netsnmp 0.1.3 → 0.1.4

data/lib/netsnmp/security_parameters.rb

@@ -1,8 +1,9 @@
 # frozen_string_literal: true
+
 module NETSNMP
   # This module encapsulates the public API for encrypting/decrypting and signing/verifying.
-  # 
-  # It doesn't interact with other layers from the library, rather it is used and passed all 
+  #
+  # It doesn't interact with other layers from the library, rather it is used and passed all
   # the arguments (consisting mostly of primitive types).
   # It also provides validation of the security options passed with a client is initialized in v3 mode.
   class SecurityParameters
@@ -11,8 +12,15 @@ module NETSNMP
     IPAD = "\x36" * 64
     OPAD = "\x5c" * 64
 
+    # Timeliness is part of SNMP V3 Security
+    # The topic is described very nice here https://www.snmpsharpnet.com/?page_id=28
+    # https://www.ietf.org/rfc/rfc2574.txt 1.4.1 Timeliness
+    # The probe is outdated after 150 seconds which results in a PDU Error, therefore it should expire before that and be renewed
+    # The 150 Seconds is specified in https://www.ietf.org/rfc/rfc2574.txt 2.2.3
+    TIMELINESS_THRESHOLD = 150
+
     attr_reader :security_level, :username
-    attr_accessor :engine_id
+    attr_reader :engine_id
 
     # @param [String] username the snmp v3 username
     # @param [String] engine_id the device engine id (initialized to '' for report)
@@ -28,13 +36,14 @@ module NETSNMP
     #   not explicitly set), and :priv_password becomes mandatory.
     #
     def initialize(
-                   username: , 
+                   username:,
                    engine_id: "",
-                   security_level: nil, 
-                   auth_protocol: nil, 
-                   auth_password: nil, 
-                   priv_protocol: nil, 
-                   priv_password: nil)
+                   security_level: nil,
+                   auth_protocol: nil,
+                   auth_password: nil,
+                   priv_protocol: nil,
+                   priv_password: nil
+    )
       @security_level = security_level
       @username = username
       @engine_id = engine_id
@@ -47,21 +56,25 @@ module NETSNMP
       @priv_pass_key = passkey(@priv_password) unless @priv_password.nil?
     end
 
+    def engine_id=(id)
+      @timeliness = Process.clock_gettime(Process::CLOCK_MONOTONIC, :second)
+      @engine_id = id
+    end
 
     # @param [#to_asn, #to_der] pdu the pdu to encode (must quack like a asn1 type)
     # @param [String] salt the salt to use
     # @param [Integer] engine_time the reported engine time
     # @param [Integer] engine_boots the reported boots time
-    # 
-    # @return [Array] a pair, where the first argument in the asn structure with the encoded pdu, 
+    #
+    # @return [Array] a pair, where the first argument in the asn structure with the encoded pdu,
     #    and the second is the calculated salt (if it has been encrypted)
-    def encode(pdu, salt: , engine_time: , engine_boots: )
+    def encode(pdu, salt:, engine_time:, engine_boots:)
       if encryption
-        encrypted_pdu, salt = encryption.encrypt(pdu.to_der, engine_boots: engine_boots, 
+        encrypted_pdu, salt = encryption.encrypt(pdu.to_der, engine_boots: engine_boots,
                                                              engine_time: engine_time)
-        [OpenSSL::ASN1::OctetString.new(encrypted_pdu), OpenSSL::ASN1::OctetString.new(salt) ]
+        [OpenSSL::ASN1::OctetString.new(encrypted_pdu), OpenSSL::ASN1::OctetString.new(salt)]
       else
-        [ pdu.to_asn, salt ]
+        [pdu.to_asn, salt]
       end
     end
 
@@ -69,12 +82,12 @@ module NETSNMP
     # @param [String] salt the salt from the incoming der
     # @param [Integer] engine_time the reported engine time
     # @param [Integer] engine_boots the reported engine boots
-    def decode(der, salt: , engine_time: , engine_boots: )
+    def decode(der, salt:, engine_time:, engine_boots:)
       asn = OpenSSL::ASN1.decode(der)
       if encryption
         encrypted_pdu = asn.value
         pdu_der = encryption.decrypt(encrypted_pdu, salt: salt, engine_time: engine_time, engine_boots: engine_boots)
-        OpenSSL::ASN1.decode(pdu_der)      
+        OpenSSL::ASN1.decode(pdu_der)
       else
         asn
       end
@@ -86,7 +99,7 @@ module NETSNMP
     # @note this method is used in the process of authenticating a message
     def sign(message)
       # don't sign unless you have to
-      return nil if not @auth_protocol
+      return nil unless @auth_protocol
 
       key = auth_key.dup
 
@@ -95,24 +108,30 @@ module NETSNMP
       k2 = key.xor(OPAD)
 
       digest.reset
-      digest << ( k1 + message )
+      digest << (k1 + message)
       d1 = digest.digest
 
       digest.reset
-      digest << ( k2 + d1 )
-      digest.digest[0,12]
+      digest << (k2 + d1)
+      digest.digest[0, 12]
     end
 
     # @param [String] stream the encoded incoming payload
     # @param [String] salt the incoming payload''s salt
     #
-    # @raise [NETSNMP::Error] if the message's integration has been violated 
+    # @raise [NETSNMP::Error] if the message's integration has been violated
     def verify(stream, salt)
       return if @security_level < 1
       verisalt = sign(stream)
       raise Error, "invalid message authentication salt" unless verisalt == salt
     end
 
+    def must_revalidate?
+      return @engine_id.empty? unless authorizable?
+      return true if @engine_id.empty? || @timeliness.nil?
+      (Process.clock_gettime(Process::CLOCK_MONOTONIC, :second) - @timeliness) >= TIMELINESS_THRESHOLD
+    end
+
     private
 
     def auth_key
@@ -125,46 +144,43 @@ module NETSNMP
 
     def check_parameters
       @security_level = case @security_level
-        when Integer then @security_level
-        when /no_?auth/         then 0
-        when /auth_?no_?priv/   then 1
-        when /auth_?priv/, nil  then 3
-        else
-          raise Error, "security level not supported: #{@security_level}"
-      end
-
-      if @security_level > 0
+                        when Integer then @security_level
+                        when /no_?auth/         then 0
+                        when /auth_?no_?priv/   then 1
+                        when /auth_?priv/, nil  then 3
+                        else
+                          raise Error, "security level not supported: #{@security_level}"
+                        end
+
+      if @security_level.positive?
         @auth_protocol ||= :md5 # this is the default
         raise "security level requires an auth password" if @auth_password.nil?
-        raise "auth password must have between 8 to 32 characters" if not (8..32).include?(@auth_password.length)
-      end
-      if @security_level > 1
-        @priv_protocol ||= :des
-        raise "security level requires a priv password" if @priv_password.nil?
-        raise "priv password must have between 8 to 32 characters" if not (8..32).include?(@priv_password.length)
+        raise "auth password must have between 8 to 32 characters" unless (8..32).cover?(@auth_password.length)
       end
+      return unless @security_level > 1
+      @priv_protocol ||= :des
+      raise "security level requires a priv password" if @priv_password.nil?
+      raise "priv password must have between 8 to 32 characters" unless (8..32).cover?(@priv_password.length)
     end
 
     def localize_key(key)
-
       digest.reset
       digest << key
-      digest << @engine_id 
+      digest << @engine_id
       digest << key
 
       digest.digest
     end
 
     def passkey(password)
-
       digest.reset
       password_index = 0
 
-      buffer = String.new
+      # buffer = +""
       password_length = password.length
       while password_index < 1048576
         initial = password_index % password_length
-        rotated = password[initial..-1] + password[0,initial]
+        rotated = password[initial..-1] + password[0, initial]
         buffer = rotated * (64 / rotated.length) + rotated[0, 64 % rotated.length]
         password_index += 64
         digest << buffer
@@ -172,27 +188,30 @@ module NETSNMP
       end
 
       dig = digest.digest
-      dig = dig[0,16] if @auth_protocol == :md5
+      dig = dig[0, 16] if @auth_protocol == :md5
       dig
     end
 
-    def digest 
+    def digest
       @digest ||= case @auth_protocol
-      when :md5 then OpenSSL::Digest::MD5.new
-      when :sha then OpenSSL::Digest::SHA1.new
-      else 
-        raise Error, "unsupported auth protocol: #{@auth_protocol}"
-      end
+                  when :md5 then OpenSSL::Digest::MD5.new
+                  when :sha then OpenSSL::Digest::SHA1.new
+                  else
+                    raise Error, "unsupported auth protocol: #{@auth_protocol}"
+                  end
     end
 
     def encryption
       @encryption ||= case @priv_protocol
-      when :des
-        Encryption::DES.new(priv_key)
-      when :aes
-        Encryption::AES.new(priv_key)
-      end
+                      when :des
+                        Encryption::DES.new(priv_key)
+                      when :aes
+                        Encryption::AES.new(priv_key)
+                      end
     end
 
+    def authorizable?
+      @auth_protocol && @auth_protocol != :none
+    end
   end
 end

data/lib/netsnmp/session.rb

@@ -1,13 +1,14 @@
 # frozen_string_literal: true
+
 module NETSNMP
-  # Let's just remind that there is no session in snmp, this is just an abstraction. 
-  # 
+  # Let's just remind that there is no session in snmp, this is just an abstraction.
+  #
   class Session
     TIMEOUT = 2
 
-    # @param [Hash] opts the options set 
+    # @param [Hash] opts the options set
     def initialize(version: 1, community: "public", **options)
-      @version   = 1
+      @version   = version
       @community = community
       validate(options)
     end
@@ -25,7 +26,7 @@ module NETSNMP
     # @return [NETSNMP::PDU] a pdu
     #
     def build_pdu(type, *vars)
-      PDU.build(type, headers: [ @version, @community ], varbinds: vars)
+      PDU.build(type, headers: [@version, @community], varbinds: vars)
     end
 
     # send a pdu, receives a pdu
@@ -35,7 +36,7 @@ module NETSNMP
     # @return [NETSNMP::PDU] the response pdu
     #
     def send(pdu)
-      encoded_request = encode(pdu) 
+      encoded_request = encode(pdu)
       encoded_response = @transport.send(encoded_request)
       decode(encoded_response)
     end
@@ -46,7 +47,7 @@ module NETSNMP
       proxy = options[:proxy]
       if proxy
         @proxy = true
-        @transport = proxy 
+        @transport = proxy
       else
         host, port = options.values_at(:host, :port)
         raise "you must provide an hostname/ip under :host" unless host
@@ -54,16 +55,15 @@ module NETSNMP
         @transport = Transport.new(host, port.to_i, timeout: options.fetch(:timeout, TIMEOUT))
       end
       @version = case @version
-        when Integer then @version # assume the use know what he's doing
-        when /v?1/ then 0 
-        when /v?2c?/ then 1 
-        when /v?3/ then 3
-        else
-          raise "unsupported snmp version (#{@version})"
-      end
+                 when Integer then @version # assume the use know what he's doing
+                 when /v?1/ then 0
+                 when /v?2c?/ then 1
+                 when /v?3/ then 3
+                 else
+                   raise "unsupported snmp version (#{@version})"
+                 end
     end
 
-
     def encode(pdu)
       pdu.to_der
     end
@@ -75,13 +75,13 @@ module NETSNMP
     class Transport
       MAXPDUSIZE = 0xffff + 1
 
-      def initialize(host, port, timeout: )
+      def initialize(host, port, timeout:)
         @socket = UDPSocket.new
-        @socket.connect( host, port )
+        @socket.connect(host, port)
         @timeout = timeout
       end
 
-      def close 
+      def close
         @socket.close
       end
 
@@ -96,9 +96,9 @@ module NETSNMP
         end
       end
 
-      def recv(bytesize=MAXPDUSIZE)
+      def recv(bytesize = MAXPDUSIZE)
         perform_io do
-          datagram, _ = @socket.recvfrom_nonblock(bytesize)
+          datagram, = @socket.recvfrom_nonblock(bytesize)
           datagram
         end
       end
@@ -118,11 +118,9 @@ module NETSNMP
       end
 
       def wait(mode)
-        unless @socket.__send__(mode, @timeout)
-          raise Timeout::Error, "Timeout after #{@timeout} seconds"
-        end   
+        return if @socket.__send__(mode, @timeout)
+        raise Timeout::Error, "Timeout after #{@timeout} seconds"
       end
-
     end
   end
 end

data/lib/netsnmp/timeticks.rb

@@ -1,12 +1,12 @@
+# frozen_string_literal: true
+
 module NETSNMP
   class Timetick < Numeric
-
     # @param [Integer] ticks number of microseconds since the time it was read
     def initialize(ticks)
       @ticks = ticks
     end
 
-
     def to_s
       days = days_since
       hours = hours_since(days)
@@ -24,7 +24,7 @@ module NETSNMP
     end
 
     def coerce(other)
-      [ Timetick.new(other), self]
+      [Timetick.new(other), self]
     end
 
     def <=>(other)
@@ -32,24 +32,23 @@ module NETSNMP
     end
 
     def +(other)
-      Timetick.new( (to_i + other.to_i))
+      Timetick.new((to_i + other.to_i))
     end
 
     def -(other)
-      Timetick.new( (to_i - other.to_i))
+      Timetick.new((to_i - other.to_i))
     end
 
     def *(other)
-      Timetick.new( (to_i * other.to_i))
+      Timetick.new((to_i * other.to_i))
     end
 
     def /(other)
-      Timetick.new( (to_i / other.to_i))
+      Timetick.new((to_i / other.to_i))
     end
 
     private
 
-
     def days_since
       Rational(@ticks, 8_640_000)
     end
@@ -61,10 +60,9 @@ module NETSNMP
     def minutes_since(hours)
       Rational((hours.to_f - hours.to_i) * 60)
     end
-      
+
     def milliseconds_since(minutes)
       Rational((minutes.to_f - minutes.to_i) * 60)
     end
-
   end
 end

data/lib/netsnmp/v3_session.rb

@@ -1,12 +1,12 @@
 # frozen_string_literal: true
+
 module NETSNMP
   # Abstraction for the v3 semantics.
   class V3Session < Session
-
     # @param [String, Integer] version SNMP version (always 3)
     def initialize(version: 3, context: "", **opts)
       @context = context
-      @security_parameters = opts.delete(:security_parameters) 
+      @security_parameters = opts.delete(:security_parameters)
       super
     end
 
@@ -15,12 +15,12 @@ module NETSNMP
     # @return [NETSNMP::ScopedPDU] a pdu
     def build_pdu(type, *vars)
       engine_id = security_parameters.engine_id
-      pdu = ScopedPDU.build(type, headers: [engine_id, @context], varbinds: vars)
+      ScopedPDU.build(type, headers: [engine_id, @context], varbinds: vars)
     end
 
     # @see {NETSNMP::Session#send}
     def send(*)
-      pdu, _ = super
+      pdu, = super
       pdu
     end
 
@@ -28,29 +28,27 @@ module NETSNMP
 
     def validate(**options)
       super
-      if s = @security_parameters
+      if (s = @security_parameters)
         # inspect public API
         unless s.respond_to?(:encode) &&
                s.respond_to?(:decode) &&
                s.respond_to?(:sign)   &&
                s.respond_to?(:verify)
-          raise Error, "#{s} doesn't respect the sec params public API (#encode, #decode, #sign)" 
-        end 
+          raise Error, "#{s} doesn't respect the sec params public API (#encode, #decode, #sign)"
+        end
       else
-        @security_parameters = SecurityParameters.new(security_level: options[:security_level], 
+        @security_parameters = SecurityParameters.new(security_level: options[:security_level],
                                                       username:       options[:username],
                                                       auth_protocol:  options[:auth_protocol],
                                                       priv_protocol:  options[:priv_protocol],
                                                       auth_password:  options[:auth_password],
                                                       priv_password:  options[:priv_password])
-  
+
       end
     end
 
     def security_parameters
-      if @security_parameters.engine_id.empty?
-        @security_parameters.engine_id = probe_for_engine
-      end
+      @security_parameters.engine_id = probe_for_engine if @security_parameters.must_revalidate?
       @security_parameters
     end
 
@@ -69,7 +67,7 @@ module NETSNMP
     end
 
     def encode(pdu)
-      Message.encode(pdu, security_parameters: @security_parameters, 
+      Message.encode(pdu, security_parameters: @security_parameters,
                           engine_boots: @engine_boots,
                           engine_time: @engine_time)
     end

data/lib/netsnmp/varbind.rb

@@ -1,12 +1,12 @@
 # frozen_string_literal: true
+
 module NETSNMP
   # Abstracts the PDU variable structure into a ruby object
   #
   class Varbind
-
     attr_reader :oid, :value
 
-    def initialize(oid , value: nil, type: nil, **opts)
+    def initialize(oid, value: nil, type: nil, **_opts)
       @oid = OID.build(oid)
       @type = type
       @value = convert_val(value) if value
@@ -23,29 +23,28 @@ module NETSNMP
     def to_asn
       asn_oid = OID.to_asn(@oid)
       asn_val = if @type
-        convert_to_asn(@type, @value)
-      else
-        case @value
-        when String
-          OpenSSL::ASN1::OctetString.new(@value)
-        when Integer
-          OpenSSL::ASN1::Integer.new(@value)
-        when true, false
-          OpenSSL::ASN1::Boolean.new(@value)
-        when nil
-          OpenSSL::ASN1::Null.new(nil)
-        when IPAddr
-          OpenSSL::ASN1::ASN1Data.new(@value.hton, 0, :APPLICATION)
-        when Timetick
-          @value.to_asn
-        else
-          raise Error, "#{@value}: unsupported varbind type"
-        end
-      end
-      OpenSSL::ASN1::Sequence.new( [asn_oid, asn_val] )
+                  convert_to_asn(@type, @value)
+                else
+                  case @value
+                  when String
+                    OpenSSL::ASN1::OctetString.new(@value)
+                  when Integer
+                    OpenSSL::ASN1::Integer.new(@value)
+                  when true, false
+                    OpenSSL::ASN1::Boolean.new(@value)
+                  when nil
+                    OpenSSL::ASN1::Null.new(nil)
+                  when IPAddr
+                    OpenSSL::ASN1::ASN1Data.new(@value.hton, 0, :APPLICATION)
+                  when Timetick
+                    @value.to_asn
+                  else
+                    raise Error, "#{@value}: unsupported varbind type"
+                  end
+                end
+      OpenSSL::ASN1::Sequence.new([asn_oid, asn_val])
     end
 
-
     def convert_val(asn_value)
       case asn_value
       when OpenSSL::ASN1::OctetString
@@ -68,10 +67,10 @@ module NETSNMP
       when OpenSSL::ASN1::ASN1Data
         # application data
         convert_application_asn(asn_value)
-      when OpenSSL::BN
+      # when OpenSSL::BN
       else
-       asn_value # assume it's already primitive
-      end 
+        asn_value # assume it's already primitive
+      end
     end
 
     def convert_to_asn(typ, value)
@@ -79,35 +78,40 @@ module NETSNMP
       asn_val = value
       if typ.is_a?(Symbol)
         asn_type = case typ
-          when :ipaddress then 0
-          when :counter32 then 1
-          when :gauge then 2
-          when :timetick
-            return Timetick.new(value).to_asn
-          when :opaque then 4
-          when :nsap then 5
-          when :counter64 then 6
-          when :uinteger then 7
-          else  
-            raise Error, "#{typ}: unsupported application type"
-        end
+                   when :ipaddress then 0
+                   when :counter32
+                     asn_val = [value].pack("n*")
+                     1
+                   when :gauge
+                     asn_val = [value].pack("n*")
+                     2
+                   when :timetick
+                     return Timetick.new(value).to_asn
+                   when :opaque then 4
+                   when :nsap then 5
+                   when :counter64 then 6
+                   when :uinteger then 7
+                   else
+                     raise Error, "#{typ}: unsupported application type"
+                   end
       end
       OpenSSL::ASN1::ASN1Data.new(asn_val, asn_type, :APPLICATION)
     end
 
     def convert_application_asn(asn)
       case asn.tag
-        when 0 # IP Address
-          IPAddr.new_ntoh(asn.value)
-        when 1 # ASN counter 32
-          asn.value.unpack("n*")[0] || 0
-        when 2 # gauge
-        when 3 # timeticks
-          Timetick.new(asn.value.unpack("N*")[0] || 0)
-        when 4 # opaque
-        when 5 # NSAP
-        when 6 # ASN Counter 64
-        when 7 # ASN UInteger
+      when 0 # IP Address
+        IPAddr.new_ntoh(asn.value)
+      when 1 # ASN counter 32
+        asn.value.unpack("n*")[0] || 0
+      when 2 # gauge
+        asn.value.unpack("n*")[0] || 0
+      when 3 # timeticks
+        Timetick.new(asn.value.unpack("N*")[0] || 0)
+        # when 4 # opaque
+        # when 5 # NSAP
+        # when 6 # ASN Counter 64
+        # when 7 # ASN UInteger
       end
     end
   end

data/lib/netsnmp/version.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module NETSNMP
-  VERSION = '0.1.3'
+  VERSION = "0.1.4"
 end