Bugfix: Default NACM policies applied even if NACM is disabled

Olof hagsand 2019-03-13 11:34:18 +01:00
parent 932ca2e8ce
commit 29535d5997
3 changed files with 16 additions and 9 deletions


@ -57,6 +57,7 @@
* Added libgen.h for baseline() * Added libgen.h for baseline()
### Corrected Bugs ### Corrected Bugs
* Bugfix: Default NACM policies applied even if NACM is disabled
* [Identityref inside augment statement](https://github.com/clicon/clixon/issues/77) * [Identityref inside augment statement](https://github.com/clicon/clixon/issues/77)
* Yang-stmt enhanced with "shortcut" to original module * Yang-stmt enhanced with "shortcut" to original module
* Yang augment created multiple augmented children (no side-effect) * Yang augment created multiple augmented children (no side-effect)


@ -1117,7 +1117,7 @@ text_modify(struct text_handle *th,
} }
case OP_REMOVE: /* fall thru */ case OP_REMOVE: /* fall thru */
if (x0){ if (x0){
if (xnacm){ if (!permit && xnacm){
if ((ret = nacm_datanode_write(NULL, x0, NACM_DELETE, username, xnacm, cbret)) < 0) if ((ret = nacm_datanode_write(NULL, x0, NACM_DELETE, username, xnacm, cbret)) < 0)
goto done; goto done;
if (ret == 0) if (ret == 0)
@ -1149,6 +1149,7 @@ text_modify(struct text_handle *th,
* @param[in] yspec Top-level yang spec (if y is NULL) * @param[in] yspec Top-level yang spec (if y is NULL)
* @param[in] op OP_MERGE, OP_REPLACE, OP_REMOVE, etc * @param[in] op OP_MERGE, OP_REPLACE, OP_REMOVE, etc
* @param[in] username User name of requestor for nacm * @param[in] username User name of requestor for nacm
* @param[in] permit If set, NACM has permitted this tree on an upper level
* @param[in] xnacm NACM XML tree * @param[in] xnacm NACM XML tree
* @param[out] cbret Initialized cligen buffer. Contains return XML if retval is 0. * @param[out] cbret Initialized cligen buffer. Contains return XML if retval is 0.
* @retval -1 Error * @retval -1 Error
@ -1164,6 +1165,7 @@ text_modify_top(struct text_handle *th,
enum operation_type op, enum operation_type op,
char *username, char *username,
cxobj *xnacm, cxobj *xnacm,
int permit,
cbuf *cbret) cbuf *cbret)
{ {
int retval = -1; int retval = -1;
@ -1174,7 +1176,6 @@ text_modify_top(struct text_handle *th,
yang_stmt *ymod;/* yang module */ yang_stmt *ymod;/* yang module */
char *opstr; char *opstr;
int ret; int ret;
int permit = 0;
/* Assure top-levels are 'config' */ /* Assure top-levels are 'config' */
assert(x0 && strcmp(xml_name(x0),"config")==0); assert(x0 && strcmp(xml_name(x0),"config")==0);
@ -1191,7 +1192,7 @@ text_modify_top(struct text_handle *th,
case OP_DELETE: case OP_DELETE:
case OP_REMOVE: case OP_REMOVE:
case OP_REPLACE: case OP_REPLACE:
if (xnacm){ if (!permit && xnacm){
if ((ret = nacm_datanode_write(NULL, x0, NACM_DELETE, username, xnacm, cbret)) < 0) if ((ret = nacm_datanode_write(NULL, x0, NACM_DELETE, username, xnacm, cbret)) < 0)
goto done; goto done;
if (ret == 0) if (ret == 0)
@ -1225,7 +1226,7 @@ text_modify_top(struct text_handle *th,
} }
/* Special case top-level replace */ /* Special case top-level replace */
else if (op == OP_REPLACE || op == OP_DELETE){ else if (op == OP_REPLACE || op == OP_DELETE){
if (xnacm && !permit){ if (!permit && xnacm){
if ((ret = nacm_datanode_write(NULL, x1, NACM_UPDATE, username, xnacm, cbret)) < 0) if ((ret = nacm_datanode_write(NULL, x1, NACM_UPDATE, username, xnacm, cbret)) < 0)
goto done; goto done;
if (ret == 0) if (ret == 0)
@ -1349,6 +1350,7 @@ text_put(xmldb_handle xh,
char *mode; char *mode;
cxobj *xnacm0 = NULL; cxobj *xnacm0 = NULL;
cxobj *xmodst = NULL; cxobj *xmodst = NULL;
int permit = 0; /* nacm permit all */
if (cbret == NULL){ if (cbret == NULL){
clicon_err(OE_XML, EINVAL, "cbret is NULL"); clicon_err(OE_XML, EINVAL, "cbret is NULL");
@ -1392,17 +1394,17 @@ text_put(xmldb_handle xh,
} }
if (xnacm0 != NULL && if (xnacm0 != NULL &&
(xnacm = xpath_first(xnacm0, "nacm")) != NULL){ (xnacm = xpath_first(xnacm0, "nacm")) != NULL){
/* Pre-NACM access step */ /* Pre-NACM access step, if permit, then dont do any nacm checks in
if ((ret = nacm_access(mode, xnacm, username)) < 0) * text_modify_* below */
if ((permit = nacm_access(mode, xnacm, username)) < 0)
goto done; goto done;
} }
/* Here assume if xnacm is set (actually may be ret==0?) do NACM */ /* Here assume if xnacm is set and !permit do NACM */
/* /*
* Modify base tree x with modification x1. This is where the * Modify base tree x with modification x1. This is where the
* new tree is made. * new tree is made.
*/ */
if ((ret = text_modify_top(th, x0, x1, yspec, op, username, xnacm, cbret)) < 0) if ((ret = text_modify_top(th, x0, x1, yspec, op, username, xnacm, permit, cbret)) < 0)
goto done; goto done;
/* If xml return - ie netconf error xml tree, then stop and return OK */ /* If xml return - ie netconf error xml tree, then stop and return OK */
if (ret == 0) if (ret == 0)
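Review bot: The `permit` that `nacm_access` returns at `if ((permit = nacm_access(mode, xnacm, username)) < 0)` is now passed down and every `!permit && xnacm` guard skips `nacm_datanode_write` entirely, so a positive return must mean "no per-node NACM evaluation is needed" (NACM disabled, or an equivalent blanket permit) and not merely "this request cleared the module-level check"; `nacm_access` itself is not on the page, so that contract should be stated where the value is consumed. The `@param[in] permit` line in the text_modify_top header is placed before `@param[in] xnacm`, while the signature declares `cxobj *xnacm,` before `int permit,`; move the doc line after xnacm and extend it to `* @param[in] permit If non-zero, NACM permitted the whole request in text_put (e.g. NACM disabled): all nacm_datanode_write checks are skipped`. Since `permit` keeps its initial 0 whenever `xnacm0` has no `nacm` node, the guards reduce to the previous `xnacm` test in that case, which looks correct. The text_modify and text_modify_top bodies extend outside the hunks.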


@ -136,6 +136,10 @@ new "auth get"
expecteq "$(curl -u andy:bar -sS -X GET http://localhost/restconf/data/nacm-example:x)" 0 'null expecteq "$(curl -u andy:bar -sS -X GET http://localhost/restconf/data/nacm-example:x)" 0 'null
' '
# explicitly disable nacm (regression on netgate bug)
new "disable nacm"
expecteq "$(curl -u andy:bar -sS -X PUT -d '{"ietf-netconf-acm:enable-nacm": false}' http://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" 0 ""
new "auth set authentication config" new "auth set authentication config"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc><edit-config><target><candidate/></target><config>$RULES</config></edit-config></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$" expecteof "$clixon_netconf -qf $cfg" 0 "<rpc><edit-config><target><candidate/></target><config>$RULES</config></edit-config></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
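Review bot: The new `disable nacm` step only asserts that the PUT of `enable-nacm: false` returned an empty body; nothing in the hunk then checks that an operation the default policies previously denied now succeeds, which is the behaviour the commit title fixes, unless such a check follows outside the hunk. The PUT is also issued as `andy:bar`, so it depends on that user being allowed to write `ietf-netconf-acm:nacm/enable-nacm` under the rules loaded at that point; a line such as `# andy must be permitted to write enable-nacm here, otherwise this PUT is denied and the test fails` would record that assumption. Since the next step loads `$RULES` over netconf, the comment should also say whether `$RULES` re-enables NACM, so a reader knows the disabled state does not leak into later tests.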