Fixed SNMPv3 behaviour of check_ifstatus. Added -P to define privprotocol (#2343438 - Robin Schroeder)

check_ifstatus didn't function correctly with SNMPv3. This is fixed now.
Created argument-hash for SNMP session creation. This removes redundant code.
Session creation was moved out of process_arguments() and now takes place
after setting the timeout handler.

Additionally the -P argument was added to specify the privprotocol.

NEWS

@@ -39,8 +39,8 @@ This file documents the major additions and syntax changes between releases.
 	Fixed check_by_ssh interpretation of quotes in -C parameter (#1985246, #2268675)
 	check_snmp now supports standard threshold ranges and doubles (floating numbers) in thresholds
 	check_fping now supports passing target timeout and interval to fping (#2347686 - Martin Foster)
-	Fixed SNMPv3 behaviour of check_ifoperstatus. Added -x to define privprotocol (#2343438 - Robin Schroeder)
-	check_ifoperstatus is now more userfriendly in case of missing arguments
+	Fixed SNMPv3 behaviour of check_ifoperstatus and check_ifstatus. Added -x/-P to define privprotocol (#2343438 - Robin Schroeder)
+	check_ifoperstatus and check_ifstatus are now more user-friendly in case of missing arguments
 
 1.4.13 25th Sept 2008
 	Fix Debian bug #460097: check_http --max-age broken (Hilko Bengen)

plugins-scripts/check_ifstatus.pl

@@ -42,7 +42,8 @@ Getopt::Long::Configure('bundling');
 my $PROGNAME = "check_ifstatus";
 
 sub print_help ();
-sub usage ();
+sub usage ($);
+sub print_usage ();
 sub process_arguments ();
 
 
@@ -63,7 +64,7 @@ my $snmpoid=0;
 my $key=0;
 my $community = "public";
 my $maxmsgsize = 1472 ; # Net::SNMP default is 1472
-my ($seclevel, $authproto, $secname, $authpass, $privpass, $auth, $priv, $context);
+my ($seclevel, $authproto, $secname, $authpass, $privpass, $privproto, $auth, $priv, $context);
 my $port = 161;
 my @snmpoids;
 my $snmpIfAdminStatus = '1.3.6.1.2.1.2.2.1.7';
@@ -92,6 +93,7 @@ my $opt_u;
 my $opt_x ;
 my %excluded ;
 my @unused_ports ;
+my %session_opts;
 
 
 
@@ -115,6 +117,15 @@ if ($status != 0)
 
 
 alarm($timeout);
+($session, $error) = Net::SNMP->session(%session_opts);
+		
+if (!defined($session)) {
+			$state='UNKNOWN';
+			$answer=$error;
+			print ("$state: $answer\n");
+			exit $ERRORS{$state};
+}
+
 
 push(@snmpoids,$snmpIfOperStatus);
 push(@snmpoids,$snmpIfAdminStatus);
@@ -209,19 +220,25 @@ my $perfdata = sprintf("up=%d,down=%d,dormant=%d,excluded=%d,unused=%d",$ifup,$i
 print ("$state: $answer |$perfdata\n");
 exit $ERRORS{$state};
 
+sub usage($) {
+	print "$_[0]\n";
+	print_usage();
+	exit $ERRORS{"UNKNOWN"};
+}
 
-sub usage (){
-	printf "\nMissing arguments!\n";
+sub print_usage() {
 	printf "\n";
+	printf "usage: \n";
 	printf "check_ifstatus -C <READCOMMUNITY> -p <PORT> -H <HOSTNAME>\n";
 	printf "Copyright (C) 2000 Christoph Kron\n";
 	printf "Updates 5/2002 Subhendu Ghosh\n";
-	printf "\n\n";
 	support();
-	exit $ERRORS{"UNKNOWN"};
+	printf "\n\n";
 }
 
-sub print_help (){
+sub print_help() {
+	print_revision($PROGNAME, '@NP_VERSION@');
+	print_usage();
 	printf "check_ifstatus plugin for Nagios monitors operational \n";
 	printf "status of each network interface on the target host\n";
 	printf "\nUsage:\n";
@@ -242,14 +259,15 @@ sub print_help (){
 	printf "                     See the IANAifType-MIB for a list of interface types.\n";
 	printf "   -L (--seclevel)   choice of \"noAuthNoPriv\", \"authNoPriv\", or	\"authPriv\"\n";
 	printf "   -U (--secname)    username for SNMPv3 context\n";
-	printf "   -c (--context)    SNMPv3 context name (default is empty	string)";
+	printf "   -c (--context)    SNMPv3 context name (default is empty string)\n";
 	printf "   -A (--authpass)   authentication password (cleartext ascii or localized key\n";
-	printf "                     in hex with 0x prefix generated by using	\"snmpkey\" utility\n"; 
+	printf "                     in hex with 0x prefix generated by using \"snmpkey\" utility\n"; 
 	printf "                     auth password and authEngineID\n";
-	printf "   -a (--authproto)  Authentication protocol ( MD5 or SHA1)\n";
+	printf "   -a (--authproto)  Authentication protocol (MD5 or SHA1)\n";
 	printf "   -X (--privpass)   privacy password (cleartext ascii or localized key\n";
-	printf "                     in hex with 0x prefix generated by using	\"snmpkey\" utility\n"; 
+	printf "                     in hex with 0x prefix generated by using \"snmpkey\" utility\n"; 
 	printf "                     privacy password and authEngineID\n";
+	printf "   -P (--privproto)  privacy protocol (DES or AES; default: DES)\n";
 	printf "   -M (--maxmsgsize) Max message size - usefull only for v1 or v2c\n";
 	printf "   -t (--timeout)    seconds before the plugin times out (default=$TIMEOUT)\n";
 	printf "   -V (--version)    Plugin version\n";
@@ -269,6 +287,7 @@ sub process_arguments() {
 		"U=s" => \$secname,   "secname=s"   => \$secname,
 		"A=s" => \$authpass,  "authpass=s"  => \$authpass,
 		"X=s" => \$privpass,  "privpass=s"  => \$privpass,
+		"P=s" => \$privproto,  "privproto=s"  => \$privproto,
 		"c=s" => \$context,   "context=s"   => \$context,
 		"p=i" =>\$port, "port=i" => \$port,
 		"H=s" => \$hostname, "hostname=s" => \$hostname,
@@ -280,9 +299,10 @@ sub process_arguments() {
 		);
 		
 	if ($status == 0){
-		print_help() ;
+		print_help();
 		exit $ERRORS{'OK'};
 	}
+
 	if ($opt_V) {
 		print_revision($PROGNAME,'@NP_VERSION@');
 		exit $ERRORS{'OK'};
@@ -297,68 +317,75 @@ sub process_arguments() {
 		$timeout = $TIMEOUT;
 	}
 
+	if ($snmp_version !~ /[123]/){
+		$state='UNKNOWN';
+		print ("$state: No support for SNMP v$snmp_version yet\n");
+		exit $ERRORS{$state};
+	}
+
+	%session_opts = (
+		-hostname   => $hostname,
+		-port       => $port,
+		-version    => $snmp_version,
+		-maxmsgsize => $maxmsgsize
+	);
+
+	$session_opts{'-community'} = $community if (defined $community && $snmp_version =~ /[12]/);
+
 	if ($snmp_version =~ /3/ ) {
 		# Must define a security level even though default is noAuthNoPriv
 		# v3 requires a security username
-		if (defined $seclevel  && defined $secname) {
+		if (defined $seclevel && defined $secname) {
+			$session_opts{'-username'} = $secname;
 		
 			# Must define a security level even though defualt is noAuthNoPriv
-			unless ($seclevel eq ('noAuthNoPriv' || 'authNoPriv' || 'authPriv' ) ) {
-				usage();
-				exit $ERRORS{"UNKNOWN"};
+			unless ( grep /^$seclevel$/, qw(noAuthNoPriv authNoPriv authPriv) ) {
+				usage("Must define a valid security level even though default is noAuthNoPriv");
 			}
 			
 			# Authentication wanted
-			if ($seclevel eq ('authNoPriv' || 'authPriv') ) {
-		
-				unless ($authproto eq ('MD5' || 'SHA1') ) {
-					usage();
-					exit $ERRORS{"UNKNOWN"};
+			if ( $seclevel eq 'authNoPriv' || $seclevel eq 'authPriv' ) {
+				if (defined $authproto && $authproto ne 'MD5' && $authproto ne 'SHA1') {
+					usage("Auth protocol can be either MD5 or SHA1");
 				}
+				$session_opts{'-authprotocol'} = $authproto if(defined $authproto);
 
 				if ( !defined $authpass) {
-					usage();
-					exit $ERRORS{"UNKNOWN"};
+					usage("Auth password/key is not defined");
 				}else{
 					if ($authpass =~ /^0x/ ) {
-						$auth = "-authkey => $authpass" ;
+						$session_opts{'-authkey'} = $authpass ;
 					}else{
-						$auth = "-authpassword => $authpass";
+						$session_opts{'-authpassword'} = $authpass ;
 					}
 				}
-					
 			}
 			
 			# Privacy (DES encryption) wanted
-			if ($seclevel eq  'authPriv' ) {
+			if ($seclevel eq 'authPriv' ) {
 				if (! defined $privpass) {
-					usage();
-					exit $ERRORS{"UNKNOWN"};
+					usage("Privacy passphrase/key is not defined");
 				}else{
 					if ($privpass =~ /^0x/){
-						$priv = "-privkey => $privpass";
+						$session_opts{'-privkey'} = $privpass;
 					}else{
-						$priv = "-privpassword => $privpass";
+						$session_opts{'-privpassword'} = $privpass;
 					}
 				}
+
+				$session_opts{'-privprotocol'} = $privproto if(defined $privproto);
 			}
 
 			# Context name defined or default
-
 			unless ( defined $context) {
 				$context = "";
 			}
 		
-		
-		
 		}else {
-					usage();
-					exit $ERRORS{'UNKNOWN'}; ;
+			usage("Security level or name is not defined");
 		}
 	} # end snmpv3
 
-	# for snmp v1 & v2c we default to community = "public"
-	
 	# Excluded interfaces types (ifType) (backup interfaces, dial-on demand interfaces, PPP interfaces
 	if (defined $opt_x) {
 		my @x = split(/,/, $opt_x);
@@ -380,79 +407,16 @@ sub process_arguments() {
 	}
 
 	if (! utils::is_hostname($hostname)){
-		usage();
+		usage("Hostname invalid or not given");
 		exit $ERRORS{"UNKNOWN"};
 	}
 
-	# create SNMP session handle based on options passed.
-
-	if ( ! $snmp_version ) {
-		$snmp_version =1 ;
-	}else{
-		if ( $snmp_version =~ /[12]/ ) {
-	
-			($session, $error) = Net::SNMP->session(
-						-hostname  => $hostname,
-						-community => $community,
-						-port      => $port,
-						-version	=> $snmp_version,
-						-maxmsgsize => $maxmsgsize
-			 );
-
-		if (!defined($session)) {
-					$state='UNKNOWN';
-					$answer=$error;
-					print ("$state: $answer");
-					exit $ERRORS{$state};
-		}
-
 		
-	}elsif ( $snmp_version =~ /3/ ) {
-
-		if ($seclevel eq 'noAuthNoPriv') {
-			($session, $error) = Net::SNMP->session(
-				-hostname  => $hostname,
-				-port      => $port,
-				-version  => $snmp_version,
-				-username => $secname,
-			);
-
-		}elsif ( $seclevel eq 'authNoPriv' ) {
-			($session, $error) = Net::SNMP->session(
-				-hostname  => $hostname,
-				-port      => $port,
-				-version  => $snmp_version,
-				-username => $secname,
-				-authprotocol => $authproto,
-				$auth
-			);	
-		}elsif ($seclevel eq 'authPriv' ) {
-			($session, $error) = Net::SNMP->session(
-				-hostname  => $hostname,
-				-port      => $port,
-				-version  => $snmp_version,
-				-username => $secname,
-				-authprotocol => $authproto,
-				$auth,
-				$priv
-			);
-		}
-					
-					
-		if (!defined($session)) {
-					$state='UNKNOWN';
-					$answer=$error;
-					print ("$state: $answer");
-					exit $ERRORS{$state};
-		}
-			
-	}else{
+	if ($snmp_version !~ /[123]/) {
 		$state='UNKNOWN';
 		print ("$state: No support for SNMP v$snmp_version yet\n");
 		exit $ERRORS{$state};
 	}
-}
 
 return $ERRORS{"OK"};
-				
 }

plugins-scripts/t/check_ifstatus.t

@@ -0,0 +1,63 @@
+#! /usr/bin/perl -w -I ..
+#
+# SNMP Test via check_ifoperstatus
+#
+#
+
+use strict;
+use Test::More;
+use NPTest;
+
+my $tests = 9;
+plan tests => $tests;
+my $res;
+
+my $plugin = "check_ifstatus";
+SKIP: {
+	skip "$plugin is not created", $tests if ( ! -x $plugin );
+
+	my $host_snmp = getTestParameter( "host_snmp",          "NP_HOST_SNMP",      "localhost",
+	                                   "A host providing an SNMP Service");
+
+	my $snmp_community = getTestParameter( "snmp_community",     "NP_SNMP_COMMUNITY", "public",
+                                           "The SNMP Community string for SNMP Testing (assumes snmp v1)" );
+
+	my $host_nonresponsive = getTestParameter( "host_nonresponsive", "NP_HOST_NONRESPONSIVE", "10.0.0.1",
+	                                           "The hostname of system not responsive to network requests" );
+
+	my $hostname_invalid   = getTestParameter( "hostname_invalid",   "NP_HOSTNAME_INVALID",   "nosuchhost",
+	                                           "An invalid (not known to DNS) hostname" );
+
+	$res = NPTest->testCmd( "./$plugin" );
+	is( $res->return_code, 3, "No arguments" );
+	like( $res->output, '/usage/', "Output contains usage" );
+	
+	$res = NPTest->testCmd( "./$plugin -H fakehost -v 3 --seclevel rubbish --secname foobar" );
+	is( $res->return_code, 3, "invalid seclevel" );
+	like( $res->output, "/Must define a valid security level/", "Output contains 'Must define a valid security level'" );
+
+	SKIP: {
+		skip "no snmp host defined", 2 if ( ! $host_snmp );
+
+		$res = NPTest->testCmd( "./$plugin -H $host_snmp -C $snmp_community ");
+		like($res->output, '/^.*host.*interfaces up/', "String contains host.*interfaces up");
+
+		$res = NPTest->testCmd( "./$plugin -H $host_snmp -C rubbish");
+		cmp_ok( $res->return_code, '==', 2, "Exit CRITICAL for community 'rubbish'" ); 
+
+	}
+
+	SKIP: {
+		skip "no non responsive host defined", 1 if ( ! $host_nonresponsive );
+		$res = NPTest->testCmd( "./$plugin -H $host_nonresponsive -C $snmp_community");
+		cmp_ok( $res->return_code, '==', 2, "Exit CRITICAL with non responsive host" ); 
+	}
+
+	SKIP: {
+		skip "no invalid host defined", 2 if ( ! $hostname_invalid );
+		$res = NPTest->testCmd( "./$plugin -H $hostname_invalid -C $snmp_community");
+		cmp_ok( $res->return_code, '==', 3, "Exit UNKNOWN with invalid host" ); 
+		like($res->output, "/Unable to resolve.*$hostname_invalid/", "String matches unable to resolve.*$hostname_invalid");
+	}
+
+}