2 # SPDX-License-Identifier: ISC
6 # Part of NetDEF Topology Tests
8 # Copyright (c) 2020 by Volta Networks
12 test_bgp_auth.py: Test BGP Md5 Authentication
16 | +------| R1 |------+ |
22 | R2 |------------| R3 |
The setup is 3 routers with 3 links between each pair, each link in a different VRF:
default, blue and red respectively.
The tests change and remove passwords in various ways, checking that peer
establishment is as expected and that passwords are not leaked across sockets
(i.e. a password set for a peer in one VRF must not end up applied to a socket that belongs to another session).
33 # pylint: disable=C0413
39 from time
import sleep
41 from lib
import common_config
, topotest
42 from lib
.common_config
import (
43 save_initial_config_on_routers
,
44 reset_with_new_configs
,
46 from lib
.topogen
import Topogen
, TopoRouter
, get_topogen
# Directory that holds this test module; realpath() resolves symlinks before
# the directory part is taken.
CWD = os.path.dirname(os.path.realpath(__file__))
55 vrf_str
= "vrf {}".format(vrf
)
60 def peer_name(rtr
, prefix
, vrf
):
61 "generate VRF string for CLI"
69 return "TWO_GROUP" + vrf_str
71 return "THREE_GROUP" + vrf_str
80 "print failure disagnostics"
83 router_list
= tgen
.routers()
84 for rname
, router
in router_list
.items():
86 print(router
.vtysh_cmd("show run"))
87 print(router
.vtysh_cmd("show ip route {}".format(vrf_str(vrf
))))
88 print(router
.vtysh_cmd("show bgp {} neighbor".format(vrf_str(vrf
))))
@common_config.retry(retry_timeout=190)
def _check_neigh_state(router, peer, state, vrf=""):
    """Compare the BGP state of `peer` as seen by `router` with `state`.

    Runs "show bgp ... neighbors PEER json" through the router's vtysh, with
    vrf_str(vrf) supplying the VRF part of the command, and reads the
    "bgpState" field reported for the peer.

    Returns True when the reported state equals `state`. Otherwise returns a
    message string naming the router, the peer, the expected state and the
    observed one; the observed state is "Unknown" when the peer does not
    appear in the JSON output at all.

    The function is wrapped in common_config.retry(retry_timeout=190);
    presumably the decorator re-runs it until it returns True or the timeout
    expires -- confirm against lib.common_config.
    """
    command = "show bgp {} neighbors {} json".format(vrf_str(vrf), peer)
    raw_output = router.vtysh_cmd(command)

    peer_state = "Unknown"
    neighbors = json.loads(raw_output)
    if peer in neighbors:
        peer_state = neighbors[peer]["bgpState"]
        if peer_state == state:
            # NOTE(review): the listing this was recovered from omits the body
            # of this branch; True is what check_neigh_state asserts on.
            return True

    # Any non-True result is the failure text the caller reports.
    return "{} peer with {} expected state {} got {} ".format(
        router.name, peer, state, peer_state
    )
def check_neigh_state(router, peer, state, vrf=""):
    """Assert that `peer` is in BGP state `state` on `router`.

    Delegates to _check_neigh_state and fails with the message it returns
    whenever the result is anything other than True. The password tests in
    this file use it to confirm that a session is "Established" while both
    ends agree on the password, and that it sits in "Connect" after one end's
    password has been removed or changed.
    """
    outcome = _check_neigh_state(router, peer, state, vrf)
    # `is True` on purpose: a failure comes back as a non-empty string, which
    # would be truthy in a plain boolean test.
    assert outcome is True, outcome
def check_all_peers_established(vrf=""):
    """Assert that all six BGP sessions between R1, R2 and R3 are Established.

    `vrf` selects the VRF whose sessions are checked; it is passed through to
    check_neigh_state unchanged.
    """
    # NOTE(review): the listing this was recovered from omits the line that
    # binds tgen; get_topogen() is the accessor imported from lib.topogen --
    # confirm against the full file.
    tgen = get_topogen()
    r1, r2, r3 = (tgen.gears[name] for name in ("R1", "R2", "R3"))

    # R1 is checked last because it may be the router with the dynamic peers.
    sessions = (
        (r2, "1.1.1.1"),
        (r2, "3.3.3.3"),
        (r3, "1.1.1.1"),
        (r3, "2.2.2.2"),
        (r1, "2.2.2.2"),
        (r1, "3.3.3.3"),
    )
    for router, peer in sessions:
        check_neigh_state(router, peer, "Established", vrf)
133 def check_vrf_peer_remove_passwords(vrf
="", prefix
="no"):
134 "selectively remove passwords checking state"
137 r1
= tgen
.gears
["R1"]
138 r2
= tgen
.gears
["R2"]
139 r3
= tgen
.gears
["R3"]
141 check_all_peers_established(vrf
)
144 "conf t\nrouter bgp 65001 {}\nno neighbor {} password".format(
145 vrf_str(vrf
), peer_name("R2", prefix
, vrf
)
149 check_neigh_state(r2
, "1.1.1.1", "Connect", vrf
)
150 check_neigh_state(r2
, "3.3.3.3", "Established", vrf
)
151 check_neigh_state(r3
, "1.1.1.1", "Established", vrf
)
152 check_neigh_state(r3
, "2.2.2.2", "Established", vrf
)
153 # don't check dynamic downed peers - they are removed
155 check_neigh_state(r1
, "2.2.2.2", "Connect", vrf
)
156 check_neigh_state(r1
, "3.3.3.3", "Established", vrf
)
159 "conf t\nrouter bgp 65002 {}\nno neighbor 1.1.1.1 password".format(vrf_str(vrf
))
161 check_all_peers_established(vrf
)
164 "conf t\nrouter bgp 65001 {}\nno neighbor {} password".format(
165 vrf_str(vrf
), peer_name("R3", prefix
, vrf
)
168 check_neigh_state(r2
, "1.1.1.1", "Established", vrf
)
169 check_neigh_state(r2
, "3.3.3.3", "Established", vrf
)
170 check_neigh_state(r3
, "1.1.1.1", "Connect", vrf
)
171 check_neigh_state(r3
, "2.2.2.2", "Established", vrf
)
172 check_neigh_state(r1
, "2.2.2.2", "Established", vrf
)
173 # don't check dynamic downed peers - they are removed
175 check_neigh_state(r1
, "3.3.3.3", "Connect", vrf
)
178 "conf t\nrouter bgp 65003 {}\nno neighbor 1.1.1.1 password".format(vrf_str(vrf
))
180 check_all_peers_established(vrf
)
183 "conf t\nrouter bgp 65002 {}\nno neighbor 3.3.3.3 password".format(vrf_str(vrf
))
185 check_neigh_state(r2
, "1.1.1.1", "Established", vrf
)
186 check_neigh_state(r2
, "3.3.3.3", "Connect", vrf
)
187 check_neigh_state(r3
, "1.1.1.1", "Established", vrf
)
188 check_neigh_state(r3
, "2.2.2.2", "Connect", vrf
)
189 check_neigh_state(r1
, "2.2.2.2", "Established", vrf
)
190 check_neigh_state(r1
, "3.3.3.3", "Established", vrf
)
193 "conf t\nrouter bgp 65003 {}\nno neighbor 2.2.2.2 password".format(vrf_str(vrf
))
195 check_all_peers_established(vrf
)
198 def check_vrf_peer_change_passwords(vrf
="", prefix
="no"):
199 "selectively change passwords checking state"
202 r1
= tgen
.gears
["R1"]
203 r2
= tgen
.gears
["R2"]
204 r3
= tgen
.gears
["R3"]
205 check_all_peers_established(vrf
)
208 "conf t\nrouter bgp 65001 {}\nneighbor {} password change1".format(
209 vrf_str(vrf
), peer_name("R2", prefix
, vrf
)
212 check_neigh_state(r2
, "1.1.1.1", "Connect", vrf
)
213 check_neigh_state(r2
, "3.3.3.3", "Established", vrf
)
214 check_neigh_state(r3
, "1.1.1.1", "Established", vrf
)
215 check_neigh_state(r3
, "2.2.2.2", "Established", vrf
)
216 # don't check dynamic downed peers - they are removed
218 check_neigh_state(r1
, "2.2.2.2", "Connect", vrf
)
219 check_neigh_state(r1
, "3.3.3.3", "Established", vrf
)
222 "conf t\nrouter bgp 65002 {}\nneighbor 1.1.1.1 password change1".format(
226 check_all_peers_established(vrf
)
229 "conf t\nrouter bgp 65001 {}\nneighbor {} password change2".format(
230 vrf_str(vrf
), peer_name("R3", prefix
, vrf
)
233 check_neigh_state(r2
, "1.1.1.1", "Established", vrf
)
234 check_neigh_state(r2
, "3.3.3.3", "Established", vrf
)
235 check_neigh_state(r3
, "1.1.1.1", "Connect", vrf
)
236 check_neigh_state(r3
, "2.2.2.2", "Established", vrf
)
237 check_neigh_state(r1
, "2.2.2.2", "Established", vrf
)
238 # don't check dynamic downed peers - they are removed
240 check_neigh_state(r1
, "3.3.3.3", "Connect", vrf
)
243 "conf t\nrouter bgp 65003 {}\nneighbor 1.1.1.1 password change2".format(
247 check_all_peers_established(vrf
)
250 "conf t\nrouter bgp 65002 {}\nneighbor 3.3.3.3 password change3".format(
254 check_neigh_state(r2
, "1.1.1.1", "Established", vrf
)
255 check_neigh_state(r2
, "3.3.3.3", "Connect", vrf
)
256 check_neigh_state(r3
, "1.1.1.1", "Established", vrf
)
257 check_neigh_state(r3
, "2.2.2.2", "Connect", vrf
)
258 check_neigh_state(r1
, "2.2.2.2", "Established", vrf
)
259 check_neigh_state(r1
, "3.3.3.3", "Established", vrf
)
262 "conf t\nrouter bgp 65003 {}\nneighbor 2.2.2.2 password change3".format(
266 check_all_peers_established(vrf
)