ut: add unit test for bfd acl and address_set (kubeovn#4461)

* add unit test for ovn-nb-address_set.go Signed-off-by: zcq98 <[email protected]> * add unit test for ovn-nb-acl.go Signed-off-by: zcq98 <[email protected]> * add unit test for ovn-nb-bfd.go Signed-off-by: zcq98 <[email protected]> --------- Signed-off-by: zcq98 <[email protected]> Signed-off-by: liyh <[email protected]>
liyh-yusur · Sep 10, 2024 · 3299846 · 3299846
1 parent 153c8c8
commit 3299846
Show file tree

Hide file tree

Showing 4 changed files with 784 additions and 13 deletions.
diff --git a/pkg/ovs/ovn-nb-acl_test.go b/pkg/ovs/ovn-nb-acl_test.go
@@ -360,9 +360,6 @@ func (suite *OvnClientTestSuite) testCreateNodeACL() {
 	t.Parallel()
 
 	ovnClient := suite.ovnClient
-	pgName := "test_create_node_acl_pg"
-	nodeIP := "192.168.20.3"
-	joinIP := "100.64.0.2,fd00:100:64::2"
 
 	checkACL := func(pg *ovnnb.PortGroup, direction, priority, match string, options map[string]string) {
 		acl, err := ovnClient.GetACL(pg.Name, direction, priority, match, false)
@@ -376,7 +373,7 @@ func (suite *OvnClientTestSuite) testCreateNodeACL() {
 		require.Contains(t, pg.ACLs, acl.UUID)
 	}
 
-	expect := func(pg *ovnnb.PortGroup, _ string) {
+	expect := func(pg *ovnnb.PortGroup, nodeIP, pgName string) {
 		for _, ip := range strings.Split(nodeIP, ",") {
 			protocol := util.CheckProtocol(ip)
 			ipSuffix := "ip4"
@@ -396,17 +393,41 @@ func (suite *OvnClientTestSuite) testCreateNodeACL() {
 		}
 	}
 
-	err := ovnClient.CreatePortGroup(pgName, nil)
-	require.NoError(t, err)
+	t.Run("create node ACL with single stack nodeIP and dual stack joinIP", func(t *testing.T) {
+		pgName := "test_create_node_acl_pg"
+		nodeIP := "192.168.20.3"
+		joinIP := "100.64.0.2,fd00:100:64::2"
 
-	err = ovnClient.CreateNodeACL(pgName, nodeIP, joinIP)
-	require.NoError(t, err)
+		err := ovnClient.CreatePortGroup(pgName, nil)
+		require.NoError(t, err)
 
-	pg, err := ovnClient.GetPortGroup(pgName, false)
-	require.NoError(t, err)
-	require.Len(t, pg.ACLs, 2)
+		err = ovnClient.CreateNodeACL(pgName, nodeIP, joinIP)
+		require.NoError(t, err)
+
+		pg, err := ovnClient.GetPortGroup(pgName, false)
+		require.NoError(t, err)
+		require.Len(t, pg.ACLs, 2)
+
+		expect(pg, nodeIP, pgName)
+	})
+
+	t.Run("create node ACL with dual stack nodeIP and join IP", func(t *testing.T) {
+		pgName := "test-pg-overlap"
+		nodeIP := "192.168.20.4,fd00::4"
+		joinIP := "100.64.0.3,fd00:100:64::3"
+
+		err := ovnClient.CreatePortGroup(pgName, nil)
+		require.NoError(t, err)
 
-	expect(pg, nodeIP)
+		err = ovnClient.CreateNodeACL(pgName, nodeIP, joinIP)
+		require.NoError(t, err)
+
+		pg, err := ovnClient.GetPortGroup(pgName, false)
+		require.NoError(t, err)
+		require.Len(t, pg.ACLs, 4)
+
+		expect(pg, nodeIP, pgName)
+	})
 }
 
 func (suite *OvnClientTestSuite) testCreateSgDenyAllACL() {
@@ -2145,3 +2166,89 @@ func (suite *OvnClientTestSuite) testNewAnpACLMatch() {
 		})
 	}
 }
+
+func (suite *OvnClientTestSuite) testCreateBareACL() {
+	t := suite.T()
+	t.Parallel()
+
+	ovnClient := suite.ovnClient
+
+	t.Run("create bare ACL successfully", func(t *testing.T) {
+		err := ovnClient.CreateBareACL("test-parent", "from-lport", "1000", "ip4.src == 10.0.0.1", "allow")
+		require.NoError(t, err)
+	})
+
+	t.Run("create bare ACL with empty match", func(t *testing.T) {
+		err := ovnClient.CreateBareACL("test-parent", "from-lport", "1000", "", "allow")
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "new acl direction from-lport priority 1000 match")
+	})
+}
+
+func (suite *OvnClientTestSuite) testUpdateAnpRuleACLOps() {
+	t := suite.T()
+	t.Parallel()
+
+	ovnClient := suite.ovnClient
+
+	expect := func(row ovsdb.Row, action, direction, match, priority string) {
+		intPriority, err := strconv.Atoi(priority)
+		require.NoError(t, err)
+		require.Equal(t, action, row["action"])
+		require.Equal(t, direction, row["direction"])
+		require.Equal(t, match, row["match"])
+		require.Equal(t, intPriority, row["priority"])
+	}
+
+	t.Run("ingress ACL for ANP", func(t *testing.T) {
+		pgName := "test-pg-ingress"
+		asName := "test-as-ingress"
+		protocol := "tcp"
+		aclName := "test-acl"
+		priority := 1000
+		aclAction := ovnnb.ACLActionAllow
+		logACLActions := []ovnnb.ACLAction{ovnnb.ACLActionAllow}
+		rulePorts := []v1alpha1.AdminNetworkPolicyPort{}
+		isIngress := true
+		isBanp := false
+
+		err := ovnClient.CreatePortGroup(pgName, nil)
+		require.NoError(t, err)
+		ops, err := ovnClient.UpdateAnpRuleACLOps(pgName, asName, protocol, aclName, priority, aclAction, logACLActions, rulePorts, isIngress, isBanp)
+		require.NoError(t, err)
+		require.NotEmpty(t, ops)
+		expect(ops[0].Row, ovnnb.ACLActionAllow, ovnnb.ACLDirectionToLport, fmt.Sprintf("outport == @%s && ip && ip4.src == $%s", pgName, asName), "1000")
+	})
+
+	t.Run("egress ACL for BANP", func(t *testing.T) {
+		pgName := "test-pg-egress"
+		asName := "test-as-egress"
+		protocol := "udp"
+		aclName := "test-acl"
+		priority := 2000
+		aclAction := ovnnb.ACLActionDrop
+		logACLActions := []ovnnb.ACLAction{ovnnb.ACLActionDrop}
+		rulePorts := []v1alpha1.AdminNetworkPolicyPort{}
+		isIngress := false
+		isBanp := true
+
+		err := ovnClient.CreatePortGroup(pgName, nil)
+		require.NoError(t, err)
+		ops, err := ovnClient.UpdateAnpRuleACLOps(pgName, asName, protocol, aclName, priority, aclAction, logACLActions, rulePorts, isIngress, isBanp)
+		require.NoError(t, err)
+		require.NotEmpty(t, ops)
+		expect(ops[0].Row, ovnnb.ACLActionDrop, ovnnb.ACLDirectionFromLport, fmt.Sprintf("inport == @%s && ip && ip4.dst == $%s", pgName, asName), "2000")
+	})
+}
+
+func (suite *OvnClientTestSuite) testUpdateACL() {
+	t := suite.T()
+
+	ovnClient := suite.ovnClient
+
+	t.Run("update ACL with nil input", func(t *testing.T) {
+		err := ovnClient.UpdateACL(nil)
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "address_set is nil")
+	})
+}
diff --git a/pkg/ovs/ovn-nb-address_set_test.go b/pkg/ovs/ovn-nb-address_set_test.go
@@ -44,6 +44,27 @@ func (suite *OvnClientTestSuite) testCreateAddressSet() {
 		})
 		require.Error(t, err)
 	})
+
+	t.Run("create address set that already exists", func(t *testing.T) {
+		asName := "existing_address_set"
+		err := ovnClient.CreateAddressSet(asName, nil)
+		require.NoError(t, err)
+
+		// Attempt to create the same address set again
+		err = ovnClient.CreateAddressSet(asName, nil)
+		require.NoError(t, err)
+
+		// Verify that only one address set exists
+		ass, err := ovnClient.ListAddressSets(nil)
+		require.NoError(t, err)
+		count := 0
+		for _, as := range ass {
+			if as.Name == asName {
+				count++
+			}
+		}
+		require.Equal(t, 1, count)
+	})
 }
 
 func (suite *OvnClientTestSuite) testAddressSetUpdateAddress() {
@@ -86,6 +107,62 @@ func (suite *OvnClientTestSuite) testAddressSetUpdateAddress() {
 		require.NoError(t, err)
 		require.Empty(t, as.Addresses)
 	})
+
+	t.Run("update with mixed IPv4 and IPv6 addresses", func(t *testing.T) {
+		addresses := []string{"192.168.1.1", "2001:db8::1", "10.0.0.1", "fe80::1"}
+		err := ovnClient.AddressSetUpdateAddress(asName, addresses...)
+		require.NoError(t, err)
+
+		as, err := ovnClient.GetAddressSet(asName, false)
+		require.NoError(t, err)
+		require.ElementsMatch(t, addresses, as.Addresses)
+	})
+
+	t.Run("update with CIDR notation", func(t *testing.T) {
+		addresses := []string{"192.168.1.0/24", "2001:db8::/64"}
+		err := ovnClient.AddressSetUpdateAddress(asName, addresses...)
+		require.NoError(t, err)
+
+		as, err := ovnClient.GetAddressSet(asName, false)
+		require.NoError(t, err)
+		require.ElementsMatch(t, []string{"192.168.1.0/24", "2001:db8::/64"}, as.Addresses)
+	})
+
+	t.Run("update with duplicate addresses", func(t *testing.T) {
+		addresses := []string{"192.168.1.1", "192.168.1.1", "2001:db8::1", "2001:db8::1"}
+		err := ovnClient.AddressSetUpdateAddress(asName, addresses...)
+		require.NoError(t, err)
+
+		as, err := ovnClient.GetAddressSet(asName, false)
+		require.NoError(t, err)
+		require.ElementsMatch(t, []string{"192.168.1.1", "2001:db8::1"}, as.Addresses)
+	})
+
+	t.Run("update with invalid CIDR", func(t *testing.T) {
+		addresses := []string{"192.168.1.1", "invalid_cidr", "2001:db8::1"}
+		err := ovnClient.AddressSetUpdateAddress(asName, addresses...)
+		require.NoError(t, err)
+
+		as, err := ovnClient.GetAddressSet(asName, false)
+		require.NoError(t, err)
+		require.ElementsMatch(t, []string{"192.168.1.1", "invalid_cidr", "2001:db8::1"}, as.Addresses)
+	})
+
+	t.Run("update with empty address list", func(t *testing.T) {
+		err := ovnClient.AddressSetUpdateAddress(asName)
+		require.NoError(t, err)
+
+		as, err := ovnClient.GetAddressSet(asName, false)
+		require.NoError(t, err)
+		require.Empty(t, as.Addresses)
+	})
+
+	t.Run("update non-existent address set", func(t *testing.T) {
+		nonExistentAS := "non_existent_as"
+		err := ovnClient.AddressSetUpdateAddress(nonExistentAS, "192.168.1.1")
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "get address set")
+	})
 }
 
 func (suite *OvnClientTestSuite) testDeleteAddressSet() {
@@ -146,6 +223,10 @@ func (suite *OvnClientTestSuite) testDeleteAddressSets() {
 	ass, err := ovnClient.ListAddressSets(externalIDs)
 	require.NoError(t, err)
 	require.Empty(t, ass)
+
+	// delete address sets with empty externalIDs
+	err = ovnClient.DeleteAddressSets(map[string]string{})
+	require.NoError(t, err)
 }
 
 func (suite *OvnClientTestSuite) testListAddressSets() {
@@ -239,3 +320,16 @@ func (suite *OvnClientTestSuite) testAddressSetFilter() {
 		require.False(t, out)
 	})
 }
+
+func (suite *OvnClientTestSuite) testUpdateAddressSet() {
+	t := suite.T()
+	t.Parallel()
+
+	ovnClient := suite.ovnClient
+
+	t.Run("update with nil address set", func(t *testing.T) {
+		err := ovnClient.UpdateAddressSet(nil)
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "address_set is nil")
+	})
+}