From 90545b05cd50ae3ab253e3fff3275417ed56cb5d Mon Sep 17 00:00:00 2001 From: Olof hagsand Date: Sat, 12 Jan 2019 13:52:35 +0100 Subject: [PATCH] nacm testcases for modules and datastore --- test/test_nacm.sh | 16 +- test/test_nacm_datanode.sh | 230 +++++++++++++++++++++++++++++ test/test_nacm_ext.sh | 21 +-- test/test_nacm_module.sh | 187 +++++++++++++++++++++++ test/test_nacm_protocol.sh | 30 ++-- yang/clixon-config@2018-10-21.yang | 4 +- 6 files changed, 455 insertions(+), 33 deletions(-) create mode 100755 test/test_nacm_datanode.sh create mode 100755 test/test_nacm_module.sh diff --git a/test/test_nacm.sh b/test/test_nacm.sh index aac4be87..82337442 100755 --- a/test/test_nacm.sh +++ b/test/test_nacm.sh @@ -16,7 +16,7 @@ cat < $cfg $cfg /usr/local/share/clixon - /usr/local/share/clixon + $fyang /usr/local/lib/$APPNAME/clispec /usr/local/lib/$APPNAME/restconf /usr/local/lib/$APPNAME/cli @@ -103,16 +103,16 @@ RULES=$(cat <$RULES]]>]]>" "^]]>]]>$" +expecteof "$clixon_netconf -qf $cfg" 0 "$RULES]]>]]>" "^]]>]]>$" new "commit it" -expecteof "$clixon_netconf -qf $cfg -y $fyang" 0 "]]>]]>" "^]]>]]>$" +expecteof "$clixon_netconf -qf $cfg" 0 "]]>]]>" "^]]>]]>$" new2 "auth get (no user: access denied)" expecteq "$(curl -sS -X GET -H \"Accept:\ application/yang-data+json\" http://localhost/restconf/data)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "The requested URL was unauthorized"}}} ' diff --git a/test/test_nacm_datanode.sh b/test/test_nacm_datanode.sh new file mode 100755 index 00000000..8bf65f56 --- /dev/null +++ b/test/test_nacm_datanode.sh 
@@ -0,0 +1,230 @@ +#!/bin/bash +# Authentication and authorization and IETF NACM +# NACM data node rule +# @see RFC 8341 A.1 and A.4 (and permit-all from A.2) +# Tests for: +# deny-nacm: This rule denies the "guest" group any access to the +# /nacm subtree. +# permit-acme-config: This rule gives the "limited" group read-write +# access to the acme . +# permit-dummy-interface: This rule gives the "limited" and "guest" +# groups read-update access to the acme entry named +# "dummy". This entry cannot be created or deleted by these groups; +# it can only be altered. +# permit-interface: This rule gives the "admin" group read-write +# access to all acme entries. + +APPNAME=example +# include err() and new() functions and creates $dir +. ./lib.sh +. ./nacm.sh + +cfg=$dir/conf_yang.xml +fyang=$dir/test.yang +fyangerr=$dir/err.yang + +cat < $cfg + + $cfg + /usr/local/share/clixon + $fyang + /usr/local/lib/$APPNAME/clispec + /usr/local/lib/$APPNAME/restconf + /usr/local/lib/$APPNAME/cli + $APPNAME + /usr/local/var/$APPNAME/$APPNAME.sock + /usr/local/var/$APPNAME/$APPNAME.pidfile + 1 + /usr/local/var/$APPNAME + /usr/local/lib/xmldb/text.so + false + internal + +EOF + +cat < $fyang +module $APPNAME{ + yang-version 1.1; + namespace "urn:example:clixon"; + prefix ex; + import ietf-netconf-acm { + prefix nacm; + } + leaf x{ + type int32; + description "something to edit"; + } +} +EOF + +# The groups are slightly modified from RFC8341 A.1 +# The rule-list is from A.2 +RULES=$(cat < + false + deny + deny + deny + + $NGROUPS + + + guest-acl + guest + + + deny-nacm + + /n:nacm + + * + deny + + Deny the 'guest' group any access to the /nacm data. + + + + + + limited-acl + limited + + + permit-acme-config + + /acme:acme-netconf/acme:config-parameters + + + read create update delete + + permit + + Allow the 'limited' group complete access to the acme + NETCONF configuration parameters. Showing long form + of 'access-operations' instead of shorthand. 
+ + + + + guest-limited-acl + guest + limited + + + permit-dummy-interface + + /acme:interfaces/acme:interface[acme:name='dummy'] + + read update + permit + + Allow the 'limited' and 'guest' groups read + and update access to the dummy interface. + + + + + admin-acl + admin + + permit-interface + + /acme:interfaces/acme:interface + + * + permit + + Allow the 'admin' group full access to all acme interfaces. + + + + + $NADMIN + + + 0 +EOF +) + +# kill old backend (if any) +new "kill old backend" +sudo clixon_backend -zf $cfg +if [ $? -ne 0 ]; then + err +fi + +new "start backend -s init -f $cfg" +# start new backend +sudo $clixon_backend -s init -f $cfg +if [ $? -ne 0 ]; then + err +fi + +new "kill old restconf daemon" +sudo pkill -u www-data -f "/www-data/clixon_restconf" + +sleep 1 +new "start restconf daemon (-a is enable basic authentication)" +sudo su -c "$clixon_restconf -f $cfg -D $DBG -- -a" -s /bin/sh www-data & + +sleep $RCWAIT + +new "auth set authentication config" +expecteof "$clixon_netconf -qf $cfg" 0 "$RULES]]>]]>" "^]]>]]>$" + +new "commit it" +expecteof "$clixon_netconf -qf $cfg" 0 "]]>]]>" "^]]>]]>$" + +new "enable nacm" +expecteq "$(curl -u andy:bar -sS -X PUT -d '{"enable-nacm": true}' http://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" "" + +#--------------- nacm enabled + +new2 "auth get (wrong passwd: access denied)" +expecteq "$(curl -u andy:foo -sS -X GET http://localhost/restconf/data)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "The requested URL was unauthorized"}}} ' + +new2 "auth get (access)" +expecteq "$(curl -u andy:bar -sS -X GET http://localhost/restconf/data/example:x)" '{"example:x": 0} + ' + +#----------------Enable NACM + +new "enable nacm" +expecteq "$(curl -u andy:bar -sS -X PUT -d '{"enable-nacm": true}' http://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" "" + +new2 "admin get nacm" +expecteq "$(curl -u 
andy:bar -sS -X GET http://localhost/restconf/data/example:x)" '{"example:x": 0} + ' + +new2 "limited get nacm" +expecteq "$(curl -u wilma:bar -sS -X GET http://localhost/restconf/data/example:x)" '{"example:x": 0} + ' + +new2 "guest get nacm" +expecteq "$(curl -u guest:bar -sS -X GET http://localhost/restconf/data/example:x)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "The requested URL was unauthorized"}}} ' + +new "admin edit nacm" +expecteq "$(curl -u andy:bar -sS -X PUT -d '{"x": 1}' http://localhost/restconf/data/example:x)" "" + +new2 "limited edit nacm" +expecteq "$(curl -u wilma:bar -sS -X PUT -d '{"x": 2}' http://localhost/restconf/data/example:x)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "default deny"}}} ' + +new2 "guest edit nacm" +expecteq "$(curl -u guest:bar -sS -X PUT -d '{"x": 3}' http://localhost/restconf/data/example:x)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "The requested URL was unauthorized"}}} ' + +new "Kill restconf daemon" +sudo pkill -u www-data -f "/www-data/clixon_restconf" + +new "Kill backend" +# Check if premature kill +pid=`pgrep -u root -f clixon_backend` +if [ -z "$pid" ]; then + err "backend already dead" +fi +# kill backend +sudo clixon_backend -z -f $cfg +if [ $? -ne 0 ]; then + err "kill backend" +fi + +rm -rf $dir diff --git a/test/test_nacm_ext.sh b/test/test_nacm_ext.sh index edbef77f..5e2ad832 100755 --- a/test/test_nacm_ext.sh +++ b/test/test_nacm_ext.sh @@ -20,6 +20,7 @@ cat < $cfg $cfg /usr/local/share/example/yang /usr/local/share/clixon + $fyang /usr/local/lib/$APPNAME/clispec /usr/local/lib/$APPNAME/backend example_backend.so$ 
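Review bot: The tests in test_nacm_datanode.sh never exercise the data node rules the file header describes: every GET and PUT targets `http://localhost/restconf/data/example:x`, while the rule paths are `/n:nacm`, `/acme:acme-netconf/acme:config-parameters` and `/acme:interfaces/acme:interface[acme:name='dummy']`, so the expectations only reflect the admin rule-list (`$NADMIN` from nacm.sh, presumably) and the *-default leaves, not deny-nacm, permit-acme-config, permit-dummy-interface or permit-interface. The "enable nacm" PUT is also issued twice (once after "commit it" and again under "#----------------Enable NACM"), so the two "auth get" checks between them already run with NACM enabled and the second PUT is a no-op; dropping the first PUT, or renaming the second section, would make the sequence match what it claims to test. The guest read and guest edit expect "The requested URL was unauthorized", the same message the wrong-password case produces, whereas test_nacm_module.sh expects "default deny" for the same `guest:bar` credentials — if that is the real output it pins an authentication failure rather than a NACM decision, and a comment such as `# guest is rejected at authentication here, not by deny-nacm -- TODO confirm` would stop readers counting it as rule coverage. Minor: `fyangerr=$dir/err.yang` is assigned but never used, and the admin PUT body `'{"x": 1}'` is unprefixed while the module test uses `'{"example:x": 1}'`.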
@@ -134,7 +135,7 @@ cat < $nacmfile EOF -new "test params: -f $cfg -y $fyang" +new "test params: -f $cfg" if [ $BE -ne 0 ]; then new "kill old backend -zf $cfg " @@ -143,9 +144,9 @@ if [ $BE -ne 0 ]; then err fi sleep 1 - new "start backend -s init -f $cfg -y $fyang" + new "start backend -s init -f $cfg" # start new backend - sudo $clixon_backend -s init -f $cfg -y $fyang -D $DBG + sudo $clixon_backend -s init -f $cfg -D $DBG if [ $? -ne 0 ]; then err fi @@ -155,7 +156,7 @@ new "kill old restconf daemon" sudo pkill -u www-data -f "/www-data/clixon_restconf" new "start restconf daemon (-a is enable http basic auth)" -sudo su -c "$clixon_restconf -f $cfg -y $fyang -D $DBG -- -a" -s /bin/sh www-data & +sudo su -c "$clixon_restconf -f $cfg -D $DBG -- -a" -s /bin/sh www-data & sleep $RCWAIT 
@@ -200,22 +201,22 @@ new2 "guest edit nacm" expecteq "$(curl -u guest:bar -sS -X PUT -d '{"x": 3}' http://localhost/restconf/data/example:x)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "access denied"}}} ' new "cli show conf as admin" -expectfn "$clixon_cli -1 -U andy -l o -f $cfg -y $fyang show conf" 0 "^x 1;$" +expectfn "$clixon_cli -1 -U andy -l o -f $cfg show conf" 0 "^x 1;$" new "cli show conf as limited" -expectfn "$clixon_cli -1 -U wilma -l o -f $cfg -y $fyang show conf" 0 "^x 1;$" +expectfn "$clixon_cli -1 -U wilma -l o -f $cfg show conf" 0 "^x 1;$" new "cli show conf as guest" -expectfn "$clixon_cli -1 -U guest -l o -f $cfg -y $fyang show conf" 255 "protocol access-denied" +expectfn "$clixon_cli -1 -U guest -l o -f $cfg show conf" 255 "protocol access-denied" new "cli rpc as admin" -expectfn "$clixon_cli -1 -U andy -l o -f $cfg -y $fyang rpc ipv4" 0 "next-hop-list 2.3.4.5;" +expectfn "$clixon_cli -1 -U andy -l o -f $cfg rpc ipv4" 0 "next-hop-list 2.3.4.5;" new "cli rpc as limited" -expectfn "$clixon_cli -1 -U wilma -l o -f $cfg -y $fyang rpc ipv4" 255 "protocol access-denied default deny" +expectfn "$clixon_cli -1 -U wilma -l o -f $cfg rpc ipv4" 255 "protocol access-denied default deny" new "cli rpc as guest" -expectfn "$clixon_cli -1 -U guest -l o -f $cfg -y $fyang rpc ipv4" 255 "protocol access-denied access denied" +expectfn "$clixon_cli -1 -U guest -l o -f $cfg rpc ipv4" 255 "protocol access-denied access denied" new "Kill restconf daemon" sudo pkill -u www-data -f "/www-data/clixon_restconf" diff --git a/test/test_nacm_module.sh b/test/test_nacm_module.sh new file mode 100755 index 00000000..e2559feb --- /dev/null +++ b/test/test_nacm_module.sh 
@@ -0,0 +1,187 @@ +#!/bin/bash +# Authentication and authorization and IETF NACM +# NACM module rules +# @see test_nacm.sh is slightly modified - this follows the RFC more closely +# See RFC 8341 A.1 and A.2 +# Tests for: +# deny-ncm: This rule prevents the "guest" group from reading any +# monitoring information in the "ietf-netconf-monitoring" YANG +# module. +# permit-ncm: This rule allows the "limited" group to read the +# "ietf-netconf-monitoring" YANG module. +# permit-exec: This rule allows the "limited" group to invoke any +# protocol operation supported by the server. +# permit-all: This rule allows the "admin" group complete access to +# all content in the server. No subsequent rule will match for the +# "admin" group because of this module rule + +APPNAME=example +# include err() and new() functions and creates $dir +. ./lib.sh +. ./nacm.sh + +cfg=$dir/conf_yang.xml +fyang=$dir/test.yang +fyangerr=$dir/err.yang + +cat < $cfg + + $cfg + /usr/local/share/clixon + $fyang + /usr/local/lib/$APPNAME/clispec + /usr/local/lib/$APPNAME/restconf + /usr/local/lib/$APPNAME/cli + $APPNAME + /usr/local/var/$APPNAME/$APPNAME.sock + /usr/local/var/$APPNAME/$APPNAME.pidfile + 1 + /usr/local/var/$APPNAME + /usr/local/lib/xmldb/text.so + false + internal + +EOF + +cat < $fyang +module $APPNAME{ + yang-version 1.1; + namespace "urn:example:clixon"; + prefix ex; + import ietf-netconf-acm { + prefix nacm; + } + leaf x{ + type int32; + description "something to edit"; + } +} +EOF + +# The groups are slightly modified from RFC8341 A.1 ($USER added in admin group) +# The rule-list is from A.2 +RULES=$(cat < + false + deny + deny + deny + + $NGROUPS + + + guest-acl + guest + + deny-ncm + ietf-netconf-monitoring + * + deny + + Do not allow guests any access to the NETCONF + monitoring information. + + + + + limited-acl + limited + + permit-ncm + get + ietf-netconf-monitoring + read + permit + + Allow read access to the NETCONF monitoring information. 
+ + + + permit-exec + * + exec + permit + + Allow invocation of the supported server operations. + + + + + $NADMIN + + + 0 +EOF +) + +# kill old backend (if any) +new "kill old backend" +sudo clixon_backend -zf $cfg +if [ $? -ne 0 ]; then + err +fi + +new "start backend -s init -f $cfg" +# start new backend +sudo $clixon_backend -s init -f $cfg +if [ $? -ne 0 ]; then + err +fi + +new "kill old restconf daemon" +sudo pkill -u www-data -f "/www-data/clixon_restconf" + +sleep 1 +new "start restconf daemon (-a is enable basic authentication)" +sudo su -c "$clixon_restconf -f $cfg -D $DBG -- -a" -s /bin/sh www-data & + +sleep $RCWAIT + +new "auth set authentication config" +expecteof "$clixon_netconf -qf $cfg" 0 "$RULES]]>]]>" "^]]>]]>$" + +new "commit it" +expecteof "$clixon_netconf -qf $cfg" 0 "]]>]]>" "^]]>]]>$" + +new "enable nacm" +expecteq "$(curl -u andy:bar -sS -X PUT -d '{"enable-nacm": true}' http://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" "" + +#--------------- nacm enabled + +# Read monitoring information from ietf-netconf-monitoring +new2 "admin get nacm" +expecteq "$(curl -u andy:bar -sS -X GET http://localhost/restconf/data/example:x)" '{"example:x": 0} + ' + +new2 "limited get nacm" +expecteq "$(curl -u wilma:bar -sS -X GET http://localhost/restconf/data/example:x)" '{"example:x": 0} + ' + +new2 "guest get nacm" +expecteq "$(curl -u guest:bar -sS -X GET http://localhost/restconf/data/example:x)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "default deny"}}} ' + +new "admin edit nacm" +expecteq "$(curl -u andy:bar -sS -X PUT -d '{"example:x": 1}' http://localhost/restconf/data/example:x)" "" + +new2 "limited edit nacm" +expecteq "$(curl -u wilma:bar -sS -X PUT -d '{"example:x": 2}' http://localhost/restconf/data/example:x)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": 
"error","error-message": "default deny"}}} ' + +new2 "guest edit nacm" +expecteq "$(curl -u guest:bar -sS -X PUT -d '{"example:x": 3}' http://localhost/restconf/data/example:x)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "default deny"}}} ' + +new "Kill restconf daemon" +sudo pkill -u www-data -f "/www-data/clixon_restconf" + +new "Kill backend" +# Check if premature kill +pid=`pgrep -u root -f clixon_backend` +if [ -z "$pid" ]; then + err "backend already dead" +fi +# kill backend +sudo clixon_backend -z -f $cfg +if [ $? -ne 0 ]; then + err "kill backend" +fi + +rm -rf $dir diff --git a/test/test_nacm_protocol.sh b/test/test_nacm_protocol.sh index 8a3c298e..c0e89440 100755 --- a/test/test_nacm_protocol.sh +++ b/test/test_nacm_protocol.sh @@ -36,7 +36,7 @@ cat < $cfg $cfg /usr/local/share/clixon - /usr/local/share/clixon + $fyang /usr/local/lib/$APPNAME/clispec /usr/local/lib/$APPNAME/restconf /usr/local/lib/$APPNAME/cli 
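Review bot: The comment `# Read monitoring information from ietf-netconf-monitoring` before "admin get nacm" in test_nacm_module.sh is inaccurate — the three GETs and three PUTs that follow all target `http://localhost/restconf/data/example:x`, so neither deny-ncm nor permit-ncm (both keyed on module-name ietf-netconf-monitoring) nor permit-exec (exec access) is exercised; what the expectations pin is the admin rule-list plus the default settings. Either point the reads at the ietf-netconf-monitoring subtree the rules name, or reword the comment to `# Reads/writes of example:x: no module rule matches, so only $NADMIN and the *-default leaves apply`. The "limited get nacm" expectation of `{"example:x": 0}` deserves a one-line comment naming the rule or default that permits it, since the rule-list as visible here (tags stripped in this view) appears to set the defaults to deny — worth confirming against the committed file. The backend/restconf start-up and kill sequence is duplicated verbatim from test_nacm_datanode.sh and could live in nacm.sh, and `fyangerr=$dir/err.yang` is unused.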
@@ -125,17 +125,17 @@ RULES=$(cat <$RULES]]>]]>" "^]]>]]>$" +expecteof "$clixon_netconf -qf $cfg" 0 "$RULES]]>]]>" "^]]>]]>$" new "commit it" -expecteof "$clixon_netconf -qf $cfg -y $fyang" 0 "]]>]]>" "^]]>]]>$" +expecteof "$clixon_netconf -qf $cfg" 0 "]]>]]>" "^]]>]]>$" new "enable nacm" expecteq "$(curl -u andy:bar -sS -X PUT -d '{"enable-nacm": true}' http://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" "" +#--------------- nacm enabled + new2 "admin get nacm" expecteq "$(curl -u andy:bar -sS -X GET http://localhost/restconf/data/example:x)" '{"example:x": 0} ' # Rule 1: deny-kill-session new "deny-kill-session: limited fail (netconf)" -expecteof "$clixon_netconf -qf $cfg -y $fyang -U wilma" 0 "44]]>]]>" "^protocolaccess-deniederroraccess denied]]>]]>$" +expecteof "$clixon_netconf -qf $cfg -U wilma" 0 "44]]>]]>" "^protocolaccess-deniederroraccess denied]]>]]>$" new "deny-kill-session: guest fail (netconf)" -expecteof "$clixon_netconf -qf $cfg -y $fyang -U guest" 0 "44]]>]]>" "^protocolaccess-deniederroraccess denied]]>]]>$" +expecteof "$clixon_netconf -qf $cfg -U guest" 0 "44]]>]]>" "^protocolaccess-deniederroraccess denied]]>]]>$" new "deny-kill-session: admin ok (netconf)" -expecteof "$clixon_netconf -qf $cfg -y $fyang -U andy" 0 "44]]>]]>" "^]]>]]>$" +expecteof "$clixon_netconf -qf $cfg -U andy" 0 "44]]>]]>" "^]]>]]>$" # Rule 2: deny-delete-config new "deny-delete-config: limited fail (netconf)" -expecteof "$clixon_netconf -qf $cfg -y $fyang -U wilma" 0 "]]>]]>" "^protocolaccess-deniederroraccess denied]]>]]>$" +expecteof "$clixon_netconf -qf $cfg -U wilma" 0 "]]>]]>" "^protocolaccess-deniederroraccess denied]]>]]>$" new2 "deny-delete-config: guest fail (restconf)" expecteq "$(curl -u guest:bar -sS -X DELETE http://localhost/restconf/data)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "default deny"}}} ' 
@@ -193,10 +195,10 @@ expecteq "$(curl -u andy:bar -sS -X DELETE http://localhost/restconf/data)" '' # Here the whole config is gone so we need to start again new "auth set authentication config (restart)" -expecteof "$clixon_netconf -qf $cfg -y $fyang" 0 "$RULES]]>]]>" "^]]>]]>$" +expecteof "$clixon_netconf -qf $cfg" 0 "$RULES]]>]]>" "^]]>]]>$" new "commit it" -expecteof "$clixon_netconf -qf $cfg -y $fyang" 0 "]]>]]>" "^]]>]]>$" +expecteof "$clixon_netconf -qf $cfg" 0 "]]>]]>" "^]]>]]>$" new "enable nacm" expecteq "$(curl -u andy:bar -sS -X PUT -d '{"ietf-netconf-acm:enable-nacm": true}' http://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" "" diff --git a/yang/clixon-config@2018-10-21.yang b/yang/clixon-config@2018-10-21.yang index a9ad7414..90c6c1bf 100644 --- a/yang/clixon-config@2018-10-21.yang +++ b/yang/clixon-config@2018-10-21.yang @@ -145,7 +145,9 @@ module clixon-config { leaf CLICON_YANG_MAIN_FILE { type string; description - "If specified load a yang module in a specific absolute filename"; + "If specified load a yang module in a specific absolute filename. + This corresponds to the -y command-line option in most CLixon + programs."; } leaf CLICON_YANG_MAIN_DIR { type string;
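Review bot: `CLixon` in the added description of CLICON_YANG_MAIN_FILE looks like a typo for `Clixon`; suggest `This corresponds to the -y command-line option in most Clixon programs.`. Since the text says -y still exists alongside this configuration leaf, the description would also be the natural place to state which one takes precedence when both are given — that is exactly the question the `-y $fyang` removals elsewhere in this patch raise for anyone still passing the option.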