yumaworks-cert-usermap

Run-Time access to cert-to-user mappings. This module is only loaded if the with-yumaworks-cert-usermap parameter is set to 'true'.

  • Version: 2022-02-06

    yumaworks-cert-usermap@2022-02-06


    
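      module yumaworks-cert-usermap {

        yang-version 1.1;

        // NOTE(review): the namespace reads "ymaworks" rather than
        // "yumaworks".  If this is a typo it is still the published
        // identity of this module; changing it breaks every client and
        // stored datastore that already uses it, so confirm upstream
        // before touching it.
        namespace
          "urn:ymaworks:params:xml:ns:yumaworks-cert-usermap";

        prefix ywcu;

        import ietf-netconf-acm {
          prefix nacm;
        }
        import ietf-x509-cert-to-name {
          prefix x509c2n;
        }

        organization "YumaWorks, Inc.";

        contact
          "Support <support at yumaworks.com>";

        description
          "Run-Time access to cert-to-user mappings.
            This module is only loaded if the with-yumaworks-cert-usermap
            parameter is set to 'true'.

            Copyright (c) 2022 YumaWorks, Inc. All rights reserved.

            Redistribution and use in source and binary forms, with or
            without modification, is permitted pursuant to, and subject
            to the license terms contained in, the BSD 3-Clause License
            http://opensource.org/licenses/BSD-3-Clause.

           ";

        // TODO(review): add a new 'revision' statement when the map-type
        // base fix below is released.
        revision "2022-02-06" {
          description
            "Initial version for 21.10-6.";
        }


        // Authentication-relevant configuration: whoever can write this
        // container can decide which client certificate maps to which
        // NETCONF username, so access defaults to deny-all under NACM and
        // should only be granted to administrators.
        container cert-usermap {
          nacm:default-deny-all;
          description
            "Contains all configured cert-to-name entries.
             All entries from the --cert-usermap CLI parameter
             are independent of this configuration data.

             The server will check the --cert-usermap parameters
             first. If no match then the cert-to-name list will
             be checked.

             Note that the 'fingerprint' leaf is a formatted
             hex-string. The first byte in the hex-string is
             the hashing algorithm identifier.
             The server does not use this value for any purpose.
             The following values defined in 'TLS HashAlgorithm
             Registry' (RFC 5246) are accepted:

               Registry value       First Octet
               --------------       -----------
               - md5(1)              01
               - sha1(2)             02
               - sha224(3)           03
               - sha256(4)           04
               - sha384(5)           05
               - sha512(6)           06
            ";
          // Entries are evaluated in ascending 'id' order; the first
          // entry whose fingerprint matches and whose map-type yields a
          // name wins (see the list description).
          list cert-to-name {
            key "id";
            description
              "This list defines how certificates are mapped to names.
    The name is derived by considering each cert-to-name
    list entry in order.  The cert-to-name entry's fingerprint
    determines whether the list entry is a match:

    1) If the cert-to-name list entry's fingerprint value
       matches that of the presented certificate, then consider
       the list entry a successful match.

    2) If the cert-to-name list entry's fingerprint value
       matches that of a locally held copy of a trusted CA
       certificate, and that CA certificate was part of the CA
       certificate chain to the presented certificate, then
       consider the list entry a successful match.

    Once a matching cert-to-name list entry has been found, the
    map-type is used to determine how the name associated with
    the certificate should be determined.  See the map-type
    leaf's description for details on determining the name value.
    If it is impossible to determine a name from the cert-to-name
    list entry's data combined with the data presented in the
    certificate, then additional cert-to-name list entries MUST
    be searched to look for another potential match.

    Security administrators are encouraged to make use of
    certificates with subjectAltName fields that can be mapped to
    names so that a single root CA certificate can allow all
    child certificates' subjectAltName fields to map directly to
    a name via a 1:1 transformation.";
            reference
              "RFC 6353: Transport Layer Security (TLS) Transport Model
                for the Simple Network Management Protocol (SNMP).
                SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry";

            // Search order key: lower ids are consulted first.
            leaf id {
              type uint32;
              description
                "The id specifies the order in which the entries in the
    cert-to-name list are searched.  Entries with lower
    numbers are searched first.";
              reference
                "RFC 6353: Transport Layer Security (TLS) Transport Model
                  for the Simple Network Management Protocol
                  (SNMP).
                  SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID";

            }

            // NOTE(review): the container description says the leading
            // algorithm octet is accepted but not used by the server, and
            // that md5(1) and sha1(2) are accepted.  Because the match is
            // purely on the fingerprint bytes, a fingerprint computed with
            // a collision-prone digest weakens the cert-to-user binding;
            // operators should configure sha256(4) or stronger.
            leaf fingerprint {
              type x509c2n:tls-fingerprint;
              mandatory true;
              description
                "Specifies a value with which the fingerprint of the
    full certificate presented by the peer is compared.  If
    the fingerprint of the full certificate presented by the
    peer does not match the fingerprint configured, then the
    entry is skipped, and the search for a match continues.";
              reference
                "RFC 6353: Transport Layer Security (TLS) Transport Model
                  for the Simple Network Management Protocol
                  (SNMP).
                  SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint";

            }

            leaf map-type {
              type identityref {
                // The base identity lives in ietf-x509-cert-to-name, not
                // in this module.  RFC 7950 section 7.18.2 resolves an
                // unprefixed 'base' name against the current module, and
                // this module defines no 'cert-to-name' identity, so the
                // reference must carry the x509c2n prefix (consistent
                // with the 'when' on leaf name below).
                base x509c2n:cert-to-name;
              }
              mandatory true;
              description
                "Specifies the algorithm used to map the certificate
    presented by the peer to a name.

    Mappings that need additional configuration objects should
    use the 'when' statement to make them conditional based on
    the map-type.";
              reference
                "RFC 6353: Transport Layer Security (TLS) Transport Model
                  for the Simple Network Management Protocol
                  (SNMP).
                  SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType";

            }

            // Only present (and then required) for the 'specified'
            // map-type, where the username is taken verbatim from
            // configuration rather than derived from the certificate.
            leaf name {
              when
                "../map-type = 'x509c2n:specified'";
              type string;
              mandatory true;
              description
                "Directly specifies the NETCONF username when the
    map-type is 'specified'.";
              reference
                "RFC 6353: Transport Layer Security (TLS) Transport Model
                  for the Simple Network Management Protocol
                  (SNMP).
                  SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData";

            }
          }  // list cert-to-name
        }  // container cert-usermap
      }  // module yumaworks-cert-usermap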
    
