From 244060fddcdd199df48f828442d6c34834d605b5 Mon Sep 17 00:00:00 2001 
From: Olof hagsand Date: Wed, 7 Apr 2021 20:33:58 +0200 Subject: [PATCH] - Added specific WITH_RESTCONF compile contants for _NATIVE and _FCGI for C code - Restconf auth=none changes - Load clixon-restconf and resolve features earlier so that config features work - Removed auth=none code from example (this was non-std half-baked basic auth) - Changed tests that used auth-type=none to enable feature clixon-restconf:allow-auth-none - Moved cert creation from sub-shell to servercert function - Fixed typos for dockerfile rename of restconf evhtp to native --- configure | 7 +- configure.ac | 3 +- ...{Dockerfile.internal => Dockerfile.native} | 2 +- docker/main/README.md | 4 +- ...tsystem_evhtp.sh => startsystem_native.sh} | 0 example/main/example_restconf.c | 77 +--------------- include/clixon_config.h.in | 12 +-- lib/clixon/clixon_plugin.h | 4 +- lib/src/clixon_options.c | 7 +- lib/src/clixon_yang.c | 4 +- test/certs.sh | 67 -------------- test/lib.sh | 87 +++++++++++++++++++ test/long.sh | 1 + test/test_api.sh | 1 + test/test_augment.sh | 1 + test/test_choice.sh | 1 + test/test_client.sh | 1 + test/test_copy_config.sh | 1 + test/test_identity.sh | 1 + test/test_perf_restconf.sh | 1 + test/test_perf_state.sh | 1 + test/test_perf_state_only.sh | 1 + test/test_restconf.sh | 4 +- test/test_restconf2.sh | 1 + test/test_restconf_basic_auth.sh | 23 +++-- test/test_restconf_err.sh | 1 + test/test_restconf_jukebox.sh | 1 + test/test_restconf_listkey.sh | 1 + test/test_restconf_netns.sh | 5 +- test/test_restconf_notifications.sh | 1 + test/test_restconf_rpc.sh | 1 + test/test_restconf_ssl_certs.sh | 6 +- test/test_restconf_startup.sh | 1 + test/test_rpc.sh | 1 + test/test_submodule.sh | 1 + test/test_yang_anydata.sh | 1 + test/test_yang_namespace.sh | 1 + yang/clixon/clixon-lib@2021-03-08.yang | 4 +- 38 files changed, 159 insertions(+), 178 deletions(-) rename docker/main/{Dockerfile.internal => Dockerfile.native} (98%) rename docker/main/{startsystem_evhtp.sh => 
startsystem_native.sh} (100%) delete mode 100644 test/certs.sh diff --git a/configure b/configure index a0467783..303ae5b5 100755 --- a/configure +++ b/configure @@ -5042,6 +5042,9 @@ else as_fn_error $? "libfcgi-dev missing" "$LINENO" 5 fi + +$as_echo "#define WITH_RESTCONF_FCGI 1" >>confdefs.h + # For c-code that cant use strings elif test "x${with_restconf}" == xnative; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OPENSSL_init_ssl in -lssl" >&5 $as_echo_n "checking for OPENSSL_init_ssl in -lssl... " >&6; } @@ -5249,6 +5252,9 @@ else as_fn_error $? "libevhtp missing" "$LINENO" 5 fi + +$as_echo "#define WITH_RESTCONF_NATIVE 1" >>confdefs.h + # For c-code that cant use strings elif test "x${with_restconf}" == xno; then # Cant get around "no" as an answer for --without-restconf that is reset here to undefined with_restconf= @@ -5256,7 +5262,6 @@ else as_fn_error $? "No such restconf package: ${with_restconf}" "$LINENO" 5 fi - if test "x${with_restconf}" != "x"; then # This is so it appears in config.h diff --git a/configure.ac b/configure.ac index 5fd5c099..d3bb8acf 100644 --- a/configure.ac +++ b/configure.ac @@ -209,6 +209,7 @@ AC_ARG_WITH([restconf], if test "x${with_restconf}" == xfcgi; then # Lives in libfcgi-dev AC_CHECK_LIB(fcgi, FCGX_Init,, AC_MSG_ERROR([libfcgi-dev missing])) + AC_DEFINE(WITH_RESTCONF_FCGI, 1, [Use fcgi restconf mode]) # For c-code that cant use strings elif test "x${with_restconf}" == xnative; then AC_CHECK_LIB(ssl, OPENSSL_init_ssl ,, AC_MSG_ERROR([libssl missing])) AC_CHECK_LIB(crypto, CRYPTO_new_ex_data, , AC_MSG_ERROR([libcrypto missing])) 
@@ -221,6 +222,7 @@ elif test "x${with_restconf}" == xnative; then #define EVHTP_DISABLE_EVTHR ]]) AC_CHECK_LIB(evhtp, evhtp_new,, AC_MSG_ERROR([libevhtp missing]),[-levent -lssl -lcrypto]) + AC_DEFINE(WITH_RESTCONF_NATIVE, 1, [Use native restconf mode]) # For c-code that cant use strings elif test "x${with_restconf}" == xno; then # Cant get around "no" as an answer for --without-restconf that is reset here to undefined with_restconf= @@ -228,7 +230,6 @@ else AC_MSG_ERROR([No such restconf package: ${with_restconf}]) fi - if test "x${with_restconf}" != "x"; then # This is so it appears in config.h AC_DEFINE_UNQUOTED(WITH_RESTCONF, ${with_restconf}, [Restconf package]) diff --git a/docker/main/Dockerfile.internal b/docker/main/Dockerfile.native similarity index 98% rename from docker/main/Dockerfile.internal rename to docker/main/Dockerfile.native index e4d56f0f..734f1e2f 100644 --- a/docker/main/Dockerfile.internal +++ b/docker/main/Dockerfile.native @@ -77,7 +77,7 @@ COPY clixon . RUN adduser -D -H www-data # Configure, build and install clixon -RUN ./configure --prefix=/clixon/build --with-cligen=/clixon/build --with-wwwuser=www-data --enable-optyangs --with-restconf=evhtp +RUN ./configure --prefix=/clixon/build --with-cligen=/clixon/build --with-wwwuser=www-data --enable-optyangs --with-restconf=native RUN make RUN make install diff --git a/docker/main/README.md b/docker/main/README.md index 6e3395a8..3c875e5a 100644 --- a/docker/main/README.md +++ b/docker/main/README.md 
@@ -10,13 +10,13 @@ The directory contains the following files: - cleanup.sh Kill containers - Dockerfile Docker build instructions without restconf - Dockerfile.fcgi Docker build instructions with nginx/fcgi restconf (this is default) - - Dockerfile.evhtp Docker build instructions with libevhtp restconf + - Dockerfile.native Docker build instructions with native restconf - Makefile.in "make docker" builds the container - README.md This file - start.sh Start containers - startsystem.sh Internal start script copied to inside the container (dont run from shell). - startsystem_fcgi.sh Variant for nginx/fcgi (default) - - startsystem_evhtp.sh Variant for libevhtp + - startsystem_native.sh Variant for native restconf How to run the tests: ``` diff --git a/docker/main/startsystem_evhtp.sh b/docker/main/startsystem_native.sh similarity index 100% rename from docker/main/startsystem_evhtp.sh rename to docker/main/startsystem_native.sh diff --git a/example/main/example_restconf.c b/example/main/example_restconf.c index 04e9e397..7c21d2fa 100644 --- a/example/main/example_restconf.c +++ b/example/main/example_restconf.c @@ -33,8 +33,6 @@ ***** END LICENSE BLOCK ***** * - * This code uses WITH_RESTCONF_FCGI to identify its run with fcgi intreface for ca_auth - * This should be changed. */ #include 
@@ -268,76 +266,6 @@ example_basic_auth(clicon_handle h, goto done; } -/*! HTTP "no auth" but uses basic authentication to get a user - * @param[in] h Clicon handle - * @param[in] req Per-message request www handle to use with restconf_api.h - * @param[out] authp NULL: Credentials failed, no user set (401 returned). - * String: Credentials OK, the associated user, must be mallloc:ed - * Parameter signtificant only if retval is 1/OK - * @retval -1 Fatal error - * @retval 0 Ignore, undecided, not handled, same as no callback - * @retval 1 OK, see authp parameter for result. - * @note authp should be malloced - */ -static int -example_no_auth(clicon_handle h, - void *req, - char **authp) -{ - int retval = -1; - cxobj *xt = NULL; - char *user = NULL; - cbuf *cb = NULL; - char *auth; - char *passwd; - size_t authlen; - int ret; - - clicon_debug(1, "%s", __FUNCTION__); - if (authp == NULL){ - clicon_err(OE_PLUGIN, EINVAL, "Authp output parameter is NULL"); - goto done; - } - /* At this point in the code we must use HTTP basic authentication */ - if ((auth = restconf_param_get(h, "HTTP_AUTHORIZATION")) == NULL) - goto fail; - if (strlen(auth) < strlen("Basic ")) - goto fail; - if (strncmp("Basic ", auth, strlen("Basic "))) - goto fail; - auth += strlen("Basic "); - authlen = strlen(auth)*2; - if ((user = malloc(authlen)) == NULL){ - clicon_err(OE_UNIX, errno, "malloc"); - goto done; - } - memset(user, 0, authlen); - if ((ret = b64_decode(auth, user, authlen)) < 0) - goto done; - /* auth string is on the format user:passwd */ - if ((passwd = index(user,':')) == NULL) - goto fail; - *passwd = '\0'; - passwd++; - clicon_debug(1, "%s http user:%s passwd:%s", __FUNCTION__, user, passwd); - *authp = user; /* authenticated */ - user=NULL; /* to avoid free below */ - retval = 1; - done: /* error */ - clicon_debug(1, "%s retval:%d authp:%s", __FUNCTION__, retval, authp?"":*authp); - if (user) - free(user); - if (cb) - cbuf_free(cb); - if (xt) - xml_free(xt); - return retval; - 
fail: /* unauthenticated */ - *authp = NULL; - retval = 0; /* Ignore use anonymous */ - goto done; -} - /*! Authentication callback * @param[in] h Clicon handle * @param[in] req Per-message request www handle to use with restconf_api.h @@ -360,9 +288,8 @@ example_restconf_credentials(clicon_handle h, clicon_debug(1, "%s auth:%s", __FUNCTION__, clixon_auth_type_int2str(auth_type)); switch (auth_type){ - case CLIXON_AUTH_NONE: - if ((retval = example_no_auth(h, req, authp)) < 0) - goto done; + case CLIXON_AUTH_NONE: /* FEATURE clixon-restconf:allow-auth-none must be enabled */ + retval = 0; break; case CLIXON_AUTH_CLIENT_CERTIFICATE: retval = 0; /* Ignore, use default */ diff --git a/include/clixon_config.h.in b/include/clixon_config.h.in index 16421fa9..afc69f0a 100644 --- a/include/clixon_config.h.in +++ b/include/clixon_config.h.in @@ -51,9 +51,6 @@ /* Define to 1 if you have the `event' library (-levent). */ #undef HAVE_LIBEVENT -/* Define to 1 if you have the `event_openssl' library (-levent_openssl). */ -#undef HAVE_LIBEVENT_OPENSSL - /* Define to 1 if you have the `evhtp' library (-levhtp). */ #undef HAVE_LIBEVHTP @@ -63,9 +60,6 @@ /* Define to 1 if you have the `m' library (-lm). */ #undef HAVE_LIBM -/* Define to 1 if you have the `pthread' library (-lpthread). */ -#undef HAVE_LIBPTHREAD - /* Define to 1 if you have the `socket' library (-lsocket). */ #undef HAVE_LIBSOCKET @@ -147,6 +141,12 @@ /* Restconf package */ #undef WITH_RESTCONF +/* Use fcgi restconf mode */ +#undef WITH_RESTCONF_FCGI + +/* Use native restconf mode */ +#undef WITH_RESTCONF_NATIVE + /* WWW dir for restconf daemon */ #undef WWWDIR diff --git a/lib/clixon/clixon_plugin.h b/lib/clixon/clixon_plugin.h index 2930a8d8..6cda4bfa 100644 --- a/lib/clixon/clixon_plugin.h +++ b/lib/clixon/clixon_plugin.h 
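Review bot: In `example_restconf_credentials`, the `CLIXON_AUTH_NONE` case now returns 0 without touching `*authp`, and its inline comment names a feature precondition that this callback does not check. Where `clixon-restconf:allow-auth-none` is enforced is not visible in this hunk, so the comment should say that it is enforced elsewhere and what 0 means here, for example `/* Ignore: no credentials are examined here; the caller applies its default user. allow-auth-none is enforced outside this callback */`, if that matches the caller. Because this file is an example that plugin authors copy, saying outright that this branch performs no authentication keeps it from being mistaken for an auth step. The switch continues outside the hunk.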
@@ -98,7 +98,9 @@ typedef int (*clicon_upgrade_cb)( * For now only used by restconf frontend */ enum clixon_auth_type { - CLIXON_AUTH_NONE = 0, /* Message is authenticated automatically, Do not call ca-auth callback */ + CLIXON_AUTH_NONE = 0, /* Message is authenticated automatically to + anonymous user, maye be changed by ca-auth callback + FEATURE clixon-restconf:allow-auth-none must be enabled */ CLIXON_AUTH_CLIENT_CERTIFICATE, /* TLS Client certification authentication */ CLIXON_AUTH_USER, /* User-defined authentication according to ca-auth callback. Such as "password" authentication */ diff --git a/lib/src/clixon_options.c b/lib/src/clixon_options.c index e4904cd1..50b80882 100644 --- a/lib/src/clixon_options.c +++ b/lib/src/clixon_options.c @@ -519,7 +519,7 @@ clicon_options_main(clicon_handle h) clicon_conf_xml_set(h, xconfig); -#if defined(WITH_RESTCONF) && WITH_RESTCONF == fcgi +#ifdef WITH_RESTCONF_FCGI /* Enable fcgi feature * Due to boot-strapping in first load of clixon config, a feature cannot be added * programmatically after config file load @@ -531,16 +531,17 @@ clicon_options_main(clicon_handle h) YB_PARENT, NULL, &xconfig, NULL) < 0) goto done; #endif - /* Parse clixon yang spec */ if (yang_spec_parse_module(h, "clixon-config", NULL, yspec) < 0) goto done; + /* Load restconf yang. Note this is also a part of clixon-config */ + if (yang_spec_parse_module(h, "clixon-restconf", NULL, yspec)< 0) + goto done; clicon_conf_xml_set(h, NULL); if (xconfig){ xml_free(xconfig); xconfig = NULL; } - /* Read configfile second time now with check yang spec */ if (parse_configfile(h, configfile, extraconfdir, yspec, &xconfig) < 0) goto done; diff --git a/lib/src/clixon_yang.c b/lib/src/clixon_yang.c index 1d0ea4f6..c33a66ac 100644 --- a/lib/src/clixon_yang.c +++ b/lib/src/clixon_yang.c 
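Review bot: The new comment on `CLIXON_AUTH_NONE` has a typo (`maye be`) and does not say which identity "anonymous user" refers to. This enum value means requests are accepted without credentials, so the comment should state that plainly and name the setting that defines the anonymous user, if there is one. Suggested wording: `/* No authentication: message is assigned the anonymous user, which a ca-auth callback may override. Requires FEATURE clixon-restconf:allow-auth-none */`. The enum body continues outside the hunk.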
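Review bot: The added `yang_spec_parse_module(h, "clixon-restconf", NULL, yspec)` call in `clicon_options_main` sits outside any `#ifdef`, so it appears to run for every program that loads the config, including builds configured without restconf. If the module cannot be found, the `goto done` makes option loading fail, so confirm that clixon-restconf is always installed or guard the call. The comment should also record the ordering requirement from the commit message, e.g. `/* Must be loaded before the second parse_configfile so that clixon-restconf features such as allow-auth-none resolve */`. The function starts and ends outside the hunk.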
@@ -2009,7 +2009,7 @@ ys_populate_feature(clicon_handle h, char *m; char *f; - /* get clicon config file in xml form. + /* Get clicon config file in xml form. * Bootstrapping: A feature is enabled if found in clixon-config */ if ((x = clicon_conf_xml(h)) == NULL) @@ -2046,7 +2046,7 @@ ys_populate_feature(clicon_handle h, cv_name_set(cv, feature); cv_bool_set(cv, found); if (found) - clicon_debug(2, "%s %s:%s", __FUNCTION__, module, feature); + clicon_debug(1, "%s %s:%s", __FUNCTION__, module, feature); ys->ys_cv = cv; ok: retval = 0; diff --git a/test/certs.sh b/test/certs.sh deleted file mode 100644 index ddfe3f0e..00000000 --- a/test/certs.sh +++ /dev/null 
@@ -1,67 +0,0 @@ -#!/usr/bin/env bash -# Create server certs -# Assume: the following variables set: -# $dir, $certdir, $srvkey, $srvcert, $cakey, $cacert -# and that $certdir exists - -# 1. CA -cat< $dir/ca.cnf -[ ca ] -default_ca = CA_default - -[ CA_default ] -serial = ca-serial -crl = ca-crl.pem -database = ca-database.txt -name_opt = CA_default -cert_opt = CA_default -default_crl_days = 9999 -default_md = md5 - -[ req ] -default_bits = ${CERTKEYLEN} -days = 1 -distinguished_name = req_distinguished_name -attributes = req_attributes -prompt = no -output_password = password - -[ req_distinguished_name ] -C = SE -L = Stockholm -O = Clixon -OU = clixon -CN = ca -emailAddress = olof@hagsand.se - -[ req_attributes ] -challengePassword = test - -EOF - -# Generate CA cert -openssl req -x509 -days 1 -config $dir/ca.cnf -keyout $cakey -out $cacert - -cat< $dir/srv.cnf -[req] -prompt = no -distinguished_name = dn -req_extensions = ext -[dn] -CN = www.clicon.org # localhost -emailAddress = olof@hagsand.se -O = Clixon -L = Stockholm -C = SE -[ext] -subjectAltName = DNS:clicon.org -EOF - -# Generate server key -openssl genrsa -out $srvkey ${CERTKEYLEN} - -# Generate CSR (signing request) -openssl req -new -config $dir/srv.cnf -key $srvkey -out $certdir/srv_csr.pem - -# Sign server cert by CA -openssl x509 -req -extfile $dir/srv.cnf -days 1 -passin "pass:password" -in $certdir/srv_csr.pem -CA $cacert -CAkey $cakey -CAcreateserial -out $srvcert diff --git a/test/lib.sh b/test/lib.sh index f14cc4ec..1a258658 100755 --- a/test/lib.sh +++ b/test/lib.sh @@ -195,6 +195,7 @@ fi # Args: # 1: auth-type (one of none, client-cert, user) # 2: pretty (if true pretty-print restconf return values) +# Note, if AUTH=none then FEATURE clixon-restconf:allow-auth-none must be enabled function restconf_config() { AUTH=$1 
@@ -706,3 +707,89 @@ function expectmatch(){ fi } +# Create server certs +# Output variables set as filenames on entry, set as cert/keys on exit: +# Vars: +# 1: cakey filename +# 2: cacert filename +# 3: srvkey filename +# 4: srvcert filename +function servercerts() +{ + if [ $# -ne 4 ]; then + echo "servercerts function: Expected: cakey cacert srvkey srvcert" + exit 1 + fi + cakey=$1 + cacert=$2 + srvkey=$3 + srvcert=$4 + + tmpdir=$dir/tmpcertdir + + test -d $tmpdir || mkdir $tmpdir + + # 1. CA + cat< $tmpdir/ca.cnf +[ ca ] +default_ca = CA_default + +[ CA_default ] +serial = ca-serial +crl = ca-crl.pem +database = ca-database.txt +name_opt = CA_default +cert_opt = CA_default +default_crl_days = 9999 +default_md = md5 + +[ req ] +default_bits = ${CERTKEYLEN} +days = 1 +distinguished_name = req_distinguished_name +attributes = req_attributes +prompt = no +output_password = password + +[ req_distinguished_name ] +C = SE +L = Stockholm +O = Clixon +OU = clixon +CN = ca +emailAddress = olof@hagsand.se + +[ req_attributes ] +challengePassword = test + +EOF + + # Generate CA cert + openssl req -x509 -days 1 -config $tmpdir/ca.cnf -keyout $cakey -out $cacert + + cat< $tmpdir/srv.cnf +[req] +prompt = no +distinguished_name = dn +req_extensions = ext +[dn] +CN = www.clicon.org # localhost +emailAddress = olof@hagsand.se +O = Clixon +L = Stockholm +C = SE +[ext] +subjectAltName = DNS:clicon.org +EOF + + # Generate server key + openssl genrsa -out $srvkey ${CERTKEYLEN} + + # Generate CSR (signing request) + openssl req -new -config $tmpdir/srv.cnf -key $srvkey -out $tmpdir/srv_csr.pem + + # Sign server cert by CA + openssl x509 -req -extfile $tmpdir/srv.cnf -days 1 -passin "pass:password" -in $tmpdir/srv_csr.pem -CA $cacert -CAkey $cakey -CAcreateserial -out $srvcert + + rm -rf $tmpdir +} diff --git a/test/long.sh b/test/long.sh index ba8d7fbc..35d49aaa 100755 --- a/test/long.sh +++ b/test/long.sh 
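Review bot: `servercerts` expands `$dir`, `$tmpdir` and its four file arguments unquoted, including in `rm -rf $tmpdir`, so a path with whitespace or an empty `$dir` changes what is created and deleted. Quote them, e.g. `test -d "$tmpdir" || mkdir "$tmpdir"` and `rm -rf "$tmpdir"`. The CA config carried over from certs.sh still has `default_md = md5`. It sits in `[ CA_default ]`, which the `openssl req` and `openssl x509` calls here probably never read, but `default_md = sha256` keeps the file safe to copy into an `openssl ca` setup. The CA key passphrase is the fixed string `password` and the keys are written with the caller's umask, so the header comment should state that these one-day certificates are for the test suite only. `tmpdir` is assigned as a global, and `local tmpdir` would avoid clobbering a caller's variable.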
@@ -49,6 +49,7 @@ EOF cat < $cfg $cfg + clixon-restconf:allow-auth-none $dir /usr/local/share/clixon $IETFRFC diff --git a/test/test_api.sh b/test/test_api.sh index 62116784..76cdee51 100755 --- a/test/test_api.sh +++ b/test/test_api.sh @@ -30,6 +30,7 @@ restconf_config none false cat < $cfg /tmp/conf_yang.xml + clixon-restconf:allow-auth-none /usr/local/share/clixon $IETFRFC $fyang diff --git a/test/test_augment.sh b/test/test_augment.sh index c5ab2f16..15cf6bbd 100755 --- a/test/test_augment.sh +++ b/test/test_augment.sh @@ -30,6 +30,7 @@ cat < $cfg $cfg a:test + clixon-restconf:allow-auth-none $dir /usr/local/share/clixon $fyang diff --git a/test/test_choice.sh b/test/test_choice.sh index f9f67427..ab909ccf 100755 --- a/test/test_choice.sh +++ b/test/test_choice.sh @@ -20,6 +20,7 @@ restconf_config none false cat < $cfg $cfg + clixon-restconf:allow-auth-none $dir /usr/local/share/clixon $IETFRFC diff --git a/test/test_client.sh b/test/test_client.sh index 7afb1794..69a1ccf0 100755 --- a/test/test_client.sh +++ b/test/test_client.sh @@ -27,6 +27,7 @@ restconf_config none false cat < $cfg $cfg + clixon-restconf:allow-auth-none /usr/local/share/clixon $IETFRFC $fyang diff --git a/test/test_copy_config.sh b/test/test_copy_config.sh index d40a52df..772e5a04 100755 --- a/test/test_copy_config.sh +++ b/test/test_copy_config.sh @@ -36,6 +36,7 @@ cat < $cfg $cfg ietf-netconf:startup + clixon-restconf:allow-auth-none 42 /usr/local/share/clixon $IETFRFC diff --git a/test/test_identity.sh b/test/test_identity.sh index 989d596a..eccbea15 100755 --- a/test/test_identity.sh +++ b/test/test_identity.sh @@ -16,6 +16,7 @@ restconf_config none false cat < $cfg $cfg + clixon-restconf:allow-auth-none $dir /usr/local/share/clixon $IETFRFC diff --git a/test/test_perf_restconf.sh b/test/test_perf_restconf.sh index 7a33325d..a9e20b72 100755 --- a/test/test_perf_restconf.sh +++ b/test/test_perf_restconf.sh 
@@ -58,6 +58,7 @@ restconf_config none false cat < $cfg $cfg + clixon-restconf:allow-auth-none $dir /usr/local/share/clixon $fyang diff --git a/test/test_perf_state.sh b/test/test_perf_state.sh index 0bf9e529..5a224a96 100755 --- a/test/test_perf_state.sh +++ b/test/test_perf_state.sh @@ -35,6 +35,7 @@ restconf_config none false cat < $cfg $cfg + clixon-restconf:allow-auth-none /usr/local/share/clixon $fyang /usr/local/var/$APPNAME/$APPNAME.sock diff --git a/test/test_perf_state_only.sh b/test/test_perf_state_only.sh index 8f038583..6ba8ac0d 100755 --- a/test/test_perf_state_only.sh +++ b/test/test_perf_state_only.sh @@ -35,6 +35,7 @@ restconf_config none false cat < $cfg $cfg + clixon-restconf:allow-auth-none /usr/local/share/clixon $fyang /usr/local/var/$APPNAME/$APPNAME.sock diff --git a/test/test_restconf.sh b/test/test_restconf.sh index de21710d..438d50f5 100755 --- a/test/test_restconf.sh +++ b/test/test_restconf.sh @@ -48,7 +48,8 @@ if [ "${WITH_RESTCONF}" = "native" ]; then cakey=$certdir/ca_key.pem # needed? cacert=$certdir/ca_cert.pem test -d $certdir || mkdir $certdir - . ./certs.sh + # Create server certs and CA + servercerts $cakey $cacert $srvkey $srvcert else # Define default restconfig config: RESTCONFIG restconf_config none false @@ -95,6 +96,7 @@ fi cat < $cfg $cfg + clixon-restconf:allow-auth-none /usr/local/share/clixon $IETFRFC $dir diff --git a/test/test_restconf2.sh b/test/test_restconf2.sh index 7e07f89f..8b27e9f9 100755 --- a/test/test_restconf2.sh +++ b/test/test_restconf2.sh @@ -18,6 +18,7 @@ restconf_config none false # example cat < $cfg + clixon-restconf:allow-auth-none $cfg /usr/local/share/clixon $IETFRFC diff --git a/test/test_restconf_basic_auth.sh b/test/test_restconf_basic_auth.sh index ce610879..fa254578 100755 --- a/test/test_restconf_basic_auth.sh +++ b/test/test_restconf_basic_auth.sh 
@@ -5,7 +5,7 @@ # For auth-type=ssl-certs, See test_restconf.sh test_restconf_ssl_certs.sh # native? and http only # Use the following user settings: -# 1. none (eg no -u to curl) +# 1. none # 2. anonymous - the registered anonymous user # 3. andy - a well-known user # 3. unknown - unknown user @@ -200,6 +200,7 @@ function testrun() $cfg ietf-netconf:startup + clixon-restconf:allow-auth-none /usr/local/share/clixon $IETFRFC $fyang @@ -225,10 +226,10 @@ EOF new "start restconf daemon" start_restconf -f $cfg - - new "wait restconf" - wait_restconf fi + + new "wait restconf" + wait_restconf new "curl $CURLOPTS $user -X GET $RCPROTO://localhost/restconf/data/myexample:top" expectpart "$(curl $CURLOPTS $user -X GET $RCPROTO://localhost/restconf/data/myexample:top)" 0 $expectcode "$expectmsg" @@ -249,11 +250,11 @@ if [ $BE -ne 0 ]; then new "start backend -s startup -f $cfg" start_backend -s startup -f $cfg - - new "wait backend" - wait_backend fi +new "wait backend" +wait_backend + MSGANON='{"myexample:top":{"anonymous":"42"}}' MSGWILMA='{"myexample:top":{"wilma":"71"}}' # Authentication failed: @@ -270,14 +271,10 @@ new "auth-type=$AUTH anonymous" testrun $AUTH "-u ${anonymous}:foo" "HTTP/1.1 200 OK" "$MSGANON" # OK - anonymous new "auth-type=$AUTH wilma" -testrun $AUTH "-u wilma:bar" "HTTP/1.1 200 OK" "$MSGWILMA" # OK - wilma +testrun $AUTH "-u wilma:bar" "HTTP/1.1 200 OK" "$MSGANON" # OK - wilma new "auth-type=$AUTH wilma wrong passwd" -testrun $AUTH "-u wilma:wrong" "HTTP/1.1 200 OK" "$MSGWILMA" # OK - wilma - -new "auth-type=$AUTH unknown" -testrun $AUTH "-u unknown:any" "HTTP/1.1 403 Forbidden" "$MSGERR2" # OK, but nacm authorization fail - +testrun $AUTH "-u wilma:wrong" "HTTP/1.1 200 OK" "$MSGANON" # OK - wilma AUTH=user diff --git a/test/test_restconf_err.sh b/test/test_restconf_err.sh index ecb4255c..486bf2b3 100755 --- a/test/test_restconf_err.sh +++ b/test/test_restconf_err.sh 
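Review bot: In the auth-type=none block, the `wilma:bar` and `wilma:wrong` cases now expect `200 OK` with `$MSGANON`, but their trailing comments still read `# OK - wilma`. The expectation encodes that supplied credentials are ignored under auth-type none and the request runs as the anonymous user, so the comments should say so, e.g. `# OK - credentials ignored, treated as anonymous`. The removed `unknown:any` case was the only check of an unregistered user name in this block. If unknown users are also meant to map to anonymous, a replacement such as `testrun $AUTH "-u unknown:any" "HTTP/1.1 200 OK" "$MSGANON"` would pin that.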
@@ -37,6 +37,7 @@ restconf_config none false cat < $cfg $cfg + clixon-restconf:allow-auth-none /usr/local/share/clixon $dir $fyang diff --git a/test/test_restconf_jukebox.sh b/test/test_restconf_jukebox.sh index fccff480..10cd0345 100755 --- a/test/test_restconf_jukebox.sh +++ b/test/test_restconf_jukebox.sh @@ -30,6 +30,7 @@ restconf_config none false cat < $cfg $cfg + clixon-restconf:allow-auth-none /usr/local/share/clixon $IETFRFC $dir diff --git a/test/test_restconf_listkey.sh b/test/test_restconf_listkey.sh index a95e30ed..9fd67a45 100755 --- a/test/test_restconf_listkey.sh +++ b/test/test_restconf_listkey.sh @@ -17,6 +17,7 @@ restconf_config none false cat < $cfg $cfg + clixon-restconf:allow-auth-none /usr/local/share/clixon $IETFRFC $fyang diff --git a/test/test_restconf_netns.sh b/test/test_restconf_netns.sh index 89f433ab..d06d4811 100755 --- a/test/test_restconf_netns.sh +++ b/test/test_restconf_netns.sh @@ -42,7 +42,9 @@ srvcert=$certdir/srv_cert.pem cakey=$certdir/ca_key.pem # needed? cacert=$certdir/ca_cert.pem test -d $certdir || mkdir $certdir -. ./certs.sh + +# Create server certs and CA +servercerts $cakey $cacert $srvkey $srvcert # XXX Note default port need to be 80 for wait_restconf to work RESTCONFIG=$(cat < $cfg $cfg ietf-netconf:startup + clixon-restconf:allow-auth-none /usr/local/share/clixon $IETFRFC clixon-example diff --git a/test/test_restconf_notifications.sh b/test/test_restconf_notifications.sh index 47009f40..13954f05 100755 --- a/test/test_restconf_notifications.sh +++ b/test/test_restconf_notifications.sh @@ -49,6 +49,7 @@ restconf_config none false cat < $cfg $cfg + clixon-restconf:allow-auth-none /usr/local/share/clixon $IETFRFC $fyang diff --git a/test/test_restconf_rpc.sh b/test/test_restconf_rpc.sh index 3e2de6f2..f2d0ebe7 100755 --- a/test/test_restconf_rpc.sh +++ b/test/test_restconf_rpc.sh @@ -26,6 +26,7 @@ cat < $cfg $cfg ietf-netconf:startup + clixon-restconf:allow-auth-none /usr/local/share/clixon $IETFRFC $dir 
diff --git a/test/test_restconf_ssl_certs.sh b/test/test_restconf_ssl_certs.sh index 6365671a..4c760476 100755 --- a/test/test_restconf_ssl_certs.sh +++ b/test/test_restconf_ssl_certs.sh @@ -92,8 +92,8 @@ EOF ) if $genkeys; then - # Server certs - . ./certs.sh + # Create server certs + servercerts $cakey $cacert $srvkey $srvcert # create client certs for name in $users $xusers; do @@ -118,7 +118,7 @@ EOF openssl x509 -req -extfile $dir/$name.cnf -days 1 -passin "pass:password" -in $certdir/$name.csr -CA $cacert -CAkey $cakey -CAcreateserial -out $certdir/$name.crt done # client key - # invalid + # invalid (days = 0) for name in $xusers; do openssl x509 -req -extfile $dir/$name.cnf -days 0 -passin "pass:password" -in $certdir/$name.csr -CA $cacert -CAkey $cakey -CAcreateserial -out $certdir/$name.crt done # invalid diff --git a/test/test_restconf_startup.sh b/test/test_restconf_startup.sh index 60e0a194..bf4f176c 100755 --- a/test/test_restconf_startup.sh +++ b/test/test_restconf_startup.sh @@ -40,6 +40,7 @@ restconf_config none true cat < $cfg $cfg + clixon-restconf:allow-auth-none /usr/local/share/clixon /usr/local/lib/$APPNAME/backend example_backend.so$ diff --git a/test/test_rpc.sh b/test/test_rpc.sh index 456f77b2..bbdf03db 100755 --- a/test/test_rpc.sh +++ b/test/test_rpc.sh @@ -20,6 +20,7 @@ restconf_config none false cat < $cfg $cfg + clixon-restconf:allow-auth-none /usr/local/share/clixon $IETFRFC clixon-example diff --git a/test/test_submodule.sh b/test/test_submodule.sh index 95fa98c6..b9207829 100755 --- a/test/test_submodule.sh +++ b/test/test_submodule.sh @@ -33,6 +33,7 @@ restconf_config none false cat < $cfg main:A + clixon-restconf:allow-auth-none $cfg /usr/local/share/clixon $dir diff --git a/test/test_yang_anydata.sh b/test/test_yang_anydata.sh index 245e21c9..12ddcfec 100755 --- a/test/test_yang_anydata.sh +++ b/test/test_yang_anydata.sh 
@@ -132,6 +132,7 @@ function testrun() cat < $cfg $cfg + clixon-restconf:allow-auth-none /usr/local/share/clixon $dir $IETFRFC diff --git a/test/test_yang_namespace.sh b/test/test_yang_namespace.sh index 910c6c2a..5cd5b476 100755 --- a/test/test_yang_namespace.sh +++ b/test/test_yang_namespace.sh @@ -19,6 +19,7 @@ restconf_config none false cat < $cfg $cfg + clixon-restconf:allow-auth-none $dir /usr/local/share/clixon $IETFRFC diff --git a/yang/clixon/clixon-lib@2021-03-08.yang b/yang/clixon/clixon-lib@2021-03-08.yang index cff8808b..c6fb9830 100644 --- a/yang/clixon/clixon-lib@2021-03-08.yang +++ b/yang/clixon/clixon-lib@2021-03-08.yang @@ -182,7 +182,9 @@ module clixon-lib { description "Output from status rpc"; leaf active { - description "True if process is running, false if not"; + description + "True if process is running, false if not. + More specifically, there is a process-id and it exists (in Linux: kill(pid,0)"; type boolean; } leaf description {
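Review bot: The new `active` description has an unbalanced parenthesis, `(in Linux: kill(pid,0)`, and should end with `)`. Since the text now defines "running" by that probe, it could also say that a successful `kill(pid,0)` only shows that a process with the recorded id exists, not that it is the process originally started. Consumers of the status rpc can then treat `active` as a liveness hint rather than an identity check.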