Files
claudetools/.claude/skills/yealink-ymcs/scripts/ymcs_client.py
Mike Swanson 850e685d8d feat: yealink-ymcs skill — YMCS v2 device-management API, pairs with packetdial
New skill to manage ACG's Yealink phone fleets via Yealink Management Cloud Service v2
(us-api.ymcs.yealink.com). RTFM'd the API (token auth via POST /v2/token Basic+bearer, NOT the
legacy RPS HMAC; legacy-TLS renegotiation required) + endpoint map from the dszp/n8n-nodes-
yealinkymcs community node. Live-verified: token auth, sites (one ACG AccessKey sees ALL client
sites — VWP/GuruHQ/Ace Pick Up Parks as children of the ACG parent), devices, accounts,
rps-servers (RPS = "WL - ACG" ftp://p.packetdials.net). Gated writes (--confirm): add-devices-by-mac,
add-sipaccount (push a NetSapiens SIP cred onto a phone = the PBX glue), reboot, reset, rps add/del;
+ raw passthrough (auto-recovers the MSYS /v2 path-mangling). Creds vaulted at
services/yealink-ymcs.sops.yaml. Pairs with packetdial onboard-domain for new-client phone
provisioning; VWP is the live pilot. Honest [V]/[P] verification status in SKILL.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 09:59:52 -07:00

198 lines
9.2 KiB
Python

#!/usr/bin/env python3
"""ymcs_client.py — Yealink Management Cloud Service (YMCS) v2 open-API client.
Manages ACG-managed client Yealink phone fleets. Pairs with the `packetdial`
skill (NetSapiens PBX): YMCS owns the physical phones (provisioning, config,
firmware); the PBX owns the SIP accounts the phones register to.
Auth (v2): POST /v2/token with HTTP Basic (AccessKeyID:Secret) -> bearer token
(cached ~24h). Subsequent calls send `Authorization: Bearer <token>`. Every
request also carries `timestamp` (ms) + `nonce` headers. Yealink's servers
require LEGACY TLS renegotiation — handled via an SSL context with
OP_LEGACY_SERVER_CONNECT.
Credentials come from the SOPS vault entry `services/yealink-ymcs.sops.yaml`
(credentials.access_key_id / access_key_secret), or env overrides
YMCS_ACCESS_KEY_ID / YMCS_ACCESS_KEY_SECRET. Region via YMCS_REGION (default us).
List endpoints are POST with {skip, limit, autoCount} and return {total, data:[]}.
"""
import sys, os, json, ssl, base64, uuid, time, subprocess
import urllib.request, urllib.error, urllib.parse
REGION_HOSTS = {
"us": "https://us-api.ymcs.yealink.com",
"eu": "https://eu-api.ymcs.yealink.com",
"au": "https://au-api.ymcs.yealink.com",
}
VAULT_ENTRY = "services/yealink-ymcs.sops.yaml"
def _log_skill_error(msg, context=""):
try:
root = os.environ.get("CLAUDETOOLS_ROOT") or os.path.abspath(
os.path.join(os.path.dirname(__file__), "..", "..", "..", "..")
)
h = os.path.join(root, ".claude", "scripts", "log-skill-error.sh")
if not os.path.exists(h):
return
a = ["bash", h, "yealink-ymcs", msg]
if context:
a += ["--context", context]
subprocess.run(a, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=10)
except Exception:
pass
class YmcsError(Exception):
pass
def _repo_root():
return os.environ.get("CLAUDETOOLS_ROOT") or os.path.abspath(
os.path.join(os.path.dirname(__file__), "..", "..", "..", "..")
)
def _vault_field(field):
"""Read a field from the YMCS vault entry via vault.sh (None if absent)."""
vault_sh = os.path.join(_repo_root(), ".claude", "scripts", "vault.sh")
if not os.path.exists(vault_sh):
return None
try:
r = subprocess.run(["bash", vault_sh, "get-field", VAULT_ENTRY, field],
capture_output=True, text=True, timeout=30)
v = (r.stdout or "").strip()
return v or None
except Exception:
return None
def _legacy_tls_context():
"""SSL context that permits Yealink's legacy TLS renegotiation."""
ctx = ssl.create_default_context()
legacy = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4)
ctx.options |= legacy
return ctx
class YmcsClient:
def __init__(self):
self.key_id = (os.environ.get("YMCS_ACCESS_KEY_ID")
or _vault_field("credentials.access_key_id"))
self.key_secret = (os.environ.get("YMCS_ACCESS_KEY_SECRET")
or _vault_field("credentials.access_key_secret"))
if not self.key_id or not self.key_secret:
raise YmcsError(
"No YMCS credentials. Expected vault " + VAULT_ENTRY +
" (credentials.access_key_id/access_key_secret) or env "
"YMCS_ACCESS_KEY_ID/YMCS_ACCESS_KEY_SECRET."
)
self.region = (os.environ.get("YMCS_REGION") or "us").lower()
self.base = REGION_HOSTS.get(self.region, REGION_HOSTS["us"])
self._ctx = _legacy_tls_context()
self._token = None
# ---- low-level HTTP ----
def _http(self, method, url, headers, body=None):
data = json.dumps(body).encode() if body is not None else None
req = urllib.request.Request(url, data=data, method=method, headers=headers)
try:
with urllib.request.urlopen(req, timeout=30, context=self._ctx) as r:
raw = r.read().decode("utf-8", "replace")
return r.status, (json.loads(raw) if raw.strip() else None)
except urllib.error.HTTPError as e:
raw = e.read().decode("utf-8", "replace")
try:
return e.code, json.loads(raw)
except Exception:
return e.code, {"error": raw[:400]}
except Exception as e:
return 0, {"error": str(e)}
def _stamp_headers(self, extra=None):
h = {"Content-Type": "application/json",
"timestamp": str(int(time.time() * 1000)),
"nonce": uuid.uuid4().hex}
if extra:
h.update(extra)
return h
# ---- auth ----
def token(self):
if self._token:
return self._token
basic = base64.b64encode(f"{self.key_id}:{self.key_secret}".encode()).decode()
h = self._stamp_headers({"Authorization": "Basic " + basic})
st, r = self._http("POST", self.base + "/v2/token", h, {"grant_type": "client_credentials"})
if st != 200 or not isinstance(r, dict) or not r.get("access_token"):
_log_skill_error(f"token request failed (HTTP {st})", context=f"resp={json.dumps(r)[:120]}")
raise YmcsError(f"YMCS token request failed (HTTP {st}): {json.dumps(r)[:300]}")
self._token = r["access_token"]
return self._token
# ---- authenticated request ----
def request(self, method, endpoint, body=None, params=None):
if not endpoint.startswith("/"):
endpoint = "/" + endpoint
url = self.base + endpoint
if params:
q = {k: v for k, v in params.items() if v is not None}
if q:
url += "?" + urllib.parse.urlencode(q)
h = self._stamp_headers({"Authorization": "Bearer " + self.token()})
st, r = self._http(method, url, h, body)
if st == 401: # token may have expired mid-life; refresh once
self._token = None
h = self._stamp_headers({"Authorization": "Bearer " + self.token()})
st, r = self._http(method, url, h, body)
if st not in (200, 201, 204):
raise YmcsError(f"YMCS API {method} {endpoint} -> HTTP {st}: {json.dumps(r)[:300]}")
return r
def _list(self, endpoint, limit=500, extra=None, fetch_all=True):
"""POST a paged list endpoint ({skip,limit,autoCount}); returns the data list.
Set fetch_all=False (or limit small) for a single page.
"""
out, skip, total = [], 0, None
while True:
body = {"skip": skip, "limit": limit, "autoCount": total is None}
if extra:
body.update(extra)
r = self.request("POST", endpoint, body=body)
if total is None:
total = (r or {}).get("total", 0)
items = (r or {}).get("data", []) or []
out.extend(items)
skip += len(items)
if not fetch_all or not items or skip >= (total or 0):
break
return {"total": total, "count": len(out), "data": out}
# ================= READ wrappers (safe) =================
def list_sites(self, **f): return self._list("/v2/dm/listSites", extra=f or None)
def list_devices(self, **f): return self._list("/v2/dm/listDevices", extra=f or None)
def list_accounts(self, **f): return self._list("/v2/dm/listAccounts", extra=f or None)
def list_device_groups(self, **f): return self._list("/v2/dm/listDeviceGroups", extra=f or None)
def list_device_configs(self, **f): return self._list("/v2/dm/listDeviceConfigs", extra=f or None)
def list_firmwares(self, **f): return self._list("/v2/dm/listFirmwares", extra=f or None)
def list_official_firmwares(self, **f): return self._list("/v2/dm/listOfficalFirmwares", extra=f or None)
def list_alarms(self, **f): return self._list("/v2/dm/listAlarms", extra=f or None)
def list_oplogs(self, **f): return self._list("/v2/dm/listOpLogs", extra=f or None)
def models(self, **f): return self.request("POST", "/v2/dm/models", body=(f or {}))
def rps_list_servers(self, **f): return self._list("/v2/rps/listServers", extra=f or None)
def rps_list_devices(self, **f): return self._list("/v2/rps/listDevices", extra=f or None)
# ================= WRITE wrappers (gated by the CLI --confirm) =================
def add_devices_by_mac(self, body): return self.request("POST", "/v2/dm/addDevicesByMac", body=body)
def add_devices(self, body): return self.request("POST", "/v2/dm/addDevices", body=body)
def del_devices(self, body): return self.request("POST", "/v2/dm/delDevices", body=body)
def device_reboot(self, body): return self.request("POST", "/v2/dm/device/reboot", body=body)
def device_reset(self, body): return self.request("POST", "/v2/dm/device/reset", body=body)
def rps_add_devices(self, body): return self.request("POST", "/v2/rps/addDevices", body=body)
def rps_delete_devices(self, body): return self.request("POST", "/v2/rps/deleteDevices", body=body)
# SIP-account create = the PBX glue: push a NetSapiens SIP cred onto a device.
# POST /v2/dm/sipAccounts requires sipServer1, register name/user/password, mac, etc.
def add_sip_account(self, body): return self.request("POST", "/v2/dm/sipAccounts", body=body)