experiments/clixon
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

* Added CLICON_NACM_MODE "internal-rpc" which is for RPC functionality only

Browse source
This commit is contained in:
Olof Hagsand 2019-03-22 17:09:05 +01:00
parent 0898870e68
commit 69dcc721a9
5 changed files with 36 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

3
CHANGELOG.md
View file

@ -50,6 +50,7 @@
``` ```
### Minor changes ### Minor changes
* Added CLICON_NACM_MODE "internal-rpc" which is for RPC functionality only, ie no module or data-node read-write functionality. This is for backward compatibility with Clixon 3. (A reduced-functionality "internal")
* Made Makefile concurrent so that it can be compiled with -jN * Made Makefile concurrent so that it can be compiled with -jN
* Added flags to example backend to control its behaviour: * Added flags to example backend to control its behaviour:
* Start with `-- -r` to run the reset plugin * Start with `-- -r` to run the reset plugin
@ -68,7 +69,7 @@
* Added libgen.h for baseline() * Added libgen.h for baseline()
### Corrected Bugs ### Corrected Bugs
* Re-inserted `cli_output_reset` for what was erroneuos thought to be an obsolete function ( * Re-inserted `cli_output_reset` for what was erroneuos thought to be an obsolete function
* See in 3.9.0 minro changes: Replaced all calls to (obsolete) `cli_output` with `fprintf` * See in 3.9.0 minro changes: Replaced all calls to (obsolete) `cli_output` with `fprintf`
* Allowed Yang extended Xpath functions (syntax only): * Allowed Yang extended Xpath functions (syntax only):
* re-match, deref, derived-from, derived-from-or-self, enum-value, bit-is-set * re-match, deref, derived-from, derived-from-or-self, enum-value, bit-is-set

6
apps/backend/backend_client.c
View file

@ -321,7 +321,7 @@ from_client_get_config(clicon_handle h,
goto ok; goto ok;
} }
/* Pre-NACM access step */ /* Pre-NACM access step */
if ((ret = nacm_access_pre(h, username, &xnacm)) < 0) if ((ret = nacm_access_pre(h, username, NACM_DATA, &xnacm)) < 0)
goto done; goto done;
if (ret == 0){ /* Do NACM validation */ if (ret == 0){ /* Do NACM validation */
if (xpath_vec(xret, "%s", &xvec, &xlen, xpath?xpath:"/") < 0) if (xpath_vec(xret, "%s", &xvec, &xlen, xpath?xpath:"/") < 0)
@ -790,7 +790,7 @@ from_client_get(clicon_handle h,
goto ok; goto ok;
} }
/* Pre-NACM access step */ /* Pre-NACM access step */
if ((ret = nacm_access_pre(h, username, &xnacm)) < 0) if ((ret = nacm_access_pre(h, username, NACM_DATA, &xnacm)) < 0)
goto done; goto done;
if (ret == 0){ /* Do NACM validation */ if (ret == 0){ /* Do NACM validation */
if (xpath_vec(xret, "%s", &xvec, &xlen, xpath?xpath:"/") < 0) if (xpath_vec(xret, "%s", &xvec, &xlen, xpath?xpath:"/") < 0)
@ -1114,7 +1114,7 @@ from_client_msg(clicon_handle h,
clicon_debug(1, "%s module:%s rpc:%s", __FUNCTION__, module, rpc); clicon_debug(1, "%s module:%s rpc:%s", __FUNCTION__, module, rpc);
/* Pre-NACM access step */ /* Pre-NACM access step */
xnacm = NULL; xnacm = NULL;
if ((ret = nacm_access_pre(h, username, &xnacm)) < 0) if ((ret = nacm_access_pre(h, username, NACM_RPC, &xnacm)) < 0)
goto done; goto done;
if (ret == 0){ /* Do NACM validation */ if (ret == 0){ /* Do NACM validation */
/* NACM rpc operation exec validation */ /* NACM rpc operation exec validation */

13
lib/clixon/clixon_nacm.h
View file

@ -60,6 +60,17 @@ enum nacm_access{
NACM_DELETE, NACM_DELETE,
NACM_EXEC NACM_EXEC
}; };
/*! In RFC8341, NACM defines three access points: rpc
* 3.4.4 Incoming RPC Message Validation
* 3.4.5 Data Node Access Validation
* 3.4.6 Outgoing <notification> Authorization
*/
enum nacm_point {
NACM_RPC,
NACM_DATA,
NACM_NOTIFICATION,
};
/* /*
* Prototypes * Prototypes
*/ */
@ -67,7 +78,7 @@ int nacm_rpc(char *rpc, char *module, char *username, cxobj *xnacm, cbuf *cbret)
int nacm_datanode_read(cxobj *xt, cxobj **xvec, size_t xlen, char *username, cxobj *nacm_xtree); int nacm_datanode_read(cxobj *xt, cxobj **xvec, size_t xlen, char *username, cxobj *nacm_xtree);
int nacm_datanode_write(cxobj *xt, cxobj *xr, enum nacm_access access, int nacm_datanode_write(cxobj *xt, cxobj *xr, enum nacm_access access,
char *username, cxobj *xnacm, cbuf *cbret); char *username, cxobj *xnacm, cbuf *cbret);
int nacm_access_pre(clicon_handle h, char *username, cxobj **xnacmp); int nacm_access_pre(clicon_handle h, char *username, enum nacm_point point, cxobj **xnacmp);
int nacm_access(char *mode, cxobj *xnacmin, char *username); int nacm_access(char *mode, cxobj *xnacmin, char *username);
#endif /* _CLIXON_NACM_H */ #endif /* _CLIXON_NACM_H */

13
lib/src/clixon_nacm.c
View file

@ -808,7 +808,7 @@ nacm_access(char *mode,
goto permit; goto permit;
/* 0. If nacm-mode is external, get NACM defintion from separet tree, /* 0. If nacm-mode is external, get NACM defintion from separet tree,
otherwise get it from internal configuration */ otherwise get it from internal configuration */
if (strcmp(mode, "external") && strcmp(mode, "internal")){ if (strcmp(mode, "external") && strcmp(mode, "internal") && strcmp(mode, "internal-rpc")){
clicon_err(OE_XML, 0, "Invalid NACM mode: %s", mode); clicon_err(OE_XML, 0, "Invalid NACM mode: %s", mode);
goto done; goto done;
} }
@ -846,6 +846,7 @@ nacm_access(char *mode,
* etc. If retval = 1 access is OK and skip next NACM step. * etc. If retval = 1 access is OK and skip next NACM step.
* @param[in] h Clicon handle * @param[in] h Clicon handle
* @param[in] username User name of requestor * @param[in] username User name of requestor
* @param[in] point NACM access control point
* @param[out] xncam NACM XML tree, set if retval=0. Free after use * @param[out] xncam NACM XML tree, set if retval=0. Free after use
* @retval -1 Error * @retval -1 Error
* @retval 0 OK but not validated. Need to do NACM step using xnacm * @retval 0 OK but not validated. Need to do NACM step using xnacm
@ -864,6 +865,7 @@ nacm_access(char *mode,
int int
nacm_access_pre(clicon_handle h, nacm_access_pre(clicon_handle h,
char *username, char *username,
enum nacm_point point,
cxobj **xnacmp) cxobj **xnacmp)
{ {
int retval = -1; int retval = -1;
@ -882,6 +884,15 @@ nacm_access_pre(clicon_handle h,
if (xmldb_get(h, "running", "nacm", 0, &xnacm0, NULL) < 0) if (xmldb_get(h, "running", "nacm", 0, &xnacm0, NULL) < 0)
goto done; goto done;
} }
else if (strcmp(mode, "internal-rpc")==0){
/* Special mode only implemet exec rpc access point */
if (point == NACM_RPC){
if (xmldb_get(h, "running", "nacm", 0, &xnacm0, NULL) < 0)
goto done;
}
else
goto permit;
}
} }
/* If config does not exist then the operation is permitted(?) */ /* If config does not exist then the operation is permitted(?) */
if (xnacm0 == NULL) if (xnacm0 == NULL)

7
yang/clixon/clixon-config@2019-03-05.yang
View file

@ -121,6 +121,13 @@ module clixon-config {
enum internal{ enum internal{
description "NACM is enabled and available in the regular config"; description "NACM is enabled and available in the regular config";
} }
enum internal-rpc{
description
"NACM is enabled and available in the regular config.
But only for RPC functionality, ie no module or data-node
read-write functionality.
This is for backward compatibility with Clixon 3.8.";
}
enum external{ enum external{
description "NACM is enabled and available in a separate config"; description "NACM is enabled and available in a separate config";
} }