class PuppetX::Eos::Tacacs

Tacacs provides instance methods to retrieve and set tacacs configuration values.

Constants

DEFAULT_PORT

Default Tacacs TCP port

GROUP_MEMBER_REGEXP

FIXME Needs to be updated

SERVER_GROUP_REGEXP

Regular expression to extract a tacacs server’s attributes from the running-configuration text. The explicit [ ] spaces enable line wrappping and indentation with the /x flag.

SERVER_REGEXP

Regular expression to extract a tacacs server’s attributes from the running-configuration text. The explicit [ ] spaces enable line wrappping and indentation with the /x flag.

Public Instance Methods

getall() click to toggle source

getall Returns an Array with a single resource Hash describing the current state of the global tacacs configuration on the target device. This method is intended to be used by a provider’s instances class method.

The resource hash returned contains the following information:

* name: ('settings')
* enable: (true | false) if tacacs functionality is enabled.  This is
  always true for EOS.
* key: (String) the key either in plaintext or hashed format
* key_format: (Integer) e.g. 0 or 7
* timeout: (Integer) seconds before the timeout period ends

@api public

@return [Array<Hash>] Single element Array of resource hashes

# File lib/puppet_x/eos/modules/tacacs.rb, line 50
def getall
  config = running_configuration
  rsrc_hsh = tacacs_global_defaults
  rsrc_hsh.merge!(parse_global_key(config))
  rsrc_hsh.merge!(parse_global_timeout(config))
  [rsrc_hsh]
end
parse_group_servers(config, name) click to toggle source

parse_group_servers parses the list of servers associated with a tacacs server group given a group name and a running configuration text.

@param [String] config The running configuration text.

@param [String] name The name of the server group to parse.

@api private

@return [Array<Hash<Symbol,Object>] Array of server attributes

# File lib/puppet_x/eos/modules/tacacs.rb, line 217
def parse_group_servers(config, name)
  regexp = /aaa group server tacacs[+] #{name}(.*?)!/m
  mdata = regexp.match(config)
  tuples = mdata[1].scan(GROUP_MEMBER_REGEXP)
  tuples.collect do |(hostname, vrf, port)|
    { hostname: hostname, port: port ? port.to_i : DEFAULT_PORT }
  end
end
remove_server(opts = {}) click to toggle source

remove_server removes the tacacs server identified by the hostname, and port attributes.

@api public

@return [Boolean] true if no errors

# File lib/puppet_x/eos/modules/tacacs.rb, line 294
def remove_server(opts = {})
  cmd = "no tacacs-server host #{opts[:hostname]}"
  cmd << " port #{opts[:port]}" if opts[:port]
  result = api.config(cmd)
  result == [{}]
end
remove_server_group(opts = {}) click to toggle source

remove_server_group removes a tacacs server group by name. This API call maps to the ‘no aaa group server tacacs <name>` command.

@option opts [String] :name (‘TAC-GR’) The name of the tacacs server

group to remove.

@api public

@return [Boolean] true if no errors

# File lib/puppet_x/eos/modules/tacacs.rb, line 262
def remove_server_group(opts = {})
  result = api.config("no aaa group server tacacs+ #{opts[:name]}")
  result == [{}]
end
server_groups() click to toggle source

server_groups retrieves a list of tacacs server groups from the target device.

@api public

@return [Array<Hash<Symbol,Object>>] Array of resource hashes

# File lib/puppet_x/eos/modules/tacacs.rb, line 197
def server_groups
  config = running_configuration
  regexp = SERVER_GROUP_REGEXP
  tuples = config.scan(regexp)
  tuples.map do |(name)|
    { name: name, servers: parse_group_servers(config, name) }
  end
end
servers() click to toggle source

servers returns an Array of tacacs server resource hashes. Each hash describes the current state of the tacacs server and is suitable for use in initializing a tacacs_server provider.

The resource hash returned contains the following information:

* hostname: hostname or ip address, part of the identifier
* port: (Fixnum) TCP port of the server, part of the identifier
* key: (String) the key either in plaintext or hashed format
* key_format: (Fixnum) e.g. 0 or 7
* timeout: (Fixnum) seconds before the timeout period ends
* multiplex: (Boolean) true when configured to make requests through a
  single connection

@api public

@return [Array<Hash<Symbol,Object>>] Array of resource hashes

# File lib/puppet_x/eos/modules/tacacs.rb, line 175
def servers
  config = running_configuration
  tuples = config.scan(SERVER_REGEXP)
  tuples.map do |(host, mplex, port, tout, keyfm, key)|
    hsh = { port: DEFAULT_PORT }
    hsh[:hostname]         = host       if host
    hsh[:port]             = port.to_i  if port
    hsh[:timeout]          = tout.to_i  if tout
    hsh[:key_format]       = keyfm.to_i if keyfm
    hsh[:key]              = key        if key
    hsh[:multiplex]        = mplex ? true : false
    hsh
  end
end
set_global_key(opts = {}) click to toggle source

set_global_key configures the tacacs default key. This method maps to the ‘tacacs-server key` EOS configuration command, e.g. `tacacs-server key 7 070E234F1F5B4A`.

@option opts [String] :key (‘070E234F1F5B4A’) The key value

@option opts [Fixnum] :key_format (7) The key format, 0 for plaintext

and 7 for a hashed value.  7 will be assumed if this option is not
provided.

@api public

@return [Boolean] true if no errors

# File lib/puppet_x/eos/modules/tacacs.rb, line 132
def set_global_key(opts = {})
  format = opts[:key_format] || 7
  key = opts[:key]
  fail ArgumentError, 'key option is required' unless key
  result = api.config("tacacs-server key #{format} #{key}")
  result == [{}]
end
set_timeout(opts = {}) click to toggle source

set_timeout configures the tacacs default timeout. This method maps to the ‘tacacs-server timeout` setting.

@option opts [Fixnum] :timeout (50) The timeout in seconds to

configure.

@api public

@return [Boolean] true if no errors

# File lib/puppet_x/eos/modules/tacacs.rb, line 150
def set_timeout(opts = {})
  timeout = opts[:timeout]
  fail ArgumentError, 'timeout option is required' unless timeout
  result = api.config("tacacs-server timeout #{timeout}")
  result == [{}]
end
update_server(opts = {}) click to toggle source

update_server configures a tacacs server resource on the target device. This API method maps to the ‘tacacs server host` command, e.g. `tacacs-server host 1.2.3.4 single-connection port 4949 timeout 6 key 7 06070D221D1C5A`

@api public

@return [Boolean] true if there are no errors

# File lib/puppet_x/eos/modules/tacacs.rb, line 276
def update_server(opts = {})
  key_format = opts[:key_format] || 7
  cmd = "tacacs-server host #{opts[:hostname]}"
  cmd << ' single-connection'               if opts[:multiplex]
  cmd << " port #{opts[:port]}"             if opts[:port]
  cmd << " timeout #{opts[:timeout]}"       if opts[:timeout]
  cmd << " key #{key_format} #{opts[:key]}" if opts[:key]
  result = api.config(cmd)
  result == [{}]
end
update_server_group(opts = {}) click to toggle source

update_server_group updates a tacacs server group given an Array of server attributes and the name of the server group. The update happens by first deleting the existing group if it exists then creating it again with all of the specified servers.

@param [String] name The name of the server group to update

@param [Array<Hash<Symbol,Object>>] servers The array of servers to

associate with the server group.  This hash should have at least the
:hostname key.

@api public

@return [Boolean] true if no errors

# File lib/puppet_x/eos/modules/tacacs.rb, line 241
def update_server_group(opts = {})
  cmd = "aaa group server tacacs+ #{opts[:name]}"
  api.config("no #{cmd}")
  cmds = [cmd]
  opts[:servers].each do |hsh|
    cmds << "server #{hsh[:hostname]} port #{hsh[:port] || DEFAULT_PORT}"
  end
  result = api.config(cmds)
  !result.find { |r| r != {} }
end

Private Instance Methods

parse_global_key(config) click to toggle source

parse_global_key takes a running configuration as a string and parses out the radius global key and global key format if it exists in the configuration. An empty Hash is returned if there is no global key configured. The intent of the Hash is to be merged into a property hash.

@param [String] config The running configuration as a single string.

@api private

@return [Hash<Symbol,Object>] resource hash attributes

# File lib/puppet_x/eos/modules/tacacs.rb, line 88
def parse_global_key(config)
  rsrc_hsh = {}
  (key_format, key) = config.scan(/tacacs-server key (\d+) (\w+)/).first
  rsrc_hsh[:key_format] = key_format.to_i if key_format
  rsrc_hsh[:key] = key if key
  rsrc_hsh
end
parse_global_timeout(config) click to toggle source

parse_global_timeout takes a running configuration as a string and parses out the tacacs global timeout if it exists in the configuration. An empty Hash is returned if there is no global timeout value configured. The intent of the Hash is to be merged into a property hash.

@param [String] config The running configuration as a single string.

@api private

@return [Hash<Symbol,Object>] resource hash attributes

# File lib/puppet_x/eos/modules/tacacs.rb, line 109
def parse_global_timeout(config)
  rsrc_hsh = {}
  timeout = config.scan(/tacacs-server timeout (\d+)/).first
  # EOS default is 5 (does not show up in the running config)
  rsrc_hsh[:timeout] = timeout.first.to_i if timeout
  rsrc_hsh
end
tacacs_global_defaults() click to toggle source

tacacs_global_defaults returns the default values for the tacacs_global resource. This is in a single method to keep the information in one place. If a value is explicitly configured to be the same as a default value it will not show up in the running configuration and as a result will not be parsed out by the parse instance methods. This method exposes the default values.

@return [Array<Hash>] Single element Array of resource hashes

# File lib/puppet_x/eos/modules/tacacs.rb, line 67
def tacacs_global_defaults
  {
    name: 'settings',
    enable: true,
    timeout: 5,
  }
end