diff --git a/CHANGELOG.md b/CHANGELOG.md index 1c548fb7..11a7b845 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -50,6 +50,7 @@ ``` ### Minor changes +* Added CLICON_NACM_MODE "internal-rpc" which is for RPC functionality only, ie no module or data-node read-write functionality. This is for backward compatibility with Clixon 3. (A reduced-functionality "internal") * Made Makefile concurrent so that it can be compiled with -jN * Added flags to example backend to control its behaviour: * Start with `-- -r` to run the reset plugin @@ -68,7 +69,7 @@ * Added libgen.h for baseline() ### Corrected Bugs -* Re-inserted `cli_output_reset` for what was erroneuos thought to be an obsolete function ( +* Re-inserted `cli_output_reset` for what was erroneuos thought to be an obsolete function * See in 3.9.0 minro changes: Replaced all calls to (obsolete) `cli_output` with `fprintf` * Allowed Yang extended Xpath functions (syntax only): * re-match, deref, derived-from, derived-from-or-self, enum-value, bit-is-set diff --git a/apps/backend/backend_client.c b/apps/backend/backend_client.c index 49420687..feba64f5 100644 --- a/apps/backend/backend_client.c +++ b/apps/backend/backend_client.c @@ -321,7 +321,7 @@ from_client_get_config(clicon_handle h, goto ok; } /* Pre-NACM access step */ - if ((ret = nacm_access_pre(h, username, &xnacm)) < 0) + if ((ret = nacm_access_pre(h, username, NACM_DATA, &xnacm)) < 0) goto done; if (ret == 0){ /* Do NACM validation */ if (xpath_vec(xret, "%s", &xvec, &xlen, xpath?xpath:"/") < 0) @@ -790,7 +790,7 @@ from_client_get(clicon_handle h, goto ok; } /* Pre-NACM access step */ - if ((ret = nacm_access_pre(h, username, &xnacm)) < 0) + if ((ret = nacm_access_pre(h, username, NACM_DATA, &xnacm)) < 0) goto done; if (ret == 0){ /* Do NACM validation */ if (xpath_vec(xret, "%s", &xvec, &xlen, xpath?xpath:"/") < 0) 
@@ -1114,7 +1114,7 @@ from_client_msg(clicon_handle h, clicon_debug(1, "%s module:%s rpc:%s", __FUNCTION__, module, rpc); /* Pre-NACM access step */ xnacm = NULL; - if ((ret = nacm_access_pre(h, username, &xnacm)) < 0) + if ((ret = nacm_access_pre(h, username, NACM_RPC, &xnacm)) < 0) goto done; if (ret == 0){ /* Do NACM validation */ /* NACM rpc operation exec validation */ diff --git a/lib/clixon/clixon_nacm.h b/lib/clixon/clixon_nacm.h index 4b016dd5..83997de6 100644 --- a/lib/clixon/clixon_nacm.h +++ b/lib/clixon/clixon_nacm.h @@ -60,6 +60,17 @@ enum nacm_access{ NACM_DELETE, NACM_EXEC }; + +/*! In RFC8341, NACM defines three access points: rpc + * 3.4.4 Incoming RPC Message Validation + * 3.4.5 Data Node Access Validation + * 3.4.6 Outgoing Authorization + */ +enum nacm_point { + NACM_RPC, + NACM_DATA, + NACM_NOTIFICATION, +}; /* * Prototypes */ @@ -67,7 +78,7 @@ int nacm_rpc(char *rpc, char *module, char *username, cxobj *xnacm, cbuf *cbret) int nacm_datanode_read(cxobj *xt, cxobj **xvec, size_t xlen, char *username, cxobj *nacm_xtree); int nacm_datanode_write(cxobj *xt, cxobj *xr, enum nacm_access access, char *username, cxobj *xnacm, cbuf *cbret); -int nacm_access_pre(clicon_handle h, char *username, cxobj **xnacmp); +int nacm_access_pre(clicon_handle h, char *username, enum nacm_point point, cxobj **xnacmp); int nacm_access(char *mode, cxobj *xnacmin, char *username); #endif /* _CLIXON_NACM_H */ diff --git a/lib/src/clixon_nacm.c b/lib/src/clixon_nacm.c index 6f53d88f..6e95cbbe 100644 --- a/lib/src/clixon_nacm.c +++ b/lib/src/clixon_nacm.c @@ -808,7 +808,7 @@ nacm_access(char *mode, goto permit; /* 0. If nacm-mode is external, get NACM defintion from separet tree, otherwise get it from internal configuration */ - if (strcmp(mode, "external") && strcmp(mode, "internal")){ + if (strcmp(mode, "external") && strcmp(mode, "internal") && strcmp(mode, "internal-rpc")){ clicon_err(OE_XML, 0, "Invalid NACM mode: %s", mode); goto done; } 
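Review bot: The new doc comment on `enum nacm_point` is cut off — `three access points: rpc` names only one of the three — and the enumerators carry no documentation, so a reader has to map them to the RFC sections by guess. Suggest `/*! NACM access points as defined in RFC 8341 section 3.4 */` on the enum and a trailing comment per enumerator, e.g. `NACM_RPC,          /* 3.4.4 Incoming RPC Message Validation */`, `NACM_DATA,         /* 3.4.5 Data Node Access Validation */`, `NACM_NOTIFICATION, /* 3.4.6 Outgoing <notification> Authorization */`. Only NACM_RPC and NACM_DATA are passed by callers in this diff; if the notification point is not yet wired to any check, a short note saying so would keep it from being taken for an enforced control.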
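Review bot: `nacm_access()` now accepts the `internal-rpc` mode string but has no access-point argument, so after this check it appears to follow the `otherwise get it from internal configuration` path named in the comment and enforce the full rule set, whereas `nacm_access_pre()` in the same mode permits everything except RPC exec; the two entry points would then disagree on what `internal-rpc` means. The function body continues outside the hunk, so this is inferred from the comment above the check rather than seen. Either document the intent next to the check, e.g. `/* internal-rpc is treated as internal here: this entry point has no access-point argument */`, or give nacm_access() the same `enum nacm_point` parameter so both paths behave alike.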
@@ -846,6 +846,7 @@ nacm_access(char *mode, * etc. If retval = 1 access is OK and skip next NACM step. * @param[in] h Clicon handle * @param[in] username User name of requestor + * @param[in] point NACM access control point * @param[out] xncam NACM XML tree, set if retval=0. Free after use * @retval -1 Error * @retval 0 OK but not validated. Need to do NACM step using xnacm @@ -864,6 +865,7 @@ nacm_access(char *mode, int nacm_access_pre(clicon_handle h, char *username, + enum nacm_point point, cxobj **xnacmp) { int retval = -1; @@ -882,6 +884,15 @@ nacm_access_pre(clicon_handle h, if (xmldb_get(h, "running", "nacm", 0, &xnacm0, NULL) < 0) goto done; } + else if (strcmp(mode, "internal-rpc")==0){ + /* Special mode only implemet exec rpc access point */ + if (point == NACM_RPC){ + if (xmldb_get(h, "running", "nacm", 0, &xnacm0, NULL) < 0) + goto done; + } + else + goto permit; + } } /* If config does not exist then the operation is permitted(?) */ if (xnacm0 == NULL) diff --git a/yang/clixon/clixon-config@2019-03-05.yang b/yang/clixon/clixon-config@2019-03-05.yang index bbf62324..99b3eaad 100644 --- a/yang/clixon/clixon-config@2019-03-05.yang +++ b/yang/clixon/clixon-config@2019-03-05.yang @@ -121,6 +121,13 @@ module clixon-config { enum internal{ description "NACM is enabled and available in the regular config"; } + enum internal-rpc{ + description + "NACM is enabled and available in the regular config. + But only for RPC functionality, ie no module or data-node + read-write functionality. + This is for backward compatibility with Clixon 3.8."; + } enum external{ description "NACM is enabled and available in a separate config"; }
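Review bot: The new `@param[in] point` line says only `NACM access control point`; since this parameter decides whether the check is skipped in `internal-rpc` mode, the doc should name the enum and the consequence, e.g. `@param[in] point NACM access point (enum nacm_point); in mode internal-rpc only NACM_RPC is evaluated, other points are permitted`. The adjacent existing line `@param[out] xncam` does not match the parameter name `xnacmp` and could be corrected in the same touch. The comment block begins and ends outside the hunk.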
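Review bot: In the new `internal-rpc` branch every access point other than `NACM_RPC` jumps straight to `permit`, so data-node reads and writes from any NACM_DATA caller (from_client_get and from_client_get_config in this diff) are authorized unconditionally whenever this mode is configured; that is a deliberate weakening and the comment should state it instead of the misspelled `only implemet exec rpc access point`, e.g. `/* internal-rpc: only RPC exec (RFC 8341 3.4.4) is checked; data-node and notification access is permitted without NACM evaluation (Clixon 3.8 compatibility) */`. The mode if/else chain starts above the hunk; unless it ends in an else that rejects unknown strings, a mistyped mode value leaves xnacm0 NULL and the `if (xnacm0 == NULL)` test below permits the operation, which is fail-open where nacm_access() fails closed with clicon_err — consider `else { clicon_err(OE_XML, 0, "Invalid NACM mode: %s", mode); goto done; }` after the internal-rpc branch. The body of nacm_access_pre continues on both sides of the hunk.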
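Review bot: The description of `internal-rpc` says `no module or data-node read-write functionality`, which reads as if data access is disabled, while the implementation in this commit permits data-node access without NACM checks; an operator choosing a NACM mode needs that weaker guarantee spelled out. Suggest `NACM is enabled in the regular config but only enforced for RPC execution (RFC 8341 section 3.4.4); data-node read/write and notification access are permitted without NACM checks. Provided for backward compatibility with Clixon 3.8.` The CHANGELOG entry says `Clixon 3` where this description says `Clixon 3.8`; the two should agree.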