yumapro  20.10-12
YumaPro SDK
agt_acm.h
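/*
 * Copyright (c) 2008 - 2012, Andy Bierman, All Rights Reserved.
 * Copyright (c) 2012 - 2021, YumaWorks, Inc., All Rights Reserved.
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
#ifndef _H_agt_acm
#define _H_agt_acm

/*  FILE: agt_acm.h
*********************************************************************
*                                                                   *
*                         P U R P O S E                             *
*                                                                   *
*********************************************************************/

/**
 * @file agt_acm.h
 * @brief NETCONF Server Access Control Entry Points.
 *
 * Declares the access-control (ACM) checks for RPC invocation,
 * notification delivery and data-node read/write, together with the
 * per-message and per-session cache handling, the access-control
 * mode accessors and the denied-access counters.
 */

/*********************************************************************
*                                                                   *
*                   C H A N G E    H I S T O R Y                    *
*                                                                   *
*********************************************************************

date             init     comment
----------------------------------------------------------------------
03-feb-06    abb      Begun
14-may-09    abb      add per-msg cache to speed up performance
*/

#include <xmlstring.h>

#ifndef _H_agt
#include "agt.h"
#endif

#ifndef _H_dlq
#include "dlq.h"
#endif

#ifndef _H_obj
#include "obj.h"
#endif

#ifndef _H_ses
#include "ses.h"
#endif

#ifndef _H_status
#include "status.h"
#endif

#ifndef _H_val
#include "val.h"
#endif

#ifndef _H_xml_msg
#include "xml_msg.h"
#endif

#ifndef _H_xmlns
#include "xmlns.h"
#endif

#ifndef _H_xpath
#include "xpath.h"
#endif

#ifdef __cplusplus
extern "C" {
#endif

/********************************************************************
*                                                                   *
*                         C O N S T A N T S                         *
*                                                                   *
*********************************************************************/

/* The ACM model is defined by the vendor at build time and may not
 * be changed by the user, since there are no translation functions
 * between models.  RFC 6536 (IETF NACM) is picked as the default.
 */
// To change ACM models, also change the nacm:default-deny-* extensions
// in all YANG modules using these YANG extensions
#define AGT_DEF_ACM_MODEL    AGT_ACM_MODEL_IETF_NACM

// agt.h describes AGT_ACM_MODEL_YUMA_NACM as obsolete and not
// supported, so this alternative stays commented out.
//#define AGT_DEF_ACM_MODEL  AGT_ACM_MODEL_YUMA_NACM


/********************************************************************
*                                                                   *
*                             T Y P E S                             *
*                                                                   *
*********************************************************************/


/********************************************************************
*                                                                   *
*                         F U N C T I O N S                         *
*                                                                   *
*********************************************************************/

/* Header only */


/**
 * @brief Initialize the NETCONF Server access control module.
 *
 * @return status_t result of the initialization
 *         (presumably NO_ERR on success -- confirm in agt_acm.c)
 */
extern status_t
    agt_acm_init (void);


/**
 * @brief Phase 2: initialize the nacm.yang configuration data
 *        structures.
 *
 * NOTE(review): presumably must run after agt_acm_init() -- confirm
 * the required init sequence in agt_acm.c.
 *
 * @return status_t result of the phase 2 initialization
 */
extern status_t
    agt_acm_init2 (void);


/**
 * @brief Cleanup the NETCONF Server access control module.
 */
extern void
    agt_acm_cleanup (void);


/**
 * @brief Check if the specified user is allowed to invoke an RPC.
 *
 * @param msg message header of the request being checked
 * @param user user name to check
 * @param rpcobj object template of the RPC to invoke
 * @return boolean result of the check; presumably TRUE when the
 *         user is allowed -- confirm in agt_acm.c.  The result is
 *         the authorization decision, so it must be tested before
 *         the RPC is invoked.
 */
extern boolean
    agt_acm_rpc_allowed (xml_msg_hdr_t *msg,
                         const xmlChar *user,
                         const obj_template_t *rpcobj);


/**
 * @brief Check if the specified user is allowed to receive a
 *        notification event.
 *
 * @param user user name to check
 * @param notifobj object template of the notification event
 * @return boolean result of the check; presumably TRUE when the
 *         user may receive the event -- confirm in agt_acm.c
 */
extern boolean
    agt_acm_notif_allowed (const xmlChar *user,
                           const obj_template_t *notifobj);


/**
 * @brief Check if the specified user is allowed to access a value
 *        node (write access check for an edit operation).
 *
 * @param msg message header of the request being checked
 * @param user user name to check
 * @param newval new value node for the edit
 *        (NOTE(review): whether NULL is accepted is not visible here)
 * @param curval current value node for the edit
 *        (NOTE(review): whether NULL is accepted is not visible here)
 * @param editop edit operation requested for the node
 * @return boolean result of the check; presumably TRUE when the
 *         write is allowed -- confirm in agt_acm.c
 */
extern boolean
    agt_acm_val_write_allowed (xml_msg_hdr_t *msg,
                               const xmlChar *user,
                               val_value_t *newval,
                               val_value_t *curval,
                               op_editop_t editop);


/**
 * @brief Check if the specified user is allowed to read a value node.
 *
 * @param msg message header of the request being checked
 * @param user user name to check
 * @param val value node to be read
 * @return boolean result of the check; presumably TRUE when the
 *         read is allowed -- confirm in agt_acm.c
 */
extern boolean
    agt_acm_val_read_allowed (xml_msg_hdr_t *msg,
                              const xmlChar *user,
                              val_value_t *val);


/**
 * @brief Malloc and initialize an agt_acm_cache_t struct and attach
 *        it to the incoming message.
 *
 * The per-message cache was added to speed up the access checks
 * (see the change history above).
 *
 * @param scb session control block for the incoming message
 * @param msg message header that receives the cache
 * @return status_t result; the allocation can fail, so the return
 *         value needs to be checked
 */
extern status_t
    agt_acm_init_msg_cache (ses_cb_t *scb,
                            xml_msg_hdr_t *msg);


/**
 * @brief Clear an agt_acm_cache_t struct attached to the specified
 *        message.
 *
 * @param msg message header holding the cache to clear
 */
extern void
    agt_acm_clear_msg_cache (xml_msg_hdr_t *msg);


/**
 * @brief Clear an agt_acm_cache_t struct in a session control block.
 *
 * @param scb session control block holding the cache to clear
 */
extern void agt_acm_clear_session_cache (ses_cb_t *scb);


/**
 * @brief Mark an agt_acm_cache_t struct in a session control block
 *        as invalid so it will be refreshed on next use.
 *
 * NOTE(review): cached decisions survive until this is called, so
 * presumably every change to the access-control rules has to reach
 * it for each affected session -- confirm against the callers.
 *
 * @param scb session control block holding the cache to invalidate
 */
extern void agt_acm_invalidate_session_cache (ses_cb_t *scb);


/**
 * @brief Check if the specified session NACM cache is valid.
 *
 * @param scb session control block to check
 * @return boolean result; presumably TRUE when the cache is valid
 */
extern boolean
    agt_acm_session_cache_valid (const ses_cb_t *scb);


/**
 * @brief Check if the specified session is the superuser.
 *
 * @param scb session control block to check
 * @return boolean result; presumably TRUE for the superuser session
 */
extern boolean
    agt_acm_session_is_superuser (const ses_cb_t *scb);


/**
 * @brief Get the --access-control mode.
 *
 * @return the current agt_acmode_t value
 */
extern agt_acmode_t
    agt_acm_get_acmode (void);


/**
 * @brief Set the --access-control mode.
 *
 * The modes documented in agt.h include AGT_ACMOD_ENFORCING (full
 * enforcement), AGT_ACMOD_DISABLED (almost all access control turned
 * off) and AGT_ACMOD_OFF (NACM completely off).  Any mode other than
 * enforcing reduces or removes the checks declared in this header,
 * so this setter belongs on trusted configuration paths only.
 *
 * NOTE(review): this header does not show whether newmode is
 * validated -- confirm in agt_acm.c.
 *
 * @param newmode access-control mode to set
 */
extern void
    agt_acm_set_acmode (agt_acmode_t newmode);


/**
 * @brief Get the log_writes flag.
 *
 * @return boolean value of the log_writes flag
 */
extern boolean
    agt_acm_get_log_writes (void);


/**
 * @brief Get the log_reads flag.
 *
 * @return boolean value of the log_reads flag
 */
extern boolean
    agt_acm_get_log_reads (void);


/**
 * @brief Check if the specified user name is the superuser.
 *
 * Low-level access; no scb available.  Only a name is supplied, so
 * the decision cannot take session state into account: the caller is
 * responsible for passing a name taken from an authenticated session.
 *
 * @param username user name to check
 * @return boolean result; presumably TRUE when username is the
 *         superuser -- confirm in agt_acm.c
 */
extern boolean
    agt_acm_is_superuser (const xmlChar *username);


/**
 * @brief Get the deniedRpcs counter.
 *
 * @return current counter value
 */
extern uint32
    agt_acm_get_deniedRpcs (void);


/**
 * @brief Get the deniedDataWrites counter.
 *
 * @return current counter value
 */
extern uint32
    agt_acm_get_deniedDataWrites (void);


/**
 * @brief Get the deniedNotifications counter.
 *
 * @return current counter value
 */
extern uint32
    agt_acm_get_deniedNotifications (void);


/**
 * @brief Clean any cached XPath results because the data rule
 *        results may not be valid anymore.
 */
extern void
    agt_acm_clean_xpath_cache (void);


/**
 * @brief Check the dataruleQ in the object and all child nodes.
 *
 * @param val value node to check, including its child nodes
 * @param msgid message ID associated with the check
 *        (NOTE(review): exact use of msgid is not visible here)
 */
extern void
    agt_acm_set_datarules (val_value_t *val,
                           uint32 msgid);


/**
 * @brief Check every rule list entry and its OBJ datarule cache and
 *        clean it if the module is getting unloaded.
 *
 * @param mod module that is being unloaded
 */
extern void
    agt_acm_clean_obj_datarule_cache (ncx_module_t *mod);


#ifdef __cplusplus
}  /* end extern 'C' */
#endif

#endif            /* _H_agt_acm */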
agt_acm_extern_val_read_allowed
boolean agt_acm_extern_val_read_allowed(xml_msg_hdr_t *msg, const xmlChar *user, const val_value_t *val)
Check if the specified user is allowed to read a value node.
Definition: agt_acm_extern.c:290
ses.h
NETCONF Session Common definitions module.
agt_acm_ietf_session_cache_valid
boolean agt_acm_ietf_session_cache_valid(const ses_cb_t *scb)
Check if a session ACM cache is valid.
Definition: agt_acm_ietf.c:5600
agt_acm_get_log_reads
boolean agt_acm_get_log_reads(void)
Get the log_reads flag.
Definition: agt_acm.c:933
agt_ses.h
Server Session Management.
agt_util.h
Utility Functions for NCX Server method routines.
agt_acm_notif_allowed
boolean agt_acm_notif_allowed(const xmlChar *user, const obj_template_t *notifobj)
Check if the specified user is allowed to receive a notification event.
Definition: agt_acm.c:408
OP_EDITOP_NONE
@ OP_EDITOP_NONE
not set
Definition: op.h:123
agt_acm_ietf_init1
status_t agt_acm_ietf_init1(void)
Phase 1: Load the external data module.
Definition: agt_acm_ietf.c:4986
agt_acm_extern.h
NETCONF Server Access Control handler for external data model.
log_error
void log_error(const char *fstr,...) __attribute__((format(printf
Generate a new LOG_DEBUG_ERROR log entry.
val.h
Value Node Basic Support.
agt_acm_ietf_init2
status_t agt_acm_ietf_init2(void)
Phase 2 : Initialize the external data model configuration data structures.
Definition: agt_acm_ietf.c:5105
agt_acm_extern_notif_allowed
boolean agt_acm_extern_notif_allowed(const xmlChar *user, const obj_template_t *notifobj)
Check if the specified user is allowed to receive a notification event.
Definition: agt_acm_extern.c:229
agt_not_is_replay_event
boolean agt_not_is_replay_event(const obj_template_t *notifobj)
Check if the specified notification is the replayComplete or notificationComplete notification event.
Definition: agt_not.c:6267
agt_acm_get_deniedDataWrites
uint32 agt_acm_get_deniedDataWrites(void)
Get the deniedDataWrites counter.
Definition: agt_acm.c:992
agt_acm_ietf_clear_session_cache
void agt_acm_ietf_clear_session_cache(ses_cb_t *scb)
Clear an agt_acm_cache_t struct in a session control block.
Definition: agt_acm_ietf.c:5555
ncx_num.h
NCX Module Library Number Utility Functions.
agt_acm_get_log_writes
boolean agt_acm_get_log_writes(void)
Get the log_writes flag.
Definition: agt_acm.c:917
agt_acm_ietf_clean_obj_datarule
void agt_acm_ietf_clean_obj_datarule(ncx_module_t *mod)
Check every rule list entry and its OBJ datarule cache, and clean it if the module is getting unloaded...
Definition: agt_acm_ietf.c:5754
agt_acm_ietf_val_read_allowed
boolean agt_acm_ietf_val_read_allowed(xml_msg_hdr_t *msg, const xmlChar *user, val_value_t *val)
Check if the specified user is allowed to read a value node.
Definition: agt_acm_ietf.c:5472
AGT_ACM_MODEL_YUMA_NACM
@ AGT_ACM_MODEL_YUMA_NACM
YUMA NACM (obsolete, not supported)
Definition: agt.h:631
agt_acm_clear_session_cache
void agt_acm_clear_session_cache(ses_cb_t *scb)
Clear an agt_acm_cache_t struct in a session control block.
Definition: agt_acm.c:755
agt_acm_get_acmode
agt_acmode_t agt_acm_get_acmode(void)
Get the --access-control mode.
Definition: agt_acm.c:885
AGT_ACM_MODEL_EXTERNAL
@ AGT_ACM_MODEL_EXTERNAL
external ACM via yp_system library
Definition: agt.h:632
ncxconst.h
Contains NCX constants.
ncxmod.h
NCX Module Load Manager.
agt_not.h
NETCONF Notifications DM module support.
agt_acm_set_acmode
void agt_acm_set_acmode(agt_acmode_t newmode)
Set the --access-control mode.
Definition: agt_acm.c:901
agt_acm_extern_init1
status_t agt_acm_extern_init1(void)
Phase 1: Load the external data module.
Definition: agt_acm_extern.c:129
AGT_ACM_MODEL_NONE
@ AGT_ACM_MODEL_NONE
not set
Definition: agt.h:629
agt_cb.h
NETCONF Server Data Model callback handler.
log_debug2
void log_debug2(const char *fstr,...) __attribute__((format(printf
Generate a new LOG_DEBUG_DEBUG2 log entry.
agt_val.h
NETCONF Server database callback handler.
xpath1.h
XPath 1.0 expression support.
def_reg.h
Definition Registry module.
NO_ERR
@ NO_ERR
000
Definition: status_enum.h:188
xpath.h
Schema and data model Xpath search support.
agt_audit.h
NETCONF protocol audit log support.
agt_acm_ietf_val_write_allowed
boolean agt_acm_ietf_val_write_allowed(xml_msg_hdr_t *msg, const xmlChar *user, val_value_t *newval, val_value_t *curval, op_editop_t editop)
Check if the specified user is allowed to access a value node.
Definition: agt_acm_ietf.c:5419
agt_acm_ietf_clean_xpath_cache
void agt_acm_ietf_clean_xpath_cache(void)
Clean any cached XPath results because the data rule results may not be valid anymore.
Definition: agt_acm_ietf.c:5621
log_debug4
void log_debug4(const char *fstr,...) __attribute__((format(printf
Generate a new LOG_DEBUG_DEBUG4 log entry.
obj_get_name
const xmlChar * obj_get_name(const obj_template_t *obj)
Get the name field for this obj.
Definition: obj.c:10511
agt_acm_init2
status_t agt_acm_init2(void)
Phase 2 : Initialize the nacm.yang configuration data structures.
Definition: agt_acm.c:207
LOGDEBUG2
#define LOGDEBUG2
Check if at least log-level=debug2.
Definition: log.h:292
AGT_ACM_MODEL_IETF_NACM
@ AGT_ACM_MODEL_IETF_NACM
IETF NACM (default)
Definition: agt.h:630
agt_audit_handle_acm_exec_error
void agt_audit_handle_acm_exec_error(const xmlChar *user, const xmlChar *modname, const xmlChar *rpcname)
Generate an acm-exec-error event if enabled.
Definition: agt_audit.c:690
ERR_INTERNAL_VAL
@ ERR_INTERNAL_VAL
004
Definition: status_enum.h:194
val_util.h
Value Node Utilities.
agt_acm_invalidate_session_cache
void agt_acm_invalidate_session_cache(ses_cb_t *scb)
Mark an agt_acm_cache_t struct in a session control block as invalid so it will be refreshed next use...
Definition: agt_acm.c:790
agt_acm_ietf_notif_allowed
boolean agt_acm_ietf_notif_allowed(const xmlChar *user, const obj_template_t *notifobj)
Check if the specified user is allowed to receive a notification event.
Definition: agt_acm_ietf.c:5388
ERR_INTERNAL_INIT_SEQ
@ ERR_INTERNAL_INIT_SEQ
007
Definition: status_enum.h:197
agt_acm_extern_init_msg_cache
status_t agt_acm_extern_init_msg_cache(ses_cb_t *scb, xml_msg_hdr_t *msg)
Malloc and initialize an agt_acm_cache_t struct and attach it to the incoming message.
Definition: agt_acm_extern.c:173
agt_acm_val_write_allowed
boolean agt_acm_val_write_allowed(xml_msg_hdr_t *msg, const xmlChar *user, val_value_t *newval, val_value_t *curval, op_editop_t editop)
Check if the specified user is allowed to access a value node.
Definition: agt_acm.c:510
AGT_ACMOD_ENFORCING
@ AGT_ACMOD_ENFORCING
full enforcement
Definition: agt.h:609
agt.h
Multi-Protocol Network Management Server.
agt_acm_ietf_cleanup
void agt_acm_ietf_cleanup(void)
Cleanup the external access control module.
Definition: agt_acm_ietf.c:5142
agt_acm_clean_xpath_cache
void agt_acm_clean_xpath_cache(void)
Clean any cached XPath results because the data rule results may not be valid anymore.
Definition: agt_acm.c:1023
agt_acm_extern_rpc_allowed
boolean agt_acm_extern_rpc_allowed(xml_msg_hdr_t *msg, const xmlChar *user, const obj_template_t *rpcobj)
Check if the specified user is allowed to invoke an RPC.
Definition: agt_acm_extern.c:201
agt_acm_session_is_superuser
boolean agt_acm_session_is_superuser(const ses_cb_t *scb)
Check if the specified session is the superuser.
Definition: agt_acm.c:868
xml_msg.h
XML and JSON Message send and receive support.
agt_acm_val_read_allowed
boolean agt_acm_val_read_allowed(xml_msg_hdr_t *msg, const xmlChar *user, val_value_t *val)
Check if the specified user is allowed to read a value node.
Definition: agt_acm.c:618
agt_acm_extern_init2
status_t agt_acm_extern_init2(void)
Phase 2 : Initialize the external data model configuration data structures.
Definition: agt_acm_extern.c:89
agt_acm_clear_msg_cache
void agt_acm_clear_msg_cache(xml_msg_hdr_t *msg)
Clear an agt_acm_cache_t struct attached to the specified message.
Definition: agt_acm.c:734
obj_get_mod_name
const xmlChar * obj_get_mod_name(const obj_template_t *obj)
Get the module name for this object.
Definition: obj.c:12176
agt_acm_set_datarules
void agt_acm_set_datarules(val_value_t *val, uint32 msgid)
Check the dataruleQ in the object and all child nodes.
Definition: agt_acm.c:1057
agt_acm_session_cache_valid
boolean agt_acm_session_cache_valid(const ses_cb_t *scb)
Check if the specified session NACM cache is valid.
Definition: agt_acm.c:827
agt_acm_ietf.h
NETCONF Server Access Control handler for IETF data model.
agt_acm_get_deniedRpcs
uint32 agt_acm_get_deniedRpcs(void)
Get the deniedRpcs counter.
Definition: agt_acm.c:976
xml_strcmp
int xml_strcmp(const xmlChar *s1, const xmlChar *s2)
String compare for xmlChar.
Definition: xml_util.c:1746
OP_EDITOP_LOAD
@ OP_EDITOP_LOAD
load, internal enum
Definition: op.h:128
LOGDEBUG4
#define LOGDEBUG4
Check if at least log-level=debug4.
Definition: log.h:302
agt_acm_get_deniedNotifications
uint32 agt_acm_get_deniedNotifications(void)
Get the deniedNotifications counter.
Definition: agt_acm.c:1008
xmlns_nc_id
xmlns_id_t xmlns_nc_id(void)
Get the ID for the NETCONF namespace or 0 if it doesn't exist.
Definition: xmlns.c:880
agt_acm_is_superuser
boolean agt_acm_is_superuser(const xmlChar *username)
Check if the specified user name is the superuser. Low-level access; no scb available.
Definition: agt_acm.c:954
ncx_list.h
NCX Module Library List Utility Functions.
agt_acm_ietf_invalidate_session_cache
void agt_acm_ietf_invalidate_session_cache(ses_cb_t *scb)
Invalidate an agt_acm_cache_t struct in a session control block.
Definition: agt_acm_ietf.c:5576
agt_acm.h
NETCONF Server Access Control Entry Points.
AGT_ACMOD_NONE
@ AGT_ACMOD_NONE
not set
Definition: agt.h:608
agt_get_profile
agt_profile_t * agt_get_profile(void)
Get the server profile struct.
Definition: agt.c:4118
agt_audit_handle_acm_write_error
void agt_audit_handle_acm_write_error(const xmlChar *user, val_value_t *val, op_editop_t editop)
Generate an acm-write-error event if enabled.
Definition: agt_audit.c:615
agt_acm_extern_val_write_allowed
boolean agt_acm_extern_val_write_allowed(xml_msg_hdr_t *msg, const xmlChar *user, const val_value_t *newval, const val_value_t *curval, op_editop_t editop)
Check if the specified user is allowed to access a value node.
Definition: agt_acm_extern.c:261
agt_acm_rpc_allowed
boolean agt_acm_rpc_allowed(xml_msg_hdr_t *msg, const xmlChar *user, const obj_template_t *rpcobj)
Check if the specified user is allowed to invoke an RPC.
Definition: agt_acm.c:296
ncx.h
YANG module utility functions.
agt_acm_cleanup
void agt_acm_cleanup(void)
Cleanup the NETCONF Server access control module.
Definition: agt_acm.c:251
obj.h
Data Object Support.
agt_acm_ietf_set_datarules
void agt_acm_ietf_set_datarules(val_value_t *val, uint32 msgid)
Check the dataruleQ in the object and all child nodes For each rule found.
Definition: agt_acm_ietf.c:5690
agt_acm_ietf_rpc_allowed
boolean agt_acm_ietf_rpc_allowed(xml_msg_hdr_t *msg, const xmlChar *user, const obj_template_t *rpcobj)
Check if the specified user is allowed to invoke an RPC.
Definition: agt_acm_ietf.c:5277
agt_acm_clean_obj_datarule_cache
void agt_acm_clean_obj_datarule_cache(ncx_module_t *mod)
Check every rule list entry and its OBJ datarule cache, and clean it if the module is getting unloaded...
Definition: agt_acm.c:1095
AGT_ACMOD_OFF
@ AGT_ACMOD_OFF
NACM completely off.
Definition: agt.h:612
SET_ERROR
#define SET_ERROR(E)
macro SET_ERROR
Definition: status_enum.h:103
agt_acm_init
status_t agt_acm_init(void)
Initialize the NETCONF Server access control module.
Definition: agt_acm.c:138
xmlns.h
XML namespace support.
AGT_ACMOD_DISABLED
@ AGT_ACMOD_DISABLED
almost all access control turned off
Definition: agt.h:611
status.h
Global error messages for status code enumerations.
agt_acm_extern_cleanup
void agt_acm_extern_cleanup(void)
Cleanup the external access control module.
Definition: agt_acm_extern.c:145
obj_get_nsid
xmlns_id_t obj_get_nsid(const obj_template_t *obj)
Get the namespace ID for this object.
Definition: obj.c:12395
dlq.h
dlq provides general double-linked list and queue support:
agt_acm_init_msg_cache
status_t agt_acm_init_msg_cache(ses_cb_t *scb, xml_msg_hdr_t *msg)
Malloc and initialize an agt_acm_cache_t struct and attach it to the incoming message.
Definition: agt_acm.c:686
agt_acm_ietf_init_msg_cache
status_t agt_acm_ietf_init_msg_cache(ses_cb_t *scb, xml_msg_hdr_t *msg)
Malloc and initialize an agt_acm_cache_t struct and attach it to the incoming message.
Definition: agt_acm_ietf.c:5512