Testcase and pipeline updates for supporting nightly run with macsec enabled topology.

ansible/roles/test/files/acstests/py3/lag_test.py

@@ -14,6 +14,7 @@
 from ptf.testutils import send
 from ptf.testutils import verify_packet_any_port
 from ptf.mask import Mask
+import macsec  # noqa F401
 
 from router_utils import RouterUtility
 

ansible/roles/test/files/acstests/py3/macsec.py

@@ -0,0 +1 @@
+../../ptftests/macsec.py

ansible/roles/test/files/ptftests/macsec.py

@@ -28,13 +28,18 @@ def macsec_send(test, port_id, pkt, count=1):
         encrypt, send_sci, xpn_en, sci, an, sak, ssci, salt, peer_sci, peer_an, peer_ssci, pn = \
                                                                                 MACSEC_INFOS[port_number]
 
-        # Increment the PN by an offset so that the macsec frames are not late on DUT
-        pn += MACSEC_GLOBAL_PN_OFFSET
-        MACSEC_GLOBAL_PN_OFFSET += MACSEC_GLOBAL_PN_INCR
-
-        macsec_pkt = encap_macsec_pkt(pkt, peer_sci, peer_an, sak, encrypt, send_sci, pn, xpn_en, peer_ssci, salt)
-        # send the packet
-        __origin_send_packet(test, port_id, macsec_pkt, count)
+        for n in range(count):
+            if isinstance(pkt, bytes):
+                # If in bytes, convert it to an Ether packet
+                pkt = scapy.Ether(pkt)
+
+            # Increment the PN by an offset so that the macsec frames are not late on DUT
+            MACSEC_GLOBAL_PN_OFFSET += MACSEC_GLOBAL_PN_INCR
+            pn += MACSEC_GLOBAL_PN_OFFSET
+
+            macsec_pkt = encap_macsec_pkt(pkt, peer_sci, peer_an, sak, encrypt, send_sci, pn, xpn_en, peer_ssci, salt)
+            # send the packet
+            __origin_send_packet(test, port_id, macsec_pkt, 1)
     else:
         # send the packet
         __origin_send_packet(test, port_id, pkt, count)
@@ -95,11 +100,11 @@ def __macsec_dp_poll(test, device_number=0, port_number=None, timeout=None, exp_
                 continue
         # The device number of PTF host is 0, if the target port isn't a injected port(belong to ptf host),
         # Don't need to do MACsec further.
-        if ret.device != 0 or exp_pkt is None:
+        if ret.device != 0:
             return ret
         pkt = scapy.Ether(ret.packet)
         if pkt[scapy.Ether].type != 0x88e5:
-            if ptf.dataplane.match_exp_pkt(exp_pkt, pkt):
+            if exp_pkt is None or ptf.dataplane.match_exp_pkt(exp_pkt, pkt):
                 return ret
             else:
                 continue
@@ -108,7 +113,7 @@ def __macsec_dp_poll(test, device_number=0, port_number=None, timeout=None, exp_
                                                                                          MACSEC_INFOS[ret.port]
             pkt, decap_success = __decap_macsec_pkt(
                 pkt, sci, an, sak, encrypt, send_sci, 0, xpn_en, ssci, salt)
-            if decap_success and ptf.dataplane.match_exp_pkt(exp_pkt, pkt):
+            if exp_pkt is None or decap_success and ptf.dataplane.match_exp_pkt(exp_pkt, pkt):
                 return ret
         recent_packets.append(pkt)
         packet_count += 1

ansible/roles/test/files/ptftests/py3/IP_decap_test.py

@@ -59,6 +59,8 @@
 from ptf.mask import Mask
 from ptf.base_tests import BaseTest
 
+import macsec  # noqa F401
+
 
 class DecapPacketTest(BaseTest):
     """ IP in IP decapsulation test """

ansible/roles/test/files/ptftests/py3/arptest.py

@@ -3,6 +3,7 @@
 '''
 import os
 import ptf
+import macsec  # noqa F401
 from ptf.testutils import test_params_get, add_filter, not_ipv6_filter, reset_filters, ptf_ports,\
     simple_arp_packet, send_packet, verify_packet, verify_no_packet_any, verify_no_packet
 from ptf import config

ansible/roles/test/files/ptftests/py3/copp_tests.py

@@ -35,6 +35,7 @@
 import signal
 import threading
 import time
+import macsec  # noqa F401
 
 import ptf.packet as scapy
 import ptf.testutils as testutils

ansible/roles/test/files/ptftests/py3/hash_test.py

@@ -32,6 +32,7 @@
 
 import fib
 import lpm
+import macsec  # noqa F401
 
 
 class HashTest(BaseTest):

ansible/roles/test/files/ptftests/py3/mtu_test.py

@@ -27,6 +27,7 @@
 from ptf.mask import Mask
 from ptf.testutils import test_params_get, simple_icmp_packet, simple_icmpv6_packet, send_packet,\
     simple_ip_packet, simple_tcpv6_packet, verify_packet_any_port
+import macsec  # noqa F401
 
 
 class MtuTest(BaseTest):

ansible/roles/test/files/ptftests/py3/pfc_pause_test.py

@@ -12,6 +12,7 @@
 from ptf.base_tests import BaseTest
 from ptf.mask import Mask
 from ptf.testutils import add_filter, reset_filters, dp_poll, simple_udp_packet, send_packet, test_params_get
+import macsec  # noqa F401
 
 
 def udp_filter(pkt_str):

ansible/roles/test/files/ptftests/py3/pfc_wd.py

@@ -10,6 +10,7 @@
 from ptf.base_tests import BaseTest
 from ptf.mask import Mask
 from ptf.testutils import test_params_get, simple_tcp_packet, send_packet, verify_no_packet_any, verify_packet_any_port
+import macsec  # noqa F401
 
 
 class PfcWdTest(BaseTest):

ansible/roles/test/files/ptftests/py3/pfc_wd_background_traffic.py

@@ -4,6 +4,7 @@
 from ptf.base_tests import BaseTest
 import time
 from ptf.testutils import test_params_get, simple_udp_packet, send_packet
+import macsec  # noqa F401
 
 
 class PfcWdBackgroundTrafficTest(BaseTest):

ansible/roles/test/files/ptftests/py3/pfcwd_background_traffic.py

@@ -29,6 +29,7 @@
 import ptf.packet as scapy
 from ptf.mask import Mask
 import ptf
+import macsec  # noqa F401
 
 
 class BG_pkt_sender(BaseTest):

ansible/roles/test/files/ptftests/py3/voq.py

@@ -11,6 +11,7 @@
 from scapy.all import Ether
 from scapy.layers.l2 import Dot1Q
 from scapy.layers.inet6 import IPv6, ICMPv6ND_NA, ICMPv6NDOptDstLLAddr
+import macsec  # noqa F401
 
 import logging
 

tests/acl/test_acl.py

@@ -265,7 +265,7 @@ def get_t2_info(duthosts, tbinfo):
 
 @pytest.fixture(scope="module")
 def setup(duthosts, ptfhost, rand_selected_dut, rand_selected_front_end_dut, rand_unselected_dut,
-          tbinfo, ptfadapter, topo_scenario, vlan_name):
+          tbinfo, ptfadapter, topo_scenario, vlan_name, is_macsec_enabled_for_test):
     """Gather all required test information from DUT and tbinfo.
 
     Args:
@@ -464,6 +464,10 @@ def setup(duthosts, ptfhost, rand_selected_dut, rand_selected_front_end_dut, ran
     for duthost in duthosts:
         duthost.command("mkdir -p {}".format(DUT_TMP_DIR))
 
+    # Set the flag force_reload_macsec to True, if enable_macsec is set for this test run
+    if is_macsec_enabled_for_test:
+        setattr(ptfadapter, "force_reload_macsec", True)
+
     yield setup_information
 
     logger.info("Removing temporary directory \"{}\"".format(DUT_TMP_DIR))
@@ -542,13 +546,14 @@ def populate_arp_table():
 
 
 @pytest.fixture(scope="module", params=["ingress", "egress"])
-def stage(request, duthosts, rand_one_dut_hostname, tbinfo):
+def stage(request, duthosts, rand_one_dut_hostname, tbinfo, is_macsec_enabled_for_test):
     """Parametrize tests for Ingress/Egress stage testing.
 
     Args:
         request: A fixture to interact with Pytest data.
         duthosts: All DUTs belong to the testbed.
         rand_one_dut_hostname: hostname of a random chosen dut to run test.
+        is_macsec_enabled_for_test: flag for macsec topology selected for run.
 
     Returns:
         str: The ACL stage to be tested.
@@ -561,6 +566,11 @@ def stage(request, duthosts, rand_one_dut_hostname, tbinfo):
         "Egress ACLs are not currently supported on \"{}\" ASICs".format(duthost.facts["asic_type"])
     )
 
+    # Skip ACL egress tests when run on macsec enabled toplogy with braodcom DNX
+    if request.param == "egress" and is_macsec_enabled_for_test and \
+            duthost.facts.get("platform_asic") == "broadcom-dnx":
+        pytest.skip("Egress ACLs not supported with MACSEC on \"{}\" ASICs".format(duthost.facts["asic_type"]))
+
     return request.param
 
 

tests/common/config_reload.py

@@ -151,6 +151,12 @@ def _config_reload_cmd_wrapper(cmd, executable):
         # Extend ignore fabric port msgs for T2 chassis with DNX chipset on Linecards
         ignore_t2_syslog_msgs(sonic_host)
 
+    # Retrieve the enable_macsec passed by user for this test run
+    # If macsec is enabled, use the override option to get macsec profile from golden config
+    request = sonic_host.duthosts.request
+    if request:
+        macsec_en = request.config.getoption("--enable_macsec", default=False)
+
     if config_source == 'minigraph':
         if start_dynamic_buffer and sonic_host.facts['asic_type'] == 'mellanox':
             output = sonic_host.shell('redis-cli -n 4 hget "DEVICE_METADATA|localhost" buffer_model',
@@ -161,7 +167,7 @@ def _config_reload_cmd_wrapper(cmd, executable):
         cmd = 'config load_minigraph -y &>/dev/null'
         if traffic_shift_away:
             cmd += ' -t'
-        if override_config:
+        if override_config or macsec_en:
             cmd += ' -o'
         if golden_config_path:
             cmd += ' -p {} '.format(golden_config_path)

tests/common/macsec/__init__.py

@@ -16,6 +16,10 @@
 from .macsec_config_helper import disable_macsec_feature
 from .macsec_config_helper import setup_macsec_configuration
 from .macsec_config_helper import cleanup_macsec_configuration
+from .macsec_config_helper import is_macsec_configured
+from .macsec_config_helper import get_macsec_enable_status, get_macsec_profile
+from .macsec_helper import load_all_macsec_info
+
 # flake8: noqa: F401
 from tests.common.plugins.sanity_check import sanity_check
 
@@ -107,7 +111,7 @@ def __shutdown_macsec():
             cleanup_macsec_configuration(macsec_duthost, ctrl_links, profile['name'])
         return __shutdown_macsec
 
-    @pytest.fixture(scope="module", autouse=True)
+    @pytest.fixture(scope="module")
     def macsec_setup(self, startup_macsec, shutdown_macsec, macsec_feature):
         '''
             setup macsec links
@@ -116,6 +120,14 @@ def macsec_setup(self, startup_macsec, shutdown_macsec, macsec_feature):
         yield
         shutdown_macsec()
 
+    @pytest.fixture(scope="module", autouse=True)
+    def load_macsec_info(self, request, macsec_duthost, ctrl_links, macsec_profile, tbinfo):
+        if get_macsec_enable_status(macsec_duthost) and get_macsec_profile(macsec_duthost):
+            if is_macsec_configured(macsec_duthost, macsec_profile, ctrl_links):
+                load_all_macsec_info(macsec_duthost, ctrl_links, tbinfo)
+            else:
+                request.getfixturevalue('macsec_setup')
+
     @pytest.fixture(scope="module")
     def macsec_nbrhosts(self, ctrl_links):
         return {nbr["name"]: nbr for nbr in list(ctrl_links.values())}
@@ -251,8 +263,10 @@ def __init__(self):
          super(MacsecPluginT2, self).__init__()
 
     def get_ctrl_nbr_names(self, macsec_duthost, nbrhosts, tbinfo):
+        ctrl_nbr_names = []
         mg_facts = macsec_duthost.get_extended_minigraph_facts(tbinfo)
-        ctrl_nbr_names = mg_facts['macsec_neighbors']
+        if 'macsec_neighbors' in mg_facts:
+            ctrl_nbr_names = mg_facts['macsec_neighbors']
         return ctrl_nbr_names
 
     def downstream_neighbor(self,tbinfo, neighbor):

tests/common/macsec/macsec_config_helper.py

@@ -83,6 +83,34 @@ def set_macsec_profile(host, port, profile_name, priority, cipher_suite,
         host.command("lldpcli configure system bond-slave-src-mac-type real")
 
 
+def is_macsec_configured(host, mac_profile, ctrl_links):
+    is_profile_present = False
+    is_port_profile_present = False
+    profile_name = mac_profile['name']
+
+    # Check macsec profile is configured in all namespaces
+    if host.is_multi_asic:
+        for ns in host.get_asic_namespace_list():
+            CMD_PREFIX = "-n {}".format(ns) if ns is not None else " "
+            cmd = "sonic-db-cli {} CONFIG_DB KEYS 'MACSEC_PROFILE|{}'".format(CMD_PREFIX, profile_name)
+            output = host.command(cmd)['stdout'].strip()
+            profile = output.split('|')[1] if output else None
+            is_profile_present = (profile == profile_name)
+    else:
+        cmd = "sonic-db-cli CONFIG_DB KEYS 'MACSEC_PROFILE|{}'".format(profile_name)
+        output = host.command(cmd)['stdout'].strip()
+        profile = output.split('|')[1] if output else None
+        is_profile_present = (profile == profile_name)
+
+    # Check if macsec profile is configured on interfaces
+    for port, nbr in ctrl_links.items():
+        cmd = "sonic-db-cli {} CONFIG_DB HGET 'PORT|{}' 'macsec' ".format(getns_prefix(host, port), port)
+        output = host.command(cmd)['stdout'].strip()
+        is_port_profile_present = (output == profile_name)
+
+    return is_profile_present and is_port_profile_present
+
+
 def delete_macsec_profile(host, port, profile_name):
     if isinstance(host, EosHost):
         host.eos_config(

tests/common/macsec/macsec_helper.py

@@ -467,6 +467,11 @@ def load_macsec_info(duthost, port, force_reload=None):
     return __macsec_infos[port]
 
 
+def load_macsec_info_for_ptf_id(duthost, ptf_id, port, force_reload=None):
+    if force_reload:
+        MACSEC_INFO[ptf_id] = get_macsec_attr(duthost, port)
+
+
 # This API load the macsec session details from all ctrl links
 def load_all_macsec_info(duthost, ctrl_links, tbinfo):
     mg_facts = duthost.get_extended_minigraph_facts(tbinfo)
@@ -484,13 +489,18 @@ def macsec_send(test, port_id, pkt, count=1):
     if port_number in MACSEC_INFO and MACSEC_INFO[port_number]:
         encrypt, send_sci, xpn_en, sci, an, sak, ssci, salt, peer_sci, peer_an, peer_ssci, pn = MACSEC_INFO[port_number]
 
-        # Increment the PN in packet so that the packet s not marked as late in DUT
-        pn += MACSEC_GLOBAL_PN_OFFSET
-        MACSEC_GLOBAL_PN_OFFSET += MACSEC_GLOBAL_PN_INCR
+        for n in range(count):
+            if isinstance(pkt, bytes):
+                # If in bytes, convert it to an Ether packet
+                pkt = scapy.Ether(pkt)
 
-        macsec_pkt = encap_macsec_pkt(pkt, peer_sci, peer_an, sak, encrypt, send_sci, pn, xpn_en, peer_ssci, salt)
-        # send the packet
-        __origin_send_packet(test, port_id, macsec_pkt, count)
+            # Increment the PN in packet so that the packet s not marked as late in DUT
+            MACSEC_GLOBAL_PN_OFFSET += MACSEC_GLOBAL_PN_INCR
+            pn += MACSEC_GLOBAL_PN_OFFSET
+
+            macsec_pkt = encap_macsec_pkt(pkt, peer_sci, peer_an, sak, encrypt, send_sci, pn, xpn_en, peer_ssci, salt)
+            # send the packet
+            __origin_send_packet(test, port_id, macsec_pkt, 1)
     else:
         # send the packet
         __origin_send_packet(test, port_id, pkt, count)
@@ -519,20 +529,25 @@ def macsec_dp_poll(test, device_number=0, port_number=None, timeout=None, exp_pk
                 continue
         # The device number of PTF host is 0, if the target port isn't a injected port(belong to ptf host),
         # Don't need to do MACsec further.
-        if ret.device != 0 or exp_pkt is None:
+        if ret.device != 0:
             return ret
         pkt = scapy.Ether(ret.packet)
         if pkt.haslayer(scapy.Ether):
             if pkt[scapy.Ether].type != 0x88e5:
-                if ptf.dataplane.match_exp_pkt(exp_pkt, pkt):
+                if exp_pkt is None or ptf.dataplane.match_exp_pkt(exp_pkt, pkt):
                     return ret
             else:
                 if ret.port in MACSEC_INFO and MACSEC_INFO[ret.port]:
+                    # Reload the macsec session if the session was restarted
+                    if force_reload[ret.port]:
+                        load_macsec_info_for_ptf_id(
+                            test.duthost, ret.port, find_portname_from_ptf_id(test.mg_facts, ret.port),
+                            force_reload[ret.port])
                     encrypt, send_sci, xpn_en, sci, an, sak, ssci, salt, peer_sci, peer_an, peer_ssci, pn = \
-                                                                                              MACSEC_INFO[ret.port]
+                        MACSEC_INFO[ret.port]
                     force_reload[ret.port] = False
                     pkt, decap_success = decap_macsec_pkt(pkt, sci, an, sak, encrypt, send_sci, 0, xpn_en, ssci, salt)
-                    if decap_success and ptf.dataplane.match_exp_pkt(exp_pkt, pkt):
+                    if exp_pkt is None or decap_success and ptf.dataplane.match_exp_pkt(exp_pkt, pkt):
                         # Here we explicitly create the PollSuccess struct and send the pkt which us decoded
                         # and the caller test can validate the pkt fields. Without this fix in case of macsec
                         # the encrypted packet is being send back to caller which it will not be able to dissect

tests/conftest.py

@@ -577,6 +577,16 @@ def macsec_duthost(duthosts, tbinfo):
     return macsec_dut
 
 
+@pytest.fixture(scope="session")
+def is_macsec_enabled_for_test(duthosts):
+    # If macsec is enabled, use the override option to get macsec profile from golden config
+    macsec_en = False
+    request = duthosts.request
+    if request:
+        macsec_en = request.config.getoption("--enable_macsec", default=False)
+    return macsec_en
+
+
 # Make sure in same test module, always use same random DUT
 rand_one_dut_hostname_var = None
 

tests/saitests/py3/macsec.py

@@ -0,0 +1 @@
+../../../ansible/roles/test/files/ptftests/macsec.py

tests/saitests/py3/sai_qos_tests.py

@@ -12,6 +12,7 @@
 import texttable
 import math
 import os
+import macsec  # noqa F401
 import concurrent.futures
 from ptf.testutils import (ptf_ports,
                            dp_poll,