01-16-2017 11:08 AM
I have read over the "Using List Searches" XML example in the NetMRI documentation, but my use case for wanting a list in policy compliance is a bit different. Instead of searching the list, I would like to search the config for matches on the list. My example would be a list of ip addresses, and ensuring that each of these IP addresses are on an access list in the config. Can you use a list in such a way? Let me know if you need any clarification, thanks!
Solved! Go to Solution.
01-16-2017 11:26 AM
1) You could use the list to construct the search string that you then use in a ConfigFileCheck. You can use the array join operator to make a big regular expression.
2) You could loop through and do a ConfigFileCheck for each entry in the list.
Alternatively you can just use a regexp match instead of ConfigFileCheck, but if the ConfigFileCheck will, for example, tell you want line the match is on.
01-16-2017 01:13 PM
Thanks for the quick response! Is there a good resource for some examples of different policies in XML? Or can you give a quick example of using ForEach to parse through the array returned by the list search? I'm quite versed in Python, but completely new when it comes to using XML. Thanks!
01-16-2017 01:40 PM
01-16-2017 03:16 PM
Thanks, also actually looking at the XML schema was very helpful. I got the basic idea working (pasted below), but to just add to my learning, what would be the best way to
1. make sure the entries are in the same order as the list
2. make sure there are no extraneous entries on the list
Concatenating the array beforehand and looking for one chunk would solve both issues, just wondering if there is any way to do it while looping in the way below. Just trying to learn all the options available, thanks!
<PolicyRuleLogic editor="raw-xml" xmlns='http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml'> <Expr op='array' output='missing_ips'/> <ListSearch list-name='0-ACL-37' result-columns='ip' result-mode='all' search-columns='status'> <Expr value='active'/> </ListSearch> <ForEach> <Expr variable='ip'/> <Do> <If> <ConfigFileCheck op='contains-one'> <Expr op='concat'> <Expr value='^access-list 37 permit '/> <Expr variable='_loop_value'/> </Expr> </ConfigFileCheck> <Then> </Then> <Else> <Expr op='push'> <Expr variable='missing_ips'/> <Expr variable='_loop_value'/> </Expr> </Else> </If> </Do> </ForEach> <If> <Expr op='!='> <Expr op='size'> <Expr variable='missing_ips'/> </Expr> <Expr value='0'/> </Expr> <Then> <PolicyRuleFail> <Expr op='concat'> <Expr>These IPs are missing from SNMP access: </Expr> <Expr op='join'> <Expr variable='missing_ips'/> <Expr value=', '/> </Expr> <Expr value='.'/> </Expr> </PolicyRuleFail> </Then> <Else> <PolicyRulePass>The switch has all of the correct SNMP access entries.</PolicyRulePass> </Else> </If> </PolicyRuleLogic>
01-17-2017 04:34 AM
In the github location John pointed out, a specific example that may help is the verify-users.xml rule which uses the valid_users.csv list. It is a good example of looking up on the config to verify there are no list entries present and looking up on the list to ensure they all exist in the config.
01-17-2017 09:27 AM
Great, thats a good one (and that is the way I ended up doing it yesterday before checking that out).
Not sure if I should put this one in a different thread, but can someone explain the match variables? I see in that example there is _start_match_1. Looking at another example I was trying to use _match_1, but that wasn't working, though using _match_0 did the trick. (In both my script and the example it seemed like that would have been the very first match.)
Thanks for any clarity on that one!
01-17-2017 10:18 AM
Yes, this really should be explained in the online help but I didn't see it there.
If you have a regular expression match like this:
... <Expr op='matches'> <Expr value='myfoobar barfoo123'/> <Expr value='foo(bar)? ([a-z]+)'/> </Expr> ...
it will return true (unless I have a typo), and it will set the following global _match variables:
_match_pre - the text before the match, in this case "my" _match - the entire match, in this case "foobar barfoo" _match_0 - same as _match
_match_1 - the first capture (ie, in parentheses) match, in this case 'bar'
_match_2 - the second capture, in this case 'barfoo' _match_post - the text after the match, in this case '123'
_match_array - an array where element 0 is _match_0, element 1 is _match_1, etc.
Of course if you have more than two capture groups, you'll get one _match_X for each.
In the ConfigBlockCheck, you can access the _start_match variables that are the result of the match in the starting regexp of the block, and in the case of the regexp block end method, you can access _end_match variables.
01-17-2017 10:19 AM
Note that these _match variables are global and are set on every regular expression evaluation so you'll need to save them off if you need them later.