* Restconf authentication callback (ca_auth) signature changed

* Not backward compatible: All uses of the ca-auth callback in restconf plugins must be changed * New version is: `int ca_auth(h, req, auth_type, authp, userp)` * where `auth_type` is the requested authentication-type (none, client-cert or user-defined) * `authp` is the returned authentication flag * `userp` is the returned associated authenticated user * and the return value is three-valued: -1: Error, 0: ignored, 1: OK * For more info see [clixon-docs](https://clixon-docs.readthedocs.io/en/latest/restconf.html) * New clixon-restconf@2020-12-30.yang revision
2021-02-09 21:15:54 +01:00 · 2021-02-09 21:15:54 +01:00 · 710fc76887
commit 710fc76887
parent 1f0147f996
54 changed files with 1216 additions and 485 deletions
--- a/test/lib.sh
+++ b/test/lib.sh
@ -196,11 +196,16 @@ fi
 # Default restconf configuration: http IPv4 
 # Can be placed in clixon-config
 # Note that https clause assumes there exists certs and keys in /etc/ssl,...
-if [ $RCPROTO = http ]; then
-    RESTCONFIG="<restconf><enable>true</enable><auth-type>password</auth-type><socket><namespace>default</namespace><address>0.0.0.0</address><port>80</port><ssl>false</ssl></socket></restconf>"
-else
-    RESTCONFIG="<restconf><enable>true</enable><auth-type>password</auth-type><server-cert-path>/etc/ssl/certs/clixon-server-crt.pem</server-cert-path><server-key-path>/etc/ssl/private/clixon-server-key.pem</server-key-path><server-ca-cert-path>/etc/ssl/certs/clixon-ca-crt.pem</server-ca-cert-path><socket><namespace>default</namespace><address>0.0.0.0</address><port>443</port><ssl>true</ssl></socket></restconf>"
-fi
+function restconf_config()
+{
+    AUTH=$1
+    if [ $RCPROTO = http ]; then
+	RESTCONFIG="<restconf><enable>true</enable><auth-type>$AUTH</auth-type><debug>1</debug><socket><namespace>default</namespace><address>0.0.0.0</address><port>80</port><ssl>false</ssl></socket></restconf>"
+    else
+	RESTCONFIG="<restconf><enable>true</enable><auth-type>$AUTH</auth-type><server-cert-path>/etc/ssl/certs/clixon-server-crt.pem</server-cert-path><server-key-path>/etc/ssl/private/clixon-server-key.pem</server-key-path><server-ca-cert-path>/etc/ssl/certs/clixon-ca-crt.pem</server-ca-cert-path><debug>1</debug><socket><namespace>default</namespace><address>0.0.0.0</address><port>443</port><ssl>true</ssl></socket></restconf>"
+    fi
+}
+

 # Some tests may set owner of testdir to something strange and quit, need
 # to reset to me
@ -374,7 +379,7 @@ function new(){
 # Evaluate and return
 # Example: expectpart $(fn arg) 0 "my return" -- "foo"
 # - evaluated expression
-# - expected command return value (0 if OK)
+# - expected command return value (0 if OK) or list of values, eg "55 56"
 # - expected stdout outcome*
 # - the token "--not--"
 # - not expected stdout outcome*
@ -391,10 +396,24 @@ function expectpart(){
 #  echo "ret:\"$ret\""
 #  echo "retval:$retval"
 #  echo "expect:\"$expect\""
-  if [ $r != $retval ]; then
-      echo -e "\e[31m\nError ($r != $retval) in Test$testnr [$testname]:"
-      echo -e "\e[0m:"
-      exit -1
+  if [ "$retval" -eq "$retval" 2> /dev/null ] ; then # single retval
+      if [ $r != $retval ]; then 
+	  echo -e "\e[31m\nError ($r != $retval) in Test$testnr [$testname]:"
+	  echo -e "\e[0m:"
+	  exit -1
+      fi
+  else # List of retvals
+      found=0
+      for rv in $retval; do
+	  if [ $r == $rv ]; then 
+	      found=1
+	  fi
+      done
+      if [ $found -eq 0 ]; then
+	  echo -e "\e[31m\nError ($r != $retval) in Test$testnr [$testname]:"
+	  echo -e "\e[0m:"
+	  exit -1
+      fi
  fi
  if [ -z "$ret" -a -z "$expect" ]; then
      return
--- a/test/test_api.sh
+++ b/test/test_api.sh
@ -24,6 +24,9 @@ if [ ! -d $pdir ]; then
    mkdir $pdir
 fi

+# Define default restconfig config: RESTCONFIG
+restconf_config none
+
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>/tmp/conf_yang.xml</CLICON_CONFIGFILE>
@ -273,4 +276,7 @@ stop_backend -f $cfg
 # unset conditional parameters 
 unset format

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir
--- a/test/test_augment.sh
+++ b/test/test_augment.sh
@ -23,6 +23,9 @@ cfg=$dir/conf_yang.xml
 fyang=$dir/main.yang
 fyang2=$dir/ietf-interfaces@2019-03-04.yang

+# Define default restconfig config: RESTCONFIG
+restconf_config none
+
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
@ -273,4 +276,7 @@ if [ $BE -ne 0 ]; then
    stop_backend -f $cfg
 fi

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir
--- a/test/test_choice.sh
+++ b/test/test_choice.sh
@ -14,6 +14,9 @@ APPNAME=example
 cfg=$dir/choice.xml
 fyang=$dir/type.yang

+# Define default restconfig config: RESTCONFIG
+restconf_config none
+
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
@ -298,4 +301,7 @@ fi
 # kill backend
 stop_backend -f $cfg

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir
--- a/test/test_client.sh
+++ b/test/test_client.sh
@ -21,6 +21,9 @@ if [ ! -d $pdir ]; then
    mkdir $pdir
 fi

+# Define default restconfig config: RESTCONFIG
+restconf_config none
+
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
@ -171,4 +174,7 @@ stop_backend -f $cfg
 # unset conditional parameters 
 unset format

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir
--- a/test/test_copy_config.sh
+++ b/test/test_copy_config.sh
@ -29,6 +29,9 @@ cfg=$dir/conf_yang.xml

 # Use yang in example

+# Define default restconfig config: RESTCONFIG
+restconf_config none
+
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
@ -188,4 +191,7 @@ if [ $BE -ne 0 ]; then
    stop_backend -f $cfg
 fi

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir
--- a/test/test_identity.sh
+++ b/test/test_identity.sh
@ -10,6 +10,9 @@ APPNAME=example
 cfg=$dir/conf_yang.xml
 fyang=$dir/example-my-crypto.yang

+# Define default restconfig config: RESTCONFIG
+restconf_config none
+
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
@ -334,4 +337,7 @@ fi

 endtest

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir
--- a/test/test_nacm.sh
+++ b/test/test_nacm.sh
@ -17,6 +17,9 @@ APPNAME=example
 cfg=$dir/conf_yang.xml
 fyang=$dir/nacm-example.yang

+# Define default restconfig config: RESTCONFIG
+restconf_config user
+
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
@ -132,8 +135,8 @@ if [ $RC -ne 0 ]; then
    new "kill old restconf daemon"
    stop_restconf_pre

-    new "start restconf daemon (-a is enable basic authentication)"
-    start_restconf -f $cfg -- -a
+    new "start restconf daemon"
+    start_restconf -f $cfg

    new "waiting"
    wait_restconf
@ -202,4 +205,7 @@ fi
 # kill backend
 stop_backend -f $cfg

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir
--- a/test/test_nacm_datanode.sh
+++ b/test/test_nacm_datanode.sh
@ -45,6 +45,9 @@ cfg=$dir/conf_yang.xml
 fyang=$dir/nacm-example.yang
 fyang2=$dir/itf.yang

+# Define default restconfig config: RESTCONFIG
+restconf_config user
+
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
@ -232,8 +235,8 @@ if [ $RC -ne 0 ]; then
    new "kill old restconf daemon"
    stop_restconf_pre

-    new "start restconf daemon (-a is enable basic authentication)"
-    start_restconf -f $cfg -- -a
+    new "start restconf daemon"
+    start_restconf -f $cfg

    new "waiting"
    wait_restconf
@ -332,4 +335,7 @@ fi
 # kill backend
 stop_backend -f $cfg

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir
--- a/test/test_nacm_datanode_paths.sh
+++ b/test/test_nacm_datanode_paths.sh
@ -17,6 +17,9 @@ APPNAME=example
 cfg=$dir/conf_yang.xml
 fyang=$dir/nacm-example.yang

+# Define default restconfig config: RESTCONFIG
+restconf_config user
+
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
@ -106,8 +109,8 @@ if [ $RC -ne 0 ]; then
    new "kill old restconf daemon"
    stop_restconf_pre
    
-    new "start restconf daemon (-a is enable basic authentication)"
-    start_restconf -f $cfg -- -a
+    new "start restconf daemon"
+    start_restconf -f $cfg

    new "waiting"
    wait_restconf
@ -165,4 +168,7 @@ if [ $BE -ne 0 ]; then     # Bring your own backend
    stop_backend -f $cfg
 fi

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir
--- a/test/test_nacm_datanode_read.sh
+++ b/test/test_nacm_datanode_read.sh
@ -25,6 +25,9 @@ cfg=$dir/conf_yang.xml
 fyang=$dir/nacm-example.yang
 fyang2=$dir/nacm-example2.yang

+# Define default restconfig config: RESTCONFIG
+restconf_config user
+
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
@ -237,8 +240,8 @@ if [ $RC -ne 0 ]; then
    new "kill old restconf daemon"
    stop_restconf_pre
    
-    new "start restconf daemon (-a is enable basic authentication)"
-    start_restconf -f $cfg -- -a
+    new "start restconf daemon"
+    start_restconf -f $cfg

    new "waiting"
    wait_restconf
@ -297,4 +300,7 @@ if [ $BE -ne 0 ]; then     # Bring your own backend
    stop_backend -f $cfg
 fi

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir
--- a/test/test_nacm_datanode_write.sh
+++ b/test/test_nacm_datanode_write.sh
@ -17,6 +17,9 @@ APPNAME=example
 cfg=$dir/conf_yang.xml
 fyang=$dir/nacm-example.yang

+# Define default restconfig config: RESTCONFIG
+restconf_config user
+
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
@ -233,8 +236,8 @@ if [ $RC -ne 0 ]; then
    new "kill old restconf daemon"
    stop_restconf_pre
    
-    new "start restconf daemon (-a is enable basic authentication)"
-    start_restconf -f $cfg -- -a
+    new "start restconf daemon"
+    start_restconf -f $cfg

    new "waiting"
    wait_restconf
@ -295,4 +298,7 @@ if [ $BE -ne 0 ]; then     # Bring your own backend
    stop_backend -f $cfg
 fi

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir
--- a/test/test_nacm_default.sh
+++ b/test/test_nacm_default.sh
@ -13,6 +13,9 @@ fyang=$dir/nacm-example.yang
 # Which format to use as datastore format internally
 : ${format:=xml}

+# Define default restconfig config: RESTCONFIG
+restconf_config user
+
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
@ -112,8 +115,8 @@ EOF
 	new "kill old restconf daemon"
 	stop_restconf_pre

-	new "start restconf daemon (-a is enable basic authentication)"
-	start_restconf -f $cfg -- -a
+	new "start restconf daemon"
+	start_restconf -f $cfg

 	new "wait restconf"
 	wait_restconf
@ -234,5 +237,8 @@ endtest

 rm -rf $dir

+# Set by restconf_config
+unset RESTCONFIG
+
 # unset conditional parameters 
 unset format
--- a/test/test_nacm_ext.sh
+++ b/test/test_nacm_ext.sh
@ -15,6 +15,9 @@ cfg=$dir/conf_yang.xml
 fyang=$dir/nacm-example.yang
 nacmfile=$dir/nacmfile

+# Define default restconfig config: RESTCONFIG
+restconf_config user
+
 # Note filter out example_backend_nacm.so in CLICON_BACKEND_REGEXP below
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
@ -151,8 +154,8 @@ if [ $RC -ne 0 ]; then
    new "kill old restconf daemon"
    stop_restconf_pre

-    new "start restconf daemon (-a is enable http basic auth)"
-    start_restconf -f $cfg -- -a
+    new "start restconf daemon"
+    start_restconf -f $cfg

    new "waiting"
    wait_restconf
@ -227,4 +230,7 @@ fi
 # kill backend
 stop_backend -f $cfg

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir
--- a/test/test_nacm_module_read.sh
+++ b/test/test_nacm_module_read.sh
@ -18,6 +18,9 @@ APPNAME=example
 cfg=$dir/conf_yang.xml
 fyang=$dir/nacm-example.yang

+# Define default restconfig config: RESTCONFIG
+restconf_config user
+
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
@ -134,8 +137,8 @@ if [ $RC -ne 0 ]; then
    new "kill old restconf daemon"
    stop_restconf_pre

-    new "start restconf daemon (-a is enable basic authentication)"
-    start_restconf -f $cfg -- -a
+    new "start restconf daemon"
+    start_restconf -f $cfg

    new "waiting"
    wait_restconf
@ -270,4 +273,7 @@ fi
 # kill backend
 stop_backend -f $cfg

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir
--- a/test/test_nacm_module_write.sh
+++ b/test/test_nacm_module_write.sh
@ -31,6 +31,9 @@ APPNAME=example
 cfg=$dir/conf_yang.xml
 fyang=$dir/nacm-example.yang

+# Define default restconfig config: RESTCONFIG
+restconf_config user
+
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
@ -153,8 +156,8 @@ if [ $RC -ne 0 ]; then
    new "kill old restconf daemon"
    stop_restconf_pre

-    new "start restconf daemon (-a is enable basic authentication)"
-    start_restconf -f $cfg -- -a
+    new "start restconf daemon"
+    start_restconf -f $cfg

    new "waiting"
    wait_restconf
@ -272,4 +275,7 @@ fi
 # kill backend
 stop_backend -f $cfg

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir
--- a/test/test_nacm_protocol.sh
+++ b/test/test_nacm_protocol.sh
@ -34,6 +34,9 @@ APPNAME=example
 cfg=$dir/conf_yang.xml
 fyang=$dir/nacm-example.yang

+# Define default restconfig config: RESTCONFIG
+restconf_config user
+
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
@ -155,8 +158,8 @@ if [ $RC -ne 0 ]; then
    new "kill old restconf daemon"
    stop_restconf_pre

-    new "start restconf daemon (-a is enable basic authentication)"
-    start_restconf -f $cfg -- -a
+    new "start restconf daemon"
+    start_restconf -f $cfg

    new "waiting"
    wait_restconf
@ -168,7 +171,6 @@ expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><edit-config><target><ca
 new "commit it"
 expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><commit/></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"

-
 new "enable nacm"
 expectpart "$(curl -u andy:bar $CURLOPTS -X PUT -H "Content-Type: application/yang-data+json" -d '{"ietf-netconf-acm:enable-nacm": true}' $RCPROTO://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" 0 "HTTP/1.1 204 No Content"

@ -239,4 +241,7 @@ fi
 # kill backend
 stop_backend -f $cfg

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir 
--- a/test/test_nacm_recovery.sh
+++ b/test/test_nacm_recovery.sh
@ -20,6 +20,9 @@ fyang=$dir/nacm-example.yang

 # cred:none, exact, except

+# Define default restconfig config: RESTCONFIG
+restconf_config user
+
 cat <<EOF > $fyang
 module nacm-example{
  yang-version 1.1;
@ -103,8 +106,8 @@ EOF
 	new "kill old restconf daemon"
 	stop_restconf_pre

-	new "start restconf daemon (-a is enable basic authentication)"
-	start_restconf -f $cfg -- -a
+	new "start restconf daemon"
+	start_restconf -f $cfg

 	new "waiting"
 	wait_restconf
@ -226,4 +229,7 @@ testrun $CRED $REALUSER $PSEUDO $RECOVERY false false

 endtest

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir
--- a/test/test_perf_restconf.sh
+++ b/test/test_perf_restconf.sh
@ -52,6 +52,9 @@ module scaling{
 }
 EOF

+# Define default restconfig config: RESTCONFIG
+restconf_config none
+
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
@ -210,6 +213,9 @@ stop_backend -f $cfg

 rm -rf $dir

+# Set by restconf_config
+unset RESTCONFIG
+
 # unset conditional parameters 
 unset format
 unset perfnr
--- a/test/test_perf_state.sh
+++ b/test/test_perf_state.sh
@ -29,6 +29,9 @@ fyang=$dir/$APPNAME.yang
 fconfig=$dir/large.xml
 fstate=$dir/state.xml

+# Define default restconfig config: RESTCONFIG
+restconf_config none
+
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
@ -214,4 +217,6 @@ unset format
 unset perfnr
 unset perfreq

+# Set by restconf_config
+unset RESTCONFIG

--- a/test/test_perf_state_only.sh
+++ b/test/test_perf_state_only.sh
@ -29,6 +29,9 @@ fyang=$dir/$APPNAME.yang
 fconfig=$dir/large.xml
 fstate=$dir/state.xml

+# Define default restconfig config: RESTCONFIG
+restconf_config none
+
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
@ -198,9 +201,12 @@ fi

 rm -rf $dir

+# Define default restconfig config: RESTCONFIG
+restconf_config none
 # unset conditional parameters 
 unset format
 unset perfnr
 unset perfreq


+
--- a/test/test_restconf.sh
+++ b/test/test_restconf.sh
@ -37,6 +37,57 @@ if [ -d ${TOP_SRCDIR}/yang/clixon ]; then
 else
    cp /usr/local/share/clixon/$y $dir/
 fi
+
+if [ "${WITH_RESTCONF}" = "evhtp" ]; then
+    # Create server certs
+    certdir=$dir/certs
+    srvkey=$certdir/srv_key.pem
+    srvcert=$certdir/srv_cert.pem
+    cakey=$certdir/ca_key.pem # needed?
+    cacert=$certdir/ca_cert.pem
+    test -d $certdir || mkdir $certdir
+    . ./certs.sh
+else
+    # Define default restconfig config: RESTCONFIG
+    restconf_config none
+fi
+
+# This is a fixed 'state' implemented in routing_backend. It is assumed to be always there
+state='{"clixon-example:state":{"op":\["41","42","43"\]}'
+
+if $IPv6; then
+    # For backend config, create 4 sockets, all combinations IPv4/IPv6 + http/https
+    RESTCONFIG1=$(cat <<EOF
+<restconf xmlns="http://clicon.org/restconf">
+   <enable>true</enable>
+   <auth-type>none</auth-type>
+   <server-cert-path>$srvcert</server-cert-path>
+   <server-key-path>$srvkey</server-key-path>
+   <server-ca-cert-path>$cakey</server-ca-cert-path>
+   <socket><namespace>default</namespace><address>0.0.0.0</address><port>80</port><ssl>false</ssl></socket>
+   <socket><namespace>default</namespace><address>0.0.0.0</address><port>443</port><ssl>true</ssl></socket>
+   <socket><namespace>default</namespace><address>::</address><port>80</port><ssl>false</ssl></socket>
+   <socket><namespace>default</namespace><address>::</address><port>443</port><ssl>true</ssl></socket>
+</restconf>
+EOF
+)
+else
+       # For backend config, create 4 sockets, all combinations IPv4/IPv6 + http/https
+    RESTCONFIG1=$(cat <<EOF
+<restconf xmlns="http://clicon.org/restconf">
+   <enable>true</enable>
+   <auth-type>none</auth-type>
+   <server-cert-path>$srvcert</server-cert-path>
+   <server-key-path>$srvkey</server-key-path>
+   <server-ca-cert-path>$cakey</server-ca-cert-path>
+   <socket><namespace>default</namespace><address>0.0.0.0</address><port>80</port><ssl>false</ssl></socket>
+   <socket><namespace>default</namespace><address>0.0.0.0</address><port>443</port><ssl>true</ssl></socket>
+</restconf>
+EOF
+)
+fi
+
+# Start with common config, then append fcgi/evhtp specific config
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
@ -54,54 +105,10 @@ cat <<EOF > $cfg
  <CLICON_BACKEND_PIDFILE>/usr/local/var/$APPNAME/$APPNAME.pidfile</CLICON_BACKEND_PIDFILE>
  <CLICON_XMLDB_DIR>/usr/local/var/$APPNAME</CLICON_XMLDB_DIR>
  <CLICON_MODULE_LIBRARY_RFC7895>true</CLICON_MODULE_LIBRARY_RFC7895>
+  $RESTCONFIG <!-- only fcgi -->
 </clixon-config>
 EOF

-if [ "${WITH_RESTCONF}" = "evhtp" ]; then
-    # Create server certs
-    certdir=$dir/certs
-    srvkey=$certdir/srv_key.pem
-    srvcert=$certdir/srv_cert.pem
-    cakey=$certdir/ca_key.pem # needed?
-    cacert=$certdir/ca_cert.pem
-    test -d $certdir || mkdir $certdir
-    . ./certs.sh
-fi
-
-# This is a fixed 'state' implemented in routing_backend. It is assumed to be always there
-state='{"clixon-example:state":{"op":\["41","42","43"\]}'
-
-if $IPv6; then
-    # For backend config, create 4 sockets, all combinations IPv4/IPv6 + http/https
-    RESTCONFIG=$(cat <<EOF
-<restconf xmlns="http://clicon.org/restconf">
-   <enable>true</enable>
-   <auth-type>password</auth-type>
-   <server-cert-path>$srvcert</server-cert-path>
-   <server-key-path>$srvkey</server-key-path>
-   <server-ca-cert-path>$cakey</server-ca-cert-path>
-   <socket><namespace>default</namespace><address>0.0.0.0</address><port>80</port><ssl>false</ssl></socket>
-   <socket><namespace>default</namespace><address>0.0.0.0</address><port>443</port><ssl>true</ssl></socket>
-   <socket><namespace>default</namespace><address>::</address><port>80</port><ssl>false</ssl></socket>
-   <socket><namespace>default</namespace><address>::</address><port>443</port><ssl>true</ssl></socket>
-</restconf>
-EOF
-)
-else
-       # For backend config, create 4 sockets, all combinations IPv4/IPv6 + http/https
-    RESTCONFIG=$(cat <<EOF
-<restconf xmlns="http://clicon.org/restconf">
-   <enable>true</enable>
-   <auth-type>password</auth-type>
-   <server-cert-path>$srvcert</server-cert-path>
-   <server-key-path>$srvkey</server-key-path>
-   <server-ca-cert-path>$cakey</server-ca-cert-path>
-   <socket><namespace>default</namespace><address>0.0.0.0</address><port>80</port><ssl>false</ssl></socket>
-   <socket><namespace>default</namespace><address>0.0.0.0</address><port>443</port><ssl>true</ssl></socket>
-</restconf>
-EOF
-)
-fi

 # Restconf test routine with arguments:
 # 1. proto:http/https
@ -132,7 +139,7 @@ function testrun()
    wait_backend

    new "netconf edit config"
-    expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><edit-config><target><candidate/></target><config>$RESTCONFIG</config></edit-config></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
+    expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><edit-config><target><candidate/></target><config>$RESTCONFIG1</config></edit-config></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"

    new "netconf commit"
    expecteof "$clixon_netconf -qf $cfg" 0 "<rpc $DEFAULTNS><commit/></rpc>]]>]]>" "^<rpc-reply $DEFAULTNS><ok/></rpc-reply>]]>]]>$"
@ -403,4 +410,8 @@ done
 # unset conditional parameters
 unset RCPROTO

+# Set by restconf_config
+unset RESTCONFIG
+unset RESTCONFIG1
+
 rm -rf $dir
--- a/test/test_restconf2.sh
+++ b/test/test_restconf2.sh
@ -12,6 +12,9 @@ APPNAME=example
 cfg=$dir/conf.xml
 fyang=$dir/restconf.yang

+# Define default restconfig config: RESTCONFIG
+restconf_config none
+
 #  <CLICON_YANG_MODULE_MAIN>example</CLICON_YANG_MODULE_MAIN>
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
@ -219,4 +222,7 @@ fi
 # kill backend
 stop_backend -f $cfg

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir
--- a/test/test_restconf_err.sh
+++ b/test/test_restconf_err.sh
@ -30,6 +30,9 @@ fyang2=$dir/augment.yang
 fxml=$dir/initial.xml
 fstate=$dir/state.xml

+# Define default restconfig config: RESTCONFIG
+restconf_config none
+
 #  <CLICON_YANG_MODULE_MAIN>example</CLICON_YANG_MODULE_MAIN>
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
@ -256,4 +259,7 @@ fi
 # kill backend
 stop_backend -f $cfg

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir
--- a/test/test_restconf_jukebox.sh
+++ b/test/test_restconf_jukebox.sh
@ -23,6 +23,9 @@ cat <<EOF > $dir/example-system.yang
   }
 EOF

+# Define default restconfig config: RESTCONFIG
+restconf_config none
+
 #  <CLICON_YANG_MODULE_MAIN>example</CLICON_YANG_MODULE_MAIN>
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
@ -267,4 +270,7 @@ fi
 # kill backend
 stop_backend -f $cfg

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir
--- a/test/test_restconf_listkey.sh
+++ b/test/test_restconf_listkey.sh
@ -10,6 +10,9 @@ APPNAME=example
 cfg=$dir/conf.xml
 fyang=$dir/list.yang

+# Define default restconfig config: RESTCONFIG
+restconf_config none
+
 #  <CLICON_YANG_MODULE_MAIN>example</CLICON_YANG_MODULE_MAIN>
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
@ -182,4 +185,7 @@ fi
 # kill backend
 stop_backend -f $cfg

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir
--- a/test/test_restconf_netns.sh
+++ b/test/test_restconf_netns.sh
@ -41,7 +41,7 @@ test -d $certdir || mkdir $certdir
 RESTCONFIG=$(cat <<EOF
 <restconf>
   <enable>true</enable>
-   <auth-type>password</auth-type>
+   <auth-type>none</auth-type>
   <server-cert-path>$srvcert</server-cert-path>
   <server-key-path>$srvkey</server-key-path>
   <server-ca-cert-path>$cakey</server-ca-cert-path>
--- a/test/test_restconf_notifications.sh
+++ b/test/test_restconf_notifications.sh
@ -41,6 +41,9 @@ cfg=$dir/conf.xml
 fyang=$dir/stream.yang
 xml=$dir/xml.xml

+# Define default restconfig config: RESTCONFIG
+restconf_config none
+
 #  <CLICON_YANG_MODULE_MAIN>example</CLICON_YANG_MODULE_MAIN>
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
@ -63,6 +66,7 @@ cat <<EOF > $cfg
  <CLICON_STREAM_PATH>streams</CLICON_STREAM_PATH>
  <CLICON_STREAM_URL>https://localhost</CLICON_STREAM_URL>
  <CLICON_STREAM_RETENTION>60</CLICON_STREAM_RETENTION>
+  $RESTCONFIG
 </clixon-config>
 EOF

@ -285,6 +289,9 @@ fi

 rm -rf $dir

+# Set by restconf_config
+unset RESTCONFIG
+
 # unset conditional parameters 
 unset clixon_util_stream
 unset nr
--- a/test/test_restconf_patch.sh
+++ b/test/test_restconf_patch.sh
@ -3,6 +3,7 @@
 # Use nacm module in example/main/example_restconf.c hardcoded to
 # andy:bar and wilma:bar

+
 # Magic line must be first in script (see README.md)
 s="$_" ; . ./lib.sh || if [ "$s" = $0 ]; then exit 0; else return 0; fi

@ -12,6 +13,9 @@ cfg=$dir/conf.xml
 startupdb=$dir/startup_db
 fjukebox=$dir/example-jukebox.yang

+# Define default restconfig config: RESTCONFIG
+restconf_config user
+
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
@ -116,8 +120,8 @@ if [ $RC -ne 0 ]; then
    new "kill old restconf daemon"
    stop_restconf_pre

-    new "start restconf daemon (-a is enable basic authentication)"
-    start_restconf -f $cfg -- -a 
+    new "start restconf daemon"
+    start_restconf -f $cfg

    new "waiting restconf"
    wait_restconf
@ -173,8 +177,8 @@ if [ $RC -ne 0 ]; then
    new "kill old restconf daemon"
    stop_restconf_pre
 	
-    new "start restconf daemon (-a is enable basic authentication)"
-    start_restconf -f $cfg -- -a 
+    new "start restconf daemon"
+    start_restconf -f $cfg

    new "waiting"
    wait_restconf
@ -260,4 +264,7 @@ fi
 # kill backend
 stop_backend -f $cfg

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir
--- a/test/test_restconf_rpc.sh
+++ b/test/test_restconf_rpc.sh
@ -16,6 +16,9 @@ APPNAME=example
 cfg=$dir/conf.xml
 startupdb=$dir/startup_db

+# Define default restconfig config: RESTCONFIG
+restconf_config none
+
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
@ -324,5 +327,8 @@ sleep $DEMWAIT # Lots of processes need to die before next test
 new "endtest"
 endtest

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir

--- a/test/test_restconf_ssl_certs.sh
+++ b/test/test_restconf_ssl_certs.sh
@ -33,6 +33,8 @@ cacert=$certdir/ca_cert.pem

 users="andy guest" # generate certs for some users in nacm.sh

+xusers="limited"   # Set invalid cert
+
 # Whether to generate new keys or not (only if $dir is not removed)
 # Here dont generate keys if restconf started stand-alone (RC=0)
 : ${genkeys:=true}
@ -95,7 +97,7 @@ if $genkeys; then
    . ./certs.sh

    # create client certs
-    for name in $users; do
+    for name in $users $xusers; do
 	cat<<EOF > $dir/$name.cnf
 [req]
 prompt = no
@ -117,6 +119,10 @@ EOF
 	openssl x509 -req -extfile $dir/$name.cnf -days 1 -passin "pass:password" -in $certdir/$name.csr -CA $cacert -CAkey $cakey -CAcreateserial -out $certdir/$name.crt
    done # client key

+    # invalid
+    for name in $xusers; do
+	openssl x509 -req -extfile $dir/$name.cnf -days 0 -passin "pass:password" -in $certdir/$name.csr -CA $cacert -CAkey $cakey -CAcreateserial -out $certdir/$name.crt
+    done # invalid
 fi # genkeys

 # Write local config
@ -145,6 +151,7 @@ cat <<EOF > $cfg
     <server-cert-path>$srvcert</server-cert-path>
     <server-key-path>$srvkey</server-key-path>
     <server-ca-cert-path>$cacert</server-ca-cert-path>
+     <!--debug>1</debug-->
     <socket>
        <namespace>default</namespace>
        <address>0.0.0.0</address>
@ -181,8 +188,8 @@ EOF
    if [ $RC -ne 0 ]; then
 	new "kill old restconf daemon"
 	stop_restconf_pre
-	new "start restconf daemon -s -c  -- -s"
-	start_restconf -f $cfg -- -s
+	new "start restconf daemon -s -c"
+	start_restconf -f $cfg
    fi

    new "wait for restconf"
@ -203,6 +210,18 @@ EOF
    new "admin get x 42"
    expectpart "$(curl $CURLOPTS --key $certdir/andy.key --cert $certdir/andy.crt -X GET $RCPROTO://localhost/restconf/data/example:x)" 0 "HTTP/1.1 200 OK" '{"example:x":42}'

+    # Negative tests
+    new "Unknown yyy no cert get x 42"
+    echo "dummy" > $certdir/yyy.key
+    echo "dummy" > $certdir/yyy.crt
+    expectpart "$(curl $CURLOPTS --key $certdir/yyy.key --cert $certdir/yyy.crt -X GET $RCPROTO://localhost/restconf/data/example:x 2>&1)" 58 " could not load PEM client certificate"
+
+    new "Certificate required"
+    expectpart "$(curl $CURLOPTS -X GET $RCPROTO://localhost/restconf/data/example:x 2>&1)" "55 56"
+
+    new "limited invalid cert"
+    expectpart "$(curl $CURLOPTS --key $certdir/limited.key --cert $certdir/limited.crt -X GET $RCPROTO://localhost/restconf/data/example:x 2>&1)" 56 "certificate expired"
+
    if [ $RC -ne 0 ]; then
 	new "Kill restconf daemon"
 	stop_restconf
@ -226,3 +245,5 @@ rm -rf $dir

 # unset conditional parameters
 unset RCPROTO
+
+endtest
--- a/test/test_restconf_startup.sh
+++ b/test/test_restconf_startup.sh
@ -34,6 +34,9 @@ EOF

 # Use yang in example

+# Define default restconfig config: RESTCONFIG
+restconf_config none
+
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
@ -128,4 +131,7 @@ if [ -f $dir/startup_db ]; then
    err "startup should not exist"
 fi

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir
--- a/test/test_rpc.sh
+++ b/test/test_rpc.sh
@ -13,6 +13,9 @@ APPNAME=example

 cfg=$dir/conf.xml

+# Define default restconfig config: RESTCONFIG
+restconf_config none
+
 # Use yang in example
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
@ -199,4 +202,7 @@ fi
 # kill backend
 stop_backend -f $cfg

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir
--- a/test/test_submodule.sh
+++ b/test/test_submodule.sh
@ -27,6 +27,9 @@ fextra=$dir/extra.yang       # Referenced from main (with same prefix)
 fextra1=$dir/extra1.yang     # Referenced from sub1
 fextra2=$dir/extra2.yang     # Referenced from sub2

+# Define default restconfig config: RESTCONFIG
+restconf_config none
+
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
@ -238,4 +241,7 @@ fi
 stop_backend -f $cfg
 sudo pkill -u root -f clixon_backend

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir
--- a/test/test_yang_anydata.sh
+++ b/test/test_yang_anydata.sh
@ -21,6 +21,9 @@ fanydata=$dir/yang/anydata.yang
 funknown=$dir/yang/unknown.yang 
 fstate=$dir/state.xml

+# Define default restconfig config: RESTCONFIG
+restconf_config none
+
 cat <<EOF > $fanydata
 module any{
   yang-version 1.1;
@ -277,4 +280,7 @@ testrun false true
 new "startup, treat unknown as anydata----"
 testrun true true

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir
--- a/test/test_yang_namespace.sh
+++ b/test/test_yang_namespace.sh
@ -13,6 +13,9 @@ cfg=$dir/conf_yang.xml
 fyang1=$dir/example1.yang
 fyang2=$dir/example2.yang

+# Define default restconfig config: RESTCONFIG
+restconf_config none
+
 cat <<EOF > $cfg
 <clixon-config xmlns="http://clicon.org/config">
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
@ -141,4 +144,7 @@ if [ $BE -ne 0 ]; then
    stop_backend -f $cfg
 fi

+# Set by restconf_config
+unset RESTCONFIG
+
 rm -rf $dir