_ALL_FAILED:
@@ -183,7 +184,7 @@ char *tac_ntop(const struct sockaddr *address)
 			return tac_natop_result_buffer;
 		}
 	}
-	
+
 	return "UnknownTestAddress";
 }
 
@@ -198,12 +199,41 @@ void mock_syslog(int priority, const char *format, ...)
 {
   // set mock message data to buffer for UT.
   memset(mock_syslog_message_buffer, 0, sizeof(mock_syslog_message_buffer));
-  
+
   va_list args;
   va_start (args, format);
   // save message to buffer to UT check later
   vsnprintf(mock_syslog_message_buffer, sizeof(mock_syslog_message_buffer), format, args);
   va_end (args);
-  
+
   debug_printf("MOCK: syslog: %s\n", mock_syslog_message_buffer);
+}
+
+int mock_getpwent_r(struct passwd *restrict pwbuf,
+                      char *buf, size_t buflen,
+                      struct passwd **restrict pwbufp)
+{
+	static char* test_user = "test_user";
+	static char* root_user = "root";
+	static char* empty_gecos = "";
+	static char* remote_gecos = "remote_user";
+	*pwbufp = pwbuf;
+	switch (test_scenario)
+	{
+		case TEST_SCEANRIO_CONNECTION_SEND_SUCCESS_RESULT:
+		case TEST_SCEANRIO_CONNECTION_SEND_DENINED_RESULT:
+		case TEST_SCEANRIO_IS_LOCAL_USER_REMOTE:
+			pwbuf->pw_name = test_user;
+			pwbuf->pw_gecos = remote_gecos;
+			pwbuf->pw_uid = 1000;
+			return 0;
+		case TEST_SCEANRIO_IS_LOCAL_USER_ROOT:
+			pwbuf->pw_name = root_user;
+			pwbuf->pw_gecos = empty_gecos;
+			pwbuf->pw_uid = 0;
+			return 0;
+		case TEST_SCEANRIO_IS_LOCAL_USER_NOT_FOUND:
+			return 1;
+	}
+	return 1;
 }

src/tacacs/bash_tacplus/unittest/mock_helper.h

@@ -24,11 +24,16 @@
 /* Mock syslog buffer */
 extern char mock_syslog_message_buffer[1024];
 
-#define TEST_SCEANRIO_CONNECTION_ALL_FAILED				1
-#define TEST_SCEANRIO_CONNECTION_SEND_FAILED_RESULT			2
-#define TEST_SCEANRIO_CONNECTION_SEND_SUCCESS_READ_FAILED			3
-#define TEST_SCEANRIO_CONNECTION_SEND_DENINED_RESULT			4
-#define TEST_SCEANRIO_CONNECTION_SEND_SUCCESS_RESULT			5
+#define TEST_SCEANRIO_CONNECTION_ALL_FAILED                 1
+#define TEST_SCEANRIO_CONNECTION_SEND_FAILED_RESULT         2
+#define TEST_SCEANRIO_CONNECTION_SEND_SUCCESS_READ_FAILED   3
+#define TEST_SCEANRIO_CONNECTION_SEND_DENINED_RESULT        4
+#define TEST_SCEANRIO_CONNECTION_SEND_SUCCESS_RESULT        5
+#define TEST_SCEANRIO_LOAD_CHANGED_TACACS_CONFIG            6
+#define TEST_SCEANRIO_IS_LOCAL_USER_UNKNOWN                 7
+#define TEST_SCEANRIO_IS_LOCAL_USER_NOT_FOUND               8
+#define TEST_SCEANRIO_IS_LOCAL_USER_ROOT                    9
+#define TEST_SCEANRIO_IS_LOCAL_USER_REMOTE                  10
 
 /* Set test scenario for test*/
 void set_test_scenario(int scenario);