ln2 yang module UPDATE create groupings

CESNET · Oct 26, 2023 · 038bb96 · 038bb96
1 parent 252ea54
commit 038bb96
Showing 1 changed file with 99 additions and 142 deletions.
diff --git a/modules/[email protected] b/modules/[email protected]
@@ -240,25 +240,10 @@ module libnetconf2-netconf-server {
         https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
   }
 
-  augment "/ncs:netconf-server" {
-    leaf hello-timeout {
-      type uint16;
-      default 60;
-      description
-        "Represents the maximum number of seconds the server will wait for receiving a hello message.";
-    }
-  }
-
-  augment "/ncs:netconf-server" {
-    leaf idle-timeout {
-      type uint16;
-      default 0;
-      description
-        "Represents the maximum number of seconds a NETCONF session may remain idle. The value of 0 represents indefinitely.";
-    }
-  }
+  grouping ssh-authentication-params-grouping {
+    description
+      "Grouping for SSH authentication parameters.";
 
-  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
     leaf auth-attempts {
       type uint16;
       default 3;
@@ -268,124 +253,58 @@ module libnetconf2-netconf-server {
 
     leaf auth-timeout {
       type uint16;
-      default 10;
+      default 30;
       units "seconds";
       description
         "Represents the maximum amount of seconds an authentication can go on for.";
     }
   }
 
-  // CH auth-attempts and auth-timeout
-  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/
-          ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
-    leaf auth-attempts {
-      type uint16;
-      default 3;
-      description
-        "Represents the number of failed attempts before an authentication is deemed unsuccessful.";
-    }
-
-    leaf auth-timeout {
-      type uint16;
-      default 10;
-      units "seconds";
-      description
-        "Represents the maximum amount of seconds an authentication can go on for.";
-    }
-  }
+  grouping keyboard-interactive-grouping {
+    description
+      "Grouping for the SSH Keyboard interactive authentication method.";
 
-  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/
-          ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user" {
     container keyboard-interactive {
-      presence "";
-      leaf pam-config-file-name {
-        type string;
-        mandatory true;
-      }
-      leaf pam-config-file-dir {
-        type string;
-      }
+      presence "Indicates that PAM configuration file name has been configured.
+               This statement is present so the mandatory descendant
+               nodes do not imply that this node must be
+               configured.";
       description
         "Keyboard interactive SSH authentication method.";
-    }
-  }
-
-  // CH KB int
-  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/
-          ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user" {
-    container keyboard-interactive {
-      presence "";
       leaf pam-config-file-name {
         type string;
         mandatory true;
       }
       leaf pam-config-file-dir {
         type string;
       }
-      description
-        "Keyboard interactive SSH authentication method.";
     }
   }
 
-  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport" {
+  grouping endpoint-auth-reference-grouping {
     description
-      "Defines a new transport called UNIX socket.";
-    case unix-socket {
-      container unix-socket {
-        leaf path {
-          type string;
-          mandatory true;
-        }
-        leaf mode {
-          type string {
-            pattern '[0124567]{3}';
-          }
-        }
-        leaf uid {
-          type uint16;
-        }
-        leaf gid {
-          type uint16;
-        }
-      }
-    }
-  }
-
-  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
-    description
-      "Reference to another SSH endpoint's client-authentication container.
-       All the users set in the referencing endpoint will be tried first and if and only if
-       there is no match, the referenced endpoint's users will be tried. The references can be
+      "Reference to another endpoint. The purpose is to use the referenced endpoint's authentication mechanisms.
+       If a connection occurs on an endpoint, the connecting user will be tried to be authenticated
+       using the given endpoint's defined methods. If the user wasn't authenticated and the endpoint
+       references another endpoint, the authentication will be tried again. However, this time
+       using the referenced endpoint's mechanisms. The references can be
        multiple, however there must not be a cycle.";
 
     leaf endpoint-client-auth {
-      type leafref {
-        path "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:name";
-      }
-
-      must "deref(.)/../*[local-name() = 'ssh']";
-    }
-  }
-
-  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
-    description
-      "Reference to another TLS endpoint's client-authentication container.
-       All the users set in the referencing endpoint will be tried first and if and only if
-       there is no match, the referenced endpoint's users will be tried. The references can be
-       multiple, however there must not be a cycle.";
-
-    leaf endpoint-client-auth {
-      type leafref {
-        path "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:name";
+      type union {
+        type leafref {
+          path "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:name";
+        }
+        type leafref {
+          path "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:name";
+        }
       }
-
-      must "deref(.)/../*[local-name() = 'tls']";
     }
   }
 
-  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
+  grouping certificate-revocation-list-grouping {
     description
-      "Indicates that the TLS server is using a Certificate Revocation List
+      "A grouping for the Certificate Revocation List, which is used
        to authenticate clients or to deny access for certain certificates.
        The given Certificate Revocation List must be PEM or DER encoded.";
 
@@ -425,47 +344,85 @@ module libnetconf2-netconf-server {
     }
   }
 
-  // CH CRL
-  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/
-          ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
-    description
-      "Indicates that the Call Home TLS server is using a Certificate Revocation List
-       to authenticate clients or to deny access for certain certificates.
-       The given Certificate Revocation List must be PEM or DER encoded.";
+  augment "/ncs:netconf-server" {
+    leaf hello-timeout {
+      type uint16;
+      default 60;
+      description
+        "Represents the maximum number of seconds the server will wait for receiving a hello message.";
+    }
+  }
 
-    reference
-      "RFC 5280:
-         Internet X.509 Public Key Infrastructure Certificate
-         and Certificate Revocation List (CRL) Profile";
+  augment "/ncs:netconf-server" {
+    leaf idle-timeout {
+      type uint16;
+      default 0;
+      description
+        "Represents the maximum number of seconds a NETCONF session may remain idle. The value of 0 represents indefinitely.";
+    }
+  }
 
-    choice certificate-revocation-list {
-      leaf crl-url {
-        type string;
-        description
-          "An URL from which the Certificate Revocation List will be
-           downloaded and used. The HTTP protocol works, but other
-           protocols, such as FTP, may work as well.";
-      }
+  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
+    uses ssh-authentication-params-grouping;
+  }
 
-      leaf crl-path {
-        type string;
-        description
-          "A path to a Certificate Revocation List file.";
-      }
+  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
+    uses ssh-authentication-params-grouping;
+  }
 
-      leaf crl-cert-ext {
-        type empty;
-        description
-          "Indicates that the Certificate Revocation List
-           Distribution Points extension will be used to fetch
-           Certificate Revocation Lists from. This will be done
-           for all the configured Certificate Authority certificates.";
+  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user" {
+    uses keyboard-interactive-grouping;
+  }
 
-        reference
-          "RFC 5280:
-             Internet X.509 Public Key Infrastructure Certificate
-             and Certificate Revocation List (CRL) Profile, Section 4.2.1.13";
+  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user" {
+    uses keyboard-interactive-grouping;
+  }
+
+  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport" {
+    case unix-socket {
+      container unix-socket {
+        description
+          "Defines a new transport called UNIX socket.";
+        leaf path {
+          type string;
+          mandatory true;
+        }
+        leaf mode {
+          type string {
+            pattern '[0124567]{3}';
+          }
+        }
+        leaf uid {
+          type uint16;
+        }
+        leaf gid {
+          type uint16;
+        }
       }
     }
   }
+
+  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
+    uses endpoint-auth-reference-grouping;
+  }
+
+  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
+    uses endpoint-auth-reference-grouping;
+  }
+
+  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
+    uses endpoint-auth-reference-grouping;
+  }
+
+  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
+    uses endpoint-auth-reference-grouping;
+  }
+
+  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
+    uses certificate-revocation-list-grouping;
+  }
+
+  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
+    uses certificate-revocation-list-grouping;
+  }
 }