![HPEDEVLogo](Pictures/hpe-dev-logo.png)

# Welcome to the Hack Shack
Powered by [HPE DEV Team](https://hpedev.io)

# Speaker: [Joe Neville](mailto:joe.neville@hpe.com)

Find me on [Twitter](https://twitter.com/joeneville_), [LinkedIn](https://www.linkedin.com/in/joe-neville-52a93a7/), [Blog](https://nullzero.co.uk) 

<p align="center">
  <img src="Pictures/hackshackdisco.png">
  
</p>

# Introduction to Aruba API Yourself !
This lab is an introduction to Python, Aruba APIs and network automation.

# Lab Flow
HackShack workshops are delivered through a central point that allows a portable, dynamic version of the lab guides. We use a JupyterHub server on which all the different labs guides are stored in a notebook format (*.ipynb). These Notebooks are accessible from the internet for the event.

The notebooks can be downloaded on to your own laptop for further use. In order to use  them, you will need to install the Jupyter Notebook application available [here](https://jupyter.org/install).
Beginners guide available [here](https://jupyter-notebook-beginner-guide.readthedocs.io/en/latest/what_is_jupyter.html)

Please now listen to the instructor guidelines on how to use this notebook and follow the different steps.

Happy labs ! :-)



# Task 0: Aruba AOS-CX Swagger

Please watch as the instructor explains the Swagger interface for Aruba AOS-CX.

* Virtually everything that can be configured on an AOS-CX device is accessible via the API. 
* AOS-CX is a core networking device OS, with a large feature set covering Layer 2 & advanced Layer 3.
* As a result of the feature set, AOS-CX has a large API.
* AOS-CX does not use written documentation to present the API. This would be unwieldy.
* Instead AOS-CX uses Swagger, an open-source software framework.
* Swagger is used to present the AOS-CX API, creating an interactive interface to the live OS.
* In this first exercise you are going to log into a Swagger interface and take a look around.

### Task 0.1 - GET the Firmware via Swagger

1. Point a browser at one of your AOS-CX nodes.  
2. Log in with the provided username / password.
3. Navigate to the cog top-right.
![cog](Pictures/1-1_cog.png)
4. Go to V10.04
![version](Pictures/1-1_1004.png)

You will now be presented with the Swagger interface.

1. Go to the header labeled 'Firmware' and click on it to open it.
![version](Pictures/1-1_firmware.png)
2. Click 'Try it out' then 'Execute'.
![try](Pictures/1-1_try.png)
![execute](Pictures/1-1_execute.png)
3. You should see the 'curl', 'Request URL' and the 'Response'.

* Swagger is a useful tool if we want to interact with the API programmatically.
* Swagger shows the data available, the URLs and parameters needed to interact with the APIs, and the response data.

### Task 0.2 - Login via Swagger

1. Back on the swagger interface, go to Login.  


![login](Pictures/1-2_login.png)  


2. If you open that up there's only one type of call, a POST. We need to send a POST call with our credentials to the switch to authenticate and receive a cookie (like a temporary access code).
3. We then combine our cookie with our subsequent calls to prove we have the necessary credentials to configure the device.
4. Don't worry, we don't actually need to handle the cookie at all here. The swagger interface handles all of this for us if we successfully login.
5. You should see that with have Parameters that are marked as 'required'.
6. Click 'Try it out' and type your username / password in the boxes that appear.
7. Then hit 'Execute'.  


![creds](Pictures/1-2_creds.png)  


You should see the cURL, Request URL and the Server Response. Hopefully that is a Code 200, which means you've successfully logged in.
You can check the codes just below that which tells us that 200 means OK.

If the Login fails, you should get a 401 code, this means 'unauthorized'. Usually that means you've entered the wrong username / password combination.

However, just like cookies in real life, there are only so many to hand out. Once three cookies have been issued by the switch, you'll get a 401 saying 'Login failed: session limit reached.'
Cookies timeout after a period of time, this is 15 minutes if unused. 
We can manually reset the cookies by logging into the AOS-CX device via SSH and performing a manual with the command: 

```
https-server session close all
```

### Task 0.3 - Logout via Swagger

* There are only a finite amount of cookies.
* Use a 'Logout' API call to instruct AOS-CX to expire a specific cookie.
* You should always login and logout when interacting with the API to ensure your session does not fail because of lack of cookies.


1. On the Swagger interface, go to Logout.
2. 'Try it out'.
3. 'Execute'.
4. If you are logging in successfully this will log you out.


### Task 0.4 - POST a VLAN

* The Swagger interface can also be used to configure AOS-CX.

1. You've just logged out, so you'll need to log back in. Do that, following the steps in Task 1.2.
2. Naviagate to VLAN and expand that.
3. To get a feel of the data format and the URL, do a GET to see the VLANs on AOS-CX already. The response will list the VLANs, see below for an example.

```
{
  "1": "/rest/v10.04/system/vlans/1",
  "98": "/rest/v10.04/system/vlans/98",
  "99": "/rest/v10.04/system/vlans/99",
  "200": "/rest/v10.04/system/vlans/200",
  "300": "/rest/v10.04/system/vlans/300"
}
```

To configure a VLAN, we need to know the following:

* We are logging in successfully
* The URL we need to send the POST to.
* What data we need to send in the body of the call.


1. We should already be logged in.
2. For the URL, navigate to POST /system/vlans and open that (if you want the GET infomation to close up, just hit that link again).
3. Click on 'Edit Value', just below Request body.

![vlan](Pictures/1-4_vlan.png)

5. Then scroll down and hit Edit.

![edit](Pictures/1-4_edit.png)

6. Then request body should now turn black-on-white and you can edit the values. 
   This is a little tricky because you must to use the exact format and the mandatory values to create the VLAN.
   The mandatory values are:

     'id' - This the the VLAN number
     'name' - This is the VLAN...name!

   We are just doing the minimum to create a new VLAN so all the other information can be deleted, EXCEPT for the enclosing brackets '{}'
   To help you out here is an example that will create VLAN 99 with the name "my-API-VLAN"

```
{
  "id": 99,
  "name": "my-API-VLAN"
}
```

![json](Pictures/1-4_json.png)



7. You can add this to the response body or create your own.
8. If successfully, you will get a response code of 201, which means 'Created'.

![success](Pictures/1-4_success.png)

9. Do a GET vlan API call to see your new VLAN on the device. You can also do a 'show VLAN' via the CLI to prove it works to yourself via the more traditional method.

Now let's recap those vital pieces of information:

 * We've got to be logged in
 * We need the URL to send our call to.
 * We need to know the type of call to send.
 * We need to know the data and the format to send in our POST call.
 * Logout.

 Now let's transfer what we know over to Python.
 

## Task 1 Use Code to interact with the Aruba API

In this task we are going to use code to interact with the Aruba AOS-CX API.

* The Jupyter Notebook uses Python but you don't have to use Python to interact with Aruba APIs, any language with an HTTPS client library will do.   
* The HTTPS library handles the low-level HTTPS calls, the certificates and the response.    
* This workshop uses the popular 'Requests' HTTPS Python library.


### Task 1.1 Login / Logout with Python

* First we are going to login in. 
* For that we will need to send a POST call a URL on our AOS-CX device.
* The call will need to include our username & password in the 'Parameters'.
* If we are successful, we will receive back a response code and a cookie.
* We can print the response code to screen.
* To logout we will need to send a call to the logout URL but it must include our cookie. 
* We do not need to copy and paste the cookie. 'Requests' has useful function called a cookie jar that we can use to store the cookie and reuse it, as long as we use the same session.


In [None]:
#### Example with notes


# import required for code not in core Python
import requests
import urllib3
# this disables warning about self-signed certs
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Store your destination IP address as a variable. Replace the IP address with yours.
ip_add = "$$ipadd_1"
# Create a variable for your username and password
params= {"username": "admin", "password": "admin123"}

# Create our Session
session = requests.Session()
# This is where we login. You can see the word post to send a post call
login = session.post(f"https://{ip_add}/rest/v10.04/login", params=params, verify=False)
# Print the login session to screen
print(f"This is the login code: {login.status_code}")
# Logout POST call - the cookie will be carried in the session
logout = session.post(f"https://{ip_add}/rest/v10.04/logout")
# Print the login session to screen
print(f"This is the logout code: {logout.status_code}")

In [None]:
#### Example without notes ('easier to read' version)

import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
ip_add = "$$ipadd_1"
params= {"username": "admin", "password": "admin123"}

session = requests.Session()
login = session.post(f"https://{ip_add}/rest/v10.04/login", params=params, verify=False)
print(f"This is the login code: {login.status_code}")
print(f"This is the cookie:\n {login.cookies}")
logout = session.post(f"https://{ip_add}/rest/v10.04/logout")
print(f"This is the logout code: {logout.status_code}")

---
If all is correct, you should see something like the following:

```
This is the login code: 200
This is the cookie: <RequestsCookieJar[<Cookie id=T2sEriSo5Lel4XIMldNo1A== for 192.168.56.101/>, <Cookie user=eyJ1c2VyIjoiYWRtaW4iLCJsZXZlbCI6MTUsInR5cGUiOiJMT0NBTCIsIm1ldGhvZCI6IkxPQ0FMIn0= for 192.168.56.101/>]>
This is the logout code: 200
```

* If you are successful first time, why not try to run the code again but with the wrong username or password?  
* What status code do you see?

### Task 1.2 A Word about Security 

* The script above is insecure. It contains the username and password.
* However, using code and an API does not mean compromising your security policy.
* Here are a number of methods to access a username and password combination, without placing the details in the code:

1. *Environment variables* - you can write sensitive information like passwords to local machine environment variables, Python can access these, you just need to put a pointer in the script and the code will import the variable. This is good for a single machine but the script will fail if shared and run on a computer that doesn't have the environment variables set correctly.
2. *Python keyring library or similar* - there are third-party code libraries that can be imported into your code just in the way that requests is used, but these will interact with your OS key store like macOS 'keychain' or 'Windows Credential Locker' or similar. Essentially this is like setting the environment variables, and sufferes from the same problem of needing to be set on every machine for the code to run. See https://pypi.org/project/keyring/ for more details.
3. *Input secret on execution* - This is the most user-friendly way to approach secrets for the beginner. A function is added to the code instead for the actual password, and when the script is run, the code asks the user for the password, which they then enter. Simple and portable, with all the normal problems associated with passwords, but at least you're not including such sensitive information in your scripts.  

Python has a library to handle password input. It is called 'getpass' and is used in the code example below.

In [None]:
import requests
import urllib3
# new import statement for getpass
import getpass

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

ip_add = "$$ipadd_1"
# create a variable for our password and call getpass.
my_password = getpass.getpass()
# use my_password variable in our parameters
params= {"username": "admin", "password": my_password}

session = requests.Session()
login = session.post(f"https://{ip_add}/rest/v10.04/login", params=params, verify=False)
print(f"This is the login code: {login.status_code}")
print(f"This is the cookie_jar: {login.cookies}")
logout = session.post(f"https://{ip_add}/rest/v10.04/logout")
print(f"This is the logout code: {logout.status_code}")

* Please note, for convenience, the rest of the workbook will display the username and password in the code.


### Task 1.3 Python & Whitespace

* The code example so far have been sequential. The code runs from top to bottom.
* If an error is hit, the code will exit.
* This can cause a problem. If we hit an error before the Logout API call is sent, a cookie will be used. We could lock ourselves out from the API. The code we have been running so far has been strictly sequential running from top to bottom as it appears on the page.
* We need to create hierarchy in the code so that the Logout call will always be sent as a final step, regardless of errors.
* In Python we can do this using the 'try' and 'finally' method; and with the use of whitespace.  
* Whitespace is very important when writing Python, moreso than most other languages. We create structures, and relationships, between code using whitespace.

* Here is the code for our login, but rewritten to include the following:

1. 'try' is added before login. This tells the computer to run the next code block.
2. There is a code block under the 'try' statement, it is indented by four spaces to indicate it is part of the 'try' statment's block.
3. There is a 'finally' statement that is at the same level as the 'try' statement. It stands apart from the 'try' code block.
4. The logout call is indented by four spaces under the 'finally' statement.

In [None]:
import requests
import urllib3
import getpass

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

ip_add = "$$ipadd_1"
my_password = getpass.getpass()
params= {"username": "admin", "password": my_password}

session = requests.Session()
# New try statement and indented code block, followed by a finally statement and code block
try:
    login = session.post(f"https://{ip_add}/rest/v10.04/login", params=params, verify=False)
    print(f"This is the login code: {login.status_code}")
    print(f"This is the cookie_jar: {login.cookies}")
finally:
    logout = session.post(f"https://{ip_add}/rest/v10.04/logout")
    print(f"This is the logout code: {logout.status_code}")


* The code still runs from top to bottom.
* But now we have two code blocks that are nested in the main flow of the top to bottom flow. 
* When Python reaches the 'try' statement, it tries to run the indented code block. 
* If there are any problems in that code block, rather than the script stopping, it will drop out of the block back to the global non-indented level, thus hitting 'finally', at which point it will run our all-important logout statement.

* The code belows demonstrates how an error, the bogus 'print' statement, will stop the flow and prevent the 'Logout' call.

In [None]:
import requests
import urllib3


urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

ip_add = "$$ipadd_1"
params= {"username": "admin", "password": "admin123"}

session = requests.Session()
login = session.post(f"https://{ip_add}/rest/v10.04/login", params=params, verify=False)
print(f"This is the login code: {login.status_code}")
print(bogus)
logout = session.post(f"https://{ip_add}/rest/v10.04/logout")
print(f"This is the logout code: {logout.status_code}")

* Now the same code, but with 'try' and 'finally'.

In [None]:
import requests
import urllib3
import getpass

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

ip_add = "$$ipadd_1"
params= {"username": "admin", "password": "admin123"}

session = requests.Session()

try:
    login = session.post(f"https://{ip_add}/rest/v10.04/login", params=params, verify=False)
    print(f"This is the login code: {login.status_code}")
    print(bogus)
finally:
    logout = session.post(f"https://{ip_add}/rest/v10.04/logout")
    print(f"This is the logout code: {logout.status_code}")

* The error will still be generated. This is a 'NameError'.
* However, the 'Logout' call still runs.

---
#### 🤓 Extra Time for Pythonistas 🐍

* Having the error messsage kicked up to the screen is all fine and good, but a bit ugly. We can actually capture that error and present it in a much more graceful way, using only a couple of extra lines. 

* Here we use 'except' and then capture a NameError as the variable 'err' which we then print to screen with a friendly message:

In [None]:
import requests
import urllib3
import getpass

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

ip_add = "$$ipadd_1"
params= {"username": "admin", "password": "admin123"}

session = requests.Session()
try:
    login = session.post(f"https://{ip_add}/rest/v10.04/login", params=params, verify=False)
    print(f"This is the login code: {login.status_code}")
    print(bogus)
except NameError as err:
    print("Oh no, you hit an error: ", err)
finally:
    logout = session.post(f"https://{ip_add}/rest/v10.04/logout")
    print(f"This is the logout code: {logout.status_code}")

### Task 2.1 - Let's Get Some Data

* Logging in and logging out are the vital first steps towards mastery of an API, but they are not very exciting, or useful, on their own.
* Let's get the firmware of our device. That's always a useful piece of information to have.

In [None]:
import requests
import urllib3
import getpass

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

ip_add = "$$ipadd_1"
params= {"username": "admin", "password": "admin123"}

session = requests.Session()
try:
    login = session.post(f"https://{ip_add}/rest/v10.04/login", params=params, verify=False)
    print(f"This is the login code: {login.status_code}")
    firmware = session.get(f"https://{ip_add}/rest/v10.04/firmware", verify=False)
    print(firmware.json())
finally:
    logout = session.post(f"https://{ip_add}/rest/v10.04/logout")
    print(f"This is the logout code: {logout.status_code}")

* In the 'try' code block we've added a GET call to ".../rest/v10.04/firmware".
* If the GET call is successful, we then print the information to screen with the next line `print(firmware.json())`
* The AOS-CX API returns data in a structured format known as JavaScript Object Notation, or JSON. Here we are printing it to screen.

Example:

```
This is the login code: 200
{'current_version': 'Virtual.10.04.0001', 'primary_version': '', 'secondary_version': '', 'default_image': '', 'booted_image': ''}
This is the logout code: 200
```

* We can print out JSON formatted in such a way that is a bit easier to read with the 'pprint' function, that is the pretty print feature.



In [None]:
import requests
import urllib3
import getpass
import pprint

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

ip_add = "$$ipadd_1"
params= {"username": "admin", "password": "admin123"}

session = requests.Session()
try:
    login = session.post(f"https://{ip_add}/rest/v10.04/login", params=params, verify=False)
    print(f"This is the login code: {login.status_code}")
    firmware = session.get(f"https://{ip_add}/rest/v10.04/firmware", verify=False)
    pprint.pprint(firmware.json())
finally:
    logout = session.post(f"https://{ip_add}/rest/v10.04/logout")
    print(f"This is the logout code: {logout.status_code}")

### Task 2.2 About JSON

* JSON is a structured data format. 
* JSON can be converted into a Python data type called a dictionary. Python has various other data types, such as lists and tuples but here we will look at dictionaries.
* Python dictionaries are key-value pairs. The key is the first part of the information, and it is linked to the values, the second part, then surrounded by brackets, like this:

```
{'key': 'value'}
```
* We can retrieve a 'value' from a dictionary by calling the 'key'.
* In the example below, we extract the firmware version by calling the key 'current_version'. That will return the 'value'.
* Notice how we call a key by putting it after the JSON and surrounding it with square brackets:

```
my_firmware = firmware.json()['current_version']
```
* Next we print out a new sentence and embed the 'my_firmware' variable in it:

```
print("My firmware is: {}".format(my_firmware))
```


In [None]:
import requests
import urllib3
import getpass
import pprint

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

ip_add = "$$ipadd_1"
params= {"username": "admin", "password": "admin123"}

session = requests.Session()
try:
    login = session.post(f"https://{ip_add}/rest/v10.04/login", params=params, verify=False)
    print(f"This is the login code: {login.status_code}")
    firmware = session.get(f"https://{ip_add}/rest/v10.04/firmware", verify=False)
    my_firmware = firmware.json()['current_version']
    print(f"My firmware is: {my_firmware}")
finally:
    logout = session.post(f"https://{ip_add}/rest/v10.04/logout")
    print(f"This is the logout code: {logout.status_code}")

### Task 2.3 Meet the neighbours - GET LLDP

* Using the API to gather information about the network is a prime use case for automation.  
* Let's get some info about our neighbouring device by querying the LLDP table. That will give us a lot of data about who our CX devices can see on the wire.

In [None]:
import requests
import urllib3
import pprint

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

ip_add = "$$ipadd_1"
params= {"username": "admin", "password": "admin123"}

session = requests.Session()
try:
    login = session.post(f"https://{ip_add}/rest/v10.04/login", params=params, verify=False)
    print(f"This is the login code: {login.status_code}")
    lldp = session.get(f"https://{ip_add}/rest/v10.04/system/interfaces/1%2F1%2F1/lldp_neighbors?depth=2", verify=False)
    my_lldp = lldp.json()
    pprint.pprint(my_lldp)
finally:
    logout = session.post(f"https://{ip_add}/rest/v10.04/logout")
    print(f"This is the logout code: {logout.status_code}")

* The API for this call returns a lot of information, probably too much for us to easily look through. But this isn't about what we can read, this is structured data for our code to consume.  
* We just need to do a bit of work to pick out the salient info.

---

#### Beyond The Basics - Beginner feel free to skip this detail

*If you are new to Python you should skip this section. It covers an intermediate topic.*

You might notice that the first key is a MAC address and port. This is dynamic information and will change depending upon the neighbour.
As such we can't call the key specifically in our code, because we do not know beforehand what it will be.
We need to skip over the initial key and access the value, which happens to be as dictionary itself. That has keys that will be called.
We can solve this in a number of ways, one concise approach is to unpack the key and values separately.

We can do this with by unpacking the items() method: `for k, v in my_lldp.items()`

In [None]:
my_dict = {"mykey1": "one", 'mykey2': "two" }
for k, v in my_dict.items():
    print(k, v)

---



### Continue here

* Don't worry if you've skipped over the 'Beyond The Basics' section, let's move on and grab some information from the wealth of JSON that is returned.  
* In the code below we parse the hostname of our neighbours and the MAC address.  
* You might notice that we are using the dynamic value of the neighbouring hostname in both lines.  
* In a template, our code would look like this:

```
My neighbour is: <hostname>
The <hostname> MAC address is: <MAC-address>
```

In [None]:
import requests
import urllib3
import pprint

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

ip_add = "$$ipadd_1"
params= {"username": "admin", "password": "admin123"}

session = requests.Session()
try:
    login = session.post(f"https://{ip_add}/rest/v10.04/login", params=params, verify=False)
    print(f"This is the login code: {login.status_code}\n")
    lldp = session.get(f"https://{ip_add}/rest/v10.04/system/interfaces/1%2F1%2F1/lldp_neighbors?depth=2", verify=False)
    my_lldp = lldp.json()
    for k, v in my_lldp.items():
        print(f"My neighbour is: {v['neighbor_info']['chassis_name']}")
        print(f"The {v['neighbor_info']['chassis_name']} MAC address is: {v['chassis_id']}\n")
finally:
    logout = session.post(f"https://{ip_add}/rest/v10.04/logout")
    print(f"This is the logout code: {logout.status_code}")

## Task 3 Let's network with loops and lists

### Task 3.1 Python lists

* Interacting with a single device is cool, but it isn't real networking. For that we need to interact with multiple devices.  
* So far we have just inputed our IP address as a single string E.G. `ip_add = "$$ipadd_1"`.
* What we need to do is use an input that consists of multiple strings.  
 * Python has numerous data types that can hold multiple pieces of data. For this example we are going to use a list.
* A list in Python can be made up of strings, or integers, or even other lists and dictionaries. We group the data between square brackets and separate it with commas.
* Python lists are **zero-indexed*, which means each item in a list has a number assigned to it and the numbering starts at zero. 
* We can access items in a list by calling the number against the list using the number itself and square brackets.  
* The first item is `my_list[0]` the second is `my_list[1]`.

Here's a code example:

In [None]:
my_list1 = ['one', 'two', 'three', 'four']

print(f"\nThis is the first item in my list: {my_list1[0]}")
print(f"\nThis is the second item in my list: {my_list1[1]}")

---

### Task 3.2 Loops and lists

* Items in a list have an index number and they remain in the same order.
* That allows us to go through a list, visiting each item in turn, and "do something".  
* We can do this with a loop, visiting each item on a list.

* In the example below we take each one of the items in my list and print it to screen.

In [None]:
my_list1 = ['one', 'two', 'three', 'four']

for item in my_list1:
    print(item)

This can be a little tricky for beginners to grasp.

1. In the 'for' loop, the word 'item' is just a placeholder, to effectively hold the information that is generated while we step through the list.
2. In our list the string 'one' is the first item, so item is effectively the string 'one' at this point.
3. We then move down to the print statement and print whatever is now stored as the item to screen. This is the string 'one'.
4. Here's where the loop comes in, we now move back up to the first line, and take the next item on the list, the string of 'two' and store that as item.
5. Move down to the print and so on through the list until we reach the end.

* Loops become a lot more interesting when we not just handle the data, but actually subject it to conditionals.
* In the next example, we print the integer of 2 rather than the string 'two'. 
* Note that the original list is not touched by our actions when we print, that remains the same. See, I've printed out the original list at the end here to prove it.

In [None]:
my_list1 = ['one', 'two', 'three', 'four']

for item in my_list1:
    if item == 'two':
        print('2')
    else:
        print(item.upper())
        
print(my_list1)

---

### Task 3.3 Loops, lists and networks

* Loops and lists are useful tools for handling data in Python but they are especially important when it comes to network automation because we often need to interact with multiple devices at once.
* Rather than just inputing a single IP address in a string, we can use a list of IP addresess for our target hosts and then loop over the list.
* That way we can perform our desired tasks, like GET the code from multiple devices in one operation. That's much more like a network automation operation.
* We handle ip addresses just like strings. Creating a list of addresses is just like creating a list of fruit.



In [None]:
my_ip_list = ["$$ipadd_1", "$$ipadd_2"]

for ip in my_ip_list:
    print(ip)

* This 'for' loop creates an object of 'ip' that contains the string of the IP address from our list.  
* We can now feed these IP addresses into our operations, just like we did with a single address statement of `ip_add = "$$ipadd_1"`

In [None]:
import requests
import urllib3
import getpass
import pprint

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

my_ip_list = ["$$ipadd_1", "$$ipadd_2"]
params= {"username": "admin", "password": "admin123"}


for ip in my_ip_list:
    session = requests.Session()
    try:
        print(f"\nHere we log into: {ip}\n")
        login = session.post(f"https://{ip}/rest/v10.04/login", params=params, verify=False)
        print(f"This is the login code: {login.status_code}")
        firmware = session.get(f"https://{ip}/rest/v10.04/firmware", verify=False)
        pprint.pprint(firmware.json())
    finally:
        logout = session.post(f"https://{ip}/rest/v10.04/logout")
        print(f"This is the logout code: {logout.status_code}\n")

#### Task 3.4.1 GET the code
* In the following loop we will GET the hostname of the device and the code version.

In [None]:
import requests
import urllib3
import getpass
import pprint

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

my_ip_list = ["$$ipadd_1", "$$ipadd_2"]
params= {"username": "admin", "password": "admin123"}


for ip in my_ip_list:
    session = requests.Session()
    try:
        login = session.post(f"https://{ip}/rest/v10.04/login", params=params, verify=False)
        print(f"Login code: {login.status_code}")
        hostname_response = session.get(f"https://{ip}/rest/v10.04/system", verify=False)
        firmware_reponse = session.get(f"https://{ip}/rest/v10.04/firmware", verify=False)
        hostname = hostname_response.json()["hostname"]
        firmware = firmware_reponse.json()["current_version"]    
        print(f"Device Name: {hostname}\t Code: {firmware}")
    finally:
        logout = session.post(f"https://{ip}/rest/v10.04/logout")
        print(f"Logout code: {logout.status_code}\n")

#### Task 3.4.2 GET the code and do an IF check

* The code above might seem like a small task but in a network with multiple devices, running checks such as this can be useful. 
* We're not changing the config so there's no risk of affecting the devices themselves, just doing a mass gather of data from our estate.  
* Let's take this a step further then. Printing all the information to screen is kind of useful once, but not exactly what we want if we are going to run the tests regularly to check the code levels.
* It would be much better if we just print out a warning if the code was not the correct version.
* Let's put an if statement into our code to only print on certain conditions.

In [None]:
import requests
import urllib3
import getpass
import pprint

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

my_ip_list = ["$$ipadd_1", "$$ipadd_2"]
params = {"username": "admin", "password": "admin123"}
conservative_release = "Virtual.10.04.0001"


non_compliance = False
for ip in my_ip_list:
    session = requests.Session()
    try:
        login = session.post(f"https://{ip}/rest/v10.04/login", params=params, verify=False)
        hostname_response = session.get(f"https://{ip}/rest/v10.04/system", verify=False)
        firmware_reponse = session.get(f"https://{ip}/rest/v10.04/firmware", verify=False)
        device_name = hostname_response.json()["hostname"]
        firmware = firmware_reponse.json()["current_version"]
        if firmware != conservative_release:
            non_compliance = True
            print(f"This device is running the wrong code:\n {device_name}. It is running {firmware}")
    finally:
        logout = session.post(f"https://{ip}/rest/v10.04/logout")
if non_compliance == False:
    print("\nAll devices running the correct image\n")

* Now let's run that again but with a fake 'conservative_release'.  
* This time we run the test with "Virtual.10.04.3000" as the correct image. Both devices will fail the test and should be printed to screen.

In [None]:
import requests
import urllib3
import getpass
import pprint

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

my_ip_list = ["$$ipadd_1", "$$ipadd_2"]
params = {"username": "admin", "password": "admin123"}
conservative_release = "Virtual.10.04.3000"


non_compliance = False
for ip in my_ip_list:
    session = requests.Session()
    try:
        login = session.post(f"https://{ip}/rest/v10.04/login", params=params, verify=False)
        hostname_response = session.get(f"https://{ip}/rest/v10.04/system", verify=False)
        firmware_reponse = session.get(f"https://{ip}/rest/v10.04/firmware", verify=False)
        device_name = hostname_response.json()["hostname"]
        firmware = firmware_reponse.json()["current_version"]
        if firmware != conservative_release:
            non_compliance = True
            print(f"This device is running the wrong code:\n {device_name}\n It is running {firmware}\n")
    finally:
        logout = session.post(f"https://{ip}/rest/v10.04/logout")
if non_compliance == False:
    print("\nAll devices running the correct image\n")

* We are beginning to introduce multiple steps for our code to pass through. Here's an explanation of what is going on

1. Set a value of False for the object non-compliance. This Python object is called a boolean, we can use it to track a state of True or False, a bit like a light-switch, either on or off. At the start, before the loop we set the non_compliance switch to False: `non_compliance = False`
2. We run through the login, GET the hostname and firmware.
3. We then run an 'if' check against the string returned in the "current_version".
4. If the firmware doesn't match the conservative_release we flip the switch on "non_compliance" and print out the details.
5. We then log out and go through the loop again. Note that "non-compliance" is set to False outside of the loop, so this is not reset. If we see non-compliance once in the whole process, it is always set True.
6. Finally we do a check against non_compliance, and if it has not been set to True, we print out a line to declare this. That's a cleaner way to finish than just leaving a blank page.


### Task 4 - Extra Time

If you are confident with Python, why not try to pick out some other details from the API?

Use the Python examples that we've already used to build queries to the following URLs:

"https://{ip}/rest/v10.04/system"

"https://{ip}/rest/v10.04/system/interfaces?depth=2"

"https://{ip}/rest/v10.04/system/users"



# Lab Wrap Up

* Hopefully that gave you some insight into the Aruba AOS-CX REST API, Python and network automation.  
* Though the tasks we performed were relatively minor, all automation journeys are advised to start small; focusing on small, repetitive tasks that take up time during an engineer's week.  
* Using GETs via the API rather than always relying on SSH & CLI for show commands is a good place to start because that will just take data from the device, it won't change the configuration state.  
* But that's not to say that the API is only good to 'GET' data. We can fully configure a device via the AOS-CX API as well! 

# Conclusion
* Let's conclude [here](HackShack-Conclusion.ipynb)