NSO external authentication python script example - for demo purpose

faayvaz · ‎09-03-2020

Dear All,

Referring to "NSO Access Control - Role-based and Resource-based Access" session, which was presented in Cisco NSO Developer Days 2020 (Virtual) event, I share the external authentication script that was used for the actual NSO demonstrations shared within the presentation and follow-up discussions.

NSO Access Control – Role-based and Resource-based Access On-Demand Session

https://youtu.be/hnoueH0vI8k

Please let me know if you will have any comments/questions on it.

Kind Regards

Fatih Ayvaz

Solutions Architect, Cisco CX

faayvaz · ‎09-03-2020

#!/usr/bin/env python

import sys, re

# please modify below as per your NSO_LOG directory

f=open("<some_dir>/external-authentication.log", "a+")

f.write("\nCalled\n")

credentialstring = sys.stdin.readline()[:-2][1:]

if credentialstring.endswith(';'):

newcreds = credentialstring[:-1]

else:

newcreds = credentialstring

credentials = newcreds.split(';')

stringcount = len(credentials)

if stringcount == 1:

token = credentials[0]

elif stringcount == 2:

user = credentials[0]

password = credentials[1]

elif stringcount == 5:

token = credentials[0]

extraip = credentials[1]

extraport = credentials[2]

extracontext = credentials[3]

extraproto = credentials[4]

else:

f.write("Number of fields in stdin is not recognised:\n" + "counted: " + str(stringcount) + ": in: " + newcreds + "\n")

exit()

if stringcount == 1:

f.write("Token based authentication\n" + "TOKEN: " + token + "\n")

if user == 'tokenfatih':

print "accept group_ayvaz 1000 1000 /var/python/homes/ fatih\n"

elif user == 'tokendemouser1':

print "accept demogroup1 demogroupN 1000 1000 /var/python/homes/ demouser1\n"

f.close()

exit()

elif stringcount == 5:

f.write("External-validation with extra fields(token;ip;port;context;proto)\n")

f.write("TOKEN: " + token + ": IP: " + extraip + ": PORT: " + extraport + ": CONTEXT: " + extracontext + ": PROTO: " + extraproto + "\n")

if token == 'tokenfatih':

print "accept group_ayvaz 1000 1000 /var/python/homes/ fatih\n"

elif token == 'tokendemouser1':

print "accept demogroup1 demogroupN 1000 1000 /var/python/homes/ demouser1\n"

f.close()

exit()

else:

f.write("\n" + "user: " + user + ": password: " + password + "\n")

#f.write("\n" + "user0: " + user0 + ": password0: " + password0 + "\n")

if user == 'fatih' and password == 'cisco':

print "accept group_ayvaz 1000 1000 /var/python/homes/\n"

elif user == 'demouser1' and password == 'cisco':

print "accept demogroup1 demogroupN 1000 1000 /var/python/homes/\n"

elif user == 'demouser2' and password == 'cisco':

print "accept demogroup2 demogroupN 1000 1000 /var/python/homes/\n"

elif user == 'demouser3' and password == 'cisco':

print "accept demogroup3 demogroupN 1000 1000 /var/python/homes/\n"

elif user == 'demouser4' and password == 'cisco':

print "accept demogroup4 1000 1000 /var/python/homes/\n"

else:

print "reject\n"

f.close()

exit()

faayvaz · ‎09-03-2020

#!/usr/bin/env python

import sys, re

# please modify below as per your NSO_LOG directory
f=open("<some_dir>/external-authentication.log", "a+")
f.write("\nCalled\n")

credentialstring = sys.stdin.readline()[:-2][1:]

if credentialstring.endswith(';'):
   newcreds = credentialstring[:-1]
else:
   newcreds = credentialstring

credentials = newcreds.split(';')
stringcount = len(credentials)
if stringcount == 1:
    token = credentials[0]
elif stringcount == 2:
    user = credentials[0]
    password = credentials[1]
elif stringcount == 5:
    token = credentials[0]
    extraip = credentials[1]
    extraport = credentials[2]
    extracontext = credentials[3]
    extraproto = credentials[4]
else:
    f.write("Number of fields in stdin is not recognised:\n" + "counted: " + str(stringcount) + ": in: " + newcreds + "\n")
    exit()

if stringcount == 1:
    f.write("Token based authentication\n" + "TOKEN: " + token + "\n")
    if user == 'tokenfatih':
       print "accept group_ayvaz 1000 1000 /var/python/homes/ fatih\n"
    elif user == 'tokendemouser1':
       print "accept demogroup1 demogroupN 1000 1000 /var/python/homes/ demouser1\n"
    f.close()
    exit()
elif stringcount == 5:
    f.write("External-validation with extra fields(token;ip;port;context;proto)\n")
    f.write("TOKEN: " + token + ": IP: " + extraip + ": PORT: " + extraport + ": CONTEXT: " + extracontext + ": PROTO: " + extraproto + "\n")
    if token == 'tokenfatih':
        print "accept group_ayvaz 1000 1000 /var/python/homes/ fatih\n"
    elif token == 'tokendemouser1':
        print "accept demogroup1 demogroupN 1000 1000 /var/python/homes/ demouser1\n"
    f.close()
    exit()
else:
    f.write("\n" + "user: " + user + ": password: " + password + "\n")
    #f.write("\n" + "user0: " + user0 + ": password0: " + password0 + "\n")
    if user == 'fatih' and password == 'cisco':
        print "accept group_ayvaz 1000 1000 /var/python/homes/\n"
    elif user == 'demouser1' and password == 'cisco':
        print "accept demogroup1 demogroupN 1000 1000 /var/python/homes/\n"
    elif user == 'demouser2' and password == 'cisco':
        print "accept demogroup2 demogroupN 1000 1000 /var/python/homes/\n"
    elif user == 'demouser3' and password == 'cisco':
        print "accept demogroup3 demogroupN 1000 1000 /var/python/homes/\n"
    elif user == 'demouser4' and password == 'cisco':
        print "accept demogroup4 1000 1000 /var/python/homes/\n"
    else:
        print "reject\n"
    f.close()
    exit()

NSO external authentication python script example - for demo purpose

Get NSO for Free!

Collective Intelligence resolved my SSH problems with NSO on the latest macOS Mojave!

Secrets of the NSO Transaction Phases