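def DeployConfig_jcs(local_int, ckn, cak, conn_name=None):
    """Emit a MACsec static-CAK configuration change for one interface.

    Builds a <security><macsec> XML fragment that defines a connectivity
    association with the given pre-shared key and binds it to *local_int*,
    then hands it to jcs.emit_change().

    Args:
        local_int: Name of the interface to bind the association to.
        ckn: Connectivity association key name for the pre-shared key.
        cak: Connectivity association key (secret key material).
        conn_name: Connectivity association name; when None a name is
            obtained from id_generator().

    On any failure two warnings are emitted, the exception is logged and
    the script terminates through quit().
    """
    # Function-scope import so the block does not depend on a file-level one.
    from xml.sax.saxutils import escape

    logger.debug('====> In DeployConfig_jcs')

    try:
        if conn_name is None:
            conn_name = id_generator()

        # Callers may pass ckn/cak taken straight from a network reply.
        # XML-escape every interpolated value so a stray '<', '>' or '&'
        # cannot add or close elements in the configuration change.
        # "{0}".format(...) stringifies exactly as the template did before.
        fields = [
            escape("{0}".format(value))
            for value in (conn_name, ckn, cak, local_int)
        ]
        change_xml = """<security>
                            <macsec>
                                <connectivity-association>
                                    <name>{0}</name>
                                    <security-mode>static-cak</security-mode>
                                    <pre-shared-key>
                                        <ckn>{1}</ckn>
                                        <cak>{2}</cak>
                                    </pre-shared-key>
                                </connectivity-association>
                                <interfaces>
                                    <name>{3}</name>
                                    <connectivity-association>{0}</connectivity-association>
                                </interfaces>
                            </macsec>
                        </security>""".format(*fields)
        jcs.emit_change(change_xml, "change", "xml")
    except Exception as e:
        jcs.emit_warning(
            'Cannot deploy pre-shared key, skip automatically MACsec deployment'
        )
        jcs.emit_warning('Please see debug logs for detail.')
        # The warning above points the operator at the logs, so the cause
        # has to be recorded there. Only the exception text is logged; the
        # cak itself is never written out by this function.
        logger.error(str(e))
        quit()

    logger.debug('<==== Out DeployConfig_jcs')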
def main():
    """Warn about every login class that has the 'all' permission."""
    suffix = " - Permission all is assigned to invalid class"

    # Select only <class> nodes whose <permissions> child equals 'all'.
    flagged = Junos_Configuration.findall(
        "./system/login/class[permissions='all']")
    for login_class in flagged:
        class_name = login_class.find("name").text
        jcs.emit_warning("class: " + class_name + suffix)
def main():
    """Emit a commit warning for each login class granted 'all'."""
    config = Junos_Configuration
    note = "Permission all is assigned to invalid class."

    # The XPath predicate keeps only classes with <permissions>all</permissions>.
    for login_class in config.findall("./system/login/class[permissions='all']"):
        label = "class:" + login_class.find('name').text
        jcs.emit_warning(label + " " + note)
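def main():
    """Warn when lo0 exists but unit 0 has no inet input firewall filter.

    Nothing is emitted when the configuration has no lo0 interface.
    """
    # Get configuration root object
    root = Junos_Configuration

    lo0_interface = root.find("./interfaces/interface[name='lo0']")
    if lo0_interface is None:
        # Without this guard the lookup below would raise AttributeError
        # on None and abort the script.
        return

    lo0_interface_firewall = lo0_interface.find(
        "./unit[name='0']/family/inet/filter/input")

    # Compare against None explicitly: an element's truth value reflects
    # whether it has children, not whether find() located it, so a bare
    # truthiness test can misreport the filter as missing or present.
    if lo0_interface_firewall is None:
        jcs.emit_warning("no lo0.0 firewall filter is assigned")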
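def main():
    """Warn about every logical interface unit that has no description."""
    # Get configuration root object
    root = Junos_Configuration

    # Loop through all logical interfaces
    for element in root.findall("./interfaces/interface/unit"):
        # find() returns None when the child is absent; test identity
        # rather than equality so the check cannot depend on how the
        # element type implements ==.
        if element.find('description') is None:
            # '../name' is the parent interface name, 'name' the unit number.
            jcs.emit_warning("Interface description is missing: " +
                             element.find('../name').text + " Unit: " +
                             element.find('name').text)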
def main():
    """Call each jcs extension function once, in sequence, as a demonstration.

    The bare ``print`` statements below are Python 2 syntax.
    """
    # jcs.output => Output the message to CLI
    jcs.output('testing jcs output ')

    # jcs.get_input => Prompt user for input, echoed back to user
    user_input = jcs.get_input(' ')
    # Dump the user entered output
    jcs.output(user_input)

    # jcs.get_secret => Prompt user for input, not echoed back to user
    user_input = jcs.get_secret(' ')
    # Dump the user entered output
    # NOTE(review): this writes the value just read with get_secret back to
    # the CLI, which undoes the no-echo prompt. Acceptable only as a demo;
    # a script handling a real password or key should not output it.
    jcs.output(user_input)

    # Run the script with 'cli> op extensions.py detail ' to view progress message
    jcs.progress("Progress message from python op-script")

    # Syslog the message
    # First argument is the priority, given once by name and once as a
    # numeric string -- presumably both forms are accepted; confirm.
    jcs.syslog("pfe.alert", "Sample syslog message from python op-script")
    jcs.syslog("161", "Sample syslog message from python op-script")

    # Getting hostname of box (Please note DNS needs to be configured)
    hostname = jcs.hostname("bng-ui-vm-05")
    print hostname

    # SYSCTL information
    # Second argument looks like a type selector ("s" string, "i" integer)
    # -- TODO confirm against the jcs documentation.
    osrelease = jcs.sysctl("kern.osrelease", "s")
    slotid = jcs.sysctl("hw.re.slotid", "i")
    print osrelease
    print slotid

    # This is from jcs.printf(...)
    jcs.printf("%s", "JUNOS")

    # Send information to configured trace file using jcs.trace(...)
    jcs.trace("teting jcs trace")

    # Emit warning message to console
    jcs.emit_warning("Warning message from Python op script")

    # Dampening script execution based on return value
    dampen_value = jcs.dampen('TEST', 3, 10)
    print dampen_value

    # Emit error message to console
    jcs.emit_error("Error message from Python op script")
def main():
    """Warn when fxp0 is absent, or present but not inherited from re0/re1."""
    config = Junos_Configuration

    fxp0 = config.find("./interfaces/interface[name='fxp0']")
    if fxp0 is None:
        jcs.emit_warning("fxp0 configuration not present")
        return

    # One lookup per routing-engine group; each path tests the junos
    # 'group' attribute on the fxp0 element itself.
    group_paths = (
        "[@{http://xml.juniper.net/junos/*/junos}group='re0']",
        "[@{http://xml.juniper.net/junos/*/junos}group='re1']",
    )
    inherited = [fxp0.find(path) for path in group_paths]

    # Neither group matched: fxp0 is configured outside the re groups.
    if all(hit is None for hit in inherited):
        jcs.emit_warning("fxp0 configuration is present but not inherited from re group")
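def rest_request_post(query):
    """POST one CKN/CAK query to the key server and return the response.

    Args:
        query: Object exposing LocalChassisID, LocalInt, LocalHostname,
            RemoteChassisID, RemoteInt and RemoteHostname attributes.

    Returns:
        The response object from requests.post(). The HTTP status is not
        checked here; callers must handle error replies themselves.

    On any exception (including a timeout) warnings are emitted, the
    error is logged and the script terminates through quit().
    """
    logger.debug('====> In rest_request_post')

    response = None

    # Without a timeout requests waits indefinitely, so an unreachable or
    # stalled server would hang the script. The value is a constructed
    # default; tune it for the deployment.
    request_timeout = 10  # seconds

    # NOTE(security): the endpoint is plain http://. Judging by its name
    # (QueryCAKCKN) the reply carries MACsec pre-shared key material, which
    # would then cross the network unencrypted and unauthenticated. Moving
    # the server to HTTPS with certificate verification needs a server-side
    # change, so it is flagged here rather than switched silently.
    payload = {
        "LocalChassisID": query.LocalChassisID,
        "LocalInt": query.LocalInt,
        "LocalHostname": query.LocalHostname,
        "RemoteChassisID": query.RemoteChassisID,
        "RemoteInt": query.RemoteInt,
        "RemoteHostname": query.RemoteHostname,
    }

    try:
        headers = {"content-type": "application/json"}
        response = requests.post(
            url="http://{0}:{1}/QueryCAKCKN".format(SERVER_IP, SERVER_PORT),
            headers=headers,
            data=json.dumps(payload),
            timeout=request_timeout)
    except Exception as e:
        jcs.emit_warning(
            'Cannot request data from server, please check sever connectivity with URL: {0}:{1}'
            .format(SERVER_IP, SERVER_PORT))
        jcs.emit_warning('Following AutoMACsec configuration would SKIP!')
        logger.error(str(e))
        quit()

    logger.debug('<==== Out rest_request_post')

    return response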
def main():
    """Warn when the configuration has no chassis source-route node."""
    # xpath() returns a list; an empty list means the node is absent.
    matches = Junos_Configuration.xpath("./chassis/source-route")
    if matches:
        return
    jcs.emit_warning("IP source-route processing is not enabled.")
def main():
    """Emit one warning followed by one error from a commit script."""
    notices = (
        (jcs.emit_warning, "Warning message from Python commit script"),
        (jcs.emit_error, "Error message from Python commit script"),
    )
    # Same order as before: warning first, then the error.
    for emit, text in notices:
        emit(text)
def main():
    """Check MACsec support, then fetch and deploy pre-shared keys per interface.

    Steps, as visible in this function:
      1. Read the chassis inventory and stop unless the device name is in
         ``device_list``.
      2. For devices in ``device_list_license``, look for a 'macsec' entry
         in the license summary.
      3. Collect the local MACsec interface/key state and the local
         chassis ID and hostname through ``InfoCollector``.
      4. Build one query per interface from its LLDP neighbour data.
      5. Ask the server for CKN/CAK per query and deploy or update the
         key through ``DeployConfig_jcs``.

    ``sep``, ``device_list``, ``device_list_license`` and ``lstQueryCKNCAK``
    are names defined outside this function.
    """
    dev = Device()
    info = InfoCollector(dev)

    # check if device supports macsec function.
    chassis_hardware = dev.rpc.get_chassis_inventory()
    # First <description> in the inventory reply; [0] raises IndexError
    # if the reply has none.
    device_description = chassis_hardware.xpath(".//description")[0].text
    logger.info("device_description is: " + device_description)

    # Model name is the part of the description before the first `sep`.
    device_name = device_description.split(sep, 1)[0]
    logger.info("device_name is: " + device_name)

    if device_name in device_list:
        logger.info("This device supports macsec function!")
    else:
        logger.info(
            "This device is not supporting MACsec funtion for now. Process abort."
        )
        return

    if device_name in device_list_license:
        logger.info(
            "This device also requests a licnese to be installed for macsec function,start checking required license now..."
        )

        licenses = dev.rpc.get_license_summary_information()

        # NOTE(review): when no 'macsec' feature is found the loop simply
        # ends and execution continues below; nothing here aborts or warns
        # about a missing license -- confirm that is intended.
        for ifd in licenses.getiterator("feature-summary"):
            if (ifd.find("name").text.strip() == 'macsec'):
                logger.info("License name: " + ifd.find("name").text.strip())
                logger.info("MACsec license has installed.")
                break
            else:
                print("Searching for required macsec license...")
                logger.info("Searching for required macsec license...")

    #collecting MACsec info
    dictLocalIntConn = info.getMACsec_interface_conn()
    dictConnCKNCAK = info.getMACsec_conn_key()

    #collecting local info
    Local_ChassisID, Local_Hostname = info.get_local_id_hostname()

    #compose query for interface which is half configured.
    # NOTE(review): iterates info.dictLocalIntConn, not the local
    # dictLocalIntConn returned above -- presumably the same mapping; verify.
    for local_int in info.dictLocalIntConn:
        remote_chassisID, remote_int, remote_hostname = info.get_remote_ID_port_by_LLDP(
            local_int)

        query = tuple_Query_CKNCAK(Local_ChassisID, local_int, Local_Hostname,
                                   remote_chassisID, remote_int,
                                   remote_hostname)

        lstQueryCKNCAK.append(query)

    logger.info('Information ready, prepared to query from remote master')

    #Query preshared key from server.
    for query in lstQueryCKNCAK:
        #Get responding ckn & cak
        # NOTE(security): the reply body is parsed without checking the HTTP
        # status or the reply's shape. A non-JSON body raises in json.loads
        # and a reply lacking 'ckn'/'cak' raises KeyError below. Its values
        # are passed to DeployConfig_jcs as configuration input, so the
        # server and the transport to it are trusted with key material.
        dict_ServerResponse = json.loads(rest_request_post(query).text)

        logger.info('Got response from remote master')

        #Check existing ckn & cak match or not, if there's any.
        if dictLocalIntConn[query.LocalInt] in dictConnCKNCAK:
            logger.info('pre-shared key comparison')

            #Get current configured preshared key
            cur_CKNCAK = dictConnCKNCAK[dictLocalIntConn[query.LocalInt]]

            # Update only when the server returned both values and at least
            # one differs from what is configured. The stored cak is passed
            # through Decryptor().juniper_decrypt() before the comparison.
            # None of the log calls in this branch include key values; keep
            # it that way.
            if ((dict_ServerResponse['ckn'] != cur_CKNCAK.ckn
                 or dict_ServerResponse['cak'] != Decryptor().juniper_decrypt(
                     cur_CKNCAK.cak)) and dict_ServerResponse['ckn'] != None
                    and dict_ServerResponse['cak'] != None):
                #ckn cak needs to be updated.
                logger.info('pre-shared key needs update')

                jcs.emit_warning(
                    "Get latest pre-shared key from server, update it to interface {0}"
                    .format(query.LocalInt))
                DeployConfig_jcs(query.LocalInt, dict_ServerResponse['ckn'],
                                 dict_ServerResponse['cak'],
                                 dictLocalIntConn[query.LocalInt])

                logger.info('finish pre-shared key update')
            else:
                logger.info('pre-shared key match, skip update.')
                #ckn & cak matched, do not reconfigure.
                pass

        else:
            #There is no existing pre-shared key, deploy it.
            logger.info(
                'pre-shared key not existed, need to deploy a new one.')

            if dict_ServerResponse['ckn'] != None and dict_ServerResponse[
                    'cak'] != None:
                jcs.emit_warning(
                    "Automatically generate pre-shared key and deploy it on interface {0}"
                    .format(query.LocalInt))
                DeployConfig_jcs(query.LocalInt, dict_ServerResponse['ckn'],
                                 dict_ServerResponse['cak'],
                                 dictLocalIntConn[query.LocalInt])
                logger.info('pre-shared key deployed.')
            else:
                #display error msg since there's no existing record in Database.
                #Possible scenario:
                #1. User delete the record and macsec configuration accidentally
                #   -> LLDP is not working. -> Cannot recover from error state.
                #   -> Inform user to delete both side's macsec configuration, and make sure LLDP is up&running, then try again.
                logger.error(
                    'No match record in remote_master\'s database, please delete related records \
                        and make sure LLDP is up and running between devices')
                logger.error(
                    'e.g. junos@MX480> op delete_MACsec_interface.py <Device ChassisID> <Device interface name>'
                )
                jcs.emit_error(
                    "There's not matched pre-shared key in database, please delete both side's macsec configuration and try again."
                )

        # Check if MKA works
        '''
import jcs

# Minimal script: send a single warning through the jcs extension module.
greeting = "Hello World"
jcs.emit_warning(greeting)
from junos import Junos_Configuration as root
import jcs

if __name__ == "__main__":
    # Flag every login class whose <permissions> child is 'all'.
    message = "Permission all is assigned to invalid class."
    flagged_classes = root.findall("system/login/class[permissions='all']")
    for login_class in flagged_classes:
        class_name = login_class.findtext('name')
        jcs.emit_warning("class:" + class_name + " " + message)