all lists on lists.proxmox.com
 help / color / mirror / Atom feed
From: David Riley <d.riley@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-access-control v5 6/7] test: add sdn acl migration tests
Date: Tue,  7 Jul 2026 14:04:03 +0200	[thread overview]
Message-ID: <20260707120404.73072-7-d.riley@proxmox.com> (raw)
In-Reply-To: <20260707120404.73072-1-d.riley@proxmox.com>

Add unit tests to validate the behavior of the SDN VNet ACL migration
logic.

The tests cover multiple migration edge cases:
* VNet migration between zones
* Subtree retention, moving multiple VLAN tags under a VNet
* Unconfigured resources, ensuring empty source paths do not create
  empty target nodes
* Conflict prevention, aborting on destination collisions

Signed-off-by: David Riley <d.riley@proxmox.com>
---
 src/test/Makefile                  |   2 +
 src/test/sdn_acl_migration_test.pl | 171 +++++++++++++++++++++++++++++
 2 files changed, 173 insertions(+)
 create mode 100644 src/test/sdn_acl_migration_test.pl

diff --git a/src/test/Makefile b/src/test/Makefile
index 2f44186..7d4267f 100644
--- a/src/test/Makefile
+++ b/src/test/Makefile
@@ -15,3 +15,5 @@ check:
 	perl -I.. realm_sync_test.pl
 	perl -I.. api-tests.pl
 	perl -I.. sdn_acl_pruning_test.pl
+	perl -I.. sdn_acl_migration_test.pl
+
diff --git a/src/test/sdn_acl_migration_test.pl b/src/test/sdn_acl_migration_test.pl
new file mode 100644
index 0000000..a9323a4
--- /dev/null
+++ b/src/test/sdn_acl_migration_test.pl
@@ -0,0 +1,171 @@
+#!/usr/bin/env perl
+
+use v5.36;
+use strict;
+use warnings;
+
+use lib qw(..);
+
+use Test::MockModule;
+use Test::More;
+
+use PVE::AccessControl;
+use PVE::RPCEnvironment;
+use PVE::Tools;
+
+# test cases
+my $tests = [
+    {
+        description => 'successful migration of vnets and child vlans',
+        raw => <<~EOF,
+        user:user1\@pve:1:0::::::
+        role:SDNAdmin:SDN.Allocate,SDN.Audit
+        acl:1:/sdn/zones/zone1/vnet1:user1\@pve:SDNAdmin:
+        acl:1:/sdn/zones/zone1/vnet2:user1\@pve:SDNAdmin:
+        acl:1:/sdn/zones/zone1/vnet2/100:user1\@pve:SDNAdmin:
+        acl:1:/sdn/zones/zone1/vnet2/200:user1\@pve:SDNAdmin:
+        EOF
+        migrations => [
+            {
+                src_path => 'zones/zone1/vnet1',
+                dest_path => 'zones/zone2/vnet1',
+            },
+            {
+                src_path => 'zones/zone1/vnet2',
+                dest_path => 'zones/zone2/vnet2',
+            },
+            {
+                src_path => 'zones/zone1/vnet4',
+                dest_path => 'zones/zone2/vnet4',
+            }, # fictional move
+        ],
+        expected_roles => [
+            # src paths, should be empty after the migration
+            ['user1@pve', '/sdn/zones/zone1/vnet1', ''],
+            ['user1@pve', '/sdn/zones/zone1/vnet2', ''],
+            ['user1@pve', '/sdn/zones/zone1/vnet2/100', ''],
+            ['user1@pve', '/sdn/zones/zone1/vnet2/200', ''],
+
+            # dest paths, should have the migrated permissions
+            ['user1@pve', '/sdn/zones/zone2/vnet1', 'SDNAdmin'],
+            ['user1@pve', '/sdn/zones/zone2/vnet2', 'SDNAdmin'],
+            ['user1@pve', '/sdn/zones/zone2/vnet2/100', 'SDNAdmin'],
+            ['user1@pve', '/sdn/zones/zone2/vnet2/200', 'SDNAdmin'],
+
+            # fictional move, should be empty
+            ['user1@pve', '/sdn/zones/zone1/vnet4', ''],
+            ['user1@pve', '/sdn/zones/zone2/vnet4', ''],
+        ],
+    },
+    {
+        description => 'conflict without vlan tag',
+        raw => <<~EOF,
+        user:user1\@pve:1:0::::::
+        user:user2\@pve:1:0::::::
+        role:SDNAdmin:SDN.Allocate,SDN.Audit
+        acl:1:/sdn/zones/zone1/vnet3:user1\@pve:SDNAdmin:
+        acl:1:/sdn/zones/zone2/vnet3:user2\@pve:SDNAdmin:
+        EOF
+        migrations => [
+            {
+                src_path => 'zones/zone1/vnet3',
+                dest_path => 'zones/zone2/vnet3',
+            },
+        ],
+        expected_error => qr/already has permissions configured/,
+        error_desc => 'Migration must abort if direct target destination node already exists',
+    },
+    {
+        description => 'conflict with vlan tag',
+        raw => <<~EOF,
+        user:user1\@pve:1:0::::::
+        user:user2\@pve:1:0::::::
+        role:SDNAdmin:SDN.Allocate,SDN.Audit
+        acl:1:/sdn/zones/zone1/vnet5:user1\@pve:SDNAdmin:
+        acl:1:/sdn/zones/zone2/vnet5/100:user2\@pve:SDNAdmin:
+        EOF
+        migrations => [
+            {
+                src_path => 'zones/zone1/vnet5',
+                dest_path => 'zones/zone2/vnet5',
+            },
+        ],
+        expected_error => qr/already has permissions configured/,
+        error_desc =>
+            'Migration must abort if a child of the target destination node already exists',
+    },
+];
+
+# mocking
+my $cluster_module = Test::MockModule->new('PVE::Cluster');
+$cluster_module->noop('cfs_update');
+
+my $mocked_user_cfg_tree;
+my $access_control_module = Test::MockModule->new('PVE::AccessControl');
+
+$access_control_module->mock(
+    'cfs_read_file' => sub {
+        my ($filename) = @_;
+        if ($filename eq 'user.cfg') {
+            return $mocked_user_cfg_tree;
+        }
+        die "mock cfs_read_file: unexpected file $filename";
+    },
+    'cfs_write_file' => sub {
+        my ($filename, $cfg) = @_;
+        if ($filename eq 'user.cfg') {
+            $mocked_user_cfg_tree = $cfg;
+        }
+    },
+    'lock_user_config' => sub {
+        my ($code, $errmsg) = @_;
+        eval { $code->() };
+        if (my $err = $@) {
+            die "$errmsg: $err\n";
+        }
+    },
+);
+
+my $rpcenv = PVE::RPCEnvironment->init('cli');
+
+# helper
+sub check_roles {
+    my ($user, $path, $expected_result) = @_;
+
+    my $roles = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path);
+    my $res = join(',', sort keys %$roles);
+
+    is($res, $expected_result, "Roles for $user on $path should be '$expected_result'");
+}
+
+sub test_migration {
+    my ($case) = @_;
+
+    $mocked_user_cfg_tree = PVE::AccessControl::parse_user_config("user.cfg", $case->{raw});
+    $rpcenv->{user_cfg} = $mocked_user_cfg_tree;
+
+    eval { PVE::AccessControl::migrate_sdn_resource_access($case->{migrations}); };
+    my $err = $@;
+
+    if ($case->{expected_error}) {
+        ok($err, $case->{error_desc});
+        like($err, $case->{expected_error}, "Error message matches expected conflict string");
+    } else {
+        is($err, '', "Migration completed without errors");
+
+        $rpcenv->{user_cfg} = $mocked_user_cfg_tree;
+
+        for my $role_check ($case->{expected_roles}->@*) {
+            check_roles(@$role_check);
+        }
+    }
+}
+
+for my $case ($tests->@*) {
+    subtest $case->{description} => sub {
+        test_migration($case);
+    };
+}
+
+done_testing();
+
-- 
2.47.3





  parent reply	other threads:[~2026-07-07 12:06 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-07 12:03 [PATCH access-control/network v5 0/7] fix #7520: sdn: prune orphaned ACLs and handle VNet migrations David Riley
2026-07-07 12:03 ` [PATCH pve-access-control v5 1/7] permission: add acl tree node parent lookup without node creation David Riley
2026-07-07 12:03 ` [PATCH pve-access-control v5 2/7] fix #7520: sdn: add pruning SDN resources ACLs David Riley
2026-07-07 12:04 ` [PATCH pve-access-control v5 3/7] test: add sdn acl pruning tests David Riley
2026-07-07 12:04 ` [PATCH pve-access-control v5 4/7] permission: add helper to check for active permissions David Riley
2026-07-07 12:04 ` [PATCH pve-access-control v5 5/7] fix #7520: sdn: add VNet ACL migration David Riley
2026-07-07 12:04 ` David Riley [this message]
2026-07-07 12:04 ` [PATCH pve-network v5 7/7] fix #7520: config: prune orphaned and relocate moved VNet ACLs David Riley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260707120404.73072-7-d.riley@proxmox.com \
    --to=d.riley@proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal