experiments/clixon
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

* New clixon-config@2020-08-17.yang revision

Browse source 
* Added `CLICON_RESTCONF_ADDRESS` for setting evhtp bind address
This commit is contained in:
Olof hagsand 2020-08-17 14:48:40 +02:00
parent 1011a38385
commit adc6edf545
5 changed files with 141 additions and 33 deletions
Download patch file Download diff file Expand all files Collapse all files

11
CHANGELOG.md
View file

@ -1,5 +1,6 @@
# Clixon Changelog
* [4.7.0](#470) Expected: September 2020
* [4.6.0](#460) 14 August 2020
* [4.5.0](#450) 12 May 2020
* [4.4.0](#440) 5 April 2020
@ -22,6 +23,16 @@
* [3.3.2](#332) Aug 27 2017
* [3.3.1](#331) June 7 2017
## 4.7.0
Expected: September 2020
### API changes on existing protocol/config features
Users may have to change how they access the system
* New clixon-config@2020-08-17.yang revision
* Added `CLICON_RESTCONF_ADDRESS` for setting evhtp bind address
## 4.6.0
14 August 2020

17
apps/restconf/restconf_main_evhtp.c
View file

@ -563,9 +563,9 @@ usage(clicon_handle h,
"\t-y <file>\t Load yang spec file (override yang main module)\n"
"\t-a UNIX|IPv4|IPv6 Internal backend socket family\n"
"\t-u <path|addr>\t Internal socket domain path or IP addr (see -a)\n"
"\t-o \"<option>=<value>\" Give configuration option overriding config file (see clixon-config.yang)\n"
"\t-s\t SSL server, https\n"
"\t-c\t SSL verify client certs\n"
"\t-o <option>=<value> Set configuration option overriding config file (see clixon-config.yang)\n"
"\t-s\t\t SSL server, https\n"
"\t-c\t\t SSL verify client certs\n"
"\t-P <port>\t HTTP port (default 80, or 443 if -s is given)\n"
,
argv0,
@ -602,6 +602,7 @@ main(int argc,
int dbg = 0;
int use_ssl = 0;
int ssl_verify_clients = 0;
char *restconf_address = NULL;
/* In the startup, logs to stderr & debug flag set later */
clicon_log_init(__PROGRAM__, LOG_INFO, logdst);
@ -788,7 +789,15 @@ main(int argc,
/* bind to a socket, optionally with specific protocol support formatting
* If port is proteced must be done as root?
*/
if (evhtp_bind_socket(htp, "127.0.0.1", port, 128) < 0){
if ((restconf_address = clicon_option_str(h, "CLICON_RESTCONF_ADDRESS")) == NULL){
clicon_err(OE_CFG, EINVAL, "Missing clixon option: CLICON_RESTCONF_ADDRESS");
goto done;
}
if (evhtp_bind_socket(htp, /* evhtp handle */
restconf_address, /* string address, eg ipv4:<ipv4addr> */
port, /* port */
16 /* backlog flag, see listen(5) */
) < 0){
clicon_err(OE_UNIX, errno, "evhtp_bind_socket");
goto done;
}

38
test/test_ssl_certs.sh
View file

@ -7,12 +7,13 @@
# Magic line must be first in script (see README.md)
s="$_" ; . ./lib.sh || if [ "$s" = $0 ]; then exit 0; else return 0; fi
# Only works with evhtp and https
if [ "${WITH_RESTCONF}" != "evhtp" -o "$RCPROTO" != https ]; then
if [ "${WITH_RESTCONF}" != "evhtp" ]; then
if [ "$s" = $0 ]; then exit 0; else return 0; fi # skip
fi
RCPROTO=https
APPNAME=example
# Common NACM scripts
@ -30,8 +31,8 @@ cacert=$certdir/ca_cert.pem
users="andy guest" # generate certs for some users in nacm.sh
# Whether to generate new keys or not (only if $dir is not removed)
# Here dont generate keys if restconf started stand-alone
genkeys=true
# Here dont generate keys if restconf started stand-alone (RC=0)
: ${genkeys:=true}
if [ $RC -eq 0 ]; then
genkeys=false
fi
@ -43,6 +44,7 @@ test -d $certdir || mkdir $certdir
cat <<EOF > $cfg
<clixon-config xmlns="http://clicon.org/config">
<CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
<CLICON_FEATURE>ietf-netconf:startup</CLICON_FEATURE>
<CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
<CLICON_YANG_DIR>$IETFRFC</CLICON_YANG_DIR>
<CLICON_YANG_MAIN_FILE>$fyang</CLICON_YANG_MAIN_FILE>
@ -51,11 +53,12 @@ cat <<EOF > $cfg
<CLICON_BACKEND_REGEXP>example_backend.so$</CLICON_BACKEND_REGEXP>
<CLICON_RESTCONF_DIR>/usr/local/lib/$APPNAME/restconf</CLICON_RESTCONF_DIR>
<CLICON_RESTCONF_PRETTY>false</CLICON_RESTCONF_PRETTY>
<CLICON_RESTCONF_ADDRESS>127.0.0.1</CLICON_RESTCONF_ADDRESS>
<CLICON_CLI_DIR>/usr/local/lib/$APPNAME/cli</CLICON_CLI_DIR>
<CLICON_CLI_MODE>$APPNAME</CLICON_CLI_MODE>
<CLICON_SOCK>/usr/local/var/$APPNAME/$APPNAME.sock</CLICON_SOCK>
<CLICON_BACKEND_PIDFILE>/usr/local/var/$APPNAME/$APPNAME.pidfile</CLICON_BACKEND_PIDFILE>
<CLICON_XMLDB_DIR>/usr/local/var/$APPNAME</CLICON_XMLDB_DIR>
<CLICON_XMLDB_DIR>$dir</CLICON_XMLDB_DIR>
<CLICON_MODULE_LIBRARY_RFC7895>true</CLICON_MODULE_LIBRARY_RFC7895>
<CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
<CLICON_SSL_SERVER_CERT>$srvcert</CLICON_SSL_SERVER_CERT>
@ -199,6 +202,13 @@ done
fi # genkeys
# Startup DB with proper NACM config
cat <<EOF > $dir/startup_db
<config>
$RULES
</config>
EOF
if [ $BE -ne 0 ]; then
new "kill old backend"
sudo clixon_backend -zf $cfg
@ -207,8 +217,8 @@ if [ $BE -ne 0 ]; then
fi
sudo pkill -f clixon_backend # to be sure
new "start backend -s init -f $cfg"
start_backend -s init -f $cfg
new "start backend -s startup -f $cfg"
start_backend -s startup -f $cfg
fi
new "wait for backend"
@ -220,18 +230,11 @@ if [ $RC -ne 0 ]; then
new "start restconf daemon -c means client certs, -- -s means ssl client cert authentication in example"
start_restconf -f $cfg -c -- -s
fi
new "wait for restconf"
wait_restconf --key $certdir/andy.key --cert $certdir/andy.crt
new "auth set authentication config"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc><edit-config><target><candidate/></target><config>$RULES</config></edit-config></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
new "commit it"
expecteof "$clixon_netconf -qf $cfg" 0 "<rpc><commit/></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
new "enable nacm"
expectpart "$(curl $CURLOPTS --key $certdir/andy.key --cert $certdir/andy.crt -X PUT -H "Content-Type: application/yang-data+json" -d '{"ietf-netconf-acm:enable-nacm": true}' $RCPROTO://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" 0 "HTTP/1.1 204 No Content"
@ -241,6 +244,13 @@ expectpart "$(curl $CURLOPTS --key $certdir/andy.key --cert $certdir/andy.crt -X
new "guest get x"
expectpart "$(curl $CURLOPTS --key $certdir/guest.key --cert $certdir/guest.crt -X GET $RCPROTO://localhost/restconf/data/example:x)" 0 "HTTP/1.1 403 Forbidden" '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"access denied"}}}'
new "admin set x 42"
expectpart "$(curl $CURLOPTS --key $certdir/andy.key --cert $certdir/andy.crt -X PUT -H "Content-Type: application/yang-data+json" -d '{"example:x":42}' $RCPROTO://localhost/restconf/data/example:x)" 0 "HTTP/1.1 204 No Content"
new "admin get x 42"
expectpart "$(curl $CURLOPTS --key $certdir/andy.key --cert $certdir/andy.crt -X GET $RCPROTO://localhost/restconf/data/example:x)" 0 "HTTP/1.1 200 OK" '{"example:x":42}'
if [ $RC -ne 0 ]; then
new "Kill restconf daemon"
stop_restconf

2
yang/clixon/Makefile.in
View file

@ -42,7 +42,7 @@ datarootdir = @datarootdir@
# See also OPT_YANG_INSTALLDIR for the standard yang files
YANG_INSTALLDIR = @YANG_INSTALLDIR@
YANGSPECS = clixon-config@2020-06-17.yang
YANGSPECS = clixon-config@2020-08-17.yang
YANGSPECS += clixon-lib@2020-04-23.yang
YANGSPECS += clixon-rfc5277@2008-07-01.yang
YANGSPECS += clixon-xml-changelog@2019-03-21.yang

104
yang/clixon/clixon-config@2020-04-23.yang → yang/clixon/clixon-config@2020-08-17.yang
View file

@ -42,6 +42,18 @@ module clixon-config {
/* Deleted: clixon-stats state for clixon XML and memory statistics. (moved to clixon-lib)
*/
revision 2020-08-17 {
description
"Added: CLICON_RESTCONF_ADDRESS";
}
revision 2020-06-17 {
description
"Added: CLICON_CLI_LINES_DEFAULT
Added enum HIDE to CLICON_CLI_GENMODEL
Added CLICON_SSL_SERVER_CERT, CLICON_SSL_SERVER_KEY, CLICON_SSL_CA_CERT
Added CLICON_NACM_DISABLED_ON_EMPTY
Removed default valude of CLICON_NACM_RECOVERY_USER";
}
revision 2020-04-23 {
description
"Added: CLICON_YANG_UNKNOWN_ANYDATA to treat unknown XML (wrt YANG) as anydata.
@ -159,6 +171,9 @@ module clixon-config {
enum ALL{
description "Keywords on all variables: c a x <x> y <y>";
}
enum HIDE{
description "Keywords on non-key variables and hide container around lists: a <x> y <y>";
}
}
}
typedef nacm_mode{
@ -235,8 +250,7 @@ module clixon-config {
}
enum exact {
description
"Exact match between NACM user and unix socket peer user.
Except for root user that can pose as any user.";
"Exact match between NACM user and unix socket peer user.";
}
enum except {
description
@ -323,9 +337,14 @@ module clixon-config {
type boolean;
default false;
description
"Treat unknown XML/JSON nodes as anydata.
"Treat unknown XML/JSON nodes as anydata when loading from startup db.
This does not apply to namespaces, which means a top-level node: xxx:yyy
is accepted only if yyy is unknown, not xxx";
is accepted only if yyy is unknown, not xxx.
Note that this option has several caveats which needs to be fixed. Please
use with care.
The primary issue is that the unknown->anydata handling is not restricted to
only loading from startup but may occur in other circumstances as well. This
means that sanity checks of erroneous XML/JSON may not be properly signalled.";
}
leaf CLICON_BACKEND_DIR {
type string;
@ -369,6 +388,40 @@ module clixon-config {
Setting this value to false makes restconf return not pretty-printed
which may be desirable for performance or tests";
}
leaf CLICON_RESTCONF_ADDRESS {
type string;
default "ipv4:0.0.0.0";
description
"RESTCONF outward address.
Applies to native http (eg evhtp), not proxy solutions (eg fcgi).
This is essentially from libevhtp: Bind to a socket, optionally with specific protocol
support formatting. The addr can be defined as one of the following:
ipv6:<ipv6addr> for binding to an IPv6 address.
unix:<named pipe> for binding to a unix named socket
ipv4:<ipv4addr> for binding to an ipv4 address
If not given, the addr is assumed to be ipv4.";
}
leaf CLICON_SSL_SERVER_CERT {
type string;
default "/etc/ssl/certs/clixon-server-crt.pem";
description
"SSL server cert for restconf https. This is not required if you use
--with-restconf=fcgi, ie a reverse-proxy based such as nginx over fcgi";
}
leaf CLICON_SSL_SERVER_KEY {
type string;
default "/etc/ssl/private/clixon-server-key.pem";
description
"SSL server private key for restconf https. This is not required if you use
--with-restconf=fcgi, ie a reverse-proxy based such as nginx over fcgi";
}
leaf CLICON_SSL_CA_CERT {
type string;
default "/etc/ssl/certs/clixon-ca_crt.pem";
description
"SSL CA cert for client authentication. This is not required if you use
--with-restconf=fcgi, ie a reverse-proxy based such as nginx over fcgi";
}
leaf CLICON_CLI_DIR {
type string;
description
@ -443,6 +496,18 @@ module clixon-config {
Set to 1 if you want CLI to scroll sideways when approaching
right margin";
}
leaf CLICON_CLI_LINES_DEFAULT {
type int32;
default 24;
description
"Set to number of CLI terminal rows for pageing/scrolling. 0 means unlimited.
The number is set statically UNLESS:
- there is no terminal, such as file input, in which case nr lines is 0
- there is a terminal sufficiently powerful to read the number of lines from
ioctl calls.
In other words, this setting is used ONLY on raw terminals such as serial
consoles.";
}
leaf CLICON_CLI_TAB_MODE {
type int8;
default 0;
@ -642,13 +707,14 @@ module clixon-config {
leaf CLICON_NACM_MODE {
type nacm_mode;
default disabled;
description "RFC8341 network access configuration control model
(NACM) mode: disabled, in regular (internal) config
or separate external file given by CLICON_NACM_FILE";
description
"RFC8341 network access configuration control model (NACM) mode: disabled,
in regular (internal) config or separate external file given by CLICON_NACM_FILE";
}
leaf CLICON_NACM_FILE {
type string;
description "RFC8341 NACM external configuration file";
description
"RFC8341 NACM external configuration file (if CLIXON_NACM_MODE is external)";
}
leaf CLICON_NACM_CREDENTIALS {
type nacm_cred_mode;
@ -656,19 +722,31 @@ module clixon-config {
description
"Verify nacm user credentials with unix socket peer cred.
This means nacm user must match unix user accessing the backend
socket.
Except for recovery user and www user (for restconf)";
socket.";
}
leaf CLICON_NACM_RECOVERY_USER {
type string;
default "_nacm_recovery";
description
"RFC8341 defines a 'recovery session' as outside the scope. Clixon
"RFC8341 defines a 'recovery session' as outside its scope. Clixon
defines this user as having special admin rights to exempt from
all access control enforcements.
Note setting of CLICON_NACM_CREDENTIALS is important, if set to
exact for example, this user must exist and be used, otherwise
another user (such as root or www) can pose as it.";
another user (such as root or www) can pose as the recovery user.";
}
leaf CLICON_NACM_DISABLED_ON_EMPTY {
type boolean;
default false;
description
"RFC 8341 and ietf-netconf-acm@2018-02-14.yang defines enable-nacm as true by
default. Since also write-default is deny by default it leads to that empty
configs can not be edited.
This means that a startup config must always have a NACM configuration or
that the NACM recovery session is used to edit an empty config.
If this option is set, Clixon disables NACM if a datastore is empty on load.
Note that it only makes the check on initial load, not if a store 'becomes'
empty, but enables a clixon nacm system to start empty and add an NACM
config after boot.";
}
leaf CLICON_MODULE_LIBRARY_RFC7895 {
type boolean;