Implement snmpv3_user fact and snmp::snmpv3_usm_hash function #157
Conversation
|
Hi @smoeding, thanks for the PR. Can you take a look at the failed travis job? |
|
This looks good to me. Can somebody else please take a look as well? |
|
Would we dare to put the |
| dispatch :snmpv3_usm_hash do | ||
| required_param 'String', :authtype | ||
| required_param 'String', :engine | ||
| required_param 'String', :passphrase |
There was a problem hiding this comment.
I'm not sure but can we use required_param 'String[8]', :passphrase ?
There was a problem hiding this comment.
Would it be sufficient to implement the type restriction in snmp::snmpv3_user?
|
I have update the fact to include more details about the snmpv3 users that are currently configured. This includes details about the This should be enough to use the cleartext |
|
I will prepare a rebase & squash for the PR. |
This rewrite of `snmp::snmpv3_user` (re)creates the user if it does not exist or the stored passwords do not match the expected values. It uses the `snmpv3_user` fact to retrieve the currently configured SNMPv3 users and calculates the expected password hashes by calling the `snmp::snmpv3_usm_hash` function using the cleartext password. Updating the passwords in Puppet will now correctly update the passwords in the SNMP configuration file. (closes #4).
|
Hi @smoeding . Thank you for the PR. I written some questions with in line comments. |
|
I'm not sure if I understand your question correctly. The Puppet code tries to figure out if the hash in the config file is the same that is generated by executing the documented function using the engine id and the cleartext password as input. If they are equal, nothing is done. Otherwise Puppet adds a The unit tests already contain tests for different scenarios: user missing, user defined but with different hashes, ... and checks that the |
|
The unit tests test the catalog. The acceptance tests test the result of catalog. I saw you proposed good range of unit tests. If you know how to do, IMO it is interesting to add acceptance tests about modifying user settings. If you are interested by learning how to do, we can provide some guidance on #voxpupuli channel (IRC or Slack). And otherwise we can merge the PR like this and i'll update acceptance in a new PR. Don't worry about this. Simply tell me your choice. |
|
I never looked into setting up acceptance tests. One reason is that I don't have a Vagrant setup available. And unfortunately I won't have the time to look into something like that in the near future. So please feel free to add any acceptance tests yourself! Thanks! |
|
Ok. Thank you for this PR. |
|
@smoeding Thanks! |
Pull Request (PR) description
This PR contains the code for the new
snmpv3_userfact andsnmp::snmpv3_usm_hashfunction.The fact is a structured fact that contains the configured SNMPv3 users and the the engine plus the passphrase hash that has been generated (e.g. by using
snmp::snmpv3_user). Example:The function can be used to calculate the SHA1 or MD5 hashes for a given engine and passphrase. The generated hash can be compared with the value returned by the fact to determine if the user actually has the password that Puppet tries to enforce.
The function is a ruby version of the code published in RFC-3414 (sections A.2.1 and A.2.2).
With this fact and function the
snmp::snmpv3_userdefined type could be extended to actually check the existing user and trigger an update if the hashes do not match. Something like this has also been discussed in issue #4.Maybe a custom type/provider implementation for
snmpv3_userwould be better. But I'm not sure how good restarting the SNMP daemon would fit into the type/provider model.