# Barix configuration interface
# (c) 2023 Barix AG
#
# meta-file for automatic config-file generation

# destination file for the configuration (absolute path)
DST_FILE[0]="/etc/snmp/snmpd.conf"

# template file, looked up under /barix/config/templates/templates
TEMPLATE_FILE[0]="snmpd"

# character that introduces a comment in the generated file
COMMENT_PREFIX[0]='#'

# name of the function that prints the dynamic part of the config
DYNAMIC_CONTENT_FN[0]="create_dynamic_config_snmpd"

# function to create dynamic content
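function create_dynamic_config_snmpd()
{
	# Print the dynamic part of snmpd.conf on stdout; the config framework
	# writes it to DST_FILE[0].  All values come from cfg_print_param
	# (snmp.* parameters), /barix/info/SYS-ID and /tmp/device_features.
	# The output contains community strings and v3 passphrases in the
	# clear, so the destination file's permissions are what protect them.
	# Globals:   none written (every variable is local)
	# Arguments: none
	# Outputs:   snmpd.conf directives on stdout
	# Returns:   0

	#######################################
	# Print the parameters of one SNMPv3 user.
	# Arguments: $1 - config section name, e.g. user1 (also the value of
	#                 snmp.traps.user)
	#            $2 - non-empty: emit the "-u/-a/-A/-x/-X" option form used
	#                 by trapsess; empty: emit the positional createUser form
	# Outputs:   one line on stdout; nothing when the user has no username
	# Returns:   0
	#######################################
	get_user_params()
	{
		local user=$1
		local with_options=$2
		local username auth_type auth_passphrase enc_type enc_passphrase

		username=$(cfg_print_param "snmp.$user.username")
		if [[ -z "$username" ]]; then
			return 0
		fi

		auth_type=$(cfg_print_param "snmp.$user.auth_type")
		auth_type=${auth_type:-SHA}
		# snmpd expects the algorithm names in upper case
		auth_type=${auth_type^^}

		# an empty passphrase is passed through as-is; snmpd reports the
		# resulting createUser/trapsess line as an error at startup
		auth_passphrase=$(cfg_print_param "snmp.$user.auth_passphrase")
		if [[ -n "$with_options" && -n "$auth_passphrase" ]]; then
			auth_passphrase="-A $auth_passphrase"
		fi

		enc_type=$(cfg_print_param "snmp.$user.enc_type")
		enc_type=${enc_type:-AES}
		enc_type=${enc_type^^}

		enc_passphrase=$(cfg_print_param "snmp.$user.enc_passphrase")
		if [[ -n "$with_options" && -n "$enc_passphrase" ]]; then
			enc_passphrase="-X $enc_passphrase"
		fi

		if [[ -n "$with_options" ]]; then
			echo "-u $username -a $auth_type $auth_passphrase -x $enc_type $enc_passphrase"
		else
			echo "$username $auth_type $auth_passphrase $enc_type $enc_passphrase"
		fi
	}

	local snmp_version ro_com rw_com sys_contact sys_name sys_location
	local barix_product_oid flexa_app_snmp use_snmp_traps engineid
	local idx params username access security_level
	local traps_community traps_destinations dest user
	local traps_inputs traps_repeat traps_sendonboot

	# SNMP version; default is version 1
	snmp_version=$(cfg_print_param snmp.main.snmp_version)
	snmp_version=${snmp_version:-1}

	# community strings; the read-only one falls back to the well-known
	# default "public", the read-write one is only emitted when configured
	ro_com=$(cfg_print_param snmp.security.ro_community)
	rw_com=$(cfg_print_param snmp.security.rw_community)
	ro_com=${ro_com:-public}

	# system params
	sys_contact=$(cfg_print_param snmp.system.syscontact)
	if [[ -z "$sys_contact" ]]; then
		sys_contact='Unknown (configure /etc/snmp/snmpd.local.conf)'
	fi
	sys_name=$(cfg_print_param snmp.system.sysname)
	sys_location=$(cfg_print_param snmp.system.syslocation)
	if [[ -z "$sys_location" ]]; then
		sys_location='<root@localhost> (configure /etc/snmp/snmpd.local.conf)'
	fi
	# empty when the file is missing; the .1.3.6.1.4.1.$barix_product_oid
	# OIDs below would then be truncated
	barix_product_oid=$(cat /barix/info/SYS-ID)
	flexa_app_snmp="/mnt/data/package/snmp/app-snmp-entries.py"
	# "true" only when the feature file exists and sets show_snmp_traps
	use_snmp_traps=$(jq -r .show_snmp_traps /tmp/device_features 2> /dev/null)

	# Now configure the entries
	echo "###############################################################################"
	echo "# Access Control"
	echo "###############################################################################"
	echo "#       sec.name  source          community"
	echo "com2sec  paranoid   default        $ro_com"
	if [[ -n "$rw_com" ]]; then
		echo "com2sec  readwrite  default        $rw_com"
	fi

	echo "####"
	echo "# Second, map the security names into group names:"
	echo "#                sec.model  sec.name"
	# anything other than 1 or 2c is treated as v3 (usm)
	if [[ "$snmp_version" == "1" ]]; then
		echo "group MyROSystem v1        paranoid"
		echo "group MyROGroup v1         readonly"
		echo "group MyRWGroup v1         readwrite"
	elif [[ "$snmp_version" == "2c" ]]; then
		echo "group MyROSystem v2c       paranoid"
		echo "group MyROGroup v2c        readonly"
		echo "group MyRWGroup v2c        readwrite"
	else
		echo "group MyROSystem usm       paranoid"
		echo "group MyROGroup usm        readonly"
		echo "group MyRWGroup usm        readwrite"
	fi
	echo "####"

	echo "####"
	# the text must be quoted, otherwise "#" starts a shell comment and
	# only an empty line is printed
	echo "# Third, create a view for us to let the groups have rights to:"
	echo
	echo "#           incl/excl subtree                          mask"
	echo "view all    included  .1                               80"
	echo "view system included  .iso.org.dod.internet.mgmt.mib-2.system"
	echo
	echo "view system included .iso.org.dod.internet.mgmt.mib-2.ip"
	echo "view system included .iso.org.dod.internet.mgmt.mib-2.icmp"
	echo "view system included .iso.org.dod.internet.mgmt.mib-2.tcp"
	echo "view system included .iso.org.dod.internet.mgmt.mib-2.udp"
	echo
	echo "#BARIX specific MIBS"
	echo "view system included .1.3.6.1.4.1.17491.3.1.1"
	echo "view system included .1.3.6.1.4.1.$barix_product_oid"
	if [[ "$use_snmp_traps" == "true" ]]; then
		echo "view system included .1.3.6.1.4.1.17491.1.1"
	fi
	echo
	echo "####"
	echo "# Finally, grant the 2 groups access to the 1 view with different"
	echo "# write permissions:"
	echo
	echo "#                context sec.model sec.level match  read   write  notif"
	echo "access MyROSystem \"\"     any       noauth    exact  system none   none"
	echo "access MyROGroup \"\"      any       noauth    exact  all    none   none"
	echo "access MyRWGroup \"\"      any       noauth    exact  all    all    none"
	echo
	echo "###############################################################################"
	echo "# System contact information"
	echo "#"
	echo "syslocation \"$sys_location\""
	echo "syscontact \"$sys_contact\""
	if [[ -n "$sys_name" ]]; then
		echo "sysname \"$sys_name\""
	fi
	echo
	echo "####"
	echo "# Set engine id or leave it empty so the system can generate one"
	engineid=$(cfg_print_param snmp.security.engineid)
	if [[ -n "$engineid" ]]; then
		echo "engineID $engineid"
	fi
	echo
	echo "####"
	echo "# Add SNMP users to be used under V3 version"
	for idx in 1 2 3; do
		params=$(get_user_params "user$idx")
		if [[ -n "$params" ]]; then
			echo "createUser $params"

			username=$(cfg_print_param "snmp.user$idx.username")

			# ro/rw becomes the rouser/rwuser directive
			access=$(cfg_print_param "snmp.user$idx.access")
			access=${access:-ro}
			access="${access,,}user"

			# default is the strongest level (authentication + privacy)
			security_level=$(cfg_print_param "snmp.user$idx.security_level")
			security_level=${security_level:-priv}
			security_level=${security_level,,}

			echo "$access $username $security_level"
		fi
	done
	echo
	echo "# show nethost"
	echo "pass_persist    .1.3.6.1.4.1.17491.3 /usr/bin/python3 /usr/share/snmp/flexa/flexa-snmp-nethost.py"
	echo "#show default Flexa SNMP entries"
	echo "pass_persist    .1.3.6.1.4.1.$barix_product_oid.1 /usr/bin/python3 /usr/share/snmp/flexa/flexa-snmp-defaults.py"
	if [[ -e "$flexa_app_snmp" ]]; then
		echo "#show current Flexa app specific SNMP entries"
		echo "pass_persist    .1.3.6.1.4.1.$barix_product_oid.2 /usr/bin/python3 $flexa_app_snmp"
	fi

	if [[ "$use_snmp_traps" == "true" ]]; then
		echo "dlmod barionetPluginObject /usr/lib/libbarionetMibModule.so"

		traps_community=$(cfg_print_param snmp.traps.community)

		# the destinations are a whitespace separated list; word splitting
		# is intended here
		traps_destinations=$(cfg_print_param snmp.traps.destinations)
		# shellcheck disable=SC2086
		for dest in $traps_destinations; do
			if [[ "$snmp_version" == "3" ]]; then
				user=$(cfg_print_param snmp.traps.user)
				if [[ -n "$user" ]]; then
					params=$(get_user_params "$user" 1)
					security_level=$(cfg_print_param "snmp.$user.security_level")
					security_level=${security_level:-priv}
					security_level=${security_level,,}
					# trapsess uses the USM level names, not the
					# rouser/rwuser ones
					case "$security_level" in
						priv)   security_level="authPriv" ;;
						auth)   security_level="authNoPriv" ;;
						noauth) security_level="noAuthNoPriv" ;;
					esac

					echo "trapsess -v 3 $params -l $security_level $dest"
				fi
			elif [[ "$snmp_version" == "2c" ]]; then
				echo "trapsess -v 2c -c $traps_community $dest"
			else
				echo "trapsess -v 1 -c $traps_community $dest"
			fi
		done

		traps_inputs=$(cfg_print_param snmp.traps.barionet_inputs)
		if [[ -n "$traps_inputs" ]]; then
			echo "trapbarionet inputs $traps_inputs"
		fi

		traps_repeat=$(cfg_print_param snmp.traps.barionet_repeat)
		if [[ -n "$traps_repeat" ]]; then
			echo "trapbarionet repeat $traps_repeat"
		fi

		traps_sendonboot=$(cfg_print_param snmp.traps.barionet_sendonboot)
		if [[ "$traps_sendonboot" == "true" ]]; then
			echo "trapbarionet sendonboot"
		fi

	fi
}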



