* Added CLICON_ANONYMOUS_USER to clicon-config.yang

* evhtp restconf closes session on -1 fatal error (no hang)
* restconf auth-type=none call ca_auth callback
* main example for auth_type=none uses basic auth to get user but without passwd check
Olof hagsand 2021-02-21 14:48:12 +01:00
parent f97b03efc8
commit 3d07db24d9
7 changed files with 454 additions and 33 deletions


@ -457,7 +457,7 @@ restconf_drop_privileges(clicon_handle h,
return -1;
}
if (group_name2gid(group, &gid) < 0){
clicon_log(LOG_ERR, "'%s' does not seem to be a valid user group.\n" /* \n required here due to multi-line log */
clicon_log(LOG_ERR, "'%s' does not seem to be a valid user group." /* \n required here due to multi-line log */
"The config demon requires a valid group to create a server UNIX socket\n"
"Define a valid CLICON_SOCK_GROUP in %s or via the -g option\n"
"or create the group and add the user to it. Check documentation for how to do this on your platform",
@ -516,24 +516,30 @@ restconf_authentication_cb(clicon_handle h,
char *username = NULL;
cxobj *xret = NULL;
cxobj *xerr;
char *anonymous = NULL;
auth_type = restconf_auth_type_get(h);
clicon_debug(1, "%s auth-type:%s", __FUNCTION__, clixon_auth_type_int2str(auth_type));
ret = 0;
authenticated = 0;
if (auth_type != CLIXON_AUTH_NONE)
if ((ret = clixon_plugin_auth_all(h, req,
auth_type,
&authenticated,
&username)) < 0)
goto done;
/* ret: -1 Error, 0: Ignore/not handled, 1: OK see authenticated parameter */
if ((ret = clixon_plugin_auth_all(h, req,
auth_type,
&authenticated,
&username)) < 0)
goto done;
if (ret == 1){ /* OK, tag username to handle */
clicon_username_set(h, username);
if (authenticated == 1)
clicon_username_set(h, username);
}
else { /* Default behaviour */
switch (auth_type){
case CLIXON_AUTH_NONE:
clicon_username_set(h, "none");
/* if not handled by callback, use anonymous user */
if ((anonymous = clicon_option_str(h, "CLICON_ANONYMOUS_USER")) == NULL){
break; /* not authenticated */
}
clicon_username_set(h, anonymous);
authenticated = 1;
break;
case CLIXON_AUTH_CLIENT_CERTIFICATE: {
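Review bot: In the `CLIXON_AUTH_NONE` fallback only a missing `CLICON_ANONYMOUS_USER` is rejected, so an option that is present but empty would, as far as these lines show, be set as the username and the request still marked `authenticated = 1`; consider `if (anonymous == NULL || *anonymous == '\0') break;`. The `ret == 1` branch likewise passes `username` to `clicon_username_set()` with no visible NULL check when the plugin reports `authenticated == 1`. Because the plugin callback now also runs for auth-type none, a comment there such as `/* auth-type none: username from the callback may be client-asserted, not verified */` would warn maintainers that access-control rules keyed on that name are only as strong as the plugin's own checks. restconf_authentication_cb starts and ends outside the hunk, so how `authenticated == 0` is handled afterwards cannot be confirmed from here.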


@ -451,6 +451,7 @@ static void
cx_path_wellknown(evhtp_request_t *req,
void *arg)
{
int retval = -1;
cx_evhtp_handle *eh = (cx_evhtp_handle*)arg;
clicon_handle h = eh->eh_h;
int ret;
@ -472,17 +473,32 @@ cx_path_wellknown(evhtp_request_t *req,
/* Clear (fcgi) paramaters from this request */
if (restconf_param_del_all(h) < 0)
goto done;
retval = 0;
done:
/* Catch all on fatal error. This does not terminate the process but closes request stream */
if (retval < 0)
evhtp_send_reply(req, EVHTP_RES_ERROR);
return; /* void */
}
/*! /restconf callback
/*! Callback for each incoming http request for path /
*
* This are all messages except /.well-known, Registered with evhtp_set_cb
*
* @param[in] req evhtp request structure defining the incoming message
* @param[in] arg cx_evhtp handle clixon specific fields
* @retval void
* Discussion: problematic if fatal error -1 is returneod from clixon routines
* without actually terminating. Consider:
* 1) sending some error? and/or
* 2) terminating the process?
* @see cx_genb
*/
static void
cx_path_restconf(evhtp_request_t *req,
void *arg)
{
int retval = -1;
cx_evhtp_handle *eh = (cx_evhtp_handle*)arg;
clicon_handle h = eh->eh_h;
int ret;
@ -505,13 +521,17 @@ cx_path_restconf(evhtp_request_t *req,
if (ret == 1){
/* call generic function */
if (api_root_restconf(h, req, qvec) < 0)
goto done;
goto done;
}
/* Clear (fcgi) paramaters from this request */
if (restconf_param_del_all(h) < 0)
goto done;
retval = 0;
done:
/* Catch all on fatal error. This does not terminate the process but closes request stream */
if (retval < 0)
evhtp_send_reply(req, EVHTP_RES_ERROR);
if (qvec)
cvec_free(qvec);
return; /* void */
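Review bot: The catch-all at `done:` in cx_path_restconf sends `EVHTP_RES_ERROR` for every `retval < 0`, including the path where `api_root_restconf()` succeeded and only `restconf_param_del_all(h)` failed; if a reply has already gone out by then (not visible in the hunk), the same request would be answered twice. cx_path_wellknown has the same shape. Consider replying only when nothing has been sent yet, or at least stating the precondition with `/* only valid if no reply has been sent for req yet */` above the `evhtp_send_reply` call. The retained "Discussion" paragraph in the header comment still presents the fatal-error case as open and could be reworded to say that the request is now closed with an error reply. The function's closing brace lies outside the hunk.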