aristanetworks · carl-baillargeon · Feb 6, 2025 · Oct 16, 2024 · Nov 29, 2024 · Nov 29, 2024
diff --git a/anta/custom_types.py b/anta/custom_types.py
@@ -226,10 +226,6 @@ def validate_regex(value: str) -> str:
 ]
 BgpUpdateError = Literal["inUpdErrWithdraw", "inUpdErrIgnore", "inUpdErrDisableAfiSafi", "disabledAfiSafi", "lastUpdErrTime"]
 BfdProtocol = Literal["bgp", "isis", "lag", "ospf", "ospfv3", "pim", "route-input", "static-bfd", "static-route", "vrrp", "vxlan"]
-SnmpPdu = Literal["inGetPdus", "inGetNextPdus", "inSetPdus", "outGetResponsePdus", "outTrapPdus"]
-SnmpErrorCounter = Literal[
-    "inVersionErrs", "inBadCommunityNames", "inBadCommunityUses", "inParseErrs", "outTooBigErrs", "outNoSuchNameErrs", "outBadValueErrs", "outGeneralErrs"
-]
 IPv4RouteType = Literal[
     "connected",
     "static",
@@ -259,8 +255,30 @@ def validate_regex(value: str) -> str:
     "Route Cache Route",
     "CBF Leaked Route",
 ]
+DynamicVlanSource = Literal["dmf", "dot1x", "dynvtep", "evpn", "mlag", "mlagsync", "mvpn", "swfwd", "vccbfd"]
+LogSeverityLevel = Literal["alerts", "critical", "debugging", "emergencies", "errors", "informational", "notifications", "warnings"]
+
+
+########################################
+# SNMP
+########################################
+def snmp_v3_prefix(auth_type: str) -> str:
+    """Prefix the SNMP authentication type with 'v3' if it is known."""
+    snmp_auth_types = ["auth", "priv", "noauth"]
+
+    if auth_type.lower() in snmp_auth_types and auth_type.lower() == "noauth":
+        return "v3NoAuth"
+    if auth_type.lower() in snmp_auth_types:
+        return f"v3{auth_type.title()}"
+    msg = f"SNMP authentication type `{auth_type}` is not supported, supported types are {', '.join(snmp_auth_types)}"
+    raise ValueError(msg)
+
+
 SnmpVersion = Literal["v1", "v2c", "v3"]
 SnmpHashingAlgorithm = Literal["MD5", "SHA", "SHA-224", "SHA-256", "SHA-384", "SHA-512"]
 SnmpEncryptionAlgorithm = Literal["AES-128", "AES-192", "AES-256", "DES"]
-DynamicVlanSource = Literal["dmf", "dot1x", "dynvtep", "evpn", "mlag", "mlagsync", "mvpn", "swfwd", "vccbfd"]
-LogSeverityLevel = Literal["alerts", "critical", "debugging", "emergencies", "errors", "informational", "notifications", "warnings"]
+SnmpPdu = Literal["inGetPdus", "inGetNextPdus", "inSetPdus", "outGetResponsePdus", "outTrapPdus"]
+SnmpErrorCounter = Literal[
+    "inVersionErrs", "inBadCommunityNames", "inBadCommunityUses", "inParseErrs", "outTooBigErrs", "outNoSuchNameErrs", "outBadValueErrs", "outGeneralErrs"
+]
+SnmpVersionV3AuthType = Annotated[Literal["auth", "priv", "noauth"], AfterValidator(snmp_v3_prefix)]
diff --git a/anta/input_models/snmp.py b/anta/input_models/snmp.py
@@ -9,7 +9,7 @@
 
 from pydantic import BaseModel, ConfigDict
 
-from anta.custom_types import Hostname, Interface, SnmpEncryptionAlgorithm, SnmpHashingAlgorithm, SnmpVersion
+from anta.custom_types import Hostname, Interface, SnmpEncryptionAlgorithm, SnmpHashingAlgorithm, SnmpVersion, SnmpVersionV3AuthType
 
 
 class SnmpHost(BaseModel):
@@ -72,3 +72,29 @@ def __str__(self) -> str:
         - Source Interface: Ethernet1 VRF: default
         """
         return f"Source Interface: {self.interface} VRF: {self.vrf}"
+
+
+class SnmpGroup(BaseModel):
+    """Model for a SNMP group."""
+
+    group_name: str
+    """SNMP group name."""
+    version: SnmpVersion
+    """SNMP protocol version."""
+    read_view: str | None = None
+    """Optional field, View to restrict read access."""
+    write_view: str | None = None
+    """Optional field, View to restrict write access."""
+    notify_view: str | None = None
+    """Optional field, View to restrict notifications."""
+    authentication: SnmpVersionV3AuthType | None = None
+    """SNMPv3 authentication settings. Required when version is v3."""
+
+    def __str__(self) -> str:
+        """Return a human-readable string representation of the SnmpGroup for reporting.
+
+        Examples
+        --------
+        - Group: Test_Group Version: v2c
+        """
+        return f"Group: {self.group_name}, Version: {self.version}"
diff --git a/anta/tests/snmp.py b/anta/tests/snmp.py
@@ -12,7 +12,7 @@
 from pydantic import field_validator
 
 from anta.custom_types import PositiveInteger, SnmpErrorCounter, SnmpPdu
-from anta.input_models.snmp import SnmpHost, SnmpSourceInterface, SnmpUser
+from anta.input_models.snmp import SnmpGroup, SnmpHost, SnmpSourceInterface, SnmpUser
 from anta.models import AntaCommand, AntaTest
 from anta.tools import get_value
 
@@ -543,3 +543,83 @@ def test(self) -> None:
                 self.result.is_failure(f"{interface_details} - Not configured")
             elif actual_interface != interface_details.interface:
                 self.result.is_failure(f"{interface_details} - Incorrect source interface - Actual: {actual_interface}")
+
+
+class VerifySnmpGroup(AntaTest):
+    """Verifies the SNMP group configurations for specified version(s).
+
+    This test performs the following checks:
+
+      1. Verifies that the SNMP group is configured for the specified version.
+      2. For SNMP version 3, verify that the security model matches the expected value.
+      3. Ensures that SNMP group configurations, including read, write, and notify views, align with version-specific requirements.
+
+    Expected Results
+    ----------------
+    * Success: The test will pass if the provided SNMP group and all specified parameters are correctly configured.
+    * Failure: The test will fail if the provided SNMP group is not configured or if any specified parameter is not correctly configured.
+
+    Examples
+    --------
+    ```yaml
+    anta.tests.snmp:
+      - VerifySnmpGroup:
+          snmp_groups:
+            - group_name: Group1
+              version: v1
+              read_view: group_read_1
+              write_view: group_write_1
+              notify_view: group_notify_1
+            - group_name: Group2
+              version: v3
+              read_view: group_read_2
+              write_view: group_write_2
+              notify_view: group_notify_2
+              authentication: priv
+    ```
+    """
+
+    categories: ClassVar[list[str]] = ["snmp"]
+    commands: ClassVar[list[AntaCommand | AntaTemplate]] = [AntaCommand(command="show snmp group", revision=1)]
+
+    class Input(AntaTest.Input):
+        """Input model for the VerifySnmpGroup test."""
+
+        snmp_groups: list[SnmpGroup]
+        """List of SNMP groups."""
+
+        @field_validator("snmp_groups")
+        @classmethod
+        def validate_snmp_groups(cls, snmp_groups: list[SnmpGroup]) -> list[SnmpGroup]:
+            """Validate the inputs provided to the SnmpGroup class."""
+            for snmp_group in snmp_groups:
+                if snmp_group.version == "v3" and snmp_group.authentication is None:
+                    msg = f"{snmp_group}: `authentication` field is required for `version: v3`"
+                    raise ValueError(msg)
+            return snmp_groups
+
+    @AntaTest.anta_test
+    def test(self) -> None:
+        """Main test function for VerifySnmpGroup."""
+        self.result.is_success()
+        for group in self.inputs.snmp_groups:
+            # Verify SNMP group details.
+            if not (group_details := get_value(self.instance_commands[0].json_output, f"groups.{group.group_name}.versions.{group.version}")):
+                self.result.is_failure(f"{group} - Not configured")
+                continue
+
+            view_types = [view_type for view_type in ["read", "write", "notify"] if getattr(group, f"{view_type}_view")]
+            # Verify SNMP views, the read, write and notify settings aligning with version-specific requirements.
+            for view_type in view_types:
+                expected_view = getattr(group, f"{view_type}_view")
+                # Verify actual view is configured.
+                if group_details.get(f"{view_type}View") == "":
+                    self.result.is_failure(f"{group} View: {view_type} - Not configured")
+                elif (act_view := group_details.get(f"{view_type}View")) != expected_view:
+                    self.result.is_failure(f"{group} - Incorrect {view_type.title()} view - Expected: {expected_view}, Actual: {act_view}")
+                elif not group_details.get(f"{view_type}ViewConfig"):
+                    self.result.is_failure(f"{group}, {view_type.title()} View: {expected_view} - Not configured")
+
+            # For version v3, verify that the security model aligns with the expected value.
+            if group.version == "v3" and (actual_auth := group_details.get("secModel")) != group.authentication:
+                self.result.is_failure(f"{group} - Incorrect security model - Expected: {group.authentication}, Actual: {actual_auth}")
diff --git a/examples/tests.yaml b/examples/tests.yaml
@@ -770,6 +770,20 @@ anta.tests.snmp:
       # Verifies the SNMP error counters.
       error_counters:
         - inVersionErrs
+  - VerifySnmpGroup:
+      # Verifies the SNMP group configurations for specified version(s).
+      snmp_groups:
+        - group_name: Group1
+          version: v1
+          read_view: group_read_1
+          write_view: group_write_1
+          notify_view: group_notify_1
+        - group_name: Group2
+          version: v3
+          read_view: group_read_2
+          write_view: group_write_2
+          notify_view: group_notify_2
+          authentication: priv
   - VerifySnmpHostLogging:
       # Verifies SNMP logging configurations.
       hosts: