Gitiles
Code Review Sign In
gerrit.cesnet.cz / CzechLight / rousette

An almost-RESTCONF server built on top of sysrepo

Clone this repo:

Branches

  1. 062ceec tests: pretty print any std::optional in doctest reporting by Tomáš Pecka · 3 weeks ago master
  2. c1cb6de tests: subscribe to running DS in read tests by Tomáš Pecka · 3 weeks ago
  3. e1ecf3f tests: add function that subscribes to module running DS by Tomáš Pecka · 3 weeks ago
  4. 0ddf4b8 restconf: Add support for creating data resources with POST by Tomáš Pecka · 5 weeks ago
  5. fbd9280 restconf: rename URI to URIPath by Tomáš Pecka · 4 weeks ago

An almost-RESTCONF server

License Gerrit Zuul CI

Usage

One day, this might become a RESTCONF server on top of sysrepo. Before that happens, it will, hopefully, be a small HTTP wrapper around sysrepo which publishes some data in a RESTCONF format.

Since this service only talks cleartext HTTP/2, it's recommended to run it behind a reverse proxy.

Access control model

Rousette implements RFC 8341 (NACM). The access rights for users (and groups) are configurable via ietf-netconf-acm YANG model.

The reverse proxy must pass the authorization header as-is and delegate authentication/authorization to the RESTCONF server. The server currently supports two authentication/authorization methods:

  • a systemwide PAM setup through the Basic HTTP authentication, i.e., via the authorization header, which is checked against the system's PAM configuration
  • a special anonymous access.

When the request does not contain the authorization header, and anonymous access is enabled (see below), the server will perform extra safety checks. When certain conditions are met, the anonymous access will be mapped to a NACM account named in the ANONYMOUS_USER CMake option. Such user must be in group ANONYMOUS_USER_GROUP (CMake option) and there must be some specific access rights set up in ietf-netconf-acm model (these are currently very opinionated for our use-case):

  1. The first entry of rule-list list must be configured for ANONYMOUS_USER_GROUP.
  2. All the rules except the last one in this rule-list entry must enable only "read" access operation.
  3. The last rule in the first rule-set must be a wildcard rule that disables all operations over all modules.

The anonymous user access is disabled whenever these rules are not met.

Dependencies

  • nghttp2-asio - asynchronous C++ library for HTTP/2
  • sysrepo-cpp - object-oriented bindings of the sysrepo library
  • libyang-cpp - C++ bindings for libyang
  • systemd - the shared library for logging to sd-journal
  • PAM - for authentication
  • spdlog - Very fast, header-only/compiled, C++ logging library
  • Boost's system and thread
  • C++20 compiler (e.g., GCC 10.x+, clang 10+)
  • CMake 3.19+
  • optionally for built-in tests, Doctest as a C++ unit test framework
  • optionally for built-in tests, trompeloeil for mock objects in C++
  • optionally for built-in tests, pam_matrix and pam_wrapper for PAM mocking

Building

The standard way of building rousette looks like this:

mkdir build
cd build
cmake ..
make
make install

Contributing

The development is being done on Gerrit here. Instructions on how to submit patches can be found here. GitHub Pull Requests are not used.