From 5edf3e5d876a13143ca01c38034b19035b9f5f20 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 30 Jun 2018 21:33:52 +0200 Subject: T713: bugfix incorrect parsing of seclevel SNMP v3 group seclevel was not taken into account when validating existance of user auth or priv keys. --- src/conf_mode/snmp.py | 76 +++++++++++++++++++++++++++++---------------------- 1 file changed, 44 insertions(+), 32 deletions(-) diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py index 923827631..cbec20731 100755 --- a/src/conf_mode/snmp.py +++ b/src/conf_mode/snmp.py @@ -74,7 +74,9 @@ user_config_tmpl = """ # user {% if v3_users %} {% for u in v3_users %} -{% if u.authPassword %} +{% if u.authOID == 'none' %} +createUser {{ u.name }} +{% elif u.authPassword %} createUser {{ u.name }} {{ u.authProtocol | upper }} "{{ u.authPassword }}" {{ u.privProtocol | upper }} {{ u.privPassword }} {% else %} usmUser 1 3 {{ u.engineID }} "{{ u.name }}" "{{ u.name }}" NULL {{ u.authOID }} {{ u.authMasterKey }} {{ u.privOID }} {{ u.privMasterKey }} 0x @@ -469,7 +471,7 @@ def get_config(): 'authMasterKey': '', 'authPassword': '', 'authProtocol': '', - 'authOID': '', + 'authOID': 'none', 'engineID': '', 'group': '', 'mode': 'ro', @@ -625,45 +627,55 @@ def verify(snmp): if 'v3_users' in snmp.keys(): for user in snmp['v3_users']: - if user['authPassword'] and user['authMasterKey']: - raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user auth') + # + # Group must exist prior to mapping it into a group + # seclevel will be extracted from group + # + error = True + if user['group']: + if 'v3_groups' in snmp.keys(): + for group in snmp['v3_groups']: + if group['name'] == user['group']: + seclevel = group['seclevel'] + error = False - if user['privPassword'] and user['privMasterKey']: - raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user privacy') + if error: + raise ConfigError('You must create group "{0}" first'.format(user['group'])) - if user['privPassword'] == '' and user['privMasterKey'] == '': - raise ConfigError('Must specify encrypted-key or plaintext-key for user privacy') + # Depending on the configured security level + # the user has to provide additional info + if seclevel is 'auth' or seclevel is 'priv': + if user['authPassword'] and user['authMasterKey']: + raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user auth') - if user['privMasterKey'] and user['engineID'] == '': - raise ConfigError('Can not have "encrypted-key" without engineid') + if user['authPassword'] == '' and user['authMasterKey'] == '': + raise ConfigError('Must specify encrypted-key or plaintext-key for user auth') - if user['authPassword'] == '' and user['authMasterKey'] == '' and user['privTsmKey'] == '': - raise ConfigError('Must specify auth or tsm-key for user auth') + # seclevel 'priv' is more restrictive + if seclevel is 'priv': + if user['privPassword'] and user['privMasterKey']: + raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user privacy') - if user['privProtocol'] == '': - raise ConfigError('Must specify privacy type') + if user['privPassword'] == '' and user['privMasterKey'] == '': + raise ConfigError('Must specify encrypted-key or plaintext-key for user privacy') - if user['mode'] == '': - raise ConfigError('Must specify user mode ro/rw') + if user['privMasterKey'] and user['engineID'] == '': + raise ConfigError('Can not have "encrypted-key" without engineid') - if user['privTsmKey']: - if not tsmKeyPattern.match(snmp['v3_tsm_key']): - if not os.path.isfile('/etc/snmp/tls/certs/' + snmp['v3_tsm_key']): - if not os.path.isfile('/config/snmp/tls/certs/' + snmp['v3_tsm_key']): - raise ConfigError('User TSM key must be fingerprint or filename in "/config/snmp/tls/certs/" folder') + if user['authPassword'] == '' and user['authMasterKey'] == '' and user['privTsmKey'] == '': + raise ConfigError('Must specify auth or tsm-key for user auth') - if user['group']: - # - # Group must exist prior to mapping it into a group - # - error = True - if 'v3_groups' in snmp.keys(): - for group in snmp['v3_groups']: - if group['name'] == user['group']: - error = False - if error: - raise ConfigError('You must create group "{0}" first'.format(user['group'])) + if user['privProtocol'] == '': + raise ConfigError('Must specify privacy type') + + if user['mode'] == '': + raise ConfigError('Must specify user mode ro/rw') + if user['privTsmKey']: + if not tsmKeyPattern.match(snmp['v3_tsm_key']): + if not os.path.isfile('/etc/snmp/tls/certs/' + snmp['v3_tsm_key']): + if not os.path.isfile('/config/snmp/tls/certs/' + snmp['v3_tsm_key']): + raise ConfigError('User TSM key must be fingerprint or filename in "/config/snmp/tls/certs/" folder') if 'v3_views' in snmp.keys(): for view in snmp['v3_views']: -- cgit v1.2.3