experiments/clixon
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

NACM datanode write rules have been changed from looking at datastore being chekend (eg running/candidate/startup) to *only* look at running.

Browse source 
Fixed: NACM datanode write problem: read/write/exec default rules did not work.
This commit is contained in:
Olof hagsand 2020-03-12 14:58:30 +01:00
parent 78aac85b18
commit 71efe18f94
11 changed files with 205 additions and 158 deletions
Download patch file Download diff file Expand all files Collapse all files

2
CHANGELOG.md
View file

@ -39,6 +39,7 @@ Expected: Early March 2020
[search](https://clixon-docs.readthedocs.io/en/latest/xml.html#searching-in-xml) [search](https://clixon-docs.readthedocs.io/en/latest/xml.html#searching-in-xml)
### API changes on existing features (you may need to change your code) ### API changes on existing features (you may need to change your code)
* NACM datanode write rules have been changed from looking at datastore being chekend (eg running/candidate/startup) to *only* look at running.
* C-API: * C-API:
* All uses of `api_path2xpath_cvv()` should be replaced by `api_path2xpath()` * All uses of `api_path2xpath_cvv()` should be replaced by `api_path2xpath()`
* `api_path2xpath()` added an `xerr` argument. * `api_path2xpath()` added an `xerr` argument.
@ -97,6 +98,7 @@ Expected: Early March 2020
### Corrected Bugs ### Corrected Bugs
* Fixed: NACM datanode write problem: read/write/exec default rules did not work.
* Fixed [Makefile syntax error *** mixed implicit and normal rules #104](https://github.com/clicon/clixon/issues/104). Make operator `|=` seems not to work on GNU make version < 4. * Fixed [Makefile syntax error *** mixed implicit and normal rules #104](https://github.com/clicon/clixon/issues/104). Make operator `|=` seems not to work on GNU make version < 4.
* Yang specs with recursive grouping/use statement is now fixed: instead of stack overflow, you get an error message and an exit * Yang specs with recursive grouping/use statement is now fixed: instead of stack overflow, you get an error message and an exit
* Fixed: Some state data was sorted but should not have been. * Fixed: Some state data was sorted but should not have been.

52
apps/backend/backend_client.c
View file

@ -444,7 +444,7 @@ client_statedata(clicon_handle h,
* @see from_client_get * @see from_client_get
*/ */
static int static int
client_config_only(clicon_handle h, client_get_config_only(clicon_handle h,
cvec *nsc, cvec *nsc,
yang_stmt *yspec, yang_stmt *yspec,
char *db, char *db,
@ -458,7 +458,6 @@ client_config_only(clicon_handle h,
cxobj *xnacm = NULL; cxobj *xnacm = NULL;
cxobj **xvec = NULL; cxobj **xvec = NULL;
size_t xlen; size_t xlen;
int ret;
/* Note xret can be pruned by nacm below (and change name), /* Note xret can be pruned by nacm below (and change name),
* so zero-copy cant be used * so zero-copy cant be used
@ -470,9 +469,8 @@ client_config_only(clicon_handle h,
goto ok; goto ok;
} }
/* Pre-NACM access step */ /* Pre-NACM access step */
if ((ret = nacm_access_pre(h, username, NACM_DATA, &xnacm)) < 0) xnacm = clicon_nacm_cache(h);
goto done; if (xnacm != NULL){ /* Do NACM validation */
if (ret == 0){ /* Do NACM validation */
if (xpath_vec(xret, nsc, "%s", &xvec, &xlen, xpath?xpath:"/") < 0) if (xpath_vec(xret, nsc, "%s", &xvec, &xlen, xpath?xpath:"/") < 0)
goto done; goto done;
/* NACM datanode/module read validation */ /* NACM datanode/module read validation */
@ -494,8 +492,6 @@ client_config_only(clicon_handle h,
done: done:
if (xvec) if (xvec)
free(xvec); free(xvec);
if (xnacm)
xml_free(xnacm);
if (xret) if (xret)
xml_free(xret); xml_free(xret);
return retval; return retval;
@ -582,7 +578,7 @@ from_client_get_config(clicon_handle h,
goto ok; goto ok;
} }
} }
if ((ret = client_config_only(h, nsc, yspec, db, xpath, username, -1, cbret)) < 0) if ((ret = client_get_config_only(h, nsc, yspec, db, xpath, username, -1, cbret)) < 0)
goto done; goto done;
ok: ok:
retval = 0; retval = 0;
@ -1016,7 +1012,6 @@ from_client_get(clicon_handle h,
cxobj *xfilter; cxobj *xfilter;
char *xpath = NULL; char *xpath = NULL;
cxobj *xret = NULL; cxobj *xret = NULL;
int ret;
cxobj **xvec = NULL; cxobj **xvec = NULL;
size_t xlen; size_t xlen;
cxobj *xnacm = NULL; cxobj *xnacm = NULL;
@ -1030,6 +1025,7 @@ from_client_get(clicon_handle h,
cxobj *xerr = NULL; cxobj *xerr = NULL;
cxobj *xr; cxobj *xr;
cxobj *xb; cxobj *xb;
int ret;
username = clicon_username_get(h); username = clicon_username_get(h);
if ((yspec = clicon_dbspec_yang(h)) == NULL){ if ((yspec = clicon_dbspec_yang(h)) == NULL){
@ -1072,7 +1068,7 @@ from_client_get(clicon_handle h,
} }
} }
if (content == CONTENT_CONFIG){ /* config only, no state */ if (content == CONTENT_CONFIG){ /* config only, no state */
if (client_config_only(h, nsc, yspec, "running", xpath, username, depth, cbret) < 0) if (client_get_config_only(h, nsc, yspec, "running", xpath, username, depth, cbret) < 0)
goto done; goto done;
goto ok; goto ok;
} }
@ -1173,9 +1169,8 @@ from_client_get(clicon_handle h,
goto done; goto done;
/* Pre-NACM access step */ /* Pre-NACM access step */
if ((ret = nacm_access_pre(h, username, NACM_DATA, &xnacm)) < 0) xnacm = clicon_nacm_cache(h);
goto done; if (xnacm != NULL){ /* Do NACM validation */
if (ret == 0){ /* Do NACM validation */
if (xpath_vec(xret, nsc, "%s", &xvec, &xlen, xpath?xpath:"/") < 0) if (xpath_vec(xret, nsc, "%s", &xvec, &xlen, xpath?xpath:"/") < 0)
goto done; goto done;
/* NACM datanode/module read validation */ /* NACM datanode/module read validation */
@ -1201,8 +1196,6 @@ from_client_get(clicon_handle h,
xml_free(xerr); xml_free(xerr);
if (xpath) if (xpath)
free(xpath); free(xpath);
if (xnacm)
xml_free(xnacm);
if (xvec) if (xvec)
free(xvec); free(xvec);
if (nsc) if (nsc)
@ -1565,6 +1558,7 @@ from_client_msg(clicon_handle h,
cxobj *xnacm = NULL; cxobj *xnacm = NULL;
cxobj *xret = NULL; cxobj *xret = NULL;
uint32_t id; uint32_t id;
enum nacm_credentials_t creds;
clicon_debug(1, "%s", __FUNCTION__); clicon_debug(1, "%s", __FUNCTION__);
yspec = clicon_dbspec_yang(h); yspec = clicon_dbspec_yang(h);
@ -1627,22 +1621,21 @@ from_client_msg(clicon_handle h,
clicon_debug(1, "%s module:%s rpc:%s", __FUNCTION__, module, rpc); clicon_debug(1, "%s module:%s rpc:%s", __FUNCTION__, module, rpc);
/* Pre-NACM access step */ /* Pre-NACM access step */
xnacm = NULL; xnacm = NULL;
if ((ret = nacm_access_pre(h, username, NACM_RPC, &xnacm)) < 0)
if ((ret = nacm_access_pre(h, username, &xnacm)) < 0)
goto done; goto done;
if (ret == 0){ /* Do NACM validation */ /* Cache XML NACM tree here. Use with caution, only valid on from_client_msg stack */
enum nacm_credentials_t mode; if (clicon_nacm_cache_set(h, xnacm) < 0)
mode = clicon_nacm_credentials(h); goto done;
if ((ret = verify_nacm_user(mode, ce->ce_username, username, cbret)) < 0) if (ret == 0){ /* Do NACM RPC validation */
creds = clicon_nacm_credentials(h);
if ((ret = verify_nacm_user(creds, ce->ce_username, username, cbret)) < 0)
goto done; goto done;
if (ret == 0) /* credentials fail */ if (ret == 0) /* credentials fail */
goto reply; goto reply;
/* NACM rpc operation exec validation */ /* NACM rpc operation exec validation */
if ((ret = nacm_rpc(rpc, module, username, xnacm, cbret)) < 0) if ((ret = nacm_rpc(rpc, module, username, xnacm, cbret)) < 0)
goto done; goto done;
if (xnacm){
xml_free(xnacm);
xnacm = NULL;
}
if (ret == 0) /* Not permitted and cbret set */ if (ret == 0) /* Not permitted and cbret set */
goto reply; goto reply;
} }
@ -1658,7 +1651,13 @@ from_client_msg(clicon_handle h,
goto done; goto done;
goto reply; goto reply;
} }
if (xnacm){
xml_free(xnacm);
xnacm = NULL;
if (clicon_nacm_cache_set(h, NULL) < 0)
goto done;
} }
} /* while */
reply: reply:
if (cbuf_len(cbret) == 0) if (cbuf_len(cbret) == 0)
if (netconf_operation_failed(cbret, "application", clicon_errno?clicon_err_reason:"unknown")< 0) if (netconf_operation_failed(cbret, "application", clicon_errno?clicon_err_reason:"unknown")< 0)
@ -1687,8 +1686,11 @@ from_client_msg(clicon_handle h,
retval = 0; retval = 0;
done: done:
clicon_debug(1, "%s retval:%d", __FUNCTION__, retval); clicon_debug(1, "%s retval:%d", __FUNCTION__, retval);
if (xnacm) if (xnacm){
xml_free(xnacm); xml_free(xnacm);
if (clicon_nacm_cache_set(h, NULL) < 0)
goto done;
}
if (xret) if (xret)
xml_free(xret); xml_free(xret);
if (xt) if (xt)

1
apps/backend/backend_commit.c
View file

@ -362,6 +362,7 @@ startup_commit(clicon_handle h,
goto done; goto done;
/* 9, write (potentially modified) tree to running /* 9, write (potentially modified) tree to running
* XXX note here startup is copied to candidate, which may confuse everything * XXX note here startup is copied to candidate, which may confuse everything
* XXX default values are overwritten
*/ */
if ((ret = xmldb_put(h, "running", OP_REPLACE, td->td_target, if ((ret = xmldb_put(h, "running", OP_REPLACE, td->td_target,
clicon_username_get(h), cbret)) < 0) clicon_username_get(h), cbret)) < 0)

3
lib/clixon/clixon_data.h
View file

@ -67,6 +67,9 @@ int clicon_nsctx_global_set(clicon_handle h, cvec *nsctx);
cxobj * clicon_nacm_ext(clicon_handle h); cxobj * clicon_nacm_ext(clicon_handle h);
int clicon_nacm_ext_set(clicon_handle h, cxobj *xn); int clicon_nacm_ext_set(clicon_handle h, cxobj *xn);
cxobj *clicon_nacm_cache(clicon_handle h);
int clicon_nacm_cache_set(clicon_handle h, cxobj *xn);
cxobj *clicon_conf_xml(clicon_handle h); cxobj *clicon_conf_xml(clicon_handle h);
int clicon_conf_xml_set(clicon_handle h, cxobj *x); int clicon_conf_xml_set(clicon_handle h, cxobj *x);

13
lib/clixon/clixon_nacm.h
View file

@ -52,16 +52,6 @@ enum nacm_access{
NACM_EXEC NACM_EXEC
}; };
/*! In RFC8341, NACM defines three access points: rpc
* 3.4.4 Incoming RPC Message Validation
* 3.4.5 Data Node Access Validation
* 3.4.6 Outgoing <notification> Authorization
*/
enum nacm_point {
NACM_RPC,
NACM_DATA,
NACM_NOTIFICATION,
};
/* /*
* Prototypes * Prototypes
*/ */
@ -69,7 +59,6 @@ int nacm_rpc(char *rpc, char *module, char *username, cxobj *xnacm, cbuf *cbret)
int nacm_datanode_read(cxobj *xt, cxobj **xvec, size_t xlen, char *username, cxobj *nacm_xtree); int nacm_datanode_read(cxobj *xt, cxobj **xvec, size_t xlen, char *username, cxobj *nacm_xtree);
int nacm_datanode_write(cxobj *xt, cxobj *xr, enum nacm_access access, int nacm_datanode_write(cxobj *xt, cxobj *xr, enum nacm_access access,
char *username, cxobj *xnacm, cbuf *cbret); char *username, cxobj *xnacm, cbuf *cbret);
int nacm_access_pre(clicon_handle h, char *username, enum nacm_point point, cxobj **xnacmp); int nacm_access_pre(clicon_handle h, char *username, cxobj **xnacmp);
int nacm_access(clicon_handle h, char *mode, cxobj *xnacmin, char *username);
#endif /* _CLIXON_NACM_H */ #endif /* _CLIXON_NACM_H */

38
lib/src/clixon_data.c
View file

@ -264,6 +264,44 @@ clicon_nacm_ext_set(clicon_handle h,
return 0; return 0;
} }
/*! Get NACM (rfc 8341) XML parse tree cache
* @param[in] h Clicon handle
* @retval xn XML NACM tree, or NULL. Direct pointer, no copying
* @note Use with caution, only valid on a stack, direct pointer freed on function return
* @see from_client_msg
*/
cxobj *
clicon_nacm_cache(clicon_handle h)
{
clicon_hash_t *cdat = clicon_data(h);
size_t len;
void *p;
if ((p = clicon_hash_value(cdat, "nacm_cache", &len)) != NULL)
return *(cxobj **)p;
return NULL;
}
/*! Set NACM (rfc 8341) external XML parse tree cache
* @param[in] h Clicon handle
* @param[in] xn XML Nacm tree direct pointer, no copying
* @note Use with caution, only valid on a stack, direct pointer freed on function return
* @see from_client_msg
*/
int
clicon_nacm_cache_set(clicon_handle h,
cxobj *xn)
{
clicon_hash_t *cdat = clicon_data(h);
/* It is the pointer to xn that should be copied by hash,
so we send a ptr to the ptr to indicate what to copy.
*/
if (clicon_hash_add(cdat, "nacm_cache", &xn, sizeof(xn)) == NULL)
return -1;
return 0;
}
/*! Get YANG specification for Clixon system options and features /*! Get YANG specification for Clixon system options and features
* Must use hash functions directly since they are not strings. * Must use hash functions directly since they are not strings.
* Example: features are typically accessed directly in the config tree. * Example: features are typically accessed directly in the config tree.

23
lib/src/clixon_datastore_write.c
View file

@ -831,8 +831,6 @@ xmldb_put(clicon_handle h,
db_elmnt *de = NULL; db_elmnt *de = NULL;
int ret; int ret;
cxobj *xnacm = NULL; cxobj *xnacm = NULL;
char *mode;
cxobj *xnacm0 = NULL;
cxobj *xmodst = NULL; cxobj *xmodst = NULL;
cxobj *x; cxobj *x;
int permit = 0; /* nacm permit all */ int permit = 0; /* nacm permit all */
@ -874,23 +872,10 @@ xmldb_put(clicon_handle h,
if (xml_apply0(x1, -1, xml_sort_verify, NULL) < 0) if (xml_apply0(x1, -1, xml_sort_verify, NULL) < 0)
clicon_log(LOG_NOTICE, "%s: verify failed #1", __FUNCTION__); clicon_log(LOG_NOTICE, "%s: verify failed #1", __FUNCTION__);
#endif #endif
mode = clicon_option_str(h, "CLICON_NACM_MODE");
if (mode){ xnacm = clicon_nacm_cache(h);
if (strcmp(mode, "external")==0) permit = (xnacm==NULL);
xnacm0 = clicon_nacm_ext(h);
else if (strcmp(mode, "internal")==0)
xnacm0 = x0;
}
/* Create namespace context for with nacm namespace as default */
if ((nsc = xml_nsctx_init(NULL, "urn:ietf:params:xml:ns:yang:ietf-netconf-acm")) == NULL)
goto done;
if (xnacm0 != NULL &&
(xnacm = xpath_first(xnacm0, nsc, "nacm")) != NULL){
/* Pre-NACM access step, if permit, then dont do any nacm checks in
* text_modify_* below */
if ((permit = nacm_access(h, mode, xnacm, username)) < 0)
goto done;
}
/* Here assume if xnacm is set and !permit do NACM */ /* Here assume if xnacm is set and !permit do NACM */
/* /*
* Modify base tree x with modification x1. This is where the * Modify base tree x with modification x1. This is where the

37
lib/src/clixon_nacm.c
View file

@ -832,14 +832,12 @@ nacm_datanode_write(cxobj *xt,
* @endcode * @endcode
* @see RFC8341 3.4 Access Control Enforcement Procedures * @see RFC8341 3.4 Access Control Enforcement Procedures
*/ */
int static int
nacm_access(clicon_handle h, nacm_access(clicon_handle h,
char *mode,
cxobj *xnacm, cxobj *xnacm,
char *username) char *username)
{ {
int retval = -1; int retval = -1;
cxobj *xnacm0 = NULL;
char *enabled; char *enabled;
cxobj *x; cxobj *x;
cvec *nsc = NULL; cvec *nsc = NULL;
@ -847,17 +845,6 @@ nacm_access(clicon_handle h,
clicon_debug(1, "%s", __FUNCTION__); clicon_debug(1, "%s", __FUNCTION__);
if ((nsc = xml_nsctx_init(NULL, NACM_NS)) == NULL) if ((nsc = xml_nsctx_init(NULL, NACM_NS)) == NULL)
goto done; goto done;
if (mode == NULL || strcmp(mode, "disabled") == 0)
goto permit;
/* 0. If nacm-mode is external, get NACM defintion from separet tree,
otherwise get it from internal configuration */
if (strcmp(mode, "external") && strcmp(mode, "internal")){
clicon_err(OE_XML, 0, "Invalid NACM mode: %s", mode);
goto done;
}
/* If config does not exist, then the operation is permitted. (?) */
if (xnacm == NULL)
goto permit;
/* Do initial nacm processing common to all access validation in /* Do initial nacm processing common to all access validation in
* RFC8341 3.4 */ * RFC8341 3.4 */
/* 1. If the "enable-nacm" leaf is set to "false", then the protocol /* 1. If the "enable-nacm" leaf is set to "false", then the protocol
@ -876,8 +863,6 @@ nacm_access(clicon_handle h,
done: done:
if (nsc) if (nsc)
xml_nsctx_free(nsc); xml_nsctx_free(nsc);
if (retval != 0 && xnacm0)
xml_free(xnacm0);
clicon_debug(1, "%s retval:%d (0:deny 1:permit)", __FUNCTION__, retval); clicon_debug(1, "%s retval:%d (0:deny 1:permit)", __FUNCTION__, retval);
return retval; return retval;
permit: permit:
@ -891,7 +876,6 @@ nacm_access(clicon_handle h,
* etc. If retval = 1 access is OK and skip next NACM step. * etc. If retval = 1 access is OK and skip next NACM step.
* @param[in] h Clicon handle * @param[in] h Clicon handle
* @param[in] username User name of requestor * @param[in] username User name of requestor
* @param[in] point NACM access control point
* @param[out] xncam NACM XML tree, set if retval=0. Free after use * @param[out] xncam NACM XML tree, set if retval=0. Free after use
* @retval -1 Error * @retval -1 Error
* @retval 0 OK but not validated. Need to do NACM step using xnacm * @retval 0 OK but not validated. Need to do NACM step using xnacm
@ -910,7 +894,6 @@ nacm_access(clicon_handle h,
int int
nacm_access_pre(clicon_handle h, nacm_access_pre(clicon_handle h,
char *username, char *username,
enum nacm_point point,
cxobj **xnacmp) cxobj **xnacmp)
{ {
int retval = -1; int retval = -1;
@ -920,10 +903,12 @@ nacm_access_pre(clicon_handle h,
cxobj *xnacm = NULL; cxobj *xnacm = NULL;
cvec *nsc = NULL; cvec *nsc = NULL;
if ((nsc = xml_nsctx_init(NULL, NACM_NS)) == NULL) mode = clicon_option_str(h, "CLICON_NACM_MODE");
goto done; if (mode == NULL)
if ((mode = clicon_option_str(h, "CLICON_NACM_MODE")) != NULL){ goto permit;
if (strcmp(mode, "external")==0){ else if (strcmp(mode, "disabled")==0)
goto permit;
else if (strcmp(mode, "external")==0){
if ((x = clicon_nacm_ext(h))) if ((x = clicon_nacm_ext(h)))
if ((xnacm0 = xml_dup(x)) == NULL) if ((xnacm0 = xml_dup(x)) == NULL)
goto done; goto done;
@ -932,7 +917,13 @@ nacm_access_pre(clicon_handle h,
if (xmldb_get0(h, "running", nsc, "nacm", 1, &xnacm0, NULL) < 0) if (xmldb_get0(h, "running", nsc, "nacm", 1, &xnacm0, NULL) < 0)
goto done; goto done;
} }
else{
clicon_err(OE_XML, 0, "Invalid NACM mode: %s", mode);
goto done;
} }
if ((nsc = xml_nsctx_init(NULL, NACM_NS)) == NULL)
goto done;
/* If config does not exist then the operation is permitted(?) */ /* If config does not exist then the operation is permitted(?) */
if (xnacm0 == NULL) if (xnacm0 == NULL)
goto permit; goto permit;
@ -943,7 +934,7 @@ nacm_access_pre(clicon_handle h,
goto done; goto done;
xnacm0 = NULL; xnacm0 = NULL;
/* Initial NACM steps and common to all NACM access validation. */ /* Initial NACM steps and common to all NACM access validation. */
if ((retval = nacm_access(h, mode, xnacm, username)) < 0) if ((retval = nacm_access(h, xnacm, username)) < 0)
goto done; goto done;
if (retval == 0){ /* if retval == 0 then return an xml nacm tree */ if (retval == 0){ /* if retval == 0 then return an xml nacm tree */
*xnacmp = xnacm; *xnacmp = xnacm;

2
test/test_datastore.sh
View file

@ -49,10 +49,8 @@ EOF
xml='<config><x xmlns="urn:example:clixon"><y><a>1</a><b>2</b><c>first-entry</c></y><y><a>1</a><b>3</b><c>second-entry</c></y><y><a>2</a><b>3</b><c>third-entry</c></y><d/><f><e>a</e><e>b</e><e>c</e></f><g>astring</g></x></config>' xml='<config><x xmlns="urn:example:clixon"><y><a>1</a><b>2</b><c>first-entry</c></y><y><a>1</a><b>3</b><c>second-entry</c></y><y><a>2</a><b>3</b><c>third-entry</c></y><d/><f><e>a</e><e>b</e><e>c</e></f><g>astring</g></x></config>'
name=text name=text
mydir=$dir/$name mydir=$dir/$name
if [ ! -d $mydir ]; then if [ ! -d $mydir ]; then

79
test/test_nacm_default.sh
View file

@ -1,6 +1,6 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# Basic NACM default rule without any groups # Basic NACM default rule without any groups
# Start from startup db # Start from startup db as well as init db and load using POST
# Magic line must be first in script (see README.md) # Magic line must be first in script (see README.md)
s="$_" ; . ./lib.sh || if [ "$s" = $0 ]; then exit 0; else return 0; fi s="$_" ; . ./lib.sh || if [ "$s" = $0 ]; then exit 0; else return 0; fi
@ -63,6 +63,8 @@ EOF
# 5: expected return value of test1 # 5: expected return value of test1
# 6: expected return value of test2 # 6: expected return value of test2
# 7: expected return value of test3 # 7: expected return value of test3
# 8: startup mode: startup or init
# 9: Dont set default values (nullify them)
testrun(){ testrun(){
enablenacm=$1 enablenacm=$1
readdefault=$2 readdefault=$2
@ -71,10 +73,24 @@ testrun(){
ret1=$5 ret1=$5
ret2=$6 ret2=$6
ret3=$7 ret3=$7
db=$8
nulldef=$9
# NACM in startup # Set default values (or not)
sudo tee $dir/startup_db > /dev/null << EOF if [ $nulldef -ne 0 ]; then
<config> # Defaults should be: true permit deny permit:
# nacm enabled, exec default permit, read permit (expect fail)"
# which means results should be 0 1 3
# Also enable-nacm is present since otherwise the nacm container would be removed
# since it is non-presence
NACM=$(cat <<EOF
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
<enable-nacm>${enablenacm}</enable-nacm>
</nacm>
EOF
)
else
NACM=$(cat <<EOF
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm"> <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
<enable-nacm>${enablenacm}</enable-nacm> <enable-nacm>${enablenacm}</enable-nacm>
<read-default>${readdefault}</read-default> <read-default>${readdefault}</read-default>
@ -82,20 +98,27 @@ testrun(){
<exec-default>${execdefault}</exec-default> <exec-default>${execdefault}</exec-default>
<enable-external-groups>true</enable-external-groups> <enable-external-groups>true</enable-external-groups>
</nacm> </nacm>
<x xmlns="urn:example:nacm">42</x>
</config>
EOF EOF
)
fi
# Initial data
XML='<x xmlns="urn:example:nacm">42</x>'
# Use startup or set values with POST (below)
if [ $db = startup ]; then
sudo echo "<config>$NACM$XML</config>" > $dir/startup_db
fi
if [ $BE -ne 0 ]; then # Bring your own backend if [ $BE -ne 0 ]; then # Bring your own backend
new "kill old backend" new "kill old backend"
sudo clixon_backend -zf $cfg sudo clixon_backend -zf $cfg
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
err err
fi fi
new "start backend -s startup -f $cfg" new "start backend -s $db -f $cfg"
start_backend -s startup -f $cfg start_backend -s $db -f $cfg
else else
new "Restart backend as eg follows: -Ff $cfg -s startup" new "Restart backend as eg follows: -Ff $cfg -s $db"
sleep $BETIMEOUT
fi fi
new "waiting" new "waiting"
@ -110,6 +133,15 @@ EOF
new "waiting" new "waiting"
wait_restconf wait_restconf
# Use POST (instead of startup)
if [ $db = init ]; then
new "Set Initial data using POST"
expectpart "$(curl -u guest:bar -siS -X POST -H "Content-Type: application/yang-data+xml" -d "$XML" http://localhost/restconf/data)" 0 "HTTP/1.1 201 Created"
new "Set NACM using POST"
expectpart "$(curl -u guest:bar -siS -X POST -H "Content-Type: application/yang-data+xml" -d "$NACM" http://localhost/restconf/data)" 0 "HTTP/1.1 201 Created"
fi
#----------- First get #----------- First get
case "$ret1" in case "$ret1" in
0) ret='{"nacm-example:x":42} 0) ret='{"nacm-example:x":42}
@ -165,35 +197,42 @@ EOF
} # testrun } # testrun
# Run a lot of tests with different settings of default read/write/exec # Run a lot of tests with different settings of default read/write/exec
# Outer loop either starts from startup or inits config via restconf POST
for db in startup init; do
new "nacm enabled and all defaults permit" new "nacm enabled and all defaults permit"
testrun true permit permit permit 0 0 0 testrun true permit permit permit 0 0 0 $db 0
new "nacm disabled and all defaults permit" new "nacm disabled and all defaults permit"
testrun false permit permit permit 0 0 0 testrun false permit permit permit 0 0 0 $db 0
new "nacm disabled and all defaults deny" new "nacm disabled and all defaults deny"
testrun false deny deny deny 0 0 0 testrun false deny deny deny 0 0 0 $db 0
new "nacm enabled, all defaults deny (expect fail)" new "nacm enabled, all defaults deny (expect fail)"
testrun true deny deny deny 1 1 1 testrun true deny deny deny 1 1 1 $db 0
new "nacm enabled, exec default deny - read permit (expect fail)" new "nacm enabled, exec default deny - read permit (expect fail)"
testrun true permit deny deny 1 1 1 testrun true permit deny deny 1 1 1 $db 0
new "nacm enabled, exec default deny - write permit (expect fail)" new "nacm enabled, exec default deny - write permit (expect fail)"
testrun true deny permit deny 1 1 1 testrun true deny permit deny 1 1 1 $db 0
new "nacm enabled, exec default deny read/write permit (expect fail)" new "nacm enabled, exec default deny read/write permit (expect fail)"
testrun true permit permit deny 1 1 1 testrun true permit permit deny 1 1 1 $db 0
new "nacm enabled, exec default permit, all others deny (expect fail)" new "nacm enabled, exec default permit, all others deny (expect fail)"
testrun true deny deny permit 2 1 2 testrun true deny deny permit 2 1 2 $db 0
new "nacm enabled, exec default permit, read permit (expect fail)" new "nacm enabled, exec default permit, read permit (expect fail)"
testrun true permit deny permit 0 1 3 testrun true permit deny permit 0 1 3 $db 0 # This is yang default
new "nacm enabled, with default values (no settings - should be same as previous)"
# note last 1 means nullify all default values)
testrun true xxx xxx xxx 0 1 3 init 1
new "nacm enabled, exec default permit, write permit (expect fail)" new "nacm enabled, exec default permit, write permit (expect fail)"
testrun true deny permit permit 2 0 2 testrun true deny permit permit 2 0 2 $db 0
done
rm -rf $dir rm -rf $dir

47
test/test_nacm_module_write.sh
View file

@ -168,8 +168,7 @@ nacm(){
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc><commit/></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$" expecteof "$clixon_netconf -qf $cfg" 0 "<rpc><commit/></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
new "enable nacm" new "enable nacm"
expectpart "$(curl -u andy:bar -sS -X PUT -H 'Content-Type: application/yang-data+json' -d '{"ietf-netconf-acm:enable-nacm":true}' http://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" 0 "" expectpart "$(curl -u andy:bar -siS -X PUT -H 'Content-Type: application/yang-data+json' -d '{"ietf-netconf-acm:enable-nacm":true}' http://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" 0 "HTTP/1.1 204 No Content"
# -H 'Content-Type: application/yang-data+json'
} }
#--------------- enable nacm #--------------- enable nacm
@ -184,75 +183,75 @@ nacm
# replace all, then must include NACM rules as well # replace all, then must include NACM rules as well
MSG="<data>$RULES</data>" MSG="<data>$RULES</data>"
new "update root list permit" new "update root list permit"
expectpart "$(curl -u andy:bar -sS -H 'Content-Type: application/yang-data+xml' -X PUT http://localhost/restconf/data -d "$MSG")" 0 '' expectpart "$(curl -u andy:bar -siS -H 'Content-Type: application/yang-data+xml' -X PUT http://localhost/restconf/data -d "$MSG")" 0 'HTTP/1.1 204 No Content'
# Usually a 'HTTP/1.1 100 Continue' as well
new "delete root list deny" new "delete root list deny"
expecteq "$(curl -u wilma:bar -sS -X DELETE http://localhost/restconf/data)" 0 '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"default deny"}}} ' expectpart "$(curl -u wilma:bar -siS -X DELETE http://localhost/restconf/data)" 0 'HTTP/1.1 403 Forbidden' '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"default deny"}}} '
new "delete root permit" new "delete root permit"
expecteq "$(curl -u andy:bar -sS -X DELETE http://localhost/restconf/data)" 0 '' expectpart "$(curl -u andy:bar -siS -X DELETE http://localhost/restconf/data)" 0 'HTTP/1.1 204 No Content'
#--------------- re-enable nacm #--------------- re-enable nacm
nacm nacm
#----------leaf #----------leaf
new "create leaf deny" new "create leaf deny"
expecteq "$(curl -u guest:bar -sS -H 'Content-Type: application/yang-data+xml' -X PUT http://localhost/restconf/data/nacm-example:x -d '<x xmlns="urn:example:nacm">42</x>')" 0 '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"access denied"}}} ' expectpart "$(curl -u guest:bar -siS -H 'Content-Type: application/yang-data+xml' -X PUT http://localhost/restconf/data/nacm-example:x -d '<x xmlns="urn:example:nacm">42</x>')" 0 'HTTP/1.1 403 Forbidden' '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"access denied"}}} '
new "create leaf permit" new "create leaf permit"
expecteq "$(curl -u wilma:bar -sS -H 'Content-Type: application/yang-data+xml' -X PUT http://localhost/restconf/data/nacm-example:x -d '<x xmlns="urn:example:nacm">42</x>')" 0 '' expectpart "$(curl -u wilma:bar -siS -H 'Content-Type: application/yang-data+xml' -X PUT http://localhost/restconf/data/nacm-example:x -d '<x xmlns="urn:example:nacm">42</x>')" 0 'HTTP/1.1 201 Created'
new "update leaf deny" new "update leaf deny"
expecteq "$(curl -u wilma:bar -sS -H 'Content-Type: application/yang-data+xml' -X PUT http://localhost/restconf/data/nacm-example:x -d '<x xmlns="urn:example:nacm">99</x>')" 0 '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"access denied"}}} ' expectpart "$(curl -u wilma:bar -siS -H 'Content-Type: application/yang-data+xml' -X PUT http://localhost/restconf/data/nacm-example:x -d '<x xmlns="urn:example:nacm">99</x>')" 0 'HTTP/1.1 403 Forbidden' '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"access denied"}}} '
new "update leaf permit" new "update leaf permit"
expecteq "$(curl -u guest:bar -sS -H 'Content-Type: application/yang-data+xml' -X PUT http://localhost/restconf/data/nacm-example:x -d '<x xmlns="urn:example:nacm">99</x>')" 0 '' expectpart "$(curl -u guest:bar -siS -H 'Content-Type: application/yang-data+xml' -X PUT http://localhost/restconf/data/nacm-example:x -d '<x xmlns="urn:example:nacm">99</x>')" 0 'HTTP/1.1 204 No Content'
new "read leaf check" new "read leaf check"
expecteq "$(curl -u guest:bar -sS -X GET http://localhost/restconf/data/nacm-example:x)" 0 '{"nacm-example:x":99} expectpart "$(curl -u guest:bar -siS -X GET http://localhost/restconf/data/nacm-example:x)" 0 'HTTP/1.1 200 OK' '{"nacm-example:x":99}'
'
new "delete leaf deny" new "delete leaf deny"
expecteq "$(curl -u guest:bar -sS -X DELETE http://localhost/restconf/data/nacm-example:x)" 0 '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"access denied"}}} ' expectpart "$(curl -u guest:bar -siS -X DELETE http://localhost/restconf/data/nacm-example:x)" 0 'HTTP/1.1 403 Forbidden' '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"access denied"}}} '
new "delete leaf permit" new "delete leaf permit"
expecteq "$(curl -u wilma:bar -sS -X DELETE http://localhost/restconf/data/nacm-example:x)" 0 '' expectpart "$(curl -u wilma:bar -siS -X DELETE http://localhost/restconf/data/nacm-example:x)" 0 'HTTP/1.1 204 No Content'
#----- list/container #----- list/container
new "create list deny" new "create list deny"
expecteq "$(curl -u guest:bar -sS -H 'Content-Type: application/yang-data+xml' -X PUT http://localhost/restconf/data/nacm-example:a=key42 -d '<a xmlns="urn:example:nacm"><k>key42</k><b><c>str</c></b></a>')" 0 '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"access denied"}}} ' expectpart "$(curl -u guest:bar -siS -H 'Content-Type: application/yang-data+xml' -X PUT http://localhost/restconf/data/nacm-example:a=key42 -d '<a xmlns="urn:example:nacm"><k>key42</k><b><c>str</c></b></a>')" 0 'HTTP/1.1 403 Forbidden' '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"access denied"}}}'
new "create list permit" new "create list permit"
expecteq "$(curl -u wilma:bar -sS -H 'Content-Type: application/yang-data+xml' -X PUT http://localhost/restconf/data/nacm-example:a=key42 -d '<a xmlns="urn:example:nacm"><k>key42</k><b><c>str</c></b></a>')" 0 '' expectpart "$(curl -u wilma:bar -siS -H 'Content-Type: application/yang-data+xml' -X PUT http://localhost/restconf/data/nacm-example:a=key42 -d '<a xmlns="urn:example:nacm"><k>key42</k><b><c>str</c></b></a>')" 0 'HTTP/1.1 201 Created'
new "update list deny" new "update list deny"
expecteq "$(curl -u wilma:bar -sS -H 'Content-Type: application/yang-data+xml' -X PUT http://localhost/restconf/data/nacm-example:a=key42 -d '<a xmlns="urn:example:nacm"><k>key42</k><b><c>update</c></b></a>')" 0 '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"access denied"}}} ' expectpart "$(curl -u wilma:bar -siS -H 'Content-Type: application/yang-data+xml' -X PUT http://localhost/restconf/data/nacm-example:a=key42 -d '<a xmlns="urn:example:nacm"><k>key42</k><b><c>update</c></b></a>')" 0 'HTTP/1.1 403 Forbidden' '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"access denied"}}'
new "update list permit" new "update list permit"
expecteq "$(curl -u guest:bar -sS -H 'Content-Type: application/yang-data+xml' -X PUT http://localhost/restconf/data/nacm-example:a=key42 -d '<a xmlns="urn:example:nacm"><k>key42</k><b><c>update</c></b></a>')" 0 '' expectpart "$(curl -u guest:bar -siS -H 'Content-Type: application/yang-data+xml' -X PUT http://localhost/restconf/data/nacm-example:a=key42 -d '<a xmlns="urn:example:nacm"><k>key42</k><b><c>update</c></b></a>')" 0 'HTTP/1.1 204 No Content'
new "read list check" new "read list check"
expecteq "$(curl -u guest:bar -sS -X GET http://localhost/restconf/data/nacm-example:a=key42)" 0 '{"nacm-example:a":[{"k":"key42","b":{"c":"update"}}]} expectpart "$(curl -u guest:bar -siS -X GET http://localhost/restconf/data/nacm-example:a=key42)" 0 'HTTP/1.1 200 OK' '{"nacm-example:a":[{"k":"key42","b":{"c":"update"}}]}
' '
new "delete list deny" new "delete list deny"
expecteq "$(curl -u guest:bar -sS -X DELETE http://localhost/restconf/data/nacm-example:a=key42)" 0 '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"access denied"}}} ' expectpart "$(curl -u guest:bar -siS -X DELETE http://localhost/restconf/data/nacm-example:a=key42)" 0 'HTTP/1.1 403 Forbidden' '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"access denied"}}} '
new "delete list permit" new "delete list permit"
expecteq "$(curl -u wilma:bar -sS -X DELETE http://localhost/restconf/data/nacm-example:a=key42)" 0 '' expectpart "$(curl -u wilma:bar -siS -X DELETE http://localhost/restconf/data/nacm-example:a=key42)" 0 'HTTP/1.1 204 No Content'
#----- default deny (clixon-example limit and guest have default access) #----- default deny (clixon-example limit and guest have default access)
new "default create list deny" new "default create list deny"
expecteq "$(curl -u wilma:bar -sS -X PUT -H "Content-Type: application/yang-data+json" http://localhost/restconf/data/clixon-example:translate/translate=key42 -d '{"clixon-example:translate":[{"k":"key42","value":"val42"}]}')" 0 '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"default deny"}}} ' expectpart "$(curl -u wilma:bar -siS -X PUT -H "Content-Type: application/yang-data+json" http://localhost/restconf/data/clixon-example:translate/translate=key42 -d '{"clixon-example:translate":[{"k":"key42","value":"val42"}]}')" 0 'HTTP/1.1 403 Forbidden' '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"default deny"}}'
new "create list permit" new "create list permit"
expecteq "$(curl -u andy:bar -sS -X PUT -H "Content-Type: application/yang-data+json" http://localhost/restconf/data/clixon-example:translate/translate=key42 -d '{"clixon-example:translate": [{"k":"key42","value":"val42"}]}')" 0 '' expectpart "$(curl -u andy:bar -siS -X PUT -H "Content-Type: application/yang-data+json" http://localhost/restconf/data/clixon-example:translate/translate=key42 -d '{"clixon-example:translate": [{"k":"key42","value":"val42"}]}')" 0 'HTTP/1.1 201 Created'
new "default update list deny" new "default update list deny"
expecteq "$(curl -u wilma:bar -sS -X PUT -H "Content-Type: application/yang-data+json" http://localhost/restconf/data/clixon-example:translate=key42 -d '{"clixon-example:translate": [{"k":"key42","value":"val99"}]}')" 0 '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"default deny"}}} ' expectpart "$(curl -u wilma:bar -siS -X PUT -H "Content-Type: application/yang-data+json" http://localhost/restconf/data/clixon-example:translate=key42 -d '{"clixon-example:translate": [{"k":"key42","value":"val99"}]}')" 0 'HTTP/1.1 403 Forbidden' '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"default deny"}}'
new "default delete list deny" new "default delete list deny"
expecteq "$(curl -u wilma:bar -sS -X DELETE http://localhost/restconf/data/clixon-example:translate=key42)" 0 '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"default deny"}}} ' expectpart "$(curl -u wilma:bar -siS -X DELETE http://localhost/restconf/data/clixon-example:translate=key42)" 0 'HTTP/1.1 403 Forbidden' '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"default deny"}}'
if [ $RC -ne 0 ]; then if [ $RC -ne 0 ]; then
new "Kill restconf daemon" new "Kill restconf daemon"