diff options
| author | Christian Breunig <christian@breunig.cc> | 2025-12-09 23:14:50 +0100 |
|---|---|---|
| committer | Christian Breunig <christian@breunig.cc> | 2025-12-17 21:26:58 +0100 |
| commit | cd11ba957a33933742304b4efbba77461e803cb3 (patch) | |
| tree | c2ecb82a831f3e7c763579bf451b7c456b41502f /src/tests/test_utils_auth.py | |
| parent | 3d5ebd5956c4e4333e66097d6d339c2329c21295 (diff) | |
| download | vyos-1x-cd11ba957a33933742304b4efbba77461e803cb3.tar.gz vyos-1x-cd11ba957a33933742304b4efbba77461e803cb3.zip | |
login: T8086: replace getpwall() user enumeration to avoid NSS/TACACS timeouts
The previous implementation of "system login" relied on Python's pwd.getpwall()
to enumerate user accounts. This forces a full walk through the NSS stack,
which is acceptable in general but problematic for our use-case. VyOS only
needs information about locally created accounts and not remote accounts
provided via AAA backends such as TACACS or RADIUS.
When TACACS servers are unreachable, NSS lookups become extremely slow due to
repeated timeouts. As a result, any operation triggering pwd.getpwall()
(including configuration commits) can stall for several minutes.
This change introduces a dedicated helper, get_local_passwd_entries(), which
reads /etc/passwd directly and avoids NSS entirely. Since only local UIDs are
relevant, this provides all required data with no external dependencies.
Performance improvement on VyOS 1.4.3 with two unreachable TACACS servers:
# set system login tacacs server 192.168.1.50 key test123
# set system login tacacs server 192.168.1.51 key test123
# time commit
Before:
real 3m29.825s
user 0m0.329s
sys 0m0.246s
After:
real 0m1.464s
user 0m0.337s
sys 0m0.195s
This significantly improves commit performance and removes sensitivity to AAA
server outages.
Diffstat (limited to 'src/tests/test_utils_auth.py')
| -rw-r--r-- | src/tests/test_utils_auth.py | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/src/tests/test_utils_auth.py b/src/tests/test_utils_auth.py new file mode 100644 index 000000000..f3b52ab29 --- /dev/null +++ b/src/tests/test_utils_auth.py @@ -0,0 +1,75 @@ +# Copyright VyOS maintainers and contributors <maintainers@vyos.io> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import pwd +import unittest + +from vyos.utils import auth + +class TestVyOSUtilsAuth(unittest.TestCase): + def test_uid_root(self): + self.assertEqual(auth.get_local_passwd_entries(0).pw_name, 'root') + self.assertEqual(auth.get_local_passwd_entries(0).pw_uid, 0) + + def test_uid_daemon(self): + uid = None + for user in auth.get_local_passwd_entries(): + if user.pw_name == 'daemon': + uid = user.pw_uid + break + + self.assertEqual(auth.get_local_passwd_entries(uid).pw_name, 'daemon') + self.assertEqual(auth.get_local_passwd_entries(uid).pw_uid, uid) + + def test_uid_not_found(self): + self.assertEqual(auth.get_local_passwd_entries(5465487635), None) + + def test_get_local_users_returns_existing_usernames(self): + # Returned users exist, skip list is excluded, and UIDs are in range + + all_users = set(s_user.pw_name for s_user in pwd.getpwall()) + local_users = auth.get_local_users() + + # All returned users must really exist + for user in local_users: + self.assertIn(user, all_users) + + # Nobody in the skip list + for skipped in auth.SYSTEM_USER_SKIP_LIST: + self.assertNotIn(skipped, local_users) + + # All are within UID range + for s_user in pwd.getpwall(): + if s_user.pw_name in local_users: + self.assertGreaterEqual(s_user.pw_uid, auth.MIN_USER_UID) + self.assertLessEqual(s_user.pw_uid, auth.MAX_USER_UID) + + def test_get_user_home_dir_for_real_user(self): + # User's homedir is a non-empty string for a valid user + + local_users = auth.get_local_users() + if local_users: + for user in local_users: + home_dir = auth.get_user_home_dir(user) + self.assertIsInstance(home_dir, str) + self.assertTrue(bool(home_dir)) # Should not be empty + else: + self.skipTest("No suitable non-system users found on this system") + + def test_get_user_home_dir_invalid_user(self): + # Raises KeyError for nonexistent username + + user = "__this_user_does_not_exist__" # Test using unlikely username + with self.assertRaises(KeyError): + auth.get_user_home_dir(user) |
