From f7d4df01a64022938ed7124505d955f3797e9ebd Mon Sep 17 00:00:00 2001
From: Olof Hagsand
Date: Thu, 11 Feb 2021 14:47:54 +0000
Subject: [PATCH] restconf test fixes for freebsd and others
---
 lib/src/clixon_client.c | 6 +--
 lib/src/clixon_netns.c | 12 +++++-
 test/lib.sh | 2 +-
 test/test_client.sh | 2 +-
 test/test_netconf_ssh_callhome.sh | 50 ++++++++++++++++++++++-
 test/test_restconf_ssl_certs.sh | 2 +-
 test/vagrant/clixon.sh | 4 +-
 util/clixon_netconf_ssh_callhome.c | 1 +
 util/clixon_netconf_ssh_callhome_client.c | 1 +
 9 files changed, 68 insertions(+), 12 deletions(-)
diff --git a/lib/src/clixon_client.c b/lib/src/clixon_client.c
index 79025280..06b51299 100644
--- a/lib/src/clixon_client.c
+++ b/lib/src/clixon_client.c
@@ -453,18 +453,18 @@ clixon_client_get_body_val(int sock,
 if (clixon_client_get_xdata(sock, namespace, xpath, &xdata) < 0)
 goto done;
 if (xdata == NULL){
- clicon_err(OE_XML, ENODATA, "No xml obj found");
+ clicon_err(OE_XML, EINVAL, "No xml obj found");
 goto done;
 }
 /* Is this an error, maybe an "unset" retval ? */
 if (xml_child_nr_type(xdata, CX_ELMNT) == 0){
- clicon_err(OE_XML, ENODATA, "Value not found");
+ clicon_err(OE_XML, EINVAL, "Value not found");
 goto done;
 }
 if (clixon_xml_bottom(xdata, &xobj) < 0)
 goto done;
 if (xobj == NULL){
- clicon_err(OE_XML, ENODATA, "No xml value found");
+ clicon_err(OE_XML, EINVAL, "No xml value found");
 goto done;
 }
 *val = xml_body(xobj);
diff --git a/lib/src/clixon_netns.c b/lib/src/clixon_netns.c
index d704002e..66dc2ac9 100644
--- a/lib/src/clixon_netns.c
+++ b/lib/src/clixon_netns.c
@@ -27,8 +27,9 @@
 #include
 #include
 #include
-
-#include
+#ifdef HAVE_SETNS /* linux network namespaces */
+#include /* setns / unshare */
+#endif
 #include
 #include
 #include
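Review bot: The three `clicon_err` calls now report EINVAL for a lookup that simply found no data, which a caller can no longer tell apart from a genuinely invalid argument, and nothing in the hunk records why the code changed. If the motivation is that ENODATA is not defined on the FreeBSD target, a one-line comment at the first call, `/* EINVAL rather than ENODATA: ENODATA is not portable across platforms */`, preserves that intent for the next reader; ENOENT would be an alternative that is POSIX everywhere and still distinguishes "missing" from "invalid". clixon_client_get_body_val starts and ends outside the hunk.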
@@ -207,10 +208,12 @@ fork_netns_socket(const char *netns,
 clicon_err(OE_UNIX, errno, "open(%s)", nspath);
 return -1;
 }
+#ifdef HAVE_SETNS
 if (setns(fd, CLONE_NEWNET) < 0){
 clicon_err(OE_UNIX, errno, "setns(%s)", netns);
 return -1;
 }
+#endif
 close(fd);
 /* Create socket in this namespace */
 if (create_socket(sa, sin_len, backlog, &s) < 0)
@@ -258,8 +261,13 @@ clixon_netns_socket(const char *netns,
 goto ok;
 }
 else {
+#ifdef HAVE_SETNS
 if (fork_netns_socket(netns, sa, sin_len, backlog, sock) < 0)
 goto done;
+#else
+ clicon_err(OE_UNIX, errno, "No namespace support on platform: %s", netns);
+ return -1;
+#endif
 }
 ok:
 retval = 0;
diff --git a/test/lib.sh b/test/lib.sh
index db6bf96c..0c0d3688 100755
--- a/test/lib.sh
+++ b/test/lib.sh
@@ -207,7 +207,7 @@ function restconf_config()
 if [ $RCPROTO = http ]; then
 RESTCONFIG="true$AUTH$PRETTY$DBGdefault
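Review bot: With HAVE_SETNS undefined, fork_netns_socket still opens nspath and then falls straight through to `close(fd)` and `create_socket`, so a socket would be created in the caller's own namespace although a specific netns was requested — a fail-open if any caller ever reaches this function without the guard the commit adds in clixon_netns_socket. Wrapping the whole function in `#ifdef HAVE_SETNS`, or adding an `#else` branch here that reports the error and returns -1 before the close, keeps the no-support case an error at both levels and, if the function is static, also avoids an unused-function warning on such platforms. fork_netns_socket starts and ends outside the hunk.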
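Review bot: The new `#else` branch passes `errno` to clicon_err although no call has failed at that point, so the logged errno is whatever an earlier call happened to leave behind; and `return -1` skips the exit path that the `#ifdef` side reaches via `goto done`. Suggest `clicon_err(OE_UNIX, ENOTSUP, "No namespace support on platform: %s", netns);` followed by `goto done;` so the error code is meaningful and cleanup stays uniform. The function's prologue and its `done:` label are outside the hunk.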
0.0.0.0
80false
"
 else
- RESTCONFIG="true$AUTH/etc/ssl/certs/clixon-server-crt.pem/etc/ssl/private/clixon-server-key.pem/etc/ssl/certs/clixon-ca-crt.pem$DBGdefault
0.0.0.0
443true
"
+ RESTCONFIG="true$AUTH$PRETTY/etc/ssl/certs/clixon-server-crt.pem/etc/ssl/private/clixon-server-key.pem/etc/ssl/certs/clixon-ca-crt.pem$DBGdefault
0.0.0.0
443true
"
 fi
 }
diff --git a/test/test_client.sh b/test/test_client.sh
index 1c4b5b93..32ed2f18 100755
--- a/test/test_client.sh
+++ b/test/test_client.sh
@@ -112,7 +112,7 @@ main(int argc,
 EOF
 new "compile $cfile -> $app"
-expectpart "$($CC -g -Wall -I/usr/local/include $cfile -o $app -lclixon)" 0 ""
+expectpart "$($CC -g -Wall -I/usr/local/include $cfile -o $app -L /usr/local/lib -lclixon)" 0 ""
 new "test params: -s init -f $cfg"
diff --git a/test/test_netconf_ssh_callhome.sh b/test/test_netconf_ssh_callhome.sh
index 999c5bec..f621c128 100755
--- a/test/test_netconf_ssh_callhome.sh
+++ b/test/test_netconf_ssh_callhome.sh
@@ -15,8 +15,15 @@ fi
 APPNAME=example
 cfg=$dir/conf_yang.xml
+sshcfg=$dir/ssh.conf
 sshdcfg=$dir/sshd.conf
 rpccmd=$dir/rpccmd.xml
+keydir=$dir/keydir
+test -d $keydir || mkdir $keydir
+chmod 700 $keydir
+key=$keydir/mykey
+# XXX cant get it to work with this file under tmp dir so have to place it in homedir
+authfile=$HOME/.ssh/clixon_authorized_keys_removeme
 # Use yang in example
@@ -48,14 +55,27 @@ cat < $rpccmd
 ]]>]]>
 EOF
+# Generate temporary ssh keys without passphrase
+# This is to avoid being prompt for password or passhrase
+rm -f $key $key.pub
+ssh-keygen -q -f $key -b 256 -t ed25519 -N "" -C "Clixon test temporary key"
+cp $key.pub $authfile
+
 # Make the callback after a sleep in separate thread simulating the server
 # The result is not checked, only the client-side
 function callhomefn()
 {
 sleep 1
+ cat<$sshdcfg
+PasswordAuthentication no
+AuthorizedKeysFile $authfile
+
+EOF
 new "Start Callhome in background"
- expectpart "$(sudo ${clixon_netconf_ssh_callhome} -a 127.0.0.1 -c $cfg)" 255 ""
+ echo "sudo clixon_netconf_ssh_callhome} -D 1 -a 127.0.0.1 -C $sshdcfg -c $cfg"
+ expectpart "$(sudo ${clixon_netconf_ssh_callhome} -D 1 -a 127.0.0.1 -C $sshdcfg -c $cfg)" 255 ""
+ rm -f $authfile
 }
 new "test params: -f $cfg"
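Review bot: `authfile` is placed in the user's real `$HOME/.ssh`, but nothing ensures that directory exists before the public key is copied there later in the file, and sshd's StrictModes additionally refuses an authorized-keys file whose parent directory is group- or world-writable, so the test would fail in a way that is hard to diagnose. A guard right after the assignment, `test -d $HOME/.ssh || mkdir -m 700 $HOME/.ssh`, makes the precondition explicit. The XXX comment would also help a later reader if it named what actually failed under the tmp dir (presumably the StrictModes ownership/permission check).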
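Review bot: `cp $key.pub $authfile` installs a passphrase-less key into the account's real `$HOME/.ssh`, while the matching `rm -f $authfile` only runs at the end of callhomefn and at the end of the script, so if an intermediate expectpart aborts the run (as test helpers usually do on mismatch) the temporary key stays authorized for the account indefinitely. Adding `trap 'rm -f $authfile' EXIT` immediately after the cp makes the cleanup unconditional; the same point applies to the final `rm -f $authfile` in the last hunk of this file. Separately, the debug `echo` line has a stray brace, `clixon_netconf_ssh_callhome}`, where `${clixon_netconf_ssh_callhome}` was presumably intended.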
@@ -77,8 +97,31 @@ fi
 # Start callhome server-side in background thread
 callhomefn &
+# Choose unhashed host key
+# See rfc8071 Sec 3.1
+# C5 As part of establishing an SSH or TLS connection, the NETCONF/
+# RESTCONF client MUST validate the server's presented host key or
+# certificate. This validation MAY be accomplished by certificate
+# path validation or by comparing the host key or certificate to a
+# previously trusted or "pinned" value. If a certificate is
+# presented and it contains revocation-checking information, the
+# NETCONF/RESTCONF client SHOULD check the revocation status of the
+# certificate. If it is determined that a certificate has been
+# revoked, the client MUST immediately close the connection.
+
+cat< $dir/knownhosts
+. $(cat /etc/ssh/ssh_host_ed25519_key.pub)
+EOF
+cat< $sshcfg
+StrictHostKeyChecking yes
+UserKnownHostsFile $dir/knownhosts
+HashKnownHosts no
+EOF
+
 new "Start Listener client"
-expectpart "$(ssh -s -v -o ProxyUseFdpass=yes -o ProxyCommand="${clixon_netconf_ssh_callhome_client} -a 127.0.0.1" . netconf < $rpccmd)" 0 "urn:ietf:params:netconf:base:1.0urn:ietf:params:netconf:capability:yang-library:1.0?revision=2019-01-04&module-set-id=42urn:ietf:params:netconf:capability:candidate:1.0urn:ietf:params:netconf:capability:validate:1.1urn:ietf:params:netconf:capability:startup:1.0urn:ietf:params:netconf:capability:xpath:1.0urn:ietf:params:netconf:capability:notification:1.02]]>]]>" "]]>]]>"
+echo "ssh -s -v -i $key -o ProxyUseFdpass=yes -o ProxyCommand=\"clixon_netconf_ssh_callhome_client -a 127.0.0.1\" . netconf"
+#-F $sshcfg
+expectpart "$(ssh -s -F $sshcfg -v -i $key -o ProxyUseFdpass=yes -o ProxyCommand="${clixon_netconf_ssh_callhome_client} -a 127.0.0.1" . 
netconf < $rpccmd)" 0 "urn:ietf:params:netconf:base:1.0urn:ietf:params:netconf:capability:yang-library:1.0?revision=2019-01-04&module-set-id=42urn:ietf:params:netconf:capability:candidate:1.0urn:ietf:params:netconf:capability:validate:1.1urn:ietf:params:netconf:capability:startup:1.0urn:ietf:params:netconf:capability:xpath:1.0urn:ietf:params:netconf:capability:notification:1.02]]>]]>" "]]>]]>"
 # Wait
 wait
@@ -96,4 +139,7 @@ fi
 new "Endtest"
 endtest
+
+rm -f $authfile
+
 rm -rf $dir
diff --git a/test/test_restconf_ssl_certs.sh b/test/test_restconf_ssl_certs.sh
index 0becf6e0..76812138 100755
--- a/test/test_restconf_ssl_certs.sh
+++ b/test/test_restconf_ssl_certs.sh
@@ -220,7 +220,7 @@ EOF
 expectpart "$(curl $CURLOPTS -X GET $RCPROTO://localhost/restconf/data/example:x 2>&1)" "55 56"
 new "limited invalid cert"
- expectpart "$(curl $CURLOPTS --key $certdir/limited.key --cert $certdir/limited.crt -X GET $RCPROTO://localhost/restconf/data/example:x 2>&1)" 56 "certificate expired"
+ expectpart "$(curl $CURLOPTS --key $certdir/limited.key --cert $certdir/limited.crt -X GET $RCPROTO://localhost/restconf/data/example:x 2>&1)" "55 56" # 55 "certificate expired"
 if [ $RC -ne 0 ]; then
 new "Kill restconf daemon"
diff --git a/test/vagrant/clixon.sh b/test/vagrant/clixon.sh
index 6f1ffefc..8118a7d0 100755
--- a/test/vagrant/clixon.sh
+++ b/test/vagrant/clixon.sh
@@ -30,7 +30,7 @@ fi
 test -d src || mkdir src
 test -d src/cligen || (cd src;git clone https://github.com/clicon/cligen.git)
 cd src/cligen
-git pull
+git pull origin master
 if [ $release = "freebsd" ]; then
 ./configure
@@ -51,7 +51,7 @@ sudo $MAKE install
 cd
 test -d src/clixon || (cd src;git clone https://github.com/clicon/clixon.git)
 cd src/clixon
-git pull
+git pull origin master
 if [ $release = "freebsd" ]; then
 LDFLAGS=-L/usr/local/lib ./configure --with-cligen=/usr/local --enable-optyangs --with-restconf=${with_restconf}
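Review bot: The pinned known-hosts entry is built from `$(cat /etc/ssh/ssh_host_ed25519_key.pub)` with no check that the file exists; on a host without an ed25519 host key (or with keys elsewhere) the entry degenerates to a bare `.` and StrictHostKeyChecking then fails the test with an unrelated-looking host-key error. A guard before the heredoc, `test -r /etc/ssh/ssh_host_ed25519_key.pub || { echo "missing ed25519 host key"; exit 1; }`, gives a direct failure. The commented-out `#-F $sshcfg` line and the preceding debug `echo` look like leftovers from getting the pinning to work and could be dropped now that `-F $sshcfg` is on the real command; note the rewritten expectpart line is split across two lines in this rendering.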
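Review bot: The limited-cert expectation now accepts exit 55 or 56 and no longer matches "certificate expired", so the test only checks that the TLS handshake failed, not that it failed because the client certificate was expired; a rejection for any other reason (wrong CA, mismatched key) would now pass too. If the expiry text is only missing on one platform, keep the string match where it is available, and in any case expand the trailing comment to say which platform yields 55 and why the reason text is no longer asserted, e.g. `# 55 on platforms where the TLS alert surfaces as a send error; reason text not portable`. The enclosing `if` and the rest of the test body are outside the hunk.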
diff --git a/util/clixon_netconf_ssh_callhome.c b/util/clixon_netconf_ssh_callhome.c
index 03608fa3..d539eeb8 100644
--- a/util/clixon_netconf_ssh_callhome.c
+++ b/util/clixon_netconf_ssh_callhome.c
@@ -76,6 +76,7 @@ sudo clixon_netconf_ssh_callhome -a 127.0.0.1 -c /var/tmp/./test_netconf_ssh_cal
 #include
 #include
 #include
+#include
 #define NETCONF_CH_SSH 4334
 #define SSHDBIN_DEFAULT "/usr/sbin/sshd"
diff --git a/util/clixon_netconf_ssh_callhome_client.c b/util/clixon_netconf_ssh_callhome_client.c
index ee6c5869..37ed3db1 100644
--- a/util/clixon_netconf_ssh_callhome_client.c
+++ b/util/clixon_netconf_ssh_callhome_client.c
@@ -75,6 +75,7 @@ Example sshd-config (-c option):n
 #include
 #include
 #include
+#include
 #define NETCONF_CH_SSH 4334
 #define UTIL_OPTS "hD:f:a:p:"