from nornir import InitNornir
import os
import yaml
from ansible.parsing.vault import VaultLib, VaultSecret
from ansible.cli import CLI
from ansible.parsing.dataloader import DataLoader
def decrypt_vault(
    filename, vault_password=None, vault_password_file=None, vault_prompt=False
):
    """Decrypt an ansible-vault encrypted YAML file and return the parsed document.

    The secret used for decryption comes from exactly one source, tried in
    this order: an explicit ``vault_password`` string, then a
    ``vault_password_file`` handed to ``CLI.setup_vault_secrets`` as a vault
    id, and finally Ansible's own secret resolution, which prompts
    interactively only when ``vault_prompt`` is true.

    filename: path of the encrypted file to read.
    vault_password: literal vault password (kept in memory as a Python str).
    vault_password_file: path of a file containing the vault password.
    vault_prompt: prompt for a password when no other source is given.

    Returns whatever ``yaml.safe_load`` produces for the decrypted text; for
    credentials.yaml that is a mapping holding plaintext usernames and
    passwords.
    """
    loader = DataLoader()
    if vault_password:
        # NOTE(review): the vault id is passed as an empty list, as in the
        # original; presumably VaultLib treats it as a catch-all id — verify.
        secrets = [([], VaultSecret(vault_password.encode()))]
    elif vault_password_file:
        secrets = CLI.setup_vault_secrets(
            loader=loader, vault_ids=[vault_password_file]
        )
    else:
        secrets = CLI.setup_vault_secrets(
            loader=loader, vault_ids=[], auto_prompt=vault_prompt
        )
    vault = VaultLib(secrets)
    with open(filename) as fh:
        ciphertext = fh.read()
    plaintext = vault.decrypt(ciphertext)
    return yaml.safe_load(plaintext)
# TODO: keep this list in a standalone YAML file (or defaults.yaml)?
# TODO: give the set/group names a prefix, e.g. creds_ios?
# A device is expected to belong to at most one credential set/group.
# Inventory group names that carry a credential set; they must match the
# top-level keys of credentials.yaml.
credential_sets = 'ios nxos eos junos'.split()
# credentials.yaml is encrypted with ansible-vault and decrypts to a mapping
# of group name -> {username, password}, for example (sample values):
#
# ---
# ios:
#   username: fred
#   password: flintstone
# nxos:
#   username: barney
#   password: rubble
# eos:
#   username: bambam
#   password: rubble
# junos:
#   username: neo
#   password: spoonboy
# username and password were removed from defaults.yaml.
# TODO: move credentialStore into its own module so other scripts can import it?
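class credentialStore:
    """Decrypted view of the vault-encrypted credentials.yaml.

    The vault is decrypted once at construction time and the resulting
    mapping (group name -> {'username': ..., 'password': ...}) is kept on
    ``self.creds``; ``get`` reads only from that cached copy.

    Both file locations default to the paths the original script hard-coded,
    so existing ``credentialStore()`` callers are unaffected.
    """

    DEFAULT_CREDENTIALS_FILE = '~/nocreds_inventory/credentials.yaml'
    DEFAULT_PASSWORD_FILE = '~/nocreds_inventory/shallnotpass.txt'

    def __init__(self, credentials_file=None, password_file=None):
        """Decrypt the credential sets and cache them.

        credentials_file: vault-encrypted YAML file; defaults to
            DEFAULT_CREDENTIALS_FILE.
        password_file: file holding the vault password; defaults to
            DEFAULT_PASSWORD_FILE.
        Raises whatever decrypt_vault raises when the vault cannot be read or
        decrypted.
        """
        self._credentials_file = os.path.expanduser(
            credentials_file or self.DEFAULT_CREDENTIALS_FILE
        )
        # NOTE(review): the password file is handed to Ansible as-is; nothing
        # here verifies that it is readable only by the owner.
        self._password_file = os.path.expanduser(
            password_file or self.DEFAULT_PASSWORD_FILE
        )
        self.creds = self._get_creds()

    def _get_creds(self):
        """Return the decrypted credential sets as a plain dict."""
        result = decrypt_vault(
            filename=self._credentials_file, vault_password_file=self._password_file
        )
        # An empty document loads as None; treat it as "no credential sets"
        # instead of failing in dict().
        return dict(result or {})

    def get(self, group):
        """Return ``(username, password)`` for *group*, ``(None, None)`` if unknown.

        Either element is None when the group exists but lacks that key.
        TODO: enable secret and other connection parameters are not handled.
        """
        # A group mapped to an empty/None value is treated like a missing group.
        entry = self.creds.get(group) or {}
        return entry.get('username'), entry.get('password')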
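def _print_credentials(nr, title):
    """Print one block per host with its username and whether a password is set."""
    print(f'\n\n{title}')
    print('=' * 30)
    for host, host_obj in nr.inventory.hosts.items():
        print(f'{host}')
        print(f'Username: {host_obj.username}')
        # Do not echo the secret itself; showing presence is enough for the demo
        # and keeps passwords out of terminal scrollback and captured logs.
        print(f'Password: {"<set>" if host_obj.password else None}')
        print('-' * 30)


def _lookup_group_credentials(host_obj, creds):
    """Return (username, password) from the first group of *host_obj* that is a credential set, else (None, None)."""
    for group in host_obj.groups:
        if group in credential_sets:
            # Only one credential set per device: stop at the first match.
            return creds.get(group)
    return None, None


def main():
    """Fill missing host credentials from the vault-backed credential sets.

    Prints the per-host credentials before and after the lookup. Hosts that
    already have both a username and a password are left untouched; for the
    others, only the missing field(s) are filled from the first matching
    group. Hosts with no groups at all get nothing assigned (the original
    code raised UnboundLocalError for them).
    """
    nr = InitNornir(config_file=os.path.expanduser('~/nocreds_inventory/config.yaml'),
                    logging={'enabled': False})
    _print_credentials(nr, 'Initial credentials')
    print('\n\nGetting credentials')
    print('=' * 30)
    creds = credentialStore()
    for host_obj in nr.inventory.hosts.values():
        # Only consult the credential sets when something is still missing.
        if host_obj.username and host_obj.password:
            continue
        username, password = _lookup_group_credentials(host_obj, creds)
        if not host_obj.username:
            host_obj.username = username
        if not host_obj.password:
            host_obj.password = password
    _print_credentials(nr, 'Final credentials')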
# Run the demo only when executed directly, not when this module is imported.
if __name__ == '__main__':
    main()