NACM: Improved error message when no username included, and added username
This commit is contained in:
parent
87e49ca37a
commit
1be158b7be
4 changed files with 18 additions and 8 deletions
|
|
@ -1805,7 +1805,7 @@ from_client_msg(clixon_handle h,
|
||||||
goto done;
|
goto done;
|
||||||
if (ret == 0){ /* Do NACM RPC validation */
|
if (ret == 0){ /* Do NACM RPC validation */
|
||||||
creds = clicon_nacm_credentials(h);
|
creds = clicon_nacm_credentials(h);
|
||||||
if ((ret = verify_nacm_user(h, creds, ce->ce_username, username, cbret)) < 0)
|
if ((ret = verify_nacm_user(h, creds, ce->ce_username, username, rpc, cbret)) < 0)
|
||||||
goto done;
|
goto done;
|
||||||
if (ret == 0){ /* credentials fail */
|
if (ret == 0){ /* credentials fail */
|
||||||
ce->ce_out_rpc_errors++;
|
ce->ce_out_rpc_errors++;
|
||||||
|
|
|
||||||
|
|
@ -1908,9 +1908,10 @@ cli_process_control(clixon_handle h,
|
||||||
clixon_err(OE_UNIX, errno, "cbuf_new");
|
clixon_err(OE_UNIX, errno, "cbuf_new");
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
cprintf(cb, "<rpc xmlns=\"%s\"", NETCONF_BASE_NAMESPACE);
|
cprintf(cb, "<rpc xmlns=\"%s\" username=\"%s\" %s>",
|
||||||
cprintf(cb, " %s", NETCONF_MESSAGE_ID_ATTR);
|
NETCONF_BASE_NAMESPACE,
|
||||||
cprintf(cb, ">");
|
clicon_username_get(h),
|
||||||
|
NETCONF_MESSAGE_ID_ATTR);
|
||||||
cprintf(cb, "<process-control xmlns=\"%s\">", CLIXON_LIB_NS);
|
cprintf(cb, "<process-control xmlns=\"%s\">", CLIXON_LIB_NS);
|
||||||
cprintf(cb, "<name>%s</name>", name);
|
cprintf(cb, "<name>%s</name>", name);
|
||||||
cprintf(cb, "<operation>%s</operation>", opstr);
|
cprintf(cb, "<operation>%s</operation>", opstr);
|
||||||
|
|
|
||||||
|
|
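Review bot: The merged `cprintf(cb, "<rpc xmlns=\"%s\" username=\"%s\" %s>", ...)` call hands `clicon_username_get(h)` straight to `%s`; if no username is configured it presumably returns NULL, which is undefined behaviour for printf-style formatting (glibc happens to print "(null)"), whereas the old three-call form emitted no username attribute at all in that case. The value is also written into an XML attribute verbatim, so a username containing `"`, `&` or `<` yields a malformed rpc element; it should be escaped as an attribute value before being embedded. I would keep the attribute optional and build the element in steps, as below. cli_process_control starts and ends outside the hunk.
```c
cprintf(cb, "<rpc xmlns=\"%s\"", NETCONF_BASE_NAMESPACE);
char *user = clicon_username_get(h);
if (user != NULL)
    cprintf(cb, " username=\"%s\"", user); /* escape as an XML attribute value if user may contain " & < */
cprintf(cb, " %s>", NETCONF_MESSAGE_ID_ATTR);
/* … unchanged: process-control element … */
```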
@ -63,6 +63,6 @@ int nacm_datanode_write(clixon_handle h, cxobj *xr, cxobj *xt,
|
||||||
enum nacm_access access,
|
enum nacm_access access,
|
||||||
char *username, cxobj *xnacm, cbuf *cbret);
|
char *username, cxobj *xnacm, cbuf *cbret);
|
||||||
int nacm_access_pre(clixon_handle h, char *peername, char *username, cxobj **xnacmp);
|
int nacm_access_pre(clixon_handle h, char *peername, char *username, cxobj **xnacmp);
|
||||||
int verify_nacm_user(clixon_handle h, enum nacm_credentials_t cred, char *peername, char *nacmname, cbuf *cbret);
|
int verify_nacm_user(clixon_handle h, enum nacm_credentials_t cred, char *peername, char *nacmname, char *rpcname, cbuf *cbret);
|
||||||
|
|
||||||
#endif /* _CLIXON_NACM_H */
|
#endif /* _CLIXON_NACM_H */
|
||||||
|
|
|
||||||
|
|
@ -1099,6 +1099,7 @@ nacm_datanode_read(clixon_handle h,
|
||||||
* @param[in] h Clixon handle
|
* @param[in] h Clixon handle
|
||||||
* @param[in] xnacm NACM XML tree, root should be "nacm"
|
* @param[in] xnacm NACM XML tree, root should be "nacm"
|
||||||
* @param[in] username User name of requestor
|
* @param[in] username User name of requestor
|
||||||
|
* @param[in] peername Peer username if any
|
||||||
* @retval 1 OK permitted. You do not need to do next NACM step
|
* @retval 1 OK permitted. You do not need to do next NACM step
|
||||||
* @retval 0 OK but not validated. Need to do NACM step using xnacm
|
* @retval 0 OK but not validated. Need to do NACM step using xnacm
|
||||||
* @retval -1 Error
|
* @retval -1 Error
|
||||||
|
|
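Review bot: The added `* @param[in] peername Peer username if any` line is placed after `username` here, while the hunk at -1193 inserts the same line before `username`; Doxygen parameter order should follow each function's signature (the header hunk shows nacm_access_pre taking peername before username), so confirm the placement against the signature of the function this comment documents, which is outside the hunk.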
@ -1193,6 +1194,7 @@ nacm_access_check(clixon_handle h,
|
||||||
* If retval=0 continue with next NACM step, eg rpc, module,
|
* If retval=0 continue with next NACM step, eg rpc, module,
|
||||||
* etc. If retval = 1 access is OK and skip next NACM step.
|
* etc. If retval = 1 access is OK and skip next NACM step.
|
||||||
* @param[in] h Clixon handle
|
* @param[in] h Clixon handle
|
||||||
|
* @param[in] peername Peer username if any
|
||||||
* @param[in] username User name of requestor
|
* @param[in] username User name of requestor
|
||||||
* @param[out] xncam NACM XML tree, set if retval=0. Free after use
|
* @param[out] xncam NACM XML tree, set if retval=0. Free after use
|
||||||
* @retval 1 OK permitted. You do not need to do next NACM step.
|
* @retval 1 OK permitted. You do not need to do next NACM step.
|
||||||
|
|
@ -1277,7 +1279,8 @@ nacm_access_pre(clixon_handle h,
|
||||||
* @param[in] h Clixon handle
|
* @param[in] h Clixon handle
|
||||||
* @param[in] mode Peer credential mode: none, exact or except
|
* @param[in] mode Peer credential mode: none, exact or except
|
||||||
* @param[in] peername Peer username if any
|
* @param[in] peername Peer username if any
|
||||||
* @param[in] username username received in XML (eg for NACM)
|
* @param[in] nacmname username received in XML (eg for NACM)
|
||||||
|
* @param[in] rpcname Name of incoming rpc
|
||||||
* @param[out] cbret Set with netconf error message if ret == 0
|
* @param[out] cbret Set with netconf error message if ret == 0
|
||||||
* @retval 1 Verified
|
* @retval 1 Verified
|
||||||
* @retval 0 Not verified (cbret set)
|
* @retval 0 Not verified (cbret set)
|
||||||
|
|
@ -1297,6 +1300,7 @@ verify_nacm_user(clixon_handle h,
|
||||||
enum nacm_credentials_t cred,
|
enum nacm_credentials_t cred,
|
||||||
char *peername,
|
char *peername,
|
||||||
char *nacmname,
|
char *nacmname,
|
||||||
|
char *rpcname,
|
||||||
cbuf *cbret)
|
cbuf *cbret)
|
||||||
{
|
{
|
||||||
int retval = -1;
|
int retval = -1;
|
||||||
|
|
@ -1313,7 +1317,12 @@ verify_nacm_user(clixon_handle h,
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
if (nacmname == NULL){
|
if (nacmname == NULL){
|
||||||
if (netconf_access_denied(cbret, "application", "No NACM available") < 0)
|
if ((cbmsg = cbuf_new()) == NULL){
|
||||||
|
clixon_err(OE_UNIX, errno, "cbuf_new");
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
cprintf(cbmsg, "No NACM username attribute present in incoming RPC: \"%s\"", rpcname);
|
||||||
|
if (netconf_access_denied(cbret, "application", cbuf_get(cbmsg)) < 0)
|
||||||
goto done;
|
goto done;
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
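Review bot: The cbuf created by the new `if ((cbmsg = cbuf_new()) == NULL){` line is never released inside this block: both the `goto done` after `netconf_access_denied` and the `goto fail` leave it allocated, so unless the done label (outside the hunk) frees it, every rejected RPC leaks a cbuf; declare it as `cbuf *cbmsg = NULL;` and add `if (cbmsg) cbuf_free(cbmsg);` at done:. `rpcname` is formatted with `%s` unchecked on the `cprintf(cbmsg, "No NACM username attribute present ..."` line, and the caller hunk in from_client_msg passes `rpc` whose nullness is not visible, so if it can be NULL this is undefined behaviour; `rpcname ? rpcname : "unknown"` avoids that. The rpc name presumably comes from the client's request and is now reflected into the error reply; unless netconf_access_denied XML-encodes its message argument (not visible here), a name containing `<` or `&` produces a malformed rpc-error, so encode it or confirm it is encoded. verify_nacm_user's done and fail labels are outside the hunk.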