- Better restconf debug: when restconf debug flag set in datastore, ensure the process is started with -D set

- Fixed native http support for base container - Changed test certs and restconf scripts to functions
2021-04-08 22:40:41 +02:00 · 2021-04-08 22:40:41 +02:00 · 15d01c58d8
commit 15d01c58d8
parent 244060fddc
49 changed files with 539 additions and 103 deletions
--- a/test/config.sh.in
+++ b/test/config.sh.in
@ -72,3 +72,8 @@ CLIXON_CONFIG_REV="2021-03-08"
 CLIXON_RESTCONF_REV="2020-12-30"
 CLIXON_EXAMPLE_REV="2020-12-01"

+# Length of TSL RSA key
+# Problem with small key such as 1024 not allowed in centos8 for example (why is this)
+# Problem with long keys are they take time to generate, eg on ARM
+CERTKEYLEN=2048
+
--- a/test/lib.sh
+++ b/test/lib.sh
@ -202,9 +202,9 @@ function restconf_config()
    PRETTY=$2

    if [ $RCPROTO = http ]; then
-	RESTCONFIG="<restconf><enable>true</enable><auth-type>$AUTH</auth-type><pretty>$PRETTY</pretty><debug>$DBG</debug><socket><namespace>default</namespace><address>0.0.0.0</address><port>80</port><ssl>false</ssl></socket></restconf>"
+	echo "<restconf><enable>true</enable><auth-type>$AUTH</auth-type><pretty>$PRETTY</pretty><debug>$DBG</debug><socket><namespace>default</namespace><address>0.0.0.0</address><port>80</port><ssl>false</ssl></socket></restconf>"
    else
-	RESTCONFIG="<restconf><enable>true</enable><auth-type>$AUTH</auth-type><pretty>$PRETTY</pretty><server-cert-path>/etc/ssl/certs/clixon-server-crt.pem</server-cert-path><server-key-path>/etc/ssl/private/clixon-server-key.pem</server-key-path><server-ca-cert-path>/etc/ssl/certs/clixon-ca-crt.pem</server-ca-cert-path><debug>$DBG</debug><socket><namespace>default</namespace><address>0.0.0.0</address><port>443</port><ssl>true</ssl></socket></restconf>"
+	echo "<restconf><enable>true</enable><auth-type>$AUTH</auth-type><pretty>$PRETTY</pretty><server-cert-path>/etc/ssl/certs/clixon-server-crt.pem</server-cert-path><server-key-path>/etc/ssl/private/clixon-server-key.pem</server-key-path><server-ca-cert-path>/etc/ssl/certs/clixon-ca-crt.pem</server-ca-cert-path><debug>$DBG</debug><socket><namespace>default</namespace><address>0.0.0.0</address><port>443</port><ssl>true</ssl></socket></restconf>"
    fi
 }

@ -707,23 +707,19 @@ function expectmatch(){
    fi
 }

-# Create server certs
+# Create CA certs
 # Output variables set as filenames on entry, set as cert/keys on exit:
 # Vars:
 # 1: cakey   filename
 # 2: cacert  filename
-# 3: srvkey  filename
-# 4: srvcert filename
-function servercerts()
+function cacerts()
 {
-    if [ $# -ne 4 ]; then
-	echo "servercerts function: Expected: cakey cacert srvkey srvcert"
+    if [ $# -ne 2 ]; then
+	echo "cacerts function: Expected: cakey cacert"
 	exit 1
    fi
    cakey=$1
    cacert=$2
-    srvkey=$3
-    srvcert=$4

    tmpdir=$dir/tmpcertdir

@ -765,7 +761,32 @@ challengePassword      = test
 EOF

    # Generate CA cert
-    openssl req -x509 -days 1 -config $tmpdir/ca.cnf -keyout $cakey -out $cacert
+    openssl req -x509 -days 1 -config $tmpdir/ca.cnf -keyout $cakey -out $cacert || err "Generate CA cert"
+
+    rm -rf $tmpdir
+}
+
+# Create server certs
+# Output variables set as filenames on entry, set as cert/keys on exit:
+# Vars:
+# 1: cakey   filename (input)
+# 2: cacert  filename (input)
+# 3: srvkey  filename (output)
+# 4: srvcert filename (output)
+function servercerts()
+{
+    if [ $# -ne 4 ]; then
+	echo "servercerts function: Expected: cakey cacert srvkey srvcert"
+	exit 1
+    fi
+    cakey=$1
+    cacert=$2
+    srvkey=$3
+    srvcert=$4
+
+    tmpdir=$dir/tmpcertdir
+
+    test -d $tmpdir || mkdir $tmpdir

    cat<<EOF > $tmpdir/srv.cnf
 [req]
@ -783,13 +804,13 @@ subjectAltName = DNS:clicon.org
 EOF

    # Generate server key
-    openssl genrsa -out $srvkey ${CERTKEYLEN}
+    openssl genrsa -out $srvkey ${CERTKEYLEN}  || err "Generate server key"

    # Generate CSR (signing request)
-    openssl req -new -config $tmpdir/srv.cnf -key $srvkey -out $tmpdir/srv_csr.pem
+    openssl req -new -config $tmpdir/srv.cnf -key $srvkey -out $tmpdir/srv_csr.pem || err "Generate signing request"

    # Sign server cert by CA
-    openssl x509 -req -extfile $tmpdir/srv.cnf -days 1 -passin "pass:password" -in $tmpdir/srv_csr.pem -CA $cacert -CAkey $cakey -CAcreateserial -out $srvcert
+    openssl x509 -req -extfile $tmpdir/srv.cnf -days 1 -passin "pass:password" -in $tmpdir/srv_csr.pem -CA $cacert -CAkey $cakey -CAcreateserial -out $srvcert || err "Sign server cert"

    rm -rf $tmpdir
 }
--- a/test/long.sh
+++ b/test/long.sh
@ -22,7 +22,7 @@ fyang=$dir/scaling.yang
 fconfig=$dir/large.xml

 # Define default restconfig config: RESTCONFIG
-restconf_config none false
+RESTCONFIG=$(restconf_config none false)

 cat <<EOF > $fyang
 module scaling{
--- a/test/site.sh
+++ b/test/site.sh
@ -29,7 +29,4 @@ IPv6=true
 # start
 NGINXCHECK=true

-# Lenght of TSL RSA key
-# Problem with small key such as 1024 not allowed in centos8 for example (why is this)
-# Problem with long keys are they take time to generate, eg on ARM
-CERTKEYLEN=2048
+
--- a/test/test_api.sh
+++ b/test/test_api.sh
@ -25,7 +25,7 @@ if [ ! -d $pdir ]; then
 fi

 # Define default restconfig config: RESTCONFIG
-restconf_config none false
+RESTCONFIG=$(restconf_config none false)

 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
--- a/test/test_augment.sh
+++ b/test/test_augment.sh
@ -24,7 +24,7 @@ fyang=$dir/main.yang
 fyang2=$dir/ietf-interfaces@2019-03-04.yang

 # Define default restconfig config: RESTCONFIG
-restconf_config none false
+RESTCONFIG=$(restconf_config none false)

 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
--- a/test/test_choice.sh
+++ b/test/test_choice.sh
@ -15,7 +15,7 @@ cfg=$dir/choice.xml
 fyang=$dir/type.yang

 # Define default restconfig config: RESTCONFIG
-restconf_config none false
+RESTCONFIG=$(restconf_config none false)

 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
--- a/test/test_client.sh
+++ b/test/test_client.sh
@ -22,7 +22,7 @@ if [ ! -d $pdir ]; then
 fi

 # Define default restconfig config: RESTCONFIG
-restconf_config none false
+RESTCONFIG=$(restconf_config none false)

 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
--- a/test/test_copy_config.sh
+++ b/test/test_copy_config.sh
@ -30,7 +30,7 @@ cfg=$dir/conf_yang.xml
 # Use yang in example

 # Define default restconfig config: RESTCONFIG
-restconf_config none true
+RESTCONFIG=$(restconf_config none true)

 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
--- a/test/test_identity.sh
+++ b/test/test_identity.sh
@ -11,7 +11,7 @@ cfg=$dir/conf_yang.xml
 fyang=$dir/example-my-crypto.yang

 # Define default restconfig config: RESTCONFIG
-restconf_config none false
+RESTCONFIG=$(restconf_config none false)

 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
--- a/test/test_nacm.sh
+++ b/test/test_nacm.sh
@ -18,7 +18,7 @@ cfg=$dir/conf_yang.xml
 fyang=$dir/nacm-example.yang

 # Define default restconfig config: RESTCONFIG
-restconf_config user false
+RESTCONFIG=$(restconf_config user false)

 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
--- a/test/test_nacm_datanode.sh
+++ b/test/test_nacm_datanode.sh
@ -46,7 +46,7 @@ fyang=$dir/nacm-example.yang
 fyang2=$dir/itf.yang

 # Define default restconfig config: RESTCONFIG
-restconf_config user false
+RESTCONFIG=$(restconf_config user false)

 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
--- a/test/test_nacm_datanode_paths.sh
+++ b/test/test_nacm_datanode_paths.sh
@ -18,7 +18,7 @@ cfg=$dir/conf_yang.xml
 fyang=$dir/nacm-example.yang

 # Define default restconfig config: RESTCONFIG
-restconf_config user false
+RESTCONFIG=$(restconf_config user false)

 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
--- a/test/test_nacm_datanode_read.sh
+++ b/test/test_nacm_datanode_read.sh
@ -26,7 +26,7 @@ fyang=$dir/nacm-example.yang
 fyang2=$dir/nacm-example2.yang

 # Define default restconfig config: RESTCONFIG
-restconf_config user false
+RESTCONFIG=$(restconf_config user false)

 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
--- a/test/test_nacm_datanode_write.sh
+++ b/test/test_nacm_datanode_write.sh
@ -18,7 +18,7 @@ cfg=$dir/conf_yang.xml
 fyang=$dir/nacm-example.yang

 # Define default restconfig config: RESTCONFIG
-restconf_config user false
+RESTCONFIG=$(restconf_config user false)

 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
--- a/test/test_nacm_default.sh
+++ b/test/test_nacm_default.sh
@ -14,7 +14,7 @@ fyang=$dir/nacm-example.yang
 : ${format:=xml}

 # Define default restconfig config: RESTCONFIG
-restconf_config user false
+RESTCONFIG=$(restconf_config user false)

 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
--- a/test/test_nacm_ext.sh
+++ b/test/test_nacm_ext.sh
@ -16,7 +16,7 @@ fyang=$dir/nacm-example.yang
 nacmfile=$dir/nacmfile

 # Define default restconfig config: RESTCONFIG
-restconf_config user false
+RESTCONFIG=$(restconf_config user false)

 # Note filter out example_backend_nacm.so in CLICON_BACKEND_REGEXP below
 cat <<EOF > $cfg
--- a/test/test_nacm_module_read.sh
+++ b/test/test_nacm_module_read.sh
@ -19,7 +19,7 @@ cfg=$dir/conf_yang.xml
 fyang=$dir/nacm-example.yang

 # Define default restconfig config: RESTCONFIG
-restconf_config user false
+RESTCONFIG=$(restconf_config user false)

 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
--- a/test/test_nacm_module_write.sh
+++ b/test/test_nacm_module_write.sh
@ -32,7 +32,7 @@ cfg=$dir/conf_yang.xml
 fyang=$dir/nacm-example.yang

 # Define default restconfig config: RESTCONFIG
-restconf_config user false
+RESTCONFIG=$(restconf_config user false)

 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
--- a/test/test_nacm_protocol.sh
+++ b/test/test_nacm_protocol.sh
@ -35,7 +35,7 @@ cfg=$dir/conf_yang.xml
 fyang=$dir/nacm-example.yang

 # Define default restconfig config: RESTCONFIG
-restconf_config user false
+RESTCONFIG=$(restconf_config user false)

 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
--- a/test/test_nacm_recovery.sh
+++ b/test/test_nacm_recovery.sh
@ -21,7 +21,7 @@ fyang=$dir/nacm-example.yang
 # cred:none, exact, except

 # Define default restconfig config: RESTCONFIG
-restconf_config user false
+RESTCONFIG=$(restconf_config user false)

 cat <<EOF > $fyang
 module nacm-example{
--- a/test/test_perf_restconf.sh
+++ b/test/test_perf_restconf.sh
@ -53,7 +53,7 @@ module scaling{
 EOF

 # Define default restconfig config: RESTCONFIG
-restconf_config none false
+RESTCONFIG=$(restconf_config none false)

 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
--- a/test/test_perf_state.sh
+++ b/test/test_perf_state.sh
@ -30,7 +30,7 @@ fconfig=$dir/large.xml
 fstate=$dir/state.xml

 # Define default restconfig config: RESTCONFIG
-restconf_config none false
+RESTCONFIG=$(restconf_config none false)

 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
--- a/test/test_perf_state_only.sh
+++ b/test/test_perf_state_only.sh
@ -30,7 +30,7 @@ fconfig=$dir/large.xml
 fstate=$dir/state.xml

 # Define default restconfig config: RESTCONFIG
-restconf_config none false
+RESTCONFIG=$(restconf_config none false)

 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
--- a/test/test_restconf.sh
+++ b/test/test_restconf.sh
@ -49,10 +49,11 @@ if [ "${WITH_RESTCONF}" = "native" ]; then
    cacert=$certdir/ca_cert.pem
    test -d $certdir || mkdir $certdir
    # Create server certs and CA
+    cacerts $cakey $cacert
    servercerts $cakey $cacert $srvkey $srvcert
 else
    # Define default restconfig config: RESTCONFIG
-    restconf_config none false
+    RESTCONFIG=$(restconf_config none false)
 fi

 # This is a fixed 'state' implemented in routing_backend. It is assumed to be always there
--- a/test/test_restconf2.sh
+++ b/test/test_restconf2.sh
@ -13,7 +13,7 @@ cfg=$dir/conf.xml
 fyang=$dir/restconf.yang

 # Define default restconfig config: RESTCONFIG
-restconf_config none false
+RESTCONFIG=$(restconf_config none false)

 #  <CLICON_YANG_MODULE_MAIN>example</CLICON_YANG_MODULE_MAIN>
 cat <<EOF > $cfg
--- a/test/test_restconf_basic_auth.sh
+++ b/test/test_restconf_basic_auth.sh
@ -193,7 +193,7 @@ function testrun()
 #    echo "expectmsg:$expectmsg"
    
    # Change restconf configuration before start restconf daemon
-    restconf_config $auth false
+    RESTCONFIG=$(restconf_config $auth false)

    # Start with common config, then append fcgi/native specific config
    cat <<EOF > $cfg
--- a/test/test_restconf_err.sh
+++ b/test/test_restconf_err.sh
@ -31,7 +31,7 @@ fxml=$dir/initial.xml
 fstate=$dir/state.xml

 # Define default restconfig config: RESTCONFIG
-restconf_config none false
+RESTCONFIG=$(restconf_config none false)

 #  <CLICON_YANG_MODULE_MAIN>example</CLICON_YANG_MODULE_MAIN>
 cat <<EOF > $cfg
--- a/test/test_restconf_jukebox.sh
+++ b/test/test_restconf_jukebox.sh
@ -24,7 +24,7 @@ cat <<EOF > $dir/example-system.yang
 EOF

 # Define default restconfig config: RESTCONFIG
-restconf_config none false
+RESTCONFIG=$(restconf_config none false)

 #  <CLICON_YANG_MODULE_MAIN>example</CLICON_YANG_MODULE_MAIN>
 cat <<EOF > $cfg
--- a/test/test_restconf_listkey.sh
+++ b/test/test_restconf_listkey.sh
@ -11,7 +11,7 @@ cfg=$dir/conf.xml
 fyang=$dir/list.yang

 # Define default restconfig config: RESTCONFIG
-restconf_config none false
+RESTCONFIG=$(restconf_config none false)

 #  <CLICON_YANG_MODULE_MAIN>example</CLICON_YANG_MODULE_MAIN>
 cat <<EOF > $cfg
--- a/test/test_restconf_netns.sh
+++ b/test/test_restconf_netns.sh
@ -44,6 +44,7 @@ cacert=$certdir/ca_cert.pem
 test -d $certdir || mkdir $certdir

 # Create server certs and CA
+cacerts $cakey $cacert
 servercerts $cakey $cacert $srvkey $srvcert

 # XXX Note default port need to be 80 for wait_restconf to work
--- a/test/test_restconf_notifications.sh
+++ b/test/test_restconf_notifications.sh
@ -43,7 +43,7 @@ fyang=$dir/stream.yang
 xml=$dir/xml.xml

 # Define default restconfig config: RESTCONFIG
-restconf_config none false
+RESTCONFIG=$(restconf_config none false)

 #  <CLICON_YANG_MODULE_MAIN>example</CLICON_YANG_MODULE_MAIN>
 cat <<EOF > $cfg
--- a/test/test_restconf_patch.sh
+++ b/test/test_restconf_patch.sh
@ -13,7 +13,7 @@ startupdb=$dir/startup_db
 fjukebox=$dir/example-jukebox.yang

 # Define default restconfig config: RESTCONFIG
-restconf_config user false
+RESTCONFIG=$(restconf_config user false)

 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
--- a/test/test_restconf_rpc.sh
+++ b/test/test_restconf_rpc.sh
@ -20,7 +20,7 @@ cfg=$dir/conf.xml
 startupdb=$dir/startup_db

 # Define default restconfig config: RESTCONFIG
-restconf_config none false
+RESTCONFIG=$(restconf_config none false)

 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
--- a/test/test_restconf_rpc2.sh
+++ b/test/test_restconf_rpc2.sh
@ -0,0 +1,262 @@
+#!/usr/bin/env bash
+# Send restconf rpc:s when starting from backend
+# Two specific usecases that have been problematic are tested here
+# In comparison test_restconf_rpc.sh:
+# - uses externally started restconf, here started by backend
+# - generic tests, here specific
+# The first usecases is:
+#   1. Start a minimal restconf
+#   2. Kill it externally (or it exits)
+#   3. Start a server
+#   4. Query status (Error message is returned)
+# The second usecase is
+#   1. Start server with bad address
+#   2. Zombie process appears
+
+# Magic line must be first in script (see README.md)
+s="$_" ; . ./lib.sh || if [ "$s" = $0 ]; then exit 0; else return 0; fi
+
+APPNAME=example
+
+cfg=$dir/conf.xml
+startupdb=$dir/startup_db
+
+# Restconf debug
+RESTCONFDBG=0
+
+cat <<EOF > $cfg
+<clixon-config xmlns="http://clicon.org/config">
+  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
+  <CLICON_FEATURE>ietf-netconf:startup</CLICON_FEATURE>
+  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
+  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
+  <CLICON_YANG_DIR>$IETFRFC</CLICON_YANG_DIR>
+  <CLICON_YANG_MAIN_DIR>$dir</CLICON_YANG_MAIN_DIR>
+  <CLICON_CLISPEC_DIR>/usr/local/lib/$APPNAME/clispec</CLICON_CLISPEC_DIR>
+  <CLICON_BACKEND_DIR>/usr/local/lib/$APPNAME/backend</CLICON_BACKEND_DIR>
+  <CLICON_BACKEND_REGEXP>example_backend.so$</CLICON_BACKEND_REGEXP>
+  <CLICON_RESTCONF_DIR>/usr/local/lib/$APPNAME/restconf</CLICON_RESTCONF_DIR>
+  <CLICON_CLI_DIR>/usr/local/lib/$APPNAME/cli</CLICON_CLI_DIR>
+  <CLICON_CLI_MODE>$APPNAME</CLICON_CLI_MODE>
+  <CLICON_SOCK>/usr/local/var/$APPNAME/$APPNAME.sock</CLICON_SOCK>
+  <CLICON_BACKEND_PIDFILE>/usr/local/var/$APPNAME/$APPNAME.pidfile</CLICON_BACKEND_PIDFILE>
+  <CLICON_XMLDB_DIR>$dir</CLICON_XMLDB_DIR>
+  <CLICON_MODULE_LIBRARY_RFC7895>true</CLICON_MODULE_LIBRARY_RFC7895>
+  <!-- start restconf from backend -->
+  <CLICON_BACKEND_RESTCONF_PROCESS>true</CLICON_BACKEND_RESTCONF_PROCESS>
+</clixon-config>
+EOF
+
+cat <<EOF > $dir/example.yang
+module example {
+   namespace "urn:example:clixon";
+   prefix ex;
+   revision 2021-03-05;
+   leaf val{
+      type string;
+   }
+}
+EOF
+
+
+function testrpc()
+{
+    operation=$1
+    expectret=$2
+    
+    sleep $DEMSLEEP
+    new "send rpc $operation"
+    ret=$($clixon_netconf -qf $cfg<<EOF
+$DEFAULTHELLO
+<rpc $DEFAULTNS>
+  <process-control xmlns="http://clicon.org/lib">
+    <name>restconf</name>
+    <operation>$operation</operation>
+  </process-control>
+</rpc>]]>]]>
+EOF
+)
+
+    >&2 echo "ret:$ret" # debug
+
+    expect1="<pid xmlns=\"http://clicon.org/lib\">[0-9]*</pid>"
+    match=$(echo "$ret" | grep --null -Go "$expect1")
+#    >&2 echo "match:$match" # debug
+    if [ -z "$match" ]; then
+	pid=0
+    else
+	pid=$(echo "$match" | awk -F'[<>]' '{print $3}')
+    fi
+    >&2 echo "pid:$pid" # debug
+
+    if [ -z "$pid" ]; then
+	err "Running process" "$ret"
+    fi
+
+    new "check restconf retvalue"
+    if [ $operation = "status" ]; then
+	if [ $expectret -eq 0 ]; then
+	    if [ $pid -ne 0 ]; then
+		err "No process" "$pid"
+	    fi
+	else
+	    if [ $pid -eq 0 ]; then
+		err "Running process"
+	    fi
+	fi
+	echo "$pid" # cant use return that only uses 0-255
+    fi
+    sleep $DEMSLEEP
+}
+
+new "kill old restconf"
+stop_restconf_pre
+
+new "test params: -f $cfg"
+if [ $BE -ne 0 ]; then
+    new "kill old backend"
+    sudo clixon_backend -z -f $cfg
+    if [ $? -ne 0 ]; then
+	err
+    fi
+
+    new "start backend -s init -f $cfg"
+    start_backend -s init -f $cfg
+fi
+new "wait backend"
+wait_backend
+
+RESTCONFIG1=$(cat <<EOF
+<restconf xmlns="http://clicon.org/restconf">
+   <enable>true</enable>
+   <debug>$RESTCONFDBG</debug>
+</restconf>
+EOF
+)
+
+LIBNS='xmlns="http://clicon.org/lib"'
+
+new "get status 1"
+expecteof "$clixon_netconf -qf $cfg" 0 "$DEFAULTHELLO<rpc $DEFAULTNS><process-control xmlns=\"http://clicon.org/lib\"><name>restconf</name><operation>status</operation></process-control></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><active $LIBNS>false</active><description $LIBNS>Clixon RESTCONF process</description><command $LIBNS>/www-data/clixon_restconf -f $cfg -D $RESTCONFDBG</command></rpc-reply>]]>]]>$"
+
+new "enable minimal restconf, no server"
+expecteof "$clixon_netconf -qf $cfg" 0 "$DEFAULTHELLO<rpc $DEFAULTNS><edit-config><target><candidate/></target><config>$RESTCONFIG1</config></edit-config></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
+
+new "netconf commit"
+expecteof "$clixon_netconf -qf $cfg" 0 "$DEFAULTHELLO<rpc $DEFAULTNS><commit/></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
+
+# Get pid2
+pid2=$(testrpc status 1)
+echo "pid:$pid2"
+
+new "get status 2"
+ret=$($clixon_netconf -qf $cfg<<EOF
+$DEFAULTHELLO
+<rpc $DEFAULTNS>
+  <process-control xmlns="http://clicon.org/lib">
+    <name>restconf</name>
+    <operation>status</operation>
+  </process-control>
+</rpc>]]>]]>
+EOF
+)
+expect="^<rpc-reply $DEFAULTNS><active $LIBNS>true</active><description $LIBNS>Clixon RESTCONF process</description><pid $LIBNS>$pid2</pid><command $LIBNS>/www-data/clixon_restconf -f $cfg -D $RESTCONFDBG</command><starttime $LIBNS>20[0-9][0-9]\-[0-9][0-9]\-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]*Z</starttime>"
+match=$(echo "$ret" | grep --null -Go "$expect")
+if [ -z "$match" ]; then
+    err "$expect" "$ret"
+fi
+
+# Kill it
+sudo kill $pid2
+sleep $DEMSLEEP
+
+# Ensure no pid
+pid2=$(testrpc status 0)
+
+RESTCONFIG2=$(cat <<EOF
+<restconf xmlns="http://clicon.org/restconf">
+   <socket><namespace>default</namespace><address>0.0.0.0</address><port>80</port><ssl>false</ssl></socket>
+</restconf>
+EOF
+)
+new "create a server"
+expecteof "$clixon_netconf -qf $cfg" 0 "$DEFAULTHELLO<rpc $DEFAULTNS><edit-config><target><candidate/></target><config>$RESTCONFIG2</config></edit-config></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
+
+new "netconf commit"
+expecteof "$clixon_netconf -qf $cfg" 0 "$DEFAULTHELLO<rpc $DEFAULTNS><commit/></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
+
+# 3. get status
+
+new "get status 3"
+expecteof "$clixon_netconf -qf $cfg" 0 "$DEFAULTHELLO<rpc $DEFAULTNS><process-control xmlns=\"http://clicon.org/lib\"><name>restconf</name><operation>status</operation></process-control></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><active $LIBNS>true</active><description $LIBNS>Clixon RESTCONF process</description><pid $LIBNS>"
+
+if [ $BE -ne 0 ]; then
+    new "Kill backend"
+    # Check if premature kill
+    pid=$(pgrep -u root -f clixon_backend)
+    if [ -z "$pid" ]; then
+	err "backend already dead"
+    fi
+    # kill backend
+    stop_backend -f $cfg
+fi
+
+sleep $DEMSLEEP # Lots of processes need to die before next test
+
+new "kill old restconf"
+stop_restconf_pre
+
+new "test params: -f $cfg"
+if [ $BE -ne 0 ]; then
+    new "kill old backend"
+    sudo clixon_backend -z -f $cfg
+    if [ $? -ne 0 ]; then
+	err
+    fi
+
+    new "start backend -s init -f $cfg"
+    start_backend -s init -f $cfg
+fi
+new "wait backend"
+wait_backend
+
+new "get status 1"
+testrpc status 0
+
+RESTCONFIG1=$(cat <<EOF
+<restconf xmlns="http://clicon.org/restconf">
+   <enable>true</enable>
+   <debug>$RESTCONFDBG</debug>
+   <auth-type>none</auth-type>
+   <server-cert-path>$srvcert</server-cert-path>
+   <server-key-path>$srvkey</server-key-path>
+   <server-ca-cert-path>$cakey</server-ca-cert-path>
+   <pretty>false</pretty>
+   <socket><namespace>default</namespace><address>221.0.0.1</address><port>80</port><ssl>false</ssl></socket>
+</restconf>
+EOF
+)
+
+new "Create server with invalid address"
+expecteof "$clixon_netconf -qf $cfg" 0 "$DEFAULTHELLO<rpc $DEFAULTNS><edit-config><target><candidate/></target><config>$RESTCONFIG1</config></edit-config></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
+
+new "netconf commit"
+expecteof "$clixon_netconf -qf $cfg" 0 "$DEFAULTHELLO<rpc $DEFAULTNS><commit/></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
+
+sleep $DEMSLEEP
+new "Check zombies"
+ret=$(ps aux|grep defunc | grep -v grep)
+if [ -n "$ret" ]; then
+    err "No zombie process" "$ret"
+fi
+
+new "endtest"
+endtest
+
+# Set by restconf_config
+unset RESTCONFIG1
+unset RESTCONFIG2
+unset RESTCONFDBG
+
+rm -rf $dir
+
--- a/test/test_restconf_ssl_certs.sh
+++ b/test/test_restconf_ssl_certs.sh
@ -25,15 +25,19 @@ cfg=$dir/conf.xml

 # Local for test here
 certdir=$dir/certs
+cakey=$certdir/ca_key.pem
+cacert=$certdir/ca_cert.pem
 srvkey=$certdir/srv_key.pem
 srvcert=$certdir/srv_cert.pem
-cakey=$certdir/ca_key.pem # needed?

-cacert=$certdir/ca_cert.pem
+# These is another CA (invalid) for creating invalid client certs
+xcakey=$certdir/xca_key.pem
+xcacert=$certdir/xca_cert.pem

 users="andy guest" # generate certs for some users in nacm.sh

-xusers="limited"   # Set invalid cert
+x1users="limited"   # Set invalid cert
+x2users="invalid"   # Wrong CA

 # Whether to generate new keys or not (only if $dir is not removed)
 # Here dont generate keys if restconf started stand-alone (RC=0)
@ -93,10 +97,14 @@ EOF

 if $genkeys; then
    # Create server certs
+    cacerts $cakey $cacert
    servercerts $cakey $cacert $srvkey $srvcert

+    # Other (invalid)
+    cacerts $xcakey $xcacert
+    
    # create client certs
-    for name in $users $xusers; do
+    for name in $users $x1users; do
 	cat<<EOF > $dir/$name.cnf
 [req]
 prompt = no
@ -119,9 +127,33 @@ EOF
    done # client key

    # invalid (days = 0)
-    for name in $xusers; do
+    for name in $x1users; do
 	openssl x509 -req -extfile $dir/$name.cnf -days 0 -passin "pass:password" -in $certdir/$name.csr -CA $cacert -CAkey $cakey -CAcreateserial -out $certdir/$name.crt
    done # invalid
+
+        # create client certs from invalid CA
+    for name in $x2users; do
+	cat<<EOF > $dir/$name.cnf
+[req]
+prompt = no
+distinguished_name = dn
+[dn]
+CN = $name # This can be verified using SSL_set1_host
+emailAddress = $name@foo.bar
+O = Clixon
+L = Stockholm
+C = SE
+EOF
+	# Create client key
+	openssl genrsa -out "$certdir/$name.key" 2048
+
+	# Generate CSR (signing request)
+	openssl req -new -config $dir/$name.cnf -key $certdir/$name.key -out $certdir/$name.csr
+
+	# Sign by CA
+	openssl x509 -req -extfile $dir/$name.cnf -days 1 -passin "pass:password" -in $certdir/$name.csr -CA $xcacert -CAkey $xcakey -CAcreateserial -out $certdir/$name.crt
+    done # client key
+
 fi # genkeys

 # Write local config
@ -222,6 +254,9 @@ EOF
    new "limited invalid cert"
    expectpart "$(curl $CURLOPTS --key $certdir/limited.key --cert $certdir/limited.crt -X GET $RCPROTO://localhost/restconf/data/example:x 2>&1)" "35 55 56" # 55 "certificate expired"

+    new "invalid cert from wrong CA"
+    expectpart "$(curl $CURLOPTS --key $certdir/invalid.key --cert $certdir/limited.crt -X GET $RCPROTO://localhost/restconf/data/example:x 2>&1)" 58 "unable to set private key file" # 58 unable to set private key file
+
    # Just ensure all is OK
    new "admin get x 42"
    expectpart "$(curl $CURLOPTS --key $certdir/andy.key --cert $certdir/andy.crt -X GET $RCPROTO://localhost/restconf/data/example:x)" 0 "HTTP/1.1 200 OK" '{"example:x":42}'
--- a/test/test_restconf_startup.sh
+++ b/test/test_restconf_startup.sh
@ -35,7 +35,7 @@ EOF
 # Use yang in example

 # Define default restconfig config: RESTCONFIG
-restconf_config none true
+RESTCONFIG=$(restconf_config none true)

 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
--- a/test/test_rpc.sh
+++ b/test/test_rpc.sh
@ -14,7 +14,7 @@ APPNAME=example
 cfg=$dir/conf.xml

 # Define default restconfig config: RESTCONFIG
-restconf_config none false
+RESTCONFIG=$(restconf_config none false)

 # Use yang in example
 cat <<EOF > $cfg
--- a/test/test_submodule.sh
+++ b/test/test_submodule.sh
@ -28,7 +28,7 @@ fextra1=$dir/extra1.yang     # Referenced from sub1
 fextra2=$dir/extra2.yang     # Referenced from sub2

 # Define default restconfig config: RESTCONFIG
-restconf_config none false
+RESTCONFIG=$(restconf_config none false)

 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
--- a/test/test_yang_anydata.sh
+++ b/test/test_yang_anydata.sh
@ -22,7 +22,7 @@ funknown=$dir/yang/unknown.yang
 fstate=$dir/state.xml

 # Define default restconfig config: RESTCONFIG
-restconf_config none false
+RESTCONFIG=$(restconf_config none false)

 cat <<EOF > $fanydata
 module any{
--- a/test/test_yang_namespace.sh
+++ b/test/test_yang_namespace.sh
@ -14,7 +14,7 @@ fyang1=$dir/example1.yang
 fyang2=$dir/example2.yang

 # Define default restconfig config: RESTCONFIG
-restconf_config none false
+RESTCONFIG=$(restconf_config none false)

 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">