24 changes: 20 additions & 4 deletions osism/tasks/conductor/sonic/config_generator.py
Expand Up @@ -17,6 +17,10 @@
get_device_oob_ip,
get_device_vlans,
)
from osism.tasks.conductor.utils import (
deep_decrypt,
get_vault,
)
from .bgp import calculate_local_asn_from_ipv4
from .device import get_device_platform, get_device_hostname, get_device_mac_address
from .interface import (
Expand Down Expand Up @@ -2124,12 +2128,23 @@ def _add_snmp_configuration(config, device, oob_ip):
in the config_context of the device.
"""

# Create vault instance for Custom Field decryption
vault = get_vault()

# Decrypt secrets Custom Field
node_secrets = device.custom_fields.get("secrets", {})
if node_secrets is None:
node_secrets = {}
deep_decrypt(node_secrets, vault)

# Configure SNMP location and contact
location = device.config_context.get("_segment_snmp_server_location", "Data Center")
contact = device.config_context.get(
"_segment_snmp_server_contact", "info@example.com"
)
config["SNMP_SERVER"] = {"SYSTEM": {"sysContact": contact, "sysLocation": location}}

# Configure SNMP traps
traps = device.config_context.get("_segment_snmp_server_traps", True)
if traps:
config["SNMP_SERVER"]["SYSTEM"]["traps"] = "enable"
Expand All @@ -2139,13 +2154,14 @@ def _add_snmp_configuration(config, device, oob_ip):
f"{oob_ip}|161|mgmt": {"name": "agentEntry1"}
}

# Configure SNMP user
username = device.config_context.get("_segment_snmp_server_username", None)
if username:
userauthpass = device.config_context.get(
"_segment_snmp_server_userauthpass", "OBFUSCATEDSECRET1"
userauthpass = node_secrets.get(
"_segment_snmp_server_userauthpass", "OBFUSCATEDAUTHSECRET"
)
userprivpass = device.config_context.get(
"_segment_snmp_server_userprivpass", "OBFUSCATEDSECRET2"
userprivpass = node_secrets.get(
🚨 issue (security): Using hard-coded default SNMP credentials when secrets are missing is risky and may lead to predictable credentials in production.

Right now, if those keys are missing in node_secrets, we silently fall back to "OBFUSCATEDAUTHSECRET" / "OBFUSCATEDPRIVSECRET", creating fixed, guessable credentials when secrets are misconfigured. Instead, consider either not configuring the SNMP user when secrets are absent, failing fast with a clear error, or requiring explicit configuration rather than using built-in defaults.

"_segment_snmp_server_userprivpass", "OBFUSCATEDPRIVSECRET"
)
config["SNMP_SERVER_GROUP_MEMBER"] = {}
config["SNMP_SERVER_USER"] = {}
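Review bot: `deep_decrypt(node_secrets, vault)` discards its return value while `node_secrets` is the same dict object stored under `device.custom_fields["secrets"]`, so if the helper decrypts in place the plaintext secrets are written back into the device object and remain there for anything that later logs, caches or serializes `device`, and if it instead returns a new mapping the decrypted values are lost and the `.get()` calls below read ciphertext. The call should operate on a private copy, e.g. `node_secrets = copy.deepcopy(device.custom_fields.get("secrets") or {})` followed by `deep_decrypt(node_secrets, vault)` (binding the result if the helper returns one), with `import copy` added to the import block. The vault lookup and decryption also run even when `_segment_snmp_server_username` is unset, so moving both into the `if username:` branch would avoid touching the vault for devices that configure no SNMP user. `_add_snmp_configuration` begins before the first hunk and continues past the last one.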