Fixed: [Cannot create or modify NACM data node access rule with path using JSON encoding #129](https://github.com/clicon/clixon/issues/129). The path of a NACM data node rule is assumed to use the canonical namespace when it is evaluated; this cannot be overruled with xmlns rules.
parent
043acb6a54
commit
41ac192362
7 changed files with 87 additions and 14 deletions
|
|
@ -51,7 +51,7 @@ CXX=@CXX@
|
|||
CC=@CC@
|
||||
|
||||
# Web user default (ie what RESTCONF daemon runs as). Default: www-data
|
||||
WWWUSER=@wwwuser@
|
||||
wwwuser=@wwwuser@
|
||||
|
||||
# Home dir for web user, by default /www-data
|
||||
WWWDIR=@wwwdir@
|
||||
|
|
|
|||
|
|
@ -266,7 +266,7 @@ stop_restconf_pre(){
|
|||
# 1) Dont use $clixon_restconf (dont work in valgrind)
|
||||
# 2) Dont use -u $WWWUSER since clixon_restconf may drop privileges.
|
||||
stop_restconf(){
|
||||
# sudo pkill -u $WWWUSER -f clixon_restconf # Dont use $clixon_restoconf doesnt work in valgrind
|
||||
# sudo pkill -u $wwwuser -f clixon_restconf # Dont use $clixon_restoconf doesnt work in valgrind
|
||||
sudo pkill -f clixon_restconf
|
||||
if [ $valgrindtest -eq 3 ]; then
|
||||
sleep 1
|
||||
|
|
|
|||
|
|
@ -10,6 +10,10 @@
|
|||
# v non-presence container (presence false) DEFAULT
|
||||
# ancestor--> ancestor --> leaf --> default
|
||||
# ^leafs closest ancestor that is not a non-presence container
|
||||
# Test has three parts where system is started three times:
|
||||
# 1) with init
|
||||
# 2) with startup: r1 only
|
||||
# 3) with startup: p4 only
|
||||
|
||||
# Magic line must be first in script (see README.md)
|
||||
s="$_" ; . ./lib.sh || if [ "$s" = $0 ]; then exit 0; else return 0; fi
|
||||
|
|
@ -79,6 +83,25 @@ module example{
|
|||
}
|
||||
}
|
||||
}
|
||||
container xs-config {
|
||||
description "Typical contruct where a list element has a default leaf";
|
||||
list x {
|
||||
key "name";
|
||||
leaf name {
|
||||
type string;
|
||||
}
|
||||
container y {
|
||||
leaf inside {
|
||||
type boolean;
|
||||
default false;
|
||||
}
|
||||
}
|
||||
leaf outside {
|
||||
type boolean;
|
||||
default false;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
|
|
@ -115,6 +138,12 @@ expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><edit-config><target><candidate/></
|
|||
new "get config"
|
||||
expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><get-config><source><candidate/></source></get-config></rpc>]]>]]>' "^<rpc-reply><data>$XML</data></rpc-reply>]]>]]>$"
|
||||
|
||||
new "Set x list element"
|
||||
expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><edit-config><target><candidate/></target><config><xs-config xmlns="urn:example:clixon"><x><name>a</name></x></xs-config></config></edit-config></rpc>]]>]]>' "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
|
||||
|
||||
new "get config (should contain y/inside+outside)"
|
||||
expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><get-config><source><candidate/></source></get-config></rpc>]]>]]>' "^<rpc-reply><data>$XML<xs-config xmlns=\"urn:example:clixon\"><x><name>a</name><y><inside>false</inside></y><outside>false</outside></x></xs-config></data></rpc-reply>]]>]]>$"
|
||||
|
||||
if [ $BE -ne 0 ]; then
|
||||
new "Kill backend"
|
||||
# Check if premature kill
|
||||
|
|
@ -187,7 +216,7 @@ if [ -z "$pid" ]; then
|
|||
err "backend already dead"
|
||||
fi
|
||||
|
||||
# From startup 2, only prsence p4, s4/np5 should be filled in
|
||||
# From startup 2, only presence p4, s4/np5 should be filled in
|
||||
cat <<EOF > $dir/startup_db
|
||||
<config>
|
||||
<p4 xmlns="urn:example:clixon"></p4>
|
||||
|
|
@ -217,4 +246,34 @@ if [ -z "$pid" ]; then
|
|||
err "backend already dead"
|
||||
fi
|
||||
|
||||
# Only single x list element
|
||||
cat <<EOF > $dir/startup_db
|
||||
<config>
|
||||
<xs-config xmlns="urn:example:clixon"><x><name>a</name></x></xs-config>
|
||||
</config>
|
||||
EOF
|
||||
XML='<r1 xmlns="urn:example:clixon">11</r1><r2 xmlns="urn:example:clixon">22</r2><np3 xmlns="urn:example:clixon"><s3>33</s3><np31><s31>31</s31></np31></np3>'
|
||||
if [ $BE -ne 0 ]; then
|
||||
new "kill old backend"
|
||||
sudo clixon_backend -zf $cfg
|
||||
if [ $? -ne 0 ]; then
|
||||
err
|
||||
fi
|
||||
new "start backend -s startup -f $cfg"
|
||||
start_backend -s startup -f $cfg
|
||||
|
||||
new "waiting"
|
||||
wait_backend
|
||||
fi
|
||||
|
||||
new "get startup config with list default"
|
||||
expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><get-config><source><candidate/></source></get-config></rpc>]]>]]>' "^<rpc-reply><data>$XML<xs-config xmlns=\"urn:example:clixon\"><x><name>a</name><y><inside>false</inside></y><outside>false</outside></x></xs-config></data></rpc-reply>]]>]]>$"
|
||||
|
||||
new "Kill backend"
|
||||
# Check if premature kill
|
||||
pid=$(pgrep -u root -f clixon_backend)
|
||||
if [ -z "$pid" ]; then
|
||||
err "backend already dead"
|
||||
fi
|
||||
|
||||
rm -rf $dir
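Review bot: The header comment at the top of this file says the system is started three times and lists parts 1) to 3), but the last hunk adds a fourth start from a startup_db that holds only the `xs-config` list element `a`, so the list is stale as written. Suggest `# Test has four parts where system is started four times:` plus a line `# 4) with startup: single xs-config/x list element`. Separately, the final "Kill backend" step only checks with `pgrep -u root -f clixon_backend` that the daemon is still alive. No stop is visible in the hunk before `rm -rf $dir`, so unless one exists outside the lines shown, the root-owned backend keeps running after its directory is removed.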
|
||||
|
|
|
|||
|
|
@ -132,8 +132,8 @@ RULES=$(cat <<EOF
|
|||
<group>guest</group>
|
||||
<rule>
|
||||
<name>deny-nacm</name>
|
||||
<path xmlns:n="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
|
||||
/n:nacm
|
||||
<path xmlns:nacm="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
|
||||
/nacm:nacm
|
||||
</path>
|
||||
<access-operations>*</access-operations>
|
||||
<action>deny</action>
|
||||
|
|
@ -147,8 +147,8 @@ RULES=$(cat <<EOF
|
|||
<group>limited</group>
|
||||
<rule>
|
||||
<name>permit-acme-config</name>
|
||||
<path xmlns:acme="http://example.com/ns/netconf">
|
||||
/acme:acme-netconf/acme:config-parameters
|
||||
<path xmlns:ex="http://example.com/ns/netconf">
|
||||
/ex:acme-netconf/acme:config-parameters
|
||||
</path>
|
||||
<access-operations>
|
||||
read create update delete
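Review bot: In the `permit-acme-config` rule the path `/ex:acme-netconf/acme:config-parameters` mixes two prefixes, and only `ex` is bound by the `xmlns:ex` attribute on the `<path>` line printed just before it; the page has lost the `+`/`-` column, so this is presumably the new side, as in the `deny-nacm` hunk where `/n:nacm` becomes `/nacm:nacm`. The commit description says rule paths are evaluated with the canonical namespace and cannot be overruled by xmlns, so whether the second step still resolves depends on which prefix is canonical for that module, which is not visible here. A rule path that silently fails to resolve changes what the rule permits or denies, so either use one prefix for both steps or, if the mix is deliberate, say so in a shell comment above the `RULES=` assignment, e.g. `# NACM rule paths are evaluated with the canonical namespace; xmlns on <path> does not overrule it`. Both here-documents begin and end outside their hunks.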
|
||||
|
|
|
|||
|
|
@ -112,8 +112,6 @@ if [ $RC -ne 0 ]; then
|
|||
wait_restconf
|
||||
fi
|
||||
|
||||
|
||||
|
||||
new "admin read OK"
|
||||
expectpart "$(curl -u andy:bar -siS -X GET http://localhost/restconf/data/nacm-example:table/parameters/parameter=a)" 0 'HTTP/1.1 200 OK' '{"nacm-example:parameter":\[{"name":"a","value":"72"}\]}'
|
||||
|
||||
|
|
@ -142,12 +140,14 @@ expectpart "$(curl -u andy:bar -siS -X POST http://localhost/restconf/data/ietf
|
|||
new "Read NACM rule"
|
||||
expectpart "$(curl -u andy:bar -siS -X GET http://localhost/restconf/data/ietf-netconf-acm:nacm/rule-list=limited-acl)" 0 "HTTP/1.1 200 OK" '{"ietf-netconf-acm:rule-list":\[{"name":"limited-acl","group":"limited","rule":\[{"name":"table","module-name":"\*","path":"/ex:table","access-operations":"read","action":"permit"}\]}\]}'
|
||||
|
||||
if false; then
|
||||
new "limit read OK (Set rul w JSON)"
|
||||
expectpart "$(curl -u wilma:bar -siS -X GET http://localhost/restconf/data/nacm-example:table/parameters/parameter=a)" 0 'HTTP/1.1 200 OK' '{"nacm-example:parameter":\[{"name":"a","value":"72"}\]}'
|
||||
|
||||
new "Delete NACM read rule"
|
||||
expectpart "$(curl -u andy:bar -siS -X DELETE http://localhost/restconf/data/ietf-netconf-acm:nacm/rule-list=limited-acl)" 0 "HTTP/1.1 204 No Content"
|
||||
|
||||
new "Fail limit read"
|
||||
# XXX: No namespace found for prefix: ex
|
||||
# See [Cannot create or modify NACM data node access rule with path using JSON encoding #129](https://github.com/clicon/clixon/issues/129)
|
||||
expectpart "$(curl -u wilma:bar -siS -X GET http://localhost/restconf/data/nacm-example:table/parameters/parameter=a)" 0 'HTTP/1.1 404 Not Found' '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"invalid-value","error-severity":"error","error-message":"Instance does not exist"}}}'
|
||||
fi
|
||||
|
||||
if [ $RC -ne 0 ]; then
|
||||
new "Kill restconf daemon"
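Review bot: The three checks between `if false; then` and `fi` never run, so nothing in this section verifies that user wilma gains read access through the JSON-created rule or loses it again once `limited-acl` is deleted. The page does not show which side of the diff the guard is on; if it is on the new side, the commit that reports issue #129 as fixed still skips the regression test for it, and the `# XXX: No namespace found for prefix: ex` remark suggests the rule path `/ex:table` may not resolve. For an access-control test the denied case is the one most worth keeping live, so either enable the block or put the reason next to the guard, e.g. `# TODO: enable once the JSON-encoded rule path resolves (issue #129)`. The trailing `if [ $RC -ne 0 ]; then` block continues outside the hunk.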
|
||||
|
|
|
|||