nac-test-pyats-common 0.2.0__py3-none-any.whl → 0.2.1__py3-none-any.whl

nac_test_pyats_common/sdwan/auth.py

@@ -14,14 +14,21 @@ The module implements a two-tier API design:
 
 This design ensures efficient session management by reusing valid sessions and only
 re-authenticating when necessary, reducing unnecessary API calls to the SDWAN Manager.
+
+Note on Fork Safety:
+    This module uses urllib instead of httpx for synchronous authentication requests.
+    httpx is NOT fork-safe on macOS - creating httpx.Client after fork() causes
+    silent crashes due to OpenSSL threading issues. urllib uses simpler primitives
+    that work correctly after fork().
 """
 
 import os
 from typing import Any
 
-import httpx
-from nac_test.pyats_core.common.auth_cache import (
-    AuthCache,  # type: ignore[import-untyped]
+from nac_test.pyats_core.common.auth_cache import AuthCache
+from nac_test.pyats_core.common.subprocess_auth import (
+    SubprocessAuthError,  # noqa: F401 - re-exported for callers to catch
+    execute_auth_subprocess,
 )
 
 # Default session lifetime for SDWAN Manager authentication in seconds
@@ -63,7 +70,7 @@ class SDWANManagerAuth:
 
     @staticmethod
     def _authenticate(
-        url: str, username: str, password: str
+        url: str, username: str, password: str, verify_ssl: bool = False
     ) -> tuple[dict[str, Any], int]:
         """Perform direct SDWAN Manager authentication and obtain session data.
 
@@ -77,12 +84,19 @@ class SDWANManagerAuth:
         3. Attempt to fetch XSRF token (for 19.2+ only)
         4. Return session data with TTL
 
+        Note: On macOS, SSL operations in forked processes crash due to OpenSSL
+        threading issues. This method uses subprocess with spawn context to perform
+        authentication in a fresh process, avoiding the fork+SSL crash.
+
         Args:
             url: Base URL of the SDWAN Manager (e.g., "https://sdwan-manager.example.com").
                 Should not include trailing slashes or API paths.
             username: SDWAN Manager username for authentication. This should be a valid
                 user configured with appropriate permissions.
             password: Password for the specified user account.
+            verify_ssl: Whether to verify SSL certificates. Defaults to False to
+                handle self-signed certificates commonly used in lab and development
+                deployments.
 
         Returns:
             A tuple containing:
@@ -91,61 +105,99 @@ class SDWANManagerAuth:
                 - expires_in (int): Session lifetime in seconds (typically 1800).
 
         Raises:
-            httpx.HTTPStatusError: If SDWAN Manager returns a non-2xx status code,
-                typically indicating authentication failure (401) or server error.
-            httpx.RequestError: If the request fails due to network issues,
-                connection timeouts, or other transport-level problems.
-            ValueError: If the JSESSIONID cookie is not received in the response,
-                indicating a malformed or unexpected response.
-
-        Note:
-            SSL verification is disabled (verify=False) to handle self-signed
-            certificates commonly used in lab and development deployments.
-            In production environments, proper certificate validation should be enabled
-            by either installing the certificate in the trust store or providing
-            a custom CA bundle via the verify parameter.
+            SubprocessAuthError: If authentication subprocess fails.
+            ValueError: If the authentication response is malformed.
         """
-        # NOTE: SSL verification is disabled (verify=False) to handle self-signed
-        # certificates commonly used in lab and development deployments.
-        with httpx.Client(verify=False, timeout=AUTH_REQUEST_TIMEOUT_SECONDS) as client:
-            # Step 1: Form-based login to SDWAN Manager
-            auth_response = client.post(
-                f"{url}/j_security_check",
-                data={"j_username": username, "j_password": password},
-                headers={"Content-Type": "application/x-www-form-urlencoded"},
-                follow_redirects=False,
-            )
-            auth_response.raise_for_status()
-
-            # Validate JSESSIONID cookie was received
-            if "JSESSIONID" not in auth_response.cookies:
-                raise ValueError(
-                    "No JSESSIONID cookie received from SDWAN Manager. "
-                    "This may indicate invalid credentials or a server error. "
-                    f"Response status: {auth_response.status_code}"
-                )
-
-            jsessionid = auth_response.cookies["JSESSIONID"]
-
-            # Step 2: Attempt to get XSRF token (19.2+ only)
-            # Pre-19.2 versions do not require XSRF token, so failures are expected
-            xsrf_token: str | None = None
-            try:
-                token_response = client.get(
-                    f"{url}/dataservice/client/token",
-                    cookies={"JSESSIONID": jsessionid},
-                    timeout=XSRF_TOKEN_FETCH_TIMEOUT_SECONDS,
-                )
-                if token_response.status_code == 200:
-                    xsrf_token = token_response.text.strip()
-            except (httpx.HTTPError, httpx.TimeoutException):
-                # Pre-19.2 does not support XSRF tokens, continue without
-                pass
-
-            return {
-                "jsessionid": jsessionid,
-                "xsrf_token": xsrf_token,
-            }, SDWAN_MANAGER_SESSION_LIFETIME_SECONDS
+        # Build auth parameters for subprocess
+        auth_params = {
+            "url": url,
+            "username": username,
+            "password": password,
+            "timeout": AUTH_REQUEST_TIMEOUT_SECONDS,
+            "xsrf_timeout": XSRF_TOKEN_FETCH_TIMEOUT_SECONDS,
+            "verify_ssl": verify_ssl,
+        }
+
+        # SDWAN-specific authentication logic
+        # This script assumes `params` dict is already loaded by execute_auth_subprocess
+        auth_script_body = """
+import http.cookiejar
+import ssl
+import urllib.parse
+import urllib.request
+
+url = params["url"]
+username = params["username"]
+password = params["password"]
+timeout = params["timeout"]
+xsrf_timeout = params["xsrf_timeout"]
+verify_ssl = params["verify_ssl"]
+
+# Create SSL context
+ssl_context = ssl.create_default_context()
+if not verify_ssl:
+    ssl_context.check_hostname = False
+    ssl_context.verify_mode = ssl.CERT_NONE
+
+# Create cookie jar and opener
+cookie_jar = http.cookiejar.CookieJar()
+https_handler = urllib.request.HTTPSHandler(context=ssl_context)
+cookie_handler = urllib.request.HTTPCookieProcessor(cookie_jar)
+opener = urllib.request.build_opener(https_handler, cookie_handler)
+
+# Step 1: Form-based login to /j_security_check
+auth_data = urllib.parse.urlencode({
+    "j_username": username,
+    "j_password": password
+}).encode("utf-8")
+
+auth_request = urllib.request.Request(
+    f"{url}/j_security_check",
+    data=auth_data,
+    headers={"Content-Type": "application/x-www-form-urlencoded"},
+    method="POST"
+)
+
+try:
+    opener.open(auth_request, timeout=timeout)
+except urllib.error.HTTPError as e:
+    if e.code != 302:  # 302 redirect is expected on successful login
+        raise
+
+# Extract JSESSIONID from cookies
+jsessionid = None
+for cookie in cookie_jar:
+    if cookie.name == "JSESSIONID":
+        jsessionid = cookie.value
+        break
+
+if jsessionid is None:
+    result = {"error": "No JSESSIONID cookie received - authentication may have failed"}
+else:
+    # Step 2: Fetch XSRF token (required for SDWAN Manager 19.2+)
+    xsrf_token = None
+    try:
+        token_request = urllib.request.Request(
+            f"{url}/dataservice/client/token",
+            headers={"Cookie": f"JSESSIONID={jsessionid}"},
+            method="GET"
+        )
+        token_response = opener.open(token_request, timeout=xsrf_timeout)
+        if token_response.status == 200:
+            xsrf_token = token_response.read().decode("utf-8").strip()
+    except Exception:
+        pass  # Pre-19.2 versions do not support XSRF tokens
+
+    result = {"jsessionid": jsessionid, "xsrf_token": xsrf_token}
+"""
+
+        # Execute authentication in subprocess (fork-safe on macOS)
+        auth_result = execute_auth_subprocess(auth_params, auth_script_body)
+
+        return {
+            "jsessionid": auth_result["jsessionid"],
+            "xsrf_token": auth_result.get("xsrf_token"),
+        }, SDWAN_MANAGER_SESSION_LIFETIME_SECONDS
 
     @classmethod
     def get_auth(cls) -> dict[str, Any]:
@@ -165,6 +217,8 @@ class SDWANManagerAuth:
             SDWAN_URL: Base URL of the SDWAN Manager
             SDWAN_USERNAME: SDWAN Manager username for authentication
             SDWAN_PASSWORD: SDWAN Manager password for authentication
+            SDWAN_INSECURE: If "True", "1", or "yes" (default: "True"), SSL certificate
+                verification is disabled. Set to "False" to enable SSL verification.
 
         Returns:
             A dictionary containing:
@@ -175,11 +229,10 @@ class SDWANManagerAuth:
         Raises:
             ValueError: If any required environment variables (SDWAN_URL,
                 SDWAN_USERNAME, SDWAN_PASSWORD) are not set.
-            httpx.HTTPStatusError: If SDWAN Manager returns a non-2xx status code during
-                authentication, typically indicating invalid credentials (401) or
-                server issues (5xx).
-            httpx.RequestError: If the request fails due to network issues,
-                connection timeouts, or other transport-level problems.
+            SubprocessAuthError: If authentication fails due to invalid credentials,
+                network issues, connection timeouts, or SDWAN Manager server errors.
+                The error message will contain details from the authentication
+                subprocess.
 
         Example:
             >>> # Set environment variables first
@@ -197,6 +250,11 @@ class SDWANManagerAuth:
         url = os.environ.get("SDWAN_URL")
         username = os.environ.get("SDWAN_USERNAME")
         password = os.environ.get("SDWAN_PASSWORD")
+        insecure = os.environ.get("SDWAN_INSECURE", "True").lower() in (
+            "true",
+            "1",
+            "yes",
+        )
 
         if not all([url, username, password]):
             missing_vars: list[str] = []
@@ -213,9 +271,12 @@ class SDWANManagerAuth:
         # Normalize URL by removing trailing slash
         url = url.rstrip("/")  # type: ignore[union-attr]
 
+        # SDWAN_INSECURE=True means verify_ssl=False
+        verify_ssl = not insecure
+
         def auth_wrapper() -> tuple[dict[str, Any], int]:
             """Wrapper for authentication that captures closure variables."""
-            return cls._authenticate(url, username, password)  # type: ignore[arg-type]
+            return cls._authenticate(url, username, password, verify_ssl)  # type: ignore[arg-type]
 
         # AuthCache.get_or_create returns dict[str, Any], but mypy can't verify this
         # because nac_test lacks py.typed marker.

nac_test_pyats_common/sdwan/device_resolver.py

@@ -5,6 +5,16 @@
 
 This module provides the SDWANDeviceResolver class, which extends
 BaseDeviceResolver to implement SD-WAN schema navigation.
+
+Device Fields Returned:
+    - hostname: System hostname from device_variables.system_hostname
+    - host: Management IP address (CIDR stripped)
+    - os: Always 'iosxe' (SD-WAN edges are IOS-XE based)
+    - platform: Always 'sdwan' (for PyATS abstraction optimization)
+    - device_id: Chassis ID
+    - type: Always 'router'
+    - username: From IOSXE_USERNAME environment variable
+    - password: From IOSXE_PASSWORD environment variable
 """
 
 import logging
@@ -173,28 +183,33 @@ class SDWANDeviceResolver(BaseDeviceResolver):
 
         return ip_value
 
-    def extract_os_type(self, device_data: dict[str, Any]) -> str:
-        """Return 'iosxe' as all SD-WAN edge devices are IOS-XE based.
+    def extract_os_platform_type(self, device_data: dict[str, Any]) -> dict[str, str]:
+        """Return PyATS abstraction info for SD-WAN edge devices.
+
+        All SD-WAN edge devices are IOS-XE based with 'sdwan' platform.
 
         Args:
-            device_data: Router data dictionary (unused, OS is hardcoded).
+            device_data: Router data dictionary (unused, values are hardcoded).
 
         Returns:
-            Always returns 'iosxe'.
+            Dictionary with 'os' and 'platform' keys.
         """
-        return "iosxe"
+        return {
+            "os": "iosxe",
+            "platform": "sdwan",
+        }
 
     def build_device_dict(self, device_data: dict[str, Any]) -> dict[str, Any]:
         """Build device dictionary with SD-WAN specific defaults.
 
-        Extends the base implementation to add type='router' since
-        all SD-WAN edge devices are routers.
+        Extends the base implementation to add type='router'.
+        Platform is set to 'sdwan' via extract_os_platform_type().
 
         Args:
             device_data: Router data dictionary from the data model.
 
         Returns:
-            Device dictionary with hostname, host, os, device_id, and type.
+            Device dictionary with hostname, host, os, platform, device_id, and type.
         """
         # Get base device dict from parent
         device_dict = super().build_device_dict(device_data)

{nac_test_pyats_common-0.2.0.dist-info → nac_test_pyats_common-0.2.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: nac-test-pyats-common
-Version: 0.2.0
+Version: 0.2.1
 Summary: Architecture adapters for Network as Code (NaC) PyATS testing - auth classes, test base classes, and device resolvers
 Project-URL: Homepage, https://github.com/netascode/nac-test-pyats-common
 Project-URL: Documentation, https://github.com/netascode/nac-test-pyats-common
@@ -23,8 +23,9 @@ Classifier: Programming Language :: Python :: 3.13
 Classifier: Topic :: Software Development :: Testing
 Classifier: Topic :: System :: Networking
 Requires-Python: >=3.10
+Requires-Dist: filelock>=3.20.1
 Requires-Dist: httpx>=0.28
-Requires-Dist: nac-test==1.1.0b2
+Requires-Dist: nac-test==1.1.0b3
 Provides-Extra: dev
 Requires-Dist: bandit[toml]>=1.8.6; extra == 'dev'
 Requires-Dist: mypy>=1.10; extra == 'dev'

nac_test_pyats_common-0.2.1.dist-info/RECORD

@@ -0,0 +1,25 @@
+nac_test_pyats_common/__init__.py,sha256=4fOaRhzkJJDyW00-wPzEzgWdmLXSLfxkiV-Z39RWmq8,1770
+nac_test_pyats_common/py.typed,sha256=BrP39il8_cNN1K0KDeyBUtySS9oI2_SK5xKx1SxdSoY,59
+nac_test_pyats_common/aci/__init__.py,sha256=Y9VhBZ3_GXLBk3_Wtg1SRG_Dxx134Etf9k-0wvrOMwQ,1335
+nac_test_pyats_common/aci/auth.py,sha256=pkM7BRWJ1doajqZr73T4Gd3vPWydttk_QtOIEcf8tS4,11558
+nac_test_pyats_common/aci/test_base.py,sha256=Kz_TpY3yeveAfSUMVGhSiQ3s7AHOzIJEz97rpy6pVWE,7575
+nac_test_pyats_common/catc/__init__.py,sha256=ZGOQBvjFvq7h9LtfOyxFEmlir7htpy8sfWoJuDwGjsA,1986
+nac_test_pyats_common/catc/api_test_base.py,sha256=F1zNKaYfHV_vRxJ30TcebDj26itNZ05lLHtUa4wslA0,8905
+nac_test_pyats_common/catc/auth.py,sha256=u-kasgmoZCvZBKwrZUsoo9e1azxJUJg9odZkpXkUq7g,11623
+nac_test_pyats_common/catc/device_resolver.py,sha256=I17QuPQpJj4p7zXzAjHJrHZcaICcHdAX9DV_0qgQni8,5754
+nac_test_pyats_common/catc/ssh_test_base.py,sha256=wUldp2T9cmSEALBtbOgUQvQ2txuid3ErJEO27kM-kiI,4482
+nac_test_pyats_common/common/__init__.py,sha256=Y0qrZEKx2g8Zm1CTHJpeLocwMasspP6NQuhyrRiA1wA,1084
+nac_test_pyats_common/common/base_device_resolver.py,sha256=ul-zao-qcLZc1p_xvDCUAnvR5zqZM8mZda4iBP5S7LU,17625
+nac_test_pyats_common/iosxe/__init__.py,sha256=GSuLGyxcu8dFouspTjXuQ1Mi27vDluVR8ZCcJrPcIiY,2147
+nac_test_pyats_common/iosxe/iosxe_resolver.py,sha256=_2cug-eZfO5iKE3Po2kh9hJB7StRjs-Cm-BdXqKb5pg,2388
+nac_test_pyats_common/iosxe/registry.py,sha256=djRFzxuEu8IdyTmi1puhIHGZGSMjys0l1v4-uzYCwAU,5723
+nac_test_pyats_common/iosxe/test_base.py,sha256=NjXbf0ZY-CBWhd3jpIAhylL5kyRrHM6FlhGlFtjLSjM,4569
+nac_test_pyats_common/sdwan/__init__.py,sha256=mrziVp5kMgykKnFPvWykuVLuky6xwEv6oEcfrbxFXxY,1777
+nac_test_pyats_common/sdwan/api_test_base.py,sha256=dtPKd094gdQTNHaYeoPQxNle6uCULNII2sroAweZ5Jw,8834
+nac_test_pyats_common/sdwan/auth.py,sha256=4qIi2ypMPK2Pkw6rfhSkxpoJGDRRvt4fJ5rO01p-4II,11790
+nac_test_pyats_common/sdwan/device_resolver.py,sha256=5cTfcH6OUH98AiJCDo9uQL3GUcudGkE2V_nlysl6eHk,7811
+nac_test_pyats_common/sdwan/ssh_test_base.py,sha256=rZF7txhu0FGtPtTzGMZFqB9hwClmtggroZwRuX3BGU4,4210
+nac_test_pyats_common-0.2.1.dist-info/METADATA,sha256=cOKNshimaxKY2EHl51EWxhnhsOG8wteZGTRPqf6G6OY,13104
+nac_test_pyats_common-0.2.1.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+nac_test_pyats_common-0.2.1.dist-info/licenses/LICENSE,sha256=zt2sx-c0iEk6-OO0iqRQ4l6fIGazRKW_qLMqfDpLm6M,16295
+nac_test_pyats_common-0.2.1.dist-info/RECORD,,

nac_test_pyats_common-0.2.0.dist-info/RECORD

@@ -1,25 +0,0 @@
-nac_test_pyats_common/__init__.py,sha256=4fOaRhzkJJDyW00-wPzEzgWdmLXSLfxkiV-Z39RWmq8,1770
-nac_test_pyats_common/py.typed,sha256=BrP39il8_cNN1K0KDeyBUtySS9oI2_SK5xKx1SxdSoY,59
-nac_test_pyats_common/aci/__init__.py,sha256=Y9VhBZ3_GXLBk3_Wtg1SRG_Dxx134Etf9k-0wvrOMwQ,1335
-nac_test_pyats_common/aci/auth.py,sha256=1Rk2uBGb_CGgkBh9dD3LagIsbJPKRgsSFDYEeyiC50U,7867
-nac_test_pyats_common/aci/test_base.py,sha256=SoPh91AXPvMshJXIyjiZumSgxOAN4xPkpSb3t0B9kdE,6256
-nac_test_pyats_common/catc/__init__.py,sha256=ZGOQBvjFvq7h9LtfOyxFEmlir7htpy8sfWoJuDwGjsA,1986
-nac_test_pyats_common/catc/api_test_base.py,sha256=kGp6rZ4S3zP3MW5BD02K5uVxmtE-vRlG2A99kaLgyDo,7507
-nac_test_pyats_common/catc/auth.py,sha256=1oDZr_PEWOz1IZOUm_kyKzIFPQubMo_wemj-Q3D7ALU,9522
-nac_test_pyats_common/catc/device_resolver.py,sha256=YgJJn1pXONXCAMnfXA-_Iuo6tkLtD9EekHbPbae6mRg,5363
-nac_test_pyats_common/catc/ssh_test_base.py,sha256=wUldp2T9cmSEALBtbOgUQvQ2txuid3ErJEO27kM-kiI,4482
-nac_test_pyats_common/common/__init__.py,sha256=Y0qrZEKx2g8Zm1CTHJpeLocwMasspP6NQuhyrRiA1wA,1084
-nac_test_pyats_common/common/base_device_resolver.py,sha256=xP4QF-kNp_8rFo9N6wzfJSIpNOgnPkeZmWAbH0k5tGo,15091
-nac_test_pyats_common/iosxe/__init__.py,sha256=GSuLGyxcu8dFouspTjXuQ1Mi27vDluVR8ZCcJrPcIiY,2147
-nac_test_pyats_common/iosxe/iosxe_resolver.py,sha256=XzzwRCa1cuQ6HmeUB1Z2vITOwYdhuDlugDD1eVXAoIE,2355
-nac_test_pyats_common/iosxe/registry.py,sha256=djRFzxuEu8IdyTmi1puhIHGZGSMjys0l1v4-uzYCwAU,5723
-nac_test_pyats_common/iosxe/test_base.py,sha256=NjXbf0ZY-CBWhd3jpIAhylL5kyRrHM6FlhGlFtjLSjM,4569
-nac_test_pyats_common/sdwan/__init__.py,sha256=mrziVp5kMgykKnFPvWykuVLuky6xwEv6oEcfrbxFXxY,1777
-nac_test_pyats_common/sdwan/api_test_base.py,sha256=NuqrxODrRw7ZvEIuoc1Bup60thKqJOfiGz96T4QJ8Ng,7632
-nac_test_pyats_common/sdwan/auth.py,sha256=CMgf_AYCalVQNjdUfDlE-0-z5tnhU_Wnscgt5ZW61RY,10322
-nac_test_pyats_common/sdwan/device_resolver.py,sha256=1GdM5QKftj4F5bGmsbH90--VqoFZaDPMerHF1dAceMQ,7169
-nac_test_pyats_common/sdwan/ssh_test_base.py,sha256=rZF7txhu0FGtPtTzGMZFqB9hwClmtggroZwRuX3BGU4,4210
-nac_test_pyats_common-0.2.0.dist-info/METADATA,sha256=9Qbd0AYAGd33wI1iwbynSClOmApEC-Iny0geUrBoIzA,13072
-nac_test_pyats_common-0.2.0.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
-nac_test_pyats_common-0.2.0.dist-info/licenses/LICENSE,sha256=zt2sx-c0iEk6-OO0iqRQ4l6fIGazRKW_qLMqfDpLm6M,16295
-nac_test_pyats_common-0.2.0.dist-info/RECORD,,