experiments/clixon
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

* Reworked evhtp restconf config to only use clixon-restconf.yang and marked local restconf options as obsolete

Browse source 
* Extended clicon-config with clixon-restconf for local config
* Removed obsolete CLICON_TRANSACTION_MOD
This commit is contained in:
Olof hagsand 2020-11-21 13:16:29 +01:00
parent 3d10c3bfcb
commit 0b948248e4
42 changed files with 308 additions and 887 deletions
Download patch file Download diff file Expand all files Collapse all files

17
apps/backend/backend_commit.c
View file

@ -594,15 +594,6 @@ candidate_commit(clicon_handle h,
if (xmldb_get0_clear(h, td->td_src) < 0)
goto done;
/* Optionally write (potentially modified) tree back to candidate
*/
if (clicon_option_bool(h, "CLICON_TRANSACTION_MOD")){
if ((ret = xmldb_put(h, candidate, OP_REPLACE, td->td_target,
clicon_username_get(h), cbret)) < 0)
goto done;
if (ret == 0)
goto fail;
}
/* 8. Success: Copy candidate to running
*/
if (xmldb_copy(h, candidate, "running") < 0)
@ -829,14 +820,6 @@ from_client_validate(clicon_handle h,
goto done;
}
/* Optionally write (potentially modified) tree back to candidate */
if (clicon_option_bool(h, "CLICON_TRANSACTION_MOD")){
plugin_transaction_abort_all(h, td);
if ((ret = xmldb_put(h, "candidate", OP_REPLACE, td->td_target,
clicon_username_get(h), cbret)) < 0)
goto done;
goto ok;
}
cprintf(cbret, "<rpc-reply xmlns=\"%s\"><ok/></rpc-reply>", NETCONF_BASE_NAMESPACE);
/* Call plugin transaction end callbacks */
plugin_transaction_end_all(h, td);

502
apps/restconf/restconf_main_evhtp.c
View file

@ -85,7 +85,7 @@
/* Command line options to be passed to getopt(3) */
#define RESTCONF_OPTS "hD:f:E:l:p:d:y:a:u:ro:bscP:"
#define RESTCONF_OPTS "hD:f:E:l:p:d:y:a:u:ro:"
/* See see listen(5) */
#define SOCKET_LISTEN_BACKLOG 16
@ -587,67 +587,6 @@ cx_get_ssl_client_ca_certs(clicon_handle h,
return retval;
}
/*! Get Server cert info
* @param[in] h Clicon handle
* @param[in] ssl_verify_clients If true, verify client certs
* @param[out] ssl_config evhtp ssl config struct
*/
static int
cx_get_certs(clicon_handle h,
int ssl_verify_clients,
evhtp_ssl_cfg_t *ssl_config)
{
int retval = -1;
struct stat f_stat;
char *filename;
if (ssl_config == NULL){
clicon_err(OE_CFG, EINVAL, "Input parameter is NULL");
goto done;
}
if ((filename = clicon_option_str(h, "CLICON_SSL_SERVER_CERT")) == NULL){
clicon_err(OE_CFG, EFAULT, "CLICON_SSL_SERVER_CERT option missing");
goto done;
}
if ((ssl_config->pemfile = strdup(filename)) == NULL){
clicon_err(OE_CFG, errno, "strdup");
goto done;
}
if (stat(ssl_config->pemfile, &f_stat) != 0) {
clicon_err(OE_FATAL, errno, "Cannot load SSL cert '%s'", ssl_config->pemfile);
goto done;
}
if ((filename = clicon_option_str(h, "CLICON_SSL_SERVER_KEY")) == NULL){
clicon_err(OE_CFG, EFAULT, "CLICON_SSL_SERVER_KEY option missing");
goto done;
}
if ((ssl_config->privfile = strdup(filename)) == NULL){
clicon_err(OE_CFG, errno, "strdup");
goto done;
}
if (stat(ssl_config->privfile, &f_stat) != 0) {
clicon_err(OE_FATAL, errno, "Cannot load SSL key '%s'", ssl_config->privfile);
goto done;
}
if (ssl_verify_clients){
if ((filename = clicon_option_str(h, "CLICON_SSL_CA_CERT")) == NULL){
clicon_err(OE_CFG, EFAULT, "CLICON_SSL_CA_CERT option missing");
goto done;
}
if ((ssl_config->cafile = strdup(filename)) == NULL){
clicon_err(OE_CFG, errno, "strdup");
goto done;
}
if (stat(ssl_config->cafile, &f_stat) != 0) {
clicon_err(OE_FATAL, errno, "Cannot load SSL key '%s'", ssl_config->privfile);
goto done;
}
}
retval = 0;
done:
return retval;
}
static int
cx_verify_certs(int pre_verify,
evhtp_x509_store_ctx_t *store)
@ -722,9 +661,8 @@ restconf_socket_init(clicon_handle h,
clicon_err(OE_UNIX, errno, "socket");
goto done;
}
// evutil_make_socket_closeonexec(s); // XXX
// evutil_make_socket_nonblocking(s); // XXX
evutil_make_socket_closeonexec(s);
evutil_make_socket_nonblocking(s);
if (setsockopt(s, SOL_SOCKET, SO_KEEPALIVE, (void *)&on, sizeof(on)) == -1) {
clicon_err(OE_UNIX, errno, "setsockopt SO_KEEPALIVE");
goto done;
@ -780,11 +718,7 @@ usage(clicon_handle h,
"\t-a UNIX|IPv4|IPv6 Internal backend socket family\n"
"\t-u <path|addr>\t Internal socket domain path or IP addr (see -a)\n"
"\t-r \t\t Do not drop privileges if run as root\n"
"\t-b \t\t Read config from backend - not local (same as CLICON_RESTCONF_CONF=true) \n"
"\t-o <option>=<value> Set configuration option overriding config file (see clixon-config.yang)\n"
"\t-s\t\t SSL server, https (local config)\n"
"\t-c\t\t SSL verify client certs (local config)\n"
"\t-P <port>\t HTTP port (default 80, or 443 if -s is given) (local config)\n"
,
argv0,
clicon_restconf_dir(h)
@ -979,8 +913,8 @@ cx_evhtp_socket(clicon_handle h,
/* ss is a server socket that the clients connect to. The callback
therefore accepts clients on ss */
/* XXX address in evhtp should be prefixed with eg "ipv4:" */
evutil_make_socket_closeonexec(ss); // XXX
evutil_make_socket_nonblocking(ss); // XXX
// evutil_make_socket_closeonexec(ss);
// evutil_make_socket_nonblocking(ss);
if (evhtp_accept_socket(htp, ss, SOCKET_LISTEN_BACKLOG) < 0) {
/* accept_socket() does not close the descriptor
* on error, but this function does.
@ -1000,17 +934,14 @@ cx_evhtp_socket(clicon_handle h,
* @param[in] xconfig XML config
* @param[in] nsc Namespace context
* @param[in] eh Evhtp handle
* @note only if CLICON_RESTCONF_CONFIG is true (-b)
* @note only one socket allowed in this implementation
*/
static int
cx_evhtp_init(clicon_handle h,
cxobj *xconfig,
cxobj *xrestconf,
cvec *nsc,
cx_evhtp_handle *eh)
{
int retval = -1;
cxobj *xrestconf;
cxobj **vec = NULL;
size_t veclen;
char *server_cert_path = NULL;
@ -1023,11 +954,6 @@ cx_evhtp_init(clicon_handle h,
int i;
int ssl_enable = 0;
/* Extract socket fields from xconfig */
if ((xrestconf = xpath_first(xconfig, nsc, "restconf")) == NULL){
clicon_err(OE_CFG, ENOENT, "restconf top symbol not found");
goto done;
}
/* If at least one socket has ssl then enable global ssl_enable */
ssl_enable = xpath_first(xrestconf, nsc, "socket[ssl='true']") != NULL;
/* get common fields */
@ -1083,16 +1009,24 @@ cx_evhtp_init(clicon_handle h,
return retval;
}
/*! Read config from backend */
/*! Read restconf from config
* After SEVERAL iterations the code now does as follows:
* - init clixon
* - init evhtp
* - look for local config (in clixon-config file)
* - if local config found, open sockets accordingly and exit function
* - If no local config found, query backend for config and open sockets.
* That is, EITHER local config OR read config from backend once
* @param[in] h Clicon handle
* @param[in] eh Clixon's evhtp handle
* @retval 0 OK
* @retval -1 Error
*/
int
restconf_config_backend(clicon_handle h,
cx_evhtp_handle *eh,
int argc,
char **argv,
int drop_privileges)
restconf_config(clicon_handle h,
cx_evhtp_handle *eh)
{
int retval = -1;
char *argv0 = argv[0];
char *dir;
yang_stmt *yspec = NULL;
char *str;
@ -1101,19 +1035,19 @@ restconf_config_backend(clicon_handle h,
size_t cligen_buflen;
size_t cligen_bufthreshold;
cvec *nsc = NULL;
cxobj *xconfig = NULL;
cxobj *xerr = NULL;
uint32_t id = 0; /* Session id, to poll backend up */
struct passwd *pw;
cxobj *xconfig1 = NULL;
cxobj *xrestconf1 = NULL;
cxobj *xconfig2 = NULL;
cxobj *xrestconf2 = NULL;
/* Set default namespace according to CLICON_NAMESPACE_NETCONF_DEFAULT */
xml_nsctx_namespace_netconf_default(h);
assert(SSL_VERIFY_NONE == 0);
/* Access the remaining argv/argc options (after --) w clicon-argv_get() */
clicon_argv_set(h, argv0, argc, argv);
/* Init cligen buffers */
cligen_buflen = clicon_option_int(h, "CLICON_CLI_BUF_START");
cligen_bufthreshold = clicon_option_int(h, "CLICON_CLI_BUF_THRESHOLD");
@ -1191,6 +1125,20 @@ restconf_config_backend(clicon_handle h,
if (clicon_nsctx_global_set(h, nsctx_global) < 0)
goto done;
/* Init evhtp, common stuff */
if ((eh->eh_evbase = event_base_new()) == NULL){
clicon_err(OE_UNIX, errno, "event_base_new");
goto done;
}
/* First get local config */
xconfig1 = clicon_conf_xml(h);
if ((xrestconf1 = xpath_first(xconfig1, NULL, "restconf")) != NULL){
/* Initialize evhtp with local config */
if (cx_evhtp_init(h, xrestconf1, NULL, eh) < 0)
goto done;
}
else {
/* Query backend of config.
* Before evhtp, try again if not done */
while (1){
@ -1212,330 +1160,29 @@ restconf_config_backend(clicon_handle h,
clicon_err(OE_UNIX, errno, "getpwuid");
goto done;
}
if (clicon_rpc_get_config(h, pw->pw_name, "running", "/restconf", nsc, &xconfig) < 0)
if (clicon_rpc_get_config(h, pw->pw_name, "running", "/restconf", nsc, &xconfig2) < 0)
goto done;
if ((xerr = xpath_first(xconfig, NULL, "/rpc-error")) != NULL){
if ((xerr = xpath_first(xconfig2, NULL, "/rpc-error")) != NULL){
clixon_netconf_error(xerr, "Get backend restconf config", NULL);
goto done;
}
/* Init evhtp, common stuff */
if ((eh->eh_evbase = event_base_new()) == NULL){
clicon_err(OE_UNIX, errno, "event_base_new");
/* Extract socket fields from xconfig */
if ((xrestconf2 = xpath_first(xconfig2, nsc, "restconf")) != NULL){
/* Initialize evhtp with config from backend */
if (cx_evhtp_init(h, xrestconf2, nsc, eh) < 0)
goto done;
}
if (cx_evhtp_init(h, xconfig, nsc, eh) < 0)
goto done;
/* Drop privileges after evhtp and server key/cert read */
if (drop_privileges){
/* Drop privileges to WWWUSER if started as root */
if (restconf_drop_privileges(h, WWWUSER) < 0)
goto done;
}
/* Exit can go via signal handler without returning here */
if (xconfig){
xml_free(xconfig);
xconfig = NULL;
}
if (nsc){
cvec_free(nsc);
nsc = NULL;
}
/* libevent main loop */
event_base_loop(eh->eh_evbase, 0); /* XXX: replace with clixon_event_loop() */
retval = 0;
done:
if (xconfig)
xml_free(xconfig);
if (xconfig2)
xml_free(xconfig2);
if (nsc)
cvec_free(nsc);
clicon_debug(1, "restconf_main_evhtp done");
return retval;
}
/*! Read config locally */
int
restconf_config_local(clicon_handle h,
cx_evhtp_handle *eh,
int argc,
char **argv,
uint16_t port,
int ssl_verify_clients,
int use_ssl,
int drop_privileges)
{
int retval = -1;
char *argv0 = argv[0];
char *dir;
yang_stmt *yspec = NULL;
char *str;
clixon_plugin *cp = NULL;
cvec *nsctx_global = NULL; /* Global namespace context */
size_t cligen_buflen;
size_t cligen_bufthreshold;
char *restconf_ipv4_addr = NULL;
char *restconf_ipv6_addr = NULL;
evhtp_t *htp;
/* port = defaultport unless explicitly set -P */
if (port == 0){
clicon_err(OE_DAEMON, EINVAL, "Restconf bind port is 0");
goto done;
}
/* Set default namespace according to CLICON_NAMESPACE_NETCONF_DEFAULT */
xml_nsctx_namespace_netconf_default(h);
/* Check server ssl certs */
if (use_ssl){
/* Init evhtp ssl config struct */
if ((eh->eh_ssl_config = malloc(sizeof(evhtp_ssl_cfg_t))) == NULL){
clicon_err(OE_UNIX, errno, "malloc");
goto done;
}
memset(eh->eh_ssl_config, 0, sizeof(evhtp_ssl_cfg_t));
eh->eh_ssl_config->ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1;
if (cx_get_certs(h, ssl_verify_clients, eh->eh_ssl_config) < 0)
goto done;
eh->eh_ssl_config->x509_verify_cb = cx_verify_certs; /* Is extra verification necessary? */
if (ssl_verify_clients){
eh->eh_ssl_config->verify_peer = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
eh->eh_ssl_config->x509_verify_cb = cx_verify_certs;
eh->eh_ssl_config->verify_depth = 2;
}
}
// ssl_verify_mode = htp_sslutil_verify2opts(optarg);
assert(SSL_VERIFY_NONE == 0);
/* Access the remaining argv/argc options (after --) w clicon-argv_get() */
clicon_argv_set(h, argv0, argc, argv);
/* Init evhtp */
if ((eh->eh_evbase = event_base_new()) == NULL){
clicon_err(OE_UNIX, errno, "event_base_new");
goto done;
}
/* bind to a socket, optionally with specific protocol support formatting
*/
restconf_ipv4_addr = clicon_option_str(h, "CLICON_RESTCONF_IPV4_ADDR");
restconf_ipv6_addr = clicon_option_str(h, "CLICON_RESTCONF_IPV6_ADDR");
if ((restconf_ipv4_addr == NULL || strlen(restconf_ipv4_addr)==0) &&
(restconf_ipv6_addr == NULL || strlen(restconf_ipv6_addr)==0)){
clicon_err(OE_DAEMON, EINVAL, "There are no restconf IPv4 or IPv6 bind addresses");
goto done;
}
if (restconf_ipv4_addr != NULL && strlen(restconf_ipv4_addr)){
cbuf *cb;
/* create a new evhtp_t instance */
if ((htp = evhtp_new(eh->eh_evbase, NULL)) == NULL){
clicon_err(OE_UNIX, errno, "evhtp_new");
goto done;
}
/* Here the daemon either uses SSL or not, ie you cant seem to mix http and https :-( */
if (use_ssl){
if (evhtp_ssl_init(htp, eh->eh_ssl_config) < 0){
clicon_err(OE_UNIX, errno, "evhtp_new");
goto done;
}
}
#ifndef EVHTP_DISABLE_EVTHR
evhtp_use_threads_wexit(htp, NULL, NULL, 4, NULL);
#endif
/* Callback before the connection is accepted. */
evhtp_set_pre_accept_cb(htp, cx_pre_accept, h);
/* Callback right after a connection is accepted. */
evhtp_set_post_accept_cb(htp, cx_post_accept, h);
/* Callback to be executed for all /restconf api calls */
if (evhtp_set_cb(htp, "/" RESTCONF_API, cx_path_restconf, h) == NULL){
clicon_err(OE_EVENTS, errno, "evhtp_set_cb");
goto done;
}
/* Callback to be executed for all /restconf api calls */
if (evhtp_set_cb(htp, RESTCONF_WELL_KNOWN, cx_path_wellknown, h) == NULL){
clicon_err(OE_EVENTS, errno, "evhtp_set_cb");
goto done;
}
/* Generic callback called if no other callbacks are matched */
evhtp_set_gencb(htp, cx_gencb, h);
if ((cb = cbuf_new()) == NULL){
clicon_err(OE_UNIX, errno, "cbuf_new");
goto done;
}
cprintf(cb, "ipv4:%s", restconf_ipv4_addr);
if (evhtp_bind_socket(htp, /* evhtp handle */
cbuf_get(cb), /* string address, eg ipv4:<ipv4addr> */
port, /* port */
SOCKET_LISTEN_BACKLOG /* backlog flag, see listen(5) */
) < 0){
clicon_err(OE_UNIX, errno, "evhtp_bind_socket");
goto done;
}
if (cb)
cbuf_free(cb);
if (cx_htp_add(eh, htp) < 0)
goto done;
}
/* Eeh can only bind one */
if (restconf_ipv6_addr != NULL && strlen(restconf_ipv6_addr)){
cbuf *cb;
/* create a new evhtp_t instance */
if ((htp = evhtp_new(eh->eh_evbase, NULL)) == NULL){
clicon_err(OE_UNIX, errno, "evhtp_new");
goto done;
}
/* Here the daemon either uses SSL or not, ie you cant seem to mix http and https :-( */
if (use_ssl){
if (evhtp_ssl_init(htp, eh->eh_ssl_config) < 0){
clicon_err(OE_UNIX, errno, "evhtp_new");
goto done;
}
}
#ifndef EVHTP_DISABLE_EVTHR
evhtp_use_threads_wexit(htp, NULL, NULL, 4, NULL);
#endif
/* Callback before the connection is accepted. */
evhtp_set_pre_accept_cb(htp, cx_pre_accept, h);
/* Callback right after a connection is accepted. */
evhtp_set_post_accept_cb(htp, cx_post_accept, h);
/* Callback to be executed for all /restconf api calls */
if (evhtp_set_cb(htp, "/" RESTCONF_API, cx_path_restconf, h) == NULL){
clicon_err(OE_EVENTS, errno, "evhtp_set_cb");
goto done;
}
/* Callback to be executed for all /restconf api calls */
if (evhtp_set_cb(htp, RESTCONF_WELL_KNOWN, cx_path_wellknown, h) == NULL){
clicon_err(OE_EVENTS, errno, "evhtp_set_cb");
goto done;
}
/* Generic callback called if no other callbacks are matched */
evhtp_set_gencb(htp, cx_gencb, h);
if ((cb = cbuf_new()) == NULL){
clicon_err(OE_UNIX, errno, "cbuf_new");
goto done;
}
cprintf(cb, "ipv6:%s", restconf_ipv6_addr);
if (evhtp_bind_socket(htp, /* evhtp handle */
cbuf_get(cb), /* string address, eg ipv6:<ipv6addr> */
port, /* port */
SOCKET_LISTEN_BACKLOG /* backlog flag, see listen(5) */
) < 0){
clicon_err(OE_UNIX, errno, "evhtp_bind_socket");
goto done;
}
if (cb)
cbuf_free(cb);
if (cx_htp_add(eh, htp) < 0)
goto done;
}
if (drop_privileges){
/* Drop privileges to WWWUSER if started as root */
if (restconf_drop_privileges(h, WWWUSER) < 0)
goto done;
}
/* Init cligen buffers */
cligen_buflen = clicon_option_int(h, "CLICON_CLI_BUF_START");
cligen_bufthreshold = clicon_option_int(h, "CLICON_CLI_BUF_THRESHOLD");
cbuf_alloc_set(cligen_buflen, cligen_bufthreshold);
/* Add (hardcoded) netconf features in case ietf-netconf loaded here
* Otherwise it is loaded in netconf_module_load below
*/
if (netconf_module_features(h) < 0)
goto done;
/* Create top-level yang spec and store as option */
if ((yspec = yspec_new()) == NULL)
goto done;
clicon_dbspec_yang_set(h, yspec);
/* Treat unknown XML as anydata */
if (clicon_option_bool(h, "CLICON_YANG_UNKNOWN_ANYDATA") == 1)
xml_bind_yang_unknown_anydata(1);
/* Load restconf plugins before yangs are loaded (eg extension callbacks) */
if ((dir = clicon_restconf_dir(h)) != NULL)
if (clixon_plugins_load(h, CLIXON_PLUGIN_INIT, dir, NULL) < 0)
return -1;
/* Create a pseudo-plugin to create extension callback to set the ietf-routing
* yang-data extension for api-root top-level restconf function.
*/
if (clixon_pseudo_plugin(h, "pseudo restconf", &cp) < 0)
goto done;
cp->cp_api.ca_extension = restconf_main_extension_cb;
/* Load Yang modules
* 1. Load a yang module as a specific absolute filename */
if ((str = clicon_yang_main_file(h)) != NULL){
if (yang_spec_parse_file(h, str, yspec) < 0)
goto done;
}
/* 2. Load a (single) main module */
if ((str = clicon_yang_module_main(h)) != NULL){
if (yang_spec_parse_module(h, str, clicon_yang_module_revision(h),
yspec) < 0)
goto done;
}
/* 3. Load all modules in a directory */
if ((str = clicon_yang_main_dir(h)) != NULL){
if (yang_spec_load_dir(h, str, yspec) < 0)
goto done;
}
/* Load clixon lib yang module */
if (yang_spec_parse_module(h, "clixon-lib", NULL, yspec) < 0)
goto done;
/* Load yang module library, RFC7895 */
if (yang_modules_init(h) < 0)
goto done;
/* Load yang restconf module */
if (yang_spec_parse_module(h, "ietf-restconf", NULL, yspec)< 0)
goto done;
/* Add netconf yang spec, used as internal protocol */
if (netconf_module_load(h) < 0)
goto done;
/* Add system modules */
if (clicon_option_bool(h, "CLICON_STREAM_DISCOVERY_RFC8040") &&
yang_spec_parse_module(h, "ietf-restconf-monitoring", NULL, yspec)< 0)
goto done;
if (clicon_option_bool(h, "CLICON_STREAM_DISCOVERY_RFC5277") &&
yang_spec_parse_module(h, "clixon-rfc5277", NULL, yspec)< 0)
goto done;
/* Here all modules are loaded
* Compute and set canonical namespace context
*/
if (xml_nsctx_yangspec(yspec, &nsctx_global) < 0)
goto done;
if (clicon_nsctx_global_set(h, nsctx_global) < 0)
goto done;
/* Call start function in all plugins before we go interactive
*/
if (clixon_plugin_start_all(h) < 0)
goto done;
/* Call start function in all plugins before we go interactive
*/
if (clixon_plugin_start_all(h) < 0)
goto done;
event_base_loop(eh->eh_evbase, 0);
retval = 0;
done:
clicon_debug(1, "restconf_main_evhtp done");
return retval;
}
int
main(int argc,
char **argv)
@ -1546,13 +1193,8 @@ main(int argc,
clicon_handle h;
int logdst = CLICON_LOG_SYSLOG;
int dbg = 0;
int i;
cx_evhtp_handle *eh = NULL;
int drop_privileges = 1;
uint16_t defaultport = 0;
int use_ssl = 0;
int ssl_verify_clients = 0;
uint16_t port = 0;
/* In the startup, logs to stderr & debug flag set later */
clicon_log_init(__PROGRAM__, LOG_INFO, logdst);
@ -1616,8 +1258,6 @@ main(int argc,
if (clicon_options_main(h) < 0)
goto done;
// stream_path = clicon_option_str(h, "CLICON_STREAM_PATH");
/* XXX only local conf */
defaultport = (uint16_t)clicon_option_int(h, "CLICON_RESTCONF_HTTP_PORT");
/* Now rest of options, some overwrite option file */
optind = 1;
@ -1663,26 +1303,6 @@ main(int argc,
goto done;
break;
}
case 'b': /* Read config from backend - not local */
clicon_option_bool_set(h, "CLICON_RESTCONF_CONFIG", 1);
break;
case 's': /* ssl: use https */
use_ssl = 1;
/* Set to port - note can be overrifden by -P */
if ((i = clicon_option_int(h, "CLICON_RESTCONF_HTTPS_PORT")) < 0){
clicon_err(OE_CFG, EINVAL, "CLICON_RESTCONF_HTTPS_PORT not found");
goto done;
}
defaultport = (uint16_t)i;
break;
case 'c': /* ssl: verify clients */
ssl_verify_clients = 1;
break;
case 'P': /* http port */
if (!strlen(optarg))
usage(h, argv0);
port=atoi(optarg);
break;
default:
usage(h, argv0);
break;
@ -1690,13 +1310,13 @@ main(int argc,
argc -= optind;
argv += optind;
/* Access the remaining argv/argc options (after --) w clicon-argv_get() */
clicon_argv_set(h, argv0, argc, argv);
/* Dump configuration options on debug */
if (dbg)
clicon_option_dump(h, dbg);
/* port = defaultport unless explicitly set -P */
if (port == 0)
port = defaultport;
if ((eh = malloc(sizeof *eh)) == NULL){
clicon_err(OE_UNIX, errno, "malloc");
goto done;
@ -1704,21 +1324,17 @@ main(int argc,
memset(eh, 0, sizeof *eh);
_EVHTP_HANDLE = eh; /* global */
if (clicon_option_bool(h, "CLICON_RESTCONF_CONFIG") == 0){
/* Read config locally */
if (restconf_config_local(h, eh, argc, argv,
port,
ssl_verify_clients,
use_ssl,
drop_privileges
) < 0)
goto done;
}
else {
/* Read config from backend */
if (restconf_config_backend(h, eh, argc, argv, drop_privileges) < 0)
/* Read config */
if (restconf_config(h, eh) < 0)
goto done;
/* Drop privileges after evhtp and server key/cert read */
if (drop_privileges){
/* Drop privileges to WWWUSER if started as root */
if (restconf_drop_privileges(h, WWWUSER) < 0)
goto done;
}
/* libevent main loop */
event_base_loop(eh->eh_evbase, 0); /* Replace with clixon_event_loop() if libevent is replaced */
retval = 0;
done:

6
apps/restconf/restconf_main_fcgi.c
View file

@ -88,7 +88,7 @@
#include "restconf_stream.h"
/* Command line options to be passed to getopt(3) */
#define RESTCONF_OPTS "hD:f:E:l:p:d:y:a:u:ro:b"
#define RESTCONF_OPTS "hD:f:E:l:p:d:y:a:u:ro:"
/*! Convert FCGI parameters to clixon runtime data
* @param[in] h Clixon handle
@ -180,7 +180,6 @@ usage(clicon_handle h,
"\t-a UNIX|IPv4|IPv6 Internal backend socket family\n"
"\t-u <path|addr>\t Internal socket domain path or IP addr (see -a)\n"
"\t-r \t\t Do not drop privileges if run as root\n"
"\t-b \t\t Read config from backend - no-op only applies to evhtp \n"
"\t-o \"<option>=<value>\" Give configuration option overriding config file (see clixon-config.yang)\n",
argv0,
clicon_restconf_dir(h)
@ -290,8 +289,7 @@ main(int argc,
case 'f': /* config file */
case 'E': /* extra config dir */
case 'l': /* log */
case 'b': /* backend config no-op for fcgi */
break; /* see above */
break; /* taken care of in earlier getopt above */
case 'p' : /* yang dir path */
if (clicon_option_add(h, "CLICON_YANG_DIR", optarg) < 0)
goto done;

2
example/main/example.xml
View file

@ -19,6 +19,4 @@
<CLICON_NACM_MODE>disabled</CLICON_NACM_MODE>
<CLICON_STREAM_DISCOVERY_RFC5277>true</CLICON_STREAM_DISCOVERY_RFC5277>
<CLICON_MODULE_LIBRARY_RFC7895>false</CLICON_MODULE_LIBRARY_RFC7895>
<CLICON_RESTCONF_IPV4_ADDR>127.0.0.1</CLICON_RESTCONF_IPV4_ADDR>
<CLICON_RESTCONF_IPV6_ADDR>::1</CLICON_RESTCONF_IPV6_ADDR>
</clixon-config>

6
lib/src/clixon_options.c
View file

@ -375,11 +375,9 @@ parse_configfile(clicon_handle h,
while ((x = xml_child_each(xt, x, CX_ELMNT)) != NULL) {
name = xml_name(x);
body = xml_body(x);
if (name == NULL || body == NULL){
clicon_log(LOG_WARNING, "%s option NULL: name:%s body:%s",
__FUNCTION__, name, body);
/* Ignored non-leafs */
if (name == NULL || body == NULL)
continue;
}
/* Ignored from file due to bootstrapping */
if (strcmp(name,"CLICON_CONFIGFILE")==0)
continue;

6
lib/src/clixon_xml_nsctx.c
View file

@ -294,7 +294,7 @@ xml_nsctx_node(cxobj *xn,
return retval;
}
/*! Create and initialize XML namespace context from Yang node
/*! Create and initialize XML namespace context from Yang node (non-spec)
* Primary use is Yang path statements, eg leafrefs and others
* Fully explore all prefix:namespace pairs from context of one node
* @param[in] yn Yang statement in module tree (or module itself)
@ -330,6 +330,10 @@ xml_nsctx_yang(yang_stmt *yn,
char *mynamespace;
char *myprefix;
if (yang_keyword_get(yn) == Y_SPEC){
clicon_err(OE_YANG, EINVAL, "yang spec node is invalid argument");
goto done;
}
if ((nc = cvec_new(0)) == NULL){
clicon_err(OE_XML, errno, "cvec_new");
goto done;

14
lib/src/clixon_yang.c
View file

@ -2621,10 +2621,8 @@ schema_nodeid_iterate(yang_stmt *yn,
}
/*! Given an absolute schema-nodeid (eg /a/b/c) find matching yang spec
* @param[in] yspec Yang specification.
* @param[in] yn Original yang stmt (where call is made) if any
* @param[in] yn Original yang stmt (where call is made)
* @param[in] schema_nodeid Absolute schema-node-id, ie /a/b
* @param[in] keyword A schemode of this type, or -1 if any
* @param[out] yres Result yang statement node, or NULL if not found
* @retval -1 Error, with clicon_err called
* @retval 0 OK , with result in yres
@ -2676,15 +2674,19 @@ yang_abs_schema_nodeid(yang_stmt *yn,
}
}
/* Make a namespace context from yang for the prefixes (names) of nodeid_cvv */
if (xml_nsctx_yang(yn, &nsc) < 0)
if (yang_keyword_get(yn) == Y_SPEC){
if (xml_nsctx_yangspec(yn, &nsc) < 0)
goto done;
}
else if (xml_nsctx_yang(yn, &nsc) < 0)
goto done;
/* Since this is an _absolute_ schema nodeid start from top
* Get namespace */
cv = cvec_i(nodeid_cvv, 0);
prefix = cv_name_get(cv);
if ((ns = xml_nsctx_get(nsc, prefix)) == NULL){
clicon_err(OE_YANG, EFAULT, "No namespace for prefix: %s in schema node identifier: %s in module %s",
prefix, schema_nodeid, yang_argument_get(ys_module(yn)));
clicon_err(OE_YANG, EFAULT, "No namespace for prefix: %s in schema node identifier: %s",
prefix, schema_nodeid);
goto done;
}
/* Get yang module */

11
test/README.md
View file

@ -99,15 +99,22 @@ For example, in FreeBSD, add:
## https
For fcgi/nginx you need to setup https in the nginx config file, independently of clixon.
If you use evhtp with `configure --with-restconf=evhtp`, you can prepend the tests with RCPROTO=https which will run all restconf tests with SSL https and server certs.
Ensure the server keys are in order, as follows.
If you already have server certs, ensure CLICON_SSL_SERVER_CERT and CLICON_SSL_SERVER_KEY points to them.
If you already have server certs, ensure the RESTCONF variable in lib.sh points to them, by default the config is
```
<server-cert-path>/etc/ssl/certs/clixon-server-crt.pem</server-cert-path>
<server-key-path>/etc/ssl/private/clixon-server-key.pem</server-key-path>
<server-ca-cert-path>/etc/ssl/certs/clixon-ca-crt.pem</server-ca-cert-path>
```
If you do not have them, generate self-signed certs, eg as follows:
```
openssl req -x509 -nodes -newkey rsa:4096 -keyout /etc/ssl/private/clixon-server-key.pem -out /etc/ssl/certs/clixon-server-crt.pem -days 365
```
There are also client-cert tests, eg test_ssl*.sh
There are also client-cert tests, eg `test_ssl_certs.sh`

18
test/lib.sh
View file

@ -176,6 +176,15 @@ if [ ! -d $dir ]; then
mkdir $dir
fi
# Default restconf configuration: http IPv4
# Can be placed in clixon-config
# Note that https clause assumes there exists certs and keys in /etc/ssl,...
if [ $RCPROTO = http ]; then
RESTCONFIG="<restconf><auth-type>password</auth-type><socket><namespace>default</namespace><address>0.0.0.0</address><port>80</port><ssl>false</ssl></socket></restconf>"
else
RESTCONFIG="<restconf><auth-type>password</auth-type><server-cert-path>/etc/ssl/certs/clixon-server-crt.pem</server-cert-path><server-key-path>/etc/ssl/private/clixon-server-key.pem</server-key-path><server-ca-cert-path>/etc/ssl/certs/clixon-ca-crt.pem</server-ca-cert-path><socket><namespace>default</namespace><address>0.0.0.0</address><port>443</port><ssl>true</ssl></socket></restconf>"
fi
# Some tests may set owner of testdir to something strange and quit, need
# to reset to me
if [ ! -G $dir ]; then
@ -278,13 +287,8 @@ wait_backend(){
# @see wait_restconf
start_restconf(){
# Start in background
if [ $RCPROTO = https -a "${WITH_RESTCONF}" = "evhtp" ]; then
EXTRA="-s" # server certs ONLY evhtp
else
EXTRA=
fi
echo "sudo -u $wwwstartuser -s $clixon_restconf $RCLOG -D $DBG $EXTRA $*"
sudo -u $wwwstartuser -s $clixon_restconf $RCLOG -D $DBG $EXTRA $* &
echo "sudo -u $wwwstartuser -s $clixon_restconf $RCLOG -D $DBG $*"
sudo -u $wwwstartuser -s $clixon_restconf $RCLOG -D $DBG $* &
if [ $? -ne 0 ]; then
err
fi

25
test/restconfig.sh
View file

@ -1,25 +0,0 @@
#!/usr/bin/env bash
# Create restconf backend config with a single socket
# ipv4 no-ssl
# The script defines a VARIABLE containing XML config
# This is either inserted into the startup db, or installed in the backend using the
# restconfigrun() function.
# The config relies on clixon-restconf.yang being loaded.
RESTCONFIG=$(cat <<EOF
<restconf xmlns="https://clicon.org/restconf">
<auth-type>password</auth-type>
<socket><namespace>default</namespace><address>0.0.0.0</address><port>80</port><ssl>false</ssl></socket>
</restconf>
EOF
)
# Install the config above on a backend
restconfigrun()
{
new "netconf edit config"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><edit-config><target><candidate/></target><config>$RESTCONFIG</config></edit-config></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
new "netconf commit"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><commit/></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
}

7
test/test_api.sh
View file

@ -39,6 +39,7 @@ cat <<EOF > $cfg
<CLICON_BACKEND_PIDFILE>/usr/local/var/$APPNAME/$APPNAME.pidfile</CLICON_BACKEND_PIDFILE>
<CLICON_XMLDB_DIR>$dir</CLICON_XMLDB_DIR>
<CLICON_XMLDB_FORMAT>$format</CLICON_XMLDB_FORMAT>
$RESTCONFIG
</clixon-config>
EOF
@ -228,12 +229,6 @@ if [ $BE -ne 0 ]; then
new "waiting"
wait_backend
# Load restconf config for evhtp backend config
if [ "${WITH_RESTCONF}" = "evhtp" ]; then
. ./restconfig.sh
restconfigrun
fi
if [ $RC -ne 0 ]; then
new "kill old restconf daemon"
stop_restconf_pre

7
test/test_augment.sh
View file

@ -38,6 +38,7 @@ cat <<EOF > $cfg
<CLICON_RESTCONF_PRETTY>false</CLICON_RESTCONF_PRETTY>
<CLICON_XMLDB_DIR>/usr/local/var/$APPNAME</CLICON_XMLDB_DIR>
<CLICON_MODULE_LIBRARY_RFC7895>true</CLICON_MODULE_LIBRARY_RFC7895>
$RESTCONFIG
</clixon-config>
EOF
@ -167,12 +168,6 @@ fi
new "waiting"
wait_backend
# Load restconf config for evhtp backend config
if [ "${WITH_RESTCONF}" = "evhtp" ]; then
. ./restconfig.sh
restconfigrun
fi
if [ $RC -ne 0 ]; then
new "kill old restconf daemon"

7
test/test_choice.sh
View file

@ -28,6 +28,7 @@ cat <<EOF > $cfg
<CLICON_RESTCONF_PRETTY>false</CLICON_RESTCONF_PRETTY>
<CLICON_BACKEND_PIDFILE>/usr/local/var/$APPNAME/$APPNAME.pidfile</CLICON_BACKEND_PIDFILE>
<CLICON_XMLDB_DIR>/usr/local/var/$APPNAME</CLICON_XMLDB_DIR>
$RESTCONFIG
</clixon-config>
EOF
@ -119,12 +120,6 @@ fi
new "waiting"
wait_backend
# Load restconf config for evhtp backend config
if [ "${WITH_RESTCONF}" = "evhtp" ]; then
. ./restconfig.sh
restconfigrun
fi
if [ $RC -ne 0 ]; then
new "kill old restconf daemon"
stop_restconf_pre

7
test/test_identity.sh
View file

@ -28,6 +28,7 @@ cat <<EOF > $cfg
<CLICON_SOCK>/usr/local/var/$APPNAME/$APPNAME.sock</CLICON_SOCK>
<CLICON_BACKEND_PIDFILE>/usr/local/var/$APPNAME/$APPNAME.pidfile</CLICON_BACKEND_PIDFILE>
<CLICON_XMLDB_DIR>/usr/local/var/$APPNAME</CLICON_XMLDB_DIR>
$RESTCONFIG
</clixon-config>
EOF
@ -154,12 +155,6 @@ fi
new "waiting"
wait_backend
# Load restconf config for evhtp backend config
if [ "${WITH_RESTCONF}" = "evhtp" ]; then
. ./restconfig.sh
restconfigrun
fi
if [ $RC -ne 0 ]; then
new "kill old restconf daemon"
stop_restconf_pre

3
test/test_nacm.sh
View file

@ -34,6 +34,7 @@ cat <<EOF > $cfg
<CLICON_RESTCONF_PRETTY>false</CLICON_RESTCONF_PRETTY>
<CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
<CLICON_NACM_DISABLED_ON_EMPTY>true</CLICON_NACM_DISABLED_ON_EMPTY>
$RESTCONFIG
</clixon-config>
EOF
@ -132,7 +133,7 @@ if [ $RC -ne 0 ]; then
stop_restconf_pre
new "start restconf daemon (-a is enable basic authentication)"
start_restconf -f $cfg -o CLICON_RESTCONF_CONFIG=false -- -a
start_restconf -f $cfg -- -a
new "waiting"
wait_restconf

27
test/test_nacm_datanode.sh
View file

@ -63,6 +63,7 @@ cat <<EOF > $cfg
<CLICON_RESTCONF_PRETTY>false</CLICON_RESTCONF_PRETTY>
<CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
<CLICON_NACM_DISABLED_ON_EMPTY>true</CLICON_NACM_DISABLED_ON_EMPTY>
$RESTCONFIG
</clixon-config>
EOF
@ -227,22 +228,6 @@ fi
new "waiting"
wait_backend
new "auth set authentication config"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><edit-config><target><candidate/></target><config>$RULES</config></edit-config></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
new "set app config"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><edit-config><target><candidate/></target><config>$CONFIG</config></edit-config></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
new "commit it"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><commit/></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
# Load restconf config for evhtp backend config
# NACM is disabled by RULES
if [ "${WITH_RESTCONF}" = "evhtp" ]; then
. ./restconfig.sh
restconfigrun
fi
if [ $RC -ne 0 ]; then
new "kill old restconf daemon"
stop_restconf_pre
@ -254,6 +239,16 @@ if [ $RC -ne 0 ]; then
wait_restconf
fi
new "auth set authentication config"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><edit-config><target><candidate/></target><config>$RULES</config></edit-config></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
new "set app config"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><edit-config><target><candidate/></target><config>$CONFIG</config></edit-config></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
new "commit it"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><commit/></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
new "enable nacm"
expectpart "$(curl -u andy:bar $CURLOPTS -X PUT -H "Content-Type: application/yang-data+json" -d '{"ietf-netconf-acm:enable-nacm": true}' $RCPROTO://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" 0 "HTTP/1.1 204 No Content"

3
test/test_nacm_datanode_paths.sh
View file

@ -36,6 +36,7 @@ cat <<EOF > $cfg
<CLICON_RESTCONF_PRETTY>false</CLICON_RESTCONF_PRETTY>
<CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
<CLICON_NACM_CREDENTIALS>none</CLICON_NACM_CREDENTIALS>
$RESTCONFIG
</clixon-config>
EOF
@ -106,7 +107,7 @@ if [ $RC -ne 0 ]; then
stop_restconf_pre
new "start restconf daemon (-a is enable basic authentication)"
start_restconf -f $cfg -o CLICON_RESTCONF_CONFIG=false -- -a
start_restconf -f $cfg -- -a
new "waiting"
wait_restconf

28
test/test_nacm_datanode_read.sh
View file

@ -43,6 +43,7 @@ cat <<EOF > $cfg
<CLICON_RESTCONF_PRETTY>false</CLICON_RESTCONF_PRETTY>
<CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
<CLICON_NACM_DISABLED_ON_EMPTY>true</CLICON_NACM_DISABLED_ON_EMPTY>
$RESTCONFIG
</clixon-config>
EOF
@ -232,23 +233,6 @@ fi
new "waiting"
wait_backend
new "auth set authentication config"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><edit-config><target><candidate/></target><config>$RULES</config></edit-config></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
new "set app config"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><edit-config><target><candidate/></target><config>$CONFIG</config></edit-config></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
new "commit it"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><commit/></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
# Load restconf config for evhtp backend config
# Must be done before restconf started NACM is disabled
if [ "${WITH_RESTCONF}" = "evhtp" ]; then
. ./restconfig.sh
restconfigrun
fi
if [ $RC -ne 0 ]; then
new "kill old restconf daemon"
stop_restconf_pre
@ -260,6 +244,16 @@ if [ $RC -ne 0 ]; then
wait_restconf
fi
new "auth set authentication config"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><edit-config><target><candidate/></target><config>$RULES</config></edit-config></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
new "set app config"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><edit-config><target><candidate/></target><config>$CONFIG</config></edit-config></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
new "commit it"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><commit/></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
new "enable nacm"
expectpart "$(curl -u andy:bar $CURLOPTS -X PUT -H "Content-Type: application/yang-data+json" -d '{"ietf-netconf-acm:enable-nacm": true}' $RCPROTO://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" 0 "HTTP/1.1 204 No Content"

27
test/test_nacm_datanode_write.sh
View file

@ -35,6 +35,7 @@ cat <<EOF > $cfg
<CLICON_RESTCONF_PRETTY>false</CLICON_RESTCONF_PRETTY>
<CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
<CLICON_NACM_DISABLED_ON_EMPTY>true</CLICON_NACM_DISABLED_ON_EMPTY>
$RESTCONFIG
</clixon-config>
EOF
@ -228,22 +229,6 @@ fi
new "waiting"
wait_backend
new "auth set authentication config"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><edit-config><target><candidate/></target><config>$RULES</config></edit-config></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
new "set app config"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><edit-config><target><candidate/></target><config>$CONFIG</config></edit-config></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
new "commit it"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><commit/></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
# Load restconf config for evhtp backend config
# Must be done before restconf but after first config
if [ "${WITH_RESTCONF}" = "evhtp" ]; then
. ./restconfig.sh
restconfigrun
fi
if [ $RC -ne 0 ]; then
new "kill old restconf daemon"
stop_restconf_pre
@ -255,6 +240,16 @@ if [ $RC -ne 0 ]; then
wait_restconf
fi
new "auth set authentication config"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><edit-config><target><candidate/></target><config>$RULES</config></edit-config></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
new "set app config"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><edit-config><target><candidate/></target><config>$CONFIG</config></edit-config></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
new "commit it"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><commit/></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
new "enable nacm"
expectpart "$(curl -u andy:bar $CURLOPTS -X PUT -H "Content-Type: application/yang-data+json" -d '{"ietf-netconf-acm:enable-nacm": true}' $RCPROTO://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" 0 "HTTP/1.1 204 No Content"

4
test/test_nacm_default.sh
View file

@ -32,6 +32,7 @@ cat <<EOF > $cfg
<CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
<CLICON_NACM_DISABLED_ON_EMPTY>true</CLICON_NACM_DISABLED_ON_EMPTY>
<CLICON_XMLDB_FORMAT>$format</CLICON_XMLDB_FORMAT>
$RESTCONFIG
</clixon-config>
EOF
@ -110,9 +111,8 @@ EOF
new "kill old restconf daemon"
stop_restconf_pre
# Cannot use CLICON_RESTCONF_CONFIG=true because of bootstrap problem
new "start restconf daemon (-a is enable basic authentication)"
start_restconf -f $cfg -o CLICON_RESTCONF_CONFIG=false -- -a
start_restconf -f $cfg -- -a
new "waiting"
wait_restconf

7
test/test_nacm_ext.sh
View file

@ -36,6 +36,7 @@ cat <<EOF > $cfg
<CLICON_NACM_MODE>external</CLICON_NACM_MODE>
<CLICON_NACM_FILE>$nacmfile</CLICON_NACM_FILE>
<CLICON_NACM_CREDENTIALS>none</CLICON_NACM_CREDENTIALS>
$RESTCONFIG
</clixon-config>
EOF
@ -146,12 +147,6 @@ fi
new "waiting"
wait_backend
# Load restconf config for evhtp backend config
if [ "${WITH_RESTCONF}" = "evhtp" ]; then
. ./restconfig.sh
restconfigrun
fi
if [ $RC -ne 0 ]; then
new "kill old restconf daemon"
stop_restconf_pre

20
test/test_nacm_module_read.sh
View file

@ -36,6 +36,7 @@ cat <<EOF > $cfg
<CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
<CLICON_NACM_CREDENTIALS>none</CLICON_NACM_CREDENTIALS>
<CLICON_NACM_DISABLED_ON_EMPTY>true</CLICON_NACM_DISABLED_ON_EMPTY>
$RESTCONFIG
</clixon-config>
EOF
@ -129,18 +130,6 @@ fi
new "waiting"
wait_backend
new "auth set authentication config"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><edit-config><target><candidate/></target><config>$RULES</config></edit-config></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
new "commit it"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><commit/></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
# Load restconf config for evhtp backend config
if [ "${WITH_RESTCONF}" = "evhtp" ]; then
. ./restconfig.sh
restconfigrun
fi
if [ $RC -ne 0 ]; then
new "kill old restconf daemon"
stop_restconf_pre
@ -152,6 +141,13 @@ if [ $RC -ne 0 ]; then
wait_restconf
fi
new "auth set authentication config"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><edit-config><target><candidate/></target><config>$RULES</config></edit-config></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
new "commit it"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><commit/></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
new "enable nacm"
expectpart "$(curl -u andy:bar $CURLOPTS -X PUT -H "Content-Type: application/yang-data+json" -d '{"ietf-netconf-acm:enable-nacm": true}' $RCPROTO://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" 0 "HTTP/1.1 204 No Content"

3
test/test_nacm_module_write.sh
View file

@ -49,6 +49,7 @@ cat <<EOF > $cfg
<CLICON_RESTCONF_PRETTY>false</CLICON_RESTCONF_PRETTY>
<CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
<CLICON_NACM_DISABLED_ON_EMPTY>true</CLICON_NACM_DISABLED_ON_EMPTY>
$RESTCONFIG
</clixon-config>
EOF
@ -153,7 +154,7 @@ if [ $RC -ne 0 ]; then
stop_restconf_pre
new "start restconf daemon (-a is enable basic authentication)"
start_restconf -f $cfg -o CLICON_RESTCONF_CONFIG=false -- -a
start_restconf -f $cfg -- -a
new "waiting"
wait_restconf

21
test/test_nacm_protocol.sh
View file

@ -53,6 +53,7 @@ cat <<EOF > $cfg
<CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
<CLICON_NACM_CREDENTIALS>none</CLICON_NACM_CREDENTIALS>
<CLICON_NACM_DISABLED_ON_EMPTY>true</CLICON_NACM_DISABLED_ON_EMPTY>
$RESTCONFIG
</clixon-config>
EOF
@ -149,19 +150,6 @@ fi
new "waiting"
wait_backend
new "auth set authentication config"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><edit-config><target><candidate/></target><config>$RULES</config></edit-config></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
new "commit it"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><commit/></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
# Load restconf config for evhtp backend config
if [ "${WITH_RESTCONF}" = "evhtp" ]; then
. ./restconfig.sh
restconfigrun
fi
if [ $RC -ne 0 ]; then
new "kill old restconf daemon"
@ -174,6 +162,13 @@ if [ $RC -ne 0 ]; then
wait_restconf
fi
new "auth set authentication config"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><edit-config><target><candidate/></target><config>$RULES</config></edit-config></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
new "commit it"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><commit/></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
new "enable nacm"
expectpart "$(curl -u andy:bar $CURLOPTS -X PUT -H "Content-Type: application/yang-data+json" -d '{"ietf-netconf-acm:enable-nacm": true}' $RCPROTO://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" 0 "HTTP/1.1 204 No Content"

3
test/test_nacm_recovery.sh
View file

@ -85,6 +85,7 @@ cat <<EOF > $cfg
<CLICON_NACM_RECOVERY_USER>$recovery</CLICON_NACM_RECOVERY_USER>
<CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
<CLICON_NACM_CREDENTIALS>$cred</CLICON_NACM_CREDENTIALS>
$RESTCONFIG
</clixon-config>
EOF
if [ $BE -ne 0 ]; then
@ -103,7 +104,7 @@ EOF
stop_restconf_pre
new "start restconf daemon (-a is enable basic authentication)"
start_restconf -f $cfg -o CLICON_RESTCONF_CONFIG=false -- -a
start_restconf -f $cfg -- -a
new "waiting"
wait_restconf

7
test/test_perf_restconf.sh
View file

@ -69,6 +69,7 @@ cat <<EOF > $cfg
<CLICON_CLISPEC_DIR>/usr/local/lib/example/clispec</CLICON_CLISPEC_DIR>
<CLICON_CLI_LINESCROLLING>0</CLICON_CLI_LINESCROLLING>
<CLICON_FEATURE>ietf-netconf:startup</CLICON_FEATURE>
$RESTCONFIG
</clixon-config>
EOF
@ -87,12 +88,6 @@ fi
new "waiting"
wait_backend
# Load restconf config for evhtp backend config
if [ "${WITH_RESTCONF}" = "evhtp" ]; then
. ./restconfig.sh
restconfigrun
fi
if [ $RC -ne 0 ]; then
new "kill old restconf daemon"
stop_restconf_pre

7
test/test_perf_state.sh
View file

@ -47,6 +47,7 @@ cat <<EOF > $cfg
<CLICON_CLISPEC_DIR>/usr/local/lib/example/clispec</CLICON_CLISPEC_DIR>
<CLICON_CLI_LINESCROLLING>0</CLICON_CLI_LINESCROLLING>
<CLICON_FEATURE>ietf-netconf:startup</CLICON_FEATURE>
$RESTCONFIG
</clixon-config>
EOF
@ -108,12 +109,6 @@ fi
new "waiting"
wait_backend
# Load restconf config for evhtp backend config
if [ "${WITH_RESTCONF}" = "evhtp" ]; then
. ./restconfig.sh
restconfigrun
fi
if [ $RC -ne 0 ]; then
new "kill old restconf daemon"
stop_restconf_pre

7
test/test_perf_state_only.sh
View file

@ -46,6 +46,7 @@ cat <<EOF > $cfg
<CLICON_CLI_DIR>/usr/local/lib/example/cli</CLICON_CLI_DIR>
<CLICON_CLISPEC_DIR>/usr/local/lib/example/clispec</CLICON_CLISPEC_DIR>
<CLICON_FEATURE>ietf-netconf:startup</CLICON_FEATURE>
$RESTCONFIG
</clixon-config>
EOF
@ -108,12 +109,6 @@ if [ $BE -ne 0 ]; then
wait_backend
fi
# Load restconf config for evhtp backend config
if [ "${WITH_RESTCONF}" = "evhtp" ]; then
. ./restconfig.sh
restconfigrun
fi
if [ $RC -ne 0 ]; then
new "kill old restconf daemon"

44
test/test_restconf.sh
View file

@ -39,6 +39,7 @@ cat <<EOF > $cfg
<CLICON_BACKEND_PIDFILE>/usr/local/var/$APPNAME/$APPNAME.pidfile</CLICON_BACKEND_PIDFILE>
<CLICON_XMLDB_DIR>/usr/local/var/$APPNAME</CLICON_XMLDB_DIR>
<CLICON_MODULE_LIBRARY_RFC7895>true</CLICON_MODULE_LIBRARY_RFC7895>
</clixon-config>
EOF
if [ "${WITH_RESTCONF}" = "evhtp" ]; then
@ -50,23 +51,8 @@ if [ "${WITH_RESTCONF}" = "evhtp" ]; then
cacert=$certdir/ca_cert.pem
test -d $certdir || mkdir $certdir
. ./certs.sh
cat <<EOF >> $cfg
<CLICON_SSL_SERVER_CERT>$srvcert</CLICON_SSL_SERVER_CERT>
<CLICON_SSL_SERVER_KEY>$srvkey</CLICON_SSL_SERVER_KEY>
<CLICON_SSL_CA_CERT>$srvcert</CLICON_SSL_CA_CERT>
EOF
fi
if $IPv6; then
cat <<EOF >> $cfg
<CLICON_RESTCONF_IPV6_ADDR>::</CLICON_RESTCONF_IPV6_ADDR>
EOF
fi
cat <<EOF >> $cfg
</clixon-config>
EOF
# This is a fixed 'state' implemented in routing_backend. It is assumed to be always there
state='{"clixon-example:state":{"op":\["41","42","43"\]}'
@ -93,7 +79,8 @@ else
<server-cert-path>$srvcert</server-cert-path>
<server-key-path>$srvkey</server-key-path>
<server-ca-cert-path>$cakey</server-ca-cert-path>
<socket><namespace>default</namespace><address>0.0.0.0</address><port>80</port><ssl>false</ssl></socket>
<socket><namespace>default</namespace><address>0.0.0.0</address><port>80</port><ssl>false</ssl></sock
et>
<socket><namespace>default</namespace><address>0.0.0.0</address><port>443</port><ssl>true</ssl></socket>
</restconf>
EOF
@ -108,12 +95,10 @@ testrun()
{
proto=$1 # http/https
addr=$2 # 127.0.0.1/::1
config=$3 # local/backend
RCPROTO=$proto # for start/wait of restconf
echo "proto:$proto"
echo "addr:$addr"
echo "config:$config"
new "test params: -f $cfg -- -s"
if [ $BE -ne 0 ]; then
@ -131,26 +116,19 @@ testrun()
new "wait backend"
wait_backend
if [ $config = backend ] ; then # Create a backend config
# restconf backend config
new "netconf edit config"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><edit-config><target><candidate/></target><config>$RESTCONFIG</config></edit-config></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
new "netconf commit"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><commit/></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
fi
if [ $RC -ne 0 ]; then
new "kill old restconf daemon"
stop_restconf_pre
if [ $config = backend ] ; then # Add -b option
new "start restconf daemon -o CLICON_RESTCONF_CONFIG=true"
start_restconf -f $cfg -o CLICON_RESTCONF_CONFIG=true
else
new "start restconf daemon -o CLICON_RESTCONF_CONFIG=false"
start_restconf -f $cfg -o CLICON_RESTCONF_CONFIG=false
fi
new "start restconf daemon ZZZ"
echo "cfg:$cfg"
start_restconf -f $cfg
fi
new "wait restconf"
wait_restconf
@ -396,16 +374,8 @@ for proto in $protos; do
addrs="$addrs \[::1\]"
fi
for addr in $addrs; do
configs="local"
if [ "${WITH_RESTCONF}" = "evhtp" ]; then
# backend config retrieval only implemented for evhtp
configs="$configs backend"
fi
echo "configs:$configs"
for config in $configs; do
new "restconf test: proto:$proto addr:$addr config:$config"
testrun $proto $addr $config
done
testrun $proto $addr
done
done

7
test/test_restconf2.sh
View file

@ -23,6 +23,7 @@ cat <<EOF > $cfg
<CLICON_SOCK>/usr/local/var/$APPNAME/$APPNAME.sock</CLICON_SOCK>
<CLICON_BACKEND_PIDFILE>$dir/restconf.pidfile</CLICON_BACKEND_PIDFILE>
<CLICON_XMLDB_DIR>/usr/local/var/$APPNAME</CLICON_XMLDB_DIR>
$RESTCONFIG
</clixon-config>
EOF
@ -84,12 +85,6 @@ fi
new "waiting"
wait_backend
# Load restconf config for evhtp backend config
if [ "${WITH_RESTCONF}" = "evhtp" ]; then
. ./restconfig.sh
restconfigrun
fi
if [ $RC -ne 0 ]; then
new "kill old restconf daemon"
stop_restconf_pre

7
test/test_restconf_err.sh
View file

@ -46,6 +46,7 @@ cat <<EOF > $cfg
<CLICON_CLISPEC_DIR>/usr/local/lib/$APPNAME/clispec</CLICON_CLISPEC_DIR>
<CLICON_CLI_DIR>/usr/local/lib/$APPNAME/cli</CLICON_CLI_DIR>
<CLICON_CLI_MODE>$APPNAME</CLICON_CLI_MODE>
$RESTCONFIG
</clixon-config>
EOF
@ -168,12 +169,6 @@ fi
new "waiting"
wait_backend
# Load restconf config for evhtp backend config
if [ "${WITH_RESTCONF}" = "evhtp" ]; then
. ./restconfig.sh
restconfigrun
fi
if [ $RC -ne 0 ]; then
new "kill old restconf daemon"
stop_restconf_pre

7
test/test_restconf_jukebox.sh
View file

@ -36,6 +36,7 @@ cat <<EOF > $cfg
<CLICON_BACKEND_PIDFILE>$dir/restconf.pidfile</CLICON_BACKEND_PIDFILE>
<CLICON_XMLDB_DIR>/usr/local/var/$APPNAME</CLICON_XMLDB_DIR>
<CLICON_STREAM_DISCOVERY_RFC8040>true</CLICON_STREAM_DISCOVERY_RFC8040>
$RESTCONFIG
</clixon-config>
EOF
@ -77,12 +78,6 @@ fi
new "waiting"
wait_backend
# Load restconf config for evhtp backend config
if [ "${WITH_RESTCONF}" = "evhtp" ]; then
. ./restconfig.sh
restconfigrun
fi
if [ $RC -ne 0 ]; then
new "kill old restconf daemon"
stop_restconf_pre

7
test/test_restconf_listkey.sh
View file

@ -21,6 +21,7 @@ cat <<EOF > $cfg
<CLICON_SOCK>/usr/local/var/$APPNAME/$APPNAME.sock</CLICON_SOCK>
<CLICON_BACKEND_PIDFILE>$dir/restconf.pidfile</CLICON_BACKEND_PIDFILE>
<CLICON_XMLDB_DIR>/usr/local/var/$APPNAME</CLICON_XMLDB_DIR>
$RESTCONFIG
</clixon-config>
EOF
@ -80,12 +81,6 @@ fi
new "waiting"
wait_backend
# Load restconf config for evhtp backend config
if [ "${WITH_RESTCONF}" = "evhtp" ]; then
. ./restconfig.sh
restconfigrun
fi
if [ $RC -ne 0 ]; then
new "kill old restconf daemon"
stop_restconf_pre

5
test/test_restconf_patch.sh
View file

@ -26,6 +26,7 @@ cat <<EOF > $cfg
<CLICON_XMLDB_DIR>$dir</CLICON_XMLDB_DIR>
<CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
<CLICON_NACM_DISABLED_ON_EMPTY>true</CLICON_NACM_DISABLED_ON_EMPTY>
$RESTCONFIG
</clixon-config>
EOF
@ -116,7 +117,7 @@ if [ $RC -ne 0 ]; then
stop_restconf_pre
new "start restconf daemon (-a is enable basic authentication)"
start_restconf -f $cfg -o CLICON_RESTCONF_CONFIG=false -- -a
start_restconf -f $cfg -- -a
new "waiting restconf"
wait_restconf
@ -173,7 +174,7 @@ if [ $RC -ne 0 ]; then
stop_restconf_pre
new "start restconf daemon (-a is enable basic authentication)"
start_restconf -f $cfg -o CLICON_RESTCONF_CONFIG=false -- -a
start_restconf -f $cfg -- -a
new "waiting"
wait_restconf

7
test/test_restconf_startup.sh
View file

@ -44,6 +44,7 @@ cat <<EOF > $cfg
<CLICON_SOCK>/usr/local/var/$APPNAME/$APPNAME.sock</CLICON_SOCK>
<CLICON_BACKEND_PIDFILE>/usr/local/var/$APPNAME/$APPNAME.pidfile</CLICON_BACKEND_PIDFILE>
<CLICON_XMLDB_DIR>$dir</CLICON_XMLDB_DIR>
$RESTCONFIG
</clixon-config>
EOF
@ -64,12 +65,6 @@ testrun(){
new "waiting"
wait_backend
# Load restconf config for evhtp backend config
if [ "${WITH_RESTCONF}" = "evhtp" ]; then
. ./restconfig.sh
restconfigrun
fi
new "kill old restconf daemon"
stop_restconf_pre

7
test/test_rpc.sh
View file

@ -28,6 +28,7 @@ cat <<EOF > $cfg
<CLICON_SOCK>/usr/local/var/$APPNAME/$APPNAME.sock</CLICON_SOCK>
<CLICON_BACKEND_PIDFILE>/usr/local/var/$APPNAME/$APPNAME.pidfile</CLICON_BACKEND_PIDFILE>
<CLICON_XMLDB_DIR>/usr/local/var/$APPNAME</CLICON_XMLDB_DIR>
$RESTCONFIG
</clixon-config>
EOF
@ -45,12 +46,6 @@ fi
new "waiting"
wait_backend
# Load restconf config for evhtp backend config
if [ "${WITH_RESTCONF}" = "evhtp" ]; then
. ./restconfig.sh
restconfigrun
fi
if [ $RC -ne 0 ]; then
new "kill old restconf daemon"
stop_restconf_pre

103
test/test_ssl_certs.sh
View file

@ -43,42 +43,6 @@ fi
test -d $certdir || mkdir $certdir
# Use yang in example
# Get config from backend?
cat <<EOF > $cfg
<clixon-config xmlns="http://clicon.org/config">
<CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
<CLICON_FEATURE>ietf-netconf:startup</CLICON_FEATURE>
<CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
<CLICON_YANG_DIR>$IETFRFC</CLICON_YANG_DIR>
<CLICON_YANG_MAIN_FILE>$fyang</CLICON_YANG_MAIN_FILE>
<CLICON_CLISPEC_DIR>/usr/local/lib/$APPNAME/clispec</CLICON_CLISPEC_DIR>
<CLICON_BACKEND_DIR>/usr/local/lib/$APPNAME/backend</CLICON_BACKEND_DIR>
<CLICON_BACKEND_REGEXP>example_backend.so$</CLICON_BACKEND_REGEXP>
<CLICON_RESTCONF_DIR>/usr/local/lib/$APPNAME/restconf</CLICON_RESTCONF_DIR>
<CLICON_RESTCONF_PRETTY>false</CLICON_RESTCONF_PRETTY>
<CLICON_CLI_DIR>/usr/local/lib/$APPNAME/cli</CLICON_CLI_DIR>
<CLICON_CLI_MODE>$APPNAME</CLICON_CLI_MODE>
<CLICON_SOCK>/usr/local/var/$APPNAME/$APPNAME.sock</CLICON_SOCK>
<CLICON_BACKEND_PIDFILE>/usr/local/var/$APPNAME/$APPNAME.pidfile</CLICON_BACKEND_PIDFILE>
<CLICON_XMLDB_DIR>$dir</CLICON_XMLDB_DIR>
<CLICON_MODULE_LIBRARY_RFC7895>true</CLICON_MODULE_LIBRARY_RFC7895>
<CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
<CLICON_SSL_SERVER_CERT>$srvcert</CLICON_SSL_SERVER_CERT>
<CLICON_SSL_SERVER_KEY>$srvkey</CLICON_SSL_SERVER_KEY>
<CLICON_SSL_CA_CERT>$cacert</CLICON_SSL_CA_CERT>
EOF
if $IPv6; then
cat <<EOF >> $cfg
<CLICON_RESTCONF_IPV6_ADDR>::</CLICON_RESTCONF_IPV6_ADDR>
EOF
fi
cat <<EOF >> $cfg
</clixon-config>
EOF
cat <<EOF > $fyang
module example{
yang-version 1.1;
@ -155,44 +119,49 @@ EOF
fi # genkeys
# Set a clixon-restconf config
ssl=true
port=443
authtype=client-certificate
# Run with and without getting config from backend
# arg 1: false: local config; true: use config backend
testrun()
{
USEBACKEND=$1
# Startup DB with proper NACM config
if $USEBACKEND; then
cat <<EOF > $dir/startup_db
<config>
<restconf xmlns="https://clicon.org/restconf">
<auth-type>$authtype</auth-type>
# Write local config
cat <<EOF > $cfg
<clixon-config xmlns="http://clicon.org/config">
<CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
<CLICON_FEATURE>ietf-netconf:startup</CLICON_FEATURE>
<CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
<CLICON_YANG_DIR>$IETFRFC</CLICON_YANG_DIR>
<CLICON_YANG_MAIN_FILE>$fyang</CLICON_YANG_MAIN_FILE>
<CLICON_CLISPEC_DIR>/usr/local/lib/$APPNAME/clispec</CLICON_CLISPEC_DIR>
<CLICON_BACKEND_DIR>/usr/local/lib/$APPNAME/backend</CLICON_BACKEND_DIR>
<CLICON_BACKEND_REGEXP>example_backend.so$</CLICON_BACKEND_REGEXP>
<CLICON_RESTCONF_DIR>/usr/local/lib/$APPNAME/restconf</CLICON_RESTCONF_DIR>
<CLICON_RESTCONF_PRETTY>false</CLICON_RESTCONF_PRETTY>
<CLICON_CLI_DIR>/usr/local/lib/$APPNAME/cli</CLICON_CLI_DIR>
<CLICON_CLI_MODE>$APPNAME</CLICON_CLI_MODE>
<CLICON_SOCK>/usr/local/var/$APPNAME/$APPNAME.sock</CLICON_SOCK>
<CLICON_BACKEND_PIDFILE>/usr/local/var/$APPNAME/$APPNAME.pidfile</CLICON_BACKEND_PIDFILE>
<CLICON_XMLDB_DIR>$dir</CLICON_XMLDB_DIR>
<CLICON_MODULE_LIBRARY_RFC7895>true</CLICON_MODULE_LIBRARY_RFC7895>
<CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
<restconf>
<auth-type>client-certificate</auth-type>
<server-cert-path>$srvcert</server-cert-path>
<server-key-path>$srvkey</server-key-path>
<server-ca-cert-path>$cacert</server-ca-cert-path>
<socket>
<namespace>default</namespace>
<address>0.0.0.0</address>
<port>$port</port>
<ssl>$ssl</ssl>
<port>443</port>
<ssl>true</ssl>
</socket>
</restconf>
$RULES
</config>
</clixon-config>
EOF
else
# Run The test, ssl config is in local config
testrun()
{
cat <<EOF > $dir/startup_db
<config>
$RULES
</config>
EOF
fi
if [ $BE -ne 0 ]; then
new "kill old backend"
sudo clixon_backend -zf $cfg
@ -211,13 +180,8 @@ EOF
if [ $RC -ne 0 ]; then
new "kill old restconf daemon"
stop_restconf_pre
if $USEBACKEND; then
new "start restconf daemon -b -- -s"
start_restconf -f $cfg -o CLICON_RESTCONF_CONFIG=true -- -s
else
new "start restconf daemon -s -c -- -s"
start_restconf -f $cfg -s -c -o CLICON_RESTCONF_CONFIG=false -- -s
fi
start_restconf -f $cfg -- -s
fi
new "wait for restconf"
@ -254,11 +218,8 @@ EOF
fi
}
new "Use local restconf config"
testrun false
new "Get restconf config from backend"
testrun true
new "Run test"
testrun
rm -rf $dir

7
test/test_submodule.sh
View file

@ -43,6 +43,7 @@ cat <<EOF > $cfg
<CLICON_RESTCONF_PRETTY>false</CLICON_RESTCONF_PRETTY>
<CLICON_XMLDB_DIR>/usr/local/var/$APPNAME</CLICON_XMLDB_DIR>
<CLICON_MODULE_LIBRARY_RFC7895>false</CLICON_MODULE_LIBRARY_RFC7895>
$RESTCONFIG
</clixon-config>
EOF
@ -161,12 +162,6 @@ fi
new "wait backend"
wait_backend
# Load restconf config for evhtp backend config
if [ "${WITH_RESTCONF}" = "evhtp" ]; then
. ./restconfig.sh
restconfigrun
fi
if [ $RC -ne 0 ]; then
new "kill old restconf daemon"
stop_restconf_pre

3
test/test_yang_anydata.sh
View file

@ -145,6 +145,7 @@ testrun()
<CLICON_RESTCONF_PRETTY>false</CLICON_RESTCONF_PRETTY>
<CLICON_YANG_UNKNOWN_ANYDATA>$unknown</CLICON_YANG_UNKNOWN_ANYDATA>
$F
$RESTCONFIG
</clixon-config>
EOF
@ -181,7 +182,7 @@ EOF
stop_restconf_pre
new "start restconf daemon"
start_restconf -f $cfg -o CLICON_RESTCONF_CONFIG=false
start_restconf -f $cfg
fi
new "wait restconf"

34
test/test_yang_namespace.sh
View file

@ -27,6 +27,7 @@ cat <<EOF > $cfg
<CLICON_BACKEND_PIDFILE>/usr/local/var/$APPNAME/$APPNAME.pidfile</CLICON_BACKEND_PIDFILE>
<CLICON_XMLDB_DIR>/usr/local/var/$APPNAME</CLICON_XMLDB_DIR>
<CLICON_MODULE_LIBRARY_RFC7895>true</CLICON_MODULE_LIBRARY_RFC7895>
$RESTCONFIG
</clixon-config>
EOF
@ -82,7 +83,7 @@ if [ $RC -ne 0 ]; then
stop_restconf_pre
new "start restconf daemon"
start_restconf -f $cfg -o CLICON_RESTCONF_CONFIG=false
start_restconf -f $cfg
new "waiting"
wait_restconf
@ -116,7 +117,6 @@ expectpart "$(curl $CURLOPTS -X POST -H "Content-Type: application/yang-data+jso
#new "restconf get config example1"
#expectpart "$(curl $CURLOPTS -X GET $RCPROTO://localhost/restconf/data/example1:x)" 0 "HTTP/1.1 200 OK" '{"example1:x":42}'
# XXX GET ../example2:x is translated to select=/x which gets both example1&2
#new "restconf get config example2"
#expectpart "$(curl $CURLOPTS -X GET $RCPROTO://localhost/restconf/data/example2:x)" 0 "HTTP/1.1 200 OK" '{"example2:x":{"y":42}}'
@ -134,20 +134,20 @@ if [ $RC -ne 0 ]; then
stop_restconf
fi
if [ $BE -eq 0 ]; then
exit # BE
fi
new "Kill backend"
# Check if premature kill
pid=$(pgrep -u root -f clixon_backend)
if [ -z "$pid" ]; then
if [ $BE -ne 0 ]; then
new "Kill backend"
# Check if premature kill
pid=$(pgrep -u root -f clixon_backend)
if [ -z "$pid" ]; then
err "backend already dead"
fi
# kill backend
sudo clixon_backend -z -f $cfg
if [ $? -ne 0 ]; then
err "kill backend"
fi
sudo pkill -u root -f clixon_backend
fi
# kill backend
sudo clixon_backend -z -f $cfg
rm -rf $dir
if [ $? -ne 0 ]; then
err "kill backend"
fi
sudo pkill -u root -f clixon_backend
fi
#rm -rf $dir

56
yang/clixon/clixon-config@2020-11-03.yang
View file

@ -3,6 +3,9 @@ module clixon-config {
namespace "http://clicon.org/config";
prefix cc;
import clixon-restconf {
prefix clrc;
}
organization
"Clicon / Clixon";
@ -42,7 +45,15 @@ module clixon-config {
revision 2020-11-03 {
description
"Added: CLICON_RESTCONF_CONFIG";
"Moved to clixon-restconf.yang and marked as obsolete:
CLICON_RESTCONF_IPV4_ADDR
CLICON_RESTCONF_IPV6_ADDR
CLICON_RESTCONF_HTTP_PORT
CLICON_RESTCONF_HTTPS_PORT
CLICON_SSL_SERVER_CERT
CLICON_SSL_SERVER_KEY
CLICON_SSL_CA_CERT
Removed obsolete option CLICON_TRANSACTION_MOD";
}
revision 2020-10-01 {
description
@ -270,6 +281,9 @@ module clixon-config {
}
container clixon-config {
container restconf {
uses clrc:clixon-restconf;
}
leaf-list CLICON_FEATURE {
description
"Supported features as used by YANG feature/if-feature
@ -412,81 +426,69 @@ module clixon-config {
Setting this value to false makes restconf return not pretty-printed
which may be desirable for performance or tests";
}
leaf CLICON_RESTCONF_CONFIG {
type boolean;
default false;
description
"If set, get restconf-specific configuration from the backend running datastore,
using clixon-restconf.yang.
If not set, load all config from local clixon XML config file.
This only applies to with-restconf=evhtp, NOT with restconf=fcgi (nginx)
A consequence is that if set, the following option in this YANG are obsolete:
CLICON_RESTCONF_IPV4_ADDR
CLICON_RESTCONF_IPV6_ADDR
CLICON_RESTCONF_HTTP_PORT
CLICON_RESTCONF_HTTPS_PORT
CLICON_SSL_SERVER_CERT
CLICON_SSL_SERVER_KEY
CLICON_SSL_CA_CERT
";
}
leaf CLICON_RESTCONF_IPV4_ADDR {
type string;
default "0.0.0.0";
status obsolete;
description
"RESTCONF IPv4 socket binding address.
Applies to native http by config option --with-restconf=evhtp.
Obsolete if CLICON_RESTCONF_CONFIG is true";
This config is moved to clixon-restconf.yang.";
}
leaf CLICON_RESTCONF_IPV6_ADDR {
type string;
status obsolete;
description
"RESTCONF IPv6 socket binding address.
Applies to native http by config option --with-restconf=evhtp.
Obsolete if CLICON_RESTCONF_CONFIG is true";
This config is moved to clixon-restconf.yang.";
}
leaf CLICON_RESTCONF_HTTP_PORT {
type uint16;
default 80;
status obsolete;
description
"RESTCONF socket binding port, non-ssl
In the restconf daemon, it can be overriden by -P <port>
Applies to native http only by config option --with-restconf=evhtp.
Obsolete if CLICON_RESTCONF_CONFIG is true";
This config is moved to clixon-restconf.yang.";
}
leaf CLICON_RESTCONF_HTTPS_PORT {
type uint16;
default 443;
status obsolete;
description
"RESTCONF socket binding port, ssl
In the restconf daemon, this is the port chosen if -s is given.
Note it can be overriden by -P <port>
Applies to native http by config option --with-restconf=evhtp.
Obsolete if CLICON_RESTCONF_CONFIG is true";
This config is moved to clixon-restconf.yang.";
}
leaf CLICON_SSL_SERVER_CERT {
type string;
default "/etc/ssl/certs/clixon-server-crt.pem";
status obsolete;
description
"SSL server cert for restconf https.
Applies to native http only by config option --with-restconf=evhtp.
Obsolete if CLICON_RESTCONF_CONFIG is true";
This config is moved to clixon-restconf.yang.";
}
leaf CLICON_SSL_SERVER_KEY {
type string;
default "/etc/ssl/private/clixon-server-key.pem";
status obsolete;
description
"SSL server private key for restconf https.
Applies to native http only by config option --with-restconf=evhtp.
Obsolete if CLICON_RESTCONF_CONFIG is true";
This config is moved to clixon-restconf.yang.";
}
leaf CLICON_SSL_CA_CERT {
type string;
default "/etc/ssl/certs/clixon-ca_crt.pem";
status obsolete;
description
"SSL CA cert for client authentication.
Applies to native http only by config option --with-restconf=evhtp.
Obsolete if CLICON_RESTCONF_CONFIG is true";
This config is moved to clixon-restconf.yang.";
}
leaf CLICON_CLI_DIR {
type string;

13
yang/clixon/clixon-restconf@2020-10-30.yang
View file

@ -83,8 +83,7 @@ module clixon-restconf {
description
"Common operations that can be performed on a service";
}
container restconf {
presence "Enables RESTCONF";
grouping clixon-restconf{
description
"HTTP daemon configuration.";
leaf-list auth-type {
@ -98,24 +97,18 @@ module clixon-restconf {
description
"Path to server certificate file.
Note only applies if socket has ssl enabled";
default "/etc/ssl/private/clixon-server-crt.pem";
/* See CLICON_SSL_SERVER_CERT */
}
leaf server-key-path {
type string;
description
"Path to server key file
Note only applies if socket has ssl enabled";
default "/etc/ssl/private/clixon-server-key.pem";
/* See CLICON_SSL_SERVER_KEY */
}
leaf server-ca-cert-path {
type string;
description
"Path to server CA cert file
Note only applies if socket has ssl enabled";
default "/etc/ssl/certs/clixon-ca_crt.pem";
/* CLICON_SSL_CA_CERT */
}
list socket {
key "namespace address port";
@ -138,6 +131,10 @@ module clixon-restconf {
}
}
}
container restconf {
presence "Enables RESTCONF";
uses clixon-restconf;
}
rpc restconf-control {
input {
leaf operation {