From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from gate001.proxmox.com (gate001.proxmox.com [45.144.208.40]) by lore.proxmox.com (Postfix) with ESMTPS id 9D2921FF146 for ; Tue, 07 Jul 2026 14:05:05 +0200 (CEST) Received: from gate001.proxmox.com (localhost.localdomain [127.0.0.1]) by gate001.proxmox.com (Proxmox) with ESMTP id 9E9E021465; Tue, 07 Jul 2026 14:05:04 +0200 (CEST) From: David Riley To: pve-devel@lists.proxmox.com Subject: [PATCH pve-access-control v5 3/7] test: add sdn acl pruning tests Date: Tue, 7 Jul 2026 14:04:00 +0200 Message-ID: <20260707120404.73072-4-d.riley@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260707120404.73072-1-d.riley@proxmox.com> References: <20260707120404.73072-1-d.riley@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1783425886821 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.037 Adjusted score from AWL reputation of From: address DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment (newer systems) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: J2ALFFOTO352HW6VIR4QWCLJLXHKGNRD X-Message-ID-Hash: J2ALFFOTO352HW6VIR4QWCLJLXHKGNRD X-MailFrom: d.riley@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Add unit tests to validate the behavior of the SDN resource ACL pruning logic. The tests cover all designated SDN resource paths including zones, vnets (with/without tags), controllers, prefix-lists, route-maps, and fabrics, ensuring explicit permissions are dropped when resources are deleted. Signed-off-by: David Riley --- src/test/Makefile | 1 + src/test/sdn_acl_pruning_test.pl | 134 +++++++++++++++++++++++++++++++ 2 files changed, 135 insertions(+) create mode 100644 src/test/sdn_acl_pruning_test.pl diff --git a/src/test/Makefile b/src/test/Makefile index 53f2da7..2f44186 100644 --- a/src/test/Makefile +++ b/src/test/Makefile @@ -14,3 +14,4 @@ check: perl -I.. perm-test8.pl perl -I.. realm_sync_test.pl perl -I.. api-tests.pl + perl -I.. sdn_acl_pruning_test.pl diff --git a/src/test/sdn_acl_pruning_test.pl b/src/test/sdn_acl_pruning_test.pl new file mode 100644 index 0000000..f407c89 --- /dev/null +++ b/src/test/sdn_acl_pruning_test.pl @@ -0,0 +1,134 @@ +#!/usr/bin/env perl + +use v5.36; +use strict; +use warnings; + +use lib qw(..); + +use Test::MockModule; +use Test::More; + +use PVE::AccessControl; +use PVE::RPCEnvironment; +use PVE::Tools; + +# test cases +my $tests = [ + { + description => 'successful pruning of sdn resource acls', + raw => <<~EOF, + user:user1\@pve:1:0:::::: + user:user2\@pve:1:0:::::: + user:user3\@pve:1:0:::::: + role:SDNAdmin:SDN.Allocate,SDN.Audit + role:SDNAudit:SDN.Audit + acl:1:/sdn/zones/zone1:user3\@pve:SDNAdmin: + acl:1:/sdn/zones/zone2:user3\@pve:SDNAdmin: + acl:1:/sdn/zones/zone1/vnet1:user1\@pve:SDNAdmin: + acl:1:/sdn/zones/zone1/vnet1/10:user1\@pve:SDNAdmin: + acl:1:/sdn/zones/zone1/vnet2:user1\@pve:SDNAdmin: + acl:1:/sdn/zones/zone1/vnet2/100:user1\@pve:SDNAudit: + acl:1:/sdn/controllers/control:user2\@pve:SDNAdmin: + acl:1:/sdn/prefix-lists/list:user2\@pve:SDNAdmin: + acl:1:/sdn/route-maps/map:user2\@pve:SDNAdmin: + acl:1:/sdn/fabrics/fabric:user2\@pve:SDNAdmin: + EOF + prune_paths => [ + 'zones/zone2', + 'zones/zone1/vnet1', + 'zones/zone1/vnet2/100', + 'controllers/control', + 'prefix-lists/list', + 'route-maps/map', + 'fabrics/fabric', + ], + expected_roles => [ + # zone 1 remains, zone 2 is pruned + ['user3@pve', '/sdn/zones/zone1', 'SDNAdmin'], + ['user3@pve', '/sdn/zones/zone2', ''], + + # vnet1 is completely pruned + ['user1@pve', '/sdn/zones/zone1/vnet1', ''], + ['user1@pve', '/sdn/zones/zone1/vnet1/10', ''], + + # vnet2 remains, but the specific vnet2/100 override (SDNAudit) is removed, + # so it falls back to inheriting SDNAdmin from vnet2 + ['user1@pve', '/sdn/zones/zone1/vnet2', 'SDNAdmin'], + ['user1@pve', '/sdn/zones/zone1/vnet2/100', 'SDNAdmin'], + + # other SDN resources pruned + ['user2@pve', '/sdn/controllers/control', ''], + ['user2@pve', '/sdn/prefix-lists/list', ''], + ['user2@pve', '/sdn/route-maps/map', ''], + ['user2@pve', '/sdn/fabrics/fabric', ''], + ], + }, +]; + +# mocking +my $cluster_module = Test::MockModule->new('PVE::Cluster'); +$cluster_module->noop('cfs_update'); + +my $mocked_user_cfg_tree; +my $access_control_module = Test::MockModule->new('PVE::AccessControl'); + +$access_control_module->mock( + 'cfs_read_file' => sub { + my ($filename) = @_; + if ($filename eq 'user.cfg') { + return $mocked_user_cfg_tree; + } + die "mock cfs_read_file: unexpected file $filename"; + }, + 'cfs_write_file' => sub { + my ($filename, $cfg) = @_; + if ($filename eq 'user.cfg') { + $mocked_user_cfg_tree = $cfg; + } + }, + 'lock_user_config' => sub { + my ($code, $errmsg) = @_; + eval { $code->() }; + if (my $err = $@) { + die "$errmsg: $err\n"; + } + }, +); + +my $rpcenv = PVE::RPCEnvironment->init('cli'); + +# helper +sub check_roles { + my ($user, $path, $expected_result) = @_; + + my $roles = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path); + my $res = join(',', sort keys %$roles); + + is($res, $expected_result, "Roles for $user on $path should be '$expected_result'"); +} + +for my $test ($tests->@*) { + subtest $test->{description} => sub { + $mocked_user_cfg_tree = PVE::AccessControl::parse_user_config("user.cfg", $test->{raw}); + $rpcenv->{user_cfg} = $mocked_user_cfg_tree; + + eval { PVE::AccessControl::remove_sdn_resource_access($test->{prune_paths}); }; + my $err = $@; + + if ($test->{expected_error}) { + ok($err, $test->{error_desc}); + like($err, $test->{expected_error}, "Error message matches expected string"); + } else { + is($err, '', "Pruning completed without errors"); + + $rpcenv->{user_cfg} = $mocked_user_cfg_tree; + + for my $role_check ($test->{expected_roles}->@*) { + check_roles(@$role_check); + } + } + }; +} + +done_testing(); -- 2.47.3