[TACACS] Improve per-command authorization performance by read passwd entry with getpwent

[liuh-80]

Improve per-command authorization performance by read passwd entry with getpwent.

Why I did it

Currently per-command authorization will check if user is remote user with getpwnam API, which will trigger tacplus-nss for authentication with TACACS server.
But this is not necessary because when user login the user information already add to local passwd file.
Use getpwent API can directly read from passwd file, this will improve per-command authorization performance.

Work item tracking

• Microsoft ADO: 25104723

How I did it

Improve per-command authorization performance by read passwd entry with getpwent.

How to verify it

Pass all UT.

Which release branch to backport (provide reason below if selected)

• 201811
• 201911
• 202006
• 202012
• 202106
• 202111
• 202205
• 202211
• 202305

Tested branch (Please provide the tested image version)

• SONiC.master-16460.356317-6c3424111
• SONiC.202205-16659.368899-1c78e9b70

Description for the changelog

Improve per-command authorization performance by read passwd entry with getpwent.

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

[qiluo-msft]

In "Tested branch (Please provide the tested image version)", please provide a version to indicate you have tested on earliest backport branch. #Closed

[qiluo-msft]

int is_local_user(char *user)

Suggest extensively unit test. #Closed

---

Refers to: src/tacacs/bash_tacplus/bash_tacplus.c:345 in ad1647d. [](commit_id = ad1647d, deletion_comment = False)

[liuh-80]

Suggest extensively unit test.

Fixed, add UT to cover new codes.

[liuh-80]

Fixed, PR description updated.

Change can't be clean cherry-pick to 202205, create a manually cherry-pick PR: #16659

[liuh-80]

Close and open to trigger re-build.

[liuh-80]

TACACS UT keeps failed on T0 device, every time failed on different place. test on local test bed all UT passed.

After check test failed log, seems UT check TACPLUS server log before server updates it.
Before this change, the per-command authorization need take longer time, so there is enough time to make tacplus server write data to log.

create a new UT to fix this issue.:

sonic-net/sonic-mgmt#10110

[liuh-80]

UT fix merged, close and re-open to trigger validation.

[liuh-80]

Master branch build image failed, waiting fix merge first: #16859

[liuh-80]

Cherry-pick to 202205 will have conflict, here is manually cherry-pick PR for 202205: #16659

[liuh-80]

UT still failed, seems found a corner case, will fix and update later.

[liuh-80]

Close and reopen to trigger rebuild and validation.

[qiluo-msft]

continue

This will lead to a loop, is it possible that the code flow always like this and keep burning CPU in an infinite loop?

[liuh-80]

This will not be an infinity loop, the getpwent_r API designed to return next entry in passwd, the loop will end when there is no next entry:

https://www.man7.org/linux/man-pages/man3/getpwent_r.3.html