Update tests for config and listener

DataDog · Dec 18, 2023 · 9c0f195 · 9c0f195
1 parent 55a336e
commit 9c0f195
Show file tree

Hide file tree

Showing 3 changed files with 171 additions and 31 deletions.
diff --git a/pkg/snmp/traps/config/config_test.go b/pkg/snmp/traps/config/config_test.go
@@ -29,6 +29,54 @@ var expectedEngineIDs = map[string]string{
 	"VeryLongHostnameThatIsDifferent":                "\x80\xff\xff\xff\xff\xe7\x21\xcc\xd7\x0b\xe1\x60\xc5\x18\xd7\xde\x17\x86\xb0\x7d\x36",
 }
 
+var usersV3 = []UserV3{
+	{
+		Username:     "user",
+		AuthKey:      "password",
+		AuthProtocol: "MD5",
+		PrivKey:      "password",
+		PrivProtocol: "AES",
+	},
+	{
+		Username:     "user",
+		AuthKey:      "password",
+		AuthProtocol: "SHA",
+		PrivKey:      "password",
+		PrivProtocol: "DES",
+	},
+	{
+		Username:     "user2",
+		AuthKey:      "password",
+		AuthProtocol: "MD5",
+		PrivKey:      "password",
+		PrivProtocol: "AES",
+	},
+}
+
+var usmUsers = []*gosnmp.UsmSecurityParameters{
+	&gosnmp.UsmSecurityParameters{
+		UserName:                 "user",
+		AuthenticationProtocol:   gosnmp.MD5,
+		AuthenticationPassphrase: "password",
+		PrivacyProtocol:          gosnmp.AES,
+		PrivacyPassphrase:        "password",
+	},
+	&gosnmp.UsmSecurityParameters{
+		UserName:                 "user",
+		AuthenticationProtocol:   gosnmp.SHA,
+		AuthenticationPassphrase: "password",
+		PrivacyProtocol:          gosnmp.DES,
+		PrivacyPassphrase:        "password",
+	},
+	&gosnmp.UsmSecurityParameters{
+		UserName:                 "user2",
+		AuthenticationProtocol:   gosnmp.MD5,
+		AuthenticationPassphrase: "password",
+		PrivacyProtocol:          gosnmp.AES,
+		PrivacyPassphrase:        "password",
+	},
+}
+
 func makeConfig(t *testing.T, trapConfig TrapsConfig) config.Component {
 	return makeConfigWithGlobalNamespace(t, trapConfig, "")
 }
@@ -55,16 +103,8 @@ func makeConfigWithGlobalNamespace(t *testing.T, trapConfig TrapsConfig, globalN
 func TestFullConfig(t *testing.T) {
 	logger := fxutil.Test[log.Component](t, logimpl.MockModule)
 	rootConfig := makeConfig(t, TrapsConfig{
-		Port: 1234,
-		Users: []UserV3{
-			{
-				Username:     "user",
-				AuthKey:      "password",
-				AuthProtocol: "MD5",
-				PrivKey:      "password",
-				PrivProtocol: "AES",
-			},
-		},
+		Port:             1234,
+		Users:            usersV3,
 		BindHost:         "127.0.0.1",
 		CommunityStrings: []string{"public"},
 		StopTimeout:      12,
@@ -77,15 +117,7 @@ func TestFullConfig(t *testing.T) {
 	assert.Equal(t, []string{"public"}, config.CommunityStrings)
 	assert.Equal(t, "127.0.0.1", config.BindHost)
 	assert.Equal(t, "foo", config.Namespace)
-	assert.Equal(t, []UserV3{
-		{
-			Username:     "user",
-			AuthKey:      "password",
-			AuthProtocol: "MD5",
-			PrivKey:      "password",
-			PrivProtocol: "AES",
-		},
-	}, config.Users)
+	assert.Equal(t, usersV3, config.Users)
 
 	params, err := config.BuildSNMPParams(logger)
 	assert.NoError(t, err)
@@ -94,14 +126,31 @@ func TestFullConfig(t *testing.T) {
 	assert.Equal(t, "udp", params.Transport)
 	assert.NotNil(t, params.Logger)
 	assert.Equal(t, gosnmp.UserSecurityModel, params.SecurityModel)
-	assert.Equal(t, &gosnmp.UsmSecurityParameters{
-		UserName:                 "user",
-		AuthoritativeEngineID:    expectedEngineID,
-		AuthenticationProtocol:   gosnmp.MD5,
-		AuthenticationPassphrase: "password",
-		PrivacyProtocol:          gosnmp.AES,
-		PrivacyPassphrase:        "password",
-	}, params.SecurityParameters)
+	assert.Equal(t, &gosnmp.UsmSecurityParameters{AuthoritativeEngineID: expectedEngineID}, params.SecurityParameters)
+
+	table := gosnmp.NewSnmpV3SecurityParametersTable()
+	for _, usmUser := range usmUsers {
+		table.Add(usmUser.UserName, usmUser)
+	}
+	var usmConfigTests = []struct {
+		name       string
+		identifier string
+	}{
+		{
+			"identifier: user has 2 entries",
+			"user",
+		},
+		{
+			"identifier: user2 has 1 entry",
+			"user2",
+		},
+	}
+	for _, usmConfigTest := range usmConfigTests {
+		// Compare the security params after initializing the security keys (happens in the add to table)
+		expected, _ := table.Get(usmConfigTest.identifier)
+		actual, _ := params.TrapSecurityParametersTable.Get(usmConfigTest.identifier)
+		assert.ElementsMatch(t, expected, actual)
+	}
 }
 
 func TestMinimalConfig(t *testing.T) {

diff --git a/pkg/snmp/traps/listener/listener_test.go b/pkg/snmp/traps/listener/listener_test.go
@@ -105,7 +105,7 @@ func TestServerV3(t *testing.T) {
 	_, trapListener, status := listenerTestSetup(t, config)
 	defer trapListener.Stop()
 
-	sendTestV3Trap(t, config, &gosnmp.UsmSecurityParameters{
+	sendTestV3Trap(t, config, gosnmp.AuthPriv, &gosnmp.UsmSecurityParameters{
 		UserName:                 "user",
 		AuthoritativeEngineID:    "foobarbaz",
 		AuthenticationPassphrase: "password",
@@ -118,6 +118,97 @@ func TestServerV3(t *testing.T) {
 	assertVariables(t, packet)
 }
 
+var users = []config.UserV3{
+	config.UserV3{Username: "user", AuthKey: "password", AuthProtocol: "sha", PrivKey: "password", PrivProtocol: "aes"},
+	config.UserV3{Username: "user2", AuthKey: "password2", AuthProtocol: "md5", PrivKey: "password", PrivProtocol: "des"},
+	config.UserV3{Username: "user2", AuthKey: "password2", AuthProtocol: "sha", PrivKey: "password", PrivProtocol: "aes"},
+	config.UserV3{Username: "user3", AuthKey: "password", AuthProtocol: "sha"},
+}
+
+func TestServerV3MultipleCredentials(t *testing.T) {
+	tests := []struct {
+		name      string
+		msgFlags  gosnmp.SnmpV3MsgFlags
+		secParams *gosnmp.UsmSecurityParameters
+	}{
+		{"user AuthPriv SHA/AES succeeds",
+			gosnmp.AuthPriv,
+			&gosnmp.UsmSecurityParameters{
+				UserName:                 "user",
+				AuthoritativeEngineID:    "foobarbaz",
+				AuthenticationPassphrase: "password",
+				AuthenticationProtocol:   gosnmp.SHA,
+				PrivacyPassphrase:        "password",
+				PrivacyProtocol:          gosnmp.AES,
+			},
+		},
+		{"user2 (multiple entries) AuthPriv MD5/DES succeeds",
+			gosnmp.AuthPriv,
+			&gosnmp.UsmSecurityParameters{
+				UserName:                 "user",
+				AuthoritativeEngineID:    "foobarbaz",
+				AuthenticationPassphrase: "password",
+				AuthenticationProtocol:   gosnmp.SHA,
+				PrivacyPassphrase:        "password",
+				PrivacyProtocol:          gosnmp.AES,
+			},
+		},
+		{"user2 (multiple entries) AuthPriv SHA/AES succeeds",
+			gosnmp.AuthPriv,
+			&gosnmp.UsmSecurityParameters{
+				UserName:                 "user",
+				AuthoritativeEngineID:    "foobarbaz",
+				AuthenticationPassphrase: "password",
+				AuthenticationProtocol:   gosnmp.SHA,
+				PrivacyPassphrase:        "password",
+				PrivacyProtocol:          gosnmp.AES,
+			},
+		},
+		{"user3 AuthNoPriv SHA succeeds",
+			gosnmp.AuthNoPriv,
+			&gosnmp.UsmSecurityParameters{
+				UserName:                 "user",
+				AuthoritativeEngineID:    "foobarbaz",
+				AuthenticationPassphrase: "password",
+				AuthenticationProtocol:   gosnmp.SHA,
+				PrivacyPassphrase:        "password",
+				PrivacyProtocol:          gosnmp.AES,
+			},
+		},
+	}
+	serverPort, err := ndmtestutils.GetFreePort()
+	require.NoError(t, err)
+
+	config := &config.TrapsConfig{Port: serverPort, Users: users}
+	_, trapListener, status := listenerTestSetup(t, config)
+	defer trapListener.Stop()
+
+	for _, test := range tests {
+		sendTestV3Trap(t, config, test.msgFlags, test.secParams)
+		packet, err := receivePacket(t, trapListener, defaultTimeout, status)
+		require.NoError(t, err)
+		assertVariables(t, packet)
+	}
+}
+
+func TestServerV3BadCredentialsWithMultipleUsers(t *testing.T) {
+	serverPort, err := ndmtestutils.GetFreePort()
+	require.NoError(t, err)
+	config := &config.TrapsConfig{Port: serverPort, Users: users}
+	_, trapListener, _ := listenerTestSetup(t, config)
+	defer trapListener.Stop()
+
+	sendTestV3Trap(t, config, gosnmp.AuthPriv, &gosnmp.UsmSecurityParameters{
+		UserName:                 "user2",
+		AuthoritativeEngineID:    "foobarbaz",
+		AuthenticationPassphrase: "password2",
+		AuthenticationProtocol:   gosnmp.SHA,
+		PrivacyPassphrase:        "wrong_password",
+		PrivacyProtocol:          gosnmp.AES,
+	})
+	assertNoPacketReceived(t, trapListener)
+}
+
 func TestServerV3BadCredentials(t *testing.T) {
 	serverPort, err := ndmtestutils.GetFreePort()
 	require.NoError(t, err)
@@ -126,7 +217,7 @@ func TestServerV3BadCredentials(t *testing.T) {
 	_, trapListener, _ := listenerTestSetup(t, config)
 	defer trapListener.Stop()
 
-	sendTestV3Trap(t, config, &gosnmp.UsmSecurityParameters{
+	sendTestV3Trap(t, config, gosnmp.AuthPriv, &gosnmp.UsmSecurityParameters{
 		UserName:                 "user",
 		AuthoritativeEngineID:    "foobarbaz",
 		AuthenticationPassphrase: "password",

diff --git a/pkg/snmp/traps/listener/test_helpers.go b/pkg/snmp/traps/listener/test_helpers.go
@@ -72,10 +72,10 @@ func sendTestV2Trap(t *testing.T, trapConfig *config.TrapsConfig, community stri
 	return params
 }
 
-func sendTestV3Trap(t *testing.T, trapConfig *config.TrapsConfig, securityParams *gosnmp.UsmSecurityParameters) *gosnmp.GoSNMP {
+func sendTestV3Trap(t *testing.T, trapConfig *config.TrapsConfig, msgFlags gosnmp.SnmpV3MsgFlags, securityParams *gosnmp.UsmSecurityParameters) *gosnmp.GoSNMP {
 	params, err := trapConfig.BuildSNMPParams(nil)
 	require.NoError(t, err)
-	params.MsgFlags = gosnmp.AuthPriv
+	params.MsgFlags = msgFlags
 	params.SecurityParameters = securityParams
 	params.Timeout = 1 * time.Second // Must be non-zero when sending traps.
 	params.Retries = 1               // Must be non-zero when sending traps.