Merge branch 'master' into alias

sonic-net · Jul 8, 2024 · 0362274 · 0362274
2 parents 6920f80 + fb2e5cd
commit 0362274
Show file tree

Hide file tree

Showing 230 changed files with 1,605,780 additions and 3,568 deletions.
diff --git a/.azure-pipelines/pre-commit-check.yml b/.azure-pipelines/pre-commit-check.yml
@@ -0,0 +1,35 @@
+steps:
+- checkout: self
+  clean: true
+  displayName: 'checkout sonic-utilities repo'
+
+- script: |
+    set -x
+    sudo pip install pre-commit
+    pre-commit install-hooks
+  displayName: 'Prepare pre-commit check'
+
+- script: |
+    # Run pre-commit check and capture the output
+    out=`pre-commit run --color never --from-ref HEAD^ --to-ref HEAD 2>&1`
+    RC=$?
+    if [[ $RC -ne 0 ]]; then
+      echo -e "The [pre-commit](http://pre-commit.com/) check detected issues in the files touched by this pull request.\n\
+    The pre-commit check is a mandatory check, please fix detected issues.\n\
+    \n\
+    To run the pre-commit checks locally, you can follow below steps:\n\
+      1. Ensure that default python is python3.\n\
+      2. Ensure that the 'pre-commit' package is installed:\n\
+         sudo pip install pre-commit\n\
+      3. Go to repository root folder\n\
+      4. Install the pre-commit hooks:\n\
+         pre-commit install\n\
+      5. Use pre-commit to check staged file:\n\
+         pre-commit\n\
+      6. Alternatively, you can check committed files using:\n\
+         pre-commit run --from-ref <commit_id> --to-ref <commit_id>\n"
+    fi
+    echo "Pre-commit check results:"
+    echo "$out"
+    exit $RC
+  displayName: 'Run pre-commit check'
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -18,4 +18,4 @@ jobs:
       - uses: actions/checkout@v3
       - run: semgrep ci
         env:
-           SEMGREP_RULES: p/default
+           SEMGREP_RULES: "p/default r/python.lang.security.audit.dangerous-system-call-audit.dangerous-system-call-audit"
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,9 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+-   repo: https://github.com/PyCQA/flake8
+    rev: 4.0.1
+    hooks:
+    -   id: flake8
+        entry: bash -c 'git diff HEAD^ HEAD -U0 -- "$@" | flake8 --diff "$@"' --
+        args: ["--max-line-length=120"]
diff --git a/acl_loader/main.py b/acl_loader/main.py
@@ -413,17 +413,17 @@ def parse_acl_json(filename):
                 raise AclLoaderException("Invalid input file %s" % filename)
         return yang_acl
 
-    def load_rules_from_file(self, filename):
+    def load_rules_from_file(self, filename, skip_action_validation=False):
         """
         Load file with ACL rules configuration in openconfig ACL format. Convert rules
         to Config DB schema.
         :param filename: File in openconfig ACL format
         :return:
         """
         self.yang_acl = AclLoader.parse_acl_json(filename)
-        self.convert_rules()
+        self.convert_rules(skip_action_validation)
 
-    def convert_action(self, table_name, rule_idx, rule):
+    def convert_action(self, table_name, rule_idx, rule, skip_validation=False):
         rule_props = {}
 
         if rule.actions.config.forwarding_action == "ACCEPT":
@@ -452,13 +452,13 @@ def convert_action(self, table_name, rule_idx, rule):
             raise AclLoaderException("Unknown rule action {} in table {}, rule {}".format(
                 rule.actions.config.forwarding_action, table_name, rule_idx))
 
-        if not self.validate_actions(table_name, rule_props):
+        if not self.validate_actions(table_name, rule_props, skip_validation):
             raise AclLoaderException("Rule action {} is not supported in table {}, rule {}".format(
                 rule.actions.config.forwarding_action, table_name, rule_idx))
 
         return rule_props
 
-    def validate_actions(self, table_name, action_props):
+    def validate_actions(self, table_name, action_props, skip_validation=False):
         if self.is_table_control_plane(table_name):
             return True
 
@@ -481,6 +481,11 @@ def validate_actions(self, table_name, action_props):
         else:
             aclcapability = self.statedb.get_all(self.statedb.STATE_DB, "{}|{}".format(self.ACL_STAGE_CAPABILITY_TABLE, stage.upper()))
             switchcapability = self.statedb.get_all(self.statedb.STATE_DB, "{}|switch".format(self.SWITCH_CAPABILITY_TABLE))
+        # In the load_minigraph path, it's possible that the STATE_DB entry haven't pop up because orchagent is stopped
+        # before loading acl.json. So we skip the validation if any table is empty
+        if skip_validation and (not aclcapability or not switchcapability):
+            warning("Skipped action validation as capability table is not present in STATE_DB")
+            return True
         for action_key in dict(action_props):
             action_list_key = self.ACL_ACTIONS_CAPABILITY_FIELD
             if action_list_key not in aclcapability:
@@ -699,7 +704,7 @@ def validate_rule_fields(self, rule_props):
             if ("ICMPV6_TYPE" in rule_props or "ICMPV6_CODE" in rule_props) and protocol != 58:
                 raise AclLoaderException("IP_PROTOCOL={} is not ICMPV6, but ICMPV6 fields were provided".format(protocol))
 
-    def convert_rule_to_db_schema(self, table_name, rule):
+    def convert_rule_to_db_schema(self, table_name, rule, skip_action_validation=False):
         """
         Convert rules format from openconfig ACL to Config DB schema
         :param table_name: ACL table name to which rule belong
@@ -729,7 +734,7 @@ def convert_rule_to_db_schema(self, table_name, rule):
         elif self.is_table_l3(table_name):
             rule_props["ETHER_TYPE"] = str(self.ethertype_map["ETHERTYPE_IPV4"])
 
-        deep_update(rule_props, self.convert_action(table_name, rule_idx, rule))
+        deep_update(rule_props, self.convert_action(table_name, rule_idx, rule, skip_action_validation))
         deep_update(rule_props, self.convert_l2(table_name, rule_idx, rule))
         deep_update(rule_props, self.convert_ip(table_name, rule_idx, rule))
         deep_update(rule_props, self.convert_icmp(table_name, rule_idx, rule))
@@ -761,7 +766,7 @@ def deny_rule(self, table_name):
             return {}  # Don't add default deny rule if table is not [L3, L3V6]
         return rule_data
 
-    def convert_rules(self):
+    def convert_rules(self, skip_aciton_validation=False):
         """
         Convert rules in openconfig ACL format to Config DB schema
         :return:
@@ -780,7 +785,7 @@ def convert_rules(self):
             for acl_entry_name in acl_set.acl_entries.acl_entry:
                 acl_entry = acl_set.acl_entries.acl_entry[acl_entry_name]
                 try:
-                    rule = self.convert_rule_to_db_schema(table_name, acl_entry)
+                    rule = self.convert_rule_to_db_schema(table_name, acl_entry, skip_aciton_validation)
                     deep_update(self.rules_info, rule)
                 except AclLoaderException as ex:
                     error("Error processing rule %s: %s. Skipped." % (acl_entry_name, ex))
@@ -1149,8 +1154,9 @@ def update(ctx):
 @click.option('--session_name', type=click.STRING, required=False)
 @click.option('--mirror_stage', type=click.Choice(["ingress", "egress"]), default="ingress")
 @click.option('--max_priority', type=click.INT, required=False)
+@click.option('--skip_action_validation', is_flag=True, default=False, help="Skip action validation")
 @click.pass_context
-def full(ctx, filename, table_name, session_name, mirror_stage, max_priority):
+def full(ctx, filename, table_name, session_name, mirror_stage, max_priority, skip_action_validation):
     """
     Full update of ACL rules configuration.
     If a table_name is provided, the operation will be restricted in the specified table.
@@ -1168,7 +1174,7 @@ def full(ctx, filename, table_name, session_name, mirror_stage, max_priority):
     if max_priority:
         acl_loader.set_max_priority(max_priority)
 
-    acl_loader.load_rules_from_file(filename)
+    acl_loader.load_rules_from_file(filename, skip_action_validation)
     acl_loader.full_update()
 
 

diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -21,6 +21,16 @@ variables:
       value: $(Build.SourceBranchName)
 
 stages:
+- stage: Pretest
+  jobs:
+  - job: static_analysis
+    displayName: "Static Analysis"
+    timeoutInMinutes: 10
+    continueOnError: true
+    pool: sonic-ubuntu-1c
+    steps:
+    - template: .azure-pipelines/pre-commit-check.yml
+
 - stage: Build
 
   jobs:
@@ -36,6 +46,13 @@ stages:
       image: sonicdev-microsoft.azurecr.io:443/sonic-slave-bullseye:$(BUILD_BRANCH)
 
     steps:
+    - script: |
+        set -ex
+        sudo apt-get update
+        sudo apt-get install -y python3-pip
+        sudo pip3 install requests==2.31.0
+      displayName: "Install dependencies"
+
     - script: |
         sourceBranch=$(Build.SourceBranchName)
         if [[ "$(Build.Reason)" == "PullRequest" ]];then

diff --git a/clear/main.py b/clear/main.py
@@ -5,14 +5,14 @@
 import click
 import utilities_common.cli as clicommon
 import utilities_common.multi_asic as multi_asic_util
+from sonic_py_common import multi_asic
 from sonic_py_common.general import getstatusoutput_noshell_pipe
 from flow_counter_util.route import exit_if_route_flow_counter_not_support
 from utilities_common import util_base
 from show.plugins.pbh import read_pbh_counters
 from config.plugins.pbh import serialize_pbh_counters
 from . import plugins
 
-
 # This is from the aliases example:
 # https://github.com/pallets/click/blob/57c6f09611fc47ca80db0bd010f05998b3c0aa95/examples/aliases/aliases.py
 class Config(object):
@@ -550,6 +550,28 @@ def route(prefix, vrf, namespace):
 helper = util_base.UtilHelper()
 helper.load_and_register_plugins(plugins, cli)
 
+# ("sonic-clear asic-sdk-health-event")
+@cli.command()
+@click.option('--namespace', '-n', 'namespace', required=False, default=None, show_default=False,
+              help='Option needed for multi-asic only: provide namespace name',
+              type=click.Choice(multi_asic_util.multi_asic_ns_choices()))
+@clicommon.pass_db
+def asic_sdk_health_event(db, namespace):
+    """Clear received ASIC/SDK health events"""
+    if multi_asic.get_num_asics() > 1:
+        namespace_list = multi_asic.get_namespaces_from_linux()
+    else:
+        namespace_list = [multi_asic.DEFAULT_NAMESPACE]
+
+    for ns in namespace_list:
+        if namespace and namespace != ns:
+            continue
+
+        state_db = db.db_clients[ns]
+        keys = state_db.keys(db.db.STATE_DB, "ASIC_SDK_HEALTH_EVENT_TABLE*")
+        for key in keys:
+            state_db.delete(state_db.STATE_DB, key);
+
 
 if __name__ == '__main__':
     cli()
diff --git a/config/aaa.py b/config/aaa.py
@@ -114,9 +114,9 @@ def trace(option):
 
 
 @click.command()
-@click.argument('auth_protocol', nargs=-1, type=click.Choice(["radius", "tacacs+", "local", "default"]))
+@click.argument('auth_protocol', nargs=-1, type=click.Choice(["ldap", "radius", "tacacs+", "local", "default"]))
 def login(auth_protocol):
-    """Switch login authentication [ {radius, tacacs+, local} | default ]"""
+    """Switch login authentication [ {ldap, radius, tacacs+, local} | default ]"""
     if len(auth_protocol) is 0:
         click.echo('Argument "auth_protocol" is required')
         return
@@ -135,9 +135,9 @@ def login(auth_protocol):
             val2 = auth_protocol[1]
             good_ap = False
             if val == 'local':
-                if val2 == 'radius' or val2 == 'tacacs+':
+                if val2 == 'radius' or val2 == 'tacacs+' or val2 == 'ldap':
                     good_ap = True
-            elif val == 'radius' or val == 'tacacs+':
+            elif val == 'radius' or val == 'tacacs+' or val == 'ldap':
                 if val2 == 'local':
                     good_ap = True
             if good_ap == True: