From d5b6952e5607ff6b0a6e8a170d3fe8d7cf8d9ca2 Mon Sep 17 00:00:00 2001
From: Olof hagsand
Date: Thu, 6 Aug 2020 21:51:33 +0200
Subject: [PATCH] new test scripts
---
test/test_leaf_default.sh | 203 ++++++++++++++++++++++++++++++++
test/test_nacm_recovery.sh | 235 +++++++++++++++++++++++++++++++++++++
2 files changed, 438 insertions(+)
create mode 100755 test/test_leaf_default.sh
create mode 100755 test/test_nacm_recovery.sh
diff --git a/test/test_leaf_default.sh b/test/test_leaf_default.sh
new file mode 100755
index 00000000..87ad2f9c
--- /dev/null
+++ b/test/test_leaf_default.sh
@@ -0,0 +1,203 @@
+#!/usr/bin/env bash
+# Clixon leaf default test
+# Check top-level default as https://github.com/clicon/clixon/issues/111
+# Also check
+# Sanity check default value may not be in list key
+# RFC 7950:
+# 7.6.1 The usage of the default value depends on the leaf's closest ancestor node in the
+# schema tree that is not a non-presence container (see Section 7.5.1):
+# 7.8.2 any default values in the key leafs or their types are ignored.
+# v non-presence container (presence false) DEFAULT
+# ancestor--> ancestor --> leaf --> default
+# ^leafs closest ancestor that is not a non-presence container
+
+# Magic line must be first in script (see README.md)
+s="$_" ; . ./lib.sh || if [ "$s" = $0 ]; then exit 0; else return 0; fi
+
+APPNAME=example
+
+cfg=$dir/conf_yang.xml
+fyang=$dir/leafref.yang
+
+cat < $cfg
+
+ $cfg
+ ietf-netconf:startup
+ $dir
+ /usr/local/share/clixon
+ $IETFRFC
+ $fyang
+ /usr/local/lib/$APPNAME/clispec
+ /usr/local/lib/$APPNAME/cli
+ $APPNAME
+ /usr/local/var/$APPNAME/$APPNAME.sock
+ /usr/local/var/$APPNAME/$APPNAME.pidfile
+ $dir
+
+EOF
+
+cat < $fyang
+module example{
+ yang-version 1.1;
+ namespace "urn:example:clixon";
+ prefix ex;
+ leaf r1 {
+ description "Top level leaf";
+ type uint32;
+ default 11; /* should be set */
+ }
+ leaf r2 {
+ description "Top level leaf";
+ type uint32;
+ default 22; /* should be set on startup */
+ }
+ container np3{
+ description "No presence container";
+ leaf s3 {
+ type uint32;
+ default 33; /* should be set on startup */
+ }
+ container np31{
+ leaf s31 {
+ type uint32;
+ default 31; /* should be set on startup */
+ }
+ }
+ }
+ container p4{
+ presence "A presence container";
+ description "Not a no presence container";
+ leaf s4 {
+ type uint32;
+ default 44;
+ }
+ container np45{
+ description "No presence container";
+ leaf s5 {
+ type uint32;
+ default 45;
+ }
+ }
+ }
+}
+EOF
+
+# This is base default XML with all default values from root filled in
+XML='11223331'
+
+new "test params: -f $cfg"
+
+if [ $BE -ne 0 ]; then
+ new "kill old backend"
+ sudo clixon_backend -zf $cfg
+ if [ $? -ne 0 ]; then
+ err
+ fi
+ new "start backend -s init -f $cfg"
+ start_backend -s init -f $cfg
+
+ new "waiting"
+ wait_backend
+fi
+
+new "get config"
+expecteof "$clixon_netconf -qf $cfg" 0 ']]>]]>' "^$XML]]>]]>$"
+
+new "Change default value r1"
+expecteof "$clixon_netconf -qf $cfg" 0 '99]]>]]>' "^]]>]]>$"
+
+new "get config r1"
+expecteof "$clixon_netconf -qf $cfg" 0 "]]>]]>" '^99]]>]]>$'
+
+new "Remove r1"
+expecteof "$clixon_netconf -qf $cfg" 0 '99]]>]]>' "^]]>]]>$"
+
+new "get config"
+expecteof "$clixon_netconf -qf $cfg" 0 ']]>]]>' "^$XML]]>]]>$"
+
+if [ $BE -ne 0 ]; then
+ new "Kill backend"
+ # Check if premature kill
+ pid=$(pgrep -u root -f clixon_backend)
+ if [ -z "$pid" ]; then
+ err "backend already dead"
+ fi
+ # kill backend
+ stop_backend -f $cfg
+fi
+
+# From startup 1, only r1, all else should be filled in
+SXML='99'
+cat < $dir/startup_db
+
+ $SXML
+
+EOF
+XML='99223331'
+
+if [ $BE -ne 0 ]; then
+ new "kill old backend"
+ sudo clixon_backend -zf $cfg
+ if [ $? -ne 0 ]; then
+ err
+ fi
+ new "start backend -s startup -f $cfg"
+ start_backend -s startup -f $cfg
+
+ new "waiting"
+ wait_backend
+fi
+
+new "get startup config"
+expecteof "$clixon_netconf -qf $cfg" 0 ']]>]]>' "^$XML]]>]]>$"
+
+# permission kludges
+sudo chmod 666 $dir/running_db
+new "Check running no defaults"
+echo "SXML:$SXML"
+ret=$(diff $dir/running_db <(echo "
+ $SXML
+"))
+#echo "ret:$ret"
+if [ $? -ne 0 ]; then
+ err "$SXML" "$ret"
+fi
+
+new "Kill backend"
+# Check if premature kill
+pid=$(pgrep -u root -f clixon_backend)
+if [ -z "$pid" ]; then
+ err "backend already dead"
+fi
+
+# From startup 2, only prsence p4, s4/np5 should be filled in
+cat < $dir/startup_db
+
+
+
+EOF
+XML='112233314445'
+if [ $BE -ne 0 ]; then
+ new "kill old backend"
+ sudo clixon_backend -zf $cfg
+ if [ $? -ne 0 ]; then
+ err
+ fi
+ new "start backend -s startup -f $cfg"
+ start_backend -s startup -f $cfg
+
+ new "waiting"
+ wait_backend
+fi
+
+new "get startup config with presence"
+expecteof "$clixon_netconf -qf $cfg" 0 ']]>]]>' "^$XML]]>]]>$"
+
+new "Kill backend"
+# Check if premature kill
+pid=$(pgrep -u root -f clixon_backend)
+if [ -z "$pid" ]; then
+ err "backend already dead"
+fi
+
+rm -rf $dir
diff --git a/test/test_nacm_recovery.sh b/test/test_nacm_recovery.sh
new file mode 100755
index 00000000..dda5c68a
--- /dev/null
+++ b/test/test_nacm_recovery.sh
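Review bot: In test/test_leaf_default.sh the last two "Kill backend" blocks only run the `pgrep -u root -f clixon_backend` liveness check and never call `stop_backend -f $cfg`, and unlike the first such block they are not wrapped in `if [ $BE -ne 0 ]; then`. The middle one is only cleaned up by the later `sudo clixon_backend -zf $cfg`, and after the final one the script reaches `rm -rf $dir` with the backend it started still running. Both blocks should take the shape of the first: guard on `$BE` and end with `stop_backend -f $cfg`. Separately, `sudo chmod 666 $dir/running_db` makes the datastore world-writable although the `diff` that follows only reads it; `sudo chmod 644 $dir/running_db` should be enough for the comparison.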
@@ -0,0 +1,235 @@
+#!/usr/bin/env bash
+# NACM recovery user and credentials for internal mode
+# Use read-only NACM as use-case, ie to be able to break a deadlock and access
+# the config even though NACM is enabled and write is DENY
+# Only use netconf - restconf also has authentication on web level, and that gets
+# another layer
+# The only recovery session that work are: (last true arg to testrun)
+#
+
+# Magic line must be first in script (see README.md)
+s="$_" ; . ./lib.sh || if [ "$s" = $0 ]; then exit 0; else return 0; fi
+
+APPNAME=example
+
+# Common NACM scripts
+. ./nacm.sh
+
+cfg=$dir/conf_yang.xml
+fyang=$dir/nacm-example.yang
+
+# cred:none, exact, except
+
+cat < $fyang
+module nacm-example{
+ yang-version 1.1;
+ namespace "urn:example:nacm";
+ prefix nex;
+ import clixon-example {
+ prefix ex;
+ }
+ import ietf-netconf-acm {
+ prefix nacm;
+ }
+ leaf x{
+ type int32;
+ description "something to edit";
+ }
+}
+EOF
+
+# The groups are slightly modified from RFC8341 A.1
+# The rule-list is from A.2
+RULES='0truepermitpermitpermittrue'
+
+
+DEFAULT='truepermitdenypermittrue'
+
+# Arguments:
+# cred: none/exact/except
+# realuser: sudo/su as user, this is the real "peer" user
+# pseudo: mimic/run as user, this is the one sent in XML
+# recovery: recovery user
+# getp: true: get works; false: get does not work
+# putp: true: expected to work; false: not work
+testrun()
+{
+ cred=$1
+ realuser=$2
+ pseudo=$3
+ recovery=$4
+ getp=$5
+ putp=$6
+
+ if [ "$realuser" = "root" ]; then
+ prefix="sudo "
+ else
+ prefix=""
+ fi
+
+cat < $cfg
+
+ $cfg
+ /usr/local/share/clixon
+ $IETFRFC
+ $fyang
+ /usr/local/lib/$APPNAME/clispec
+ /usr/local/lib/$APPNAME/restconf
+ /usr/local/lib/$APPNAME/cli
+ $APPNAME
+ /usr/local/var/$APPNAME/$APPNAME.sock
+ /usr/local/lib/$APPNAME/backend
+ /usr/local/var/$APPNAME/$APPNAME.pidfile
+ /usr/local/var/$APPNAME
+ false
+ false
+ $recovery
+ internal
+ $cred
+
+EOF
+ if [ $BE -ne 0 ]; then
+ sudo clixon_backend -zf $cfg
+ if [ $? -ne 0 ]; then
+ err
+ fi
+ new "start backend -s init -f $cfg"
+ start_backend -s init -f $cfg
+
+ new "waiting"
+ wait_backend
+ fi
+ if [ $RC -ne 0 ]; then
+ new "kill old restconf daemon"
+ stop_restconf_pre
+
+ new "start restconf daemon (-a is enable basic authentication)"
+ start_restconf -f $cfg -- -a
+
+ new "waiting"
+ wait_restconf
+ fi
+
+ if $getp; then
+ # default is read allowed so this should always succeed.
+ new "get startup default ok"
+ expecteof "$prefix$clixon_netconf -qf $cfg -U $pseudo" 0 "]]>]]>" "^$DEFAULT]]>]]>$"
+ # This would normally not work except in recovery situations
+ else
+ new "get startup not ok"
+ expecteof "$prefix$clixon_netconf -qf $cfg -U $pseudo" 0 "]]>]]>" "^applicationaccess-deniederrorUser $realuser credential not matching NACM user $pseudo]]>]]>$"
+ return;
+ fi
+
+ if $putp; then
+ new "put, expect ok"
+ expecteof "$prefix$clixon_netconf -qf $cfg -U $pseudo" 0 "$RULES]]>]]>" "]]>]]>"
+
+ new "get rules ok"
+ expecteof "$prefix$clixon_netconf -qf $cfg -U $pseudo" 0 ']]>]]>' "^$RULES]]>]]>$"
+ else
+ new "put, expect fail"
+ expecteof "$prefix$clixon_netconf -qf $cfg -U $pseudo" 0 "$RULES]]>]]>" "^applicationaccess-deniederrordefault deny]]>]]>$"
+ fi
+ if [ $RC -ne 0 ]; then
+ new "Kill restconf daemon"
+ stop_restconf
+ fi
+
+ if [ $BE -ne 0 ]; then
+ new "Kill backend"
+ # Check if premature kill
+ pid=$(pgrep -u root -f clixon_backend)
+ if [ -z "$pid" ]; then
+ err "backend already dead"
+ fi
+ # kill backend
+ stop_backend -f $cfg
+ fi
+}
+
+#------- REALUSER: $USER
+
+# Neither of these should work: user != recovery
+REALUSER=$USER
+PSEUDO=$USER
+RECOVERY=_recovery
+for c in none exact except; do
+ new "cred: $c realuser:$REALUSER pseudo:$PSEUDO recovery:$RECOVERY"
+ testrun $c $REALUSER $PSEUDO $RECOVERY true false
+done
+
+# All these should work: user == recovery
+REALUSER=$USER
+PSEUDO=$USER
+RECOVERY=$USER
+for c in none exact except; do
+ new "cred: $c realuser:$REALUSER pseudo:$PSEUDO recovery:$RECOVERY"
+ testrun $c $REALUSER $PSEUDO $RECOVERY true true
+done
+
+# Only none credentials should work
+REALUSER=$USER
+PSEUDO=_recovery
+RECOVERY=_recovery
+new "cred: none realuser:$REALUSER pseudo:$PSEUDO recovery:$RECOVERY"
+testrun none $REALUSER $PSEUDO $RECOVERY true true
+for c in exact except; do
+ new "cred: $c realuser:$REALUSER pseudo:$PSEUDO recovery:$RECOVERY"
+ testrun $c $REALUSER $PSEUDO $RECOVERY false false
+done
+
+# None of these work
+REALUSER=$USER
+PSEUDO=_recovery
+RECOVERY=$USER
+new "cred: none realuser:$REALUSER pseudo:$PSEUDO recovery:$RECOVERY"
+testrun none $REALUSER $PSEUDO $RECOVERY true false
+for c in exact except; do
+ new "cred: $c realuser:$REALUSER pseudo:$PSEUDO recovery:$RECOVERY"
+ testrun $c $REALUSER $PSEUDO $RECOVERY false false
+done
+
+#------- REALUSER: ROOT
+
+# Neither of these should work: user != recovery
+REALUSER=root
+PSEUDO=root
+RECOVERY=_recovery
+for c in none exact except; do
+ new "cred: $c realuser:$REALUSER pseudo:$PSEUDO recovery:$RECOVERY"
+ testrun $c $REALUSER $PSEUDO $RECOVERY true false
+done
+
+# All these should work: user == recovery
+REALUSER=root
+PSEUDO=root
+RECOVERY=root
+for c in none exact except; do
+ new "cred: $c realuser:$REALUSER pseudo:$PSEUDO recovery:$RECOVERY"
+ testrun $c $REALUSER $PSEUDO $RECOVERY true true
+done
+
+# none and except credentials should work
+REALUSER=root
+PSEUDO=_recovery
+RECOVERY=_recovery
+for c in none except; do
+ new "cred: $c realuser:$REALUSER pseudo:$PSEUDO recovery:$RECOVERY"
+ testrun $c $REALUSER $PSEUDO $RECOVERY true true
+done
+new "cred: exact realuser:$REALUSER pseudo:$PSEUDO recovery:$RECOVERY"
+testrun exact $REALUSER $PSEUDO $RECOVERY false false
+
+# None of these work
+REALUSER=root
+PSEUDO=_recovery
+RECOVERY=root
+for c in none except; do
+ new "cred: $c realuser:$REALUSER pseudo:$PSEUDO recovery:$RECOVERY"
+ testrun $c $REALUSER $PSEUDO $RECOVERY true false
+done
+new "cred: exact realuser:$REALUSER pseudo:$PSEUDO recovery:$RECOVERY"
+testrun exact $REALUSER $PSEUDO $RECOVERY false false
+
+rm -rf $dir
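Review bot: The `return;` in the `else` branch of `if $getp` inside `testrun` leaves the function before the `stop_restconf` and `stop_backend -f $cfg` teardown at its end, so every run with getp=false skips cleanup. The last call in the script, `testrun exact $REALUSER $PSEUDO $RECOVERY false false`, is one of those runs, so `rm -rf $dir` then executes with whatever that run started still up. Dropping the `return;` and moving the existing `if $putp; then … fi` block into the then-branch of `if $getp` lets the teardown run on every path. The function's variables (`cred`, `realuser`, `pseudo`, `recovery`, `getp`, `putp`, `prefix`) should also be declared `local`, e.g. `local cred=$1 realuser=$2 pseudo=$3`, so they do not leak into the top-level scope that sets `REALUSER`/`PSEUDO`/`RECOVERY`.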