[macsec]: Extend MACsec show command to support FIPS POST status option. (#24067)

vikram-nexthop · web-flow · commit 484538adcfb0 · 2025-10-18T13:17:43.000-07:00
Why I did it Extended the MACsec show command to display FIPS POST (Power-On Self-Test) status, enabling network operators to verify cryptographic module compliance and operational readiness in FIPS enabled deployments. Reference HLD: sonic-net/SONiC#2034. How I did it Added --post-status option to existing show macsec command Read and display information from FIPS_MACSEC_POST_TABLE|<module> keys Added unit tests to verify the changes. Updated macsec show command structure show macsec [--profile/--dump-file/--post-status] [interface_name]
diff --git a/dockers/docker-macsec/cli-plugin-tests/test_show_macsec.py b/dockers/docker-macsec/cli-plugin-tests/test_show_macsec.py
@@ -1,5 +1,5 @@
 import sys
-from unittest import mock
+from unittest.mock import MagicMock, patch
 
 from click.testing import CliRunner
 
@@ -9,7 +9,7 @@
 
 class TestShowMACsec(object):
     def test_plugin_registration(self):
-        cli = mock.MagicMock()
+        cli = MagicMock()
         show_macsec.register(cli)
         cli.add_command.assert_called_once_with(show_macsec.macsec)
 
@@ -27,3 +27,250 @@ def test_show_profile(self):
         runner = CliRunner()
         result = runner.invoke(show_macsec.macsec,["--profile"])
         assert result.exit_code == 0, "exit code: {}, Exception: {}, Traceback: {}".format(result.exit_code, result.exception, result.exc_info)
+
+    @patch('show_macsec.SonicV2Connector')
+    def test_post_status_success(self, mock_connector):
+        """Test --post-status command with successful data"""
+        with patch('show_macsec.multi_asic_util.MultiAsic') as mock_multi_asic_class:
+            # Setup MultiAsic mock
+            mock_multi_asic_instance = MagicMock()
+            mock_multi_asic_instance.is_multi_asic.return_value = False
+            mock_multi_asic_instance.get_ns_list_based_on_options.return_value = ['']
+            mock_multi_asic_class.return_value = mock_multi_asic_instance
+
+            # Setup database mock
+            def mock_connector_side_effect(use_unix_socket_path=True, namespace=None):
+                mock_db = MagicMock()
+
+                if not namespace or namespace == '':
+                    mock_db.keys.return_value = ['FIPS_MACSEC_POST_TABLE|crypto', 'FIPS_MACSEC_POST_TABLE|sai']
+                    # Mock get_all for different modules
+                    def mock_get_all(db_name, key):
+                        if key == "FIPS_MACSEC_POST_TABLE|crypto":
+                            return {
+                                'status': 'pass',
+                                'timestamp': '2025-09-15 10:30:00 UTC',
+                            }
+                        elif key == "FIPS_MACSEC_POST_TABLE|sai":
+                            return {
+                                'status': 'fail',
+                                'timestamp': '2025-09-15 10:31:30 UTC',
+                            }
+                        return {}
+                    mock_db.get_all.side_effect = mock_get_all
+                else:
+                    mock_db.keys.return_value = []
+                    mock_db.get_all.return_value = {}
+
+                return mock_db
+            mock_connector.side_effect = mock_connector_side_effect
+
+            # Test the CLI
+            runner = CliRunner()
+            result = runner.invoke(show_macsec.macsec, ["--post-status"])
+
+            # Assertions
+            assert result.exit_code == 0
+            assert "Module      : crypto" in result.output
+            assert "Module      : sai" in result.output
+            assert "Status      : pass" in result.output
+            assert "Status      : fail" in result.output
+
+    @patch('show_macsec.SonicV2Connector')
+    def test_post_status_no_entries(self, mock_connector):
+        """Test --post-status command when no POST entries exist"""
+        with patch('show_macsec.multi_asic_util.MultiAsic') as mock_multi_asic_class:
+            # Mock the database connection
+            # Setup MultiAsic mock
+            mock_multi_asic_instance = MagicMock()
+            mock_multi_asic_instance.is_multi_asic.return_value = False
+            mock_multi_asic_instance.get_ns_list_based_on_options.return_value = ['']
+            mock_multi_asic_class.return_value = mock_multi_asic_instance
+
+            # Create separate mock instances for different database connections
+            def mock_connector_side_effect(use_unix_socket_path=True, namespace=None):
+                mock_db = MagicMock()
+                mock_db.keys.return_value = []
+                mock_connector.return_value = mock_db
+                # Return empty dict for any get_all call (no POST data)
+                mock_db.get_all.return_value = {}
+                return mock_db
+
+            mock_connector.side_effect = mock_connector_side_effect
+
+            runner = CliRunner()
+            result = runner.invoke(show_macsec.macsec, ["--post-status"])
+
+            assert result.exit_code == 0
+            assert "No entries found" in result.output
+
+    def test_post_status_mutual_exclusivity(self):
+        """Test that --post-status and other option/argument are mutually exclusive"""
+        runner = CliRunner()
+        result = runner.invoke(show_macsec.macsec, ["Ethernet0", "--post-status"])
+
+        assert result.exit_code == 0
+        assert "POST status is not valid with other options/arguments" in result.output
+
+        result = runner.invoke(show_macsec.macsec, ["--profile", "--post-status"])
+
+        assert result.exit_code == 0
+        assert "POST status is not valid with other options/arguments" in result.output
+
+        result = runner.invoke(show_macsec.macsec, ["--dump-file", "--post-status"])
+
+        assert result.exit_code == 0
+        assert "POST status is not valid with other options/arguments" in result.output
+
+        result = runner.invoke(show_macsec.macsec, ["--profile", "--post-status"])
+
+        assert result.exit_code == 0
+        assert "POST status is not valid with other options/arguments" in result.output
+
+        result = runner.invoke(show_macsec.macsec, ["Ethernet0", "--profile", "--post-status"])
+
+        assert result.exit_code == 0
+        assert "POST status is not valid with other options/arguments" in result.output
+
+    @patch('show_macsec.SonicV2Connector')
+    def test_post_status_multi_asic_success(self, mock_connector):
+        """Test --post-status command in multi-ASIC environment with successful data"""
+        with patch('show_macsec.multi_asic_util.MultiAsic') as mock_multi_asic_class:
+            mock_multi_asic_instance = MagicMock()
+            mock_multi_asic_instance.is_multi_asic.return_value = True
+            mock_multi_asic_instance.get_ns_list_based_on_options.return_value = ['', 'asic0', 'asic1']
+            mock_multi_asic_class.return_value = mock_multi_asic_instance
+
+            # Setup database mock
+            def mock_connector_side_effect(use_unix_socket_path=True, namespace=None):
+                mock_db = MagicMock()
+
+                if namespace == 'asic0':
+                    mock_db.keys.return_value = ['FIPS_MACSEC_POST_TABLE|sai']
+                    mock_db.get_all.return_value = {'status': 'fail', 'timestamp': '2025-09-15 10:31:00 UTC'}
+                elif namespace == 'asic1':
+                    mock_db.keys.return_value = ['FIPS_MACSEC_POST_TABLE|sai']
+                    mock_db.get_all.return_value = {'status': 'inprogress', 'timestamp': '2025-09-15 10:31:30 UTC'}
+                elif not namespace or namespace == '':
+                    mock_db.keys.return_value = ['FIPS_MACSEC_POST_TABLE|crypto', 'FIPS_MACSEC_POST_TABLE|sai']
+                    # Mock get_all for different modules
+                    def mock_get_all(db_name, key):
+                        if key == "FIPS_MACSEC_POST_TABLE|crypto":
+                            return {
+                                'status': 'pass',
+                                'timestamp': '2025-09-15 10:30:00 UTC',
+                            }
+                        elif key == "FIPS_MACSEC_POST_TABLE|sai":
+                            return {
+                                'status': 'pass',
+                                'timestamp': '2025-09-15 10:31:30 UTC',
+                            }
+                            return {}
+                    mock_db.get_all.side_effect = mock_get_all
+                else:
+                    mock_db.keys.return_value = []
+                    mock_db.get_all.return_value = {}
+
+                return mock_db
+
+            mock_connector.side_effect = mock_connector_side_effect
+
+            # Test the CLI
+            runner = CliRunner()
+            result = runner.invoke(show_macsec.macsec, ["--post-status"])
+
+            # Assertions
+            assert result.exit_code == 0
+            assert "Module      : crypto" in result.output
+            assert "Module      : sai" in result.output
+            assert "Namespace (asic0)" in result.output
+            assert "Namespace (asic1)" in result.output
+            assert "Status      : pass" in result.output
+            assert "Status      : fail" in result.output
+            assert "Status      : inprogress" in result.output
+
+    @patch('show_macsec.SonicV2Connector')
+    def test_post_status_multi_asic_specific_namespace(self, mock_connector):
+        """Test --post-status command with specific namespace filter"""
+        with patch('show_macsec.multi_asic_util.MultiAsic') as mock_multi_asic_class:
+            mock_multi_asic_instance = MagicMock()
+            mock_multi_asic_instance.is_multi_asic.return_value = True
+            mock_multi_asic_instance.get_ns_list_based_on_options.return_value = ['asic1']
+            mock_multi_asic_class.return_value = mock_multi_asic_instance
+
+            # Mock database to return keys and data only for asic1
+            def mock_connector_side_effect(use_unix_socket_path=True, namespace=None):
+                mock_db = MagicMock()
+
+                if namespace == 'asic1':
+                    # Only asic1 should have data when filtered
+                    mock_db.keys.return_value = ['FIPS_MACSEC_POST_TABLE|sai']
+                    # Mock get_all for different modules
+                    def mock_get_all(db_name, key):
+                        if key == "FIPS_MACSEC_POST_TABLE|sai":
+                            return {
+                                'status': 'pass',
+                                'timestamp': '2025-09-15 10:31:00 UTC',
+                            }
+                        return {}
+                    mock_db.get_all.side_effect = mock_get_all
+                else:
+                    # No keys for other namespaces (they shouldn't be called with filtering)
+                    mock_db.keys.return_value = []
+                    mock_db.get_all.return_value = {}
+
+                return mock_db
+
+            mock_connector.side_effect = mock_connector_side_effect
+
+            # Test the new approach with namespace filtering
+            runner = CliRunner()
+            result = runner.invoke(show_macsec.macsec, ["--post-status"])
+
+            assert result.exit_code == 0
+            # Check that modules are displayed for asic1 only
+            assert "Module      : sai" in result.output
+            assert "Status      : pass" in result.output
+            assert "Namespace (asic1)" in result.output
+
+    @patch('show_macsec.SonicV2Connector')
+    def test_post_status_multi_asic_partial_entries(self, mock_connector):
+        """Test --post-status command when no POST data is available"""
+        # Setup MultiAsic mock
+        with patch('show_macsec.multi_asic_util.MultiAsic') as mock_multi_asic_class:
+            mock_multi_asic_instance = MagicMock()
+            mock_multi_asic_instance.is_multi_asic.return_value = True
+            mock_multi_asic_instance.get_ns_list_based_on_options.return_value = ['', 'asic0', 'asic1']
+            mock_multi_asic_class.return_value = mock_multi_asic_instance
+            def mock_connector_side_effect(use_unix_socket_path=True, namespace=None):
+                mock_db = MagicMock()
+                if namespace == 'asic0':
+                    # Only asic1 should have data when filtered
+                    mock_db.keys.return_value = ['FIPS_MACSEC_POST_TABLE|sai']
+                    # Mock get_all for different modules
+                    def mock_get_all(db_name, key):
+                        if key == "FIPS_MACSEC_POST_TABLE|sai":
+                            return {
+                                'status': 'pass',
+                                'timestamp': '2025-09-15 10:31:00 UTC',
+                            }
+                        return {}
+                    mock_db.get_all.side_effect = mock_get_all
+                else:
+                    # No keys for other namespaces (they shouldn't be called with filtering)
+                    mock_db.keys.return_value = []
+                    mock_db.get_all.return_value = {}
+
+                return mock_db
+
+            mock_connector.side_effect = mock_connector_side_effect
+
+            # Test the CLI command
+            runner = CliRunner()
+            result = runner.invoke(show_macsec.macsec, ["--post-status"])
+
+            assert result.exit_code == 0
+            assert "No entries found" in result.output
+            assert "Module      : sai" in result.output
+            assert "Status      : pass" in result.output
+            assert "Namespace (asic1)" in result.output
diff --git a/dockers/docker-macsec/cli/show/plugins/show_macsec.py b/dockers/docker-macsec/cli/show/plugins/show_macsec.py
@@ -9,7 +9,7 @@
 from tabulate import tabulate
 
 import utilities_common.multi_asic as multi_asic_util
-from swsscommon.swsscommon import CounterTable, MacsecCounter
+from swsscommon.swsscommon import CounterTable, MacsecCounter, SonicV2Connector
 from utilities_common.cli import UserCache
 
 CACHE_MANAGER = UserCache(app_name="macsec")
@@ -266,8 +266,16 @@ def cache_find(cache: dict, target: MACsecAppMeta) -> MACsecAppMeta:
 @click.argument('interface_name', required=False)
 @click.option('--profile', is_flag=True, required=False, default=False, help="show all macsec profiles")
 @click.option('--dump-file', is_flag=True, required=False, default=False, help="store show output to a file")
+@click.option('--post-status', is_flag=True, required=False, default=False, help="show macsec FIPS POST(Pre-Operational Self-Test) status")
 @multi_asic_util.multi_asic_click_options
-def macsec(interface_name, dump_file, namespace, display, profile):
+def macsec(interface_name, dump_file, namespace, display, profile, post_status):
+    if post_status:
+        if interface_name is not None or profile or dump_file:
+            click.echo('POST status is not valid with other options/arguments')
+            return
+        MacsecContext(namespace, display).show_post_status()
+        return
+
     if interface_name is not None and profile:
         click.echo('Interface name is not valid with profile option')
         return
@@ -329,6 +337,68 @@ def show(self, interface_name, dump_file, profile):
                 pickle.dump(dump_obj, dump_file)
                 dump_file.flush()
 
+    @multi_asic_util.run_on_multi_asic
+    def show_post_status(self):
+        """Show POST (Pre-Operational Self-Test) status"""
+        # Define the table name
+        table_name = "FIPS_MACSEC_POST_TABLE"
+
+        def format_module_status(module, namespace):
+            # Get all fields from the table
+            post_data = state_db.get_all("STATE_DB", table_name+"|"+module)
+
+            # Format according to SONiC CLI guidelines
+            output = []
+            indent = "  " if namespace else ""
+            output.append(f"{indent}{'Module'.ljust(11)} : {module}")
+
+            for field in post_data:
+                value = post_data[field]
+                # Format field name for consistent alignment (capitalize and pad to 11 chars)
+                display_name = field.capitalize().ljust(11)
+                output.append(f"{indent}{display_name} : {value}")
+
+            return "\n".join(output)
+
+        namespace = self.multi_asic.current_namespace
+        # Connect to STATE_DB
+        state_db = SonicV2Connector(use_unix_socket_path=True, namespace=namespace)
+        state_db.connect(state_db.STATE_DB)
+
+        # Get all keys in the FIPS_MACSEC_POST_TABLE
+        all_keys = state_db.keys(state_db.STATE_DB, table_name + "|*")
+        if not len(all_keys):
+            click.echo("")  # Add blank line for separation
+            if namespace:
+                click.echo(f"Namespace ({namespace})")
+                click.echo("  No entries found")
+            else:
+                click.echo("No entries found")
+            return
+
+        # Extract module names from the keys and sort them
+        modules = []
+        for key in all_keys:
+            # Key format is "FIPS_MACSEC_POST_TABLE|module_name"
+            if "|" in key:
+                module = key.split("|", 1)[1]
+                modules.append(module)
+
+        # Sort modules for consistent output
+        modules.sort()
+
+        display_output = [""]
+        if namespace:
+            display_output.append(f"Namespace ({namespace})")
+        for i, module in enumerate(modules):
+            if i > 0:
+                display_output.append("")  # Add separator between modules
+            module_output = format_module_status(module, namespace)
+            display_output.append(module_output)
+
+        if display_output:
+            click.echo("\n".join(display_output))
+
 def register(cli):
     cli.add_command(macsec)
 
