Add SNMPv3 trap support to snmp_trap input plugin (#7294)

Extend snmp_trap input plugin to support SNMPv3 traps. MD5 and SHA1 authentication protocols are supported, and DES, AES, AES192, AES256, AES192c and AES256c privacy protocols are supported.

plugins/inputs/snmp_trap/README.md

@@ -33,6 +33,24 @@ information.
   # service_address = "udp://:162"
   ## Timeout running snmptranslate command
   # timeout = "5s"
+  ## Snmp version
+  # version = "2c"
+  ## SNMPv3 authentication and encryption options.
+  ##
+  ## Security Name.
+  # sec_name = "myuser"
+  ## Authentication protocol; one of "MD5", "SHA" or "".
+  # auth_protocol = "MD5"
+  ## Authentication password.
+  # auth_password = "pass"
+  ## Security Level; one of "noAuthNoPriv", "authNoPriv", or "authPriv".
+  # sec_level = "authNoPriv"
+  ## Context Name.
+  # context_name = ""
+  ## Privacy protocol used for encrypted messages; one of "DES", "AES", "AES192", "AES192C", "AES256", "AES256C" or "".
+  # priv_protocol = ""
+  ## Privacy password used for encrypted messages.
+  # priv_password = ""
 ```
 
 #### Using a Privileged Port

plugins/inputs/snmp_trap/snmp_trap.go

@@ -31,6 +31,22 @@ type mibEntry struct {
 type SnmpTrap struct {
 	ServiceAddress string            `toml:"service_address"`
 	Timeout        internal.Duration `toml:"timeout"`
+	Version        string            `toml:"version"`
+
+	// Settings for version 3
+	ContextName string `toml:"context_name"`
+	// Values: "noAuthNoPriv", "authNoPriv", "authPriv"
+	SecLevel string `toml:"sec_level"`
+	SecName  string `toml:"sec_name"`
+	// Values: "MD5", "SHA", "". Default: ""
+	AuthProtocol string `toml:"auth_protocol"`
+	AuthPassword string `toml:"auth_password"`
+	// Values: "DES", "AES", "". Default: ""
+	PrivProtocol string `toml:"priv_protocol"`
+	PrivPassword string `toml:"priv_password"`
+	EngineID     string `toml:"-"`
+	EngineBoots  uint32 `toml:"-"`
+	EngineTime   uint32 `toml:"-"`
 
 	acc      telegraf.Accumulator
 	listener *gosnmp.TrapListener
@@ -58,6 +74,24 @@ var sampleConfig = `
   # service_address = "udp://:162"
   ## Timeout running snmptranslate command
   # timeout = "5s"
+  ## Snmp version, defaults to 2c
+  # version = "2c"
+  ## SNMPv3 authentication and encryption options.
+  ##
+  ## Security Name.
+  # sec_name = "myuser"
+  ## Authentication protocol; one of "MD5", "SHA" or "".
+  # auth_protocol = "MD5"
+  ## Authentication password.
+  # auth_password = "pass"
+  ## Security Level; one of "noAuthNoPriv", "authNoPriv", or "authPriv".
+  # sec_level = "authNoPriv"
+  ## Context Name.
+  # context_name = ""
+  ## Privacy protocol used for encrypted messages; one of "DES", "AES", "AES192", "AES192C", "AES256", "AES256C" or "".
+  # priv_protocol = ""
+  ## Privacy password used for encrypted messages.
+  # priv_password = ""
 `
 
 func (s *SnmpTrap) SampleConfig() string {
@@ -78,6 +112,7 @@ func init() {
 			timeFunc:       time.Now,
 			ServiceAddress: "udp://:162",
 			Timeout:        defaultTimeout,
+			Version:        "2c",
 		}
 	})
 }
@@ -105,6 +140,85 @@ func (s *SnmpTrap) Start(acc telegraf.Accumulator) error {
 	s.listener.OnNewTrap = makeTrapHandler(s)
 	s.listener.Params = gosnmp.Default
 
+	switch s.Version {
+	case "3":
+		s.listener.Params.Version = gosnmp.Version3
+	case "2c":
+		s.listener.Params.Version = gosnmp.Version2c
+	case "1":
+		s.listener.Params.Version = gosnmp.Version1
+	default:
+		s.listener.Params.Version = gosnmp.Version2c
+	}
+
+	if s.listener.Params.Version == gosnmp.Version3 {
+		s.listener.Params.ContextName = s.ContextName
+		s.listener.Params.SecurityModel = gosnmp.UserSecurityModel
+
+		switch strings.ToLower(s.SecLevel) {
+		case "noauthnopriv", "":
+			s.listener.Params.MsgFlags = gosnmp.NoAuthNoPriv
+		case "authnopriv":
+			s.listener.Params.MsgFlags = gosnmp.AuthNoPriv
+		case "authpriv":
+			s.listener.Params.MsgFlags = gosnmp.AuthPriv
+		default:
+			return fmt.Errorf("unknown security level '%s'", s.SecLevel)
+		}
+
+		var authenticationProtocol gosnmp.SnmpV3AuthProtocol
+		switch strings.ToLower(s.AuthProtocol) {
+		case "md5":
+			authenticationProtocol = gosnmp.MD5
+		case "sha":
+			authenticationProtocol = gosnmp.SHA
+		//case "sha224":
+		//	authenticationProtocol = gosnmp.SHA224
+		//case "sha256":
+		//	authenticationProtocol = gosnmp.SHA256
+		//case "sha384":
+		//	authenticationProtocol = gosnmp.SHA384
+		//case "sha512":
+		//	authenticationProtocol = gosnmp.SHA512
+		case "":
+			authenticationProtocol = gosnmp.NoAuth
+		default:
+			return fmt.Errorf("unknown authentication protocol '%s'", s.AuthProtocol)
+		}
+
+		var privacyProtocol gosnmp.SnmpV3PrivProtocol
+		switch strings.ToLower(s.PrivProtocol) {
+		case "aes":
+			privacyProtocol = gosnmp.AES
+		case "des":
+			privacyProtocol = gosnmp.DES
+		case "aes192":
+			privacyProtocol = gosnmp.AES192
+		case "aes192c":
+			privacyProtocol = gosnmp.AES192C
+		case "aes256":
+			privacyProtocol = gosnmp.AES256
+		case "aes256c":
+			privacyProtocol = gosnmp.AES256C
+		case "":
+			privacyProtocol = gosnmp.NoPriv
+		default:
+			return fmt.Errorf("unknown privacy protocol '%s'", s.PrivProtocol)
+		}
+
+		s.listener.Params.SecurityParameters = &gosnmp.UsmSecurityParameters{
+			AuthoritativeEngineID:    s.EngineID,
+			AuthoritativeEngineBoots: s.EngineBoots,
+			AuthoritativeEngineTime:  s.EngineTime,
+			UserName:                 s.SecName,
+			PrivacyProtocol:          privacyProtocol,
+			PrivacyPassphrase:        s.PrivPassword,
+			AuthenticationPassphrase: s.AuthPassword,
+			AuthenticationProtocol:   authenticationProtocol,
+		}
+
+	}
+
 	// wrap the handler, used in unit tests
 	if nil != s.makeHandlerWrapper {
 		s.listener.OnNewTrap = s.makeHandlerWrapper(s.listener.OnNewTrap)