#
# Copyright (c) 2014, Arista Networks, Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
# Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
# Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# Neither the name of Arista Networks nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ARISTA NETWORKS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
"""API Module for working with EOS local user resources
The Users resource provides configuration of local user resources for
an EOS node.
Parameters:
username (string): The username parameter maps to the local username
defined in the running-config.
nopassword (boolean): Configures the username to use no password at login.
This parameter is mutually exclusive with secret
privilege (integer): Configures the user privilege level in EOS
role (string): Configures the users role in EOS
secret (string): Configures the users secret (password) to use at login.
This parameter is mutually exclusive with nopassword and is used in
conjunction with format.
format (string): Configures the format of the secret value. Accepted
values for format are "cleartext", "md5" and "sha512"
"""
import re
from pyeapi.api import EntityCollection
# Secret format that create_with_secret falls back to when the caller
# passes no encryption value.  With this default the password is placed
# in the EOS command string as plain text, so callers that already hold a
# hashed secret should pass the matching format explicitly.
DEFAULT_ENCRYPTION = 'cleartext'

# Maps each accepted format name to the token written after the ``secret``
# keyword in the ``username`` command built by create_with_secret.
ENCRYPTION_MAP = dict(cleartext=0, md5=5, sha512='sha512')
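def isprivilege(value):
    """Checks value for a valid privilege level

    Args:
        value (str, int): The candidate privilege level to check

    Returns:
        True if value converts to an integer in the range 0 to 15
        inclusive, otherwise False
    """
    try:
        level = int(value)
    except (TypeError, ValueError):
        # int() raises ValueError for non-numeric strings and TypeError for
        # None and other non-numeric objects; both mean "not a privilege
        # level", so the validator answers False instead of propagating.
        return False
    return 0 <= level < 16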
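class Users(EntityCollection):
    """The Users class provides a configuration resource for local users.

    Usernames are found by running a regular expression over the
    running-config.  The expression stores the username in the named group
    ``user`` and uses a backreference to it to pick up an immediately
    following configuration line that may hold that user's SSH key.

    Note:
        Every method that changes configuration interpolates its ``name``,
        ``secret`` or ``value`` argument verbatim into an EOS CLI command
        string.  Nothing in this class validates or escapes those
        arguments (only the privilege level is checked), so callers should
        validate them -- for example reject whitespace and newlines in
        usernames -- before passing in data that originates outside the
        program.
    """

    def get(self, name):
        """Returns the local user configuration as a resource dict

        Args:
            name (str): The username to return from the nodes global
                running-config.

        Returns:
            dict: A resource dict object

            If the `name` does not exist, then None is returned
        """
        return self.getall().get(name)

    def getall(self):
        """Returns all local users configuration as a resource dict

        The compiled expression is also stored on ``self.users_re``.

        Returns:
            dict: A dict of usernames with a nested resource dict object.
                Each nested dict carries the ``secret`` value exactly as
                it appears in the running-config, so the result should be
                handled as sensitive data (kept out of logs and error
                messages).
        """
        # NOTE(review): version_number is compared with a string literal,
        # so the ordering is lexical ('4.3' >= '4.23' is true) -- confirm
        # the format of version_number against the Node implementation.
        if self.version_number >= '4.23':
            sshkey_keyword = r'ssh.key'
        else:
            sshkey_keyword = r'sshkey'

        # The two version-specific expressions differ only in the keyword
        # that introduces the SSH key line, so the pattern is built once.
        pattern = (r'username (?P<user>[^\s]+) '
                   r'privilege (\d+)'
                   r'(?: role ([^\s]+))?'
                   r'(?: (nopassword))?'
                   r'(?: secret (0|5|7|sha512) (.+))?'
                   r'.*$\n(?:username (?P=user) '
                   r'%s (.+)$)?' % sshkey_keyword)
        self.users_re = re.compile(pattern, re.M)

        # The second positional argument of a compiled pattern's findall()
        # is the start position, not a flags value.  Passing re.M there made
        # the search begin at offset 8 and skip the start of the config; the
        # flag is already applied by re.compile above.
        users = self.users_re.findall(self.config)

        resources = dict()
        for user in users:
            resources.update(self._parse_username(user))
        return resources

    def _parse_username(self, config):
        """Converts one regular expression match into a resource dict

        Args:
            config (tuple): The seven groups captured by ``users_re`` for
                one user: username, privilege, role, nopassword keyword,
                secret format, secret and SSH key.  Groups that did not
                take part in the match are empty strings.

        Returns:
            dict: A resource dict keyed by username that is intended to be
                merged into the user resource
        """
        (username, priv, role, nopass, fmt, secret, sshkey) = config

        # The SSH key is reported under the same spelling that set_sshkey
        # uses for the configuration keyword on this EOS version.
        if self.version_number >= '4.23':
            sshkey_field = 'ssh-key'
        else:
            sshkey_field = 'sshkey'

        resource = {
            'privilege': priv,
            'role': role,
            'nopassword': nopass == 'nopassword',
            'format': fmt,
            'secret': secret,
            sshkey_field: sshkey,
        }
        return {username: resource}

    def create(self, name, nopassword=None, secret=None, encryption=None):
        """Creates a new user on the local system.

        Creating users requires either a secret (password) or the
        nopassword keyword to be specified.  When both are given, the
        secret takes precedence and nopassword is ignored.

        Args:
            name (str): The name of the user to create
            nopassword (bool): Configures the user to be able to
                authenticate without a password challenge.  Only the
                value True selects this mode.
            secret (str): The secret (password) to assign to this user
            encryption (str): Specifies how the secret is encoded.  Valid
                values are "cleartext", "md5", "sha512".  The default is
                "cleartext"

        Returns:
            True if the operation was successful otherwise False

        Raises:
            TypeError: if the required arguments are not satisfied
        """
        if secret is not None:
            return self.create_with_secret(name, secret, encryption)
        if nopassword is True:
            return self.create_with_nopassword(name)
        raise TypeError('either "nopassword" or "secret" must be '
                        'specified to create a user')

    def create_with_secret(self, name, secret, encryption):
        """Creates a new user with a secret on the local node

        Args:
            name (str): The name of the user to create
            secret (str): The secret (password) to assign to this user
            encryption (str): Specifies how the secret is encoded.  Valid
                values are "cleartext", "md5", "sha512".  A false value
                (None, empty string) selects the default, "cleartext"

        Returns:
            True if the operation was successful otherwise False

        Raises:
            TypeError: if encryption is not one of the accepted values
        """
        encryption = encryption or DEFAULT_ENCRYPTION
        try:
            enc = ENCRYPTION_MAP[encryption]
        except KeyError:
            raise TypeError('encryption must be one of "cleartext", "md5"'
                            ' or "sha512"')

        # The secret is part of the command text.  With the cleartext
        # default that is the password itself, so anything that records
        # the commands sent to the node will record it too.
        cmd = 'username %s secret %s %s' % (name, enc, secret)
        return self.configure(cmd)

    def create_with_nopassword(self, name):
        """Creates a new user on the local node with the nopassword keyword

        The resulting account is configured to log in without a password.

        Args:
            name (str): The name of the user to create

        Returns:
            True if the operation was successful otherwise False
        """
        return self.configure('username %s nopassword' % name)

    def delete(self, name):
        """Deletes the local username from the config

        Args:
            name (str): The name of the user to delete

        Returns:
            True if the operation was successful otherwise False

        Raises:
            TypeError: if name is exactly 'admin'
        """
        if name == 'admin':
            raise TypeError('the admin user cannot be deleted.')
        return self.configure('no username %s' % name)

    def default(self, name):
        """Configures the local username using the default keyword

        Args:
            name (str): The name of the user to configure

        Returns:
            True if the operation was successful otherwise False
        """
        return self.configure('default username %s' % name)

    def set_privilege(self, name, value=None):
        """Configures the user privilege value in EOS

        Args:
            name (str): The name of the user to configure
            value (int): The privilege value to assign to the user.  Valid
                values are in the range of 0 to 15.  When omitted,
                privilege 1 is configured.

        Returns:
            True if the operation was successful otherwise False

        Raises:
            TypeError: if the value is not in the valid range
        """
        if value is None:
            level = 1
        else:
            if not isprivilege(value):
                raise TypeError('priviledge value must be between 0 and 15')
            # Send the integer that was validated rather than the caller's
            # original object: int() also accepts padded or otherwise
            # decorated strings, and those should not reach the command.
            level = int(value)
        return self.configure('username %s privilege %s' % (name, level))

    def set_role(self, name, value=None, default=False, disable=False):
        """Configures the user role value in EOS

        Args:
            name (str): The name of the user to configure
            value (str): The value to configure for the user role
            default (bool): Configure the user role using the EOS CLI
                default command
            disable (bool): Negate the user role using the EOS CLI no
                command

        Returns:
            True if the operation was successful otherwise False
        """
        cmd = self.command_builder('username %s role' % name, value=value,
                                   default=default, disable=disable)
        return self.configure(cmd)

    def set_sshkey(self, name, value=None, default=False, disable=False):
        """Configures the user sshkey

        The configuration keyword is ``ssh-key`` when version_number is
        '4.23' or later and ``sshkey`` otherwise.

        Args:
            name (str): The name of the user to add the sshkey to
            value (str): The value to configure for the sshkey.
            default (bool): Configure the sshkey using the EOS CLI
                default command
            disable (bool): Negate the sshkey using the EOS CLI no command

        Returns:
            True if the operation was successful otherwise False
        """
        if self.version_number >= '4.23':
            keyword = 'ssh-key'
        else:
            keyword = 'sshkey'
        cmd = self.command_builder('username %s %s' % (name, keyword),
                                   value=value,
                                   default=default, disable=disable)
        return self.configure(cmd)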
def instance(node):
    """Builds the Users resource for a node

    The Node object relies on this module-level function to autoload the
    resource; it simply hands the node to the Users constructor.

    Args:
        node (Node): The Node instance the resource is bound to

    Returns:
        Users: A Users object created from node
    """
    users_api = Users(node)
    return users_api