summaryrefslogtreecommitdiff
path: root/src/conf_mode/snmp.py
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2018-06-30 21:33:52 +0200
committerChristian Poessinger <christian@poessinger.com>2018-06-30 22:04:26 +0200
commit5edf3e5d876a13143ca01c38034b19035b9f5f20 (patch)
tree12ed07dfaeb8b2fe048030f4b5c95f7e3e52b86b /src/conf_mode/snmp.py
parent22d903fd43a1366105e1236359dab399203c4d6e (diff)
downloadvyos-1x-5edf3e5d876a13143ca01c38034b19035b9f5f20.tar.gz
vyos-1x-5edf3e5d876a13143ca01c38034b19035b9f5f20.zip
T713: bugfix incorrect parsing of seclevel
SNMP v3 group seclevel was not taken into account when validating existance of user auth or priv keys.
Diffstat (limited to 'src/conf_mode/snmp.py')
-rwxr-xr-xsrc/conf_mode/snmp.py76
1 files changed, 44 insertions, 32 deletions
diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py
index 923827631..cbec20731 100755
--- a/src/conf_mode/snmp.py
+++ b/src/conf_mode/snmp.py
@@ -74,7 +74,9 @@ user_config_tmpl = """
# user
{% if v3_users %}
{% for u in v3_users %}
-{% if u.authPassword %}
+{% if u.authOID == 'none' %}
+createUser {{ u.name }}
+{% elif u.authPassword %}
createUser {{ u.name }} {{ u.authProtocol | upper }} "{{ u.authPassword }}" {{ u.privProtocol | upper }} {{ u.privPassword }}
{% else %}
usmUser 1 3 {{ u.engineID }} "{{ u.name }}" "{{ u.name }}" NULL {{ u.authOID }} {{ u.authMasterKey }} {{ u.privOID }} {{ u.privMasterKey }} 0x
@@ -469,7 +471,7 @@ def get_config():
'authMasterKey': '',
'authPassword': '',
'authProtocol': '',
- 'authOID': '',
+ 'authOID': 'none',
'engineID': '',
'group': '',
'mode': 'ro',
@@ -625,45 +627,55 @@ def verify(snmp):
if 'v3_users' in snmp.keys():
for user in snmp['v3_users']:
- if user['authPassword'] and user['authMasterKey']:
- raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user auth')
+ #
+ # Group must exist prior to mapping it into a group
+ # seclevel will be extracted from group
+ #
+ error = True
+ if user['group']:
+ if 'v3_groups' in snmp.keys():
+ for group in snmp['v3_groups']:
+ if group['name'] == user['group']:
+ seclevel = group['seclevel']
+ error = False
- if user['privPassword'] and user['privMasterKey']:
- raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user privacy')
+ if error:
+ raise ConfigError('You must create group "{0}" first'.format(user['group']))
- if user['privPassword'] == '' and user['privMasterKey'] == '':
- raise ConfigError('Must specify encrypted-key or plaintext-key for user privacy')
+ # Depending on the configured security level
+ # the user has to provide additional info
+ if seclevel is 'auth' or seclevel is 'priv':
+ if user['authPassword'] and user['authMasterKey']:
+ raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user auth')
- if user['privMasterKey'] and user['engineID'] == '':
- raise ConfigError('Can not have "encrypted-key" without engineid')
+ if user['authPassword'] == '' and user['authMasterKey'] == '':
+ raise ConfigError('Must specify encrypted-key or plaintext-key for user auth')
- if user['authPassword'] == '' and user['authMasterKey'] == '' and user['privTsmKey'] == '':
- raise ConfigError('Must specify auth or tsm-key for user auth')
+ # seclevel 'priv' is more restrictive
+ if seclevel is 'priv':
+ if user['privPassword'] and user['privMasterKey']:
+ raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user privacy')
- if user['privProtocol'] == '':
- raise ConfigError('Must specify privacy type')
+ if user['privPassword'] == '' and user['privMasterKey'] == '':
+ raise ConfigError('Must specify encrypted-key or plaintext-key for user privacy')
- if user['mode'] == '':
- raise ConfigError('Must specify user mode ro/rw')
+ if user['privMasterKey'] and user['engineID'] == '':
+ raise ConfigError('Can not have "encrypted-key" without engineid')
- if user['privTsmKey']:
- if not tsmKeyPattern.match(snmp['v3_tsm_key']):
- if not os.path.isfile('/etc/snmp/tls/certs/' + snmp['v3_tsm_key']):
- if not os.path.isfile('/config/snmp/tls/certs/' + snmp['v3_tsm_key']):
- raise ConfigError('User TSM key must be fingerprint or filename in "/config/snmp/tls/certs/" folder')
+ if user['authPassword'] == '' and user['authMasterKey'] == '' and user['privTsmKey'] == '':
+ raise ConfigError('Must specify auth or tsm-key for user auth')
- if user['group']:
- #
- # Group must exist prior to mapping it into a group
- #
- error = True
- if 'v3_groups' in snmp.keys():
- for group in snmp['v3_groups']:
- if group['name'] == user['group']:
- error = False
- if error:
- raise ConfigError('You must create group "{0}" first'.format(user['group']))
+ if user['privProtocol'] == '':
+ raise ConfigError('Must specify privacy type')
+
+ if user['mode'] == '':
+ raise ConfigError('Must specify user mode ro/rw')
+ if user['privTsmKey']:
+ if not tsmKeyPattern.match(snmp['v3_tsm_key']):
+ if not os.path.isfile('/etc/snmp/tls/certs/' + snmp['v3_tsm_key']):
+ if not os.path.isfile('/config/snmp/tls/certs/' + snmp['v3_tsm_key']):
+ raise ConfigError('User TSM key must be fingerprint or filename in "/config/snmp/tls/certs/" folder')
if 'v3_views' in snmp.keys():
for view in snmp['v3_views']: