Merge branch 'master' into master

.github/codeql/codeql-config.yml

@@ -0,0 +1,4 @@
+name: "CodeQL config"
+queries:
+  - uses: security-and-quality
+  - uses: security-extended

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,43 @@
+# For more infomation, please visit: https://github.com/github/codeql-action
+
+name: "CodeQL"
+
+on:
+  push:
+    branches:
+      - 'master'
+      - '202[0-9][0-9][0-9]'
+  pull_request_target:
+    branches:
+      - 'master'
+      - '202[0-9][0-9][0-9]'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'python' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        config-file: ./.github/codeql/codeql-config.yml
+        languages: ${{ matrix.language }}
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"

acl_loader/main.py

@@ -842,8 +842,10 @@ def show_session(self, session_name):
                                          val.get("monitor_port", ""), val.get("src_port", ""), val.get("direction", "").lower()])
 
         print("ERSPAN Sessions")
+        erspan_data = natsorted(erspan_data)
         print(tabulate.tabulate(erspan_data, headers=erspan_header, tablefmt="simple", missingval=""))
         print("\nSPAN Sessions")
+        span_data = natsorted(span_data)
         print(tabulate.tabulate(span_data, headers=span_header, tablefmt="simple", missingval=""))
 
     def show_policer(self, policer_name):

azure-pipelines.yml

@@ -26,7 +26,7 @@ stages:
       vmImage: ubuntu-20.04
 
     container:
-      image: sonicdev-microsoft.azurecr.io:443/sonic-slave-buster:latest
+      image: sonicdev-microsoft.azurecr.io:443/sonic-slave-bullseye:latest
 
     steps:
     - script: |
@@ -58,15 +58,15 @@ stages:
         sudo dpkg -i libyang_1.0.73_amd64.deb
         sudo dpkg -i libyang-cpp_1.0.73_amd64.deb
         sudo dpkg -i python3-yang_1.0.73_amd64.deb
-      workingDirectory: $(Pipeline.Workspace)/target/debs/buster/
+      workingDirectory: $(Pipeline.Workspace)/target/debs/bullseye/
       displayName: 'Install Debian dependencies'
 
     - task: DownloadPipelineArtifact@2
       inputs:
         source: specific
         project: build
         pipeline: 9
-        artifact: sonic-swss-common
+        artifact: sonic-swss-common.bullseye.amd64
         runVersion: 'latestFromBranch'
         runBranch: 'refs/heads/master'
       displayName: "Download sonic swss common deb packages"
@@ -86,14 +86,14 @@ stages:
         sudo pip3 install sonic_yang_models-1.0-py3-none-any.whl
         sudo pip3 install sonic_config_engine-1.0-py3-none-any.whl
         sudo pip3 install sonic_platform_common-1.0-py3-none-any.whl
-      workingDirectory: $(Pipeline.Workspace)/target/python-wheels/buster/
+      workingDirectory: $(Pipeline.Workspace)/target/python-wheels/bullseye/
       displayName: 'Install Python dependencies'
 
     - script: |
         set -ex
         # Install .NET CORE
         curl -sSL https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
-        sudo apt-add-repository https://packages.microsoft.com/debian/10/prod
+        sudo apt-add-repository https://packages.microsoft.com/debian/11/prod
         sudo apt-get update
         sudo apt-get install -y dotnet-sdk-5.0
       displayName: "Install .NET CORE"

config/aaa.py

@@ -2,8 +2,12 @@
 import ipaddress
 import re
 from swsscommon.swsscommon import ConfigDBConnector
+from .validated_config_db_connector import ValidatedConfigDBConnector
+from jsonpatch import JsonPatchConflict
+from jsonpointer import JsonPointerException
 import utilities_common.cli as clicommon
 
+ADHOC_VALIDATION = True
 RADIUS_MAXSERVERS = 8
 RADIUS_PASSKEY_MAX_LEN = 65
 VALID_CHARS_MSG = "Valid chars are ASCII printable except SPACE, '#', and ','"
@@ -13,19 +17,27 @@ def is_secret(secret):
 
 
 def add_table_kv(table, entry, key, val):
-    config_db = ConfigDBConnector()
+    config_db = ValidatedConfigDBConnector(ConfigDBConnector())
     config_db.connect()
-    config_db.mod_entry(table, entry, {key:val})
+    try:
+        config_db.mod_entry(table, entry, {key:val})
+    except ValueError as e:
+        ctx = click.get_current_context()
+        ctx.fail("Invalid ConfigDB. Error: {}".format(e))
 
 
 def del_table_key(table, entry, key):
-    config_db = ConfigDBConnector()
+    config_db = ValidatedConfigDBConnector(ConfigDBConnector())
     config_db.connect()
     data = config_db.get_entry(table, entry)
     if data:
         if key in data:
             del data[key]
-        config_db.set_entry(table, entry, data)
+        try:
+            config_db.set_entry(table, entry, data)
+        except (ValueError, JsonPatchConflict) as e:
+            ctx = click.get_current_context()
+            ctx.fail("Invalid ConfigDB. Error: {}".format(e))
 
 @click.group()
 def aaa():
@@ -246,11 +258,12 @@ def passkey(ctx, secret):
 @click.option('-m', '--use-mgmt-vrf', help="Management vrf, default is no vrf", is_flag=True)
 def add(address, timeout, key, auth_type, port, pri, use_mgmt_vrf):
     """Specify a TACACS+ server"""
-    if not clicommon.is_ipaddress(address):
-        click.echo('Invalid ip address')
-        return
+    if ADHOC_VALIDATION:
+        if not clicommon.is_ipaddress(address):
+            click.echo('Invalid ip address') # TODO: MISSING CONSTRAINT IN YANG MODEL
+            return
 
-    config_db = ConfigDBConnector()
+    config_db = ValidatedConfigDBConnector(ConfigDBConnector())
     config_db.connect()
     old_data = config_db.get_entry('TACPLUS_SERVER', address)
     if old_data != {}:
@@ -268,7 +281,11 @@ def add(address, timeout, key, auth_type, port, pri, use_mgmt_vrf):
             data['passkey'] = key
         if use_mgmt_vrf :
             data['vrf'] = "mgmt"
-        config_db.set_entry('TACPLUS_SERVER', address, data)
+        try:
+            config_db.set_entry('TACPLUS_SERVER', address, data)
+        except ValueError as e:
+            ctx = click.get_current_context()
+            ctx.fail("Invalid ip address. Error: {}".format(e))
 tacacs.add_command(add)
 
 
@@ -278,13 +295,18 @@ def add(address, timeout, key, auth_type, port, pri, use_mgmt_vrf):
 @click.argument('address', metavar='<ip_address>')
 def delete(address):
     """Delete a TACACS+ server"""
-    if not clicommon.is_ipaddress(address):
-        click.echo('Invalid ip address')
-        return
+    if ADHOC_VALIDATION:
+        if not clicommon.is_ipaddress(address):
+            click.echo('Invalid ip address')
+            return
 
-    config_db = ConfigDBConnector()
+    config_db = ValidatedConfigDBConnector(ConfigDBConnector())
     config_db.connect()
-    config_db.set_entry('TACPLUS_SERVER', address, None)
+    try:
+        config_db.set_entry('TACPLUS_SERVER', address, None)
+    except JsonPatchConflict as e:
+        ctx = click.get_current_context()
+        ctx.fail("Invalid ip address. Error: {}".format(e))
 tacacs.add_command(delete)
 
 
@@ -477,15 +499,16 @@ def statistics(option):
 def add(address, retransmit, timeout, key, auth_type, auth_port, pri, use_mgmt_vrf, source_interface):
     """Specify a RADIUS server"""
 
-    if key:
-        if len(key) > RADIUS_PASSKEY_MAX_LEN:
-            click.echo('--key: Maximum of %d chars can be configured' % RADIUS_PASSKEY_MAX_LEN)
-            return
-        elif not is_secret(key):
-            click.echo('--key: ' + VALID_CHARS_MSG)
-            return
+    if ADHOC_VALIDATION:
+        if key:
+            if len(key) > RADIUS_PASSKEY_MAX_LEN:
+                click.echo('--key: Maximum of %d chars can be configured' % RADIUS_PASSKEY_MAX_LEN)
+                return
+            elif not is_secret(key):
+                click.echo('--key: ' + VALID_CHARS_MSG)
+                return
 
-    config_db = ConfigDBConnector()
+    config_db = ValidatedConfigDBConnector(ConfigDBConnector())
     config_db.connect()
     old_data = config_db.get_table('RADIUS_SERVER')
     if address in old_data :
@@ -508,16 +531,24 @@ def add(address, retransmit, timeout, key, auth_type, auth_port, pri, use_mgmt_v
             data['passkey'] = key
         if use_mgmt_vrf :
             data['vrf'] = "mgmt"
-        if source_interface :
-            if (source_interface.startswith("Ethernet") or \
-                source_interface.startswith("PortChannel") or \
-                source_interface.startswith("Vlan") or \
-                source_interface.startswith("Loopback") or \
-                source_interface == "eth0"):
+        if ADHOC_VALIDATION:
+            if source_interface :
+                if (source_interface.startswith("Ethernet") or \
+                    source_interface.startswith("PortChannel") or \
+                    source_interface.startswith("Vlan") or \
+                    source_interface.startswith("Loopback") or \
+                    source_interface == "eth0"):
+                    data['src_intf'] = source_interface
+                else:
+                    click.echo('Not supported interface name (valid interface name: Etherent<id>/PortChannel<id>/Vlan<id>/Loopback<id>/eth0)')
+        else:
+            if source_interface:
                 data['src_intf'] = source_interface
-            else:
-                click.echo('Not supported interface name (valid interface name: Etherent<id>/PortChannel<id>/Vlan<id>/Loopback<id>/eth0)')
-        config_db.set_entry('RADIUS_SERVER', address, data)
+        try:
+            config_db.set_entry('RADIUS_SERVER', address, data)
+        except ValueError as e:
+            ctx = click.get_current_context()
+            ctx.fail("Invalid ConfigDB. Error: {}".format(e))
 radius.add_command(add)
 
 
@@ -528,7 +559,11 @@ def add(address, retransmit, timeout, key, auth_type, auth_port, pri, use_mgmt_v
 def delete(address):
     """Delete a RADIUS server"""
 
-    config_db = ConfigDBConnector()
+    config_db = ValidatedConfigDBConnector(ConfigDBConnector())
     config_db.connect()
-    config_db.set_entry('RADIUS_SERVER', address, None)
+    try:
+        config_db.set_entry('RADIUS_SERVER', address, None)
+    except (JsonPointerException, JsonPatchConflict) as e:
+        ctx = click.get_current_context()
+        ctx.fail("Invalid ConfigDB. Error: {}".format(e))
 radius.add_command(delete)

config/feature.py

@@ -3,6 +3,7 @@
 import click
 from swsscommon import swsscommon
 from utilities_common.cli import AbbreviationGroup, pass_db
+from .validated_config_db_connector import ValidatedConfigDBConnector
 
 SELECT_TIMEOUT = 1000  # ms
 
@@ -24,7 +25,12 @@ def set_feature_state(cfgdb_clients, name, state, block):
         raise Exception("Feature '{}' state is always enabled and can not be modified".format(name))
 
     for ns, cfgdb in cfgdb_clients.items():
-        cfgdb.mod_entry('FEATURE', name, {'state': state})
+        try:
+            config_db = ValidatedConfigDBConnector(cfgdb)
+            config_db.mod_entry('FEATURE', name, {'state': state})
+        except ValueError as e:
+            ctx = click.get_current_context()
+            ctx.fail("Invalid ConfigDB. Error: {}".format(e))
 
     if block:
         db = swsscommon.DBConnector('STATE_DB', 0)
@@ -66,7 +72,12 @@ def _update_field(db, name, fld, val):
     if name not in tbl:
         click.echo("Unable to retrieve {} from FEATURE table".format(name))
         sys.exit(1)
-    db.cfgdb.mod_entry('FEATURE', name, { fld: val })
+    try:
+        config_db = ValidatedConfigDBConnector(db.cfgdb)
+        config_db.mod_entry('FEATURE', name, { fld: val })
+    except ValueError as e:
+        ctx = click.get_current_context()
+        ctx.fail("Invalid ConfigDB. Error: {}".format(e))
 
 
 #
@@ -137,5 +148,10 @@ def feature_autorestart(db, name, autorestart):
         return
 
     for ns, cfgdb in db.cfgdb_clients.items():
-        cfgdb.mod_entry('FEATURE', name, {'auto_restart': autorestart})
+        try:
+            config_db = ValidatedConfigDBConnector(cfgdb)
+            config_db.mod_entry('FEATURE', name, {'auto_restart': autorestart})
+        except ValueError as e:
+            ctx = click.get_current_context()
+            ctx.fail("Invalid ConfigDB. Error: {}".format(e))
 

config/kube.py

@@ -25,7 +25,7 @@ def _update_kube_server(db, field, val):
     def_data = {
         KUBE_SERVER_IP: "",
         KUBE_SERVER_PORT: "6443",
-        KUBE_SERVER_INSECURE: "False",
+        KUBE_SERVER_INSECURE: "True",
         KUBE_SERVER_DISABLE: "False"
     }
     for f in def_data: