From 0379281873269776fead3cbe885f2c4b0617622d Mon Sep 17 00:00:00 2001
From: ajasnosz <139114006+ajasnosz@users.noreply.github.com>
Date: Wed, 24 Jul 2024 12:58:58 +0200
Subject: [PATCH] fix: add support for security level (#1050)
---
 CHANGELOG.md | 1 +
 splunk_connect_for_snmp/snmp/auth.py | 5 +--
 test/snmp/test_auth.py | 62 ++++++++++++++++++++++++++++
 3 files changed, 65 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 26af0c1e7..85bb348ef 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@
 - added `yamllint` validation for the `values.yaml` formatting
 - added "in code" validation of groups and profiles
 - added logs configuration to docker compose deployment
+- add support for different security level in snmp v3
 ### Fixed
 - fixed a bug with configuration from values.yaml not being transferred to the UI while migrating to SC4SNMP-UI
diff --git a/splunk_connect_for_snmp/snmp/auth.py b/splunk_connect_for_snmp/snmp/auth.py
index 3e695b482..f53e62f55 100644
--- a/splunk_connect_for_snmp/snmp/auth.py
+++ b/splunk_connect_for_snmp/snmp/auth.py
@@ -136,8 +136,8 @@ def get_auth_v3(logger, ir: InventoryRecord, snmp_engine: SnmpEngine) -> UsmUser
 )
 return UsmUserData(
 username,
- authKey=auth_key,
- privKey=priv_key,
+ authKey=auth_key if auth_key else None,
+ privKey=priv_key if priv_key else None,
 authProtocol=auth_protocol,
 privProtocol=priv_protocol,
 securityEngineId=security_engine_id,
@@ -161,7 +161,6 @@ def get_auth_v1(ir: InventoryRecord) -> CommunityData:
 def get_auth(
 logger, ir: InventoryRecord, snmp_engine: SnmpEngine
 ) -> Union[UsmUserData, CommunityData]:
-
 if ir.version == "1":
 return get_auth_v1(ir)
 elif ir.version == "2c":
diff --git a/test/snmp/test_auth.py b/test/snmp/test_auth.py
index fc62ffdd4..771b78292 100644
--- a/test/snmp/test_auth.py
+++ b/test/snmp/test_auth.py
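Review bot: In the `UsmUserData(...)` call of `get_auth_v3`, turning an empty `auth_key` or `priv_key` into `None` makes the SNMPv3 security level depend on whether a secret happens to be empty, so a blank or misread key now yields a noAuthNoPriv or authNoPriv session with no error or log line, even where authPriv was intended. The downgrade should be visible to the operator: keep the result in a local and add `if usm.securityLevel != "authPriv": logger.warning("SNMPv3 security level is %s; traffic is not fully authenticated and encrypted", usm.securityLevel)`, without ever logging the key values. The body of `get_auth_v3` starts and ends outside this hunk, so how `get_secret_value` treats a missing file or trailing whitespace is not visible here and should be confirmed; a whitespace-only value is truthy and would still be passed on as a key. A non-empty `priv_key` combined with an empty `auth_key` is not handled in these lines either and is presumably left to pysnmp to reject.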
@@ -4,6 +4,8 @@
 from pysnmp.entity.config import (
 usmAesBlumenthalCfb192Protocol,
 usmHMAC128SHA224AuthProtocol,
+ usmNoAuthProtocol,
+ usmNoPrivProtocol,
 )
 from pysnmp.proto.rfc1902 import OctetString
@@ -169,6 +171,7 @@ def test_get_auth_v3(self, m_get_secret_value, m_exists):
 self.assertEqual("secret1", result.userName)
 self.assertEqual("secret2", result.authKey)
 self.assertEqual("secret3", result.privKey)
+ self.assertEqual("authPriv", result.securityLevel)
 self.assertEqual(usmHMAC128SHA224AuthProtocol, result.authProtocol)
 self.assertEqual(usmAesBlumenthalCfb192Protocol, result.privProtocol)
 self.assertEqual(security_engine_result._value, result.securityEngineId._value)
@@ -218,6 +221,7 @@ def test_get_auth_v3_security_engine_not_str(
 self.assertEqual("secret1", result.userName)
 self.assertEqual("secret2", result.authKey)
 self.assertEqual("secret3", result.privKey)
+ self.assertEqual("authPriv", result.securityLevel)
 self.assertEqual(usmHMAC128SHA224AuthProtocol, result.authProtocol)
 self.assertEqual(usmAesBlumenthalCfb192Protocol, result.privProtocol)
 self.assertEqual("ENGINE123", result.securityEngineId)
@@ -246,6 +250,64 @@ def test_get_auth_v3_exception(self, m_get_secret_value, m_exists):
 get_auth_v3(logger, ir, snmpEngine)
 self.assertEqual("invalid username from secret secret_ir", e.exception.args[0])
+ @patch("os.path.exists")
+ @patch("splunk_connect_for_snmp.snmp.auth.get_secret_value")
+ def test_get_auth_v3_noauthnopriv(self, m_get_secret_value, m_exists):
+ m_exists.return_value = True
+ m_get_secret_value.side_effect = [
+ "secret1",
+ "",
+ "",
+ "SHA224",
+ "AES192BLMT",
+ "1",
+ "2",
+ ]
+ logger = Mock()
+ snmpEngine = Mock()
+
+ result = get_auth_v3(logger, ir, snmpEngine)
+ security_engine_result = OctetString(hexValue="80003a8c04")
+ self.assertEqual("secret1", result.userName)
+ self.assertEqual(None, result.authKey)
+ self.assertEqual(None, result.privKey)
+ self.assertEqual("noAuthNoPriv", result.securityLevel)
+ self.assertEqual(usmNoAuthProtocol, result.authProtocol)
+ self.assertEqual(usmNoPrivProtocol, result.privProtocol)
+ self.assertEqual(security_engine_result._value, result.securityEngineId._value)
+ self.assertEqual("secret1", result.securityName)
+ self.assertEqual(1, result.authKeyType)
+ self.assertEqual(2, result.privKeyType)
+
+ @patch("os.path.exists")
+ @patch("splunk_connect_for_snmp.snmp.auth.get_secret_value")
+ def test_get_auth_v3_authnopriv(self, m_get_secret_value, m_exists):
+ m_exists.return_value = True
+ m_get_secret_value.side_effect = [
+ "secret1",
+ "secret2",
+ "",
+ "SHA224",
+ "AES192BLMT",
+ "1",
+ "2",
+ ]
+ logger = Mock()
+ snmpEngine = Mock()
+
+ result = get_auth_v3(logger, ir, snmpEngine)
+ security_engine_result = OctetString(hexValue="80003a8c04")
+ self.assertEqual("secret1", result.userName)
+ self.assertEqual("secret2", result.authKey)
+ self.assertEqual(None, result.privKey)
+ self.assertEqual("authNoPriv", result.securityLevel)
+ self.assertEqual(usmHMAC128SHA224AuthProtocol, result.authProtocol)
+ self.assertEqual(usmNoPrivProtocol, result.privProtocol)
+ self.assertEqual(security_engine_result._value, result.securityEngineId._value)
+ self.assertEqual("secret1", result.securityName)
+ self.assertEqual(1, result.authKeyType)
+ self.assertEqual(2, result.privKeyType)
+
 def test_get_auth_v2c(self):
 result = get_auth_v2c(ir)
 self.assertEqual("public", result.communityName)
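Review bot: The two added tests cover an empty authKey with an empty privKey, and an empty privKey alone, but not the remaining combination of an empty authKey with a non-empty privKey, which SNMPv3 USM does not define as a security level. A third case using `m_get_secret_value.side_effect = ["secret1", "", "secret3", "SHA224", "AES192BLMT", "1", "2"]` would pin whether `get_auth_v3` raises or returns a user for that misconfiguration, so a later pysnmp upgrade cannot change the outcome unnoticed. The expected result cannot be read from this page and has to be confirmed before the assertion is written. Both new tests also assert that the configured `SHA224`/`AES192BLMT` protocols come back as `usmNoAuthProtocol`/`usmNoPrivProtocol` when the matching key is empty; a short comment such as `# protocol falls back to the "no" variant when its key is None` would explain that this, apparently, is done by `UsmUserData` and not by the lines changed in `auth.py`.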