plugins/python: add python approval plugin wrapper

2025-08-22 01:49:11 +00:00 · 2020-02-11 10:29:20 +01:00 · 2020-02-11 10:29:20 +01:00 · 23af39b005
commit 23af39b005
parent 33e7fdcae0
7 changed files with 308 additions and 12 deletions
--- a/4
+++ b/4
@ -314,10 +314,14 @@ plugins/python/example_policy_plugin.py
 plugins/python/pyhelpers.c
 plugins/python/pyhelpers.h
 plugins/python/pyhelpers_cpychecker.h
+plugins/python/python_plugin_io_multi.inc
+plugins/python/python_plugin_audit_multi.inc
+plugins/python/python_plugin_approval_multi.inc
 plugins/python/python_baseplugin.c
 plugins/python/python_convmessage.c
 plugins/python/python_importblocker.c
 plugins/python/python_plugin_audit.c
+plugins/python/python_plugin_approval.c
 plugins/python/python_plugin_common.c
 plugins/python/python_plugin_common.h
 plugins/python/python_plugin_group.c
--- a/plugins/python/Makefile.in
+++ b/plugins/python/Makefile.in
@ -119,7 +119,7 @@ EXAMPLES = example_conversation.py  example_debugging.py  example_group_plugin.p

 OBJS =	python_plugin_common.lo python_plugin_policy.lo python_plugin_io.lo python_plugin_group.lo pyhelpers.lo \
 	python_importblocker.lo python_convmessage.lo sudo_python_module.lo sudo_python_debug.lo \
-	python_baseplugin.lo python_plugin_audit.lo
+	python_baseplugin.lo python_plugin_audit.lo python_plugin_approval.lo

 IOBJS = $(OBJS:.lo=.i)

@ -266,6 +266,12 @@ python_importblocker.i: $(srcdir)/python_importblocker.c \
 	$(CC) -E -o $@ $(CPPFLAGS) $<
 python_importblocker.plog: python_importblocker.i
 	rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/python_importblocker.c --i-file $< --output-file $@
+python_plugin_approval.lo: $(srcdir)/python_plugin_approval.c 
+	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/python_plugin_approval.c
+python_plugin_approval.i: $(srcdir)/python_plugin_approval.c 
+	$(CC) -E -o $@ $(CPPFLAGS) $<
+python_plugin_approval.plog: python_plugin_approval.i
+	rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/python_plugin_approval.c --i-file $< --output-file $@
 python_plugin_audit.lo: $(srcdir)/python_plugin_audit.c 
 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/python_plugin_audit.c
 python_plugin_audit.i: $(srcdir)/python_plugin_audit.c 
--- a/plugins/python/python_plugin_approval.c
+++ b/plugins/python/python_plugin_approval.c
@ -0,0 +1,210 @@
+/*
+ * SPDX-License-Identifier: ISC
+ *
+ * Copyright (c) 2019 Robert Manner <robert.manner@oneidentity.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This is an open source non-commercial project. Dear PVS-Studio, please check it.
+ * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
+ */
+
+#include "python_plugin_common.h"
+
+struct ApprovalPluginContext
+{
+    struct PluginContext base_ctx;
+    struct approval_plugin *plugin;
+};
+
+#define BASE_CTX(approval_ctx) (&(approval_ctx->base_ctx))
+
+#define PY_APPROVAL_PLUGIN_VERSION SUDO_API_MKVERSION(1, 0)
+
+#define CALLBACK_PLUGINFUNC(func_name) approval_ctx->plugin->func_name
+
+// This also verifies compile time that the name matches the sudo plugin API.
+#define CALLBACK_PYNAME(func_name) ((void)CALLBACK_PLUGINFUNC(func_name), #func_name)
+
+#define MARK_CALLBACK_OPTIONAL(function_name) \
+    do { \
+        python_plugin_mark_callback_optional(plugin_ctx, CALLBACK_PYNAME(function_name), \
+            (void **)&CALLBACK_PLUGINFUNC(function_name)); \
+    } while(0)
+
+
+static int
+python_plugin_approval_open(struct ApprovalPluginContext *approval_ctx,
+    unsigned int version, sudo_conv_t conversation, sudo_printf_t sudo_printf,
+    char * const settings[], char * const user_info[], int submit_optind,
+    char * const submit_argv[], char * const submit_envp[],
+    char * const plugin_options[], const char **errstr)
+{
+    debug_decl(python_plugin_approval_open, PYTHON_DEBUG_CALLBACKS);
+    (void) version;
+
+    int rc = python_plugin_register_logging(conversation, sudo_printf, settings);
+    if (rc != SUDO_RC_OK) {
+        debug_return_int(rc);
+    }
+
+    struct PluginContext *plugin_ctx = BASE_CTX(approval_ctx);
+
+    rc = python_plugin_init(plugin_ctx, plugin_options, version);
+    if (rc != SUDO_RC_OK) {
+        debug_return_int(rc);
+    }
+
+    PyObject *py_kwargs = NULL, *py_submit_optind = NULL,
+             *py_submit_argv = NULL;
+
+    if ((py_kwargs = python_plugin_construct_args(version, settings, user_info,
+                                                  submit_envp, plugin_options)) == NULL ||
+        (py_submit_optind = PyLong_FromLong(submit_optind)) == NULL ||
+        (py_submit_argv = py_str_array_to_tuple(submit_argv)) == NULL)
+    {
+        py_log_last_error("Failed to construct plugin instance");
+        rc = SUDO_RC_ERROR;
+    } else {
+        PyDict_SetItemString(py_kwargs, "submit_optind", py_submit_optind);
+        PyDict_SetItemString(py_kwargs, "submit_argv", py_submit_argv);
+
+        rc = python_plugin_construct_custom(plugin_ctx, py_kwargs);
+        CALLBACK_SET_ERROR(plugin_ctx, errstr);
+    }
+
+    Py_CLEAR(py_kwargs);
+    Py_CLEAR(py_submit_argv);
+    Py_CLEAR(py_submit_optind);
+
+    if (rc != SUDO_RC_OK) {
+        debug_return_int(rc);
+    }
+
+    // skip plugin callbacks which are not mandatory
+    MARK_CALLBACK_OPTIONAL(show_version);
+
+    debug_return_int(rc);
+}
+
+static void
+python_plugin_approval_close(struct ApprovalPluginContext *approval_ctx)
+{
+    debug_decl(python_plugin_approval_close, PYTHON_DEBUG_CALLBACKS);
+
+    struct PluginContext *plugin_ctx = BASE_CTX(approval_ctx);
+    PyThreadState_Swap(plugin_ctx->py_interpreter);
+    python_plugin_deinit(plugin_ctx);
+
+    debug_return;
+}
+
+static int
+python_plugin_approval_check(struct ApprovalPluginContext *approval_ctx,
+                             char * const command_info[], char * const run_argv[],
+                             char * const run_envp[], const char **errstr)
+{
+    debug_decl(python_plugin_approval_check, PYTHON_DEBUG_CALLBACKS);
+
+    struct PluginContext *plugin_ctx = BASE_CTX(approval_ctx);
+
+    PyObject *py_command_info = NULL, *py_run_argv = NULL, *py_run_envp = NULL,
+        *py_args = NULL;
+
+    int rc = SUDO_RC_ERROR;
+    if ((py_command_info = py_str_array_to_tuple(command_info)) != NULL &&
+        (py_run_argv = py_str_array_to_tuple(run_argv)) != NULL &&
+        (py_run_envp = py_str_array_to_tuple(run_envp)) != NULL)
+    {
+        py_args = Py_BuildValue("(OOO)", py_command_info, py_run_argv, py_run_envp);
+    }
+
+    rc = python_plugin_api_rc_call(plugin_ctx, CALLBACK_PYNAME(check), py_args);
+    CALLBACK_SET_ERROR(plugin_ctx, errstr);
+
+    Py_CLEAR(py_args);
+    Py_CLEAR(py_command_info);
+    Py_CLEAR(py_run_argv);
+    Py_CLEAR(py_run_envp);
+
+    debug_return_int(rc);
+}
+
+int
+python_plugin_approval_show_version(struct ApprovalPluginContext *approval_ctx, int verbose)
+{
+    debug_decl(python_plugin_approval_show_version, PYTHON_DEBUG_CALLBACKS);
+
+    struct PluginContext *plugin_ctx = BASE_CTX(approval_ctx);
+    PyThreadState_Swap(plugin_ctx->py_interpreter);
+
+    if (verbose) {
+        py_sudo_log(SUDO_CONV_INFO_MSG, "Python approval plugin API version %d.%d\n",
+                    SUDO_API_VERSION_GET_MAJOR(PY_APPROVAL_PLUGIN_VERSION),
+                    SUDO_API_VERSION_GET_MINOR(PY_APPROVAL_PLUGIN_VERSION));
+    }
+
+    debug_return_int(python_plugin_show_version(plugin_ctx,
+        CALLBACK_PYNAME(show_version), verbose));
+}
+
+__dso_public struct approval_plugin python_approval;
+
+// generate symbols for loading multiple approval plugins:
+#define APPROVAL_SYMBOL_NAME(symbol) symbol
+#include "python_plugin_approval_multi.inc"
+#define APPROVAL_SYMBOL_NAME(symbol) symbol##1
+#include "python_plugin_approval_multi.inc"
+#define APPROVAL_SYMBOL_NAME(symbol) symbol##2
+#include "python_plugin_approval_multi.inc"
+#define APPROVAL_SYMBOL_NAME(symbol) symbol##3
+#include "python_plugin_approval_multi.inc"
+#define APPROVAL_SYMBOL_NAME(symbol) symbol##4
+#include "python_plugin_approval_multi.inc"
+#define APPROVAL_SYMBOL_NAME(symbol) symbol##5
+#include "python_plugin_approval_multi.inc"
+#define APPROVAL_SYMBOL_NAME(symbol) symbol##6
+#include "python_plugin_approval_multi.inc"
+#define APPROVAL_SYMBOL_NAME(symbol) symbol##7
+#include "python_plugin_approval_multi.inc"
+
+static struct approval_plugin *extra_approval_plugins[] = {
+    &python_approval1,
+    &python_approval2,
+    &python_approval3,
+    &python_approval4,
+    &python_approval5,
+    &python_approval6,
+    &python_approval7
+};
+
+__dso_public struct approval_plugin *
+python_approval_clone(void)
+{
+    static size_t counter = 0;
+    struct approval_plugin *next_plugin = NULL;
+
+    size_t max = sizeof(extra_approval_plugins) / sizeof(*extra_approval_plugins);
+    if (counter < max) {
+        next_plugin = extra_approval_plugins[counter];
+        ++counter;
+    } else if (counter == max) {
+        ++counter;
+        py_sudo_log(SUDO_CONV_ERROR_MSG,
+                    "sudo: loading more than %d sudo python approval plugins is not supported\n", counter);
+    }
+
+    return next_plugin;
+}
--- a/plugins/python/python_plugin_approval_multi.inc
+++ b/plugins/python/python_plugin_approval_multi.inc
@ -0,0 +1,57 @@
+/* The purpose of this file is to generate a approval_plugin symbols,
+ * with an I/O plugin context which is unique to it and its functions.
+ * The callbacks inside are just wrappers around the real functions in python_plugin_approval.c,
+ * their only purpose is to add the unique context to each separate approval_plugin call.
+ */
+
+#define PLUGIN_CTX APPROVAL_SYMBOL_NAME(plugin_ctx)
+#define CALLBACK_CFUNC(func_name) APPROVAL_SYMBOL_NAME(_python_plugin_approval_ ## func_name)
+
+extern struct approval_plugin APPROVAL_SYMBOL_NAME(python_approval);
+static struct ApprovalPluginContext PLUGIN_CTX = { {}, &APPROVAL_SYMBOL_NAME(python_approval) };
+
+
+int
+CALLBACK_CFUNC(open)(unsigned int version, sudo_conv_t conversation,
+    sudo_printf_t sudo_printf, char * const settings[],
+    char * const user_info[], int submit_optind,
+    char * const submit_argv[], char * const submit_envp[],
+    char * const plugin_options[], const char **errstr)
+{
+    return python_plugin_approval_open(&PLUGIN_CTX, version, conversation,
+        sudo_printf, settings, user_info, submit_optind, submit_argv,
+        submit_envp, plugin_options, errstr);
+}
+
+void
+CALLBACK_CFUNC(close)(void)
+{
+    python_plugin_approval_close(&PLUGIN_CTX);
+}
+
+int
+CALLBACK_CFUNC(check)(char * const command_info[], char * const run_argv[],
+    char * const run_envp[], const char **errstr)
+{
+    return python_plugin_approval_check(&PLUGIN_CTX, command_info, run_argv,
+        run_envp, errstr);
+}
+
+int
+CALLBACK_CFUNC(show_version)(int verbose)
+{
+    return python_plugin_approval_show_version(&PLUGIN_CTX, verbose);
+}
+
+__dso_public struct approval_plugin APPROVAL_SYMBOL_NAME(python_approval) = {
+    SUDO_APPROVAL_PLUGIN,
+    SUDO_API_VERSION,
+    CALLBACK_CFUNC(open),
+    CALLBACK_CFUNC(close),
+    CALLBACK_CFUNC(check),
+    CALLBACK_CFUNC(show_version)
+};
+
+#undef PLUGIN_CTX
+#undef CALLBACK_CFUNC
+#undef APPROVAL_SYMBOL_NAME
--- a/plugins/python/python_plugin_common.c
+++ b/plugins/python/python_plugin_common.c
@ -181,14 +181,11 @@ cleanup:
    debug_return_int(rc);
 }

-int
-python_plugin_construct(struct PluginContext *plugin_ctx, unsigned int version,
+PyObject *
+python_plugin_construct_args(unsigned int version,
                        char *const settings[], char *const user_info[],
                        char *const user_env[], char *const plugin_options[])
 {
-    debug_decl(python_plugin_construct, PYTHON_DEBUG_PLUGIN_LOAD);
-
-    int rc = SUDO_RC_ERROR;
    PyObject *py_settings = NULL;
    PyObject *py_user_info = NULL;
    PyObject *py_user_env = NULL;
@ -208,18 +205,36 @@ python_plugin_construct(struct PluginContext *plugin_ctx, unsigned int version,
        PyDict_SetItemString(py_kwargs, "user_info", py_user_info) != 0 ||
        PyDict_SetItemString(py_kwargs, "plugin_options", py_plugin_options) != 0)
    {
+        Py_CLEAR(py_kwargs);
+    }
+
+    Py_CLEAR(py_settings);
+    Py_CLEAR(py_user_info);
+    Py_CLEAR(py_user_env);
+    Py_CLEAR(py_plugin_options);
+    Py_CLEAR(py_version);
+    return py_kwargs;
+}
+
+int
+python_plugin_construct(struct PluginContext *plugin_ctx, unsigned int version,
+                        char *const settings[], char *const user_info[],
+                        char *const user_env[], char *const plugin_options[])
+{
+    debug_decl(python_plugin_construct, PYTHON_DEBUG_PLUGIN_LOAD);
+
+    int rc = SUDO_RC_ERROR;
+    PyObject *py_kwargs = python_plugin_construct_args(
+        version, settings, user_info, user_env, plugin_options);
+
+    if (py_kwargs == NULL) {
        py_log_last_error("Failed to construct plugin instance");
        rc = SUDO_RC_ERROR;
    } else {
        rc = python_plugin_construct_custom(plugin_ctx, py_kwargs);
    }

-    Py_XDECREF(py_settings);
-    Py_XDECREF(py_user_info);
-    Py_XDECREF(py_user_env);
-    Py_XDECREF(py_plugin_options);
-    Py_XDECREF(py_version);
-    Py_XDECREF(py_kwargs);
+    Py_CLEAR(py_kwargs);

    debug_return_int(rc);
 }
--- a/plugins/python/python_plugin_common.h
+++ b/plugins/python/python_plugin_common.h
@ -40,6 +40,9 @@ int python_plugin_init(struct PluginContext *plugin_ctx, char * const plugin_opt

 int python_plugin_construct_custom(struct PluginContext *plugin_ctx, PyObject *py_kwargs);

+PyObject *python_plugin_construct_args(unsigned int version, char *const settings[],
+    char *const user_info[], char *const user_env[], char *const plugin_options[]);
+
 int python_plugin_construct(struct PluginContext *plugin_ctx, unsigned int version,
    char *const settings[], char *const user_info[],
    char *const user_env[], char *const plugin_options[]);
--- a/plugins/python/sudo_python_module.c
+++ b/plugins/python/sudo_python_module.c
@ -620,6 +620,7 @@ sudo_module_init(void)
        {"POLICY", SUDO_POLICY_PLUGIN},
        {"AUDIT", SUDO_AUDIT_PLUGIN},
        {"IO", SUDO_IO_PLUGIN},
+        {"APPROVAL", SUDO_APPROVAL_PLUGIN}
    };
    MODULE_REGISTER_ENUM("PLUGIN_TYPE", constants_plugin_types);