diff --git a/apps/backend/backend_client.c b/apps/backend/backend_client.c
index caa00ae9..8a379c0d 100644
--- a/apps/backend/backend_client.c
+++ b/apps/backend/backend_client.c
@@ -1317,9 +1317,8 @@ from_client_hello(clicon_handle h,
id = clicon_session_id_get(h);
id++;
clicon_session_id_set(h, id);
- cprintf(cbret, "%lu", id);
+ cprintf(cbret, "%u", id);
retval = 0;
- // done:
return retval;
}
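Review bot: `%u` in the changed cprintf() is only exact if `id` is an `unsigned int`; its declaration is above this hunk, and if it is a `uint32_t` (as the `parse_uint32` error on the client side suggests) the portable spelling is `PRIu32` from `<inttypes.h>`. The `id++` two lines earlier has no wrap handling, so a long-running backend eventually hands out 0 and then repeats ids that may still belong to live sessions; RFC 6241 restricts session-id to 1..max. An explicit skip of 0, or at least a comment such as `/* session-ids start at 1; wrap-around is not handled */`, would make the intent clear.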
diff --git a/apps/restconf/restconf_methods.c b/apps/restconf/restconf_methods.c
index c0cca915..0ecf18f4 100644
--- a/apps/restconf/restconf_methods.c
+++ b/apps/restconf/restconf_methods.c
@@ -292,7 +292,7 @@ api_data_write(clicon_handle h,
goto ok;
}
xret = NULL;
- if (clicon_rpc_get_config(h, NACM_RECOVERY_USER,
+ if (clicon_rpc_get_config(h, clicon_nacm_recovery_user(h),
"candidate", cbuf_get(cbpath), nsc, &xret) < 0){
if (netconf_operation_failed_xml(&xerr, "protocol", clicon_err_reason) < 0)
goto done;
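Review bot: This read of "candidate" runs as the recovery user, so the requesting user's NACM read rules are not applied to it, and unlike the commit/discard sites later in api_data_write there is no comment saying why. Add one above the call, for example `/* Existence check only: done as recovery user, xret must not be returned to the client */`, if that is indeed the intent. How xret is used afterwards is outside this hunk, so that it never reaches the response is something to confirm rather than something visible here.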
@@ -612,7 +612,7 @@ api_data_write(clicon_handle h,
/* commit/discard should be done automaticaly by the system, therefore
* recovery user is used here (edit-config but not commit may be permitted
by NACM */
- cprintf(cbx, "", NACM_RECOVERY_USER);
+ cprintf(cbx, "", clicon_nacm_recovery_user(h));
cprintf(cbx, "");
if (clicon_rpc_netconf(h, cbuf_get(cbx), &xretcom, NULL) < 0)
goto done;
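Review bot: The recovery user name passed to cprintf() here is now a run-time configuration value rather than a compile-time literal, and it goes into the message sent by clicon_rpc_netconf() with no NULL check and no XML encoding. The format strings show as empty on this page, presumably because their markup was lost in rendering, so the exact placement of the name is inferred. A NULL return handed to `%s` is undefined behaviour, and a configured name containing a quote, `<` or `&` would corrupt the request. Fetch it once per function, e.g. `char *ruser = clicon_nacm_recovery_user(h);`, fail with an error if it is NULL, and encode it before interpolation or constrain the option's YANG type to a safe character set. The same applies to the other cprintf() hunks in this file (at 641, 881 and 910) and to both hunks in restconf_methods_post.c.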
@@ -641,7 +641,7 @@ api_data_write(clicon_handle h,
* consequence of a RESTCONF edit operation.
*/
cbuf_reset(cbx);
- cprintf(cbx, "", NACM_RECOVERY_USER);
+ cprintf(cbx, "", clicon_nacm_recovery_user(h));
cprintf(cbx, "");
if (clicon_rpc_netconf(h, cbuf_get(cbx), &xretcom, NULL) < 0)
goto done;
@@ -881,13 +881,13 @@ api_data_delete(clicon_handle h,
/* commit/discard should be done automatically by the system, therefore
* recovery user is used here (edit-config but not commit may be permitted
by NACM */
- cprintf(cbx, "", NACM_RECOVERY_USER);
+ cprintf(cbx, "", clicon_nacm_recovery_user(h));
cprintf(cbx, "");
if (clicon_rpc_netconf(h, cbuf_get(cbx), &xretcom, NULL) < 0)
goto done;
if ((xe = xpath_first(xretcom, "//rpc-error")) != NULL){
cbuf_reset(cbx);
- cprintf(cbx, "", NACM_RECOVERY_USER);
+ cprintf(cbx, "", clicon_nacm_recovery_user(h));
cprintf(cbx, "");
if (clicon_rpc_netconf(h, cbuf_get(cbx), &xretdis, NULL) < 0)
goto done;
@@ -910,7 +910,7 @@ api_data_delete(clicon_handle h,
* consequence of a RESTCONF edit operation.
*/
cbuf_reset(cbx);
- cprintf(cbx, "", NACM_RECOVERY_USER);
+ cprintf(cbx, "", clicon_nacm_recovery_user(h));
cprintf(cbx, "");
if (clicon_rpc_netconf(h, cbuf_get(cbx), &xretcom, NULL) < 0)
goto done;
diff --git a/apps/restconf/restconf_methods_post.c b/apps/restconf/restconf_methods_post.c
index b3cd7ec5..c7700f41 100644
--- a/apps/restconf/restconf_methods_post.c
+++ b/apps/restconf/restconf_methods_post.c
@@ -348,7 +348,7 @@ api_data_post(clicon_handle h,
/* commit/discard should be done automaticaly by the system, therefore
* recovery user is used here (edit-config but not commit may be permitted
by NACM */
- cprintf(cbx, "", NACM_RECOVERY_USER);
+ cprintf(cbx, "", clicon_nacm_recovery_user(h));
cprintf(cbx, "");
if (clicon_rpc_netconf(h, cbuf_get(cbx), &xretcom, NULL) < 0)
goto done;
@@ -377,7 +377,7 @@ api_data_post(clicon_handle h,
* consequence of a RESTCONF edit operation.
*/
cbuf_reset(cbx);
- cprintf(cbx, "", NACM_RECOVERY_USER);
+ cprintf(cbx, "", clicon_nacm_recovery_user(h));
cprintf(cbx, "");
if (clicon_rpc_netconf(h, cbuf_get(cbx), &xretcom, NULL) < 0)
goto done;
diff --git a/lib/clixon/clixon_nacm.h b/lib/clixon/clixon_nacm.h
index 83997de6..b1b94831 100644
--- a/lib/clixon/clixon_nacm.h
+++ b/lib/clixon/clixon_nacm.h
@@ -36,15 +36,6 @@
#ifndef _CLIXON_NACM_H
#define _CLIXON_NACM_H
-/*
- * Constants
- */
-/* RFC8341 defines a "recovery session" as outside the scope.
- * Clixon defines this user as having special admin rights to expemt from
- * all access control enforcements
- */
-#define NACM_RECOVERY_USER "_nacm_recovery"
-
/*
* Types
*/
@@ -79,6 +70,6 @@ int nacm_datanode_read(cxobj *xt, cxobj **xvec, size_t xlen, char *username, cxo
int nacm_datanode_write(cxobj *xt, cxobj *xr, enum nacm_access access,
char *username, cxobj *xnacm, cbuf *cbret);
int nacm_access_pre(clicon_handle h, char *username, enum nacm_point point, cxobj **xnacmp);
-int nacm_access(char *mode, cxobj *xnacmin, char *username);
+int nacm_access(clicon_handle h, char *mode, cxobj *xnacmin, char *username);
#endif /* _CLIXON_NACM_H */
diff --git a/lib/src/clixon_datastore_write.c b/lib/src/clixon_datastore_write.c
index 3f4ef5c7..8ddc69fb 100644
--- a/lib/src/clixon_datastore_write.c
+++ b/lib/src/clixon_datastore_write.c
@@ -1023,7 +1023,7 @@ xmldb_put(clicon_handle h,
(xnacm = xpath_first_nsc(xnacm0, nsc, "nacm")) != NULL){
/* Pre-NACM access step, if permit, then dont do any nacm checks in
* text_modify_* below */
- if ((permit = nacm_access(mode, xnacm, username)) < 0)
+ if ((permit = nacm_access(h, mode, xnacm, username)) < 0)
goto done;
}
/* Here assume if xnacm is set and !permit do NACM */
diff --git a/lib/src/clixon_nacm.c b/lib/src/clixon_nacm.c
index 8ba668a7..3e2848e1 100644
--- a/lib/src/clixon_nacm.c
+++ b/lib/src/clixon_nacm.c
@@ -824,7 +824,7 @@ nacm_datanode_write(cxobj *xt,
* @retval 0 OK but not validated. Need to do NACM step using xnacm
* @retval 1 OK permitted. You do not need to do next NACM step
* @code
- * if ((ret = nacm_access(mode, xnacm, username)) < 0)
+ * if ((ret = nacm_access(h, mode, xnacm, username)) < 0)
* err;
* if (ret == 0){
* // Next step NACM processing
@@ -834,9 +834,10 @@ nacm_datanode_write(cxobj *xt,
* @see RFC8341 3.4 Access Control Enforcement Procedures
*/
int
-nacm_access(char *mode,
- cxobj *xnacm,
- char *username)
+nacm_access(clicon_handle h,
+ char *mode,
+ cxobj *xnacm,
+ char *username)
{
int retval = -1;
cxobj *xnacm0 = NULL;
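Review bot: The new first parameter `h` needs an entry in the function's doc comment; the `@code` example was updated in the previous hunk, but the `@param` list is above the visible lines and may still describe only mode, xnacm and username. Add `@param[in]  h  Clicon handle` ahead of the existing entries. Since nacm_access() is declared in the public header, the signature change is also worth a line in the changelog for out-of-tree callers.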
@@ -869,7 +870,7 @@ nacm_access(char *mode,
goto permit;
/* 2. If the requesting session is identified as a recovery session,
then the protocol operation is permitted. NYI */
- if (username && strcmp(username, NACM_RECOVERY_USER) == 0)
+ if (username && strcmp(username, clicon_nacm_recovery_user(h)) == 0)
goto permit;
retval = 0; /* not permitted yet. continue with next NACM step */
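Review bot: Only `username` is guarded in the step-2 comparison; the second argument to strcmp() is now a function result, and strcmp() on NULL is undefined behaviour. Because a match here grants a full NACM bypass, fetch the value into a local and require it to be set and non-empty: `char *ruser = clicon_nacm_recovery_user(h);` then `if (username && ruser && *ruser && strcmp(username, ruser) == 0)`. Whether the accessor can return NULL is not visible on this page; the YANG default of "_nacm_recovery" suggests it normally cannot, but an explicit check costs nothing at this point. The "NYI" at the end of the comment above looks stale now that the step is implemented.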
@@ -943,7 +944,7 @@ nacm_access_pre(clicon_handle h,
goto done;
xnacm0 = NULL;
/* Initial NACM steps and common to all NACM access validation. */
- if ((retval = nacm_access(mode, xnacm, username)) < 0)
+ if ((retval = nacm_access(h, mode, xnacm, username)) < 0)
goto done;
if (retval == 0){ /* if retval == 0 then return an xml nacm tree */
*xnacmp = xnacm;
diff --git a/lib/src/clixon_proto_client.c b/lib/src/clixon_proto_client.c
index f2b73403..785b1eb0 100644
--- a/lib/src/clixon_proto_client.c
+++ b/lib/src/clixon_proto_client.c
@@ -963,7 +963,6 @@ clicon_hello_req(clicon_handle h,
clicon_err(OE_XML, errno, "parse_uint32");
goto done;
}
- fprintf(stderr, "id:%lu\n", *id);
retval = 0;
done:
if (msg)
diff --git a/test/test_sock.sh b/test/test_sock.sh
index a2e62054..d82c53bd 100755
--- a/test/test_sock.sh
+++ b/test/test_sock.sh
@@ -5,6 +5,9 @@
# Magic line must be first in script (see README.md)
s="$_" ; . ./lib.sh || if [ "$s" = $0 ]; then exit 0; else return 0; fi
+# Raw unit tester of backend unix socket
+: ${clixon_util_socket:=clixon_util_socket}
+
#
# client <---> backend
# ^ is unix, ipv4, ipv6 socket
@@ -18,11 +21,11 @@ fyang=$dir/socket.yang
# check socket works
# 1: UNIX|IPv4|IPv6
# 2: unix file or ipv4 address or ipv6 address
-# 3: sock port (if ipv4 or ipv6)
+# 3: session-id
testrun(){
family=$1
sock=$2
- port=$3
+ id=$3
cat < $cfg
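Review bot: `id=$3` is assigned but nothing in the visible hunks reads `$id`, and both callers at the end of the file now pass only two arguments (`testrun UNIX $dir/sock`, `testrun IPv4 127.0.0.1`), so the `# 3: session-id` comment documents a parameter that is never supplied. Either drop the assignment and the comment line, or pass the expected first session-id and use `$id` in the hello checks. testrun's body continues past this hunk.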
@@ -31,7 +34,7 @@ cat < $cfg
/usr/local/share/clixon
clixon-example
$family
- $port
+ 4535
$sock
/usr/local/lib/$APPNAME/clispec
/usr/local/lib/$APPNAME/cli
@@ -56,6 +59,12 @@ EOF
new "$clixon_cli -1f $cfg show version"
expectfn "$clixon_cli -1f $cfg show version" 0 "$version."
+
+ new "hello session-id 1"
+ expecteof "$clixon_util_socket -a $family -s $sock -D $DBG" 0 "" "1"
+
+ new "hello session-id 2"
+ expecteof "$clixon_util_socket -a $family -s $sock -D $DBG" 0 "" "2"
if [ $BE -ne 0 ]; then
new "Kill backend"
@@ -70,10 +79,10 @@ EOF
}
new "Unix socket"
-testrun UNIX $dir/sock 0
+testrun UNIX $dir/sock
new "IPv4 socket"
-testrun IPv4 127.0.0.1 7878
+testrun IPv4 127.0.0.1
#new "IPv6 socket" NYI
#testrun IPv6 ::1 7878
diff --git a/yang/clixon/clixon-config@2019-09-11.yang b/yang/clixon/clixon-config@2019-09-11.yang
index dc014559..7eb343cd 100644
--- a/yang/clixon/clixon-config@2019-09-11.yang
+++ b/yang/clixon/clixon-config@2019-09-11.yang
@@ -586,7 +586,7 @@ module clixon-config {
type string;
default "_nacm_recovery";
description
- "C8341 defines a 'recovery session' as outside the scope. Clixon
+ "RFC8341 defines a 'recovery session' as outside the scope. Clixon
defines this user as having special admin rights to exempt from
all access control enforcements.
Note setting of CLICON_NACM_CREDENTIALS is important, if set to