summaryrefslogtreecommitdiff
path: root/smoketest/scripts/cli/test_interfaces_macsec.py
diff options
context:
space:
mode:
Diffstat (limited to 'smoketest/scripts/cli/test_interfaces_macsec.py')
-rwxr-xr-xsmoketest/scripts/cli/test_interfaces_macsec.py108
1 files changed, 71 insertions, 37 deletions
diff --git a/smoketest/scripts/cli/test_interfaces_macsec.py b/smoketest/scripts/cli/test_interfaces_macsec.py
index d9635951f..e4280a5b7 100755
--- a/smoketest/scripts/cli/test_interfaces_macsec.py
+++ b/smoketest/scripts/cli/test_interfaces_macsec.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2020 VyOS maintainers and contributors
+# Copyright (C) 2020-2021 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -14,6 +14,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+import os
import re
import unittest
@@ -22,7 +23,9 @@ from netifaces import interfaces
from vyos.configsession import ConfigSessionError
from vyos.ifconfig import Section
+from vyos.util import cmd
from vyos.util import read_file
+from vyos.util import get_interface_config
from vyos.util import process_named_running
def get_config_value(interface, key):
@@ -30,18 +33,26 @@ def get_config_value(interface, key):
tmp = re.findall(r'\n?{}=(.*)'.format(key), tmp)
return tmp[0]
-class MACsecInterfaceTest(BasicInterfaceTest.BaseTest):
- def setUp(self):
- super().setUp()
- self._base_path = ['interfaces', 'macsec']
- self._options = { 'macsec0': ['source-interface eth0', 'security cipher gcm-aes-128'] }
+def get_cipher(interface):
+ tmp = get_interface_config(interface)
+ return tmp['linkinfo']['info_data']['cipher_suite'].lower()
- # if we have a physical eth1 interface, add a second macsec instance
- if 'eth1' in Section.interfaces("ethernet"):
- macsec = { 'macsec1': [f'source-interface eth1', 'security cipher gcm-aes-128'] }
- self._options.update(macsec)
+class MACsecInterfaceTest(BasicInterfaceTest.TestCase):
+ @classmethod
+ def setUpClass(cls):
+ cls._test_ip = True
+ cls._test_ipv6 = True
+ cls._base_path = ['interfaces', 'macsec']
+ cls._options = { 'macsec0': ['source-interface eth0', 'security cipher gcm-aes-128'] }
- self._interfaces = list(self._options)
+ # if we have a physical eth1 interface, add a second macsec instance
+ if 'eth1' in Section.interfaces('ethernet'):
+ macsec = { 'macsec1': [f'source-interface eth1', 'security cipher gcm-aes-128'] }
+ cls._options.update(macsec)
+
+ cls._interfaces = list(cls._options)
+ # call base-classes classmethod
+ super(cls, cls).setUpClass()
def test_macsec_encryption(self):
# MACsec can be operating in authentication and encryption mode - both
@@ -57,31 +68,31 @@ class MACsecInterfaceTest(BasicInterfaceTest.BaseTest):
if option.split()[0] == 'source-interface':
src_interface = option.split()[1]
- self.session.set(self._base_path + [interface] + option.split())
+ self.cli_set(self._base_path + [interface] + option.split())
# Encrypt link
- self.session.set(self._base_path + [interface, 'security', 'encrypt'])
+ self.cli_set(self._base_path + [interface, 'security', 'encrypt'])
# check validate() - Physical source interface MTU must be higher then our MTU
- self.session.set(self._base_path + [interface, 'mtu', '1500'])
+ self.cli_set(self._base_path + [interface, 'mtu', '1500'])
with self.assertRaises(ConfigSessionError):
- self.session.commit()
- self.session.delete(self._base_path + [interface, 'mtu'])
+ self.cli_commit()
+ self.cli_delete(self._base_path + [interface, 'mtu'])
# check validate() - MACsec security keys mandartory when encryption is enabled
with self.assertRaises(ConfigSessionError):
- self.session.commit()
- self.session.set(self._base_path + [interface, 'security', 'mka', 'cak', mak_cak])
+ self.cli_commit()
+ self.cli_set(self._base_path + [interface, 'security', 'mka', 'cak', mak_cak])
# check validate() - MACsec security keys mandartory when encryption is enabled
with self.assertRaises(ConfigSessionError):
- self.session.commit()
- self.session.set(self._base_path + [interface, 'security', 'mka', 'ckn', mak_ckn])
+ self.cli_commit()
+ self.cli_set(self._base_path + [interface, 'security', 'mka', 'ckn', mak_ckn])
- self.session.set(self._base_path + [interface, 'security', 'replay-window', replay_window])
+ self.cli_set(self._base_path + [interface, 'security', 'replay-window', replay_window])
# final commit of settings
- self.session.commit()
+ self.cli_commit()
tmp = get_config_value(src_interface, 'macsec_integ_only')
self.assertTrue("0" in tmp)
@@ -105,23 +116,46 @@ class MACsecInterfaceTest(BasicInterfaceTest.BaseTest):
# Check for running process
self.assertTrue(process_named_running('wpa_supplicant'))
- def test_macsec_mandatory_options(self):
+ def test_macsec_gcm_aes_128(self):
interface = 'macsec1'
- self.session.set(self._base_path + [interface])
+ cipher = 'gcm-aes-128'
+ self.cli_set(self._base_path + [interface])
+
+ # check validate() - source interface is mandatory
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+ self.cli_set(self._base_path + [interface, 'source-interface', 'eth0'])
+
+ # check validate() - cipher is mandatory
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+ self.cli_set(self._base_path + [interface, 'security', 'cipher', cipher])
+
+ # final commit and verify
+ self.cli_commit()
+ self.assertIn(interface, interfaces())
+ self.assertIn(interface, interfaces())
+ self.assertEqual(cipher, get_cipher(interface))
+
+ def test_macsec_gcm_aes_256(self):
+ interface = 'macsec4'
+ cipher = 'gcm-aes-256'
+ self.cli_set(self._base_path + [interface])
# check validate() - source interface is mandatory
with self.assertRaises(ConfigSessionError):
- self.session.commit()
- self.session.set(self._base_path + [interface, 'source-interface', 'eth0'])
+ self.cli_commit()
+ self.cli_set(self._base_path + [interface, 'source-interface', 'eth0'])
# check validate() - cipher is mandatory
with self.assertRaises(ConfigSessionError):
- self.session.commit()
- self.session.set(self._base_path + [interface, 'security', 'cipher', 'gcm-aes-128'])
+ self.cli_commit()
+ self.cli_set(self._base_path + [interface, 'security', 'cipher', cipher])
# final commit and verify
- self.session.commit()
+ self.cli_commit()
self.assertIn(interface, interfaces())
+ self.assertEqual(cipher, get_cipher(interface))
def test_macsec_source_interface(self):
# Ensure source-interface can bot be part of any other bond or bridge
@@ -131,24 +165,24 @@ class MACsecInterfaceTest(BasicInterfaceTest.BaseTest):
for interface, option_value in self._options.items():
for option in option_value:
- self.session.set(self._base_path + [interface] + option.split())
+ self.cli_set(self._base_path + [interface] + option.split())
if option.split()[0] == 'source-interface':
src_interface = option.split()[1]
- self.session.set(base_bridge + ['member', 'interface', src_interface])
+ self.cli_set(base_bridge + ['member', 'interface', src_interface])
# check validate() - Source interface must not already be a member of a bridge
with self.assertRaises(ConfigSessionError):
- self.session.commit()
- self.session.delete(base_bridge)
+ self.cli_commit()
+ self.cli_delete(base_bridge)
- self.session.set(base_bond + ['member', 'interface', src_interface])
+ self.cli_set(base_bond + ['member', 'interface', src_interface])
# check validate() - Source interface must not already be a member of a bridge
with self.assertRaises(ConfigSessionError):
- self.session.commit()
- self.session.delete(base_bond)
+ self.cli_commit()
+ self.cli_delete(base_bond)
# final commit and verify
- self.session.commit()
+ self.cli_commit()
self.assertIn(interface, interfaces())
if __name__ == '__main__':
generated by cgit v1.2.3 (git 2.39.1) at 2025-12-22 08:31:46 +0000