910e1c6eb4
#### Why I did it
To provide MACsec config and show CLI for manipulating MACsec
#### How I did it
Add `config macsec` and `show macsec`.
#### How to verify it
This PR includes unittest for MACsec CLI, check Azp status.
- Add MACsec profile
```
admin@sonic:~$ sudo config macsec profile add --help
Usage: config macsec profile add [OPTIONS] <profile_name>
Add MACsec profile
Options:
--priority <priority> For Key server election. In 0-255 range with
0 being the highest priority. [default:
255]
--cipher_suite <cipher_suite> The cipher suite for MACsec. [default: GCM-
AES-128]
--primary_cak <primary_cak> Primary Connectivity Association Key.
[required]
--primary_ckn <primary_cak> Primary CAK Name. [required]
--policy <policy> MACsec policy. INTEGRITY_ONLY: All traffic,
except EAPOL, will be converted to MACsec
packets without encryption. SECURITY: All
traffic, except EAPOL, will be encrypted by
SecY. [default: security]
--enable_replay_protect / --disable_replay_protect
Whether enable replay protect. [default:
False]
--replay_window <enable_replay_protect>
Replay window size that is the number of
packets that could be out of order. This
field works only if ENABLE_REPLAY_PROTECT is
true. [default: 0]
--send_sci / --no_send_sci Send SCI in SecTAG field of MACsec header.
[default: True]
--rekey_period <rekey_period> The period of proactively refresh (Unit
second). [default: 0]
-?, -h, --help Show this message and exit.
```
- Delete MACsec profile
```
admin@sonic:~$ sudo config macsec profile del --help
Usage: config macsec profile del [OPTIONS] <profile_name>
Delete MACsec profile
Options:
-?, -h, --help Show this message and exit.
```
- Enable MACsec on the port
```
admin@sonic:~$ sudo config macsec port add --help
Usage: config macsec port add [OPTIONS] <port_name> <profile_name>
Add MACsec port
Options:
-?, -h, --help Show this message and exit.
```
- Disable MACsec on the port
```
admin@sonic:~$ sudo config macsec port del --help
Usage: config macsec port del [OPTIONS] <port_name>
Delete MACsec port
Options:
-?, -h, --help Show this message and exit.
```
Show MACsec
```
MACsec port(Ethernet0)
--------------------- -----------
cipher_suite GCM-AES-256
enable true
enable_encrypt true
enable_protect true
enable_replay_protect false
replay_window 0
send_sci true
--------------------- -----------
MACsec Egress SC (5254008f4f1c0001)
----------- -
encoding_an 2
----------- -
MACsec Egress SA (1)
------------------------------------- ----------------------------------------------------------------
auth_key 849B69D363E2B0AA154BEBBD7C1D9487
next_pn 1
sak AE8C9BB36EA44B60375E84BC8E778596289E79240FDFA6D7BA33D3518E705A5E
salt 000000000000000000000000
ssci 0
SAI_MACSEC_SA_ATTR_CURRENT_XPN 179
SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED 0
SAI_MACSEC_SA_STAT_OCTETS_PROTECTED 0
SAI_MACSEC_SA_STAT_OUT_PKTS_ENCRYPTED 0
SAI_MACSEC_SA_STAT_OUT_PKTS_PROTECTED 0
------------------------------------- ----------------------------------------------------------------
MACsec Egress SA (2)
------------------------------------- ----------------------------------------------------------------
auth_key 5A8B8912139551D3678B43DD0F10FFA5
next_pn 1
sak 7F2651140F12C434F782EF9AD7791EE2CFE2BF315A568A48785E35FC803C9DB6
salt 000000000000000000000000
ssci 0
SAI_MACSEC_SA_ATTR_CURRENT_XPN 87185
SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED 0
SAI_MACSEC_SA_STAT_OCTETS_PROTECTED 0
SAI_MACSEC_SA_STAT_OUT_PKTS_ENCRYPTED 0
SAI_MACSEC_SA_STAT_OUT_PKTS_PROTECTED 0
------------------------------------- ----------------------------------------------------------------
MACsec Ingress SC (525400edac5b0001)
MACsec Ingress SA (1)
--------------------------------------- ----------------------------------------------------------------
active true
auth_key 849B69D363E2B0AA154BEBBD7C1D9487
lowest_acceptable_pn 1
sak AE8C9BB36EA44B60375E84BC8E778596289E79240FDFA6D7BA33D3518E705A5E
salt 000000000000000000000000
ssci 0
SAI_MACSEC_SA_ATTR_CURRENT_XPN 103
SAI_MACSEC_SA_STAT_IN_PKTS_DELAYED 0
SAI_MACSEC_SA_STAT_IN_PKTS_INVALID 0
SAI_MACSEC_SA_STAT_IN_PKTS_LATE 0
SAI_MACSEC_SA_STAT_IN_PKTS_NOT_USING_SA 0
SAI_MACSEC_SA_STAT_IN_PKTS_NOT_VALID 0
SAI_MACSEC_SA_STAT_IN_PKTS_OK 0
SAI_MACSEC_SA_STAT_IN_PKTS_UNCHECKED 0
SAI_MACSEC_SA_STAT_IN_PKTS_UNUSED_SA 0
SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED 0
SAI_MACSEC_SA_STAT_OCTETS_PROTECTED 0
--------------------------------------- ----------------------------------------------------------------
MACsec Ingress SA (2)
--------------------------------------- ----------------------------------------------------------------
active true
auth_key 5A8B8912139551D3678B43DD0F10FFA5
lowest_acceptable_pn 1
sak 7F2651140F12C434F782EF9AD7791EE2CFE2BF315A568A48785E35FC803C9DB6
salt 000000000000000000000000
ssci 0
SAI_MACSEC_SA_ATTR_CURRENT_XPN 91824
SAI_MACSEC_SA_STAT_IN_PKTS_DELAYED 0
SAI_MACSEC_SA_STAT_IN_PKTS_INVALID 0
SAI_MACSEC_SA_STAT_IN_PKTS_LATE 0
SAI_MACSEC_SA_STAT_IN_PKTS_NOT_USING_SA 0
SAI_MACSEC_SA_STAT_IN_PKTS_NOT_VALID 0
SAI_MACSEC_SA_STAT_IN_PKTS_OK 0
SAI_MACSEC_SA_STAT_IN_PKTS_UNCHECKED 0
SAI_MACSEC_SA_STAT_IN_PKTS_UNUSED_SA 0
SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED 0
SAI_MACSEC_SA_STAT_OCTETS_PROTECTED 0
--------------------------------------- ----------------------------------------------------------------
MACsec port(Ethernet1)
--------------------- -----------
cipher_suite GCM-AES-256
enable true
enable_encrypt true
enable_protect true
enable_replay_protect false
replay_window 0
send_sci true
--------------------- -----------
MACsec Egress SC (5254008f4f1c0001)
----------- -
encoding_an 1
----------- -
MACsec Egress SA (1)
------------------------------------- ----------------------------------------------------------------
auth_key 35FC8F2C81BCA28A95845A4D2A1EE6EF
next_pn 1
sak 1EC8572B75A840BA6B3833DC550C620D2C65BBDDAD372D27A1DFEB0CD786671B
salt 000000000000000000000000
ssci 0
SAI_MACSEC_SA_ATTR_CURRENT_XPN 4809
SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED 0
SAI_MACSEC_SA_STAT_OCTETS_PROTECTED 0
SAI_MACSEC_SA_STAT_OUT_PKTS_ENCRYPTED 0
SAI_MACSEC_SA_STAT_OUT_PKTS_PROTECTED 0
------------------------------------- ----------------------------------------------------------------
MACsec Ingress SC (525400edac5b0001)
MACsec Ingress SA (1)
--------------------------------------- ----------------------------------------------------------------
active true
auth_key 35FC8F2C81BCA28A95845A4D2A1EE6EF
lowest_acceptable_pn 1
sak 1EC8572B75A840BA6B3833DC550C620D2C65BBDDAD372D27A1DFEB0CD786671B
salt 000000000000000000000000
ssci 0
SAI_MACSEC_SA_ATTR_CURRENT_XPN 5033
SAI_MACSEC_SA_STAT_IN_PKTS_DELAYED 0
SAI_MACSEC_SA_STAT_IN_PKTS_INVALID 0
SAI_MACSEC_SA_STAT_IN_PKTS_LATE 0
SAI_MACSEC_SA_STAT_IN_PKTS_NOT_USING_SA 0
SAI_MACSEC_SA_STAT_IN_PKTS_NOT_VALID 0
SAI_MACSEC_SA_STAT_IN_PKTS_OK 0
SAI_MACSEC_SA_STAT_IN_PKTS_UNCHECKED 0
SAI_MACSEC_SA_STAT_IN_PKTS_UNUSED_SA 0
SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED 0
SAI_MACSEC_SA_STAT_OCTETS_PROTECTED 0
--------------------------------------- ----------------------------------------------------------------
```
147 lines
7.1 KiB
Python
147 lines
7.1 KiB
Python
import sys
|
|
|
|
from unittest import mock
|
|
from click.testing import CliRunner
|
|
from utilities_common.db import Db
|
|
|
|
sys.path.append('../cli/config/plugins/')
|
|
import macsec
|
|
|
|
|
|
profile_name = "test"
|
|
primary_cak = "01234567890123456789012345678912"
|
|
primary_ckn = "01234567890123456789012345678912"
|
|
|
|
|
|
class TestConfigMACsec(object):
|
|
def test_plugin_registration(self):
|
|
cli = mock.MagicMock()
|
|
macsec.register(cli)
|
|
cli.add_command.assert_called_once_with(macsec.macsec)
|
|
|
|
def test_default_profile(self, mock_cfgdb):
|
|
runner = CliRunner()
|
|
db = Db()
|
|
db.cfgdb = mock_cfgdb
|
|
result = runner.invoke(macsec.macsec.commands["profile"].commands["add"],
|
|
[profile_name, "--primary_cak=" + primary_cak,"--primary_ckn=" + primary_ckn],
|
|
obj=db)
|
|
assert result.exit_code == 0
|
|
profile_table = db.cfgdb.get_entry("MACSEC_PROFILE", profile_name)
|
|
assert profile_table
|
|
assert profile_table["priority"] == "255"
|
|
assert profile_table["cipher_suite"] == "GCM-AES-128"
|
|
assert profile_table["primary_cak"] == primary_cak
|
|
assert profile_table["primary_ckn"] == primary_ckn
|
|
assert profile_table["policy"] == "security"
|
|
assert "enable_replay_protect" not in profile_table
|
|
assert "replay_window" not in profile_table
|
|
assert profile_table["send_sci"] == "true"
|
|
assert "rekey_period" not in profile_table
|
|
|
|
result = runner.invoke(macsec.macsec.commands["profile"].commands["del"], [profile_name], obj=db)
|
|
assert result.exit_code == 0, "exit code: {}, Exception: {}, Traceback: {}".format(result.exit_code, result.exception, result.exc_info)
|
|
profile_table = db.cfgdb.get_entry("MACSEC_PROFILE", profile_name)
|
|
assert not profile_table
|
|
|
|
def test_macsec_valid_profile(self, mock_cfgdb):
|
|
runner = CliRunner()
|
|
db = Db()
|
|
db.cfgdb = mock_cfgdb
|
|
|
|
profile_name = "test"
|
|
profile_map = {
|
|
"primary_cak": "0123456789012345678901234567891201234567890123456789012345678912",
|
|
"primary_ckn": "01234567890123456789012345678912",
|
|
"priority": 64,
|
|
"cipher_suite": "GCM-AES-XPN-256",
|
|
"policy": "integrity_only",
|
|
"enable_replay_protect": None,
|
|
"replay_window": 100,
|
|
"no_send_sci": None,
|
|
"rekey_period": 30 * 60,
|
|
}
|
|
options = [profile_name]
|
|
for k, v in profile_map.items():
|
|
options.append("--" + k)
|
|
if v is not None:
|
|
options[-1] += "=" + str(v)
|
|
|
|
result = runner.invoke(macsec.macsec.commands["profile"].commands["add"], options, obj=db)
|
|
assert result.exit_code == 0, "exit code: {}, Exception: {}, Traceback: {}".format(result.exit_code, result.exception, result.exc_info)
|
|
profile_table = db.cfgdb.get_entry("MACSEC_PROFILE", profile_name)
|
|
assert profile_table
|
|
assert profile_table["priority"] == str(profile_map["priority"])
|
|
assert profile_table["cipher_suite"] == profile_map["cipher_suite"]
|
|
assert profile_table["primary_cak"] == profile_map["primary_cak"]
|
|
assert profile_table["primary_ckn"] == profile_map["primary_ckn"]
|
|
assert profile_table["policy"] == profile_map["policy"]
|
|
if "enable_replay_protect" in profile_map:
|
|
assert "enable_replay_protect" in profile_table and profile_table["enable_replay_protect"] == "true"
|
|
assert profile_table["replay_window"] == str(profile_map["replay_window"])
|
|
if "send_sci" in profile_map:
|
|
assert profile_table["send_sci"] == "true"
|
|
if "no_send_sci" in profile_map:
|
|
assert profile_table["send_sci"] == "false"
|
|
if "rekey_period" in profile_map:
|
|
assert profile_table["rekey_period"] == str(profile_map["rekey_period"])
|
|
|
|
def test_macsec_invalid_profile(self, mock_cfgdb):
|
|
runner = CliRunner()
|
|
db = Db()
|
|
db.cfgdb = mock_cfgdb
|
|
|
|
# Loss primary cak and primary ckn
|
|
result = runner.invoke(macsec.macsec.commands["profile"].commands["add"], ["test"], obj=db)
|
|
assert result.exit_code != 0
|
|
|
|
# Invalid primary cak
|
|
result = runner.invoke(macsec.macsec.commands["profile"].commands["add"], ["test", "--primary_cak=abcdfghjk90123456789012345678912","--primary_ckn=01234567890123456789012345678912", "--cipher_suite=GCM-AES-128"], obj=db)
|
|
assert result.exit_code != 0
|
|
|
|
# Invalid primary cak length
|
|
result = runner.invoke(macsec.macsec.commands["profile"].commands["add"], ["test", "--primary_cak=01234567890123456789012345678912","--primary_ckn=01234567890123456789012345678912", "--cipher_suite=GCM-AES-256"], obj=db)
|
|
assert result.exit_code != 0
|
|
|
|
|
|
def test_macsec_port(self, mock_cfgdb):
|
|
runner = CliRunner()
|
|
db = Db()
|
|
db.cfgdb = mock_cfgdb
|
|
|
|
result = runner.invoke(macsec.macsec.commands["profile"].commands["add"], ["test", "--primary_cak=01234567890123456789012345678912","--primary_ckn=01234567890123456789012345678912"], obj=db)
|
|
assert result.exit_code == 0, "exit code: {}, Exception: {}, Traceback: {}".format(result.exit_code, result.exception, result.exc_info)
|
|
result = runner.invoke(macsec.macsec.commands["port"].commands["add"], ["Ethernet0", "test"], obj=db)
|
|
assert result.exit_code == 0, "exit code: {}, Exception: {}, Traceback: {}".format(result.exit_code, result.exception, result.exc_info)
|
|
port_table = db.cfgdb.get_entry("PORT", "Ethernet0")
|
|
assert port_table
|
|
assert port_table["macsec"] == "test"
|
|
|
|
result = runner.invoke(macsec.macsec.commands["profile"].commands["del"], ["test"], obj=db)
|
|
assert result.exit_code != 0
|
|
|
|
result = runner.invoke(macsec.macsec.commands["port"].commands["del"], ["Ethernet0"], obj=db)
|
|
assert result.exit_code == 0, "exit code: {}, Exception: {}, Traceback: {}".format(result.exit_code, result.exception, result.exc_info)
|
|
port_table = db.cfgdb.get_entry("PORT", "Ethernet0")
|
|
assert not port_table["macsec"]
|
|
|
|
|
|
def test_macsec_invalid_operation(self, mock_cfgdb):
|
|
runner = CliRunner()
|
|
db = Db()
|
|
db.cfgdb = mock_cfgdb
|
|
|
|
# Enable nonexisted profile
|
|
result = runner.invoke(macsec.macsec.commands["port"].commands["add"], ["Ethernet0", "test"], obj=db)
|
|
assert result.exit_code != 0
|
|
|
|
# Delete nonexisted profile
|
|
result = runner.invoke(macsec.macsec.commands["profile"].commands["del"], ["test"], obj=db)
|
|
assert result.exit_code != 0
|
|
|
|
result = runner.invoke(macsec.macsec.commands["profile"].commands["add"], ["test", "--primary_cak=01234567890123456789012345678912","--primary_ckn=01234567890123456789012345678912"], obj=db)
|
|
assert result.exit_code == 0, "exit code: {}, Exception: {}, Traceback: {}".format(result.exit_code, result.exception, result.exc_info)
|
|
# Repeat add profile
|
|
result = runner.invoke(macsec.macsec.commands["profile"].commands["add"], ["test", "--primary_cak=01234567890123456789012345678912","--primary_ckn=01234567890123456789012345678912"], obj=db)
|
|
assert result.exit_code != 0
|