From 1be158b7beb7ed7f812e3580b3e2765c3a4c7392 Mon Sep 17 00:00:00 2001
From: Olof hagsand
Date: Sun, 14 Apr 2024 11:26:11 +0200
Subject: [PATCH] NACM: Improved error message when no username included, and added username
---
 apps/backend/backend_client.c | 2 +-
 apps/cli/cli_common.c | 7 ++++---
 lib/clixon/clixon_nacm.h | 2 +-
 lib/src/clixon_nacm.c | 15 ++++++++++++---
 4 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/apps/backend/backend_client.c b/apps/backend/backend_client.c
index 38c81ae0..9ca339b1 100644
--- a/apps/backend/backend_client.c
+++ b/apps/backend/backend_client.c
@@ -1805,7 +1805,7 @@ from_client_msg(clixon_handle h,
 goto done;
 if (ret == 0){ /* Do NACM RPC validation */
 creds = clicon_nacm_credentials(h);
- if ((ret = verify_nacm_user(h, creds, ce->ce_username, username, cbret)) < 0)
+ if ((ret = verify_nacm_user(h, creds, ce->ce_username, username, rpc, cbret)) < 0)
 goto done;
 if (ret == 0){ /* credentials fail */
 ce->ce_out_rpc_errors++;
diff --git a/apps/cli/cli_common.c b/apps/cli/cli_common.c
index 0edf846b..0fe4b3af 100644
--- a/apps/cli/cli_common.c
+++ b/apps/cli/cli_common.c
@@ -1908,9 +1908,10 @@ cli_process_control(clixon_handle h,
 clixon_err(OE_UNIX, errno, "cbuf_new");
 goto done;
 }
- cprintf(cb, "");
+ cprintf(cb, "",
+ NETCONF_BASE_NAMESPACE,
+ clicon_username_get(h),
+ NETCONF_MESSAGE_ID_ATTR);
 cprintf(cb, "", CLIXON_LIB_NS);
 cprintf(cb, "%s", name);
 cprintf(cb, "%s", opstr);
diff --git a/lib/clixon/clixon_nacm.h b/lib/clixon/clixon_nacm.h
index c4b0b352..651a0221 100644
--- a/lib/clixon/clixon_nacm.h
+++ b/lib/clixon/clixon_nacm.h
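Review bot: The new `rpc` argument is handed to verify_nacm_user, whose prototype in clixon_nacm.h now types it as `char *rpcname` and whose body in lib/src/clixon_nacm.c prints it with `%s`; `rpc` is declared outside this hunk, so confirm it is the RPC element name string and is non-NULL on this path, since a NULL reaching `%s` is undefined behaviour. If it can be unset when verification runs, pass a fallback such as `rpc ? rpc : "unknown"` here or guard inside verify_nacm_user. from_client_msg starts and ends outside the hunk.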
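Review bot: `clicon_username_get(h)` is interpolated directly into the rpc header format call in the cli_common.c hunk (the format literal did not survive rendering on this page, so the attribute text is inferred from the commit subject); if it can return NULL the `%s` conversion is undefined behaviour, and the value is not XML-escaped, so a username containing `"` or `&` would yield a malformed request that the backend rejects. Suggest fetching it first, `char *username = clicon_username_get(h);`, and either omitting the attribute when it is NULL or passing it through an escaping helper before the cprintf. The enclosing cli_process_control starts and ends outside the hunk.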
@@ -63,6 +63,6 @@ int nacm_datanode_write(clixon_handle h, cxobj *xr, cxobj *xt, enum nacm_access access, char *username, cxobj *xnacm, cbuf *cbret); int nacm_access_pre(clixon_handle h, char *peername, char *username, cxobj **xnacmp); -int verify_nacm_user(clixon_handle h, enum nacm_credentials_t cred, char *peername, char *nacmname, cbuf *cbret); +int verify_nacm_user(clixon_handle h, enum nacm_credentials_t cred, char *peername, char *nacmname, char *rpcname, cbuf *cbret); #endif /* _CLIXON_NACM_H */ diff --git a/lib/src/clixon_nacm.c b/lib/src/clixon_nacm.c index 0a9678e1..baa8efdb 100644 --- a/lib/src/clixon_nacm.c +++ b/lib/src/clixon_nacm.c @@ -1099,6 +1099,7 @@ nacm_datanode_read(clixon_handle h, * @param[in] h Clixon handle * @param[in] xnacm NACM XML tree, root should be "nacm" * @param[in] username User name of requestor + * @param[in] peername Peer username if any * @retval 1 OK permitted. You do not need to do next NACM step * @retval 0 OK but not validated. Need to do NACM step using xnacm * @retval -1 Error @@ -1193,6 +1194,7 @@ nacm_access_check(clixon_handle h, * If retval=0 continue with next NACM step, eg rpc, module, * etc. If retval = 1 access is OK and skip next NACM step. * @param[in] h Clixon handle + * @param[in] peername Peer username if any * @param[in] username User name of requestor * @param[out] xncam NACM XML tree, set if retval=0. Free after use * @retval 1 OK permitted. You do not need to do next NACM step. 
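Review bot: The added `@param[in] peername` line in the hunk at 1099 is placed after `username`, whereas the 1193 hunk for nacm_access_pre places it before `username`, matching the prototype order `nacm_access_pre(clixon_handle h, char *peername, char *username, cxobj **xnacmp)` shown in clixon_nacm.h in this same patch; if the function documented at 1099 also takes peername before username (its signature is outside the hunk), move the line up so the Doxygen list follows argument order. The context line `@param[out] xncam` in the 1193 hunk also looks like a typo for the `xnacmp` parameter named in the header and could be corrected to `* @param[out] xnacmp NACM XML tree, set if retval=0. Free after use` while this comment is being touched.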
@@ -1272,12 +1274,13 @@ nacm_access_pre(clixon_handle h,
 goto done;
 }
 
-/*! Verify nacm user with peer uid credentials
+/*! Verify nacm user with peer uid credentials
 *
 * @param[in] h Clixon handle
 * @param[in] mode Peer credential mode: none, exact or except
 * @param[in] peername Peer username if any
- * @param[in] username username received in XML (eg for NACM)
+ * @param[in] nacmname username received in XML (eg for NACM)
+ * @param[in] rpcname Name of incoming rpc
 * @param[out] cbret Set with netconf error message if ret == 0
 * @retval 1 Verified
 * @retval 0 Not verified (cbret set)
@@ -1297,6 +1300,7 @@ verify_nacm_user(clixon_handle h,
 enum nacm_credentials_t cred,
 char *peername,
 char *nacmname,
+ char *rpcname,
 cbuf *cbret)
 {
 int retval = -1;
@@ -1313,7 +1317,12 @@ verify_nacm_user(clixon_handle h,
 goto fail;
 }
 if (nacmname == NULL){
- if (netconf_access_denied(cbret, "application", "No NACM available") < 0)
+ if ((cbmsg = cbuf_new()) == NULL){
+ clixon_err(OE_UNIX, errno, "cbuf_new");
+ goto done;
+ }
+ cprintf(cbmsg, "No NACM username attribute present in incoming RPC: \"%s\"", rpcname);
+ if (netconf_access_denied(cbret, "application", cbuf_get(cbmsg)) < 0)
 goto done;
 goto fail;
 }
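Review bot: `cbmsg` is assigned in the new block of the hunk at 1313, but no declaration or `cbuf_free(cbmsg)` appears anywhere in this patch; unless it is an existing local of verify_nacm_user that is already released at `done:`, the buffer leaks on both the `goto done` and `goto fail` paths and needs `cbuf *cbmsg = NULL;` beside `int retval = -1;` plus a free in the cleanup. The new `cprintf` also passes `rpcname` to `%s` with no NULL check, so a guard like `rpcname ? rpcname : "unknown"` in that call keeps the message well-defined whatever the callers supply. Echoing the RPC name into the access-denied reply looks safe only because it is a parsed XML element name; whether netconf_access_denied escapes the message text is outside this diff. verify_nacm_user continues beyond the hunk, so the `done:` and `fail:` labels are not visible here.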