mirrors/thatmattlove-hyperglass
1
0
Fork 1
mirror of https://github.com/thatmattlove/hyperglass.git synced 2026-01-17 00:38:06 +00:00
Code Issues Activity

fixed issue with IPv6 BGP Route lookups

Browse source
This commit is contained in:
checktheroads 2019-05-10 14:10:32 -07:00
parent 04e94462fe
commit eb947a7c17
6 changed files with 107 additions and 39 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

58
docs/configuration/router-privileges.md Normal file
View file

@ -0,0 +1,58 @@
More than likely, you'll want to "lock down" what commands can be executed with the credentials you've provided in `hyperglass/hyperglass/config/devices.toml`. It is **strongly** recommended to use a low privilege read only account and not your full administrator account. Even though Hyperglass is coded to only run certain commands to begin with, you're more than likely still exposing the server Hyperglass runs on to the internet, and on that server is a plain text file with your router's credentials in it. Take precautions.
# Creating Restricted Accounts
## Cisco IOS
On Cisco IOS, **parser views** are the recommended tool to restrict access. Basic instructions for configuring Cisco IOS parser views for the default enabled query types are below:
```
parser view hyperglass
secret <secret>
commands exec include all terminal width
commands exec include all terminal length
commands exec include all traceroute
commands exec include all ping
commands exec include all show bgp
!
username hyperglass privilege 15 view hyperglass secret <secret>
```
!!! info "Terminal"
The `terminal length` and `terminal width` commands are required by Netmiko for session handling. If you remove these, Hyperglass will not work.
## Cisco IOS-XR
On Cisco IOS-XR, **taskgroups** are the recommended tool to restrict access. Basic instructoins for configuring Cisco IOS-XR taskgroups for the default enabled query types are below:
```
taskgroup hyperglass
task read bgp
!
usergroup hyperglass
taskgroup hyperglass
!
username hyperglass
group hyperglass
group operator
secret <secret>
```
!!! warning "IOS-XR"
I have not yet figured out a way to enable all the extended options for `ping` and `traceroute` (source IP, count, etc.) without adding the `group operator` statement to the taskgroup. If anyone knows of a way to do this, I welcome a docs PR.
## Juniper
On JunOS, **system login classes** are the recommended tool to restrict access. Basic instructoins for configuring Juniper JunOS login classes for the default enabled query types are below:
```
edit system login class hyperglass
set permissions floppy
set allow-commands-regexp [ "show route protocol bgp" ping traceroute "show route protocol bgp table inet.0" "show route protocol bgp table inet6.0" "ping inet" "ping inet6" "traceroute inet" "traceroute inet6" ]
top
set system login user hyperglass class hyperglass authentication plain-text-password
```

5
hyperglass/app.py
View file

@ -68,7 +68,10 @@ cache = Cache(
def clearCache():
"""Function to clear the Flask-Caching cache"""
with app.app_context():
cache.clear()
try:
cache.clear()
except:
raise
# Main / Flask route where html is rendered via Jinja2

67
hyperglass/cmd_construct.py
View file

@ -21,6 +21,7 @@ routers_list = devices["router"]
# Also handles input validation & error handling
def cmd_construct(router, cmd, ipprefix):
inputParams = router, cmd, ipprefix
log.warning(*inputParams)
try:
# Loop through routers config file, match input router with configured routers, set variables
for r in routers_list:
@ -56,7 +57,9 @@ def cmd_construct(router, cmd, ipprefix):
i=ipprefix
)
code = 200
log.info(msg, code, router, type, command)
log.warning(
msg, code, router, type, command
)
return (msg, code, router, type, command)
# Extended Communities, 32 bit format
elif re.match("^[0-9]{1,10}$", ipprefix):
@ -67,7 +70,9 @@ def cmd_construct(router, cmd, ipprefix):
i=ipprefix
)
code = 200
log.info(msg, code, router, type, command)
log.warning(
msg, code, router, type, command
)
return (msg, code, router, type, command)
# RFC 8092 Large Community Support
elif re.match(
@ -81,7 +86,9 @@ def cmd_construct(router, cmd, ipprefix):
i=ipprefix
)
code = 200
log.info(msg, code, router, type, command)
log.warning(
msg, code, router, type, command
)
return (msg, code, router, type, command)
else:
msg = "{i} is an invalid BGP Community Format.".format(
@ -100,7 +107,9 @@ def cmd_construct(router, cmd, ipprefix):
i=ipprefix
)
code = 200
log.info(msg, code, router, type, command)
log.warning(
msg, code, router, type, command
)
return (msg, code, router, type, command)
else:
msg = "{i} is an invalid AS_PATH regex.".format(
@ -121,7 +130,7 @@ def cmd_construct(router, cmd, ipprefix):
i=ipprefix
)
code = 200
log.info(
log.warning(
msg, code, router, type, command
)
return (
@ -132,31 +141,25 @@ def cmd_construct(router, cmd, ipprefix):
command,
)
# Use netaddr library to verify if input is a valid IPv6 address or prefix
elif IPNetwork(ipprefix).ip.version == 6:
for a, c in ipv6_commands.items():
if a == cmd:
command = c.format(
target=ipprefix
)
msg = "{i} is a valid IPv6 Adddress.".format(
i=ipprefix
)
code = 200
log.info(
msg,
code,
router,
type,
command,
)
return (
msg,
code,
router,
type,
command,
)
# Exception from netaddr library will return a user-facing error
elif IPNetwork(ipprefix).ip.version == 6:
for a, c in ipv6_commands.items():
if a == cmd:
command = c.format(target=ipprefix)
msg = "{i} is a valid IPv6 Adddress.".format(
i=ipprefix
)
code = 200
log.warning(
msg, code, router, type, command
)
return (
msg,
code,
router,
type,
command,
)
# Exception from netaddr library will return a user-facing error
except:
msg = "{i} is an invalid IP Address.".format(
i=ipprefix
@ -178,7 +181,7 @@ def cmd_construct(router, cmd, ipprefix):
i=ipprefix
)
code = 200
log.info(
log.warning(
msg, code, router, type, command
)
return (
@ -199,7 +202,7 @@ def cmd_construct(router, cmd, ipprefix):
i=ipprefix
)
code = 200
log.info(
log.warning(
msg, code, router, type, command
)
return (

2
hyperglass/cmd_execute.py
View file

@ -26,6 +26,7 @@ general_error = "Error connecting to device."
def cmd_execute(lg_data):
log.warning(lg_data)
# Check POST data from JS, if location matches a configured router's
# location, use the router's configured IP address to connect
for r in routers_list:
@ -47,6 +48,7 @@ def cmd_execute(lg_data):
log.error(msg, code, lg_data)
return (msg, code, lg_data)
# Send "clean" request to cmd_construct to build the command that will be sent to the router
print(lg_router_address)
msg, status, router, type, command = cmd_construct(
lg_router_address, lg_data["cmd"], lg_data["ipprefix"]
)

13
hyperglass/manage.py
View file

@ -1,6 +1,9 @@
import os
import sys
import app
import logging
log = logging.getLogger(__name__)
def clearcache():
@ -11,10 +14,8 @@ def clearcache():
for arg in sys.argv:
try:
if arg == "clearcache":
if arg == "clearcache":
try:
clearcache()
print("Successfully cleared cache.")
except:
print("Failed to clear cache.")
raise
except:
raise

1
hyperglass/templates/index.html
View file

@ -85,6 +85,7 @@
<div class="control has-icons-left">
<div class="select is-medium is-rounded">
<select id="network" name="network">
<!-- <option value="" disabled></option> -->
{% for net in device_networks %}
<option value="{{ net }}">AS{{ net }}</option>
{% endfor %}