diff --git a/CHANGELOG.md b/CHANGELOG.md index 93dad3ba..3c649c46 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -27,8 +27,8 @@ Expected: May 2020 ### Major New features * NACM RFC341 datanode paths - * Read operations now implemented - * Create/Write/Update not yet + * NACM datanode read paths + * NYI: NACM datanode paths for create/delete/update ### API changes on existing protocol/config features (You may have have to change how you use Clixon) diff --git a/lib/src/clixon_nacm.c b/lib/src/clixon_nacm.c index 665d0f35..934f379f 100644 --- a/lib/src/clixon_nacm.c +++ b/lib/src/clixon_nacm.c @@ -321,34 +321,7 @@ nacm_rpc(char *rpc, * @retval -1 Error * @retval 0 No Match * @retval 1 Match - * @retval 1 SubMatch - - o For HEAD and GET requests, any data nodes that are ancestor nodes - of the target resource are considered to be part of the retrieval - request for access control purposes. - Data nodes to which the client does not have read access are silently - omitted, along with any descendants, -the selection criteria are applied to the subset of nodes that the user - is authorized to read, not the entire datastore. - * Assume tree: - * tree - * | - * a - * / \ - * b c - * access: / - * rule1: /a/b deny - * rule2: / permit - * returned tree: - * tree - * | - * a - * \ - * c - * Algorithm: - * Traverse all rules and access the tree: - * rule1: purge b - * rule2: accept rest. + * @note not used for read */ static int nacm_rule_datanode_path(clicon_handle h, @@ -361,7 +334,7 @@ nacm_rule_datanode_path(clicon_handle h, cxobj *xp; /* Node specified by path */ cxobj *xa; /* Ancestor */ char *path0; /* Non-canonical path */ - char *path; /* Canonical path */ + char *path=NULL; /* Canonical path */ yang_stmt *yspec; cxobj **xvec = NULL; size_t xlen = 0; @@ -396,6 +369,10 @@ nacm_rule_datanode_path(clicon_handle h, match: retval = 1; done: + if (nsc0) + cvec_free(nsc0); + if (path) + free(path); if (xvec) free(xvec); return retval; @@ -504,47 +481,49 @@ nacm_rule_datanode(clicon_handle h, goto done; } +/*! Perform NACM action: mark if permit, del if deny + * @param[in] xrule NACM rule + * @param[in] xn XML node (requested node) + * @retval -1 Error + * @retval 0 OK + */ static int nacm_data_read_action(cxobj *xrule, - cxobj *xp, - int default_permit) + cxobj *xn) { int retval = -1; char *action; if ((action = xml_find_body(xrule, "action")) != NULL){ - if (strcmp(action, "deny")==0){ - if (xml_purge(xp) < 0) - goto done; - } - else if (strcmp(action, "permit")==0){ - if (default_permit) - ; - else - xml_flag_set(xp, XML_FLAG_MARK); - } + if (strcmp(action, "deny")==0) + xml_flag_set(xn, XML_FLAG_DEL); + else if (strcmp(action, "permit")==0) + xml_flag_set(xn, XML_FLAG_MARK); } retval = 0; - done: + //done: return retval; } -/* - * @retval -1 Error - * @retval 0 OK and rule does not match - * @retval 1 OK and rule matches +/*! Match specific rule to specific requested node + * @param[in] xt XML root tree with "config" label + * @param[in] xn XML node (requested node) + * @param[in] xrule NACM rule + * @param[in] yspec YANG spec + * @retval -1 Error + * @retval 0 OK and rule does not match + * @retval 1 OK and rule matches * Two distinct cases: * (1) read_default is permit * mark all deny rules and remove them * (2) read_default is deny: * mark all permit rules and ancestors, remove everything else */ -// xml_apply_ancestor(xn, (xml_applyfn_t*)xml_flag_set, (void*)XML_FLAG_CHANGE); static int -nacm_data_read_xrule(clicon_handle h, - cxobj *xt, - cxobj *xrule, - int default_permit) +nacm_data_read_xrule_xml(cxobj *xt, + cxobj *xn, + cxobj *xrule, + yang_stmt *yspec) { int retval = -1; cxobj *xp; @@ -553,18 +532,23 @@ nacm_data_read_xrule(clicon_handle h, char *access_operations; cvec *nsc0 = NULL; /* Non-canonical namespace context */ char *path0; /* Non-canonical path */ - char *path; /* Canonical path */ - yang_stmt *yspec; + char *path=NULL; /* Canonical path */ yang_stmt *ymod; cxobj **xvec = NULL; size_t xlen = 0; char *module_rule; /* rule module name */ - int i; - yspec = clicon_dbspec_yang(h); if ((module_rule = xml_find_body(xrule, "module-name")) == NULL) goto nomatch; - + /* 6a) The rule's "module-name" leaf is "*" or equals the name of + * the YANG module where the requested data node is defined. + */ + if (strcmp(module_rule, "*") != 0){ + if (ys_module_by_xml(yspec, xn, &ymod) < 0) + goto done; + if (strcmp(yang_argument_get(ymod), module_rule) != 0) + goto nomatch; + } /* 6b) Either (1) the rule does not have a "rule-type" defined or (2) the "rule-type" is "data-node" and the "path" matches the requested data node, action node, or notification node. */ @@ -578,25 +562,8 @@ nacm_data_read_xrule(clicon_handle h, if (!match_access(access_operations, "read", NULL)) goto nomatch; if (pathobj == NULL){ - /* 6a) The rule's "module-name" leaf is "*" or equals the name of - * the YANG module where the requested data node is defined. - * Go thru all children of xt, - */ - i = 0; - xp = NULL; - while ((xp = xml_child_each(xt, xp, CX_ELMNT)) != NULL) { - if (strcmp(module_rule, "*") != 0){ - if (ys_module_by_xml(yspec, xp, &ymod) < 0) - goto done; - if (strcmp(yang_argument_get(ymod), module_rule) != 0) - continue; - } - i++; - if (nacm_data_read_action(xrule, xp, default_permit) < 0) - goto done; - } - if (i==0) - goto nomatch; + if (nacm_data_read_action(xrule, xn) < 0) + goto done; goto match; } path0 = clixon_trim2(xml_body(pathobj), " \t\n"); @@ -606,7 +573,13 @@ nacm_data_read_xrule(clicon_handle h, /* instance-id requires canonical paths */ if (xpath2canonical(path0, nsc0, yspec, &path, NULL) < 0) goto done; - /* XXX path may not be yang-consistent gives an error,... but retval =0 back,... */ + /* path may not be yang-consistent gives an error,... but retval =0 back,... + * Here I may need another function. + * I have a top-level node "xt", a node "xn" and a "path". + * I want to know if "xn" is or is a descendant of the matches of path on xt. + * The brute force is to evaluate the result in xvec and then see if ancestors of + * xn is in xvec. + */ if ((ret = clixon_xml_find_instance_id(xt, yspec, &xvec, &xlen, "%s", path)) < 0) goto done; switch (ret){ @@ -618,21 +591,20 @@ nacm_data_read_xrule(clicon_handle h, goto nomatch; assert(xlen == 1); xp = xvec[0]; /* XXX: loop? */ - /* 6a) The rule's "module-name" leaf is "*" or equals the name of - * the YANG module where the requested data node is defined. */ - if (strcmp(module_rule, "*") != 0){ - if (ys_module_by_xml(yspec, xp, &ymod) < 0) - goto done; - if (strcmp(yang_argument_get(ymod), module_rule) != 0) - goto nomatch; - } - if (nacm_data_read_action(xrule, xp, default_permit) < 0) + /* Check if ancestor is xp */ + if (xn != xp && !xml_isancestor(xn, xp)) + goto nomatch; + if (nacm_data_read_action(xrule, xn) < 0) goto done; break; } /* switch */ match: retval = 1; /* match */ done: + if (path) + free(path); + if (nsc0) + cvec_free(nsc0); if (xvec) free(xvec); return retval; @@ -641,13 +613,114 @@ nacm_data_read_xrule(clicon_handle h, goto done; } +/*! Recursive check for NACM read rules among all XML nodes + * @param[in] h Clicon handle + * @param[in] xt XML root tree with "config" label + * @param[in] xn XML node (requested node) + * @param[in] gvec Vector of groups + * @param[in] glen Length of group vector + * @param[in] rlistvec Vector of rules + * @param[in] rlistlen Length of rule vector + * @param[in] nsc Namespace context + * @param[in] yspec YANG spec + * @retval 0 OK + * @retval -1 Error + */ +static int +nacm_datanode_read_recurse(clicon_handle h, + cxobj *xt, + cxobj *xn, + cxobj **gvec, + size_t glen, + cxobj **rlistvec, + size_t rlistlen, + cvec *nsc, + yang_stmt *yspec) +{ + int retval=-1; + cxobj *rlist; + cxobj **rvec = NULL; /* rules */ + size_t rlen; + cxobj *x; + int i; + int j; + char *gname; + cxobj *xrule; + cxobj *xprev; + int match; + + if (xml_spec(xn)){ /* Check this node */ + for (i=0; i? - * permit - t; deny - f - * r1 | r2 | r3 | result (r0 and r4 are dont cares - dont match) - * ------+------+------+--------- - * t | t | t | - * t | t | f | - * t | f | t | - * t | f | f | - * f | t | t | - * f | t | f | - * f | f | t | - * f | f | f | * - * - read access on / which returns ? - * permit - t; deny - f - * r0 | r4 | result - * ------+------+--------- - * t | t | - * t | f | - * f | t | - * f | f | - * Algorithm 1, based on an xml tree XT: - * The special variable ACTION can have values: - * permit/deny/default - * 1. Traverse through all nodes x in xt. Set ACTION to default - * - Find first exact matching rule r of non-default rules r1-rn on x - * - if found set ACTION to r->action (permit/deny). - * - if ACTION is deny purge x and all descendants - * - if ACTION is permit, mark x as PERMIT - * - continue traverse - * 2. If default action is - * 2. Traverse through all nodes x in xt. Set ACTION to default r0->action - * - if x is marked as PERMIT - * - if ACTION is deny deny purge x and all descendants + * Some observations: + * 1. The requested node is a set of nodes in a tree (not just the top-node) + * 2. Any node descendants of a deny is denied (except default) + * 3. First rule matching a node is the active rule + * + * Algorithm: Select either (A) or (B) * - * Algorithm 2 (based on requested node set XRS which are sub-trees in XT). - * For each XR in XRS, check match with rule r1-rn, r0. - * 1. XR is PERMIT - * - Recursively match subtree to find reject sub-trees and purge. - * 2. XR is REJECT. Purge XR. - * Module-rule w no path is implicit rule on top node. + * 1. Select next node N in the requested node tree: + * 2. Select next R rule in the set of applicable rules: + * 3. If N does not match R, and remaining rules, goto 2. + * 4. If N matches R as deny, remove that subtree + * 5. If N matches R as accept, mark that node + * 6(A). If N did not match any rule R, and default rule is deny, remove that subtree + * 7. If remaining nodes, goto 1 + * 8(B) If default rule is deny, recursively remove all subtrees that are not marked * - * A module rule has the "module-name" leaf set but no nodes from the - * "rule-type" choice set. * @see RFC8341 3.4.5. Data Node Access Validation * @see nacm_datanode_write * @see nacm_rpc @@ -727,16 +772,11 @@ nacm_datanode_read(clicon_handle h, int retval = -1; cxobj **gvec = NULL; /* groups */ size_t glen; - char *gname; cxobj **rlistvec = NULL; /* rule-list */ size_t rlistlen; int i; - int j; char *read_default = NULL; - int matches = 0; cvec *nsc = NULL; - cxobj *xrule; - int ret; /* Create namespace context for with nacm namespace as default */ if ((nsc = xml_nsctx_init(NULL, NACM_NS)) == NULL) @@ -764,53 +804,21 @@ nacm_datanode_read(clicon_handle h, clicon_err(OE_XML, EINVAL, "No nacm read-default rule"); goto done; } - matches = 0; - for (i=0; i 0) - matches++; - } - if (rvec){ - free(rvec); - rvec=NULL; - } - } - /* If there were accpet rules in some matches, remove everything else */ - if (matches && strcmp(read_default, "deny") == 0) + if (nacm_datanode_read_recurse(h, xt, xt, gvec, glen, rlistvec, rlistlen, nsc, + clicon_dbspec_yang(h)) < 0) + goto done; +#if 1 + /* Step 8(B) above: + * If default rule is deny, recursively remove all subtrees that are not marked + */ + if (strcmp(read_default, "deny") == 0) if (xml_tree_prune_flagged_sub(xt, XML_FLAG_MARK, 1, NULL) < 0) goto done; - if (strcmp(read_default, "deny") == 0){ - if (matches == 0) - goto step9; /* delete all */ - else /* Accept rules that override default delete: delete everything not marked) */ - if (xml_tree_prune_flagged_sub(xt, XML_FLAG_MARK, 1, NULL) < 0) - goto done; - } +#endif /* reset flag */ if (xml_apply(xt, CX_ELMNT, (xml_applyfn_t*)xml_flag_reset, (void*)XML_FLAG_MARK) < 0) goto done; + goto ok; /* 8. At this point, no matching rule was found in any rule-list entry. */ @@ -821,7 +829,7 @@ nacm_datanode_read(clicon_handle h, "nacm:default-deny-all" statement, then the requested data node and all its descendants are not included in the reply. */ - for (i=0; icp_yang; if ((modns = yang_find_mynamespace(yc)) == NULL) goto fail; + if (xvecp) for (i=0; i. +# +# permit-dummy-interface: This rule gives the "limited" and "guest" +# groups read-update access to the acme entry named +# "dummy". This entry cannot be created or deleted by these groups; +# it can only be altered. +# +# permit-interface: This rule gives the "admin" group read-write +# access to all acme entries. +# +# Test as follows: +# 1. limit can read /nacm +# 2. guest cannot read /nacm +# 3. limited can read and set /config-parameters +# 4. guest cannot set /config-parametesr +# 5. guest|limit cannot POST dummy interface +# 6. admin can POST dummy interface +# 7. guest|limit can read and PUT dummy interface +# 8. guest|limit cannot DELETE dummy interface +# 9. admin can DELETE dummy interface + +# Magic line must be first in script (see README.md) +s="$_" ; . ./lib.sh || if [ "$s" = $0 ]; then exit 0; else return 0; fi + +APPNAME=example + +# Common NACM scripts +. ./nacm.sh + +cfg=$dir/conf_yang.xml +fyang=$dir/nacm-example.yang +fyang2=$dir/itf.yang + +cat < $cfg + + $cfg + /usr/local/share/clixon + $IETFRFC + $dir + $fyang + /usr/local/lib/$APPNAME/clispec + /usr/local/lib/$APPNAME/restconf + /usr/local/lib/$APPNAME/cli + $APPNAME + /usr/local/var/$APPNAME/$APPNAME.sock + /usr/local/lib/$APPNAME/backend + /usr/local/var/$APPNAME/$APPNAME.pidfile + /usr/local/var/$APPNAME + false + internal + none + +EOF + +# There are two implicit modules defined by RFC 8341 +# This is a try to define them +cat < $fyang +module nacm-example{ + yang-version 1.1; + namespace "http://example.com/ns/netconf"; + prefix ex; + import ietf-netconf-acm { + prefix nacm; + } + import itf { + prefix acme; + } + container acme-netconf{ + container config-parameters{ + list parameter{ + key name; + leaf name{ + type string; + } + leaf value{ + type string; + } + } + } + } +} +EOF + +cat < $fyang2 +module itf{ + yang-version 1.1; + namespace "http://example.com/ns/itf"; + prefix acme; + + container interfaces{ + list interface{ + key name; + leaf key{ + type string; + } + leaf value{ + type string; + } + } + } +} +EOF + +# The groups are slightly modified from RFC8341 A.1 ($USER added in admin group) +# The rule-list is from A.4 +# Note read-default is set to permit to ensure that deny-nacm is meaningful +RULES=$(cat < + false + permit + deny + permit + + $NGROUPS + + + guest-acl + guest + + deny-nacm + + /n:nacm + + * + deny + + Deny the 'guest' group any access to the /nacm data. + + + + + limited-acl + limited + + permit-acme-config + + /acme:acme-netconf/acme:config-parameters + + + read create update delete + + permit + + Allow the 'limited' group complete access to the acme + NETCONF configuration parameters. Showing long form + of 'access-operations' instead of shorthand. + + + + + guest-limited-acl + guest + limited + + + permit-dummy-interface + + /acme:interfaces/acme:interface[acme:name='dummy'] + + read update + permit + + Allow the 'limited' and 'guest' groups read + and update access to the dummy interface. + + + + + + admin-acl + admin + + permit-interface + + /acme:interfaces/acme:interface + + * + permit + + Allow the 'admin' group full access to all acme interfaces. + + + + + +EOF +) + +CONFIG=$(cat < + + + a + 72 + + + +EOF +) + +new "test params: -f $cfg" + +if [ $BE -ne 0 ]; then + new "kill old backend" + sudo clixon_backend -zf $cfg + if [ $? -ne 0 ]; then + err + fi + new "start backend -s init -f $cfg" + start_backend -s init -f $cfg +fi + +new "waiting" +wait_backend + +if [ $RC -ne 0 ]; then + new "kill old restconf daemon" + sudo pkill -u $wwwuser -f clixon_restconf + + new "start restconf daemon (-a is enable basic authentication)" + start_restconf -f $cfg -- -a + + new "waiting" + wait_restconf +fi + +new "auth set authentication config" +expecteof "$clixon_netconf -qf $cfg" 0 "$RULES]]>]]>" "^]]>]]>$" + +new "set app config" +expecteof "$clixon_netconf -qf $cfg" 0 "$CONFIG]]>]]>" "^]]>]]>$" + +new "commit it" +expecteof "$clixon_netconf -qf $cfg" 0 "]]>]]>" "^]]>]]>$" + +new "enable nacm" +expectpart "$(curl -u andy:bar -siS -X PUT -H "Content-Type: application/yang-data+json" -d '{"ietf-netconf-acm:enable-nacm": true}' http://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" 0 "HTTP/1.1 204 No Content" + +#--------------- nacm enabled + +#user:admin,wilma,guest +new "admin can read /nacm" +expectpart "$(curl -u andy:bar -siS -X GET http://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" 0 'HTTP/1.1 200 OK' '{"ietf-netconf-acm:enable-nacm":true}' + +new "1. limit can read /nacm" +expectpart "$(curl -u wilma:bar -siS -X GET http://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" 0 'HTTP/1.1 200 OK' '{"ietf-netconf-acm:enable-nacm":true}' + +# Comment: it should NOT be access-denied, it should be not found, since then you say it exists but you +# dont have access to it which is insecure +new "2. guest cannot read /nacm" +expectpart "$(curl -u guest:bar -siS -X GET http://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" 0 'HTTP/1.1 404 Not Found' '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"invalid-value","error-severity":"error","error-message":"Instance does not exist"}}}' + +# 3. limited can read and set /config-parameters +new "3. limited can read config-parameters" +expectpart "$(curl -u wilma:bar -siS -X GET http://localhost/restconf/data/nacm-example:acme-netconf/config-parameters)" 0 'HTTP/1.1 200 OK' '{"nacm-example:config-parameters":{"parameter":\[{"name":"a","value":"72"}\]}}' + +if false; then # notyet +new "3. limited can set config-parameters" +expectpart "$(curl -u wilma:bar -siS -X PUT -H "Content-Type: application/yang-data+json" http://localhost/restconf/data/nacm-example:acme-netconf/config-parameters/parameter=a -d '{"nacm-example:parameter":[{"name":"a","value":"93"}]}')" 0 'HTTP/1.1 200 OK' +fi + +new "4. guest cannot set /config-parameter" +expectpart "$(curl -u wilma:bar -siS -X PUT -H "Content-Type: application/yang-data+json" http://localhost/restconf/data/nacm-example:acme-netconf/config-parameters/parameter=a -d '{"nacm-example:parameter":[{"name":"a","value":"93"}]}')" 0 'HTTP/1.1 403 Forbidden' '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"default deny"}}}' + +# 5. guest|limit cannot POST dummy interface +# 6. admin can POST dummy interface +# 7. guest|limit can read and PUT dummy interface +# 8. guest|limit cannot DELETE dummy interface +# 9. admin can DELETE dummy interface + +if [ $RC -ne 0 ]; then + new "Kill restconf daemon" + stop_restconf +fi + +if [ $BE -eq 0 ]; then + exit # BE +fi + +new "Kill backend" +# Check if premature kill +pid=$(pgrep -u root -f clixon_backend) +if [ -z "$pid" ]; then + err "backend already dead" +fi +# kill backend +stop_backend -f $cfg + +rm -rf $dir diff --git a/test/test_nacm_datanode_read.sh b/test/test_nacm_datanode_read.sh new file mode 100755 index 00000000..881682e5 --- /dev/null +++ b/test/test_nacm_datanode_read.sh @@ -0,0 +1,300 @@ +#!/usr/bin/env bash +# Authentication and authorization and IETF NACM +# NACM data node rules +# The RFC 8341 examples in the appendix are very limited. +# Here focus on datanode paths from a read perspective. +# The limit user is used for this +# The following shows a tree of the paths where permit/deny actions can be set: +# read-default +# module +# /table +# /table/parameters/parameter +# +# The test goes through all permutations and checks the expected behaviour +# + +# Magic line must be first in script (see README.md) +s="$_" ; . ./lib.sh || if [ "$s" = $0 ]; then exit 0; else return 0; fi + +APPNAME=example + +# Common NACM scripts +. ./nacm.sh + +cfg=$dir/conf_yang.xml +fyang=$dir/nacm-example.yang +fyang2=$dir/nacm-example2.yang + +cat < $cfg + + $cfg + /usr/local/share/clixon + $IETFRFC + $dir + $fyang + /usr/local/lib/$APPNAME/clispec + /usr/local/lib/$APPNAME/restconf + /usr/local/lib/$APPNAME/cli + $APPNAME + /usr/local/var/$APPNAME/$APPNAME.sock + /usr/local/lib/$APPNAME/backend + /usr/local/var/$APPNAME/$APPNAME.pidfile + /usr/local/var/$APPNAME + false + internal + none + +EOF + +cat < $fyang +module nacm-example{ + yang-version 1.1; + namespace "urn:example:nacm"; + prefix ex; + import ietf-netconf-acm { + prefix nacm; + } + import nacm-example2 { + prefix ex2; + } + container table{ + container parameters{ + list parameter{ + key name; + leaf name{ + type string; + } + leaf value{ + type string; + } + } + } + } + container other{ + leaf value{ + type string; + } + } +} +EOF + +cat < $fyang2 +module nacm-example2{ + yang-version 1.1; + namespace "urn:example:nacm2"; + prefix ex2; + container other2{ + leaf value{ + type string; + } + } +} +EOF + +RULES=$(cat < + false + deny + deny + permit + + $NGROUPS + + + limited-acl + limited + + + parameter + * + read + /ex:table/ex:parameters/ex:parameter + permit + + + table + * + read + /ex:table + permit + + + module + nacm-example + read + permit + + + + + $NADMIN + + +EOF +) + +CONFIG=$(cat < + + + a + 72 + + + + + 99 + + + 88 + +EOF +) + +# +# Arguments, permit/deny on different levels: +# Configs (permit/deny): +# - read-default +# - module as a whole +# - table: root symbol +# - param: sub symbol +# Tests, epxect true/false: +# - read other module +# - read other in same module +# - read table +# - read parameter +testrun(){ + readdefault=$1 + module=$2 + table=$3 + parameter=$4 + test1=$5 + test2=$6 + test3=$7 + test4=$8 + + new "read-default:$readdefault module:$module table:$table parameter:$parameter" + + new "set read-default $readdefault" + expectpart "$(curl -u andy:bar -siS -X PUT -H "Content-Type: application/yang-data+json" http://localhost/restconf/data/ietf-netconf-acm:nacm/read-default -d "{\"ietf-netconf-acm:read-default\":\"$readdefault\"}" )" 0 "HTTP/1.1 204 No Content" + + new "set module rule $module" + expectpart "$(curl -u andy:bar -siS -X PUT -H "Content-Type: application/yang-data+json" http://localhost/restconf/data/ietf-netconf-acm:nacm/rule-list=limited-acl/rule=module/action -d "{\"ietf-netconf-acm:action\":\"$module\"}" )" 0 "HTTP/1.1 204 No Content" + + new "set table rule $table" + expectpart "$(curl -u andy:bar -siS -X PUT -H "Content-Type: application/yang-data+json" http://localhost/restconf/data/ietf-netconf-acm:nacm/rule-list=limited-acl/rule=table/action -d "{\"ietf-netconf-acm:action\":\"$table\"}" )" 0 "HTTP/1.1 204 No Content" + + new "set parameter rule $parameter" + expectpart "$(curl -u andy:bar -siS -X PUT -H "Content-Type: application/yang-data+json" http://localhost/restconf/data/ietf-netconf-acm:nacm/rule-list=limited-acl/rule=parameter/action -d "{\"ietf-netconf-acm:action\":\"$parameter\"}" )" 0 "HTTP/1.1 204 No Content" + +#--------------- Here check + new "get other module" + if $test1; then + expectpart "$(curl -u wilma:bar -siS -X GET http://localhost/restconf/data/nacm-example2:other2/value)" 0 'HTTP/1.1 200 OK' '{"nacm-example2:value":"88"}' + else + expectpart "$(curl -u wilma:bar -siS -X GET http://localhost/restconf/data/nacm-example2:other2/value)" 0 'HTTP/1.1 404 Not Found' '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"invalid-value","error-severity":"error","error-message":"Instance does not exist"}}}' + fi + + new "get other in same module" + if $test2; then + expectpart "$(curl -u wilma:bar -siS -X GET http://localhost/restconf/data/nacm-example:other/value)" 0 'HTTP/1.1 200 OK' '{"nacm-example:value":"99"}' + else + expectpart "$(curl -u wilma:bar -siS -X GET http://localhost/restconf/data/nacm-example:other/value)" 0 'HTTP/1.1 404 Not Found' '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"invalid-value","error-severity":"error","error-message":"Instance does not exist"}}}' + fi + + new "get table" + if $test3; then + expectpart "$(curl -u wilma:bar -siS -X GET http://localhost/restconf/data/nacm-example:table?depth=1)" 0 'HTTP/1.1 200 OK' '{"nacm-example:table":{}}' + else + expectpart "$(curl -u wilma:bar -siS -X GET http://localhost/restconf/data/nacm-example:table?depth=1)" 0 'HTTP/1.1 404 Not Found' '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"invalid-value","error-severity":"error","error-message":"Instance does not exist"}}}' + fi + new "get parameter" + if $test4; then + expectpart "$(curl -u wilma:bar -siS -X GET http://localhost/restconf/data/nacm-example:table/parameters/parameter=a)" 0 'HTTP/1.1 200 OK' '{"nacm-example:parameter":\[{"name":"a","value":"72"}\]}' + else + expectpart "$(curl -u wilma:bar -siS -X GET http://localhost/restconf/data/nacm-example:table/parameters/parameter=a)" 0 'HTTP/1.1 404 Not Found' '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"invalid-value","error-severity":"error","error-message":"Instance does not exist"}}}' + fi + +} # testrun + +new "test params: -f $cfg" + +if [ $BE -ne 0 ]; then + new "kill old backend" + sudo clixon_backend -zf $cfg + if [ $? -ne 0 ]; then + err + fi + new "start backend -s init -f $cfg" + start_backend -s init -f $cfg +fi + +new "waiting" +wait_backend + +if [ $RC -ne 0 ]; then + new "kill old restconf daemon" + sudo pkill -u $wwwuser -f clixon_restconf + + new "start restconf daemon (-a is enable basic authentication)" + start_restconf -f $cfg -- -a + + new "waiting" + wait_restconf +fi + +new "auth set authentication config" +expecteof "$clixon_netconf -qf $cfg" 0 "$RULES]]>]]>" "^]]>]]>$" + +new "set app config" +expecteof "$clixon_netconf -qf $cfg" 0 "$CONFIG]]>]]>" "^]]>]]>$" + +new "commit it" +expecteof "$clixon_netconf -qf $cfg" 0 "]]>]]>" "^]]>]]>$" + +new "enable nacm" +expectpart "$(curl -u andy:bar -siS -X PUT -H "Content-Type: application/yang-data+json" -d '{"ietf-netconf-acm:enable-nacm": true}' http://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" 0 "HTTP/1.1 204 No Content" + +#--------------- nacm enabled +# config: def module table parameter +# test: mod other table parameter +# default deny +testrun deny deny deny deny false false false false +testrun deny deny deny permit false false false false +testrun deny deny permit deny false false true false +testrun deny deny permit permit false false true true + +testrun deny permit deny deny false true false false +testrun deny permit deny permit false true false false +testrun deny permit permit deny false true true false +testrun deny permit permit permit false true true true + +# default permit +testrun permit deny deny deny true false false false +testrun permit deny deny permit true false false false +testrun permit deny permit deny true false true false +testrun permit deny permit permit true false true true + +testrun permit permit deny deny true true false false +testrun permit permit deny permit true true false false +testrun permit permit permit deny true true true false +testrun permit permit permit permit true true true true + +if [ $RC -ne 0 ]; then + new "Kill restconf daemon" + stop_restconf +fi +if [ $BE -ne 0 ]; then # Bring your own backend + new "Kill backend" + # Check if premature kill + pid=$(pgrep -u root -f clixon_backend) + if [ -z "$pid" ]; then + err "backend already dead" + fi + # kill backend + stop_backend -f $cfg +fi + + + +rm -rf $dir