SNMP: Add secret handling from custom_fields

[osfrickler]

Needed to properly decode vault encrypted values.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• Decrypting node_secrets in-place will mutate device.custom_fields['secrets'] for all subsequent users of the device object; consider deep-copying the secrets dict before calling deep_decrypt to avoid side effects.
• The SNMP user passwords now only read from custom_fields['secrets']; if there are existing deployments that still set _segment_snmp_server_userauthpass / _segment_snmp_server_userprivpass in config_context, consider falling back to those keys to preserve backward compatibility.
• You create a vault and decrypt secrets even when no SNMP user is configured; you could lazily initialize and decrypt only when username is set to reduce unnecessary work and potential errors when vault access is not needed.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Decrypting `node_secrets` in-place will mutate `device.custom_fields['secrets']` for all subsequent users of the `device` object; consider deep-copying the secrets dict before calling `deep_decrypt` to avoid side effects.
- The SNMP user passwords now only read from `custom_fields['secrets']`; if there are existing deployments that still set `_segment_snmp_server_userauthpass` / `_segment_snmp_server_userprivpass` in `config_context`, consider falling back to those keys to preserve backward compatibility.
- You create a vault and decrypt secrets even when no SNMP user is configured; you could lazily initialize and decrypt only when `username` is set to reduce unnecessary work and potential errors when vault access is not needed.

## Individual Comments

### Comment 1
<location path="osism/tasks/conductor/sonic/config_generator.py" line_range="2160-2163" />
<code_context>
     if username:
-        userauthpass = device.config_context.get(
-            "_segment_snmp_server_userauthpass", "OBFUSCATEDSECRET1"
+        userauthpass = node_secrets.get(
+            "_segment_snmp_server_userauthpass", "OBFUSCATEDAUTHSECRET"
         )
-        userprivpass = device.config_context.get(
-            "_segment_snmp_server_userprivpass", "OBFUSCATEDSECRET2"
+        userprivpass = node_secrets.get(
+            "_segment_snmp_server_userprivpass", "OBFUSCATEDPRIVSECRET"
         )
</code_context>
<issue_to_address>
**🚨 issue (security):** Using hard-coded default SNMP credentials when secrets are missing is risky and may lead to predictable credentials in production.

Right now, if those keys are missing in `node_secrets`, we silently fall back to `"OBFUSCATEDAUTHSECRET"` / `"OBFUSCATEDPRIVSECRET"`, creating fixed, guessable credentials when secrets are misconfigured. Instead, consider either not configuring the SNMP user when secrets are absent, failing fast with a clear error, or requiring explicit configuration rather than using built‑in defaults.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

🚨 issue (security): Using hard-coded default SNMP credentials when secrets are missing is risky and may lead to predictable credentials in production.

Right now, if those keys are missing in node_secrets, we silently fall back to "OBFUSCATEDAUTHSECRET" / "OBFUSCATEDPRIVSECRET", creating fixed, guessable credentials when secrets are misconfigured. Instead, consider either not configuring the SNMP user when secrets are absent, failing fast with a clear error, or requiring explicit configuration rather than using built‑in defaults.