... | ... | @@ -69,7 +69,8 @@ of [Python 3 standard library](https://docs.python.org/3/library) |
should be kept to a reasonable minimum. The initial version depends on
two such packages:
* [Hyper-h2](http://python-hyper.org/h2/en/stable/) – HTTP/2 library,
* [Hyper-h2](http://python-hyper.org/h2/en/stable/) – Python 3 library
implementing HTTP/2,
* [Yangson](https://gitlab.labs.nic.cz/llhotka/yangson) – YANG 1.1
library (see below).
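Review bot: the dependency list gives no version bounds for either package; since the surrounding text says third-party dependencies should be kept to a reasonable minimum, stating the minimum supported version of Hyper-h2 and Yangson here would make that requirement checkable. Also, the 'Python 3' qualifier added to the Hyper-h2 bullet repeats the scope already set by the sentence's reference to the Python 3 standard library, so '– HTTP/2 library,' reads the same and matches the form of the Yangson bullet.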
... | ... | @@ -139,22 +140,56 @@ a minumum set of server configuration parameters: |
## Server Loop
JetConf currently uses HYPER, which is a HTTP/2 protocol implementation
for Python 3. The communication is done exclusively over secure TLS
connection.
1. The client opens a secure TLS connection.
For user authentication, JetConf uses client certificates issued by custom
certification authority. The certificate of this CA needs to be specified
in the 'server' section of config file.
1. The client is authenticated via a client certificate. The
certificate of the CA that issued the client certificate needs to
be specified in the configuration file. The *e-mail* field obtained
from the client certificate is henceforth used as the user name,
in particular for access control. If the client cannot be
authenicated, `401 Unauthorized` is sent, and the connection
terminated.
The 'e-mail' field of client certificate serves as the username.
1. The NACM data is queried to determine which groups the user is a
member of.
1. The server waits for an incoming client request.
1. A received request is parsed and handed over to the appropriate
component. If the media type specified is not supported (in
particular, is not `+json`), `415 Unsupported Media Type` is sent,
If the message is otherwise invalid, `400 Bad Request` is sent.
1. Depending on the type of the request (read, write or RPC operation
invocation) and the Request-URI, the required permissions are
determined, and the NACM database is checked to verify that the
user posseses all of them. If not, `403 Forbidden` is sent.
1. If the request is an RPC operation, it is invoked and an
appropriate reply or error message generated.
1. If the request is a read operation, the corresponding data are retrieved
from the datastore and formatted into a reply, or an error status
code is returned.
1. If the request is a write operation, the changes are applied using
a persistent structure API (so that the original unmodified
configuration remains available). The new configration is passed to
the Yangson library for validation. If the validation succeeds, the
new configuration is written to non-volatile memory, and passed to
server instrumentation that applies the necessary changes. An
appropriate response or error code is generated and sent.
1. After finishing one of the steps 7, 8 or 9, the server returns to
step 4.
## Python Modules
* rest_server - A module providing the HTTP/2 and user authentication
functionality for REST operations.
* http_handlers - Handlers connecting HTTP requests to datastore operations
* data - Datastore implementation
* nacm - Basic NACM implementation
* config - Module for reading and parsing the config file
* helpers - A few static helper classes shared across modules |
* *rest_server*: a module providing the HTTP/2 and user authentication
functionality for REST operations,
* *http_handlers*: handlers connecting HTTP requests to datastore
operations,
* *data*: datastore implementation,
* *nacm*: basic NACM implementation,
* *config*: a module for reading and parsing the config file,
* *helpers*: static helper classes shared across modules. |
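Review bot: step 2 says a client that cannot be authenticated receives `401 Unauthorized` before the connection is terminated, but a client certificate that is verified during the TLS handshake fails with a handshake alert before any HTTP response can be sent; the text should state whether the certificate is checked by the TLS layer (no 401 is possible) or accepted at the handshake and verified afterwards by rest_server, because that decides whether an unauthenticated peer ever reaches the HTTP/2 request parser of step 5. In the same hunk, 'the e-mail field obtained from the client certificate' should name the exact field used (subject emailAddress or a subjectAltName rfc822Name) so the user name derived in step 2 is unambiguous; step 3 looks up the user's NACM groups once per connection, so a sentence on whether later NACM changes apply to an already open connection would help; and step 10 refers to 'steps 7, 8 or 9' and 'step 4' while every item is written as `1.`, which renders correctly today but silently goes wrong if an item is inserted. Typos to fix: 'minumum' (context line), 'authenicated', 'posseses', 'configration'; also 'HYPER' here versus 'Hyper-h2' in the dependency list should settle on one name.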