
this is my first post here!!
I'm trying to verify if an IOS config has all its VTYs with SSH only.
I'm using Python with ciscoconfparse2 library, and I created this function (at this stage I'm not using all the parameters):

Just for context, the parameters have the following info:

in_test = a list with several lines: line vty 0 4, line vty 5 15 and line vty 16 31
in_rexp = line vty 0 4 or line vty 5 15 or line vty 16 31
in_defa = transport input ssh

from colorama import Fore  # assumed: Fore is colorama's colour prefix, not shown in the original post


def func_parent(in_parse, in_test, in_rexp, in_defa, in_neg) -> bool:
    '''
    Checks if the VTYs have SSH only.
    '''

    # Parents matching in_rexp that have at least one child matching in_defa
    object_name = [
        obj for obj in in_parse.find_parent_objects(in_rexp, in_defa)]
    print(object_name)
    if not object_name:
        # No parent/child match -> treat the VTY as not SSH only
        print(
            Fore.RED + f'{in_test} has not SSH only ----------> 9')
        return False
    else:
        print(
            Fore.GREEN + f'{in_test} has SSH only ----------> 10')
        return True

So, if the list is empty, it means no ssh...
Now, for the following config...

line vty 0 4
 exec-timeout 0 0
 logging synchronous
 length 0
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 logging synchronous
 length 0
transport input ssh
 line vty 16 31
 length 0
 transport input ssh
!

I'm receiving this...

[<IOSCfgLine # 1972 'line vty 0 4'>]
line vty 0 4 has SSH only ----------> 10      >>> OK

[<IOSCfgLine # 1977 'line vty 5 15'>]
line vty 5 15 has SSH only ----------> 10     >>> OK

[]
line vty 16 31 has not SSH only ----------> 9  >>> WRONG

which is wrong for the VTY 16 31.....

And for this config..

line vty 0 4
 exec-timeout 0 0
 logging synchronous
 transport input ssh telnet
 length 0
line vty 5 15
 exec-timeout 0 0
 transport input telnet
 length 0
line vty 16 31
 exec-timeout 10 0
 transport input ssh telnet
 length 0
!

... this results...

[<IOSCfgLine # 14395 'line vty 0 4'>]
line vty 0 4 has SSH only ----------> 10         >>> WRONG

[]
line vty 5 15 has not SSH only ----------> 9     >>> OK

[]
line vty 16 31 has not SSH only ----------> 9     >>> OK

I'm guessing that the match condition is not working with the combo ssh and telnet.

I tried with find_parent_objects and also with find_child_objects with the same result.
Maybe this is not the best way to check the SSH only in the config, I appreciate your help!

TIA

  • I think I found the issue. Commented Mar 25 at 15:42

2 Answers


I think I found the issue. The running config has a space at the beginning of the child lines, so the regexp I have to use should take this into account. Since I was following the examples in the ciscoconfparse2 documentation, they do not include the spaces at the beginning in the queries for the functions find_parent_objects and find_child_objects. As soon as I reformulated the regexp like this ^\s+transport\s+input\s+ssh$, it started to return what I was expecting.


in_test, in_rexp and in_defa seem more complicated than necessary. Complication is the enemy of any task we attempt; complication spawns bugs and makes code maintenance harder (like when you look at this code 2 years from now).

find_object_branches() was made for this kind of problem (full disclosure: I am the author of ciscoconfparse2).

I think a cleaner approach solves the problem like this:

from ciscoconfparse2 import CiscoConfParse

config = """!
line vty 0 4
 exec-timeout 0 0
 transport input ssh telnet
line vty 5 15
 exec-timeout 0 0
 transport input telnet
line vty 16 31
 exec-timeout 10 0
 transport input ssh
!"""

parse = CiscoConfParse(config.splitlines())
# Each branch pairs a 'line vty' parent with its 'transport input' child
branches = parse.find_object_branches(['line vty', 'transport input'])

for branch in branches:
    target_vty = branch[0].text
    target_transport = branch[1].text
    # SSH only: 'ssh' present and 'telnet' absent on the transport line
    if 'ssh' in target_transport and 'telnet' not in target_transport:
        print("OK SSH", target_vty)
    else:
        print("FAIL SSH", target_vty)

As you can see above, the logic is quite simple and expressed as finding substrings with a single if statement. And, this follows the CiscoConfParse2 documentation examples, which do not require a leading space in your regex to match the transport input line.
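Combining the two answers' points (the leading-space issue and the `ssh telnet` combination) into one library-free check, as an added example that is not code from the question, the answers or ciscoconfparse2. It assumes a `show running-config` style dump where every `line ...` header starts a new section and ignores indentation on purpose, so an oddly indented paste like the first config in the question is still attributed to the right VTY; it also reports a VTY with no `transport input` line as not verified, since the platform default then applies. The sample config is constructed.

```python
import re
from collections import namedtuple

# Constructed sample: the second config from the question plus two extra vty
# ranges, one set to "all" and one with no transport input line at all.
SAMPLE_CONFIG = """\
line vty 0 4
 transport input ssh telnet
line vty 5 15
 transport input telnet
 transport input ssh
line vty 16 31
 transport input all
line vty 32 47
 length 0
!"""

# Leading whitespace is optional in both patterns (the first answer's point).
VTY_HEADER = re.compile(r"^\s*line vty\s+(\d+)(?:\s+(\d+))?\s*$")
TRANSPORT_INPUT = re.compile(r"^\s*transport\s+input\s+(.+?)\s*$")

# protocols: keywords from the last "transport input" line of the section
VtyTransport = namedtuple("VtyTransport", "vty protocols ssh_only reason")

def _judge(vty, protocols):
    if protocols is None:
        return VtyTransport(vty, frozenset(), False, "no transport input line; platform default applies")
    if protocols == {"ssh"}:
        return VtyTransport(vty, protocols, True, "ssh only")
    return VtyTransport(vty, protocols, False, "transport input " + " ".join(sorted(protocols)))

def check_vty_transport(config_text):
    # Returns one VtyTransport per 'line vty' section, in config order.
    results, vty, protocols = [], None, None
    for raw in config_text.splitlines():
        stripped = raw.strip()
        header = VTY_HEADER.match(raw)
        # A vty header, any other "line ..." header or a bare "!" closes the open section.
        if header or stripped.startswith("line ") or stripped == "!":
            if vty is not None:
                results.append(_judge(vty, protocols))
            vty = " ".join(g for g in header.groups() if g) if header else None
            protocols = None
            continue
        t = TRANSPORT_INPUT.match(raw)
        if t and vty is not None:
            protocols = frozenset(t.group(1).lower().split())  # last line wins, as on IOS
    if vty is not None:
        results.append(_judge(vty, protocols))
    return results
```

Run `check_vty_transport(open("running-config.txt").read())` and fail the audit on any result whose `ssh_only` is False; the `reason` field tells you whether it was telnet, `all`, or a missing transport line.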
