- Added specific WITH_RESTCONF compile contants for _NATIVE and _FCGI for C code

- Restconf auth=none changes - Load clixon-restconf and resolve features earlier so that config features work - Removed auth=none code from example (this was non-std half-baked basic auth) - Changed tests that used auth-type=none to enable feature clixon-restconf:allow-auth-none - Moved cert creation from sub-shell to servercert function - Fixed typos for dockerfile rename of restconf evhtp to native
2021-04-07 20:33:58 +02:00 · 2021-04-07 20:33:58 +02:00 · 244060fddc
commit 244060fddc
parent 2bf75158a6
38 changed files with 159 additions and 178 deletions
--- a/7
+++ b/7
@ -5042,6 +5042,9 @@ else
  as_fn_error $? "libfcgi-dev missing" "$LINENO" 5
 fi
 $as_echo "#define WITH_RESTCONF_FCGI 1" >>confdefs.h
 # For c-code that cant use strings
 elif test "x${with_restconf}" == xnative; then
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OPENSSL_init_ssl  in -lssl" >&5
 $as_echo_n "checking for OPENSSL_init_ssl  in -lssl... " >&6; }
@ -5249,6 +5252,9 @@ else
  as_fn_error $? "libevhtp missing" "$LINENO" 5
 fi
 $as_echo "#define WITH_RESTCONF_NATIVE 1" >>confdefs.h
 # For c-code that cant use strings
 elif test "x${with_restconf}" == xno; then
   # Cant get around "no" as an answer for --without-restconf that is reset here to undefined
   with_restconf=
@ -5256,7 +5262,6 @@ else
   as_fn_error $? "No such restconf package: ${with_restconf}" "$LINENO" 5
 fi
 if test "x${with_restconf}" != "x"; then
   # This is so it appears in config.h
--- a/configure.ac
+++ b/configure.ac
@ -209,6 +209,7 @@ AC_ARG_WITH([restconf],
 if test "x${with_restconf}" == xfcgi; then
   # Lives in libfcgi-dev
   AC_CHECK_LIB(fcgi, FCGX_Init,, AC_MSG_ERROR([libfcgi-dev missing])) 
   AC_DEFINE(WITH_RESTCONF_FCGI, 1, [Use fcgi restconf mode]) # For c-code that cant use strings
 elif test "x${with_restconf}" == xnative; then
   AC_CHECK_LIB(ssl, OPENSSL_init_ssl ,, AC_MSG_ERROR([libssl missing]))
   AC_CHECK_LIB(crypto, CRYPTO_new_ex_data, , AC_MSG_ERROR([libcrypto missing])) 
@ -221,6 +222,7 @@ elif test "x${with_restconf}" == xnative; then
       #define EVHTP_DISABLE_EVTHR
       ]])
   AC_CHECK_LIB(evhtp, evhtp_new,, AC_MSG_ERROR([libevhtp missing]),[-levent -lssl -lcrypto]) 
   AC_DEFINE(WITH_RESTCONF_NATIVE, 1, [Use native restconf mode]) # For c-code that cant use strings
 elif test "x${with_restconf}" == xno; then
   # Cant get around "no" as an answer for --without-restconf that is reset here to undefined
   with_restconf=   
@ -228,7 +230,6 @@ else
   AC_MSG_ERROR([No such restconf package: ${with_restconf}])
 fi
 if test "x${with_restconf}" != "x"; then
   # This is so it appears in config.h
   AC_DEFINE_UNQUOTED(WITH_RESTCONF, ${with_restconf}, [Restconf package])
--- a/docker/main/Dockerfile.internal
+++ b/docker/main/Dockerfile.internal
@ -77,7 +77,7 @@ COPY clixon .
 RUN adduser -D -H www-data
 # Configure, build and install clixon
-RUN ./configure --prefix=/clixon/build --with-cligen=/clixon/build --with-wwwuser=www-data --enable-optyangs --with-restconf=evhtp
+RUN ./configure --prefix=/clixon/build --with-cligen=/clixon/build --with-wwwuser=www-data --enable-optyangs --with-restconf=native
 RUN make
 RUN make install
--- a/docker/main/README.md
+++ b/docker/main/README.md
@ -10,13 +10,13 @@ The directory contains the following files:
  - cleanup.sh       Kill containers
  - Dockerfile       Docker build instructions without restconf
  - Dockerfile.fcgi  Docker build instructions with nginx/fcgi restconf (this is default)
-  - Dockerfile.evhtp Docker build instructions with libevhtp restconf
+  - Dockerfile.native Docker build instructions with native restconf
  - Makefile.in      "make docker" builds the container
  - README.md	  This file
  - start.sh         Start containers
  - startsystem.sh   Internal start script copied to inside the container (dont run from shell).
  - startsystem_fcgi.sh  Variant for nginx/fcgi (default)
-  - startsystem_evhtp.sh Variant for libevhtp
+  - startsystem_native.sh Variant for native restconf
 How to run the tests:
 ```
--- a/docker/main/startsystem_native.sh
+++ b/docker/main/startsystem_native.sh
--- a/example/main/example_restconf.c
+++ b/example/main/example_restconf.c
@ -33,8 +33,6 @@
  ***** END LICENSE BLOCK *****
 * 
 * This code uses WITH_RESTCONF_FCGI to identify its run with fcgi intreface for ca_auth
 * This should be changed.
 */
 #include <stdlib.h>
@ -268,76 +266,6 @@ example_basic_auth(clicon_handle      h,
    goto done;
 }
 /*! HTTP "no auth" but uses basic authentication to get a user
 * @param[in]  h         Clicon handle
 * @param[in]  req       Per-message request www handle to use with restconf_api.h
 * @param[out] authp     NULL: Credentials failed, no user set (401 returned). 
 *                       String: Credentials OK, the associated user, must be mallloc:ed
 *                       Parameter signtificant only if retval is 1/OK
 * @retval    -1         Fatal error
 * @retval     0         Ignore, undecided, not handled, same as no callback
 * @retval     1         OK, see authp parameter for result.
 * @note authp should be malloced
 */
 static int
 example_no_auth(clicon_handle      h,
 		void              *req,
 		char             **authp)
 {
    int     retval = -1;
    cxobj  *xt = NULL;
    char   *user = NULL;
    cbuf   *cb = NULL;
    char   *auth;
    char   *passwd;
    size_t  authlen;
    int     ret;
    clicon_debug(1, "%s", __FUNCTION__);
    if (authp == NULL){
 	clicon_err(OE_PLUGIN, EINVAL, "Authp output parameter is NULL");
 	goto done;
    }
    /* At this point in the code we must use HTTP basic authentication */
    if ((auth = restconf_param_get(h, "HTTP_AUTHORIZATION")) == NULL)
 	goto fail;
    if (strlen(auth) < strlen("Basic "))
 	goto fail;
    if (strncmp("Basic ", auth, strlen("Basic ")))
 	goto fail;
    auth += strlen("Basic ");
    authlen = strlen(auth)*2;
    if ((user = malloc(authlen)) == NULL){
 	clicon_err(OE_UNIX, errno, "malloc");
 	goto done;
    }
    memset(user, 0, authlen);
    if ((ret = b64_decode(auth, user, authlen)) < 0)
 	goto done;
    /* auth string is on the format user:passwd */
    if ((passwd = index(user,':')) == NULL)
 	goto fail;
    *passwd = '\0';
    passwd++;
    clicon_debug(1, "%s http user:%s passwd:%s", __FUNCTION__, user, passwd);
    *authp = user;     /* authenticated */
    user=NULL; /* to avoid free below */
    retval = 1;
 done: /* error */
    clicon_debug(1, "%s retval:%d authp:%s", __FUNCTION__, retval, authp?"":*authp);
    if (user)
       free(user);
    if (cb)
 	cbuf_free(cb);
    if (xt)
        xml_free(xt);
    return retval;
 fail:  /* unauthenticated */
    *authp = NULL;
    retval = 0; /* Ignore use anonymous */
    goto done;
 }
 /*! Authentication callback
 * @param[in]  h         Clicon handle
 * @param[in]  req       Per-message request www handle to use with restconf_api.h
@ -360,9 +288,8 @@ example_restconf_credentials(clicon_handle      h,
    clicon_debug(1, "%s auth:%s", __FUNCTION__, clixon_auth_type_int2str(auth_type));
    switch (auth_type){
-    case CLIXON_AUTH_NONE:
+    case CLIXON_AUTH_NONE: /* FEATURE clixon-restconf:allow-auth-none must be enabled */
-	if ((retval = example_no_auth(h, req, authp)) < 0)
+	retval = 0;
 	    goto done;
 	break;
    case CLIXON_AUTH_CLIENT_CERTIFICATE:
 	retval = 0; /* Ignore, use default */
--- a/include/clixon_config.h.in
+++ b/include/clixon_config.h.in
@ -51,9 +51,6 @@
 /* Define to 1 if you have the `event' library (-levent). */
 #undef HAVE_LIBEVENT
 /* Define to 1 if you have the `event_openssl' library (-levent_openssl). */
 #undef HAVE_LIBEVENT_OPENSSL
 /* Define to 1 if you have the `evhtp' library (-levhtp). */
 #undef HAVE_LIBEVHTP
@ -63,9 +60,6 @@
 /* Define to 1 if you have the `m' library (-lm). */
 #undef HAVE_LIBM
 /* Define to 1 if you have the `pthread' library (-lpthread). */
 #undef HAVE_LIBPTHREAD
 /* Define to 1 if you have the `socket' library (-lsocket). */
 #undef HAVE_LIBSOCKET
@ -147,6 +141,12 @@
 /* Restconf package */
 #undef WITH_RESTCONF
 /* Use fcgi restconf mode */
 #undef WITH_RESTCONF_FCGI
 /* Use native restconf mode */
 #undef WITH_RESTCONF_NATIVE
 /* WWW dir for restconf daemon */
 #undef WWWDIR
--- a/lib/clixon/clixon_plugin.h
+++ b/lib/clixon/clixon_plugin.h
@ -98,7 +98,9 @@ typedef int (*clicon_upgrade_cb)(
 * For now only used by restconf frontend
 */
 enum clixon_auth_type {
-    CLIXON_AUTH_NONE = 0,           /* Message is authenticated automatically, Do not call ca-auth callback */
+    CLIXON_AUTH_NONE = 0,           /* Message is authenticated automatically to 
 				       anonymous user, maye be changed by ca-auth callback 
 				       FEATURE clixon-restconf:allow-auth-none must be enabled */
    CLIXON_AUTH_CLIENT_CERTIFICATE, /* TLS Client certification authentication */
    CLIXON_AUTH_USER,               /* User-defined authentication according to ca-auth callback. 
 				       Such as "password" authentication */
--- a/lib/src/clixon_options.c
+++ b/lib/src/clixon_options.c
@ -519,7 +519,7 @@ clicon_options_main(clicon_handle h)
    clicon_conf_xml_set(h, xconfig);
-#if defined(WITH_RESTCONF) && WITH_RESTCONF == fcgi
+#ifdef WITH_RESTCONF_FCGI
    /* Enable fcgi feature
     * Due to boot-strapping in first load of clixon config, a feature cannot be added
     * programmatically after config file load
@ -531,16 +531,17 @@ clicon_options_main(clicon_handle h)
 				YB_PARENT, NULL, &xconfig, NULL) < 0)
 	goto done;
 #endif
    /* Parse clixon yang spec */
    if (yang_spec_parse_module(h, "clixon-config", NULL, yspec) < 0)
 	goto done;    
    /* Load restconf yang. Note this is also a part of clixon-config */
    if (yang_spec_parse_module(h, "clixon-restconf", NULL, yspec)< 0)
 	goto done;
    clicon_conf_xml_set(h, NULL);
    if (xconfig){
 	xml_free(xconfig);
 	xconfig = NULL;
    }
    /* Read configfile second time now with check yang spec */
    if (parse_configfile(h, configfile, extraconfdir, yspec, &xconfig) < 0)
 	goto done;
--- a/lib/src/clixon_yang.c
+++ b/lib/src/clixon_yang.c
@ -2009,7 +2009,7 @@ ys_populate_feature(clicon_handle h,
    char      *m;
    char      *f;
-    /* get clicon config file in xml form.
+    /* Get clicon config file in xml form.
     * Bootstrapping: A feature is enabled if found in clixon-config
     */
    if ((x = clicon_conf_xml(h)) == NULL)
@ -2046,7 +2046,7 @@ ys_populate_feature(clicon_handle h,
    cv_name_set(cv, feature);
    cv_bool_set(cv, found);
    if (found)
-	clicon_debug(2, "%s %s:%s", __FUNCTION__, module, feature);
+	clicon_debug(1, "%s %s:%s", __FUNCTION__, module, feature);
    ys->ys_cv = cv;
 ok:
    retval = 0;
--- a/test/certs.sh
+++ b/test/certs.sh
@ -1,67 +0,0 @@
 #!/usr/bin/env bash
 # Create server certs
 # Assume: the following variables set:
 # $dir, $certdir, $srvkey, $srvcert, $cakey, $cacert
 # and that $certdir exists
 # 1. CA
 cat<<EOF > $dir/ca.cnf
 [ ca ]
 default_ca      = CA_default
 [ CA_default ]
 serial = ca-serial
 crl = ca-crl.pem
 database = ca-database.txt
 name_opt = CA_default
 cert_opt = CA_default
 default_crl_days = 9999
 default_md = md5
 [ req ]
 default_bits           = ${CERTKEYLEN}
 days                   = 1
 distinguished_name     = req_distinguished_name
 attributes             = req_attributes
 prompt                 = no
 output_password        = password
 [ req_distinguished_name ]
 C                      = SE
 L                      = Stockholm
 O                      = Clixon
 OU                     = clixon
 CN                     = ca
 emailAddress           = olof@hagsand.se
 [ req_attributes ]
 challengePassword      = test
 EOF
 # Generate CA cert
 openssl req -x509 -days 1 -config $dir/ca.cnf -keyout $cakey -out $cacert
 cat<<EOF > $dir/srv.cnf
 [req]
 prompt = no
 distinguished_name = dn
 req_extensions = ext
 [dn]
 CN = www.clicon.org # localhost
 emailAddress = olof@hagsand.se
 O = Clixon
 L = Stockholm
 C = SE
 [ext]
 subjectAltName = DNS:clicon.org
 EOF
 # Generate server key
 openssl genrsa -out $srvkey ${CERTKEYLEN}
 # Generate CSR (signing request)
 openssl req -new -config $dir/srv.cnf -key $srvkey -out $certdir/srv_csr.pem
 # Sign server cert by CA
 openssl x509 -req -extfile $dir/srv.cnf -days 1 -passin "pass:password" -in $certdir/srv_csr.pem -CA $cacert -CAkey $cakey -CAcreateserial -out $srvcert
--- a/test/lib.sh
+++ b/test/lib.sh
@ -195,6 +195,7 @@ fi
 # Args:
 # 1: auth-type (one of none, client-cert, user)
 # 2: pretty (if true pretty-print restconf return values)
 # Note, if AUTH=none then FEATURE clixon-restconf:allow-auth-none must be enabled
 function restconf_config()
 {
    AUTH=$1
@ -706,3 +707,89 @@ function expectmatch(){
    fi
 }
 # Create server certs
 # Output variables set as filenames on entry, set as cert/keys on exit:
 # Vars:
 # 1: cakey   filename
 # 2: cacert  filename
 # 3: srvkey  filename
 # 4: srvcert filename
 function servercerts()
 {
    if [ $# -ne 4 ]; then
 	echo "servercerts function: Expected: cakey cacert srvkey srvcert"
 	exit 1
    fi
    cakey=$1
    cacert=$2
    srvkey=$3
    srvcert=$4
    tmpdir=$dir/tmpcertdir
    test -d $tmpdir || mkdir $tmpdir
    # 1. CA
    cat<<EOF > $tmpdir/ca.cnf
 [ ca ]
 default_ca      = CA_default
 [ CA_default ]
 serial = ca-serial
 crl = ca-crl.pem
 database = ca-database.txt
 name_opt = CA_default
 cert_opt = CA_default
 default_crl_days = 9999
 default_md = md5
 [ req ]
 default_bits           = ${CERTKEYLEN}
 days                   = 1
 distinguished_name     = req_distinguished_name
 attributes             = req_attributes
 prompt                 = no
 output_password        = password
 [ req_distinguished_name ]
 C                      = SE
 L                      = Stockholm
 O                      = Clixon
 OU                     = clixon
 CN                     = ca
 emailAddress           = olof@hagsand.se
 [ req_attributes ]
 challengePassword      = test
 EOF
    # Generate CA cert
    openssl req -x509 -days 1 -config $tmpdir/ca.cnf -keyout $cakey -out $cacert
    cat<<EOF > $tmpdir/srv.cnf
 [req]
 prompt = no
 distinguished_name = dn
 req_extensions = ext
 [dn]
 CN = www.clicon.org # localhost
 emailAddress = olof@hagsand.se
 O = Clixon
 L = Stockholm
 C = SE
 [ext]
 subjectAltName = DNS:clicon.org
 EOF
    # Generate server key
    openssl genrsa -out $srvkey ${CERTKEYLEN}
    # Generate CSR (signing request)
    openssl req -new -config $tmpdir/srv.cnf -key $srvkey -out $tmpdir/srv_csr.pem
    # Sign server cert by CA
    openssl x509 -req -extfile $tmpdir/srv.cnf -days 1 -passin "pass:password" -in $tmpdir/srv_csr.pem -CA $cacert -CAkey $cakey -CAcreateserial -out $srvcert
    rm -rf $tmpdir
 }
--- a/test/long.sh
+++ b/test/long.sh
@ -49,6 +49,7 @@ EOF
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
  <CLICON_YANG_DIR>$dir</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>$IETFRFC</CLICON_YANG_DIR>
--- a/test/test_api.sh
+++ b/test/test_api.sh
@ -30,6 +30,7 @@ restconf_config none false
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>/tmp/conf_yang.xml</CLICON_CONFIGFILE>
  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>$IETFRFC</CLICON_YANG_DIR>
  <CLICON_YANG_MAIN_FILE>$fyang</CLICON_YANG_MAIN_FILE>
--- a/test/test_augment.sh
+++ b/test/test_augment.sh
@ -30,6 +30,7 @@ cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_FEATURE>a:test</CLICON_FEATURE>
  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
  <CLICON_YANG_DIR>$dir</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_MAIN_FILE>$fyang</CLICON_YANG_MAIN_FILE>
--- a/test/test_choice.sh
+++ b/test/test_choice.sh
@ -20,6 +20,7 @@ restconf_config none false
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
  <CLICON_YANG_DIR>$dir</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>$IETFRFC</CLICON_YANG_DIR>
--- a/test/test_client.sh
+++ b/test/test_client.sh
@ -27,6 +27,7 @@ restconf_config none false
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>$IETFRFC</CLICON_YANG_DIR>
  <CLICON_YANG_MAIN_FILE>$fyang</CLICON_YANG_MAIN_FILE>
--- a/test/test_copy_config.sh
+++ b/test/test_copy_config.sh
@ -36,6 +36,7 @@ cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_FEATURE>ietf-netconf:startup</CLICON_FEATURE>
  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
  <CLICON_MODULE_SET_ID>42</CLICON_MODULE_SET_ID>
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>$IETFRFC</CLICON_YANG_DIR>
--- a/test/test_identity.sh
+++ b/test/test_identity.sh
@ -16,6 +16,7 @@ restconf_config none false
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
  <CLICON_YANG_DIR>$dir</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>$IETFRFC</CLICON_YANG_DIR>
--- a/test/test_perf_restconf.sh
+++ b/test/test_perf_restconf.sh
@ -58,6 +58,7 @@ restconf_config none false
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
  <CLICON_YANG_DIR>$dir</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_MAIN_FILE>$fyang</CLICON_YANG_MAIN_FILE>
--- a/test/test_perf_state.sh
+++ b/test/test_perf_state.sh
@ -35,6 +35,7 @@ restconf_config none false
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_MAIN_FILE>$fyang</CLICON_YANG_MAIN_FILE>
  <CLICON_SOCK>/usr/local/var/$APPNAME/$APPNAME.sock</CLICON_SOCK>
--- a/test/test_perf_state_only.sh
+++ b/test/test_perf_state_only.sh
@ -35,6 +35,7 @@ restconf_config none false
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_MAIN_FILE>$fyang</CLICON_YANG_MAIN_FILE>
  <CLICON_SOCK>/usr/local/var/$APPNAME/$APPNAME.sock</CLICON_SOCK>
--- a/test/test_restconf.sh
+++ b/test/test_restconf.sh
@ -48,7 +48,8 @@ if [ "${WITH_RESTCONF}" = "native" ]; then
    cakey=$certdir/ca_key.pem # needed?
    cacert=$certdir/ca_cert.pem
    test -d $certdir || mkdir $certdir
-    . ./certs.sh
+    # Create server certs and CA
    servercerts $cakey $cacert $srvkey $srvcert
 else
    # Define default restconfig config: RESTCONFIG
    restconf_config none false
@ -95,6 +96,7 @@ fi
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>$IETFRFC</CLICON_YANG_DIR>
  <CLICON_YANG_MAIN_DIR>$dir</CLICON_YANG_MAIN_DIR>
--- a/test/test_restconf2.sh
+++ b/test/test_restconf2.sh
@ -18,6 +18,7 @@ restconf_config none false
 #  <CLICON_YANG_MODULE_MAIN>example</CLICON_YANG_MODULE_MAIN>
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>$IETFRFC</CLICON_YANG_DIR>
--- a/test/test_restconf_basic_auth.sh
+++ b/test/test_restconf_basic_auth.sh
@ -5,7 +5,7 @@
 # For auth-type=ssl-certs, See test_restconf.sh test_restconf_ssl_certs.sh
 # native? and http only
 # Use the following user settings:
-#  1. none (eg no -u to curl)
+#  1. none 
 #  2. anonymous - the registered anonymous user
 #  3. andy      - a well-known user
 #  3. unknown   - unknown user
@ -200,6 +200,7 @@ function testrun()
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_FEATURE>ietf-netconf:startup</CLICON_FEATURE>
  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>$IETFRFC</CLICON_YANG_DIR>
  <CLICON_YANG_MAIN_FILE>$fyang</CLICON_YANG_MAIN_FILE>
@ -225,11 +226,11 @@ EOF
 	new "start restconf daemon"
 	start_restconf -f $cfg
 	new "wait restconf"
 	wait_restconf
    fi
    new "wait restconf"
    wait_restconf
    new "curl $CURLOPTS $user -X GET $RCPROTO://localhost/restconf/data/myexample:top"
    expectpart "$(curl $CURLOPTS $user -X GET $RCPROTO://localhost/restconf/data/myexample:top)" 0 $expectcode "$expectmsg"
@ -249,11 +250,11 @@ if [ $BE -ne 0 ]; then
    new "start backend -s startup -f $cfg"
    start_backend -s startup -f $cfg
    new "wait backend"
    wait_backend
 fi
 new "wait backend"
 wait_backend
 MSGANON='{"myexample:top":{"anonymous":"42"}}'
 MSGWILMA='{"myexample:top":{"wilma":"71"}}'
 # Authentication failed:
@ -270,14 +271,10 @@ new "auth-type=$AUTH anonymous"
 testrun $AUTH "-u ${anonymous}:foo" "HTTP/1.1 200 OK" "$MSGANON" # OK - anonymous
 new "auth-type=$AUTH wilma"
-testrun $AUTH "-u wilma:bar" "HTTP/1.1 200 OK" "$MSGWILMA"    # OK - wilma
+testrun $AUTH "-u wilma:bar" "HTTP/1.1 200 OK" "$MSGANON"    # OK - wilma
 new "auth-type=$AUTH wilma wrong passwd"
-testrun $AUTH "-u wilma:wrong" "HTTP/1.1 200 OK" "$MSGWILMA"  # OK - wilma
+testrun $AUTH "-u wilma:wrong" "HTTP/1.1 200 OK" "$MSGANON"  # OK - wilma
 new "auth-type=$AUTH unknown"
 testrun $AUTH "-u unknown:any" "HTTP/1.1 403 Forbidden" "$MSGERR2"   # OK, but nacm authorization fail
 AUTH=user
--- a/test/test_restconf_err.sh
+++ b/test/test_restconf_err.sh
@ -37,6 +37,7 @@ restconf_config none false
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>$dir</CLICON_YANG_DIR>
  <CLICON_YANG_MAIN_FILE>$fyang</CLICON_YANG_MAIN_FILE>
--- a/test/test_restconf_jukebox.sh
+++ b/test/test_restconf_jukebox.sh
@ -30,6 +30,7 @@ restconf_config none false
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>$IETFRFC</CLICON_YANG_DIR>
  <CLICON_YANG_MAIN_DIR>$dir</CLICON_YANG_MAIN_DIR>
--- a/test/test_restconf_listkey.sh
+++ b/test/test_restconf_listkey.sh
@ -17,6 +17,7 @@ restconf_config none false
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>$IETFRFC</CLICON_YANG_DIR>
  <CLICON_YANG_MAIN_FILE>$fyang</CLICON_YANG_MAIN_FILE>
--- a/test/test_restconf_netns.sh
+++ b/test/test_restconf_netns.sh
@ -42,7 +42,9 @@ srvcert=$certdir/srv_cert.pem
 cakey=$certdir/ca_key.pem # needed?
 cacert=$certdir/ca_cert.pem
 test -d $certdir || mkdir $certdir
-. ./certs.sh
+
 # Create server certs and CA
 servercerts $cakey $cacert $srvkey $srvcert
 # XXX Note default port need to be 80 for wait_restconf to work
 RESTCONFIG=$(cat <<EOF
@ -81,6 +83,7 @@ cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_FEATURE>ietf-netconf:startup</CLICON_FEATURE>
  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>$IETFRFC</CLICON_YANG_DIR>
  <CLICON_YANG_MODULE_MAIN>clixon-example</CLICON_YANG_MODULE_MAIN>
--- a/test/test_restconf_notifications.sh
+++ b/test/test_restconf_notifications.sh
@ -49,6 +49,7 @@ restconf_config none false
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>$IETFRFC</CLICON_YANG_DIR>
  <CLICON_YANG_MAIN_FILE>$fyang</CLICON_YANG_MAIN_FILE>
--- a/test/test_restconf_rpc.sh
+++ b/test/test_restconf_rpc.sh
@ -26,6 +26,7 @@ cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_FEATURE>ietf-netconf:startup</CLICON_FEATURE>
  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>$IETFRFC</CLICON_YANG_DIR>
  <CLICON_YANG_MAIN_DIR>$dir</CLICON_YANG_MAIN_DIR>
--- a/test/test_restconf_ssl_certs.sh
+++ b/test/test_restconf_ssl_certs.sh
@ -92,8 +92,8 @@ EOF
 )
 if $genkeys; then
-    # Server certs
+    # Create server certs
-    . ./certs.sh
+    servercerts $cakey $cacert $srvkey $srvcert
    # create client certs
    for name in $users $xusers; do
@ -118,7 +118,7 @@ EOF
 	openssl x509 -req -extfile $dir/$name.cnf -days 1 -passin "pass:password" -in $certdir/$name.csr -CA $cacert -CAkey $cakey -CAcreateserial -out $certdir/$name.crt
    done # client key
-    # invalid
+    # invalid (days = 0)
    for name in $xusers; do
 	openssl x509 -req -extfile $dir/$name.cnf -days 0 -passin "pass:password" -in $certdir/$name.csr -CA $cacert -CAkey $cakey -CAcreateserial -out $certdir/$name.crt
    done # invalid
--- a/test/test_restconf_startup.sh
+++ b/test/test_restconf_startup.sh
@ -40,6 +40,7 @@ restconf_config none true
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_BACKEND_DIR>/usr/local/lib/$APPNAME/backend</CLICON_BACKEND_DIR>
  <CLICON_BACKEND_REGEXP>example_backend.so$</CLICON_BACKEND_REGEXP>
--- a/test/test_rpc.sh
+++ b/test/test_rpc.sh
@ -20,6 +20,7 @@ restconf_config none false
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>$IETFRFC</CLICON_YANG_DIR>
  <CLICON_YANG_MODULE_MAIN>clixon-example</CLICON_YANG_MODULE_MAIN>
--- a/test/test_submodule.sh
+++ b/test/test_submodule.sh
@ -33,6 +33,7 @@ restconf_config none false
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_FEATURE>main:A</CLICON_FEATURE>
  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>$dir</CLICON_YANG_DIR>
--- a/test/test_yang_anydata.sh
+++ b/test/test_yang_anydata.sh
@ -132,6 +132,7 @@ function testrun()
    cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>$dir</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>$IETFRFC</CLICON_YANG_DIR>
--- a/test/test_yang_namespace.sh
+++ b/test/test_yang_namespace.sh
@ -19,6 +19,7 @@ restconf_config none false
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_FEATURE>clixon-restconf:allow-auth-none</CLICON_FEATURE> <!-- Use auth-type=none -->
  <CLICON_YANG_MAIN_DIR>$dir</CLICON_YANG_MAIN_DIR>
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>$IETFRFC</CLICON_YANG_DIR>
--- a/yang/clixon/clixon-lib@2021-03-08.yang
+++ b/yang/clixon/clixon-lib@2021-03-08.yang
@ -182,7 +182,9 @@ module clixon-lib {
 		    description
 			"Output from status rpc";
 		    leaf active {
-			description "True if process is running, false if not";
+			description
 			    "True if process is running, false if not. 
                             More specifically, there is a process-id and it exists (in Linux: kill(pid,0)";
 			type boolean;
 		    }
 		    leaf description {