[docker-macsec]: MACsec CLI Plugin (#9390)

#### Why I did it To provide MACsec config and show CLI for manipulating MACsec #### How I did it Add `config macsec` and `show macsec`. #### How to verify it This PR includes unittest for MACsec CLI, check Azp status. - Add MACsec profile ``` admin@sonic:~$ sudo config macsec profile add --help Usage: config macsec profile add [OPTIONS] <profile_name> Add MACsec profile Options: --priority <priority> For Key server election. In 0-255 range with 0 being the highest priority. [default: 255] --cipher_suite <cipher_suite> The cipher suite for MACsec. [default: GCM- AES-128] --primary_cak <primary_cak> Primary Connectivity Association Key. [required] --primary_ckn <primary_cak> Primary CAK Name. [required] --policy <policy> MACsec policy. INTEGRITY_ONLY: All traffic, except EAPOL, will be converted to MACsec packets without encryption. SECURITY: All traffic, except EAPOL, will be encrypted by SecY. [default: security] --enable_replay_protect / --disable_replay_protect Whether enable replay protect. [default: False] --replay_window <enable_replay_protect> Replay window size that is the number of packets that could be out of order. This field works only if ENABLE_REPLAY_PROTECT is true. [default: 0] --send_sci / --no_send_sci Send SCI in SecTAG field of MACsec header. [default: True] --rekey_period <rekey_period> The period of proactively refresh (Unit second). [default: 0] -?, -h, --help Show this message and exit. ``` - Delete MACsec profile ``` admin@sonic:~$ sudo config macsec profile del --help Usage: config macsec profile del [OPTIONS] <profile_name> Delete MACsec profile Options: -?, -h, --help Show this message and exit. ``` - Enable MACsec on the port ``` admin@sonic:~$ sudo config macsec port add --help Usage: config macsec port add [OPTIONS] <port_name> <profile_name> Add MACsec port Options: -?, -h, --help Show this message and exit. ``` - Disable MACsec on the port ``` admin@sonic:~$ sudo config macsec port del --help Usage: config macsec port del [OPTIONS] <port_name> Delete MACsec port Options: -?, -h, --help Show this message and exit. ``` Show MACsec ``` MACsec port(Ethernet0) --------------------- ----------- cipher_suite GCM-AES-256 enable true enable_encrypt true enable_protect true enable_replay_protect false replay_window 0 send_sci true --------------------- ----------- MACsec Egress SC (5254008f4f1c0001) ----------- - encoding_an 2 ----------- - MACsec Egress SA (1) ------------------------------------- ---------------------------------------------------------------- auth_key 849B69D363E2B0AA154BEBBD7C1D9487 next_pn 1 sak AE8C9BB36EA44B60375E84BC8E778596289E79240FDFA6D7BA33D3518E705A5E salt 000000000000000000000000 ssci 0 SAI_MACSEC_SA_ATTR_CURRENT_XPN 179 SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED 0 SAI_MACSEC_SA_STAT_OCTETS_PROTECTED 0 SAI_MACSEC_SA_STAT_OUT_PKTS_ENCRYPTED 0 SAI_MACSEC_SA_STAT_OUT_PKTS_PROTECTED 0 ------------------------------------- ---------------------------------------------------------------- MACsec Egress SA (2) ------------------------------------- ---------------------------------------------------------------- auth_key 5A8B8912139551D3678B43DD0F10FFA5 next_pn 1 sak 7F2651140F12C434F782EF9AD7791EE2CFE2BF315A568A48785E35FC803C9DB6 salt 000000000000000000000000 ssci 0 SAI_MACSEC_SA_ATTR_CURRENT_XPN 87185 SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED 0 SAI_MACSEC_SA_STAT_OCTETS_PROTECTED 0 SAI_MACSEC_SA_STAT_OUT_PKTS_ENCRYPTED 0 SAI_MACSEC_SA_STAT_OUT_PKTS_PROTECTED 0 ------------------------------------- ---------------------------------------------------------------- MACsec Ingress SC (525400edac5b0001) MACsec Ingress SA (1) --------------------------------------- ---------------------------------------------------------------- active true auth_key 849B69D363E2B0AA154BEBBD7C1D9487 lowest_acceptable_pn 1 sak AE8C9BB36EA44B60375E84BC8E778596289E79240FDFA6D7BA33D3518E705A5E salt 000000000000000000000000 ssci 0 SAI_MACSEC_SA_ATTR_CURRENT_XPN 103 SAI_MACSEC_SA_STAT_IN_PKTS_DELAYED 0 SAI_MACSEC_SA_STAT_IN_PKTS_INVALID 0 SAI_MACSEC_SA_STAT_IN_PKTS_LATE 0 SAI_MACSEC_SA_STAT_IN_PKTS_NOT_USING_SA 0 SAI_MACSEC_SA_STAT_IN_PKTS_NOT_VALID 0 SAI_MACSEC_SA_STAT_IN_PKTS_OK 0 SAI_MACSEC_SA_STAT_IN_PKTS_UNCHECKED 0 SAI_MACSEC_SA_STAT_IN_PKTS_UNUSED_SA 0 SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED 0 SAI_MACSEC_SA_STAT_OCTETS_PROTECTED 0 --------------------------------------- ---------------------------------------------------------------- MACsec Ingress SA (2) --------------------------------------- ---------------------------------------------------------------- active true auth_key 5A8B8912139551D3678B43DD0F10FFA5 lowest_acceptable_pn 1 sak 7F2651140F12C434F782EF9AD7791EE2CFE2BF315A568A48785E35FC803C9DB6 salt 000000000000000000000000 ssci 0 SAI_MACSEC_SA_ATTR_CURRENT_XPN 91824 SAI_MACSEC_SA_STAT_IN_PKTS_DELAYED 0 SAI_MACSEC_SA_STAT_IN_PKTS_INVALID 0 SAI_MACSEC_SA_STAT_IN_PKTS_LATE 0 SAI_MACSEC_SA_STAT_IN_PKTS_NOT_USING_SA 0 SAI_MACSEC_SA_STAT_IN_PKTS_NOT_VALID 0 SAI_MACSEC_SA_STAT_IN_PKTS_OK 0 SAI_MACSEC_SA_STAT_IN_PKTS_UNCHECKED 0 SAI_MACSEC_SA_STAT_IN_PKTS_UNUSED_SA 0 SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED 0 SAI_MACSEC_SA_STAT_OCTETS_PROTECTED 0 --------------------------------------- ---------------------------------------------------------------- MACsec port(Ethernet1) --------------------- ----------- cipher_suite GCM-AES-256 enable true enable_encrypt true enable_protect true enable_replay_protect false replay_window 0 send_sci true --------------------- ----------- MACsec Egress SC (5254008f4f1c0001) ----------- - encoding_an 1 ----------- - MACsec Egress SA (1) ------------------------------------- ---------------------------------------------------------------- auth_key 35FC8F2C81BCA28A95845A4D2A1EE6EF next_pn 1 sak 1EC8572B75A840BA6B3833DC550C620D2C65BBDDAD372D27A1DFEB0CD786671B salt 000000000000000000000000 ssci 0 SAI_MACSEC_SA_ATTR_CURRENT_XPN 4809 SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED 0 SAI_MACSEC_SA_STAT_OCTETS_PROTECTED 0 SAI_MACSEC_SA_STAT_OUT_PKTS_ENCRYPTED 0 SAI_MACSEC_SA_STAT_OUT_PKTS_PROTECTED 0 ------------------------------------- ---------------------------------------------------------------- MACsec Ingress SC (525400edac5b0001) MACsec Ingress SA (1) --------------------------------------- ---------------------------------------------------------------- active true auth_key 35FC8F2C81BCA28A95845A4D2A1EE6EF lowest_acceptable_pn 1 sak 1EC8572B75A840BA6B3833DC550C620D2C65BBDDAD372D27A1DFEB0CD786671B salt 000000000000000000000000 ssci 0 SAI_MACSEC_SA_ATTR_CURRENT_XPN 5033 SAI_MACSEC_SA_STAT_IN_PKTS_DELAYED 0 SAI_MACSEC_SA_STAT_IN_PKTS_INVALID 0 SAI_MACSEC_SA_STAT_IN_PKTS_LATE 0 SAI_MACSEC_SA_STAT_IN_PKTS_NOT_USING_SA 0 SAI_MACSEC_SA_STAT_IN_PKTS_NOT_VALID 0 SAI_MACSEC_SA_STAT_IN_PKTS_OK 0 SAI_MACSEC_SA_STAT_IN_PKTS_UNCHECKED 0 SAI_MACSEC_SA_STAT_IN_PKTS_UNUSED_SA 0 SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED 0 SAI_MACSEC_SA_STAT_OCTETS_PROTECTED 0 --------------------------------------- ---------------------------------------------------------------- ```
sonic-net · May 19, 2022 · 910e1c6 · 910e1c6
1 parent 0cc9fdc
commit 910e1c6
Show file tree

Hide file tree

Showing 12 changed files with 57,919 additions and 8 deletions.
diff --git a/Makefile.work b/Makefile.work
@@ -354,6 +354,7 @@ SONIC_BUILD_INSTRUCTION :=  make \
                            SONIC_CONFIG_USE_NATIVE_DOCKERD_FOR_BUILD=$(SONIC_CONFIG_USE_NATIVE_DOCKERD_FOR_BUILD) \
                            SONIC_INCLUDE_SYSTEM_TELEMETRY=$(INCLUDE_SYSTEM_TELEMETRY) \
                            INCLUDE_DHCP_RELAY=$(INCLUDE_DHCP_RELAY) \
+                           INCLUDE_MACSEC=$(INCLUDE_MACSEC) \
                            SONIC_INCLUDE_RESTAPI=$(INCLUDE_RESTAPI) \
                            SONIC_INCLUDE_MUX=$(INCLUDE_MUX) \
                            TELEMETRY_WRITABLE=$(TELEMETRY_WRITABLE) \

diff --git a/dockers/docker-macsec/Dockerfile.j2 b/dockers/docker-macsec/Dockerfile.j2
@@ -27,5 +27,6 @@ COPY ["supervisord.conf", "/etc/supervisor/conf.d/"]
 COPY ["files/supervisor-proc-exit-listener", "/usr/bin"]
 COPY ["critical_processes", "/etc/supervisor"]
 COPY ["etc/wpa_supplicant.conf", "/etc/wpa_supplicant.conf"]
+COPY ["cli", "/cli/"]
 
 ENTRYPOINT ["/usr/local/bin/supervisord"]
diff --git a/dockers/docker-macsec/cli-plugin-tests/appl_db.json b/dockers/docker-macsec/cli-plugin-tests/appl_db.json
@@ -0,0 +1,247 @@
+{
+  "MACSEC_EGRESS_SA_TABLE:Ethernet1:5254008f4f1c0001:1": {
+    "type": "hash",
+    "value": {
+      "sak": "1EC8572B75A840BA6B3833DC550C620D2C65BBDDAD372D27A1DFEB0CD786671B",
+      "auth_key": "35FC8F2C81BCA28A95845A4D2A1EE6EF",
+      "next_pn": "1",
+      "ssci": "0",
+      "salt": "000000000000000000000000"
+    },
+    "ttl": -0.001,
+    "expireat": 1651807960.2301455
+  },
+  "MACSEC_PORT_TABLE:Ethernet5": {
+    "type": "hash",
+    "value": {
+      "enable": "true",
+      "cipher_suite": "GCM-AES-256",
+      "send_sci": "true",
+      "enable_protect": "true",
+      "enable_encrypt": "true",
+      "enable_replay_protect": "false",
+      "replay_window": "0"
+    },
+    "ttl": -0.001,
+    "expireat": 1651807960.2302043
+  },
+  "MACSEC_EGRESS_SC_TABLE:Ethernet1:5254008f4f1c0001": {
+    "type": "hash",
+    "value": {
+      "encoding_an": "1"
+    },
+    "ttl": -0.001,
+    "expireat": 1651807960.2302194
+  },
+  "MACSEC_INGRESS_SA_TABLE:Ethernet1:525400edac5b0001:1": {
+    "type": "hash",
+    "value": {
+      "active": "true",
+      "sak": "1EC8572B75A840BA6B3833DC550C620D2C65BBDDAD372D27A1DFEB0CD786671B",
+      "auth_key": "35FC8F2C81BCA28A95845A4D2A1EE6EF",
+      "lowest_acceptable_pn": "1",
+      "ssci": "0",
+      "salt": "000000000000000000000000"
+    },
+    "ttl": -0.001,
+    "expireat": 1651807960.2302353
+  },
+  "MACSEC_INGRESS_SC_TABLE:Ethernet1:525400edac5b0001": {
+    "type": "hash",
+    "value": {
+      "Null": "Null"
+    },
+    "ttl": -0.001,
+    "expireat": 1651807960.2302475
+  },
+  "MACSEC_INGRESS_SC_TABLE:Ethernet0:525400edac5b0001": {
+    "type": "hash",
+    "value": {
+      "Null": "Null"
+    },
+    "ttl": -0.001,
+    "expireat": 1651807960.230258
+  },
+  "MACSEC_EGRESS_SA_TABLE:Ethernet5:5254008f4f1c0001:2": {
+    "type": "hash",
+    "value": {
+      "sak": "3BEBB5BB2539D7231EB95F312B843966180B6C941750B9F1A08AF71BA4508599",
+      "auth_key": "7C59E0CD393A3BA36B8DDC4C663A11FC",
+      "next_pn": "1",
+      "ssci": "0",
+      "salt": "000000000000000000000000"
+    },
+    "ttl": -0.001,
+    "expireat": 1651807960.2302718
+  },
+  "MACSEC_INGRESS_SA_TABLE:Ethernet0:525400edac5b0001:2": {
+    "type": "hash",
+    "value": {
+      "active": "true",
+      "sak": "7F2651140F12C434F782EF9AD7791EE2CFE2BF315A568A48785E35FC803C9DB6",
+      "auth_key": "5A8B8912139551D3678B43DD0F10FFA5",
+      "lowest_acceptable_pn": "1",
+      "ssci": "0",
+      "salt": "000000000000000000000000"
+    },
+    "ttl": -0.001,
+    "expireat": 1651807960.230298
+  },
+  "MACSEC_EGRESS_SC_TABLE:Ethernet5:5254008f4f1c0001": {
+    "type": "hash",
+    "value": {
+      "encoding_an": "2"
+    },
+    "ttl": -0.001,
+    "expireat": 1651807960.2303102
+  },
+  "MACSEC_PORT_TABLE:Ethernet0": {
+    "type": "hash",
+    "value": {
+      "enable": "true",
+      "cipher_suite": "GCM-AES-256",
+      "send_sci": "true",
+      "enable_protect": "true",
+      "enable_encrypt": "true",
+      "enable_replay_protect": "false",
+      "replay_window": "0"
+    },
+    "ttl": -0.001,
+    "expireat": 1651807960.23036
+  },
+  "MACSEC_INGRESS_SA_TABLE:Ethernet5:5254002003660001:2": {
+    "type": "hash",
+    "value": {
+      "active": "true",
+      "sak": "3BEBB5BB2539D7231EB95F312B843966180B6C941750B9F1A08AF71BA4508599",
+      "auth_key": "7C59E0CD393A3BA36B8DDC4C663A11FC",
+      "lowest_acceptable_pn": "1",
+      "ssci": "0",
+      "salt": "000000000000000000000000"
+    },
+    "ttl": -0.001,
+    "expireat": 1651807960.2304032
+  },
+  "MACSEC_PORT_TABLE:Ethernet4": {
+    "type": "hash",
+    "value": {
+      "enable": "true",
+      "cipher_suite": "GCM-AES-256",
+      "send_sci": "true",
+      "enable_protect": "true",
+      "enable_encrypt": "true",
+      "enable_replay_protect": "false",
+      "replay_window": "0"
+    },
+    "ttl": -0.001,
+    "expireat": 1651807960.2304454
+  },
+  "MACSEC_EGRESS_SA_TABLE:Ethernet4:5254008f4f1c0001:1": {
+    "type": "hash",
+    "value": {
+      "sak": "234128B1F6A679E02759D521C1FF448D5CE47B2E691852281EE8E34690B348DD",
+      "auth_key": "575FC253C395DFC3E1EE42C3DB665913",
+      "next_pn": "1",
+      "ssci": "0",
+      "salt": "000000000000000000000000"
+    },
+    "ttl": -0.001,
+    "expireat": 1651807960.2304764
+  },
+  "MACSEC_INGRESS_SA_TABLE:Ethernet0:525400edac5b0001:1": {
+    "type": "hash",
+    "value": {
+      "active": "true",
+      "sak": "AE8C9BB36EA44B60375E84BC8E778596289E79240FDFA6D7BA33D3518E705A5E",
+      "auth_key": "849B69D363E2B0AA154BEBBD7C1D9487",
+      "lowest_acceptable_pn": "1",
+      "ssci": "0",
+      "salt": "000000000000000000000000"
+    },
+    "ttl": -0.001,
+    "expireat": 1651807960.230506
+  },
+  "MACSEC_EGRESS_SC_TABLE:Ethernet0:5254008f4f1c0001": {
+    "type": "hash",
+    "value": {
+      "encoding_an": "2"
+    },
+    "ttl": -0.001,
+    "expireat": 1651807960.2305164
+  },
+  "MACSEC_INGRESS_SA_TABLE:Ethernet4:5254002003660001:1": {
+    "type": "hash",
+    "value": {
+      "active": "true",
+      "sak": "234128B1F6A679E02759D521C1FF448D5CE47B2E691852281EE8E34690B348DD",
+      "auth_key": "575FC253C395DFC3E1EE42C3DB665913",
+      "lowest_acceptable_pn": "1",
+      "ssci": "0",
+      "salt": "000000000000000000000000"
+    },
+    "ttl": -0.001,
+    "expireat": 1651807960.2305293
+  },
+  "MACSEC_EGRESS_SA_TABLE:Ethernet0:5254008f4f1c0001:2": {
+    "type": "hash",
+    "value": {
+      "sak": "7F2651140F12C434F782EF9AD7791EE2CFE2BF315A568A48785E35FC803C9DB6",
+      "auth_key": "5A8B8912139551D3678B43DD0F10FFA5",
+      "next_pn": "1",
+      "ssci": "0",
+      "salt": "000000000000000000000000"
+    },
+    "ttl": -0.001,
+    "expireat": 1651807960.2305422
+  },
+  "MACSEC_INGRESS_SC_TABLE:Ethernet5:5254002003660001": {
+    "type": "hash",
+    "value": {
+      "Null": "Null"
+    },
+    "ttl": -0.001,
+    "expireat": 1651807960.2305527
+  },
+  "MACSEC_INGRESS_SC_TABLE:Ethernet4:5254002003660001": {
+    "type": "hash",
+    "value": {
+      "Null": "Null"
+    },
+    "ttl": -0.001,
+    "expireat": 1651807960.2305627
+  },
+  "MACSEC_PORT_TABLE:Ethernet1": {
+    "type": "hash",
+    "value": {
+      "enable": "true",
+      "cipher_suite": "GCM-AES-256",
+      "send_sci": "true",
+      "enable_protect": "true",
+      "enable_encrypt": "true",
+      "enable_replay_protect": "false",
+      "replay_window": "0"
+    },
+    "ttl": -0.001,
+    "expireat": 1651807960.2305753
+  },
+  "MACSEC_EGRESS_SA_TABLE:Ethernet0:5254008f4f1c0001:1": {
+    "type": "hash",
+    "value": {
+      "sak": "AE8C9BB36EA44B60375E84BC8E778596289E79240FDFA6D7BA33D3518E705A5E",
+      "auth_key": "849B69D363E2B0AA154BEBBD7C1D9487",
+      "next_pn": "1",
+      "ssci": "0",
+      "salt": "000000000000000000000000"
+    },
+    "ttl": -0.001,
+    "expireat": 1651807960.2305882
+  },
+  "MACSEC_EGRESS_SC_TABLE:Ethernet4:5254008f4f1c0001": {
+    "type": "hash",
+    "value": {
+      "encoding_an": "1"
+    },
+    "ttl": -0.001,
+    "expireat": 1651807960.2305987
+  }
+}
diff --git a/dockers/docker-macsec/cli-plugin-tests/conftest.py b/dockers/docker-macsec/cli-plugin-tests/conftest.py
@@ -0,0 +1,33 @@
+import pytest
+import mock_tables # lgtm [py/unused-import]
+from unittest import mock
+
+
+@pytest.fixture()
+def mock_cfgdb():
+    cfgdb = mock.Mock()
+    CONFIG = {
+        'PORT': {
+            'Ethernet0': {
+            }
+        }
+    }
+
+    def get_entry(table, key):
+        if table not in CONFIG or key not in CONFIG[table]:
+            return {}
+        return CONFIG[table][key]
+
+    def set_entry(table, key, data):
+        CONFIG.setdefault(table, {})
+        CONFIG[table].setdefault(key, {})
+        CONFIG[table][key] = data
+
+    def get_keys(table):
+        return CONFIG[table].keys()
+
+    cfgdb.get_entry = mock.Mock(side_effect=get_entry)
+    cfgdb.set_entry = mock.Mock(side_effect=set_entry)
+    cfgdb.get_keys = mock.Mock(side_effect=get_keys)
+
+    yield cfgdb