add enable secret support for sync device and sync device data onboaring job

[latuannetnam]

Closes: #480

What's Changed

This PR adds support for enable secrets (privileged mode passwords) during device onboarding via the sync_devices job. Devices requiring privileged mode (e.g., Cisco IOS) can now automatically enter enable mode using secrets stored in Nautobot Secrets Groups.

Summary of Changes

Credential Handling:

• _parse_credentials() now retrieves TYPE_SECRET from Secrets Groups in addition to username and password
• Returns 3-tuple: (username, password, secret) instead of 2-tuple
• Automatically falls back to using password as enable secret if TYPE_SECRET is not defined

Connection Setup:

• _set_inventory() accepts optional secret parameter
• Merges enable secret into netmiko connection options extras
• Maintains backward compatibility with existing configurations

Command Execution:

• Added enable=True parameter to netmiko_send_command task calls
• Automatically enters privileged mode before executing show commands
• Uses enable secret from connection options

Configuration Example

Create a Secrets Group with three secrets:

Secrets Group: "Cisco-Production"
├── Username (TYPE_USERNAME) → "network_admin"
├── Password (TYPE_PASSWORD) → "login_password"  
└── Enable Secret (TYPE_SECRET) → "enable_password"

Assign to devices in Nautobot. The sync_devices job will automatically use the enable secret to enter privileged mode.

Backward Compatibility

✅ Fully backward compatible:

• If no TYPE_SECRET is defined, the password is used as the enable secret
• Existing configurations without enable secrets continue to work unchanged
• No breaking changes to existing functionality

To Do

• Explanation of Change(s)
• Added change log fragment(s) (for more information see the documentation)
• [] Attached Screenshots, Payload Example
• Unit, Integration Tests
  • ✅ test_inventory_creator.py: 7/7 tests passed
  • ✅ Added test_parse_user_pass_and_secret for enable secret parsing
  • ✅ Added test_set_inventory_with_secret for connection options
  • ✅ Added test_set_inventory_without_secret for fallback behavior
• Documentation Updates (when adding/changing features)
• Outline Remaining Work, Constraints from Design

Files Modified

• nornir_plays/command_getter.py
• nornir_plays/inventory_creator.py
• tests/test_command_getter.py
• tests/test_inventory_creator.py

Remaining Work

• Add changelog fragment
• Update user documentation with enable secret configuration examples

[jeffkala]

Definitely a miss just for that "sync_devices" job. It would have worked natively for the second "sync network data" job. I'll have to look through this closely as the entire "on demand" nature of the nornir inventory has been on my mind lately.

Largely I'd say this seems something specific to your environment being more locked down then we tend to see. Meaning its not as common to have to do enable mode for show commands.

[latuannetnam]

Definitely a miss just for that "sync_devices" job. It would have worked natively for the second "sync network data" job. I'll have to look through this closely as the entire "on demand" nature of the nornir inventory has been on my mind lately.

Largely I'd say this seems something specific to your environment being more locked down then we tend to see. Meaning its not as common to have to do enable mode for show commands.

We’re onboarding Eltek (https://www.eltek.com/) devices in our network, and due to our security policy, certain commands must be executed in privileged mode. Specifically, show running-config, which is used by the mgmt_interface command mapper, is only permitted in enable mode.

Because of this requirement, we need to implement the enable feature to properly support this device platform. This isn’t so much about the general workflow of the jobs, but rather about complying with the access restrictions enforced in our environment for Eltek devices.

[latuannetnam]

Hi team 👋

Gentle ping on this PR! This adds enable secret support for device onboarding (issue #480), which is needed for devices with strict privilege mode requirements.

The implementation is backward compatible and follows existing Secrets Group patterns. Would appreciate a review when you have time!

Thanks! 🙏

[jeffkala]

Looks good to me, thank you so much for your contribution.

[jeffkala]

@latuannetnam what version of NB are you running? This PR is going into develop which is only the 3.0 compatible version for Nautobot core 3.0. So if you're on NB 2.0 then you'll have to cherry pick it into the ltm-2.4 branch.

Also please get the rest of the test passing. And a change fragment added.

[latuannetnam]

@jeffkala Thanks for the review and approval!

I've addressed the remaining items:

✅ Tests passing - All 173 unit tests now pass successfully
✅ Change fragment added - Created changes/482.added documenting the enable secret support feature

The PR is ready for merge. Let me know if you need anything else!

[latuannetnam]

@jeffkala I’m already running this PR on Nautobot 3.0+ in my production environment and it’s working well 👍
So targeting the NB 3.0 / develop branch is totally fine from my side.

[cdtomkins]

Could you please fix the changelog fragment to match the expected format and fix the docs build errors. Thanks!

[latuannetnam]

Could you please fix the changelog fragment to match the expected format and fix the docs build errors. Thanks!

@cdtomkins Thanks for the feedback! I've just pushed the fixes:

1. Changelog fragment – Removed the YAML frontmatter from changes/482.added. It now uses the correct plain text format as specified in the Nautobot development guidelines.

2. Docs build – Added custom_command_mapper_per_platform.md to the nav section in mkdocs.yml. The docs now build cleanly with --strict mode.

Let me know if anything else needs adjustment!