* plugin_start() callbacks added for restconf

* Hard-wired users for authentication example

test/test_auth_ext.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 # Authentication and authorization and IETF NACM
+# External NACM file
 # See RFC 8321 A.2
 # But replaced ietf-netconf-monitoring with *
 
@@ -10,12 +11,13 @@ APPNAME=example
 cfg=$dir/conf_yang.xml
 fyang=$dir/test.yang
 fyangerr=$dir/err.yang
+nacmfile=$dir/nacmfile
 
 cat <<EOF > $cfg
 <config>
   <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
   <CLICON_YANG_DIR>/usr/local/share/$APPNAME/yang</CLICON_YANG_DIR>
-  <CLICON_YANG_MODULE_MAIN>$APPNAME</CLICON_YANG_MODULE_MAIN>
+  <CLICON_YANG_MODULE_MAIN>$fyang</CLICON_YANG_MODULE_MAIN>
   <CLICON_CLISPEC_DIR>/usr/local/lib/$APPNAME/clispec</CLICON_CLISPEC_DIR>
   <CLICON_RESTCONF_DIR>/usr/local/lib/$APPNAME/restconf</CLICON_RESTCONF_DIR>
   <CLICON_CLI_DIR>/usr/local/lib/$APPNAME/cli</CLICON_CLI_DIR>
@@ -26,23 +28,21 @@ cat <<EOF > $cfg
   <CLICON_XMLDB_DIR>/usr/local/var/$APPNAME</CLICON_XMLDB_DIR>
   <CLICON_XMLDB_PLUGIN>/usr/local/lib/xmldb/text.so</CLICON_XMLDB_PLUGIN>
   <CLICON_RESTCONF_PRETTY>false</CLICON_RESTCONF_PRETTY>
-  <CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
+  <CLICON_NACM_MODE>external</CLICON_NACM_MODE>
+  <CLICON_NACM_FILE>$nacmfile</CLICON_NACM_FILE>
 </config>
 EOF
 
 cat <<EOF > $fyang
 module $APPNAME{
   prefix ex;
-  import ietf-netconf-acm {
-	prefix nacm;
-  }
   container authentication {
 	description "Example code for enabling www basic auth and some example 
                      users";
     leaf basic_auth{
 	description "Basic user / password authentication as in HTTP basic auth";
 	type boolean;
-	default false;
+	default true;
     }
     list auth {
 	description "user / password entries. Valid if basic_auth=true";
@@ -64,21 +64,9 @@ module $APPNAME{
 }
 EOF
 
-RULES=$(cat <<EOF
-   <authentication>
-     <basic_auth>true</basic_auth>
-     <auth>
-        <user>adm1</user><password>bar</password>
-     </auth>
-     <auth>
-        <user>wilma</user><password>bar</password>
-     </auth>
-     <auth>
-        <user>guest</user><password>bar</password>
-     </auth>
-   </authentication>
+cat <<EOF > $nacmfile
    <nacm>
-     <enable-nacm>false</enable-nacm>
+     <enable-nacm>true</enable-nacm>
      <read-default>deny</read-default>
      <write-default>deny</write-default>
      <exec-default>deny</exec-default>
@@ -151,12 +139,10 @@ RULES=$(cat <<EOF
        </rule>
      </rule-list>
    </nacm>
-   <x>0</x>
 EOF
-)
 
 # kill old backend (if any)
-new "kill old backend"
+new "kill old backend -zf $cfg -y $fyang"
 sudo clixon_backend -zf $cfg -y $fyang
 if [ $? -ne 0 ]; then
     err
@@ -172,8 +158,8 @@ fi
 new "kill old restconf daemon"
 sudo pkill -u www-data clixon_restconf
 sleep 1
-new "start restconf daemon"
-sudo start-stop-daemon -S -q -o -b -x /www-data/clixon_restconf -d /www-data -c www-data -- -f $cfg -y $fyang
+new "start restconf daemon (-a is enable http basic auth)"
+sudo start-stop-daemon -S -q -o -b -x /www-data/clixon_restconf -d /www-data -c www-data -- -f $cfg -y $fyang -- -a
 
 sleep 1
 
@@ -184,11 +170,8 @@ new2 "auth get"
 expecteq "$(curl -u adm1:bar -sS -X GET http://localhost/restconf/data)" '{"data": null}
 
'
 
-new "auth set authentication config"
-expecteof "$clixon_netconf -qf $cfg -y $fyang" "<rpc><edit-config><target><candidate/></target><config>$RULES</config></edit-config></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
-
-new "commit it"
-expecteof "$clixon_netconf -qf $cfg -y $fyang" "<rpc><commit/></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
+new "Set x to 0"
+expecteq "$(curl -u adm1:bar -sS -X PUT -d '{"x": 0}' http://localhost/restconf/data/x)" ""
 
 new2 "auth get (no user: access denied)"
 expecteq "$(curl -sS -X GET -H \"Accept:\ application/yang-data+json\" http://localhost/restconf/data)" '{"ietf-restconf:errors" : {"error": {"error-tag": "access-denied","error-type": "protocol","error-severity": "error","error-message": "The requested URL was unauthorized"}}}
'
@@ -200,11 +183,6 @@ new2 "auth get (access)"
 expecteq "$(curl -u adm1:bar -sS -X GET http://localhost/restconf/data/x)" '{"x": 0}
 
'
 
-#----------------Enable NACM
-
-new "enable nacm"
-expecteq "$(curl -u adm1:bar -sS -X PUT -d '{"enable-nacm": true}' http://localhost/restconf/data/nacm/enable-nacm)" ""
-
 new2 "admin get nacm"
 expecteq "$(curl -u adm1:bar -sS -X GET http://localhost/restconf/data/x)" '{"x": 0}
 
'
@@ -214,7 +192,7 @@ expecteq "$(curl -u wilma:bar -sS -X GET http://localhost/restconf/data/x)" '{"x
 
'
 
 new2 "guest get nacm"
-expecteq "$(curl -u guest:bar -sS -X GET http://localhost/restconf/data/x)" '{"ietf-restconf:errors" : {"error": {"error-tag": "access-denied","error-type": "protocol","error-severity": "error","error-message": "access denied"}}}
'
+expecteq "$(curl -u guest:bar -sS -X GET http://localhost/restconf/data/x)" '{"ietf-restconf:errors" : {"error": {"error-tag": "access-denied","error-type": "protocol","error-severity": "error","error-message": "The requested URL was unauthorized"}}}
'
 
 new "admin edit nacm"
 expecteq "$(curl -u adm1:bar -sS -X PUT -d '{"x": 1}' http://localhost/restconf/data/x)" ""
@@ -223,7 +201,7 @@ new2 "limited edit nacm"
 expecteq "$(curl -u wilma:bar -sS -X PUT -d '{"x": 2}' http://localhost/restconf/data/x)" '{"ietf-restconf:errors" : {"error": {"error-tag": "access-denied","error-type": "protocol","error-severity": "error","error-message": "default deny"}}}
'
 
 new2 "guest edit nacm"
-expecteq "$(curl -u guest:bar -sS -X PUT -d '{"x": 3}' http://localhost/restconf/data/x)" '{"ietf-restconf:errors" : {"error": {"error-tag": "access-denied","error-type": "protocol","error-severity": "error","error-message": "access denied"}}}
'
+expecteq "$(curl -u guest:bar -sS -X PUT -d '{"x": 3}' http://localhost/restconf/data/x)" '{"ietf-restconf:errors" : {"error": {"error-tag": "access-denied","error-type": "protocol","error-severity": "error","error-message": "The requested URL was unauthorized"}}}
'
 
 new "Kill restconf daemon"
 sudo pkill -u www-data clixon_restconf