Add option to configure snmpd auth type

MD5 will not work under FIPS. We need a way to configure the snmpd auth type to something other than MD5 (the other supported option is SHA). Otherwise snmpd will not start up under FIPS. Change-Id: I92e6c5283f6d0ba605fa2c0bcda6bea9041a0f4f
2021-10-07 17:11:49 -04:00 · 2021-10-07 17:11:49 -04:00 · ecd7f49175
parent f13a4f489d
commit ecd7f49175
2 changed files with 37 additions and 6 deletions
--- a/manifests/profile/base/snmp.pp
+++ b/manifests/profile/base/snmp.pp
@ -32,6 +32,10 @@
 #   THT via SnmpdReadonlyUserName and SnmpdReadonlyUserPassword.
 #   Defaults to undef.
 #
+# [*snmpd_auth_type*]
+#   The SNMP auth type
+#   Defaults to hiera('snmpd_readonly_user_authtype') if set else 'MD5'
+#
 # [*snmpd_password*]
 #   The SNMP password
 #   Defaults to hiera('snmpd_readonly_user_password')
@ -46,14 +50,15 @@
 #   Defaults to hiera('step')
 #
 class tripleo::profile::base::snmp (
-  $snmpd_config   = undef,
-  $snmpd_password = hiera('snmpd_readonly_user_password'),
-  $snmpd_user     = hiera('snmpd_readonly_user_name'),
-  $step           = Integer(hiera('step')),
+  $snmpd_config    = undef,
+  $snmpd_auth_type = hiera('snmpd_readonly_user_authtype', 'MD5'),
+  $snmpd_password  = hiera('snmpd_readonly_user_password'),
+  $snmpd_user      = hiera('snmpd_readonly_user_name'),
+  $step            = Integer(hiera('step')),
 ) {
  if $step >= 4 {
    snmp::snmpv3_user { $snmpd_user:
-      authtype => 'MD5',
+      authtype => $snmpd_auth_type,
      authpass => $snmpd_password,
    }
    if $snmpd_config {
@ -63,7 +68,7 @@ class tripleo::profile::base::snmp (
      }
    } else {
      class { 'snmp':
-        snmpd_config => [ join(['createUser ', $snmpd_user, ' MD5 "', $snmpd_password, '"']),
+        snmpd_config => [ join(['createUser ', $snmpd_user, ' ', $snmpd_auth_type, ' "', $snmpd_password, '"']),
                          join(['rouser ', $snmpd_user]),
                          'proc  cron',
                          'includeAllDisks  10%',
--- a/spec/classes/tripleo_profile_base_snmp_spec.rb
+++ b/spec/classes/tripleo_profile_base_snmp_spec.rb
@ -44,6 +44,32 @@ describe 'tripleo::profile::base::snmp' do
        )
      end
    end
+    context 'with default configuration and SHA' do
+      let :params do
+        {
+          :snmpd_user      => 'ro_snmp_user',
+          :snmpd_password  => 'secrete',
+          :snmpd_auth_type => 'SHA',
+          :step            => 4,
+        }
+      end
+
+      it 'should configure snmpd with SHA' do
+        is_expected.to contain_class('snmp').with(
+          :snmpd_config => [
+            'createUser ro_snmp_user SHA "secrete"',
+            'rouser ro_snmp_user',
+            'proc  cron',
+            'includeAllDisks  10%',
+            'master agentx',
+            'iquerySecName internalUser',
+            'rouser internalUser',
+            'defaultMonitors yes',
+             'linkUpDownNotifications yes',
+          ]
+        )
+      end
+    end
    context 'with snmpd_config setting' do
      let :params do
        {