/* * ***** BEGIN LICENSE BLOCK ***** Copyright (C) 2009-2019 Olof Hagsand and Benny Holmgren This file is part of CLIXON. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. Alternatively, the contents of this file may be used under the terms of the GNU General Public License Version 3 or later (the "GPL"), in which case the provisions of the GPL are applicable instead of those above. If you wish to allow use of your version of this file only under the terms of the GPL, and not to allow others to use your version of this file under the terms of Apache License version 2, indicate your decision by deleting the provisions above and replace them with the notice and other provisions required by the GPL. If you do not delete the provisions above, a recipient may use your version of this file under the terms of any one of the Apache License version 2 or the GPL. ***** END LICENSE BLOCK ***** * NACM code according to RFC8341 Network Configuration Access Control Model */ #ifdef HAVE_CONFIG_H #include "clixon_config.h" /* generated by config & autoconf */ #endif #include #include #include #include #include #include #include #include #include /* cligen */ #include /* clixon */ #include "clixon_queue.h" #include "clixon_hash.h" #include "clixon_err.h" #include "clixon_log.h" #include "clixon_string.h" #include "clixon_handle.h" #include "clixon_yang.h" #include "clixon_xml.h" #include "clixon_options.h" #include "clixon_data.h" #include "clixon_netconf_lib.h" #include "clixon_xpath_ctx.h" #include "clixon_xpath.h" #include "clixon_yang_module.h" #include "clixon_datastore.h" #include "clixon_xml_nsctx.h" #include "clixon_nacm.h" /* NACM namespace for use with xml namespace contexts and xpath */ #define NACM_NS "urn:ietf:params:xml:ns:yang:ietf-netconf-acm" /*! Match nacm access operations according to RFC8341 3.4.4. * Incoming RPC Message Validation Step 7 (c) * The rule's "access-operations" leaf has the "exec" bit set or * has the special value "*". * @param[in] mode Primary mode, eg read, create, update, delete, exec * @param[in] mode2 Secondary mode, eg "write" * @retval 0 No match * @retval 1 Match * @note access_operations is bit-fields */ static int match_access(char *access_operations, char *mode, char *mode2) { if (access_operations==NULL) return 0; if (strcmp(access_operations,"*")==0) return 1; if (strstr(access_operations, mode)!=NULL) return 1; if (mode2 && strstr(access_operations, mode2)!=NULL) return 1; return 0; } /*! Match nacm single rule. Either match with access or deny. Or not match. * @param[in] rpc rpc name * @param[in] module Yang module name * @param[in] xrule NACM rule XML tree * @param[out] cbret Cligen buffer result. Set to an error msg if retval=0. * @retval -1 Error * @retval 0 Matching rule AND Not access and cbret set * @retval 1 Matching rule AND Access * @retval 2 No matching rule Goto step 10 * @see RFC8341 3.4.4. Incoming RPC Message Validation 7.(cont) A rule matches if all of the following criteria are met: * The rule's "module-name" leaf is "*" or equals the name of the YANG module where the protocol operation is defined. * Either (1) the rule does not have a "rule-type" defined or (2) the "rule-type" is "protocol-operation" and the "rpc-name" is "*" or equals the name of the requested protocol operation. * The rule's "access-operations" leaf has the "exec" bit set or has the special value "*". */ static int nacm_rule_rpc(char *rpc, char *module, cxobj *xrule) { int retval = -1; char *module_rule; /* rule module name */ char *rpc_rule; char *access_operations; /* 7a) The rule's "module-name" leaf is "*" or equals the name of the YANG module where the protocol operation is defined. */ if ((module_rule = xml_find_body(xrule, "module-name")) == NULL) goto nomatch; if (strcmp(module_rule,"*") && strcmp(module_rule,module)) goto nomatch; /* 7b) Either (1) the rule does not have a "rule-type" defined or (2) the "rule-type" is "protocol-operation" and the "rpc-name" is "*" or equals the name of the requested protocol operation. */ if ((rpc_rule = xml_find_body(xrule, "rpc-name")) == NULL){ if (xml_find_body(xrule, "path") || xml_find_body(xrule, "notification-name")) goto nomatch; } if (rpc_rule && (strcmp(rpc_rule, "*") && strcmp(rpc_rule, rpc))) goto nomatch; /* 7c) The rule's "access-operations" leaf has the "exec" bit set or has the special value "*". */ access_operations = xml_find_body(xrule, "access-operations"); if (!match_access(access_operations, "exec", NULL)) goto nomatch; retval = 1; done: return retval; nomatch: retval = 0; goto done; } /*! Process nacm incoming RPC message validation steps * @param[in] module Yang module name * @param[in] rpc rpc name * @param[in] username User name of requestor * @param[in] xnacm NACM xml tree * @param[out] cbret Cligen buffer result. Set to an error msg if retval=0. * @retval -1 Error * @retval 0 Not access and cbret set * @retval 1 Access * @see RFC8341 3.4.4. Incoming RPC Message Validation * @see nacm_datanode_write * @see nacm_datanode_read */ int nacm_rpc(char *rpc, char *module, char *username, cxobj *xnacm, cbuf *cbret) { int retval = -1; cxobj *xrule; cxobj **gvec = NULL; /* groups */ size_t glen; cxobj *rlist; cxobj **rlistvec = NULL; /* rule-list */ size_t rlistlen; cxobj **rvec = NULL; /* rules */ size_t rlen; int i, j; char *exec_default = NULL; char *gname; char *action; int match= 0; cvec *nsc = NULL; /* Create namespace context for with nacm namespace as default */ if ((nsc = xml_nsctx_init(NULL, NACM_NS)) == NULL) goto done; /* 3. If the requested operation is the NETCONF protocol operation, then the protocol operation is permitted. */ if (strcmp(rpc, "close-session") == 0) goto permit; /* 4. Check all the "group" entries to see if any of them contain a "user-name" entry that equals the username for the session making the request. (If the "enable-external-groups" leaf is "true", add to these groups the set of groups provided by the transport layer.) */ if (username == NULL) goto step10; /* User's group */ if (xpath_vec(xnacm, nsc, "groups/group[user-name='%s']", &gvec, &glen, username) < 0) goto done; /* 5. If no groups are found, continue with step 10. */ if (glen == 0) goto step10; /* 6. Process all rule-list entries, in the order they appear in the configuration. If a rule-list's "group" leaf-list does not match any of the user's groups, proceed to the next rule-list entry. */ if (xpath_vec(xnacm, nsc, "rule-list", &rlistvec, &rlistlen) < 0) goto done; for (i=0; i or , then the protocol operation is denied. */ if (strcmp(rpc, "kill-session")==0 || strcmp(rpc, "delete-config")==0){ if (netconf_access_denied(cbret, "application", "default deny") < 0) goto done; goto deny; } /* 12. If the "exec-default" leaf is set to "permit", then permit the protocol operation; otherwise, deny the request. */ exec_default = xml_find_body(xnacm, "exec-default"); if (exec_default ==NULL || strcmp(exec_default, "permit")==0) goto permit; if (netconf_access_denied(cbret, "application", "default deny") < 0) goto done; goto deny; permit: retval = 1; done: clicon_debug(1, "%s retval:%d (0:deny 1:permit)", __FUNCTION__, retval); if (nsc) xml_nsctx_free(nsc); if (gvec) free(gvec); if (rlistvec) free(rlistvec); if (rvec) free(rvec); return retval; deny: /* Here, cbret must contain a netconf error msg */ assert(cbuf_len(cbret)); retval = 0; goto done; } /*--------------------------------------------------------------- * Datanode/module read and write */ /*! We have a rule matching user group. Now match proper write operation and module * @retval -1 Error * @retval 0 No Match * @retval 1 Match * @see RFC8341 3.4.5. Data Node Access Validation point (6) */ static int nacm_rule_datanode(cxobj *xt, cxobj *xr, cxobj *xrule, enum nacm_access access) { int retval = -1; char *path; char *access_operations; char *module_rule; /* rule module name */ yang_stmt *ys; yang_stmt *ymod; char *module; cxobj *xpath; /* xpath match */ cxobj *xp; /* parent */ cvec *nsc = NULL; /* Create namespace context for with nacm namespace as default */ if ((nsc = xml_nsctx_init(NULL, NACM_NS)) == NULL) goto done; /* 6a) The rule's "module-name" leaf is "*" or equals the name of * the YANG module where the requested data node is defined. */ if ((module_rule = xml_find_body(xrule, "module-name")) == NULL) goto nomatch; if (strcmp(module_rule,"*")!=0){ if (xr==NULL || (ys = xml_spec(xr)) == NULL) goto nomatch; ymod = ys_module(ys); module = yang_argument_get(ymod); if (strcmp(module, module_rule) != 0) goto nomatch; } /* 6b) Either (1) the rule does not have a "rule-type" defined or (2) the "rule-type" is "data-node" and the "path" matches the requested data node, action node, or notification node. A path is considered to match if the requested node is the node specified by the path or is a descendant node of the path.*/ if ((path = xml_find_body(xrule, "path")) == NULL){ if (xml_find_body(xrule, "rpc-name") ||xml_find_body(xrule, "notification-name")) goto nomatch; } access_operations = xml_find_body(xrule, "access-operations"); switch (access){ case NACM_READ: /* 6c) For a "read" access operation, the rule's "access-operations" leaf has the "read" bit set or has the special value "*" */ if (!match_access(access_operations, "read", NULL)) goto nomatch; break; case NACM_CREATE: /* 6d) For a "create" access operation, the rule's "access-operations" leaf has the "create" bit set or has the special value "*". */ if (!match_access(access_operations, "create", "write")) goto nomatch; break; case NACM_DELETE: /* 6e) For a "delete" access operation, the rule's "access-operations" leaf has the "delete" bit set or has the special value "*". */ if (!match_access(access_operations, "delete", "write")) goto nomatch; break; case NACM_UPDATE: /* 6f) For an "update" access operation, the rule's "access-operations" leaf has the "update" bit set or has the special value "*". */ if (!match_access(access_operations, "update", "write")) goto nomatch; break; default: break; } /* Here module is matched, now check for path if any NYI */ if (path){ if ((xpath = xpath_first(xt, nsc, "%s", path)) == NULL) goto nomatch; /* The requested node xr is the node specified by the path or is a * descendant node of the path: * xmatch is one of xvec[] or an ancestor of the xvec[] nodes. */ xp = xr; do { if (xpath == xp) goto match; } while ((xp = xml_parent(xp)) != NULL); } match: retval = 1; done: if (nsc) xml_nsctx_free(nsc); return retval; nomatch: retval = 0; goto done; } /*! Go through all rules for a requested node * @param[in] xt XML root tree with "config" label * @param[in] xr Requested node (node in xt) * @param[in] gvec NACM groups where user is member * @param[in] glen Length of gvec * @param[in] rlistvec NACM rule-list entries * @param[in] rlistlen Length of rlistvec * @param[in] nsc NACM namespace context for xpaths * @param[out] xrulep If set, then points to matching rule */ static int nacm_data_read_xr(cxobj *xt, cxobj *xr, cxobj **gvec, size_t glen, cxobj **rlistvec, size_t rlistlen, cvec *nsc, cxobj **xrulep) { int retval = -1; int i, j; cxobj *rlist; char *gname; cxobj **rvec = NULL; /* rules */ size_t rlen; cxobj *xrule = NULL; int match = 0; for (i=0; i and Operations * Data nodes to which the client does not have read access are silently * omitted, along with any descendants, from the message. * For NETCONF filtering purposes, the selection criteria are applied to the * subset of nodes that the user is authorized to read, not the entire datastore. * @note assume mode is internal or external, not disabled * @node There is unclarity on what "a data node" means wrt a read operation. * Suppose a tree is accessed. Is "the data node" just the top of the tree? * (1) Or is it all nodes, recursively, in the data-tree? * (2) Or is the datanode only the requested tree, NOT the whole datatree? * Example: * - r0 default permit/deny * * - rule r1 to permit/deny /a * - rule r2 to permit/deny /a/b * - rule r3 to permit/deny /a/b/c * - rule r4 to permit/deny /d * - read access on /a/b which returns ? * permit - t; deny - f * r1 | r2 | r3 | result (r0 and r4 are dont cares - dont match) * ------+------+------+--------- * t | t | t | * t | t | f | * t | f | t | * t | f | f | * f | t | t | * f | t | f | * f | f | t | * f | f | f | * * - read access on / which returns ? * permit - t; deny - f * r0 | r4 | result * ------+------+--------- * t | t | * t | f | * f | t | * f | f | * Algorithm 1, based on an xml tree XT: * The special variable ACTION can have values: * permit/deny/default * 1. Traverse through all nodes x in xt. Set ACTION to default * - Find first exact matching rule r of non-default rules r1-rn on x * - if found set ACTION to r->action (permit/deny). * - if ACTION is deny purge x and all descendants * - if ACTION is permit, mark x as PERMIT * - continue traverse * 2. If default action is * 2. Traverse through all nodes x in xt. Set ACTION to default r0->action * - if x is marked as PERMIT * - if ACTION is deny deny purge x and all descendants * * Algorithm 2 (based on requested node set XRS which are sub-trees in XT). * For each XR in XRS, check match with rule r1-rn, r0. * 1. XR is PERMIT * - Recursively match subtree to find reject sub-trees and purge. * 2. XR is REJECT. Purge XR. * Module-rule w no path is implicit rule on top node. * * A module rule has the "module-name" leaf set but no nodes from the * "rule-type" choice set. * @see RFC8341 3.4.5. Data Node Access Validation * @see nacm_datanode_write * @see nacm_rpc */ int nacm_datanode_read(cxobj *xt, cxobj **xrvec, size_t xrlen, char *username, cxobj *xnacm) { int retval = -1; cxobj **gvec = NULL; /* groups */ size_t glen; cxobj *xr; cxobj **rlistvec = NULL; /* rule-list */ size_t rlistlen; int i; char *read_default = NULL; cxobj *xrule; char *action; cvec *nsc = NULL; /* Create namespace context for with nacm namespace as default */ if ((nsc = xml_nsctx_init(NULL, NACM_NS)) == NULL) goto done; /* 3. Check all the "group" entries to see if any of them contain a "user-name" entry that equals the username for the session making the request. (If the "enable-external-groups" leaf is "true", add to these groups the set of groups provided by the transport layer.) */ if (username == NULL) goto step9; /* User's group */ if (xpath_vec(xnacm, nsc, "groups/group[user-name='%s']", &gvec, &glen, username) < 0) goto done; /* 4. If no groups are found (glen=0), continue and check read-default in step 11. */ /* 5. Process all rule-list entries, in the order they appear in the configuration. If a rule-list's "group" leaf-list does not match any of the user's groups, proceed to the next rule-list entry. */ if (xpath_vec(xnacm, nsc, "rule-list", &rlistvec, &rlistlen) < 0) goto done; /* read-default has default permit so should never be NULL */ if ((read_default = xml_find_body(xnacm, "read-default")) == NULL){ clicon_err(OE_XML, EINVAL, "No nacm read-default rule"); goto done; } for (i=0; i