Class: Cisco::SnmpUser

Inherits:

NodeUtil

• Object
• NodeUtil
• Cisco::SnmpUser

Defined in:

lib/cisco_node_utils/snmpuser.rb

Overview

SnmpUser - node utility class for SNMP user configuration management

Instance Attribute Summary

• #engine_id ⇒ Object readonly

  Returns the value of attribute engine_id.

• #name ⇒ Object readonly

  Returns the value of attribute name.

Class Method Summary

• .auth_password(name, engine_id) ⇒ Object
• .default_auth_password ⇒ Object
• .default_auth_protocol ⇒ Object
• .default_engine_id ⇒ Object
• .default_groups ⇒ Object
• .default_priv_password ⇒ Object
• .default_priv_protocol ⇒ Object
• .priv_password(name, engine_id) ⇒ Object
• .users ⇒ Object

Instance Method Summary

• #auth_password ⇒ Object
• #auth_password_equal?(input_pw, is_localized = false) ⇒ Boolean

  Passwords are hashed and so cannot be retrieved directly, but can be checked for equality.

• #auth_protocol ⇒ Object
• #destroy ⇒ Object
• #groups ⇒ Object
• #initialize(name, groups, authproto, authpass, privproto, privpass, localizedkey, engineid, instantiate = true) ⇒ SnmpUser constructor

  A new instance of SnmpUser.

• #initialize_validator(name, groups, authproto, authpass, privproto, privpass, engineid, instantiate) ⇒ Object
• #priv_password ⇒ Object
• #priv_password_equal?(input_pw, is_localized = false) ⇒ Boolean

  Passwords are hashed and so cannot be retrieved directly, but can be checked for equality.

• #priv_protocol ⇒ Object

Methods inherited from NodeUtil

client, #client, config_get, #config_get, #config_get_default, config_get_default, config_set, #config_set, #get, #ios_xr?, #nexus?, #node, node, platform, #platform, supports?, #supports?

Constructor Details

#initialize(name, groups, authproto, authpass, privproto, privpass, localizedkey, engineid, instantiate = true) ⇒ SnmpUser

Returns a new instance of SnmpUser.

# File 'lib/cisco_node_utils/snmpuser.rb', line 20

def initialize(name, groups, authproto, authpass, privproto,
               privpass, localizedkey, engineid, instantiate=true)
  initialize_validator(name, groups, authproto, authpass, privproto,
                       privpass, engineid, instantiate)
  @name = name
  @engine_id = engineid

  @authproto = authproto
  @privproto = privproto
  @groups_arr = groups

  authprotostr = _auth_sym_to_str(authproto)
  privprotostr = _priv_sym_to_str(privproto)

  return unless instantiate
  # Config string syntax:
  # [no] snmp-server user <user> [group] ...
  #      [auth {md5|sha} <passwd1>
  #       [priv [aes-128] <passwd2>] [localizedkey] [engineID <id>]
  #      ]
  # Assume if multiple groups, apply all config to each
  groups = [''] if groups.empty?
  groups.each do |group|
    config_set('snmp_user', 'user', '',
               name,
               group,
               authpass.empty? ? '' : "auth #{authprotostr} #{authpass}",
               privpass.empty? ? '' : "priv #{privprotostr} #{privpass}",
               localizedkey ? 'localizedkey' : '',
               engineid.empty? ? '' : "engineID #{engineid}")
  end
end

Instance Attribute Details

#engine_id ⇒ Object (readonly)

Returns the value of attribute engine_id.

# File 'lib/cisco_node_utils/snmpuser.rb', line 206

def engine_id
  @engine_id
end

#name ⇒ Object (readonly)

Returns the value of attribute name.

# File 'lib/cisco_node_utils/snmpuser.rb', line 132

def name
  @name
end

Class Method Details

.auth_password(name, engine_id) ⇒ Object

# File 'lib/cisco_node_utils/snmpuser.rb', line 154

def self.auth_password(name, engine_id)
  if engine_id.empty?
    users = config_get('snmp_user', 'auth_password')
    return nil if users.nil? || users.empty?
    users.each_entry { |user| return user[1] if user[0] == name }
  else
    users = config_get('snmp_user', 'auth_password_with_engine_id')
    return nil if users.nil? || users.empty?
    users.each_entry do |user|
      return user[1] if user[0] == name && user[2] == engine_id
    end
  end
  nil
end

.default_auth_password ⇒ Object

# File 'lib/cisco_node_utils/snmpuser.rb', line 150

def self.default_auth_password
  config_get_default('snmp_user', 'auth_password')
end

.default_auth_protocol ⇒ Object

# File 'lib/cisco_node_utils/snmpuser.rb', line 146

def self.default_auth_protocol
  _auth_str_to_sym(config_get_default('snmp_user', 'auth_protocol'))
end

.default_engine_id ⇒ Object

# File 'lib/cisco_node_utils/snmpuser.rb', line 208

def self.default_engine_id
  config_get_default('snmp_user', 'engine_id')
end

.default_groups ⇒ Object

# File 'lib/cisco_node_utils/snmpuser.rb', line 138

def self.default_groups
  [config_get_default('snmp_user', 'group')]
end

.default_priv_password ⇒ Object

# File 'lib/cisco_node_utils/snmpuser.rb', line 202

def self.default_priv_password
  config_get_default('snmp_user', 'priv_password')
end

.default_priv_protocol ⇒ Object

# File 'lib/cisco_node_utils/snmpuser.rb', line 198

def self.default_priv_protocol
  _priv_str_to_sym(config_get_default('snmp_user', 'priv_protocol'))
end

.priv_password(name, engine_id) ⇒ Object

# File 'lib/cisco_node_utils/snmpuser.rb', line 177

def self.priv_password(name, engine_id)
  if engine_id.empty?
    users = config_get('snmp_user', 'priv_password')
    unless users.nil? || users.empty?
      users.each_entry { |user| return user[1] if user[0] == name }
    end
  else
    users = config_get('snmp_user', 'priv_password_with_engine_id')
    unless users.nil? || users.empty?
      users.each_entry do |user|
        return user[1] if user[0] == name && user[2] == engine_id
      end
    end
  end
  nil
end

.users ⇒ Object

# File 'lib/cisco_node_utils/snmpuser.rb', line 77

def self.users
  users_hash = {}
  # config_get returns hash if 1 user, array if multiple, nil if none
  users = config_get('snmp_user', 'user')
  return users_hash if users.nil?
  users.each do |user|
    # n7k has enforcepriv, use-ipv*acl, avoid them
    next if user[/(enforcePriv|use-ipv4acl|use-ipv6acl)/]
    user_var_hash = _get_snmp_user_parse(user)
    name = user_var_hash[:name]
    engineid = user_var_hash[:engineid]
    if engineid.empty?
      index = name
    else
      index = name + ' ' + engineid
    end
    auth = user_var_hash[:auth]
    priv = user_var_hash[:priv]
    groups_arr = []
    # take care of multiple groups here
    # if the name already exists in hash
    # get all the previous properties
    if users_hash.key?(index)
      groups_arr = users_hash[index].groups
      auth = users_hash[index].auth_protocol
      priv = users_hash[index].priv_protocol
    end

    # add the group to the array
    groups_arr << _get_group_arr(user_var_hash)
    users_hash[index] = SnmpUser.new(name, groups_arr.flatten, auth,
                                     '', priv, '', false,
                                     engineid,
                                     false)
  end
  users_hash
end

Instance Method Details

#auth_password ⇒ Object

# File 'lib/cisco_node_utils/snmpuser.rb', line 169

def auth_password
  SnmpUser.auth_password(@name, @engine_id)
end

#auth_password_equal?(input_pw, is_localized = false) ⇒ Boolean

Passwords are hashed and so cannot be retrieved directly, but can be checked for equality. This is done by creating a fake user with the password and then comparing the hashes

Returns:

• (Boolean)

# File 'lib/cisco_node_utils/snmpuser.rb', line 215

def auth_password_equal?(input_pw, is_localized=false)
  input_pw = input_pw.to_s unless input_pw.is_a?(String)
  # If we provide no password, and no password present, it's a match!
  return true if input_pw.empty? && auth_protocol == :none
  # If we provide no password, but a password is present, or vice versa...
  return false if input_pw.empty? || auth_protocol == :none
  # OK, we have an input password, and a password is configured
  current_pw = auth_password
  if current_pw.nil?
    fail "SNMP user #{@name} #{@engine_id} has auth #{auth_protocol} " \
         "but no password?\n" + @@node.get(command: 'show run snmp all')
  end

  if is_localized
    # In this case, the password is already hashed.
    hashed_pw = input_pw
  else
    # In this case passed in password is clear text while the running
    # config is hashed value. We need to hash the passed in clear text.

    # Create dummy user
    config_set('snmp_user', 'user', '', 'dummy_user', '',
               "auth #{_auth_sym_to_str(auth_protocol)} #{input_pw}",
               '', '',
               @engine_id.empty? ? '' : "engineID #{@engine_id}")

    # Retrieve password hashes
    hashed_pw = SnmpUser.auth_password('dummy_user', @engine_id)
    if hashed_pw.nil?
      fail "SNMP dummy user dummy_user #{@engine_id} was configured " \
           "but password is missing?\n" \
           + @@node.get(command: 'show run snmp all')
    end

    # Delete dummy user
    config_set('snmp_user', 'user', 'no', 'dummy_user', '',
               "auth #{_auth_sym_to_str(auth_protocol)} #{hashed_pw}",
               '', 'localizedkey',
               @engine_id.empty? ? '' : "engineID #{@engine_id}")
  end
  hashed_pw == current_pw
end

#auth_protocol ⇒ Object

# File 'lib/cisco_node_utils/snmpuser.rb', line 142

def auth_protocol
  @authproto
end

#destroy ⇒ Object

# File 'lib/cisco_node_utils/snmpuser.rb', line 115

def destroy
  # The parser doesn't care what the real value is but need to come to the
  # end of the parser chain. Hence we just pass in some fake values for
  # auth method and password
  unless auth_password.nil? || auth_password.empty?
    auth_str = "auth #{_auth_sym_to_str(auth_protocol)} #{auth_password}"
    local_str = 'localizedkey'
  end
  unless priv_password.nil? || priv_password.empty?
    priv_str = "priv #{_priv_sym_to_str(priv_protocol)} #{priv_password}"
  end
  config_set('snmp_user', 'user', 'no',
             @name, '', auth_str, priv_str, local_str,
             @engine_id.empty? ? '' : "engineID #{@engine_id}")
  SnmpUser.users.delete(@name + ' ' + @engine_id)
end

#groups ⇒ Object

# File 'lib/cisco_node_utils/snmpuser.rb', line 134

def groups
  @groups_arr
end

#initialize_validator(name, groups, authproto, authpass, privproto, privpass, engineid, instantiate) ⇒ Object

# File 'lib/cisco_node_utils/snmpuser.rb', line 53

def initialize_validator(name, groups, authproto, authpass, privproto,
                         privpass, engineid, instantiate)
  fail TypeError unless name.is_a?(String) &&
                        groups.is_a?(Array) &&
                        authproto.is_a?(Symbol) &&
                        authpass.is_a?(String) &&
                        privproto.is_a?(Symbol) &&
                        privpass.is_a?(String) &&
                        engineid.is_a?(String)
  fail ArgumentError if name.empty?
  # empty password but protocol provided = bad
  # non-empty password and no protocol provided = bad
  if authpass.empty?
    fail ArgumentError if [:sha, :md5].include?(authproto) && instantiate
  else
    fail ArgumentError unless [:sha, :md5].include?(authproto)
  end
  if privpass.empty?
    fail ArgumentError if [:des, :aes128].include?(privproto) && instantiate
  else
    fail ArgumentError unless [:des, :aes128].include?(privproto)
  end
end

#priv_password ⇒ Object

# File 'lib/cisco_node_utils/snmpuser.rb', line 194

def priv_password
  SnmpUser.priv_password(@name, @engine_id)
end

#priv_password_equal?(input_pw, is_localized = false) ⇒ Boolean

Passwords are hashed and so cannot be retrieved directly, but can be checked for equality. This is done by creating a fake user with the password and then comparing the hashes

Returns:

• (Boolean)

# File 'lib/cisco_node_utils/snmpuser.rb', line 261

def priv_password_equal?(input_pw, is_localized=false)
  input_pw = input_pw.to_s unless input_pw.is_a?(String)
  # If no input password, and no password present, true!
  return true if input_pw.empty? && priv_protocol == :none
  # Otherwise, if either one is missing, false!
  return false if input_pw.empty? || priv_protocol == :none
  # Otherwise, we have both input and configured passwords to compare
  current_pw = priv_password
  if current_pw.nil?
    fail "SNMP user #{@name} #{@engine_id} has priv #{priv_protocol} " \
         "but no password?\n" + @@node.get(command: 'show run snmp all')
  end

  if is_localized
    # In this case, the password is already hashed.
    hashed_pw = input_pw
  else
    # In this case passed in password is clear text while the running
    # config is hashed value. We need to hash the passed in clear text.

    # Create dummy user
    config_set('snmp_user', 'user', '', 'dummy_user', '',
               "auth #{_auth_sym_to_str(auth_protocol)} #{input_pw}",
               "priv #{_priv_sym_to_str(priv_protocol)} #{input_pw}",
               '',
               @engine_id.empty? ? '' : "engineID #{@engine_id}")

    # Retrieve password hashes
    dummyau = SnmpUser.auth_password('dummy_user', @engine_id)
    hashed_pw = SnmpUser.priv_password('dummy_user', @engine_id)
    if hashed_pw.nil?
      fail "SNMP dummy user dummy_user #{@engine_id} was configured " \
           "but password is missing?\n" \
           + @@node.get(command: 'show run snmp all')
    end

    # Delete dummy user
    config_set('snmp_user', 'user', 'no', 'dummy_user', '',
               "auth #{_auth_sym_to_str(auth_protocol)} #{dummyau}",
               "priv #{_priv_sym_to_str(priv_protocol)} #{hashed_pw}",
               'localizedkey',
               @engine_id.empty? ? '' : "engineID #{@engine_id}")
  end
  hashed_pw == current_pw
end

#priv_protocol ⇒ Object

# File 'lib/cisco_node_utils/snmpuser.rb', line 173

def priv_protocol
  @privproto
end