Fixed: [Cannot create or modify NACM data node access rule with path using JSON encoding #129](https://github.com/clicon/clixon/issues/129). The evaluation of NACM datanode rule path is assumed to be canonical namespace and cannot be overruled with xmlns rules.

Olof Hagsand 2020-08-30 17:03:49 +02:00
parent 043acb6a54
commit 41ac192362
7 changed files with 87 additions and 14 deletions

View file

@ -30,12 +30,16 @@ Expected: September 2020
Users may have to change how they access the system Users may have to change how they access the system
* NACM datanode paths fixed to canonical namespace
* The fix of [Cannot create or modify NACM data node access rule with path using JSON encoding #129](https://github.com/clicon/clixon/issues/129) leads that data-node paths, eg `<rule>...<path>ex:table/ex:parameter</path></rule>` instance-identifiers are restricted to canonical namespace identifiers for both XML and JSON encoding. That is, if a symbol (such as `table` above) is a symbol in a module with prefix `ex`, another prefix cannot be used, even though defined with a `xmlns:` rule.
* New clixon-config@2020-08-17.yang revision * New clixon-config@2020-08-17.yang revision
* Added options for Restconf evhtp setting default bind socket address and ports `CLICON_RESTCONF_IPV4_ADDR`, `CLICON_RESTCONF_IPV6_ADDR`, `CLICON_RESTCONF_HTTP_PORT`, `CLICON_RESTCONF_HTTPS_PORT` * Added options for Restconf evhtp setting default bind socket address and ports `CLICON_RESTCONF_IPV4_ADDR`, `CLICON_RESTCONF_IPV6_ADDR`, `CLICON_RESTCONF_HTTP_PORT`, `CLICON_RESTCONF_HTTPS_PORT`
### Corrected Bugs ### Corrected Bugs
* Corrected error message for list min/max-value to comply to RFC 7950: a proper path is now returned, peviously only the list symbol. it is also exposed in the CLI correctly. * Fixed: [Cannot create or modify NACM data node access rule with path using JSON encoding #129](https://github.com/clicon/clixon/issues/129). The evaluation of NACM datanode rule path is assumed to be canonical namespace and cannot be overruled with `xmlns` rules.
* Corrected error message for list min/max-value to comply to RFC 7950: a proper path is now returned, previously only the final list symbol was returned. This error-path is also now exposed in the CLI error message correctly.
* Example: `<error-path>/c/a1</error-path>` * Example: `<error-path>/c/a1</error-path>`
* Fixed: [Yang modules skipped if the name is a proper prefix of other module name](https://github.com/clicon/clixon/issues/130) * Fixed: [Yang modules skipped if the name is a proper prefix of other module name](https://github.com/clicon/clixon/issues/130)
* Fixed an error in global default values. Global default values were not written to datastore after startup, but AFTER an edit/commit. * Fixed an error in global default values. Global default values were not written to datastore after startup, but AFTER an edit/commit.
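Review bot: the new CHANGELOG bullet has a grammar slip and leaves the failure mode unstated. "leads that data-node paths ... are restricted" should read "means that data-node paths ... are restricted", and the entry should say what happens to an existing rule whose `<path>` uses a non-canonical prefix declared with `xmlns:` (is the rule rejected when loaded, or does it simply never match?). For a deny rule, a path that silently stops matching is a fail-open change, so an operator upgrading needs to know which behaviour to expect and to audit existing rule-lists accordingly.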

View file

@ -454,12 +454,22 @@ nacm_datanode_prepare(clicon_handle h,
} }
else{ else{
path0 = clixon_trim2(xml_body(pathobj), " \t\n"); path0 = clixon_trim2(xml_body(pathobj), " \t\n");
/* Get canonical namespace context for nacm paths */
if ((path = strdup(path0)) == NULL){
clicon_err(OE_UNIX, errno, "strdup");
goto done;
}
#if 0
/* See https://github.com/clicon/clixon/issues/129:
* If this is enabled, you are back to the problem of JSON encodings
*/
/* Create namespace context for with nacm namespace as default */ /* Create namespace context for with nacm namespace as default */
if (xml_nsctx_node(pathobj, &nsc0) < 0) if (xml_nsctx_node(pathobj, &nsc0) < 0)
goto done; goto done;
/* instance-id requires canonical paths */ /* instance-id requires canonical paths */
if (xpath2canonical(path0, nsc0, yspec, &path, NULL) < 0) if (xpath2canonical(path0, nsc0, yspec, &path, NULL) < 0)
goto done; goto done;
#endif
if ((ret = clixon_xml_find_instance_id(xt, yspec, &xvec, &xlen, "%s", path)) < 0) if ((ret = clixon_xml_find_instance_id(xt, yspec, &xvec, &xlen, "%s", path)) < 0)
goto done; goto done;
if (ret == 0) if (ret == 0)
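Review bot: the `#if 0` block keeps the old `xml_nsctx_node`/`xpath2canonical` resolution as dead code; prefer deleting it and leaving a one-line comment pointing at issue #129 that explains why the path is now taken verbatim, since `#if 0` blocks tend to get re-enabled without the context. With the `strdup` path, `nsc0` is no longer assigned in this branch, so check that its declaration and any cleanup under the `done:` label do not refer to a value that is only set here. The comment above the `strdup` should also state that prefixes in `path0` are now resolved by `clixon_xml_find_instance_id` against the YANG module prefixes, not against `xmlns` declarations on the rule element, because that is the behavioural change of this commit.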

View file

@ -51,7 +51,7 @@ CXX=@CXX@
CC=@CC@ CC=@CC@
# Web user default (ie what RESTCONF daemon runs as). Default: www-data # Web user default (ie what RESTCONF daemon runs as). Default: www-data
WWWUSER=@wwwuser@ wwwuser=@wwwuser@
# Home dir for web user, by default /www-data # Home dir for web user, by default /www-data
WWWDIR=@wwwdir@ WWWDIR=@wwwdir@
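Review bot: the variable is renamed from `WWWUSER` to lowercase `wwwuser` while `WWWDIR` on the next line keeps the uppercase convention, which is inconsistent and easy to miss. Make sure every `$(WWWUSER)` reference in the Makefiles is updated in the same commit; a stale reference silently expands to the empty string, so any install or ownership step that uses it would run with no user at all.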

View file

@ -266,7 +266,7 @@ stop_restconf_pre(){
# 1) Dont use $clixon_restconf (dont work in valgrind) # 1) Dont use $clixon_restconf (dont work in valgrind)
# 2) Dont use -u $WWWUSER since clixon_restconf may drop privileges. # 2) Dont use -u $WWWUSER since clixon_restconf may drop privileges.
stop_restconf(){ stop_restconf(){
# sudo pkill -u $WWWUSER -f clixon_restconf # Dont use $clixon_restoconf doesnt work in valgrind # sudo pkill -u $wwwuser -f clixon_restconf # Dont use $clixon_restoconf doesnt work in valgrind
sudo pkill -f clixon_restconf sudo pkill -f clixon_restconf
if [ $valgrindtest -eq 3 ]; then if [ $valgrindtest -eq 3 ]; then
sleep 1 sleep 1
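Review bot: the comment "2) Dont use -u $WWWUSER" still uses the uppercase name while the commented-out `pkill` line below was updated to `$wwwuser`; update both or neither. Fix "clixon_restoconf" in the same comment while there. Since the live `sudo pkill -f clixon_restconf` matches the pattern anywhere in a process's command line, it can also kill unrelated processes that happen to carry that string in their arguments; a pid recorded when the daemon is started, or `pgrep -x`, would be more precise.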

View file

@ -10,6 +10,10 @@
# v non-presence container (presence false) DEFAULT # v non-presence container (presence false) DEFAULT
# ancestor--> ancestor --> leaf --> default # ancestor--> ancestor --> leaf --> default
# ^leafs closest ancestor that is not a non-presence container # ^leafs closest ancestor that is not a non-presence container
# Test has three parts where system is started three times:
# 1) with init
# 2) with startup: r1 only
# 3) with startup: p4 only
# Magic line must be first in script (see README.md) # Magic line must be first in script (see README.md)
s="$_" ; . ./lib.sh || if [ "$s" = $0 ]; then exit 0; else return 0; fi s="$_" ; . ./lib.sh || if [ "$s" = $0 ]; then exit 0; else return 0; fi
@ -79,6 +83,25 @@ module example{
} }
} }
} }
container xs-config {
description "Typical contruct where a list element has a default leaf";
list x {
key "name";
leaf name {
type string;
}
container y {
leaf inside {
type boolean;
default false;
}
}
leaf outside {
type boolean;
default false;
}
}
}
} }
EOF EOF
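Review bot: typo in the description string: "contruct" should be "construct". Otherwise the added `xs-config` container is a good minimal case for defaults under a list entry, one leaf inside a non-presence container and one directly in the list.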
@ -115,6 +138,12 @@ expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><edit-config><target><candidate/></
new "get config" new "get config"
expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><get-config><source><candidate/></source></get-config></rpc>]]>]]>' "^<rpc-reply><data>$XML</data></rpc-reply>]]>]]>$" expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><get-config><source><candidate/></source></get-config></rpc>]]>]]>' "^<rpc-reply><data>$XML</data></rpc-reply>]]>]]>$"
new "Set x list element"
expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><edit-config><target><candidate/></target><config><xs-config xmlns="urn:example:clixon"><x><name>a</name></x></xs-config></config></edit-config></rpc>]]>]]>' "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
new "get config (should contain y/inside+outside)"
expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><get-config><source><candidate/></source></get-config></rpc>]]>]]>' "^<rpc-reply><data>$XML<xs-config xmlns=\"urn:example:clixon\"><x><name>a</name><y><inside>false</inside></y><outside>false</outside></x></xs-config></data></rpc-reply>]]>]]>$"
if [ $BE -ne 0 ]; then if [ $BE -ne 0 ]; then
new "Kill backend" new "Kill backend"
# Check if premature kill # Check if premature kill
@ -187,7 +216,7 @@ if [ -z "$pid" ]; then
err "backend already dead" err "backend already dead"
fi fi
# From startup 2, only prsence p4, s4/np5 should be filled in # From startup 2, only presence p4, s4/np5 should be filled in
cat <<EOF > $dir/startup_db cat <<EOF > $dir/startup_db
<config> <config>
<p4 xmlns="urn:example:clixon"></p4> <p4 xmlns="urn:example:clixon"></p4>
@ -217,4 +246,34 @@ if [ -z "$pid" ]; then
err "backend already dead" err "backend already dead"
fi fi
# Only single x list element
cat <<EOF > $dir/startup_db
<config>
<xs-config xmlns="urn:example:clixon"><x><name>a</name></x></xs-config>
</config>
EOF
XML='<r1 xmlns="urn:example:clixon">11</r1><r2 xmlns="urn:example:clixon">22</r2><np3 xmlns="urn:example:clixon"><s3>33</s3><np31><s31>31</s31></np31></np3>'
if [ $BE -ne 0 ]; then
new "kill old backend"
sudo clixon_backend -zf $cfg
if [ $? -ne 0 ]; then
err
fi
new "start backend -s startup -f $cfg"
start_backend -s startup -f $cfg
new "waiting"
wait_backend
fi
new "get startup config with list default"
expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><get-config><source><candidate/></source></get-config></rpc>]]>]]>' "^<rpc-reply><data>$XML<xs-config xmlns=\"urn:example:clixon\"><x><name>a</name><y><inside>false</inside></y><outside>false</outside></x></xs-config></data></rpc-reply>]]>]]>$"
new "Kill backend"
# Check if premature kill
pid=$(pgrep -u root -f clixon_backend)
if [ -z "$pid" ]; then
err "backend already dead"
fi
rm -rf $dir rm -rf $dir
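Review bot: the "Kill backend" step at the end of the new third part only checks for premature death; no call that actually stops the backend is visible between the pid check and `rm -rf $dir`, unlike the earlier parts of this script. If that is not just elided context, the backend is left running over a deleted config directory and the next test has to clean it up with `clixon_backend -z`. Also, the expected reply on the "get startup config with list default" line is identical to the one used after the edit-config in the earlier part; a short comment that this part checks that defaults are filled in from the startup datastore rather than after an edit would make the intent clear.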

View file

@ -132,8 +132,8 @@ RULES=$(cat <<EOF
<group>guest</group> <group>guest</group>
<rule> <rule>
<name>deny-nacm</name> <name>deny-nacm</name>
<path xmlns:n="urn:ietf:params:xml:ns:yang:ietf-netconf-acm"> <path xmlns:nacm="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
/n:nacm /nacm:nacm
</path> </path>
<access-operations>*</access-operations> <access-operations>*</access-operations>
<action>deny</action> <action>deny</action>
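Review bot: the rule path now has to use the module's canonical prefix `nacm`, so the `xmlns:nacm` declaration on `<path>` is no longer what the evaluation consults; either drop it or add a comment saying the prefix must match the module prefix regardless of the declaration, otherwise a future reader will assume the declaration is what makes the path resolve.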
@ -147,8 +147,8 @@ RULES=$(cat <<EOF
<group>limited</group> <group>limited</group>
<rule> <rule>
<name>permit-acme-config</name> <name>permit-acme-config</name>
<path xmlns:acme="http://example.com/ns/netconf"> <path xmlns:ex="http://example.com/ns/netconf">
/acme:acme-netconf/acme:config-parameters /ex:acme-netconf/acme:config-parameters
</path> </path>
<access-operations> <access-operations>
read create update delete read create update delete
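Review bot: the updated path mixes prefixes: `/ex:acme-netconf/acme:config-parameters` uses `ex:` for the first node but keeps `acme:` for the second, while the declaration was changed to `xmlns:ex`. If the canonical prefix is `ex`, the second step should be `ex:config-parameters`; as written the `acme` prefix is declared nowhere. Since this is a permit rule for the `limited` group, a path that fails to resolve would break the permit expectation in the test (or hide a matching problem). Suggest `/ex:acme-netconf/ex:config-parameters`.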

View file

@ -112,8 +112,6 @@ if [ $RC -ne 0 ]; then
wait_restconf wait_restconf
fi fi
new "admin read OK" new "admin read OK"
expectpart "$(curl -u andy:bar -siS -X GET http://localhost/restconf/data/nacm-example:table/parameters/parameter=a)" 0 'HTTP/1.1 200 OK' '{"nacm-example:parameter":\[{"name":"a","value":"72"}\]}' expectpart "$(curl -u andy:bar -siS -X GET http://localhost/restconf/data/nacm-example:table/parameters/parameter=a)" 0 'HTTP/1.1 200 OK' '{"nacm-example:parameter":\[{"name":"a","value":"72"}\]}'
@ -142,12 +140,14 @@ expectpart "$(curl -u andy:bar -siS -X POST http://localhost/restconf/data/ietf
new "Read NACM rule" new "Read NACM rule"
expectpart "$(curl -u andy:bar -siS -X GET http://localhost/restconf/data/ietf-netconf-acm:nacm/rule-list=limited-acl)" 0 "HTTP/1.1 200 OK" '{"ietf-netconf-acm:rule-list":\[{"name":"limited-acl","group":"limited","rule":\[{"name":"table","module-name":"\*","path":"/ex:table","access-operations":"read","action":"permit"}\]}\]}' expectpart "$(curl -u andy:bar -siS -X GET http://localhost/restconf/data/ietf-netconf-acm:nacm/rule-list=limited-acl)" 0 "HTTP/1.1 200 OK" '{"ietf-netconf-acm:rule-list":\[{"name":"limited-acl","group":"limited","rule":\[{"name":"table","module-name":"\*","path":"/ex:table","access-operations":"read","action":"permit"}\]}\]}'
if false; then new "limit read OK (Set rul w JSON)"
expectpart "$(curl -u wilma:bar -siS -X GET http://localhost/restconf/data/nacm-example:table/parameters/parameter=a)" 0 'HTTP/1.1 200 OK' '{"nacm-example:parameter":\[{"name":"a","value":"72"}\]}'
new "Delete NACM read rule"
expectpart "$(curl -u andy:bar -siS -X DELETE http://localhost/restconf/data/ietf-netconf-acm:nacm/rule-list=limited-acl)" 0 "HTTP/1.1 204 No Content"
new "Fail limit read" new "Fail limit read"
# XXX: No namespace found for prefix: ex
# See [Cannot create or modify NACM data node access rule with path using JSON encoding #129](https://github.com/clicon/clixon/issues/129)
expectpart "$(curl -u wilma:bar -siS -X GET http://localhost/restconf/data/nacm-example:table/parameters/parameter=a)" 0 'HTTP/1.1 404 Not Found' '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"invalid-value","error-severity":"error","error-message":"Instance does not exist"}}}' expectpart "$(curl -u wilma:bar -siS -X GET http://localhost/restconf/data/nacm-example:table/parameters/parameter=a)" 0 'HTTP/1.1 404 Not Found' '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"invalid-value","error-severity":"error","error-message":"Instance does not exist"}}}'
fi
if [ $RC -ne 0 ]; then if [ $RC -ne 0 ]; then
new "Kill restconf daemon" new "Kill restconf daemon"
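Review bot: the now-enabled test still carries the stale comments "# XXX: No namespace found for prefix: ex" and the issue #129 link above the "Fail limit read" check; they described the bug that kept this block under `if false`, so remove them or reword as "regression test for #129". Also "Set rul w JSON" in the test name should be "Set rule w JSON". The sequence read rule, limited read OK, delete rule, limited read 404 is a good fail-closed check: once the permit rule is deleted, wilma gets 404 rather than the data.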