* Restconf authentication callback (ca_auth) signature changed

* Not backward compatible: All uses of the ca-auth callback in restconf plugins must be changed * New version is: `int ca_auth(h, req, auth_type, authp, userp)` * where `auth_type` is the requested authentication-type (none, client-cert or user-defined) * `authp` is the returned authentication flag * `userp` is the returned associated authenticated user * and the return value is three-valued: -1: Error, 0: ignored, 1: OK * For more info see [clixon-docs](https://clixon-docs.readthedocs.io/en/latest/restconf.html) * New clixon-restconf@2020-12-30.yang revision
2021-02-09 21:15:54 +01:00 · 2021-02-09 21:15:54 +01:00 · 710fc76887
commit 710fc76887
parent 1f0147f996
54 changed files with 1216 additions and 485 deletions
--- a/lib/clixon/clixon_plugin.h
+++ b/lib/clixon/clixon_plugin.h
@ -51,6 +51,7 @@
 * Types
 */

+    
 /*! Registered RPC callback function 
 * @param[in]  h       Clicon handle 
 * @param[in]  xn      Request: <rpc><xn></rpc> 
@ -92,9 +93,18 @@ typedef int (*clicon_upgrade_cb)(
    cbuf         *cbret
 );  

-/*
- * Prototypes
+/* Clixon authentication type
+ * @see http-auth-type in clixon-restconf.yang
+ * For now only used by restconf frontend
 */
+enum clixon_auth_type {
+    CLIXON_AUTH_NONE = 0,           /* Message is authenticated automatically, Do not call ca-auth callback */
+    CLIXON_AUTH_CLIENT_CERTIFICATE, /* TLS Client certification authentication */
+    CLIXON_AUTH_USER,               /* User-defined authentication according to ca-auth callback. 
+				       Such as "password" authentication */
+};
+typedef enum clixon_auth_type clixon_auth_type_t;
+
 /* Common plugin function names, function types and signatures. 
 * This plugin code is exytended by backend, cli, netconf, restconf plugins
 *   Cli     see cli_plugin.c
@ -135,14 +145,41 @@ typedef int (plgextension_t)(clicon_handle h, yang_stmt *yext, yang_stmt *ys);
 /*! Called by restconf on each incoming request to check credentials and return username
 */

-/* Plugin authorization. Set username option (or not)
- * @param[in]  Clicon handle
- * @param[in]  void*, eg Fastcgihandle request restconf
- * @retval  -1 Fatal error
- * @retval   0 Credential not OK
- * @retval   1 Credential OK
+/*! Plugin callback for authenticating messages (for restconf)
+ *
+ * Given a message (its headers) and authentication type, determine if the message
+ * passes authentication.
+ *
+ * If the message is not authenticated, an error message is returned with tag: "access denied" and 
+ * HTTP error code 401 Unauthorized  - Client is not authenticated
+ *
+ * If the message is authenticated, a user is associated with the message. This user can be derived
+ * from the headers or mapped in an application-dependent way. This user is used internally in Clixon and
+ * sent via the IPC protocol to the backend where it may be used for NACM authorization.
+ *
+ * The auth-type parameter specifies how the authentication is made and what default value is:
+ *  none:        Message is authenticated. No callback is called, authenticated user is set to special user
+ *               "none". Typically assumes NACM is not enabled.
+ *  client-cert: Default: Set to authenticated and extract the username from the SSL_CN parameter
+ *               A callback can revise this behavior
+ *  user:        Default: Message is not authenticated (401 returned)
+ *               Typically done by basic auth, eg HTTP_AUTHORIZATION header, and verify password
+ * 
+ * If there are multiple callbacks, the first result which is not "ignore" is returned. This is to allow for
+ * different callbacks registering different classes, or grouping of authentication.
+ *
+ * @param[in]  h         Clicon handle
+ * @param[in]  req       Per-message request www handle to use with restconf_api.h
+ * @param[in]  auth_type Authentication type: none, user-defined, or client-cert
+ * @param[out] authp     0: Credentials failed, no user set (401 returned). 1: Credentials OK and user set
+ * @param[out] userp     The associated user, malloced by plugin. Only if retval is 1/OK and authp=1, 
+ * @retval    -1         Fatal error
+ * @retval     0         Ignore, undecided, not handled, same as no callback
+ * @retval     1         OK, see auth parameter on result.
+ *
+ * @note user should be freed by caller
 */
-typedef int (plgauth_t)(clicon_handle, void *);
+typedef int (plgauth_t)(clicon_handle h, void *req, clixon_auth_type_t auth_type, int *authp, char **userp);

 /*! Reset system status 
 * @param[in]  h   Clicon handle
@ -305,8 +342,7 @@ int clixon_plugin_start_all(clicon_handle h);
 int clixon_plugin_exit_one(clixon_plugin *cp, clicon_handle h);
 int clixon_plugin_exit_all(clicon_handle h);

-int clixon_plugin_auth_one(clixon_plugin *cp, clicon_handle h, void *arg);
-int clixon_plugin_auth_all(clicon_handle h, void *arg);
+int clixon_plugin_auth_all(clicon_handle h, void *req, clixon_auth_type_t auth_type, int *authp, char **userp);

 int clixon_plugin_extension_one(clixon_plugin *cp, clicon_handle h, yang_stmt *yext, yang_stmt *ys);
 int clixon_plugin_extension_all(clicon_handle h, yang_stmt *yext, yang_stmt *ys);
@ -324,4 +360,8 @@ int upgrade_callback_reg_fn(clicon_handle h, clicon_upgrade_cb cb, const char *s
 int upgrade_callback_delete_all(clicon_handle h);
 int upgrade_callback_call(clicon_handle h, cxobj *xt, char *ns, uint16_t op, uint32_t from, uint32_t to, cbuf *cbret);

+const clixon_auth_type_t clixon_auth_type_str2int(char *auth_type);
+const char *clixon_auth_type_int2str(clixon_auth_type_t auth_type);
+
+
 #endif  /* _CLIXON_PLUGIN_H_ */
--- a/lib/src/clixon_plugin.c
+++ b/lib/src/clixon_plugin.c
@ -46,6 +46,7 @@
 #include <dlfcn.h>
 #include <dirent.h>
 #include <syslog.h>
+#include <assert.h>

 #include <sys/stat.h>
 #include <sys/param.h>
@ -55,6 +56,7 @@

 #include "clixon_err.h"
 #include "clixon_queue.h"
+#include "clixon_string.h"
 #include "clixon_hash.h"
 #include "clixon_log.h"
 #include "clixon_file.h"
@ -462,73 +464,91 @@ clixon_plugin_exit_all(clicon_handle h)
 }

 /*! Run the restconf user-defined credentials callback 
- * @param[in]  cp   Plugin handle
- * @param[in]  h    Clicon handle
- * @param[in]  arg  Argument, such as fastcgi handler for restconf
- * @retval    -1    Error
- * @retval     0    Not authenticated
- * @retval     1    Authenticated 
+ * @param[in]  h         Clicon handle
+ * @param[in]  req       Per-message request www handle to use with restconf_api.h
+ * @param[in]  auth_type Authentication type: none, user-defined, or client-cert
+ * @param[out] authp     0: Credentials failed, no user set (401 returned). 1: Credentials OK and user set
+ * @param[out] userp     The associated user, malloced by plugin. Only if retval is 1/OK and authp=1, 
+ * @retval    -1         Fatal error
+ * @retval     0         Ignore, undecided, not handled, same as no callback
+ * @retval     1         OK, see auth parameter on result.
 * @note If authenticated either a callback was called and clicon_username_set() 
 *       Or no callback was found.
 */
-int
-clixon_plugin_auth_one(clixon_plugin *cp,
-		       clicon_handle h, 
-		       void         *arg)
+static int
+clixon_plugin_auth_one(clixon_plugin     *cp,
+		       clicon_handle      h, 
+		       void              *req,
+		       clixon_auth_type_t auth_type,
+		       int               *authp,
+		       char             **userp)
 {
-    int        retval = 1;  /* Authenticated */
+    int        retval = -1; 
    plgauth_t *fn;          /* Plugin auth */

+    clicon_debug(1, "%s", __FUNCTION__);
    if ((fn = cp->cp_api.ca_auth) != NULL){
-	if ((retval = fn(h, arg)) < 0) {
+	if ((retval = fn(h, req, auth_type, authp, userp)) < 0) {
 	    if (clicon_errno < 0) 
 		clicon_log(LOG_WARNING, "%s: Internal error: Auth callback in plugin: %s returned -1 but did not make a clicon_err call",
 			   __FUNCTION__, cp->cp_name);
 	    goto done;
 	}
    }
+    else
+	retval = 0; /* Ignored / no callback */
 done:
+    clicon_debug(1, "%s retval:%d user:%s", __FUNCTION__, retval, *userp);
    return retval;
 }

 /*! Run the restconf user-defined credentials callback for all plugins
 * Find first authentication callback and call that, then return.
 * The callback is to set the authenticated user
- * @param[in]  cp      Plugin handle
- * @param[in]  h    Clicon handle
- * @param[in]  arg  Argument, such as fastcgi handler for restconf
- * @retval    -1    Error
- * @retval     0    Not authenticated
- * @retval     1    Authenticated 
- * @note If authenticated either a callback was called and clicon_username_set() 
- *       Or no callback was found.
+ * @param[in]  h         Clicon handle
+ * @param[in]  req       Per-message request www handle to use with restconf_api.h
+ * @param[in]  auth_type Authentication type: none, user-defined, or client-cert
+ * @param[out] authp     0: Credentials failed, no user set (401 returned). 1: Credentials OK and user set
+ * @param[out] userp     The associated user, malloced by plugin. Only if retval is 1/OK and authp=1, 
+ * @retval    -1         Fatal error
+ * @retval     0         Ignore, undecided, not handled, same as no callback
+ * @retval     1         OK, see auth parameter on result.
 */
 int
-clixon_plugin_auth_all(clicon_handle h, 
-		       void         *arg)
+clixon_plugin_auth_all(clicon_handle      h, 
+		       void              *req,
+		       clixon_auth_type_t auth_type,
+		       int               *authp,
+		       char             **userp)
 {
    int            retval = -1;
    clixon_plugin *cp = NULL;
-    int            i = 0;
-    int            ret;
+    int            ret = 0; 
    
+    clicon_debug(1, "%s", __FUNCTION__);
+    if (authp == NULL || userp == NULL){
+	clicon_err(OE_PLUGIN, EINVAL, "Output parameter is NULL");
+	goto done;
+    }    
+    *authp = -1;
+    *userp = NULL;
+    ret = 0; /* ignore */
    while ((cp = clixon_plugin_each(h, cp)) != NULL) {
-	i++;
-	if ((ret = clixon_plugin_auth_one(cp, h, arg)) < 0)
+	if ((ret = clixon_plugin_auth_one(cp, h, req, auth_type, authp, userp)) < 0)
 	    goto done;
 	if (ret == 1)
-	    goto authenticated;
-	break;
+	    break; /* result, not ignored */
+	/* ret == 0, ignore try next */
+    }
+    retval = ret;
+    if (retval == 1){
+	assert(*authp != -1);
+	if (*authp == 1)
+	    assert(*userp != NULL);
    }
-    if (i==0)
-	retval = 1;
-    else
-	retval = 0;
 done:
+    clicon_debug(1, "%s retval:%d", __FUNCTION__, retval);
    return retval;
- authenticated:
-    retval = 1;
-    goto done;
 }

 /*! Callback for a yang extension (unknown) statement single plugin
@ -931,3 +951,29 @@ upgrade_callback_call(clicon_handle h,
    goto done;
 }

+/* Authentication type
+ * @see http-auth-type in clixon-restconf.yang
+ * @see restconf_media_str2int
+ */
+static const map_str2int clixon_auth_type[] = {
+    {"none",               CLIXON_AUTH_NONE},
+    {"client-certificate", CLIXON_AUTH_CLIENT_CERTIFICATE},
+    {"user",               CLIXON_AUTH_USER},
+    {NULL,                 -1}
+};
+
+/*! Translate from string to auth-type
+ */
+const clixon_auth_type_t
+clixon_auth_type_str2int(char *auth_type)
+{
+    return clicon_str2int(clixon_auth_type, auth_type);
+}
+
+/*! Translate from auth-type to string
+ */
+const char *
+clixon_auth_type_int2str(clixon_auth_type_t auth_type)
+{
+    return clicon_int2str(clixon_auth_type, auth_type);
+}