* RESTCONF failed authentication changed error return code from 403 Forbiden to 401 Unauthorized following RFC 8040

2021-02-10 14:17:34 +01:00 · 2021-02-10 14:17:34 +01:00 · 6b08a22f04
commit 6b08a22f04
parent 92a3898c46
5 changed files with 22 additions and 6 deletions
--- a/apps/restconf/restconf_err.c
+++ b/apps/restconf/restconf_err.c
@ -430,6 +430,20 @@ api_return_err(clicon_handle h,
    else{
 	if ((code = restconf_err2code(tagstr)) < 0)
 	    code = 500; /* internal server error */
+	if (code == 403){
+	    /* Special case: netconf only has "access denied" while restconf 
+	     * differentiates between:
+	     *   401 Unauthorized If the RESTCONF client is not authenticated (sec 2.5)
+	     *   403 Forbidden    If the user is not authorized to access a target resource or invoke 
+	     *                    an operation
+	     */
+	    cxobj *xmsg;
+	    char  *mb;
+	    if ((xmsg = xpath_first(xerr, NULL, "error-message")) != NULL &&
+		(mb = xml_body(xmsg)) != NULL &&
+		strcmp(mb, "The requested URL was unauthorized") == 0)
+		code = 401;
+	}
    }  
    if (restconf_reply_header(req, "Content-Type", "%s", restconf_media_int2str(media)) < 0) // XXX
 	goto done;
--- a/apps/restconf/restconf_lib.c
+++ b/apps/restconf/restconf_lib.c
@ -81,8 +81,8 @@ static const map_str2int netconf_restconf_map[] = {
    {"bad-element",            400},
    {"unknown-element",        400},
    {"unknown-namespace",      400},
-    {"access-denied",          403}, 
-    {"access-denied",          401}, /* or 403 */
+    {"access-denied",          403}, /* or 401 special case if tagstr is: "The requested URL was unauthorized" handled in api_return_err */
+    {"access-denied",          401}, 
    {"lock-denied",            409},
    {"resource-denied",        409},
    {"rollback-failed",        500},