experiments/clixon
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Limited http-data static server

Browse source 
* Renamed from www-data to http-data
* New `clixon-restconf@2022-03-21.yang` revision
  * Added option:
    * `enable-http-data`
  * Added feature: `http-data`
* Added new str2str mapper
* Test: new test_http_data.sh, added CI github action testing
This commit is contained in:
Olof hagsand 2022-04-21 15:37:58 +02:00
parent 76213057b6
commit 2a8cedf0c3
13 changed files with 551 additions and 76 deletions
Download patch file Download diff file Expand all files Collapse all files

2
yang/clixon/Makefile.in
View file

@ -46,7 +46,7 @@ YANGSPECS = clixon-config@2022-03-21.yang # 5.7
YANGSPECS += clixon-lib@2021-12-05.yang # 5.5
YANGSPECS += clixon-rfc5277@2008-07-01.yang
YANGSPECS += clixon-xml-changelog@2019-03-21.yang
YANGSPECS += clixon-restconf@2021-05-20.yang # 5.2
YANGSPECS += clixon-restconf@2022-03-21.yang # 5.7
YANGSPECS += clixon-autocli@2022-02-11.yang # 5.6
all:

30
yang/clixon/clixon-config@2022-03-21.yang
View file

@ -50,10 +50,8 @@ module clixon-config {
description
"Added option:
CLICON_NETCONF_BASE_CAPABILITY
CLICON_WWW_DATA_PATH
CLICON_WWW_DATA_ROOT
Added feature:
www-data
CLICON_HTTP_DATA_PATH
CLICON_HTTP_DATA_ROOT
Released in Clixon 5.7";
}
revision 2022-02-11 {
@ -216,20 +214,6 @@ module clixon-config {
description
"Released in Clixon 3.8";
}
feature www-data {
description
"This feature allows for a very limited www-data function as
addition to RESTCONF.
it is limited to:
1. path: Local files within WWW_DATA_ROOT
2. operation GET or HEAD
3. query parameters not supported
4. indata should be NULL (no write operations)
5. Limited media: text/html, JavaScript, image, and css
6. Authentication as restconf
7. HTTP/1+2, TLS as restconf";
}
extension search_index {
description "This list argument acts as a search index using optimized binary search.
";
@ -619,14 +603,14 @@ module clixon-config {
Note this also disables plain http/2 in prior-knowledge, that is, in http/2-only mode.
HTTP/2 in https(TLS) is unaffected";
}
leaf CLICON_WWW_DATA_PATH {
if-feature "www-data";
leaf CLICON_HTTP_DATA_PATH {
if-feature "clrc:http-data";
type string;
description
"If set, enable www data on this sub-path";
"If set, enable www data on this sub-path, must start with / (example: /data)";
}
leaf CLICON_WWW_DATA_ROOT {
if-feature "www-data";
leaf CLICON_HTTP_DATA_ROOT {
if-feature "clrc:http-data";
type string;
default "/var/www";
description

284
yang/clixon/clixon-restconf@2022-03-21.yang Normal file
View file

@ -0,0 +1,284 @@
module clixon-restconf {
yang-version 1.1;
namespace "http://clicon.org/restconf";
prefix "clrc";
import ietf-inet-types {
prefix inet;
}
organization
"Clixon";
contact
"Olof Hagsand <olof@hagsand.se>";
description
"This YANG module provides a data-model for the Clixon RESTCONF daemon.
There is also clixon-config also including some restconf options.
The separation is not always logical but there are some reasons for the split:
1. Some data (ie 'socket') is structurally complex and cannot be expressed as a
simple option
2. clixon-restconf is defined as a macro/grouping and can be included in
other YANGs. In particular, it can be used inside a datastore, which
is not possible for clixon-config.
3. Related to (2), options that should not be settable in a datastore should be
in clixon-config
***** BEGIN LICENSE BLOCK *****
Copyright (C) 2020 Olof Hagsand and Rubicon Communications, LLC(Netgate)
This file is part of CLIXON
Licensed under the Apache License, Version 2.0 (the \"License\");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an \"AS IS\" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Alternatively, the contents of this file may be used under the terms of
the GNU General Public License Version 3 or later (the \"GPL\"),
in which case the provisions of the GPL are applicable instead
of those above. If you wish to allow use of your version of this file only
under the terms of the GPL, and not to allow others to
use your version of this file under the terms of Apache License version 2,
indicate your decision by deleting the provisions above and replace them with
the notice and other provisions required by the GPL. If you do not delete
the provisions above, a recipient may use your version of this file under
the terms of any one of the Apache License version 2 or the GPL.
***** END LICENSE BLOCK *****";
revision 2022-03-21 {
description
"Added feature:
http-data - Limited static http server
Released in Clixon 5.7";
}
revision 2021-05-20 {
description
"Added log-destination for restconf
Released in Clixon 5.2";
}
revision 2021-03-15 {
description
"make authentication-type none a feature
Added flag to enable core dumps
Released in Clixon 5.1";
}
revision 2020-12-30 {
description
"Added: debug field
Added 'none' as default value for auth-type
Changed http-auth-type enum from 'password' to 'user'";
}
revision 2020-10-30 {
description
"Initial release";
}
feature fcgi {
description
"This feature indicates that the restconf server supports the fast-cgi reverse
proxy solution.
That is, a reverse proxy is the HTTP front-end and the restconf daemon listens
to a fcgi socket.
The alternative is the internal native HTTP solution.";
}
feature allow-auth-none {
description
"This feature allows the use of authentication-type none.";
}
feature http-data {
description
"This feature allows for a very limited static http-data function as
addition to RESTCONF.
It is limited to:
1. path: Local static files within WWW_DATA_ROOT
2. operation GET, HEAD, OPTIONS
3. query parameters not supported
4. indata should be NULL (no write operations)
5. Limited media: text/html, JavaScript, image, and css
6. Authentication as restconf
7. HTTP/1+2, TLS as restconf";
}
typedef http-auth-type {
type enumeration {
enum none {
if-feature "allow-auth-none";
description
"Incoming message are set to authenticated by default. No ca-auth callback is called,
Authenticated user is set to special user 'none'.
Typically assumes NACM is not enabled.";
}
enum client-certificate {
description
"TLS client certificate validation is made on each incoming message. If it passes
the authenticated user is extracted from the SSL_CN parameter
The ca-auth callback can be used to revise this behavior.";
}
enum user {
description
"User-defined authentication as defined by the ca-auth callback.
One example is some form of password authentication, such as basic auth.";
}
}
description
"Enumeration of HTTP authorization types.";
}
typedef log-destination {
type enumeration {
enum syslog {
description
"Log to syslog with:
ident: clixon_restconf and PID
facility: LOG_USER";
}
enum file {
description
"Log to generated file at /var/log/clixon_restconf.log";
}
}
}
grouping clixon-restconf{
description
"HTTP RESTCONF configuration.";
leaf enable {
type boolean;
default "false";
description
"Enables RESTCONF functionality.
Note that starting/stopping of a restconf daemon is different from it being
enabled or not.
For example, if the restconf daemon is under systemd management, the restconf
daemon will only start if enable=true.";
}
leaf enable-http-data {
type boolean;
default "false";
if-feature "http-data";
description
"Enables Limited static http-data functionality.
enable must be true for this option to be meaningful.";
}
leaf auth-type {
type http-auth-type;
description
"The authentication type.
Note client-certificate applies only if ssl-enable is true and socket has ssl";
default user;
}
leaf debug {
description
"Set debug level of restconf daemon.
0 is no debug, 1 is debugging, more is detailed debug.
Debug logs will be directed to log-destination with LOG_DEBUG level (for syslog)";
type uint32;
default 0;
}
leaf log-destination {
description
"Log destination.
If debug is not set, only notice, error and warning will be logged";
type log-destination;
default syslog;
}
leaf enable-core-dump {
description
"enable core dumps.
this is a no-op on systems that don't support it.";
type boolean;
default false;
}
leaf pretty {
type boolean;
default true;
description
"Restconf return value pretty print.
Restconf clients may add HTTP header:
Accept: application/yang-data+json, or
Accept: application/yang-data+xml
to get return value in XML or JSON.
RFC 8040 examples print XML and JSON in pretty-printed form.
Setting this value to false makes restconf return not pretty-printed
which may be desirable for performance or tests
This replaces the CLICON_RESTCONF_PRETTY option in clixon-config.yang";
}
/* From this point only specific options
* First fcgi-specific options
*/
leaf fcgi-socket {
if-feature fcgi; /* Set by default by fcgi clixon_restconf daemon */
type string;
default "/www-data/fastcgi_restconf.sock";
description
"Path to FastCGI unix socket. Should be specified in webserver
Eg in nginx: fastcgi_pass unix:/www-data/clicon_restconf.sock
Only if with-restconf=fcgi, NOT native
This replaces CLICON_RESTCONF_PATH option in clixon-config.yang";
}
/* Second, local native options */
leaf server-cert-path {
type string;
description
"Path to server certificate file.
Note only applies if socket has ssl enabled";
}
leaf server-key-path {
type string;
description
"Path to server key file
Note only applies if socket has ssl enabled";
}
leaf server-ca-cert-path {
type string;
description
"Path to server CA cert file
Note only applies if socket has ssl enabled";
}
list socket {
description
"List of server sockets that the restconf daemon listens to.
Not fcgi";
key "namespace address port";
leaf namespace {
type string;
description
"Network namespace.
On platforms where namespaces are not suppported, 'default'
Default value can be changed by RESTCONF_NETNS_DEFAULT";
}
leaf address {
type inet:ip-address;
description "IP address to bind to";
}
leaf port {
type inet:port-number;
description "TCP port to bind to";
}
leaf ssl {
type boolean;
default true;
description "Enable for HTTPS otherwise HTTP protocol";
}
}
}
container restconf {
description
"This presence is strictly not necessary since the enable flag
in clixon-restconf is the flag bearing the actual semantics.
However, removing the presence leads to default config in all
clixon installations, even those which do not use backend-started restconf.
One could see this as mostly cosmetically annoying.
Alternative would be to make the inclusion of this yang conditional.";
presence "Enables RESTCONF";
uses clixon-restconf;
}
}