Diffstat (limited to 'smoketest/scripts/cli/test_interfaces_macsec.py')
-rwxr-xr-xsmoketest/scripts/cli/test_interfaces_macsec.py109
1 files changed, 81 insertions, 28 deletions
diff --git a/smoketest/scripts/cli/test_interfaces_macsec.py b/smoketest/scripts/cli/test_interfaces_macsec.py
index f141cc6d3..ea0f00071 100755
--- a/smoketest/scripts/cli/test_interfaces_macsec.py
+++ b/smoketest/scripts/cli/test_interfaces_macsec.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2020-2022 VyOS maintainers and contributors
+# Copyright (C) 2020-2023 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -23,10 +23,10 @@ from netifaces import interfaces
from vyos.configsession import ConfigSessionError
from vyos.ifconfig import Section
-from vyos.util import cmd
-from vyos.util import read_file
-from vyos.util import get_interface_config
-from vyos.util import process_named_running
+from vyos.utils.process import cmd
+from vyos.utils.file import read_file
+from vyos.utils.network import get_interface_config
+from vyos.utils.process import process_named_running
PROCESS_NAME = 'wpa_supplicant'
@@ -42,9 +42,6 @@ def get_cipher(interface):
class MACsecInterfaceTest(BasicInterfaceTest.TestCase):
@classmethod
def setUpClass(cls):
- cls._test_dhcp = True
- cls._test_ip = True
- cls._test_ipv6 = True
cls._base_path = ['interfaces', 'macsec']
cls._options = { 'macsec0': ['source-interface eth0', 'security cipher gcm-aes-128'] }
@@ -142,15 +139,9 @@ class MACsecInterfaceTest(BasicInterfaceTest.TestCase):
# final commit and verify
self.cli_commit()
self.assertIn(interface, interfaces())
- self.assertIn(interface, interfaces())
- self.assertEqual(cipher, get_cipher(interface))
- # check that we use the new macsec_csindex option (T4537)
- tmp = get_config_value(src_interface, 'macsec_csindex')
- self.assertIn("0", tmp)
-
- # Check for running process
- self.assertTrue(process_named_running(PROCESS_NAME))
+ # Verify proper cipher suite (T4537)
+ self.assertEqual(cipher, get_cipher(interface))
def test_macsec_gcm_aes_256(self):
src_interface = 'eth0'
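Review bot: The final verification here no longer asserts that `wpa_supplicant` is running, so a regression where the interface comes up with the right cipher but the key-agreement daemon never starts would still pass. If this test configures MKA (its setup lies above the hunk and is not visible), keep `self.assertTrue(process_named_running(PROCESS_NAME))` after `self.cli_commit()`; the same removal appears in the hunks at `@@ -171,18` and `@@ -208,9`. If nothing in the file uses `process_named_running` or `PROCESS_NAME` any more, the import and the constant should be dropped as well, though a check outside these hunks (for example in tearDown) may still need them.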
@@ -171,18 +162,12 @@ class MACsecInterfaceTest(BasicInterfaceTest.TestCase):
# final commit and verify
self.cli_commit()
self.assertIn(interface, interfaces())
- self.assertEqual(cipher, get_cipher(interface))
- # check that we use the new macsec_csindex option (T4537)
- tmp = get_config_value(src_interface, 'macsec_csindex')
- self.assertIn("1", tmp)
-
- # Check for running process
- self.assertTrue(process_named_running(PROCESS_NAME))
+ # Verify proper cipher suite (T4537)
+ self.assertEqual(cipher, get_cipher(interface))
def test_macsec_source_interface(self):
# Ensure source-interface can bot be part of any other bond or bridge
-
base_bridge = ['interfaces', 'bridge', 'br200']
base_bond = ['interfaces', 'bonding', 'bond200']
@@ -208,9 +193,77 @@ class MACsecInterfaceTest(BasicInterfaceTest.TestCase):
self.cli_commit()
self.assertIn(interface, interfaces())
- # Check for running process
- self.assertTrue(process_named_running(PROCESS_NAME))
+ def test_macsec_static_keys(self):
+ src_interface = 'eth0'
+ interface = 'macsec5'
+ cipher1 = 'gcm-aes-128'
+ cipher2 = 'gcm-aes-256'
+ tx_key_1 = '71a82a48eddfa12c08a19792ca20c4bb'
+ tx_key_2 = 'dd487b2958e855ea35a5d43a5ecb3dcfbe7889ffcb877770252feb13b734478d'
+ rx_key_1 = '0022d00f57e75241a230cdf7118dfcc5'
+ rx_key_2 = 'b7d6d7ad075e02323fdeb845217b884d3f93ff36b2cdaf6b07eeb189b877245f'
+ peer_mac = '00:11:22:33:44:55'
+ self.cli_set(self._base_path + [interface])
-if __name__ == '__main__':
- unittest.main(verbosity=2, failfast=True)
+ # Encrypt link
+ self.cli_set(self._base_path + [interface, 'security', 'encrypt'])
+ # check validate() - source interface is mandatory
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+ self.cli_set(self._base_path + [interface, 'source-interface', src_interface])
+
+ # check validate() - cipher is mandatory
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+ self.cli_set(self._base_path + [interface, 'security', 'cipher', cipher1])
+
+ # check validate() - only static or mka config is allowed
+ self.cli_set(self._base_path + [interface, 'security', 'static'])
+ self.cli_set(self._base_path + [interface, 'security', 'mka', 'cak', tx_key_1])
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+ self.cli_delete(self._base_path + [interface, 'security', 'mka'])
+
+ # check validate() - tx-key required
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+
+ # check validate() - tx-key length must match cipher
+ self.cli_set(self._base_path + [interface, 'security', 'static', 'key', tx_key_2])
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+ self.cli_set(self._base_path + [interface, 'security', 'static', 'key', tx_key_1])
+
+ # check validate() - at least one peer must be defined
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+
+ # check validate() - enabled peer must have both rx-key and MAC defined
+ self.cli_set(self._base_path + [interface, 'security', 'static', 'peer', 'TESTPEER'])
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+ self.cli_set(self._base_path + [interface, 'security', 'static', 'peer', 'TESTPEER', 'mac', peer_mac])
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+ self.cli_delete(self._base_path + [interface, 'security', 'static', 'peer', 'TESTPEER', 'mac'])
+ self.cli_set(self._base_path + [interface, 'security', 'static', 'peer', 'TESTPEER', 'key', rx_key_1])
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+ self.cli_set(self._base_path + [interface, 'security', 'static', 'peer', 'TESTPEER', 'mac', peer_mac])
+
+ # check validate() - peer rx-key length must match cipher
+ self.cli_set(self._base_path + [interface, 'security', 'cipher', cipher2])
+ self.cli_set(self._base_path + [interface, 'security', 'static', 'key', tx_key_2])
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+ self.cli_set(self._base_path + [interface, 'security', 'static', 'peer', 'TESTPEER', 'key', rx_key_2])
+
+ # final commit and verify
+ self.cli_commit()
+ self.assertIn(interface, interfaces())
+ self.assertEqual(cipher2, get_cipher(interface))
+ self.assertTrue(os.path.isdir(f'/sys/class/net/{interface}'))
+
+if __name__ == '__main__':
+ unittest.main(verbosity=2)
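Review bot: The negative commits for "tx-key required" and "tx-key length must match cipher" in `test_macsec_static_keys` run while no peer is configured, so they would still raise `ConfigSessionError` even if the key-presence or key-length validation were missing and only the peer check fired. Which check fires first depends on the order inside the validation code, which is not visible here. Key-length validation is what stops a 128-bit key being accepted for `gcm-aes-256` or the reverse, so each negative commit should violate exactly one constraint; starting from a complete peer and breaking one setting at a time does that. The final assertions cover only interface existence and cipher, so it may be worth also asserting that encryption is enabled and the peer's receive channel is installed. `os.path.isdir` needs `import os`, which is not among the imports visible in this diff.

```python
        # … unchanged: source-interface, cipher and static/mka exclusivity checks …

        # Start from a complete peer so the tx-key is the only invalid setting
        peer_path = self._base_path + [interface, 'security', 'static', 'peer', 'TESTPEER']
        self.cli_set(peer_path + ['mac', peer_mac])
        self.cli_set(peer_path + ['key', rx_key_1])

        # … unchanged: tx-key required and tx-key length checks …

        # check validate() - at least one peer must be defined
        self.cli_delete(peer_path)
        with self.assertRaises(ConfigSessionError):
            self.cli_commit()

        # … unchanged: incomplete-peer checks, rx-key length check, final verification …
```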