#!/usr/bin/env bash # Authentication and authorization and IETF NACM # External NACM file # See RFC 8341 A.2 # But replaced ietf-netconf-monitoring with * # Magic line must be first in script (see README.md) s="$_" ; . ./lib.sh || if [ "$s" = $0 ]; then exit 0; else return 0; fi APPNAME=example # Common NACM scripts . ./nacm.sh cfg=$dir/conf_yang.xml fyang=$dir/nacm-example.yang nacmfile=$dir/nacmfile # Note filter out example_backend_nacm.so in CLICON_BACKEND_REGEXP below cat < $cfg $cfg /usr/local/share/clixon $IETFRFC $fyang /usr/local/lib/$APPNAME/clispec /usr/local/lib/$APPNAME/backend example_backend.so$ /usr/local/lib/$APPNAME/restconf /usr/local/lib/$APPNAME/cli $APPNAME /usr/local/var/$APPNAME/$APPNAME.sock false /usr/local/var/$APPNAME/$APPNAME.pidfile /usr/local/var/$APPNAME false external $nacmfile none $RESTCONFIG EOF cat < $fyang module nacm-example{ yang-version 1.1; namespace "urn:example:nacm"; import clixon-example { prefix ex; } prefix nacm; container authentication { presence "To keep this from auto-expanding"; description "Example code for enabling www basic auth and some example users"; leaf basic_auth{ description "Basic user / password authentication as in HTTP basic auth"; type boolean; default true; } list auth { description "user / password entries. Valid if basic_auth=true"; key user; leaf user{ description "User name"; type string; } leaf password{ description "Password"; type string; } } } leaf x{ type int32; description "something to edit"; } } EOF cat < $nacmfile

true

permit

deny

deny $NGROUPS guest-acl guest deny-ncm

deny Do not allow guests any access to any information. limited-acl limited permit-get

get

exec

permit Allow get permit-get-config

get-config

exec

permit Allow get-config $NADMIN 0 EOF new "test params: -f $cfg" if [ $BE -ne 0 ]; then new "kill old backend -zf $cfg " sudo clixon_backend -zf $cfg if [ $? -ne 0 ]; then err fi sleep 1 new "start backend -s init -f $cfg -- -s" # start new backend start_backend -s init -f $cfg -- -s fi new "waiting" wait_backend if [ $RC -ne 0 ]; then new "kill old restconf daemon" stop_restconf_pre new "start restconf daemon (-a is enable http basic auth)" start_restconf -f $cfg -- -a new "waiting" wait_restconf fi new "auth get" expectpart "$(curl -u andy:bar $CURLOPTS -X GET $RCPROTO://localhost/restconf/data)" 0 'HTTP/1.1 200 OK' '{"data":{"clixon-example:state":{"op":\["41","42","43"\]}' new "Set x to 0" expectpart "$(curl -u andy:bar $CURLOPTS -X PUT -H "Content-Type: application/yang-data+json" -d '{"nacm-example:x": 0}' $RCPROTO://localhost/restconf/data/nacm-example:x)" 0 "HTTP/1.1 201 Created" new "auth get (no user: access denied)" expectpart "$(curl $CURLOPTS -X GET -H \"Accept:\ application/yang-data+json\" $RCPROTO://localhost/restconf/data)" 0 "HTTP/1.1 403 Forbidden" '{"ietf-restconf:errors":{"error":{"error-type":"protocol","error-tag":"access-denied","error-severity":"error","error-message":"The requested URL was unauthorized"}}}' new "auth get (wrong passwd: access denied)" expectpart "$(curl -u andy:foo $CURLOPTS -X GET $RCPROTO://localhost/restconf/data)" 0 "HTTP/1.1 403 Forbidden" '{"ietf-restconf:errors":{"error":{"error-type":"protocol","error-tag":"access-denied","error-severity":"error","error-message":"The requested URL was unauthorized"}}}' new "auth get (access)" expectpart "$(curl -u andy:bar $CURLOPTS -X GET $RCPROTO://localhost/restconf/data/nacm-example:x)" 0 "HTTP/1.1 200 OK" '{"nacm-example:x":0}' new "admin get nacm" expectpart "$(curl -u andy:bar $CURLOPTS -X GET $RCPROTO://localhost/restconf/data/nacm-example:x)" 0 "HTTP/1.1 200 OK" '{"nacm-example:x":0}' new "limited get nacm" expectpart "$(curl -u wilma:bar $CURLOPTS -X GET $RCPROTO://localhost/restconf/data/nacm-example:x)" 0 "HTTP/1.1 200 OK" '{"nacm-example:x":0}' new "guest get nacm" expectpart "$(curl -u guest:bar $CURLOPTS -X GET $RCPROTO://localhost/restconf/data/nacm-example:x)" 0 "HTTP/1.1 403 Forbidden" '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"access denied"}}}' new "admin edit nacm" expectpart "$(curl -u andy:bar $CURLOPTS -X PUT -H "Content-Type: application/yang-data+json" -d '{"nacm-example:x": 1}' $RCPROTO://localhost/restconf/data/nacm-example:x)" 0 "HTTP/1.1 204 No Content" new "limited edit nacm" expectpart "$(curl -u wilma:bar $CURLOPTS -X PUT -H "Content-Type: application/yang-data+json" -d '{"nacm-example:x": 2}' $RCPROTO://localhost/restconf/data/nacm-example:x)" 0 "HTTP/1.1 403 Forbidden" '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"default deny"}}}' new "guest edit nacm" expectpart "$(curl -u guest:bar $CURLOPTS -X PUT -H "Content-Type: application/yang-data+json" -d '{"nacm-example:x": 3}' $RCPROTO://localhost/restconf/data/nacm-example:x)" 0 "HTTP/1.1 403 Forbidden" '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"access denied"}}}' new "cli show conf as admin" expectpart "$($clixon_cli -1 -U andy -l o -f $cfg show conf)" 0 "x 1;" new "cli show conf as limited" expectpart "$($clixon_cli -1 -U wilma -l o -f $cfg show conf)" 0 "x 1;" new "cli show conf as guest" expectpart "$($clixon_cli -1 -U guest -l o -f $cfg show conf)" 255 "application access-denied" new "cli rpc as admin" expectfn "$clixon_cli -1 -U andy -l o -f $cfg rpc ipv4" 0 'ipv442' new "cli rpc as limited" expectfn "$clixon_cli -1 -U wilma -l o -f $cfg rpc ipv4" 255 "access-denied default deny" new "cli rpc as guest" expectfn "$clixon_cli -1 -U guest -l o -f $cfg rpc ipv4" 255 "access-denied access denied" if [ $RC -ne 0 ]; then new "Kill restconf daemon" stop_restconf fi if [ $BE -eq 0 ]; then exit # BE fi new "Kill backend" # Check if premature kill pid=$(pgrep -u root -f clixon_backend) if [ -z "$pid" ]; then err "backend already dead" fi # kill backend stop_backend -f $cfg rm -rf $dir