#!/bin/bash # Authentication and authorization and IETF NACM # External NACM file # See RFC 8341 A.2 # But replaced ietf-netconf-monitoring with * APPNAME=example # include err() and new() functions and creates $dir . ./lib.sh cfg=$dir/conf_yang.xml fyang=$dir/test.yang fyangerr=$dir/err.yang nacmfile=$dir/nacmfile # Note filter out example_backend_nacm.so in CLICON_BACKEND_REGEXP below cat < $cfg $cfg /usr/local/share/example/yang $fyang /usr/local/lib/$APPNAME/clispec /usr/local/lib/$APPNAME/backend example_backend.so$ /usr/local/lib/$APPNAME/restconf /usr/local/lib/$APPNAME/cli $APPNAME /usr/local/var/$APPNAME/$APPNAME.sock /usr/local/var/$APPNAME/$APPNAME.pidfile 1 /usr/local/var/$APPNAME /usr/local/lib/xmldb/text.so false external $nacmfile EOF cat < $fyang module $APPNAME{ prefix ex; import ietf-interfaces { prefix if; } import iana-if-type { prefix ianaift; } container authentication { description "Example code for enabling www basic auth and some example users"; leaf basic_auth{ description "Basic user / password authentication as in HTTP basic auth"; type boolean; default true; } list auth { description "user / password entries. Valid if basic_auth=true"; key user; leaf user{ description "User name"; type string; } leaf password{ description "Password"; type string; } } } leaf x{ type int32; description "something to edit"; } container interfaces-state { config false; list interface{ key "name"; leaf name{ type string; } leaf type{ type string; } leaf if-index { type int32; } } } } EOF cat < $nacmfile

true

deny

admin

adm1

limited

wilma

bam-bam

guest

guest@example.com

guest-acl guest deny-ncm

deny Do not allow guests any access to any information.

limited-acl limited permit-get

get

exec

permit Allow get permit-get-config

get-config

exec

permit Allow get-config

admin-acl admin permit-all

permit Allow the 'admin' group complete access to all operations and data.

EOF # kill old backend (if any) new "kill old backend -zf $cfg -y $fyang" sudo clixon_backend -zf $cfg -y $fyang if [ $? -ne 0 ]; then err fi sleep 1 new "start backend -s init -f $cfg -y $fyang" # start new backend sudo $clixon_backend -s init -f $cfg -y $fyang if [ $? -ne 0 ]; then err fi sleep 1 new "kill old restconf daemon" sudo pkill -u www-data clixon_restconf new "start restconf daemon (-a is enable http basic auth)" sudo start-stop-daemon -S -q -o -b -x /www-data/clixon_restconf -d /www-data -c www-data -- -f $cfg -y $fyang -- -a sleep 1 new "restconf DELETE whole datastore" expecteq "$(curl -u adm1:bar -sS -X DELETE http://localhost/restconf/data)" "" new2 "auth get" expecteq "$(curl -u adm1:bar -sS -X GET http://localhost/restconf/data/ietf-interfaces:interfaces-state)" '{"interfaces-state": {"interface": [{"name": "eth0","type": "ex:eth","if-index": 42}]}} ' new "Set x to 0" expecteq "$(curl -u adm1:bar -sS -X PUT -d '{"x": 0}' http://localhost/restconf/data/x)" "" new2 "auth get (no user: access denied)" expecteq "$(curl -sS -X GET -H \"Accept:\ application/yang-data+json\" http://localhost/restconf/data)" '{"ietf-restconf:errors" : {"error": {"error-tag": "access-denied","error-type": "protocol","error-severity": "error","error-message": "The requested URL was unauthorized"}}} ' new2 "auth get (wrong passwd: access denied)" expecteq "$(curl -u adm1:foo -sS -X GET http://localhost/restconf/data)" '{"ietf-restconf:errors" : {"error": {"error-tag": "access-denied","error-type": "protocol","error-severity": "error","error-message": "The requested URL was unauthorized"}}} ' new2 "auth get (access)" expecteq "$(curl -u adm1:bar -sS -X GET http://localhost/restconf/data/x)" '{"x": 0} ' new2 "admin get nacm" expecteq "$(curl -u adm1:bar -sS -X GET http://localhost/restconf/data/x)" '{"x": 0} ' new2 "limited get nacm" expecteq "$(curl -u wilma:bar -sS -X GET http://localhost/restconf/data/x)" '{"x": 0} ' new2 "guest get nacm" expecteq "$(curl -u guest:bar -sS -X GET http://localhost/restconf/data/x)" '{"ietf-restconf:errors" : {"error": {"error-tag": "access-denied","error-type": "protocol","error-severity": "error","error-message": "The requested URL was unauthorized"}}} ' new "admin edit nacm" expecteq "$(curl -u adm1:bar -sS -X PUT -d '{"x": 1}' http://localhost/restconf/data/x)" "" new2 "limited edit nacm" expecteq "$(curl -u wilma:bar -sS -X PUT -d '{"x": 2}' http://localhost/restconf/data/x)" '{"ietf-restconf:errors" : {"error": {"error-tag": "access-denied","error-type": "protocol","error-severity": "error","error-message": "default deny"}}} ' new2 "guest edit nacm" expecteq "$(curl -u guest:bar -sS -X PUT -d '{"x": 3}' http://localhost/restconf/data/x)" '{"ietf-restconf:errors" : {"error": {"error-tag": "access-denied","error-type": "protocol","error-severity": "error","error-message": "The requested URL was unauthorized"}}} ' new "cli show conf as admin" expectfn "$clixon_cli -1 -U adm1 -l o -f $cfg -y $fyang show conf" 0 "^x 1;$" new "cli show conf as limited" expectfn "$clixon_cli -1 -U wilma -l o -f $cfg -y $fyang show conf" 0 "^x 1;$" new "cli show conf as guest" expectfn "$clixon_cli -1 -U guest -l o -f $cfg -y $fyang show conf" 255 "protocol access-denied" new "cli rpc as admin" expectfn "$clixon_cli -1 -U adm1 -l o -f $cfg -y $fyang rpc ipv4" 0 "2.3.4.5" new "cli rpc as limited" expectfn "$clixon_cli -1 -U wilma -l o -f $cfg -y $fyang rpc ipv4" 255 "protocol access-denied default deny" new "cli rpc as guest" expectfn "$clixon_cli -1 -U guest -l o -f $cfg -y $fyang rpc ipv4" 255 "protocol access-denied access denied" new "Kill restconf daemon" sudo pkill -u www-data clixon_restconf new "Kill backend" pid=`pgrep clixon_backend` if [ -z "$pid" ]; then err "backend already dead" fi # kill backend sudo clixon_backend -zf $cfg if [ $? -ne 0 ]; then err "kill backend" fi rm -rf $dir