| author | Christian Poessinger <christian@poessinger.com> | 2018-06-30 21:33:52 +0200 | 
|---|---|---|
| committer | Christian Poessinger <christian@poessinger.com> | 2018-06-30 22:04:26 +0200 | 
| commit | 5edf3e5d876a13143ca01c38034b19035b9f5f20 (patch) | |
| tree | 12ed07dfaeb8b2fe048030f4b5c95f7e3e52b86b /src | |
| parent | 22d903fd43a1366105e1236359dab399203c4d6e (diff) | |
T713: bugfix incorrect parsing of seclevel
SNMP v3 group seclevel was not taken into account when validating the existence of
user auth or priv keys.
Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/snmp.py | 76 | 
1 files changed, 44 insertions, 32 deletions
diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py
index 923827631..cbec20731 100755
--- a/src/conf_mode/snmp.py
+++ b/src/conf_mode/snmp.py
@@ -74,7 +74,9 @@ user_config_tmpl = """
 # user
 {% if v3_users %}
 {% for u in v3_users %}
-{% if u.authPassword %}
+{% if u.authOID == 'none' %}
+createUser {{ u.name }}
+{% elif u.authPassword %}
 createUser {{ u.name }} {{ u.authProtocol | upper }} "{{ u.authPassword }}" {{ u.privProtocol | upper }} {{ u.privPassword }}
 {% else %}
 usmUser 1 3 {{ u.engineID }} "{{ u.name }}" "{{ u.name }}" NULL {{ u.authOID }} {{ u.authMasterKey }} {{ u.privOID }} {{ u.privMasterKey }} 0x
@@ -469,7 +471,7 @@ def get_config():
                 'authMasterKey': '',
                 'authPassword': '',
                 'authProtocol': '',
-                'authOID': '',
+                'authOID': 'none',
                 'engineID': '',
                 'group': '',
                 'mode': 'ro',
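Review bot: The new template branch tests `u.authOID == 'none'` before `u.authPassword`, so a user whose authOID is still at the new default but who has a plaintext `authPassword` configured would be emitted as a bare `createUser {{ u.name }}`, i.e. with no authentication at all, instead of with the password. Whether authOID is populated for plaintext-password users is not visible in this diff; if it is only set for the encrypted-key case, the branches should be reordered to `{% if u.authPassword %}` first, then `{% elif u.authOID == 'none' %}`, then the `usmUser` fallback. A short comment above the new branch, such as `{# authOID 'none': no auth and no priv keys configured, create a noAuthNoPriv user #}`, would also make the intent explicit for the next reader.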
@@ -625,45 +627,55 @@ def verify(snmp):
     if 'v3_users' in snmp.keys():
         for user in snmp['v3_users']:
-            if user['authPassword'] and user['authMasterKey']:
-                raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user auth')
+            #
+            # Group must exist prior to mapping it into a group
+            # seclevel will be extracted from group
+            #
+            error = True
+            if user['group']:
+                if 'v3_groups' in snmp.keys():
+                    for group in snmp['v3_groups']:
+                        if group['name'] == user['group']:
+                            seclevel = group['seclevel']
+                            error = False
-            if user['privPassword'] and user['privMasterKey']:
-                raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user privacy')
+            if error:
+                raise ConfigError('You must create group "{0}" first'.format(user['group']))
-            if user['privPassword'] == '' and user['privMasterKey'] == '':
-                raise ConfigError('Must specify encrypted-key or plaintext-key for user privacy')
+            # Depending on the configured security level
+            # the user has to provide additional info
+            if seclevel is 'auth' or seclevel is 'priv':
+                if user['authPassword'] and user['authMasterKey']:
+                    raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user auth')
-            if user['privMasterKey'] and user['engineID'] == '':
-                raise ConfigError('Can not have "encrypted-key" without engineid')
+                if user['authPassword'] == '' and user['authMasterKey'] == '':
+                    raise ConfigError('Must specify encrypted-key or plaintext-key for user auth')
-            if user['authPassword'] == '' and user['authMasterKey'] == '' and user['privTsmKey'] == '':
-                raise ConfigError('Must specify auth or tsm-key for user auth')
+                # seclevel 'priv' is more restrictive
+                if seclevel is 'priv':
+                    if user['privPassword'] and user['privMasterKey']:
+                        raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user privacy')
-            if user['privProtocol'] == '':
-                raise ConfigError('Must specify privacy type')
+                    if user['privPassword'] == '' and user['privMasterKey'] == '':
+                        raise ConfigError('Must specify encrypted-key or plaintext-key for user privacy')
-            if user['mode'] == '':
-                raise ConfigError('Must specify user mode ro/rw')
+                    if user['privMasterKey'] and user['engineID'] == '':
+                        raise ConfigError('Can not have "encrypted-key" without engineid')
-            if user['privTsmKey']:
-                if not tsmKeyPattern.match(snmp['v3_tsm_key']):
-                    if not os.path.isfile('/etc/snmp/tls/certs/' + snmp['v3_tsm_key']):
-                        if not os.path.isfile('/config/snmp/tls/certs/' + snmp['v3_tsm_key']):
-                            raise ConfigError('User TSM key must be fingerprint or filename in "/config/snmp/tls/certs/" folder')
+                    if user['authPassword'] == '' and user['authMasterKey'] == '' and user['privTsmKey'] == '':
+                        raise ConfigError('Must specify auth or tsm-key for user auth')
-            if user['group']:
-                #
-                # Group must exist prior to mapping it into a group
-                #
-                error = True
-                if 'v3_groups' in snmp.keys():
-                    for group in snmp['v3_groups']:
-                        if group['name'] == user['group']:
-                            error = False
-                if error:
-                    raise ConfigError('You must create group "{0}" first'.format(user['group']))
+                    if user['privProtocol'] == '':
+                        raise ConfigError('Must specify privacy type')
+
+                    if user['mode'] == '':
+                        raise ConfigError('Must specify user mode ro/rw')
+                    if user['privTsmKey']:
+                        if not tsmKeyPattern.match(snmp['v3_tsm_key']):
+                            if not os.path.isfile('/etc/snmp/tls/certs/' + snmp['v3_tsm_key']):
+                                if not os.path.isfile('/config/snmp/tls/certs/' + snmp['v3_tsm_key']):
+                                    raise ConfigError('User TSM key must be fingerprint or filename in "/config/snmp/tls/certs/" folder')
     if 'v3_views' in snmp.keys():
         for view in snmp['v3_views']:
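Review bot: The security-level tests in the new code, `if seclevel is 'auth' or seclevel is 'priv':` and `if seclevel is 'priv':`, compare object identity rather than string value; whether they match depends on CPython happening to intern the string that came out of the config parser, and when it does not every auth and priv key check for that user is silently skipped, which is exactly the validation this commit sets out to enforce. They should read `if seclevel in ('auth', 'priv'):` and `if seclevel == 'priv':`. Separately, the `Must specify auth or tsm-key for user auth` check now sits under the `priv` branch after an auth-level check that already raised when both auth keys are empty, so it can no longer fire and a TSM-only user is rejected before it is reached; if TSM users are still meant to be supported that condition has to be evaluated before the auth-key requirement. The `tsmKeyPattern` branch also still validates `snmp['v3_tsm_key']` while the condition is on `user['privTsmKey']`, which looks like a per-user value being checked against a global one and is worth a second look. verify() continues outside this hunk on both sides.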
