NACM - Module access rules not applied when "copy-config" RPC used

[lucianocuchi]

Problem:

• When a copy-config netconf operation (In the example with empty configuration) is processed some of the NACM module-access rules are not applied

Scenario:

• The system is running into and Ubuntu 22.04.1 LTS docker:

root@74b52dbc5f65:/usr/local/lib# netopeer2-server -V
netopeer2-server 2.1.59
root@74b52dbc5f65:/usr/local/lib# sysrepoctl -V      
sysrepoctl - sysrepo YANG schema manipulation tool, compiled with libsysrepo v2.2.65 (SO v7.14.25)

• And other libraries used are:

ARG V_LIBYANG=395a7d9 ARG V_LIBSSH=0.9.6 ARG V_LIBNETCONF2=2.1.31

Test details:

• The following NACM policy is applied:

root@74b52dbc5f65:/# sysrepocfg -X -d operational -x /ietf-netconf-acm:* 
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
    <enable-nacm>true</enable-nacm>
    <read-default>permit</read-default>
    <write-default>permit</write-default>
    <exec-default>permit</exec-default>
    <enable-external-groups>false</enable-external-groups>
    <denied-operations>0</denied-operations>
    <denied-data-writes>0</denied-data-writes>
    <denied-notifications>0</denied-notifications>
    <groups>
        <group>
            <name>admin</name>
            <user-name>netconf-admin</user-name>
            <user-name>netconf-cli</user-name>
        </group>
        <group>
            <name>operator</name>
            <user-name>netconf-operator</user-name>
        </group>
        <group>
            <name>read-only</name>
            <user-name>netconf-ro</user-name>
        </group>
    </groups>
    <rule-list>
        <name>read-only-policy</name>
        <group>read-only</group>
        <rule>
            <name>deny-cudx</name>
            <module-name>*</module-name>
            <access-operations>create update delete exec</access-operations>
            <action>deny</action>
            <comment>Only allow read operation</comment>
        </rule>
    </rule-list>
    <rule-list>
        <name>Netconf-server protection</name>
        <group>operator</group>
        <rule>
            <name>hide-ietf-netconf-server</name>
            <module-name>ietf-netconf-server</module-name>
            <access-operations>create update delete exec</access-operations>
            <action>deny</action>
            <comment>Do not allow modifications to ietf-netconf-server module</comment>
        </rule>
    </rule-list>
</nacm>

• And the following copy-config RPC is used for the tests:

  <rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <copy-config>
      <target>
          <running/>
      </target>
      <source>
          <config/>
      </source>
  </copy-config>
  </rpc>]]>]]>

• If the read-only-user is used, a NACM error is launched, which is correct:

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
    <rpc-error>
        <error-type>protocol</error-type>
        <error-tag>access-denied</error-tag>
        <error-severity>error</error-severity>
        <error-path>/ietf-netconf:copy-config</error-path>
        <error-message xml:lang="en">Executing the operation is denied because "netconf-ro" NACM authorization failed.</error-message>
    </rpc-error>
</rpc-reply>]]>]]>

• But if the operator-user sends the RPC, it is processed and everything is deleted in the running datastore. Which should not be as the operator-user only have read permissions for ietf-netconf-server, so the RPC should fail.

[michalvasko]

Try the latest sysrepo, there was a problem in how the NACM was checked.

[lucianocuchi]

OK thanks, we will check it