trigger.tacacsrc — Network credentials library

Abstract interface to .tacacsrc credentials file.

Designed to interoperate with the legacy DeviceV2 implementation, but provide a reasonable API on top of that. The name and format of the .tacacsrc file are not ideal, but compatibility matters.

class trigger.tacacsrc.Credentials(username, password, realm)
password

Alias for field number 1

realm

Alias for field number 2

username

Alias for field number 0

class trigger.tacacsrc.Tacacsrc(tacacsrc_file=None, use_gpg=False, generate_new=False)

Encrypts, decrypts and returns credentials for use by network devices and other tools.

Pass use_gpg=True to force GPG, otherwise it relies on settings.USE_GPG_AUTH

*_old functions should be removed after everyone is moved to the new system.

update_creds(creds, realm, user=None)

Update username/password for a realm/device and set self.creds_updated bit to trigger .write().

Parameters:

  • creds – Dictionary of credentials keyed by realm

  • realm – The realm to update within the creds dict

  • user – (Optional) Username passed to prompt_credentials()

user_has_gpg()

Checks if user has .gnupg directory and .tacacsrc.gpg file.

write()

Writes .tacacsrc(.gpg) using the accurate method (old vs. new).

trigger.tacacsrc.convert_tacacsrc()

Converts old .tacacsrc to new .tacacsrc.gpg.

trigger.tacacsrc.get_device_password(device=None, tcrc=None)

Fetch the password for a device/realm or create a new entry for it. If device is not passed, settings.DEFAULT_REALM is used, which is default realm for most devices.

Parameters:

  • device – Realm or device name to updated

  • device – Optional Tacacsrc instance

trigger.tacacsrc.prompt_credentials(device, user=None)

Prompt for username, password and return them as Credentials namedtuple.

Parameters:

  • device – Device or realm name to store

  • user – (Optional) If set, use as default username

trigger.tacacsrc.update_credentials(device, username=None)

Update the credentials for a given device/realm. Assumes the same username that is already cached unless it is passed.

This may seem redundant at first compared to Tacacsrc.update_creds() but we need this factored out so that we don’t end up with a race condition when credentials are messed up.

Returns True if it actually updated something or None if it didn’t.

Parameters:

  • device – Device or realm name to update

  • username – Username for credentials

trigger.tacacsrc.validate_credentials(creds=None)

Given a set of credentials, try to return a Credentials object.

If creds is unset it will fetch from .tacacsrc.

Expects either a 2-tuple of (username, password) or a 3-tuple of (username, password, realm). If only (username, password) are provided, realm will be populated from DEFAULT_REALM.

Parameters:

creds – A tuple of credentials.