* Restconf authentication callback (ca_auth) signature changed

* Not backward compatible: All uses of the ca-auth callback in restconf plugins must be changed * New version is: `int ca_auth(h, req, auth_type, authp, userp)` * where `auth_type` is the requested authentication-type (none, client-cert or user-defined) * `authp` is the returned authentication flag * `userp` is the returned associated authenticated user * and the return value is three-valued: -1: Error, 0: ignored, 1: OK * For more info see [clixon-docs](https://clixon-docs.readthedocs.io/en/latest/restconf.html) * New clixon-restconf@2020-12-30.yang revision
2021-02-09 21:15:54 +01:00 · 2021-02-09 21:15:54 +01:00 · 710fc76887
commit 710fc76887
parent 1f0147f996
54 changed files with 1216 additions and 485 deletions
--- a/yang/clixon/Makefile.in
+++ b/yang/clixon/Makefile.in
@ -45,7 +45,7 @@ YANGSPECS	 = clixon-config@2020-12-30.yang
 YANGSPECS	+= clixon-lib@2020-12-30.yang
 YANGSPECS	+= clixon-rfc5277@2008-07-01.yang
 YANGSPECS	+= clixon-xml-changelog@2019-03-21.yang
-YANGSPECS	+= clixon-restconf@2020-10-30.yang
+YANGSPECS	+= clixon-restconf@2020-12-30.yang

 APPNAME	        = clixon  # subdir ehere these files are installed

--- a/yang/clixon/clixon-restconf@2020-12-30.yang
+++ b/yang/clixon/clixon-restconf@2020-12-30.yang
@ -0,0 +1,160 @@
+module clixon-restconf {
+    yang-version 1.1;
+    namespace "http://clicon.org/restconf";
+    prefix "clrc";
+
+    import ietf-inet-types {
+	prefix inet;
+    }
+
+    organization
+	"Clixon";
+
+    contact
+	"Olof Hagsand <olof@hagsand.se>";
+
+    description
+	"This YANG module provides a data-model for the Clixon RESTCONF daemon.
+       ***** BEGIN LICENSE BLOCK *****
+       Copyright (C) 2020 Olof Hagsand and Rubicon Communications, LLC(Netgate)
+       
+       This file is part of CLIXON
+
+       Licensed under the Apache License, Version 2.0 (the \"License\");
+       you may not use this file except in compliance with the License.
+       You may obtain a copy of the License at
+            http://www.apache.org/licenses/LICENSE-2.0
+       Unless required by applicable law or agreed to in writing, software
+       distributed under the License is distributed on an \"AS IS\" BASIS,
+       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+       See the License for the specific language governing permissions and
+       limitations under the License.
+
+       Alternatively, the contents of this file may be used under the terms of
+       the GNU General Public License Version 3 or later (the \"GPL\"),
+       in which case the provisions of the GPL are applicable instead
+       of those above. If you wish to allow use of your version of this file only
+       under the terms of the GPL, and not to allow others to
+       use your version of this file under the terms of Apache License version 2, 
+       indicate your decision by deleting the provisions above and replace them with
+       the notice and other provisions required by the GPL. If you do not delete
+       the provisions above, a recipient may use your version of this file under
+       the terms of any one of the Apache License version 2 or the GPL.
+
+       ***** END LICENSE BLOCK *****";
+
+    revision 2020-12-30 {
+	description
+	    "Added: debug field
+             Added 'none' as default value for auth-type
+             Changed http-auth-type enum from 'password' to 'user'";
+    }
+    revision 2020-10-30 {
+	description
+	    "Initial release";
+    }
+    typedef http-auth-type {
+	type enumeration {
+	    enum none {
+		description
+		    "Incoming message are set to authenticated by default. No ca-auth callback is called, 
+                     Authenticated user is set to special user 'none'. 
+                     Typically assumes NACM is not enabled.";
+	    }
+	    enum client-certificate {
+		description
+		    "TLS client certificate validation is made on each incoming message. If it passes
+                    the authenticated user is extracted from the SSL_CN parameter
+                     The ca-auth callback can be used to revise this behavior.";
+	    }
+	    enum user {
+		description
+		    "User-defined authentication as defined by the ca-auth callback.
+                     One example is some form of password authentication, such as basic auth.";
+	    }
+	}
+	description
+	    "Enumeration of HTTP authorization types.";
+    }
+    grouping clixon-restconf{
+	description
+	    "HTTP RESTCONF configuration.";
+	leaf enable {
+	    type boolean;
+	    default "false"; 
+	    description
+		"Enables RESTCONF functionality.
+                 Note that starting/stopping of a restconf daemon is different from it being
+                 enabled or not.
+                 For example, if the restconf daemon is under systemd management, the restconf
+                 daemon will only start if enable=true.";
+	}
+	leaf auth-type {
+	    type http-auth-type;
+	    description
+		"The authentication type.
+                 Note client-certificate applies only if ssl-enable is true and socket has ssl";
+	    default none;
+	}
+	leaf server-cert-path {
+	    type string;
+	    description
+		"Path to server certificate file. 
+                 Note only applies if socket has ssl enabled";
+	}
+	leaf server-key-path {
+	    type string;
+	    description
+		"Path to server key file
+                 Note only applies if socket has ssl enabled";
+	}
+	leaf server-ca-cert-path {
+	    type string;
+	    description
+		"Path to server CA cert file
+	         Note only applies if socket has ssl enabled";
+	}
+	leaf debug {
+	    description
+		"Set debug level of restconf daemon. 
+                 0 is no debug, 1 is debugging, more is detailed debug. 
+                 Debug logs will be directed to syslog with
+                    ident: clixon_restconf and PID
+                    facility: LOG_USER
+                    level: LOG_DEBUG";
+	    type uint32;	    
+	    default 0;
+	}
+	list socket {
+	    key "namespace address port";
+	    leaf namespace {
+		type string;
+		description "indicates a namespace for instance. On platforms where namespaces are not suppported, always 'default'";
+	    }
+	    leaf address {
+		type inet:ip-address;
+		description "IP address to bind to";
+	    }
+	    leaf port {
+		type inet:port-number;
+		description "IP port to bind to";
+	    }
+	    leaf ssl {
+		type boolean;
+		default true;
+		description "Enable for HTTPS otherwise HTTP protocol";
+	    }
+	}
+    }
+    container restconf {
+	description
+	    "This presence is strictly not necessary since the enable flag
+             in clixon-restconf is the flag bearing the actual semantics.
+             However, removing the presence leads to default config in all
+             clixon installations, even those which do not use backend-started restconf.
+             One could see this as mostly cosmetically annoying.
+             Alternative would be to make the inclusion of this yang conditional.";
+	presence "Enables RESTCONF";
+	uses clixon-restconf;
+    }
+}