
Add a `get_certificate` filter for Cisco and other configurations that include special characters

Open mundruid opened this issue 3 years ago • 4 comments

Environment

  • netutils version:

A `get_certificates` filter needs to be added for configurations that add special characters in their certificates; for example, Cisco IOS has a hidden tab character: https://napalm.readthedocs.io/en/latest/support/ios.html

Proposed Functionality

A filter get_certificate that takes as input a running configuration and extracts its certificates, similar to the following:

```python
from typing import Optional

from ciscoconfparse import CiscoConfParse


def get_certificate(
    configuration: str,
    platform: str,
) -> Optional[str]:
    """Extracts certificate from downloaded configuration with all the included special characters and intricacies of a Cisco certificate.

    Args:
        configuration (str): Running configuration copied from device.
        platform (str): Device platform. Ex: ios, nxos etc.

        {{ config | get_certificate("ios")}}
        {{ "ios" | get_certificate }}

    Returns:
        str: Certificates.
    """
    # This function is Cisco specific. CiscoConfParse can take a list of config commands or the
    # name of a file with Cisco config, parse it and return a specific part based on a regex.
    # A plain str is treated as a file name, so the configuration is passed as a list of lines.
    parse = CiscoConfParse(config=configuration.splitlines(), syntax=platform)
    crypto_trustpoint = parse.find_all_children("^crypto pki trustpoint")
    crypto_cert_chain = parse.find_all_children("^crypto pki certificate chain")
    if crypto_trustpoint or crypto_cert_chain:
        return "\n".join(["!"] + crypto_trustpoint + ["!"] + crypto_cert_chain + ["!"])

    return None
```

Use Case

This feature will be useful for config replacement and a simple diff of running and candidate configs that does not include special chars.

mundruid, May 24 '22 06:05

We try to avoid dependencies, any chance we can do this without CiscoConfParse? Any dependency would be optional.

itdependsnetworks, May 24 '22 12:05

Docstring would also need an example section so the docs are auto generated properly.

jeffkala, May 24 '22 13:05

> We try to avoid dependencies, any chance we can do this without CiscoConfParse? Any dependency would be optional.

I can implement something similar to CiscoConfParse from scratch. It would be specific to certificates. Would that be acceptable?

mundruid, Jul 27 '22 19:07

That would be great, that was kinda the point of #124

itdependsnetworks, Jul 27 '22 21:07
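A dependency-free version of the extraction discussed in this thread, added here as an example; it is not netutils code and not from any participant. It assumes IOS-style indentation (children of a top-level line start with whitespace), drops the `platform` argument, and uses a constructed sample config; `_find_all_children` is a hypothetical helper name.

```python
import re
from typing import List, Optional

# Top-level section headers taken from the issue's proposed function.
SECTION_PATTERNS = (r"^crypto pki trustpoint", r"^crypto pki certificate chain")

# Constructed sample; the hex words are placeholders, not a real certificate.
SAMPLE_CONFIG = "\n".join([
    "hostname rtr1",
    "crypto pki trustpoint TP-self-signed-1",
    " enrollment selfsigned",
    "!",
    "crypto pki certificate chain TP-self-signed-1",
    " certificate self-signed 01",
    "  30820229 30820192 A0030201",
    "  \tquit",  # constructed: tab kept verbatim inside the block
    "!",
    "interface GigabitEthernet0/0",
    " description crypto pki trustpoint uplink",
    "!",
])


def _find_all_children(lines: List[str], pattern: str) -> List[str]:
    """Return every top-level line matching pattern, followed by its indented children."""
    found: List[str] = []
    in_section = False
    for line in lines:
        if not line.strip():
            continue
        if not line[0].isspace():
            # A non-indented line opens a new top-level block and closes the previous one.
            in_section = re.search(pattern, line) is not None
        if in_section:
            found.append(line)
    return found


def get_certificate(configuration: str) -> Optional[str]:
    """Return the PKI trustpoint and certificate chain blocks, or None if absent."""
    # split("\n") rather than splitlines(): control characters stay inside their line.
    lines = configuration.split("\n")
    sections = [_find_all_children(lines, pattern) for pattern in SECTION_PATTERNS]
    if not any(sections):
        return None
    out = ["!"]
    for section in sections:
        out.extend(section + ["!"])
    return "\n".join(out)
```

Lines are returned unmodified, so a diff between two extracted blocks compares the same bytes the device emitted.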