T855: fix SNMP python verify() to allow non group assignment

VyOS 1.1.8 support SNMPv3 without a group beeing assigned to a user. This was yet not supported in VyOS 1.2.0. Use for testing: ================ set service snmp v3 user testsnmpv3 auth plain 'authkey12345' set service snmp v3 user testsnmpv3 auth type sha set service snmp v3 user testsnmpv3 mode ro set service snmp v3 user testsnmpv3 privacy plain 'privkey12345' set service snmp v3 user testsnmpv3 privacy type aes
author: Christian Poessinger <christian@poessinger.com> 2018-09-25 20:09:22 +0200
committer: Christian Poessinger <christian@poessinger.com> 2018-09-29 10:08:57 +0200
commit: 6b138fe680c9dc97bddbf981fe0c747ede55f660 (patch)
tree: c053c1c874e3090f219471f75c79b5173b091d1a /src
parent: 44355e6525daec62120601073065f63c9f9a7993 (diff)
download: vyos-1x-6b138fe680c9dc97bddbf981fe0c747ede55f660.tar.gz
vyos-1x-6b138fe680c9dc97bddbf981fe0c747ede55f660.zip
1 files changed, 22 insertions, 25 deletions
diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py
index 69952e5e2..cbca72a85 100755
--- a/src/conf_mode/snmp.py
+++ b/src/conf_mode/snmp.py
@@ -669,48 +669,45 @@ def verify(snmp):
             # Group must exist prior to mapping it into a group
             # seclevel will be extracted from group
             #
-            error = True
             if user['group']:
+                error = True
                 if 'v3_groups' in snmp.keys():
                     for group in snmp['v3_groups']:
                         if group['name'] == user['group']:
                             seclevel = group['seclevel']
                             error = False
 
-            if error:
-                raise ConfigError('You must create group "{0}" first'.format(user['group']))
+                if error:
+                    raise ConfigError('You must create group "{0}" first'.format(user['group']))
 
             # Depending on the configured security level
             # the user has to provide additional info
-            if seclevel in ('auth', 'priv'):
-                if user['authPassword'] and user['authMasterKey']:
-                    raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user auth')
+            if user['authPassword'] and user['authMasterKey']:
+                raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user auth')
 
-                if (not user['authPassword'] and not user['authMasterKey']):
-                    raise ConfigError('Must specify encrypted-key or plaintext-key for user auth')
+            if (not user['authPassword'] and not user['authMasterKey']):
+                raise ConfigError('Must specify encrypted-key or plaintext-key for user auth')
 
-                # seclevel 'priv' is more restrictive
-                if seclevel in ('priv'):
-                    if user['privPassword'] and user['privMasterKey']:
-                        raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user privacy')
+            if user['privPassword'] and user['privMasterKey']:
+                raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user privacy')
 
-                    if user['privPassword'] == '' and user['privMasterKey'] == '':
-                        raise ConfigError('Must specify encrypted-key or plaintext-key for user privacy')
+            if user['privPassword'] == '' and user['privMasterKey'] == '':
+                raise ConfigError('Must specify encrypted-key or plaintext-key for user privacy')
 
-                    if user['privMasterKey'] and user['engineID'] == '':
-                        raise ConfigError('Can not have "encrypted-key" without engineid')
+            if user['privMasterKey'] and user['engineID'] == '':
+                raise ConfigError('Can not have "encrypted-key" without engineid')
 
-                    if user['authPassword'] == '' and user['authMasterKey'] == '' and user['privTsmKey'] == '':
-                        raise ConfigError('Must specify auth or tsm-key for user auth')
+            if user['authPassword'] == '' and user['authMasterKey'] == '' and user['privTsmKey'] == '':
+                raise ConfigError('Must specify auth or tsm-key for user auth')
 
-                    if user['mode'] == '':
-                        raise ConfigError('Must specify user mode ro/rw')
+            if user['mode'] == '':
+                raise ConfigError('Must specify user mode ro/rw')
 
-                    if user['privTsmKey']:
-                        if not tsmKeyPattern.match(snmp['v3_tsm_key']):
-                            if not os.path.isfile('/etc/snmp/tls/certs/' + snmp['v3_tsm_key']):
-                                if not os.path.isfile('/config/snmp/tls/certs/' + snmp['v3_tsm_key']):
-                                    raise ConfigError('User TSM key must be fingerprint or filename in "/config/snmp/tls/certs/" folder')
+            if user['privTsmKey']:
+                if not tsmKeyPattern.match(snmp['v3_tsm_key']):
+                    if not os.path.isfile('/etc/snmp/tls/certs/' + snmp['v3_tsm_key']):
+                        if not os.path.isfile('/config/snmp/tls/certs/' + snmp['v3_tsm_key']):
+                            raise ConfigError('User TSM key must be fingerprint or filename in "/config/snmp/tls/certs/" folder')
 
     if 'v3_views' in snmp.keys():
         for view in snmp['v3_views']:
author	Christian Poessinger <christian@poessinger.com>	2018-09-25 20:09:22 +0200
committer	Christian Poessinger <christian@poessinger.com>	2018-09-29 10:08:57 +0200
commit	6b138fe680c9dc97bddbf981fe0c747ede55f660 (patch)
tree	c053c1c874e3090f219471f75c79b5173b091d1a /src
parent	44355e6525daec62120601073065f63c9f9a7993 (diff)
download	vyos-1x-6b138fe680c9dc97bddbf981fe0c747ede55f660.tar.gz vyos-1x-6b138fe680c9dc97bddbf981fe0c747ede55f660.zip