
NSO external authentication Python script example - for demo purposes

Dear All,
 
Referring to the "NSO Access Control - Role-based and Resource-based Access" session presented at the Cisco NSO Developer Days 2020 (Virtual) event, I am sharing the external authentication script that was used for the actual NSO demonstrations shown in the presentation and the follow-up discussions. It is a demo: the credentials are hard-coded in the script, so treat it as an illustration of the NSO external-authentication protocol, not as a production authenticator.
 
NSO Access Control – Role-based and Resource-based Access On-Demand Session

https://youtu.be/hnoueH0vI8k

Please let me know if you have any comments or questions about it.

Kind Regards
Fatih Ayvaz
Solutions Architect, Cisco CX
#!/usr/bin/env python

import sys, re

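# please modify below as per your NSO_LOG directory
LOG_PATH = "<some_dir>/external-authentication.log"

# Demo-only credential tables.  Hard-coded secrets are fine for a
# presentation but must be replaced by a real backend (RADIUS/TACACS+,
# LDAP, an IdP, ...) before this script guards anything real.
#
# Password users: user name -> (password, reply line for NSO)
PASSWORD_USERS = {
    'fatih': ('cisco', "accept group_ayvaz 1000 1000 /var/python/homes/"),
    'demouser1': ('cisco', "accept demogroup1 demogroupN 1000 1000 /var/python/homes/"),
    'demouser2': ('cisco', "accept demogroup2 demogroupN 1000 1000 /var/python/homes/"),
    'demouser3': ('cisco', "accept demogroup3 demogroupN 1000 1000 /var/python/homes/"),
    'demouser4': ('cisco', "accept demogroup4 1000 1000 /var/python/homes/"),
}
# Token users: token -> reply line for NSO (the user name is the last field)
TOKEN_USERS = {
    'tokenfatih': "accept group_ayvaz 1000 1000 /var/python/homes/ fatih",
    'tokendemouser1': "accept demogroup1 demogroupN 1000 1000 /var/python/homes/ demouser1",
}


def parse_credentials(line):
    """Split the request line NSO writes on stdin into its ';'-separated fields.

    The line has the form ``[field;field;...;]`` followed by a newline.  The
    line terminator, the surrounding brackets and a trailing ';' are removed
    before splitting.  (The original stripped exactly one leading and two
    trailing characters, which gives the same result for a well-formed line
    but picks the wrong characters when the newline is missing.)

    NOTE(review): a password that itself contains ';' cannot be recovered
    from this format; confirm how NSO escapes such passwords before relying
    on this parser outside the demo.
    """
    body = line.rstrip("\r\n")
    if body.startswith("["):
        body = body[1:]
    if body.endswith("]"):
        body = body[:-1]
    if body.endswith(";"):
        body = body[:-1]
    return body.split(";")


def decide(fields, log):
    """Map the parsed request fields to the reply line for NSO.

    fields -- list returned by parse_credentials()
    log    -- file-like object receiving the audit trail; secrets (passwords
              and tokens) are deliberately never written to it, unlike the
              original script which logged them in clear text.

    Returns the "accept ..." line for a known user/token, otherwise "reject".
    Every unrecognised input -- unknown token, bad password, unexpected
    field count -- is rejected explicitly (fail closed); the original left
    an unknown token without any reply at all.
    """
    count = len(fields)
    if count == 1:
        # Token-based authentication: [token;]
        log.write("Token based authentication\n")
        # The original compared the (unassigned) name `user` here, which
        # raised NameError; the token is the only field.
        reply = TOKEN_USERS.get(fields[0])
    elif count == 5:
        # External validation with extra fields: [token;ip;port;context;proto;]
        token, ip, port, context, proto = fields
        log.write("External-validation with extra fields(token;ip;port;context;proto)\n")
        log.write("IP: %s: PORT: %s: CONTEXT: %s: PROTO: %s\n" % (ip, port, context, proto))
        reply = TOKEN_USERS.get(token)
    elif count == 2:
        # Password-based authentication: [user;password;]
        user, password = fields
        log.write("user: %s\n" % user)
        entry = PASSWORD_USERS.get(user)
        # Plain '==' is not a constant-time comparison; acceptable for a
        # demo with hard-coded passwords, but a real backend (or
        # hmac.compare_digest) should be used in production.
        if entry is not None and password == entry[0]:
            reply = entry[1]
        else:
            reply = None
    else:
        # Log only the count, never the raw input (it may hold a password).
        log.write("Number of fields in stdin is not recognised: counted: %d\n" % count)
        reply = None
    if reply is None:
        reply = "reject"
    log.write("reply: %s\n" % reply)
    return reply


def main():
    """Read one request from stdin, log it and print the reply for NSO."""
    # NOTE(review): the log file should not be world-readable even though
    # it no longer contains secrets; run NSO with a restrictive umask or
    # pre-create the file with mode 0600.
    with open(LOG_PATH, "a") as log:
        log.write("\nCalled\n")
        fields = parse_credentials(sys.stdin.readline())
        reply = decide(fields, log)
    # The original printed each reply with its own trailing "\n", i.e. the
    # reply line followed by a blank line; that output is kept byte-for-byte.
    print(reply + "\n")


if __name__ == "__main__":
    main()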
#!/usr/bin/env python

import sys, re

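# please modify below as per your NSO_LOG directory
LOG_PATH = "<some_dir>/external-authentication.log"

# Demo-only credential tables.  Hard-coded secrets are fine for a
# presentation but must be replaced by a real backend (RADIUS/TACACS+,
# LDAP, an IdP, ...) before this script guards anything real.
#
# Password users: user name -> (password, reply line for NSO)
PASSWORD_USERS = {
    'fatih': ('cisco', "accept group_ayvaz 1000 1000 /var/python/homes/"),
    'demouser1': ('cisco', "accept demogroup1 demogroupN 1000 1000 /var/python/homes/"),
    'demouser2': ('cisco', "accept demogroup2 demogroupN 1000 1000 /var/python/homes/"),
    'demouser3': ('cisco', "accept demogroup3 demogroupN 1000 1000 /var/python/homes/"),
    'demouser4': ('cisco', "accept demogroup4 1000 1000 /var/python/homes/"),
}
# Token users: token -> reply line for NSO (the user name is the last field)
TOKEN_USERS = {
    'tokenfatih': "accept group_ayvaz 1000 1000 /var/python/homes/ fatih",
    'tokendemouser1': "accept demogroup1 demogroupN 1000 1000 /var/python/homes/ demouser1",
}


def parse_credentials(line):
    """Split the request line NSO writes on stdin into its ';'-separated fields.

    The line has the form ``[field;field;...;]`` followed by a newline.  The
    line terminator, the surrounding brackets and a trailing ';' are removed
    before splitting.  (The original stripped exactly one leading and two
    trailing characters, which gives the same result for a well-formed line
    but picks the wrong characters when the newline is missing.)

    NOTE(review): a password that itself contains ';' cannot be recovered
    from this format; confirm how NSO escapes such passwords before relying
    on this parser outside the demo.
    """
    body = line.rstrip("\r\n")
    if body.startswith("["):
        body = body[1:]
    if body.endswith("]"):
        body = body[:-1]
    if body.endswith(";"):
        body = body[:-1]
    return body.split(";")


def decide(fields, log):
    """Map the parsed request fields to the reply line for NSO.

    fields -- list returned by parse_credentials()
    log    -- file-like object receiving the audit trail; secrets (passwords
              and tokens) are deliberately never written to it, unlike the
              original script which logged them in clear text.

    Returns the "accept ..." line for a known user/token, otherwise "reject".
    Every unrecognised input -- unknown token, bad password, unexpected
    field count -- is rejected explicitly (fail closed); the original left
    an unknown token without any reply at all.
    """
    count = len(fields)
    if count == 1:
        # Token-based authentication: [token;]
        log.write("Token based authentication\n")
        # The original compared the (unassigned) name `user` here, which
        # raised NameError; the token is the only field.
        reply = TOKEN_USERS.get(fields[0])
    elif count == 5:
        # External validation with extra fields: [token;ip;port;context;proto;]
        token, ip, port, context, proto = fields
        log.write("External-validation with extra fields(token;ip;port;context;proto)\n")
        log.write("IP: %s: PORT: %s: CONTEXT: %s: PROTO: %s\n" % (ip, port, context, proto))
        reply = TOKEN_USERS.get(token)
    elif count == 2:
        # Password-based authentication: [user;password;]
        user, password = fields
        log.write("user: %s\n" % user)
        entry = PASSWORD_USERS.get(user)
        # Plain '==' is not a constant-time comparison; acceptable for a
        # demo with hard-coded passwords, but a real backend (or
        # hmac.compare_digest) should be used in production.
        if entry is not None and password == entry[0]:
            reply = entry[1]
        else:
            reply = None
    else:
        # Log only the count, never the raw input (it may hold a password).
        log.write("Number of fields in stdin is not recognised: counted: %d\n" % count)
        reply = None
    if reply is None:
        reply = "reject"
    log.write("reply: %s\n" % reply)
    return reply


def main():
    """Read one request from stdin, log it and print the reply for NSO."""
    # NOTE(review): the log file should not be world-readable even though
    # it no longer contains secrets; run NSO with a restrictive umask or
    # pre-create the file with mode 0600.
    with open(LOG_PATH, "a") as log:
        log.write("\nCalled\n")
        fields = parse_credentials(sys.stdin.readline())
        reply = decide(fields, log)
    # The original printed each reply with its own trailing "\n", i.e. the
    # reply line followed by a blank line; that output is kept byte-for-byte.
    print(reply + "\n")


if __name__ == "__main__":
    main()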