puresnmp_plugins.security.usm module
This module implements the SNMPv3 “User Security Model” as defined in RFC 3414.
- exception puresnmp_plugins.security.usm.AuthenticationError
Bases:
USMError
This error is raised whenever something goes wrong during authentication
- exception puresnmp_plugins.security.usm.DecryptionError
Bases:
USMError
This error is raised whenever something goes wrong during decryption
- class puresnmp_plugins.security.usm.DiscoData(authoritative_engine_id: bytes, authoritative_engine_boots: int, authoritative_engine_time: int, unknown_engine_ids: int)
Bases:
object
Helper class to wrap data received from an SNMPv3 discovery message.
- exception puresnmp_plugins.security.usm.EncryptionError
Bases:
USMError
This error is raised whenever something goes wrong during encryption
- exception puresnmp_plugins.security.usm.USMError
Bases:
SnmpError
Generic exception for errors caused by the USM module
- class puresnmp_plugins.security.usm.USMSecurityParameters(authoritative_engine_id: bytes, authoritative_engine_boots: int, authoritative_engine_time: int, user_name: bytes, auth_params: bytes, priv_params: bytes)
Bases:
object
This class wraps the various values for the USM
- static decode(data: bytes) → USMSecurityParameters
Construct a USMSecurityParameters instance from pure bytes
- static from_snmp_type(seq: Sequence) → USMSecurityParameters
Construct a USMSecurityParameters instance from an SNMP/X690 Sequence
- exception puresnmp_plugins.security.usm.UnknownUser
Bases:
USMError
This error is raised when a message is processed that is not consistent with the user-name passed in the credentials.
- exception puresnmp_plugins.security.usm.UnsupportedSecurityLevel
Bases:
USMError
This error is raised when the data included in the credentials is invalid or incomplete.
- class puresnmp_plugins.security.usm.UserSecurityModel
Bases:
SecurityModel[PlainMessage, PlainMessage | EncryptedMessage]
Implementation of the user-security model as defined by puresnmp.security.SecurityModel
- generate_request_message(message: PlainMessage, security_engine_id: bytes, credentials: Credentials) → PlainMessage | EncryptedMessage
Takes a plain unprocessed message and applies security to the message as defined by the concrete security model.
It returns the processed message including security modifications. Further processing is provided by the “message-processing-model” to prepare it for sending out to the network.
The kind of processing applied to the message depends on the credential type.
- Parameters:
message – The original message
security_engine_id – The engine-id of the receiving SNMP engine
credentials – A credential object giving information on what kind of operations are needed on the message.
- process_incoming_message(message: PlainMessage | EncryptedMessage, credentials: Credentials) → PlainMessage
Takes a message which includes potential security modifications (like encryption) and “undoes” these modifications in order to make the message usable again.
Returns an unprocessed message.
The kind of processing applied to the message depends on the credential type.
- Parameters:
message – The original message
credentials – A credential object giving information on what kind of operations are needed on the message.
- async send_discovery_message(transport_handler: Callable[[bytes], Awaitable[bytes]]) → DiscoData
Send a discovery message to the remote engine.
- Parameters:
transport_handler – A callable that is responsible for sending data to the remote engine. This callable should already be aware of how to connect. It takes the bytes to be sent to the remote and should return the response bytes without any processing.
- puresnmp_plugins.security.usm.apply_authentication(unauthed_message: PlainMessage | EncryptedMessage, credentials: V3, security_engine_id: bytes) → PlainMessage | EncryptedMessage
Add authentication-information to an SNMPv3 message
- Parameters:
unauthed_message – Either an encrypted or plain message that we want to update with authentication information.
credentials – The user-credentials
security_engine_id – The engine-id of the remote device
- Returns:
A message (of the same type) with authentication information added to and security_parameters of the message.
- puresnmp_plugins.security.usm.apply_encryption(message: PlainMessage, credentials: V3, security_name: bytes, security_engine_id: bytes, engine_boots: int, engine_time: int) → PlainMessage | EncryptedMessage
Derive a new encrypted message from a plain message given user-credentials and target-engine information.
- Parameters:
message – The unencrypted message
credentials – The SNMPv3 credentials to be applied to the message
security_name – The username used in the request
security_engine_id – The engine-id of the remote device
engine_boots – Encryption timeliness data as received from the discovery process
engine_time – Encryption timeliness data as received from the discovery process
- Returns:
Either an encrypted message, or a plain-message (depending on credential type)
- puresnmp_plugins.security.usm.create() → UserSecurityModel
Creates a new instance of the USM
- puresnmp_plugins.security.usm.decrypt_message(message: PlainMessage | EncryptedMessage, credentials: V3) → PlainMessage
Decrypt a message using the given credentials
- puresnmp_plugins.security.usm.reset_digest(message: Message) → Message
Replace the current message-digest in a message with zeroes.
As the digest is embedded inside the message, it needs to be zeroed out when deriving the digest from a message. Otherwise the digest computed for the same message would change depending on the digest value already embedded in it.
- Parameters:
message – The message (with or without digest)
- Returns:
A new message with zeroed digest
- puresnmp_plugins.security.usm.validate_usm_message(message: PlainMessage) → None
If the message contains known error-indicators, raise an appropriate exception.
- Raises:
SnmpError – If an error was found
- puresnmp_plugins.security.usm.verify_authentication(message: Message, credentials: V3, security_params: USMSecurityParameters) → None
Verify authenticity of the message using the credentials.
- Raises:
AuthenticationError – If the message is not authentic
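The digest handling described for reset_digest and verify_authentication above, as an added example that is not puresnmp's own code: a stand-alone HMAC-MD5-96 computation in the style of RFC 3414, using only hashlib and hmac. The message bytes, the fixed digest offset and all function names are constructed for illustration; a real implementation locates the digest field inside the BER-encoded message.

```python
import hashlib
import hmac

DIGEST_LEN = 12  # HMAC-MD5-96 and HMAC-SHA-96 truncate the MAC to 12 bytes


def localized_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 password-to-key, then localisation to one engine-id."""
    reps, rem = divmod(1048576, len(password))
    ku = hashlib.new(algo, password * reps + password[:rem]).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()


def zero_digest(wire: bytes, offset: int) -> bytes:
    """Return a copy of the message with the digest field set to zeroes."""
    return wire[:offset] + b"\x00" * DIGEST_LEN + wire[offset + DIGEST_LEN:]


def sign(wire: bytes, offset: int, key: bytes, algo: str = "md5") -> bytes:
    """Compute the MAC over the zeroed message and embed it at offset."""
    zeroed = zero_digest(wire, offset)
    mac = hmac.new(key, zeroed, algo).digest()[:DIGEST_LEN]
    return zeroed[:offset] + mac + zeroed[offset + DIGEST_LEN:]


def verify(wire: bytes, offset: int, key: bytes, algo: str = "md5") -> bool:
    """Recompute the MAC over the zeroed message; compare in constant time."""
    received = wire[offset:offset + DIGEST_LEN]
    expected = hmac.new(key, zero_digest(wire, offset), algo).digest()[:DIGEST_LEN]
    return hmac.compare_digest(received, expected)


# Constructed sample: stand-in bytes for an encoded message, not real BER.
ENGINE_ID = bytes.fromhex("000000000000000000000002")
KEY = localized_key(b"maplesyrup", ENGINE_ID)
HEADER = b"constructed-header|"
OFFSET = len(HEADER)
UNSIGNED = HEADER + b"\x00" * DIGEST_LEN + b"|constructed-scoped-pdu"
SIGNED = sign(UNSIGNED, OFFSET, KEY)
# Flip one bit in the payload to simulate modification in transit.
TAMPERED = SIGNED[:-1] + bytes([SIGNED[-1] ^ 0x01])

if __name__ == "__main__":
    print("signed verifies:  ", verify(SIGNED, OFFSET, KEY))
    print("tampered verifies:", verify(TAMPERED, OFFSET, KEY))
```

Because both sides zero the field before hashing, signing an already-signed message yields the same bytes, and a key localised to a different engine-id fails verification.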