NACM: Improved error message when no username included, and added username

Olof hagsand 2024-04-14 11:26:11 +02:00
parent 87e49ca37a
commit 1be158b7be
4 changed files with 18 additions and 8 deletions


@ -1805,7 +1805,7 @@ from_client_msg(clixon_handle h,
goto done; goto done;
if (ret == 0){ /* Do NACM RPC validation */ if (ret == 0){ /* Do NACM RPC validation */
creds = clicon_nacm_credentials(h); creds = clicon_nacm_credentials(h);
if ((ret = verify_nacm_user(h, creds, ce->ce_username, username, cbret)) < 0) if ((ret = verify_nacm_user(h, creds, ce->ce_username, username, rpc, cbret)) < 0)
goto done; goto done;
if (ret == 0){ /* credentials fail */ if (ret == 0){ /* credentials fail */
ce->ce_out_rpc_errors++; ce->ce_out_rpc_errors++;


@ -1908,9 +1908,10 @@ cli_process_control(clixon_handle h,
clixon_err(OE_UNIX, errno, "cbuf_new"); clixon_err(OE_UNIX, errno, "cbuf_new");
goto done; goto done;
} }
cprintf(cb, "<rpc xmlns=\"%s\"", NETCONF_BASE_NAMESPACE); cprintf(cb, "<rpc xmlns=\"%s\" username=\"%s\" %s>",
cprintf(cb, " %s", NETCONF_MESSAGE_ID_ATTR); NETCONF_BASE_NAMESPACE,
cprintf(cb, ">"); clicon_username_get(h),
NETCONF_MESSAGE_ID_ATTR);
cprintf(cb, "<process-control xmlns=\"%s\">", CLIXON_LIB_NS); cprintf(cb, "<process-control xmlns=\"%s\">", CLIXON_LIB_NS);
cprintf(cb, "<name>%s</name>", name); cprintf(cb, "<name>%s</name>", name);
cprintf(cb, "<operation>%s</operation>", opstr); cprintf(cb, "<operation>%s</operation>", opstr);
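Review bot: The value returned by clicon_username_get(h) is written straight into the `username="%s"` attribute on the first changed cprintf line without a NULL guard or XML attribute escaping; if it can be NULL the `%s` conversion is undefined behaviour, and a username containing `"`, `<` or `&` would yield malformed XML that the receiving side may reject or misparse. Consider emitting the attribute only when a username is set, and passing the value through the project's XML encoding helper before formatting, e.g. `if ((name = clicon_username_get(h)) != NULL) cprintf(cb, " username=\"%s\"", name);` with the encoded string substituted for `name`. cli_process_control's body starts and continues outside the hunk, so I cannot see whether the caller already constrains the username.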


@ -63,6 +63,6 @@ int nacm_datanode_write(clixon_handle h, cxobj *xr, cxobj *xt,
enum nacm_access access, enum nacm_access access,
char *username, cxobj *xnacm, cbuf *cbret); char *username, cxobj *xnacm, cbuf *cbret);
int nacm_access_pre(clixon_handle h, char *peername, char *username, cxobj **xnacmp); int nacm_access_pre(clixon_handle h, char *peername, char *username, cxobj **xnacmp);
int verify_nacm_user(clixon_handle h, enum nacm_credentials_t cred, char *peername, char *nacmname, cbuf *cbret); int verify_nacm_user(clixon_handle h, enum nacm_credentials_t cred, char *peername, char *nacmname, char *rpcname, cbuf *cbret);
#endif /* _CLIXON_NACM_H */ #endif /* _CLIXON_NACM_H */


@ -1099,6 +1099,7 @@ nacm_datanode_read(clixon_handle h,
* @param[in] h Clixon handle * @param[in] h Clixon handle
* @param[in] xnacm NACM XML tree, root should be "nacm" * @param[in] xnacm NACM XML tree, root should be "nacm"
* @param[in] username User name of requestor * @param[in] username User name of requestor
* @param[in] peername Peer username if any
* @retval 1 OK permitted. You do not need to do next NACM step * @retval 1 OK permitted. You do not need to do next NACM step
* @retval 0 OK but not validated. Need to do NACM step using xnacm * @retval 0 OK but not validated. Need to do NACM step using xnacm
* @retval -1 Error * @retval -1 Error
@ -1193,6 +1194,7 @@ nacm_access_check(clixon_handle h,
* If retval=0 continue with next NACM step, eg rpc, module, * If retval=0 continue with next NACM step, eg rpc, module,
* etc. If retval = 1 access is OK and skip next NACM step. * etc. If retval = 1 access is OK and skip next NACM step.
* @param[in] h Clixon handle * @param[in] h Clixon handle
* @param[in] peername Peer username if any
* @param[in] username User name of requestor * @param[in] username User name of requestor
* @param[out] xncam NACM XML tree, set if retval=0. Free after use * @param[out] xncam NACM XML tree, set if retval=0. Free after use
* @retval 1 OK permitted. You do not need to do next NACM step. * @retval 1 OK permitted. You do not need to do next NACM step.
@ -1272,12 +1274,13 @@ nacm_access_pre(clixon_handle h,
goto done; goto done;
} }
/*! Verify nacm user with peer uid credentials /*! Verify nacm user with peer uid credentials
* *
* @param[in] h Clixon handle * @param[in] h Clixon handle
* @param[in] mode Peer credential mode: none, exact or except * @param[in] mode Peer credential mode: none, exact or except
* @param[in] peername Peer username if any * @param[in] peername Peer username if any
* @param[in] username username received in XML (eg for NACM) * @param[in] nacmname username received in XML (eg for NACM)
* @param[in] rpcname Name of incoming rpc
* @param[out] cbret Set with netconf error message if ret == 0 * @param[out] cbret Set with netconf error message if ret == 0
* @retval 1 Verified * @retval 1 Verified
* @retval 0 Not verified (cbret set) * @retval 0 Not verified (cbret set)
@ -1297,6 +1300,7 @@ verify_nacm_user(clixon_handle h,
enum nacm_credentials_t cred, enum nacm_credentials_t cred,
char *peername, char *peername,
char *nacmname, char *nacmname,
char *rpcname,
cbuf *cbret) cbuf *cbret)
{ {
int retval = -1; int retval = -1;
@ -1313,7 +1317,12 @@ verify_nacm_user(clixon_handle h,
goto fail; goto fail;
} }
if (nacmname == NULL){ if (nacmname == NULL){
if (netconf_access_denied(cbret, "application", "No NACM available") < 0) if ((cbmsg = cbuf_new()) == NULL){
clixon_err(OE_UNIX, errno, "cbuf_new");
goto done;
}
cprintf(cbmsg, "No NACM username attribute present in incoming RPC: \"%s\"", rpcname);
if (netconf_access_denied(cbret, "application", cbuf_get(cbmsg)) < 0)
goto done; goto done;
goto fail; goto fail;
} }
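Review bot: In the last hunk `cbmsg` is allocated with cbuf_new() inside the `nacmname == NULL` branch but no cbuf_free(cbmsg) appears before either the `goto done` or the `goto fail` that follow, so unless verify_nacm_user's done: label (outside the hunk, as is the cbmsg declaration) releases it, every denied request on this path leaks a cbuf. The simplest fix is to free it right after it has been consumed: `if (netconf_access_denied(cbret, "application", cbuf_get(cbmsg)) < 0)` followed by `cbuf_free(cbmsg);` before the `goto fail`, or `if (cbmsg) cbuf_free(cbmsg);` at done:. The same cprintf formats `rpcname` with `%s`; from_client_msg passes `rpc` for this parameter in the first file section, and if that pointer can be NULL the call is undefined behaviour, so a guard such as `rpcname ? rpcname : "unknown"` would make the error path robust. verify_nacm_user's body continues past the end of the hunk.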