* Experimental NACM RFC8341 Network Configuration Access Control Model.
* CLICON_NACM_MODE config option, default is disabled. * Added username attribute to all rpc:s from frontend to backend * Added NACM backend module in example
This commit is contained in:
Olof hagsand
parent
04a3f4db1b
commit
7650803475
32 changed files with 908 additions and 274 deletions
|
|
@ -125,16 +125,16 @@ clicon_file_dirent(const char *dir,
|
|||
clicon_err(OE_DB, 0, "regcomp: %s", errbuf);
|
||||
return -1;
|
||||
}
|
||||
if ((dirp = opendir (dir)) == NULL) {
|
||||
if ((dirp = opendir(dir)) == NULL) {
|
||||
if (errno == ENOENT) /* Dir does not exist -> return 0 matches */
|
||||
retval = 0;
|
||||
else
|
||||
clicon_err(OE_UNIX, errno, "opendir(%s)", dir);
|
||||
goto quit;
|
||||
}
|
||||
for (res = readdir_r (dirp, &dent, &dresp);
|
||||
for (res = readdir_r(dirp, &dent, &dresp);
|
||||
dresp;
|
||||
res = readdir_r (dirp, &dent, &dresp)) {
|
||||
res = readdir_r(dirp, &dent, &dresp)) {
|
||||
if (res != 0) {
|
||||
clicon_err(OE_UNIX, 0, "readdir: %s", strerror(errno));
|
||||
goto quit;
|
||||
|
|
@ -161,7 +161,7 @@ clicon_file_dirent(const char *dir,
|
|||
goto quit;
|
||||
}
|
||||
new = tmp;
|
||||
memcpy (&new[nent], &dent, sizeof(dent));
|
||||
memcpy(&new[nent], &dent, sizeof(dent));
|
||||
nent++;
|
||||
|
||||
} /* while */
|
||||
|
|
|
|||
|
|
@ -57,6 +57,7 @@
|
|||
#include "clixon_err.h"
|
||||
#include "clixon_handle.h"
|
||||
#include "clixon_yang.h"
|
||||
#include "clixon_log.h"
|
||||
#include "clixon_xml.h"
|
||||
#include "clixon_netconf_lib.h"
|
||||
|
||||
|
|
@ -438,6 +439,38 @@ netconf_access_denied(cbuf *cb,
|
|||
goto done;
|
||||
}
|
||||
|
||||
/*! Create Netconf access-denied error XML tree according to RFC 6241 App A
|
||||
*
|
||||
* An expected element is missing.
|
||||
* @param[out] xret Error XML tree
|
||||
* @param[in] type Error type: "application" or "protocol"
|
||||
* @param[in] message Error message
|
||||
*/
|
||||
int
|
||||
netconf_access_denied_xml(cxobj **xret,
|
||||
char *type,
|
||||
char *message)
|
||||
{
|
||||
int retval =-1;
|
||||
cbuf *cbret = NULL;
|
||||
|
||||
if ((cbret = cbuf_new()) == NULL){
|
||||
clicon_err(OE_XML, errno, "cbuf_new");
|
||||
goto done;
|
||||
}
|
||||
if (netconf_access_denied(cbret, type, message) < 0)
|
||||
goto done;
|
||||
if (xml_parse_string(cbuf_get(cbret), NULL, xret) < 0)
|
||||
goto done;
|
||||
if (xml_rootchild(*xret, 0, xret) < 0)
|
||||
goto done;
|
||||
retval = 0;
|
||||
done:
|
||||
if (cbret)
|
||||
cbuf_free(cbret);
|
||||
return retval;
|
||||
}
|
||||
|
||||
/*! Create Netconf lock-denied error XML tree according to RFC 6241 App A
|
||||
*
|
||||
* Access to the requested lock is denied because the lock is currently held
|
||||
|
|
@ -655,7 +688,7 @@ netconf_operation_failed(cbuf *cb,
|
|||
goto err;
|
||||
if (message && cprintf(cb, "<error-message>%s</error-message>", message) < 0)
|
||||
goto err;
|
||||
if (cprintf(cb, "</rpc-error></rpc-reply>") <0)
|
||||
if (cprintf(cb, "</rpc-error></rpc-reply>") < 0)
|
||||
goto err;
|
||||
retval = 0;
|
||||
done:
|
||||
|
|
@ -665,6 +698,39 @@ netconf_operation_failed(cbuf *cb,
|
|||
goto done;
|
||||
}
|
||||
|
||||
/*! Create Netconf operation-failed error XML tree according to RFC 6241 App A
|
||||
*
|
||||
* Request could not be completed because the requested operation failed for
|
||||
* some reason not covered by any other error condition.
|
||||
* @param[out] xret Error XML tree
|
||||
* @param[in] type Error type: "rpc", "application" or "protocol"
|
||||
* @param[in] message Error message
|
||||
*/
|
||||
int
|
||||
netconf_operation_failed_xml(cxobj **xret,
|
||||
char *type,
|
||||
char *message)
|
||||
{
|
||||
int retval =-1;
|
||||
cbuf *cbret = NULL;
|
||||
|
||||
if ((cbret = cbuf_new()) == NULL){
|
||||
clicon_err(OE_XML, errno, "cbuf_new");
|
||||
goto done;
|
||||
}
|
||||
if (netconf_operation_failed(cbret, type, message) < 0)
|
||||
goto done;
|
||||
if (xml_parse_string(cbuf_get(cbret), NULL, xret) < 0)
|
||||
goto done;
|
||||
if (xml_rootchild(*xret, 0, xret) < 0)
|
||||
goto done;
|
||||
retval = 0;
|
||||
done:
|
||||
if (cbret)
|
||||
cbuf_free(cbret);
|
||||
return retval;
|
||||
}
|
||||
|
||||
/*! Create Netconf malformed-message error XML tree according to RFC 6241 App A
|
||||
*
|
||||
* A message could not be handled because it failed to be parsed correctly.
|
||||
|
|
|
|||
|
|
@ -242,13 +242,15 @@ plugin_load_one(clicon_handle h,
|
|||
* @param[in] h Clicon handle
|
||||
* @param[in] function Which function symbol to load and call (eg CLIXON_PLUGIN_INIT)
|
||||
* @param[in] dir Directory. .so files in this dir will be loaded.
|
||||
* @param[in] regexp Regexp for matching files in plugin directory. Default *.so.
|
||||
* @retval 0 OK
|
||||
* @retval -1 Error
|
||||
*/
|
||||
int
|
||||
clixon_plugins_load(clicon_handle h,
|
||||
char *function,
|
||||
char *dir)
|
||||
char *dir,
|
||||
char *regexp)
|
||||
{
|
||||
int retval = -1;
|
||||
int ndp;
|
||||
|
|
@ -259,7 +261,8 @@ clixon_plugins_load(clicon_handle h,
|
|||
|
||||
clicon_debug(1, "%s", __FUNCTION__);
|
||||
/* Get plugin objects names from plugin directory */
|
||||
if((ndp = clicon_file_dirent(dir, &dp, "(.so)$", S_IFREG))<0)
|
||||
if((ndp = clicon_file_dirent(dir, &dp,
|
||||
regexp?regexp:"(.so)$", S_IFREG))<0)
|
||||
goto done;
|
||||
/* Load all plugins */
|
||||
for (i = 0; i < ndp; i++) {
|
||||
|
|
|
|||
|
|
@ -91,6 +91,7 @@ clicon_rpc_msg(clicon_handle h,
|
|||
cxobj *xret = NULL;
|
||||
yang_spec *yspec;
|
||||
|
||||
clicon_debug(1, "%s request:%s", __FUNCTION__, msg->op_body);
|
||||
if ((sock = clicon_sock(h)) == NULL){
|
||||
clicon_err(OE_FATAL, 0, "CLICON_SOCK option not set");
|
||||
goto done;
|
||||
|
|
@ -327,10 +328,14 @@ clicon_rpc_edit_config(clicon_handle h,
|
|||
cbuf *cb = NULL;
|
||||
cxobj *xret = NULL;
|
||||
cxobj *xerr;
|
||||
char *username;
|
||||
|
||||
if ((cb = cbuf_new()) == NULL)
|
||||
goto done;
|
||||
cprintf(cb, "<rpc><edit-config><target><%s/></target>", db);
|
||||
cprintf(cb, "<rpc");
|
||||
if ((username = clicon_username_get(h)) != NULL)
|
||||
cprintf(cb, " username=\"%s\"", username);
|
||||
cprintf(cb, "><edit-config><target><%s/></target>", db);
|
||||
cprintf(cb, "<default-operation>%s</default-operation>",
|
||||
xml_operation2str(op));
|
||||
if (xmlstr)
|
||||
|
|
@ -377,8 +382,12 @@ clicon_rpc_copy_config(clicon_handle h,
|
|||
struct clicon_msg *msg = NULL;
|
||||
cxobj *xret = NULL;
|
||||
cxobj *xerr;
|
||||
char *username;
|
||||
|
||||
if ((msg = clicon_msg_encode("<rpc><copy-config><source><%s/></source><target><%s/></target></copy-config></rpc>", db1, db2)) == NULL)
|
||||
username = clicon_username_get(h);
|
||||
if ((msg = clicon_msg_encode("<rpc username=\"%s\"><copy-config><source><%s/></source><target><%s/></target></copy-config></rpc>",
|
||||
username?username:"",
|
||||
db1, db2)) == NULL)
|
||||
goto done;
|
||||
if (clicon_rpc_msg(h, msg, &xret, NULL) < 0)
|
||||
goto done;
|
||||
|
|
@ -413,8 +422,11 @@ clicon_rpc_delete_config(clicon_handle h,
|
|||
struct clicon_msg *msg = NULL;
|
||||
cxobj *xret = NULL;
|
||||
cxobj *xerr;
|
||||
char *username;
|
||||
|
||||
if ((msg = clicon_msg_encode("<rpc><delete-config><target><%s/></target></delete-config></rpc>", db)) == NULL)
|
||||
username = clicon_username_get(h);
|
||||
if ((msg = clicon_msg_encode("<rpc username=\"%s\"><delete-config><target><%s/></target></delete-config></rpc>",
|
||||
username?username:"", db)) == NULL)
|
||||
goto done;
|
||||
if (clicon_rpc_msg(h, msg, &xret, NULL) < 0)
|
||||
goto done;
|
||||
|
|
@ -445,8 +457,11 @@ clicon_rpc_lock(clicon_handle h,
|
|||
struct clicon_msg *msg = NULL;
|
||||
cxobj *xret = NULL;
|
||||
cxobj *xerr;
|
||||
char *username;
|
||||
|
||||
if ((msg = clicon_msg_encode("<rpc><lock><target><%s/></target></lock></rpc>", db)) == NULL)
|
||||
username = clicon_username_get(h);
|
||||
if ((msg = clicon_msg_encode("<rpc username=\"%s\"><lock><target><%s/></target></lock></rpc>",
|
||||
username?username:"", db)) == NULL)
|
||||
goto done;
|
||||
if (clicon_rpc_msg(h, msg, &xret, NULL) < 0)
|
||||
goto done;
|
||||
|
|
@ -477,8 +492,10 @@ clicon_rpc_unlock(clicon_handle h,
|
|||
struct clicon_msg *msg = NULL;
|
||||
cxobj *xret = NULL;
|
||||
cxobj *xerr;
|
||||
char *username;
|
||||
|
||||
if ((msg = clicon_msg_encode("<rpc><unlock><target><%s/></target></unlock></rpc>", db)) == NULL)
|
||||
username = clicon_username_get(h);
|
||||
if ((msg = clicon_msg_encode("<rpc username=\"%s\"><unlock><target><%s/></target></unlock></rpc>", username?username:"", db)) == NULL)
|
||||
goto done;
|
||||
if (clicon_rpc_msg(h, msg, &xret, NULL) < 0)
|
||||
goto done;
|
||||
|
|
@ -574,8 +591,11 @@ clicon_rpc_close_session(clicon_handle h)
|
|||
struct clicon_msg *msg = NULL;
|
||||
cxobj *xret = NULL;
|
||||
cxobj *xerr;
|
||||
char *username;
|
||||
|
||||
if ((msg = clicon_msg_encode("<rpc><close-session/></rpc>")) == NULL)
|
||||
username = clicon_username_get(h);
|
||||
if ((msg = clicon_msg_encode("<rpc username=\"%s\"><close-session/></rpc>",
|
||||
username?username:"")) == NULL)
|
||||
goto done;
|
||||
if (clicon_rpc_msg(h, msg, &xret, NULL) < 0)
|
||||
goto done;
|
||||
|
|
@ -606,8 +626,11 @@ clicon_rpc_kill_session(clicon_handle h,
|
|||
struct clicon_msg *msg = NULL;
|
||||
cxobj *xret = NULL;
|
||||
cxobj *xerr;
|
||||
char *username;
|
||||
|
||||
if ((msg = clicon_msg_encode("<rpc><kill-session><session-id>%d</session-id></kill-session></rpc>", session_id)) == NULL)
|
||||
username = clicon_username_get(h);
|
||||
if ((msg = clicon_msg_encode("<rpc username=\"%s\"><kill-session><session-id>%d</session-id></kill-session></rpc>",
|
||||
username?username:"", session_id)) == NULL)
|
||||
goto done;
|
||||
if (clicon_rpc_msg(h, msg, &xret, NULL) < 0)
|
||||
goto done;
|
||||
|
|
@ -638,8 +661,10 @@ clicon_rpc_validate(clicon_handle h,
|
|||
struct clicon_msg *msg = NULL;
|
||||
cxobj *xret = NULL;
|
||||
cxobj *xerr;
|
||||
char *username;
|
||||
|
||||
if ((msg = clicon_msg_encode("<rpc><validate><source><%s/></source></validate></rpc>", db)) == NULL)
|
||||
username = clicon_username_get(h);
|
||||
if ((msg = clicon_msg_encode("<rpc username=\"%s\"><validate><source><%s/></source></validate></rpc>", username?username:"", db)) == NULL)
|
||||
goto done;
|
||||
if (clicon_rpc_msg(h, msg, &xret, NULL) < 0)
|
||||
goto done;
|
||||
|
|
@ -668,8 +693,10 @@ clicon_rpc_commit(clicon_handle h)
|
|||
struct clicon_msg *msg = NULL;
|
||||
cxobj *xret = NULL;
|
||||
cxobj *xerr;
|
||||
char *username;
|
||||
|
||||
if ((msg = clicon_msg_encode("<rpc><commit/></rpc>")) == NULL)
|
||||
username = clicon_username_get(h);
|
||||
if ((msg = clicon_msg_encode("<rpc username=\"%s\"><commit/></rpc>", username?username:"")) == NULL)
|
||||
goto done;
|
||||
if (clicon_rpc_msg(h, msg, &xret, NULL) < 0)
|
||||
goto done;
|
||||
|
|
@ -698,8 +725,10 @@ clicon_rpc_discard_changes(clicon_handle h)
|
|||
struct clicon_msg *msg = NULL;
|
||||
cxobj *xret = NULL;
|
||||
cxobj *xerr;
|
||||
char *username;
|
||||
|
||||
if ((msg = clicon_msg_encode("<rpc><discard-changes/></rpc>")) == NULL)
|
||||
username = clicon_username_get(h);
|
||||
if ((msg = clicon_msg_encode("<rpc username=\"%s\"><discard-changes/></rpc>", username?username:"")) == NULL)
|
||||
goto done;
|
||||
if (clicon_rpc_msg(h, msg, &xret, NULL) < 0)
|
||||
goto done;
|
||||
|
|
@ -736,11 +765,14 @@ clicon_rpc_create_subscription(clicon_handle h,
|
|||
struct clicon_msg *msg = NULL;
|
||||
cxobj *xret = NULL;
|
||||
cxobj *xerr;
|
||||
char *username;
|
||||
|
||||
if ((msg = clicon_msg_encode("<rpc><create-subscription>"
|
||||
username = clicon_username_get(h);
|
||||
if ((msg = clicon_msg_encode("<rpc username=\"%s\"><create-subscription>"
|
||||
"<stream>%s</stream>"
|
||||
"<filter>%s</filter>"
|
||||
"</create-subscription></rpc>",
|
||||
username?username:"",
|
||||
stream?stream:"", filter?filter:"")) == NULL)
|
||||
goto done;
|
||||
if (clicon_rpc_msg(h, msg, &xret, s0) < 0)
|
||||
|
|
@ -772,8 +804,10 @@ clicon_rpc_debug(clicon_handle h,
|
|||
struct clicon_msg *msg = NULL;
|
||||
cxobj *xret = NULL;
|
||||
cxobj *xerr;
|
||||
char *username;
|
||||
|
||||
if ((msg = clicon_msg_encode("<rpc><debug><level>%d</level></debug></rpc>", level)) == NULL)
|
||||
username = clicon_username_get(h);
|
||||
if ((msg = clicon_msg_encode("<rpc username=\"%s\"><debug><level>%d</level></debug></rpc>", username?username:"", level)) == NULL)
|
||||
goto done;
|
||||
if (clicon_rpc_msg(h, msg, &xret, NULL) < 0)
|
||||
goto done;
|
||||
|
|
|
|||
|
|
@ -317,8 +317,9 @@ xml_yang_validate_add(cxobj *xt,
|
|||
yang_stmt *ys;
|
||||
char *body;
|
||||
|
||||
/* if not given by argument (overide) use default link */
|
||||
if ((ys = xml_spec(xt)) != NULL){
|
||||
/* if not given by argument (overide) use default link
|
||||
and !Node has a config sub-statement and it is false */
|
||||
if ((ys = xml_spec(xt)) != NULL && yang_config(ys) != 0){
|
||||
switch (ys->ys_keyword){
|
||||
case Y_LIST:
|
||||
/* fall thru */
|
||||
|
|
@ -327,6 +328,8 @@ xml_yang_validate_add(cxobj *xt,
|
|||
yc = ys->ys_stmt[i];
|
||||
if (yc->ys_keyword != Y_LEAF)
|
||||
continue;
|
||||
if (yang_config(yc)==0)
|
||||
continue;
|
||||
if (yang_mandatory(yc) && xml_find(xt, yc->ys_argument)==NULL){
|
||||
clicon_err(OE_CFG, 0,"Missing mandatory variable: %s",
|
||||
yc->ys_argument);
|
||||
|
|
@ -386,8 +389,10 @@ xml_yang_validate_all(cxobj *xt,
|
|||
yang_stmt *ys;
|
||||
yang_stmt *ytype;
|
||||
|
||||
/* if not given by argument (overide) use default link */
|
||||
if ((ys = xml_spec(xt)) != NULL){
|
||||
/* if not given by argument (overide) use default link
|
||||
and !Node has a config sub-statement and it is false */
|
||||
if ((ys = xml_spec(xt)) != NULL &&
|
||||
yang_config(ys) != 0){
|
||||
switch (ys->ys_keyword){
|
||||
case Y_LEAF:
|
||||
/* fall thru */
|
||||
|
|
@ -1644,6 +1649,9 @@ api_path2xml(char *api_path,
|
|||
* @param[in] y0 Yang spec corresponding to xml-node x0. NULL if x0 is NULL
|
||||
* @param[in] x0p Parent of x0
|
||||
* @param[in] x1 xml tree which modifies base
|
||||
* @param[out] reason If retval=0 a malloced string
|
||||
* @retval 0 OK. If reason is set, Yang error
|
||||
* @retval -1 Error
|
||||
* Assume x0 and x1 are same on entry and that y is the spec
|
||||
* @see put in clixon_keyvalue.c
|
||||
*/
|
||||
|
|
@ -1651,7 +1659,8 @@ static int
|
|||
xml_merge1(cxobj *x0,
|
||||
yang_node *y0,
|
||||
cxobj *x0p,
|
||||
cxobj *x1)
|
||||
cxobj *x1,
|
||||
char **reason)
|
||||
{
|
||||
int retval = -1;
|
||||
char *x1name;
|
||||
|
|
@ -1699,24 +1708,35 @@ xml_merge1(cxobj *x0,
|
|||
x1cname = xml_name(x1c);
|
||||
/* Get yang spec of the child */
|
||||
if ((yc = yang_find_datanode(y0, x1cname)) == NULL){
|
||||
clicon_err(OE_YANG, errno, "No yang node found: %s", x1cname);
|
||||
goto done;
|
||||
if (reason && (*reason = strdup("XML node has no corresponding yang specification (Invalid XML or wrong Yang spec?")) == NULL){
|
||||
clicon_err(OE_UNIX, errno, "strdup");
|
||||
goto done;
|
||||
}
|
||||
break;
|
||||
}
|
||||
/* See if there is a corresponding node in the base tree */
|
||||
x0c = NULL;
|
||||
if (yc && match_base_child(x0, x1c, &x0c, yc) < 0)
|
||||
goto done;
|
||||
if (xml_merge1(x0c, (yang_node*)yc, x0, x1c) < 0)
|
||||
if (xml_merge1(x0c, (yang_node*)yc, x0, x1c, reason) < 0)
|
||||
goto done;
|
||||
if (*reason != NULL)
|
||||
goto ok;
|
||||
}
|
||||
} /* else Y_CONTAINER */
|
||||
// ok:
|
||||
ok:
|
||||
retval = 0;
|
||||
done:
|
||||
return retval;
|
||||
}
|
||||
|
||||
/*! Merge XML trees x1 into x0 according to yang spec yspec
|
||||
* @param[in] x0 Base xml tree (can be NULL in add scenarios)
|
||||
* @param[in] x1 xml tree which modifies base
|
||||
* @param[in] yspec Yang spec
|
||||
* @param[out] reason If retval=0 a malloced string. Needs to be freed by caller
|
||||
* @retval 0 OK. If reason is set, Yang error
|
||||
* @retval -1 Error
|
||||
* @note both x0 and x1 need to be top-level trees
|
||||
* @see text_modify_top as more generic variant (in datastore text)
|
||||
* @note returns -1 if YANG do not match, you may want to have a softer error
|
||||
|
|
@ -1724,7 +1744,8 @@ xml_merge1(cxobj *x0,
|
|||
int
|
||||
xml_merge(cxobj *x0,
|
||||
cxobj *x1,
|
||||
yang_spec *yspec)
|
||||
yang_spec *yspec,
|
||||
char **reason)
|
||||
{
|
||||
int retval = -1;
|
||||
char *x1cname; /* child name */
|
||||
|
|
@ -1738,16 +1759,21 @@ xml_merge(cxobj *x0,
|
|||
x1cname = xml_name(x1c);
|
||||
/* Get yang spec of the child */
|
||||
if ((yc = yang_find_topnode(yspec, x1cname, YC_DATANODE)) == NULL){
|
||||
clicon_err(OE_YANG, ENOENT, "No yang spec");
|
||||
goto done;
|
||||
if (reason && (*reason = strdup("XML node has no corresponding yang specification (Invalid XML or wrong Yang spec?")) == NULL){
|
||||
clicon_err(OE_UNIX, errno, "strdup");
|
||||
goto done;
|
||||
}
|
||||
break;
|
||||
}
|
||||
/* See if there is a corresponding node in the base tree */
|
||||
if (match_base_child(x0, x1c, &x0c, yc) < 0)
|
||||
goto done;
|
||||
if (xml_merge1(x0c, (yang_node*)yc, x0, x1c) < 0)
|
||||
if (xml_merge1(x0c, (yang_node*)yc, x0, x1c, reason) < 0)
|
||||
goto done;
|
||||
if (*reason != NULL)
|
||||
break;
|
||||
}
|
||||
retval = 0;
|
||||
retval = 0; /* OK */
|
||||
done:
|
||||
return retval;
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue