Fixed: A long TLS+HTTP/2 request such as by a browser causing block of other requests.

Test: Disabled privileges test if clixon_restconf started with -r

CHANGELOG.md

@@ -112,6 +112,7 @@ Users may have to change how they access the system
 
 ### Corrected Bugs
 
+* Fixed: A long TLS+HTTP/2 request such as by a browser causing block of other requests.
 * Fixed: [Error message seen twice in some cases](https://github.com/clicon/clixon/issues/325)
 * Fixed: [if choice is declared with multiple elements or leaf-list with in a case scope , addition or updation is not happening as expected](https://github.com/clicon/clixon/issues/327)
   * This includes several choice/case adjustments to follow RFC 7950 Sec 7.9 better

apps/restconf/restconf_native.c

@@ -465,7 +465,7 @@ native_send_badrequest(clicon_handle       h,
  * @retval    -1    Error
  */
 static int
-native_clear_input(clicon_handle         h,
+http1_native_clear_input(clicon_handle         h,
 			 restconf_stream_data *sd)
 {
     int retval = -1;
@@ -524,6 +524,7 @@ read_ssl(restconf_conn *rc,
     }
     retval = 0;
  done:
+    clicon_debug(1, "%s %d", __FUNCTION__, retval);
     return retval;
 }
 
@@ -577,7 +578,8 @@ read_regular(restconf_conn *rc,
 }
 
 #ifdef HAVE_HTTP1
-/*! RESTCONF HTTP/1 processing after chunk of bytes read
+
+/*! Restconf HTTP/1 processing after chunk of bytes read
  *
  * @param[in]  rc           Restconf connection handle 
  * @param[in]  buf          Input buffer
@@ -588,7 +590,7 @@ read_regular(restconf_conn *rc,
  * @retval     1            OK
  */
 static int
-restconf_http1(restconf_conn        *rc,
+restconf_http1_process(restconf_conn        *rc,
 		       char                 *buf,
 		       size_t                n,
 		       int                  *readmore)
@@ -641,7 +643,7 @@ restconf_http1(restconf_conn        *rc,
 	    else if ((ret = clixon_event_poll(rc->rc_s)) < 0)
 		goto done;
 	    if (ret > 0){
-		if (native_clear_input(h, sd) < 0)
+		if (http1_native_clear_input(h, sd) < 0)
 		    goto done;
 		(*readmore)++;
 		goto ok;
@@ -790,15 +792,18 @@ restconf_http2_upgrade(restconf_conn *rc)
 }
 #endif /* HAVE_LIBHTTP1 */
 
-/*!
+/*! Restconf HTTP/2 processing after chunk of bytes read
+ * @param[in]  rc       Restconf connection
  * @param[in]  buf      Input buffer
  * @param[in]  n        Size of input buffer
+ * @param[in]  n        Length of data in input buffer
+ * @param[out] readmore If set, read data again, do not continue processing
  * @retval     -1       Error
  * @retval     0        Socket closed, quit
  * @retval     1        OK
  */
 static int
-restconf_http2(restconf_conn *rc,
+restconf_http2_process(restconf_conn *rc,
 		       char          *buf,
 		       size_t         n,
 		       int           *readmore)
@@ -823,7 +828,13 @@ restconf_http2(restconf_conn *rc,
 	    retval = 0;
 	    goto done;
 	}
-	/* There may be more data frames */
+	/* Check if read more data frames */
+	ret = 0;
+	if (rc->rc_ssl)
+	    ret = SSL_pending(rc->rc_ssl);
+	else if ((ret = clixon_event_poll(rc->rc_s)) < 0)
+	    goto done;
+	if (ret > 0)
 	    (*readmore)++;
     }
     retval = 1;
@@ -891,7 +902,7 @@ restconf_connection(int   s,
 #ifdef HAVE_HTTP1
 	case HTTP_10:
 	case HTTP_11:
-	    if ((ret = restconf_http1(rc, buf, n, &readmore)) < 0)
+	    if ((ret = restconf_http1_process(rc, buf, n, &readmore)) < 0)
 		goto done;
 	    if (ret == 0)
 		goto ok;
@@ -905,12 +916,10 @@ restconf_connection(int   s,
 #endif /* HAVE_HTTP1 */
 #ifdef HAVE_LIBNGHTTP2
 	case HTTP_2:
-	    if ((ret = restconf_http2(rc, buf, n, &readmore)) < 0)
+	    if ((ret = restconf_http2_process(rc, buf, n, &readmore)) < 0)
 		goto done;
 	    if (ret == 0)
 		goto ok;
-	    if (readmore)
-		continue;
 	    break;
 #endif /* HAVE_LIBNGHTTP2 */
 	default:

test/test_http_data.sh

@@ -228,11 +228,15 @@ EOF
 	new "WWW get http soft link"
 	expectpart "$(curl $CURLOPTS -X GET -H 'Accept: text/html' $proto://localhost/data/inside.html)" 0 "HTTP/$HVER 403" "Content-Type: text/html" "<title>403 Forbidden</title>" --not-- "<title>Dont access this</title>"
 	
-	
-	if [ ! -f /.dockerenv ] ; then	# XXX Privs dont not work on docker/alpine?
+	# Two cases where the privileges test is not run:
+	# 1) Docker in alpine for some reason
+	# 2) Restconf run explicitly as root (eg coverage)
+	if [ ! -f /.dockerenv ] ; then  
+            if [[ "$clixon_restconf" != *"-r"* ]]; then
 		new "WWW get http not read access"
 		expectpart "$(curl $CURLOPTS -X GET -H 'Accept: text/html' $proto://localhost/data/noread.html)" 0 "HTTP/$HVER 403" "Content-Type: text/html" "<title>403 Forbidden</title>"
             fi
+	fi
 
 	# Try .. Cannot get .. in path to work in curl (it seems to remove it)
 	if [ "$proto" = http -a -n "$netcat" ]; then