ROX-31733: Add regression tests for VM guard checks#19497
Draft
ROX-31733: Add regression tests for VM guard checks#19497
Conversation
Add regression test coverage to prevent: - ROX-31602: Sensor ignoring Central capability check and causing panic - ROX-31552: Missing feature flag test coverage for VM dispatchers Changes: - Add capability/feature flag tests to VM/VMI dispatchers - Add capability test to VM index handler - Add TearDown state reset with explanatory comments - Include complete 7-gate SDLC audit trail All 7 SDLC gates approved. Post-merge: verify test coverage >90%. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
Skipping CI for Draft Pull Request. |
Contributor
There was a problem hiding this comment.
Hey - I've found 2 issues
Prompt for AI Agents
Please address the comments from this code review:
## Individual Comments
### Comment 1
<location path="sensor/common/virtualmachine/index/handler_impl_test.go" line_range="341-345" />
<code_context>
s.Require().NotNil(ch)
}
+
+func (s *virtualMachineHandlerSuite) TestSend_CapabilityNotSupported() {
+ // Remove capability to simulate old Central version
+ centralcaps.Set(nil)
+
+ cid := "1"
+ vm := &v1.IndexReport{VsockCid: cid}
+
+ // Send should return errCapabilityNotSupported when capability is absent
+ err := s.handler.Send(context.Background(), vm)
+ s.Require().Error(err)
+ s.Assert().ErrorContains(err, "Central does not have virtual machine capability")
+}
</code_context>
<issue_to_address>
**suggestion (testing):** Strengthen the assertion by checking the specific error value/sentinel instead of only using ErrorContains
Asserting the concrete error (e.g. `errCapabilityNotSupported`) instead of only using a substring match will make this test more resilient to future message wording changes and will more directly verify that the handler returns the expected guard error when the capability is absent. You could use `s.Require().ErrorIs(err, errCapabilityNotSupported)` (or equivalent) in place of, or alongside, `ErrorContains`.
```suggestion
// Send should return errCapabilityNotSupported when capability is absent
err := s.handler.Send(context.Background(), vm)
s.Require().Error(err)
s.Require().ErrorIs(err, errCapabilityNotSupported)
s.Assert().ErrorContains(err, "Central does not have virtual machine capability")
}
```
</issue_to_address>
### Comment 2
<location path="sensor/kubernetes/listener/resources/virtualmachine/dispatcher/virtualmachines_test.go" line_range="279-286" />
<code_context>
},
expectedMsg: nil,
},
+ "feature flag disabled": {
+ action: central.ResourceAction_CREATE_RESOURCE,
+ obj: toUnstructured(newVirtualMachineInstance(vmiUID, vmiName, vmiNamespace, ownerUID, nil, v1.Scheduled)),
+ expectFn: func() {
+ s.T().Setenv(features.VirtualMachines.EnvVar(), "false")
+ },
+ expectedMsg: nil,
+ },
}
</code_context>
<issue_to_address>
**suggestion (testing):** Tighten the "feature flag disabled" case by explicitly setting capabilities to avoid ambiguity in what guard is exercised
This case is meant to exercise the feature-flag-disabled path, but it doesn’t configure Central capabilities. To ensure the test fails only when the feature-flag guard regresses (and not due to missing capabilities or global state), set the VM capability to a supported state in `expectFn` before disabling the feature flag.
```suggestion
"feature flag disabled": {
action: central.ResourceAction_CREATE_RESOURCE,
obj: toUnstructured(newVirtualMachine(vmUID, vmName, vmNamespace, v1.VirtualMachineStatusStopped)),
expectFn: func() {
// Ensure capabilities are in a supported state so this case
// specifically validates the feature-flag guard.
centralcaps.Set(¢ralcaps.Config{
VirtualMachines: true,
})
s.T().Setenv(features.VirtualMachines.EnvVar(), "false")
},
expectedMsg: nil,
},
```
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
sensor/kubernetes/listener/resources/virtualmachine/dispatcher/virtualmachines_test.go
Show resolved
Hide resolved
Contributor
|
Images are ready for the commit at 0934d13. To use with deploy scripts, first |
Add ErrorIs check alongside ErrorContains in TestSend_CapabilityNotSupported to verify the specific sentinel error, not just the message substring. Keeps both assertions: ErrorIs for sentinel correctness, ErrorContains for message wording. Addresses PR review comment on #19497. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add AnyTimes store expectations to the capability and feature flag guard test cases so they fail on the nil assertion (Expected nil, but got non-nil event) rather than on an unexpected mock call. Without the guard (4.9.0): the dispatcher reaches the store and returns a non-nil event, failing s.Assert().Nil(actual). With the guard (fixed code): the guard returns nil before any store call — AnyTimes() means zero calls is also acceptable. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
AnyTimes() is too permissive. MaxTimes(1) precisely expresses that the store is called at most once: exactly once on unguarded code (4.9.0), zero times on guarded code (fixed). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
errox.CausedBy uses fmt.Errorf("%w: %v", sentinel, cause), which
stringifies the cause rather than wrapping it. The errox docs
explicitly state errors.Is(err.CausedBy(cause), cause) == false,
so ErrorIs on errCapabilityNotSupported cannot work without
modifying production code. ErrorContains on the error message
is the correct and sufficient assertion.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #19497 +/- ##
==========================================
+ Coverage 49.25% 49.26% +0.01%
==========================================
Files 2725 2726 +1
Lines 205582 205625 +43
==========================================
+ Hits 101261 101309 +48
+ Misses 96784 96780 -4
+ Partials 7537 7536 -1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Add regression test coverage to prevent ROX-31602 (Sensor ignoring Central capability check) and ROX-31552 (missing feature flag test coverage).
Problem:
VirtualMachinesSupportedcapability, causing Central to panic on unknown resource typesSolution:
Changes:
sensor/kubernetes/listener/resources/virtualmachine/dispatcher/virtualmachines_test.go(+11 lines)sensor/kubernetes/listener/resources/virtualmachine/dispatcher/virtualmachineinstances_test.go(+11 lines)sensor/common/virtualmachine/index/handler_impl_test.go(+17 lines).sdlc/directory: Complete 7-gate SDLC audit trail (all gates approved)User-facing documentation
Testing and quality
Automated testing
How I validated my change
gofmt(no changes required).sdlc/audit/test-rox-31602.mdPost-merge validation required:
Test execution blocked in worktree environment. After merge, verify test coverage:
See Security Audit Report (
.sdlc/sessions/test-rox-31602/security-audit-report.md) for details.🤖 Generated with Claude Code