summaryrefslogtreecommitdiff
path: root/smoketest/scripts/cli/test_interfaces_macsec.py
diff options
context:
space:
mode:
authorMarcus Hoff <marcus.hoff@ring2.dk>2020-09-05 09:58:03 +0200
committerMarcus Hoff <marcus.hoff@ring2.dk>2020-09-05 09:58:03 +0200
commit46fb580fa0131f6815bbcfc95631654f6fe999a8 (patch)
tree73ae9fcaa97d5cfab7883bc6fbf3ea036677c2a3 /smoketest/scripts/cli/test_interfaces_macsec.py
parent0377b8e40b0d3e424da11194e97659c5066c0a1d (diff)
parentb6b61bc9ecf1328e67a0c15934f8bf3966a6b66d (diff)
downloadvyos-1x-46fb580fa0131f6815bbcfc95631654f6fe999a8.tar.gz
vyos-1x-46fb580fa0131f6815bbcfc95631654f6fe999a8.zip
Merge remote-tracking branch 'upstream/current' into current
Diffstat (limited to 'smoketest/scripts/cli/test_interfaces_macsec.py')
-rwxr-xr-xsmoketest/scripts/cli/test_interfaces_macsec.py102
1 files changed, 102 insertions, 0 deletions
diff --git a/smoketest/scripts/cli/test_interfaces_macsec.py b/smoketest/scripts/cli/test_interfaces_macsec.py
new file mode 100755
index 000000000..0f1b6486d
--- /dev/null
+++ b/smoketest/scripts/cli/test_interfaces_macsec.py
@@ -0,0 +1,102 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2020 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import re
+import unittest
+from psutil import process_iter
+
+from vyos.ifconfig import Section
+from base_interfaces_test import BasicInterfaceTest
+from vyos.configsession import ConfigSessionError
+from vyos.util import read_file
+
+def get_config_value(intf, key):
+ tmp = read_file(f'/run/wpa_supplicant/{intf}.conf')
+ tmp = re.findall(r'\n?{}=(.*)'.format(key), tmp)
+ return tmp[0]
+
+class MACsecInterfaceTest(BasicInterfaceTest.BaseTest):
+ def setUp(self):
+ super().setUp()
+ self._base_path = ['interfaces', 'macsec']
+ self._options = {
+ 'macsec0': ['source-interface eth0',
+ 'security cipher gcm-aes-128']
+ }
+
+ # if we have a physical eth1 interface, add a second macsec instance
+ if 'eth1' in Section.interfaces("ethernet"):
+ macsec = { 'macsec1': ['source-interface eth1', 'security cipher gcm-aes-128'] }
+ self._options.update(macsec)
+
+ self._interfaces = list(self._options)
+
+ def test_encryption(self):
+ """ MACsec can be operating in authentication and encryption
+ mode - both using different mandatory settings, lets test
+ encryption as the basic authentication test has been performed
+ using the base class tests """
+ intf = 'macsec0'
+ src_intf = 'eth0'
+ mak_cak = '232e44b7fda6f8e2d88a07bf78a7aff4'
+ mak_ckn = '40916f4b23e3d548ad27eedd2d10c6f98c2d21684699647d63d41b500dfe8836'
+ replay_window = '64'
+ self.session.set(self._base_path + [intf, 'security', 'encrypt'])
+
+ # check validate() - Cipher suite must be set for MACsec
+ with self.assertRaises(ConfigSessionError):
+ self.session.commit()
+ self.session.set(self._base_path + [intf, 'security', 'cipher', 'gcm-aes-128'])
+
+ # check validate() - Physical source interface must be set for MACsec
+ with self.assertRaises(ConfigSessionError):
+ self.session.commit()
+ self.session.set(self._base_path + [intf, 'source-interface', src_intf])
+
+ # check validate() - MACsec security keys mandartory when encryption is enabled
+ with self.assertRaises(ConfigSessionError):
+ self.session.commit()
+ self.session.set(self._base_path + [intf, 'security', 'mka', 'cak', mak_cak])
+
+ # check validate() - MACsec security keys mandartory when encryption is enabled
+ with self.assertRaises(ConfigSessionError):
+ self.session.commit()
+ self.session.set(self._base_path + [intf, 'security', 'mka', 'ckn', mak_ckn])
+
+ self.session.set(self._base_path + [intf, 'security', 'replay-window', replay_window])
+ self.session.commit()
+
+ tmp = get_config_value(src_intf, 'macsec_integ_only')
+ self.assertTrue("0" in tmp)
+
+ tmp = get_config_value(src_intf, 'mka_cak')
+ self.assertTrue(mak_cak in tmp)
+
+ tmp = get_config_value(src_intf, 'mka_ckn')
+ self.assertTrue(mak_ckn in tmp)
+
+ # check that the default priority of 255 is programmed
+ tmp = get_config_value(src_intf, 'mka_priority')
+ self.assertTrue("255" in tmp)
+
+ tmp = get_config_value(src_intf, 'macsec_replay_window')
+ self.assertTrue(replay_window in tmp)
+
+ # Check for running process
+ self.assertTrue("wpa_supplicant" in (p.name() for p in process_iter()))
+
+if __name__ == '__main__':
+ unittest.main()