VACM modules converted from a function into an object to let it keep
state (caches) in the future
pull/45/head
parent
24d1327c26
commit
d918595551
|
@ -25,6 +25,8 @@ Revision 4.2.4
|
|||
- I/O sockets buffer sizes made configurable, minimum default is now
|
||||
forced to be no less than 2**17 (to fit two huge datagrams).
|
||||
- Catch possible exceptions on pyasn1 encoder invocation.
|
||||
- VACM modules converted from a function into an object to let it keep
|
||||
state (caches) in the future.
|
||||
- Unnecessary *MibSource explicit initialization calls removed at MibBuilder.
|
||||
- Example configuration for Net-SNMP's snmptrapd added.
|
||||
- Cast additionalVarBinds into ObjectIdentifier type at
|
||||
|
|
|
@ -25,23 +25,23 @@ class SnmpEngine:
|
|||
SnmpV2cMessageProcessingModel(),
|
||||
SnmpV3MessageProcessingModel.messageProcessingModelID:
|
||||
SnmpV3MessageProcessingModel()
|
||||
}
|
||||
}
|
||||
self.securityModels = {
|
||||
SnmpV1SecurityModel.securityModelID: SnmpV1SecurityModel(),
|
||||
SnmpV2cSecurityModel.securityModelID: SnmpV2cSecurityModel(),
|
||||
SnmpUSMSecurityModel.securityModelID: SnmpUSMSecurityModel()
|
||||
}
|
||||
}
|
||||
self.accessControlModel = {
|
||||
void.accessModelID: void,
|
||||
rfc3415.accessModelID: rfc3415
|
||||
}
|
||||
void.Vacm.accessModelID: void.Vacm(),
|
||||
rfc3415.Vacm.accessModelID: rfc3415.Vacm()
|
||||
}
|
||||
|
||||
self.transportDispatcher = None
|
||||
|
||||
if self.msgAndPduDsp.mibInstrumController is None:
|
||||
raise error.PySnmpError(
|
||||
'MIB instrumentation does not yet exist'
|
||||
)
|
||||
)
|
||||
snmpEngineMaxMessageSize, = self.msgAndPduDsp.mibInstrumController.mibBuilder.importSymbols('__SNMP-FRAMEWORK-MIB', 'snmpEngineMaxMessageSize')
|
||||
snmpEngineMaxMessageSize.syntax = snmpEngineMaxMessageSize.syntax.clone(maxMessageSize)
|
||||
snmpEngineBoots, = self.msgAndPduDsp.mibInstrumController.mibBuilder.importSymbols('__SNMP-FRAMEWORK-MIB', 'snmpEngineBoots')
|
||||
|
@ -61,7 +61,7 @@ class SnmpEngine:
|
|||
):
|
||||
self.msgAndPduDsp.receiveMessage(
|
||||
self, transportDomain, transportAddress, wholeMsg
|
||||
)
|
||||
)
|
||||
|
||||
def __receiveTimerTickCbFun(self, timeNow):
|
||||
self.msgAndPduDsp.receiveTimerTick(self, timeNow)
|
||||
|
@ -74,20 +74,20 @@ class SnmpEngine:
|
|||
if self.transportDispatcher is not None:
|
||||
raise error.PySnmpError(
|
||||
'Transport dispatcher already registered'
|
||||
)
|
||||
)
|
||||
transportDispatcher.registerRecvCbFun(
|
||||
self.__receiveMessageCbFun
|
||||
)
|
||||
)
|
||||
transportDispatcher.registerTimerCbFun(
|
||||
self.__receiveTimerTickCbFun
|
||||
)
|
||||
)
|
||||
self.transportDispatcher = transportDispatcher
|
||||
|
||||
def unregisterTransportDispatcher(self):
|
||||
if self.transportDispatcher is None:
|
||||
raise error.PySnmpError(
|
||||
'Transport dispatcher not registered'
|
||||
)
|
||||
)
|
||||
self.transportDispatcher.unregisterRecvCbFun()
|
||||
self.transportDispatcher.unregisterTimerCbFun()
|
||||
self.transportDispatcher = None
|
||||
|
|
|
@ -3,111 +3,109 @@ from pysnmp.smi.error import NoSuchInstanceError
|
|||
from pysnmp.proto import errind, error
|
||||
from pysnmp import debug
|
||||
|
||||
accessModelID = 3
|
||||
|
||||
__powOfTwoSeq = [128, 64, 32, 16, 8, 4, 2, 1]
|
||||
|
||||
# 3.2
|
||||
def isAccessAllowed(
|
||||
snmpEngine,
|
||||
securityModel,
|
||||
securityName,
|
||||
securityLevel,
|
||||
viewType,
|
||||
contextName,
|
||||
variableName):
|
||||
mibInstrumController = snmpEngine.msgAndPduDsp.mibInstrumController
|
||||
class Vacm:
|
||||
accessModelID = 3
|
||||
def isAccessAllowed(self,
|
||||
snmpEngine,
|
||||
securityModel,
|
||||
securityName,
|
||||
securityLevel,
|
||||
viewType,
|
||||
contextName,
|
||||
variableName):
|
||||
mibInstrumController = snmpEngine.msgAndPduDsp.mibInstrumController
|
||||
|
||||
debug.logger & debug.flagACL and debug.logger('isAccessAllowed: securityModel %s, securityName %s, securityLevel %s, viewType %s, contextName %s for variableName %s' % (securityModel, securityName, securityLevel, viewType, contextName, variableName))
|
||||
debug.logger & debug.flagACL and debug.logger('isAccessAllowed: securityModel %s, securityName %s, securityLevel %s, viewType %s, contextName %s for variableName %s' % (securityModel, securityName, securityLevel, viewType, contextName, variableName))
|
||||
|
||||
# 3.2.1
|
||||
vacmContextEntry, = mibInstrumController.mibBuilder.importSymbols('SNMP-VIEW-BASED-ACM-MIB', 'vacmContextEntry')
|
||||
tblIdx = vacmContextEntry.getInstIdFromIndices(contextName)
|
||||
try:
|
||||
vacmContextName = vacmContextEntry.getNode(
|
||||
vacmContextEntry.name + (1,) + tblIdx
|
||||
# 3.2.1
|
||||
vacmContextEntry, = mibInstrumController.mibBuilder.importSymbols('SNMP-VIEW-BASED-ACM-MIB', 'vacmContextEntry')
|
||||
tblIdx = vacmContextEntry.getInstIdFromIndices(contextName)
|
||||
try:
|
||||
vacmContextName = vacmContextEntry.getNode(
|
||||
vacmContextEntry.name + (1,) + tblIdx
|
||||
).syntax
|
||||
except NoSuchInstanceError:
|
||||
raise error.StatusInformation(errorIndication=errind.noSuchContext)
|
||||
except NoSuchInstanceError:
|
||||
raise error.StatusInformation(errorIndication=errind.noSuchContext)
|
||||
|
||||
# 3.2.2
|
||||
vacmSecurityToGroupEntry, = mibInstrumController.mibBuilder.importSymbols(
|
||||
'SNMP-VIEW-BASED-ACM-MIB', 'vacmSecurityToGroupEntry'
|
||||
# 3.2.2
|
||||
vacmSecurityToGroupEntry, = mibInstrumController.mibBuilder.importSymbols('SNMP-VIEW-BASED-ACM-MIB', 'vacmSecurityToGroupEntry')
|
||||
tblIdx = vacmSecurityToGroupEntry.getInstIdFromIndices(
|
||||
securityModel, securityName
|
||||
)
|
||||
tblIdx = vacmSecurityToGroupEntry.getInstIdFromIndices(
|
||||
securityModel, securityName
|
||||
)
|
||||
try:
|
||||
vacmGroupName = vacmSecurityToGroupEntry.getNode(
|
||||
vacmSecurityToGroupEntry.name + (3,) + tblIdx
|
||||
try:
|
||||
vacmGroupName = vacmSecurityToGroupEntry.getNode(
|
||||
vacmSecurityToGroupEntry.name + (3,) + tblIdx
|
||||
).syntax
|
||||
except NoSuchInstanceError:
|
||||
raise error.StatusInformation(errorIndication=errind.noGroupName)
|
||||
except NoSuchInstanceError:
|
||||
raise error.StatusInformation(errorIndication=errind.noGroupName)
|
||||
|
||||
# 3.2.3
|
||||
vacmAccessEntry, = mibInstrumController.mibBuilder.importSymbols(
|
||||
'SNMP-VIEW-BASED-ACM-MIB', 'vacmAccessEntry'
|
||||
# 3.2.3
|
||||
vacmAccessEntry, = mibInstrumController.mibBuilder.importSymbols(
|
||||
'SNMP-VIEW-BASED-ACM-MIB', 'vacmAccessEntry'
|
||||
)
|
||||
# XXX partial context name match
|
||||
tblIdx = vacmAccessEntry.getInstIdFromIndices(
|
||||
vacmGroupName, contextName, securityModel, securityLevel
|
||||
# XXX partial context name match
|
||||
tblIdx = vacmAccessEntry.getInstIdFromIndices(
|
||||
vacmGroupName, contextName, securityModel, securityLevel
|
||||
)
|
||||
|
||||
# 3.2.4
|
||||
if viewType == 'read':
|
||||
entryIdx = vacmAccessEntry.name + (5,) + tblIdx
|
||||
elif viewType == 'write':
|
||||
entryIdx = vacmAccessEntry.name + (6,) + tblIdx
|
||||
elif viewType == 'notify':
|
||||
entryIdx = vacmAccessEntry.name + (7,) + tblIdx
|
||||
else:
|
||||
raise error.ProtocolError('Unknown view type %s' % viewType)
|
||||
# 3.2.4
|
||||
if viewType == 'read':
|
||||
entryIdx = vacmAccessEntry.name + (5,) + tblIdx
|
||||
elif viewType == 'write':
|
||||
entryIdx = vacmAccessEntry.name + (6,) + tblIdx
|
||||
elif viewType == 'notify':
|
||||
entryIdx = vacmAccessEntry.name + (7,) + tblIdx
|
||||
else:
|
||||
raise error.ProtocolError('Unknown view type %s' % viewType)
|
||||
|
||||
try:
|
||||
viewName = vacmAccessEntry.getNode(entryIdx).syntax
|
||||
except NoSuchInstanceError:
|
||||
raise error.StatusInformation(errorIndication=errind.noAccessEntry)
|
||||
if not len(viewName):
|
||||
raise error.StatusInformation(errorIndication=errind.noSuchView)
|
||||
try:
|
||||
viewName = vacmAccessEntry.getNode(entryIdx).syntax
|
||||
except NoSuchInstanceError:
|
||||
raise error.StatusInformation(errorIndication=errind.noAccessEntry)
|
||||
if not len(viewName):
|
||||
raise error.StatusInformation(errorIndication=errind.noSuchView)
|
||||
|
||||
# XXX split onto object & instance ?
|
||||
|
||||
# 3.2.5a
|
||||
vacmViewTreeFamilyEntry, = mibInstrumController.mibBuilder.importSymbols('SNMP-VIEW-BASED-ACM-MIB', 'vacmViewTreeFamilyEntry')
|
||||
tblIdx = vacmViewTreeFamilyEntry.getInstIdFromIndices(viewName)
|
||||
# XXX split onto object & instance ?
|
||||
|
||||
# 3.2.5a
|
||||
vacmViewTreeFamilyEntry, = mibInstrumController.mibBuilder.importSymbols('SNMP-VIEW-BASED-ACM-MIB', 'vacmViewTreeFamilyEntry')
|
||||
tblIdx = vacmViewTreeFamilyEntry.getInstIdFromIndices(viewName)
|
||||
|
||||
# Walk over entries
|
||||
initialTreeName = treeName = vacmViewTreeFamilyEntry.name + (2,) + tblIdx
|
||||
maskName = vacmViewTreeFamilyEntry.name + (3,) + tblIdx
|
||||
while 1:
|
||||
vacmViewTreeFamilySubtree = vacmViewTreeFamilyEntry.getNextNode(
|
||||
treeName
|
||||
# Walk over entries
|
||||
initialTreeName = treeName = vacmViewTreeFamilyEntry.name + (2,) + tblIdx
|
||||
maskName = vacmViewTreeFamilyEntry.name + (3,) + tblIdx
|
||||
while 1:
|
||||
vacmViewTreeFamilySubtree = vacmViewTreeFamilyEntry.getNextNode(
|
||||
treeName
|
||||
)
|
||||
vacmViewTreeFamilyMask = vacmViewTreeFamilyEntry.getNextNode(
|
||||
maskName
|
||||
vacmViewTreeFamilyMask = vacmViewTreeFamilyEntry.getNextNode(
|
||||
maskName
|
||||
)
|
||||
treeName = vacmViewTreeFamilySubtree.name
|
||||
maskName = vacmViewTreeFamilyMask.name
|
||||
if initialTreeName != treeName[:len(initialTreeName)]:
|
||||
# 3.2.5b
|
||||
raise error.StatusInformation(errorIndication=errind.notInView)
|
||||
l = len(vacmViewTreeFamilySubtree.syntax)
|
||||
if l > len(variableName):
|
||||
continue
|
||||
if vacmViewTreeFamilyMask.syntax:
|
||||
mask = []
|
||||
for c in vacmViewTreeFamilyMask.syntax.asNumbers():
|
||||
mask = mask + [ b&c for b in __powOfTwoSeq ]
|
||||
m = len(mask)-1
|
||||
idx = l-1
|
||||
while idx:
|
||||
if idx > m or mask[idx] and \
|
||||
vacmViewTreeFamilySubtree.syntax[idx] != variableName[idx]:
|
||||
break
|
||||
idx = idx - 1
|
||||
if idx: continue # no match
|
||||
else: # no mask
|
||||
if vacmViewTreeFamilySubtree.syntax != variableName[:l]:
|
||||
continue # no match
|
||||
# 3.2.5c
|
||||
return error.StatusInformation(errorIndication=errind.accessAllowed)
|
||||
treeName = vacmViewTreeFamilySubtree.name
|
||||
maskName = vacmViewTreeFamilyMask.name
|
||||
if initialTreeName != treeName[:len(initialTreeName)]:
|
||||
# 3.2.5b
|
||||
raise error.StatusInformation(errorIndication=errind.notInView)
|
||||
l = len(vacmViewTreeFamilySubtree.syntax)
|
||||
if l > len(variableName):
|
||||
continue
|
||||
if vacmViewTreeFamilyMask.syntax:
|
||||
mask = []
|
||||
for c in vacmViewTreeFamilyMask.syntax.asNumbers():
|
||||
mask = mask + [ b&c for b in __powOfTwoSeq ]
|
||||
m = len(mask)-1
|
||||
idx = l-1
|
||||
while idx:
|
||||
if idx > m or mask[idx] and \
|
||||
vacmViewTreeFamilySubtree.syntax[idx] != variableName[idx]:
|
||||
break
|
||||
idx = idx - 1
|
||||
if idx: continue # no match
|
||||
else: # no mask
|
||||
if vacmViewTreeFamilySubtree.syntax != variableName[:l]:
|
||||
continue # no match
|
||||
# 3.2.5c
|
||||
return error.StatusInformation(errorIndication=errind.accessAllowed)
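Review bot: The mask branch still reads `__powOfTwoSeq`, but that reference now sits inside `class Vacm`, where Python's private-name mangling rewrites it to `_Vacm__powOfTwoSeq`. The list is shown only as a module-level name, so the lookup would raise NameError as soon as a view family entry carries a non-empty mask. An access-control check that fails with an unexpected exception instead of a `StatusInformation` is worth avoiding, since callers presumably handle only the latter. Making the table a class attribute without the double underscore avoids this: `_powOfTwoSeq = (128, 64, 32, 16, 8, 4, 2, 1)` next to `accessModelID`, and `mask = mask + [b & c for b in self._powOfTwoSeq]` in the loop. A test that exercises a masked view would have caught it.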
|
||||
|
|
|
@ -1,19 +1,19 @@
|
|||
# Void Access Control Model
|
||||
from pysnmp.proto import errind, error
|
||||
|
||||
accessModelID = 0
|
||||
|
||||
# rfc3415 3.2
|
||||
def isAccessAllowed(
|
||||
snmpEngine,
|
||||
securityModel,
|
||||
securityName,
|
||||
securityLevel,
|
||||
viewType,
|
||||
contextName,
|
||||
variableName):
|
||||
class Vacm:
|
||||
accessModelID = 0
|
||||
def isAccessAllowed(self,
|
||||
snmpEngine,
|
||||
securityModel,
|
||||
securityName,
|
||||
securityLevel,
|
||||
viewType,
|
||||
contextName,
|
||||
variableName):
|
||||
|
||||
debug.logger & debug.flagACL and debug.logger('isAccessAllowed: viewType %s for variableName %s - OK' % (viewType, variableName))
|
||||
debug.logger & debug.flagACL and debug.logger('isAccessAllowed: viewType %s for variableName %s - OK' % (viewType, variableName))
|
||||
|
||||
# rfc3415 3.2.5c
|
||||
return error.StatusInformation(errorIndication=errind.accessAllowed)
|
||||
# rfc3415 3.2.5c
|
||||
return error.StatusInformation(errorIndication=errind.accessAllowed)
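Review bot: `isAccessAllowed` calls `debug.logger`, yet the section starts at line 1 of the file and the only import shown is `from pysnmp.proto import errind, error`. Unless `debug` is imported below the visible lines, every call would raise NameError rather than return `accessAllowed`. Adding `from pysnmp import debug` beside the existing import, as the RFC 3415 module does, would fix it. The module-level `accessModelID` and `isAccessAllowed` also disappear with this change, so any code that addressed the module directly would need updating. A short class docstring stating that this model grants every request unconditionally would help readers who select it.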
|
||||
|
|