From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 284821FF14C for ; Fri, 26 Jun 2026 12:54:14 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 1BC19CCFF; Fri, 26 Jun 2026 12:54:12 +0200 (CEST) From: David Riley To: pve-devel@lists.proxmox.com Subject: [PATCH pve-access-control v4 4/5] fix #7520: test: add unit tests for sdn acl migration logic Date: Fri, 26 Jun 2026 12:52:57 +0200 Message-ID: <20260626105258.56914-5-d.riley@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260626105258.56914-1-d.riley@proxmox.com> References: <20260626105258.56914-1-d.riley@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1782471200749 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.142 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: FPQDNBF3NA6OPQT6J6ILDETLR6OVB7P2 X-Message-ID-Hash: FPQDNBF3NA6OPQT6J6ILDETLR6OVB7P2 X-MailFrom: d.riley@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Add unit tests to validate the behavior of the SDN VNet access migration logic. The tests cover multiple migration edge cases: * VNet migration between zones * Subtree retention, moving multiple VLAN tags under a VNet * Unconfigured resources, ensuring empty source paths do not create empty target nodes * Conflict prevention, aborting on destination collisions Link: https://bugzilla.proxmox.com/show_bug.cgi?id=7520 Signed-off-by: David Riley --- src/test/Makefile | 2 + src/test/sdn_acl_migration_test.pl | 183 +++++++++++++++++++++++++++++ 2 files changed, 185 insertions(+) create mode 100644 src/test/sdn_acl_migration_test.pl diff --git a/src/test/Makefile b/src/test/Makefile index 2f44186..7d4267f 100644 --- a/src/test/Makefile +++ b/src/test/Makefile @@ -15,3 +15,5 @@ check: perl -I.. realm_sync_test.pl perl -I.. api-tests.pl perl -I.. sdn_acl_pruning_test.pl + perl -I.. sdn_acl_migration_test.pl + diff --git a/src/test/sdn_acl_migration_test.pl b/src/test/sdn_acl_migration_test.pl new file mode 100644 index 0000000..175e070 --- /dev/null +++ b/src/test/sdn_acl_migration_test.pl @@ -0,0 +1,183 @@ +#!/usr/bin/env perl + +use strict; +use warnings; + +use lib qw(..); + +use PVE::AccessControl; +use PVE::Tools; +use PVE::RPCEnvironment; + +use Test::More; +use Test::MockModule; + +# test cases +my $tests = [ + { + description => 'successful migration of vnets and child vlans', + raw => <<~EOF, + user:user1\@pve:1:0:::::: + role:SDNAdmin:SDN.Allocate,SDN.Audit + acl:1:/sdn/zones/zone1/vnet1:user1\@pve:SDNAdmin: + acl:1:/sdn/zones/zone1/vnet2:user1\@pve:SDNAdmin: + acl:1:/sdn/zones/zone1/vnet2/100:user1\@pve:SDNAdmin: + acl:1:/sdn/zones/zone1/vnet2/200:user1\@pve:SDNAdmin: + EOF + migrations => [ + { + src_path => ['zones', 'zone1', 'vnet1'], + dest_path => ['zones', 'zone2', 'vnet1'], + }, + { + src_path => ['zones', 'zone1', 'vnet2'], + dest_path => ['zones', 'zone2', 'vnet2'], + }, + { + src_path => ['zones', 'zone1', 'vnet4'], + dest_path => ['zones', 'zone2', 'vnet4'], + }, # fictional move + ], + expected_roles => [ + # src paths, should be empty after the migration + ['user1@pve', '/sdn/zones/zone1/vnet1', ''], + ['user1@pve', '/sdn/zones/zone1/vnet2', ''], + ['user1@pve', '/sdn/zones/zone1/vnet2/100', ''], + ['user1@pve', '/sdn/zones/zone1/vnet2/200', ''], + + # dest paths, should have the migrated permissions + ['user1@pve', '/sdn/zones/zone2/vnet1', 'SDNAdmin'], + ['user1@pve', '/sdn/zones/zone2/vnet2', 'SDNAdmin'], + ['user1@pve', '/sdn/zones/zone2/vnet2/100', 'SDNAdmin'], + ['user1@pve', '/sdn/zones/zone2/vnet2/200', 'SDNAdmin'], + + # fictional move, should be empty + ['user1@pve', '/sdn/zones/zone1/vnet4', ''], + ['user1@pve', '/sdn/zones/zone2/vnet4', ''], + ], + }, + { + description => 'conflict without vlan tag', + raw => <<~EOF, + user:user1\@pve:1:0:::::: + user:user2\@pve:1:0:::::: + role:SDNAdmin:SDN.Allocate,SDN.Audit + acl:1:/sdn/zones/zone1/vnet3:user1\@pve:SDNAdmin: + acl:1:/sdn/zones/zone2/vnet3:user2\@pve:SDNAdmin: + EOF + migrations => [ + { + src_path => ['zones', 'zone1', 'vnet3'], + dest_path => ['zones', 'zone2', 'vnet3'], + }, + ], + expected_error => qr/already has permissions configured/, + error_desc => 'Migration must abort if direct target destination node already exists', + }, + { + description => 'conflict with vlan tag', + raw => <<~EOF, + user:user1\@pve:1:0:::::: + user:user2\@pve:1:0:::::: + role:SDNAdmin:SDN.Allocate,SDN.Audit + acl:1:/sdn/zones/zone1/vnet5:user1\@pve:SDNAdmin: + acl:1:/sdn/zones/zone2/vnet5/100:user2\@pve:SDNAdmin: + EOF + migrations => [ + { + src_path => ['zones', 'zone1', 'vnet5'], + dest_path => ['zones', 'zone2', 'vnet5'], + }, + ], + expected_error => qr/already has permissions configured/, + error_desc => + 'Migration must abort if a child of the target destination node already exists', + }, +]; + +# mocking +my $cluster_module = Test::MockModule->new('PVE::Cluster'); +$cluster_module->noop('cfs_update'); + +my $mocked_user_cfg_tree; +my $access_control_module = Test::MockModule->new('PVE::AccessControl'); + +$access_control_module->mock( + 'cfs_read_file', + sub { + my ($filename) = @_; + if ($filename eq 'user.cfg') { + return $mocked_user_cfg_tree; + } + die "mock cfs_read_file: unexpected file $filename"; + }, +); + +$access_control_module->mock( + 'cfs_write_file', + sub { + my ($filename, $cfg) = @_; + if ($filename eq 'user.cfg') { + $mocked_user_cfg_tree = $cfg; + } + }, +); + +$access_control_module->mock( + 'lock_user_config', + sub { + my ($code, $errmsg) = @_; + eval { $code->() }; + if (my $err = $@) { + die "$errmsg: $err\n"; + } + }, +); + +my $rpcenv = PVE::RPCEnvironment->init('cli'); + +# helper +sub check_roles { + my ($user, $path, $expected_result) = @_; + + my $roles = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path); + my $res = join(',', sort keys %$roles); + + is($res, $expected_result, "Roles for $user on $path should be '$expected_result'"); +} + +sub test_migration { + my ($case) = @_; + + $mocked_user_cfg_tree = PVE::AccessControl::parse_user_config("user.cfg", $case->{raw}); + $rpcenv->{user_cfg} = $mocked_user_cfg_tree; + + eval { PVE::AccessControl::migrate_sdn_resource_access($case->{migrations}); }; + my $err = $@; + + if ($case->{expected_error}) { + ok($err, $case->{error_desc}); + like($err, $case->{expected_error}, "Error message matches expected conflict string"); + } else { + is($err, '', "Migration completed without errors"); + + $rpcenv->{user_cfg} = $mocked_user_cfg_tree; + + for my $role_check ($case->{expected_roles}->@*) { + check_roles(@$role_check); + } + } +} + +sub main { + for my $case ($tests->@*) { + subtest $case->{description} => sub { + test_migration($case); + }; + } + + done_testing(); +} + +main(); +exit(0); -- 2.47.3