* NACM extension (RFC8341)

* NACM module support (RFC8341 A1+A2) * Recovery user "_nacm_recovery" added. * Example use is restconf PUT when NACM edit-config is permitted, then automatic commit and discard are permitted using recovery user. * Example user changed adm1 to andy to comply with RFC8341 example * Yang code upgrade (RFC7950) * RPC method input parameters validated * see https://github.com/clicon/clixon/issues/4 * Correct XML namespace handling * XML multiple modules was based on "loose" semantics so that yang modules were found by iterating thorugh namespaces until a match was made. This did not adhere to proper [XML namespace handling](https://www.w3.org/TR/2009/REC-xml-names-20091208), and causes problems with overlapping names and false positives. Below see XML accepted (but wrong), and correct namespace declaration: ``` <rpc><my-own-method></rpc> # Wrong but accepted <rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> # Correct <my-own-method xmlns="http://example.net/me/my-own/1.0"> </rpc> ``` * To keep old loose semantics set config option CLICON_XML_NS_ITERATE (true by default) * XML to JSON translator support for mapping xmlns attribute to module name prefix. * Default namespace is still "urn:ietf:params:xml:ns:netconf:base:1.0" * See https://github.com/clicon/clixon/issues/49 * Changed all make tags --> make TAGS * Keyvalue datastore removed (it has been disabled since 3.3.3) * debug rpc added in example application (should be in clixon-config).
2018-12-16 19:46:26 +01:00 · 2018-12-16 19:46:26 +01:00 · ae1af8da9e
commit ae1af8da9e
parent e5c0b06cf9
63 changed files with 1852 additions and 3492 deletions
--- a/test/nacm.sh
+++ b/test/nacm.sh
@ -0,0 +1,47 @@
+#!/bin/bash
+# Authentication and authorization and IETF NACM
+# Library variable and functions
+
+USER=$(whoami)
+
+# Three groups from RFC8341 A.1 (admin extended with $USER)
+NGROUPS=$(cat <<EOF
+     <groups>
+       <group>
+         <name>admin</name>
+         <user-name>admin</user-name>
+         <user-name>andy</user-name>
+         <user-name>$USER</user-name>
+       </group>
+       <group>
+         <name>limited</name>
+         <user-name>wilma</user-name>
+         <user-name>bam-bam</user-name>
+       </group>
+       <group>
+         <name>guest</name>
+         <user-name>guest</user-name>
+         <user-name>guest@example.com</user-name>
+       </group>
+     </groups>
+EOF
+)
+
+# Permit all rule for admin group from RFC8341 A.2
+NADMIN=$(cat <<EOF
+     <rule-list>
+       <name>admin-acl</name>
+       <group>admin</group>
+       <rule>
+         <name>permit-all</name>
+         <module-name>*</module-name>
+         <access-operations>*</access-operations>
+         <action>permit</action>
+         <comment>
+             Allow the 'admin' group complete access to all operations and data.
+         </comment>
+       </rule>
+     </rule-list>
+EOF
+)
+