bin: backport fixes to shell/cli copy command

This is a backport of the following commits from origin/main: 3b24fab
e6a04fb 92e80b4 ad96965 3e03ece 21256a8 b7d91e4 d26e311 0977ab4 f83fbc6

---

cli: fix 'copy FILE running-config' use-case

When copying to the running datastore we cannot use sr_copy_config(),
instead we must use sr_replace_config().  This fix covers both the case
of 'copy startup-config running-config' and 'copy FILE running-config'.

Fixes #1203

---

cli: add 'validate', or '-n', dry run to copy command

This commit adds config file validation to the copy command, discussed
in #373.  Allowing users to test their config files before restoring a
backup.  The feature could also be used for the automatic rollback when
downgrading to an earlier version of the OS.

Fixes #373

---

cli: fix copy to missing startup-config file

Fixes #981

---

cli: restrict copy and erase commands

This is a follow-up to PR #717 where path traversal protection was
discussed.  A year later and it's clear that having a user-friendly
copy tool in the shell is a good thing, but that we proably want to
restrict what it can do when called from the CLI.

A sanitize flag (-s) is added to control the behavior, when used in the
shell without -s, both commands act like traditional UNIX tools and do
assume . for relative paths, and allow ../, whereas when running from
the CLI only /media/ is allowed and otherwise files are assumed to be
in $HOME or /cfg

---

cli: sanitize regular file to file copy

The regular file-to-file copy, was missing calls to cfg_adjust(), this
commit fixes that and adds some helpful comments for each use-case.

Also, drop insecure mktemp() in favor of our own version which uses the
basename of the remote source file.

---

bin: add bash completion for copy command

Add bash completion for the common datastores, like we already do in the
CLI, and update the usage text accordingly.

Also, make sure to install to /usr/bin, not /bin since we've now merged
the hierarchies since a while back.

---

bin: copy: Refactor

copy() made some...creative...use of control flow that made it quite
difficult to follow.

Take a first priciples approach to simplify the logic.

---

bin: copy: Always get startup from sysrepo

This will make sure to apply NACM rules for all the data. It also
makes it possible for a luser access a subset of the data, even if
they to do not have read access to /cfg/startup-config.cfg.

Signed-off-by: Joachim Wiberg <[email protected]>

Author: troglobit

package/bin/bin.mk

@@ -11,7 +11,7 @@ BIN_LICENSE = BSD-3-Clause
 BIN_LICENSE_FILES = LICENSE
 BIN_REDISTRIBUTE = NO
 BIN_DEPENDENCIES = sysrepo libite
-BIN_CONF_OPTS = --prefix= --disable-silent-rules
+BIN_CONF_OPTS = --disable-silent-rules
 BIN_AUTORECONF = YES
 
 define BIN_CONF_ENV

src/bin/Makefile.am

@@ -3,11 +3,15 @@ ACLOCAL_AMFLAGS  = -I m4
 
 bin_PROGRAMS     = copy erase files
 
+# Bash completion
+bashcompdir      = $(datadir)/bash-completion/completions
+dist_bashcomp_DATA = copy.bash
+
 copy_SOURCES     = copy.c util.c util.h
 copy_CPPFLAGS    = -D_DEFAULT_SOURCE -D_GNU_SOURCE
 copy_CFLAGS      = -W -Wall -Wextra
-copy_CFLAGS     += $(libite_CFLAGS) $(sysrepo_CFLAGS)
-copy_LDADD       = $(libite_LIBS)   $(sysrepo_LIBS)
+copy_CFLAGS     += $(libite_CFLAGS) $(libyang_CFLAGS) $(sysrepo_CFLAGS)
+copy_LDADD       = $(libite_LIBS)   $(libyang_LIBS)   $(sysrepo_LIBS)
 
 erase_SOURCES    = erase.c util.c util.h
 erase_CPPFLAGS   = -D_DEFAULT_SOURCE -D_GNU_SOURCE

src/bin/configure.ac

@@ -15,6 +15,7 @@ AC_PROG_INSTALL
 PKG_PROG_PKG_CONFIG
 
 PKG_CHECK_MODULES([libite],  [libite  >= 2.5.0])
+PKG_CHECK_MODULES([libyang], [libyang >= 3.0.0])
 PKG_CHECK_MODULES([sysrepo], [sysrepo >= 2.2.36])
 
 # Misc variable replacements for below Summary
@@ -55,8 +56,8 @@ cat <<EOF
   System environment....: ${sysconfig_path:-${sysconfig}}
   C Compiler............: $CC $CFLAGS $CPPFLAGS $LDFLAGS $LIBS
   Linker................: $LD $LLDP_LDFLAGS $LLDP_BIN_LDFLAGS $LDFLAGS $LIBS
-  CFLAGS................: $libite_CFLAGS $sysrepo_CFLAGS
-  LIBS..................: $libite_LIBS $sysrepo_LIBS
+  CFLAGS................: $libite_CFLAGS $libyang_CFLAGS $sysrepo_CFLAGS
+  LIBS..................: $libite_LIBS $libyang_LIBS $sysrepo_LIBS
 
 ------------- Compiler version --------------
 $($CC --version || true)

src/bin/copy.bash

@@ -0,0 +1,93 @@
+# bash completion for copy command
+# SPDX-License-Identifier: ISC
+
+_copy_completion()
+{
+    local cur prev opts
+    COMPREPLY=()
+    cur="${COMP_WORDS[COMP_CWORD]}"
+    prev="${COMP_WORDS[COMP_CWORD-1]}"
+
+    # Options for the copy command
+    opts="-h -n -q -s -t -u -v"
+
+    local datastores_dst="running-config startup-config"
+    local datastores_src="factory-config operational-state running-config"
+
+    case "${prev}" in
+        -t)
+            # Timeout expects a number, no completion
+            return 0
+            ;;
+        -u)
+            # Username, could complete with getent passwd but keep it simple
+            return 0
+            ;;
+    esac
+
+    # If current word starts with -, complete options
+    if [[ ${cur} == -* ]]; then
+        COMPREPLY=( $(compgen -W "${opts}" -- ${cur}) )
+        return 0
+    fi
+
+    # Determine position (source or destination)
+    # Count non-option arguments before current position
+    local arg_count=0
+    local i
+    for ((i=1; i < COMP_CWORD; i++)); do
+        case "${COMP_WORDS[i]}" in
+            -h|-n|-q|-s|-v)
+                # Flag without argument
+                ;;
+            -t|-u)
+                # Flag with argument, skip next word
+                ((i++))
+                ;;
+            -*)
+                # Unknown flag, might have argument
+                ;;
+            *)
+                # Non-option argument
+                ((arg_count++))
+                ;;
+        esac
+    done
+
+    # Helper function to add non-hidden files/dirs, filtering out dotfiles unless explicitly requested
+    _add_files() {
+        local IFS=$'\n'
+        local files
+
+        # If user is explicitly typing a dotfile path, include dotfiles
+        if [[ ${cur} == .* || ${cur} == */.* ]]; then
+            files=( $(compgen -f -- "${cur}") )
+        else
+            # Only show non-hidden files and directories
+            files=( $(compgen -f -- "${cur}" | grep -v '/\.[^/]*$' | grep -v '^\.[^/]') )
+        fi
+
+        COMPREPLY+=( "${files[@]}" )
+    }
+
+    case ${arg_count} in
+        0)
+            # First argument (source): complete with files and all datastores including factory-config
+            COMPREPLY=( $(compgen -W "${datastores_src}" -- ${cur}) )
+            _add_files
+            ;;
+        1)
+            # Second argument (destination): complete with files and limited datastores (no factory-config)
+            COMPREPLY=( $(compgen -W "${datastores_dst}" -- ${cur}) )
+            _add_files
+            ;;
+        *)
+            # No more arguments expected
+            return 0
+            ;;
+    esac
+
+    return 0
+}
+
+complete -F _copy_completion copy