internal/testutils: Change RunWithToken to a subtest API style

This commit changes `RunWithToken` to use a subtest API style. This
is more intuitive to use, over the old style where the caller had to do
an early return if `RunWithToken` returned true.

Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com>

Author: dylandreimerink

btf/handle_test.go

@@ -95,29 +95,21 @@ func TestNewHandleFromBTFWithToken(t *testing.T) {
 	buf, err := b.Marshal(nil, nil)
 	qt.Assert(t, qt.IsNil(err))
 
-	t.Run("no-cmd", func(t *testing.T) {
-		if testutils.RunWithToken(t, testutils.Delegated{
-			Cmds: []sys.Cmd{},
-			// We need to delegate at least one permission, so picking a random map type that we don't use in this test.
-			Maps: []sys.MapType{sys.BPF_MAP_TYPE_ARRAY},
-		}) {
-			return
-		}
-
+	testutils.RunWithToken(t, "no-cmd", testutils.Delegated{
+		Cmds: []sys.Cmd{},
+		// We need to delegate at least one permission, so picking a random map type that we don't use in this test.
+		Maps: []sys.MapType{sys.BPF_MAP_TYPE_ARRAY},
+	}, func(t *testing.T) {
 		h, err := btf.NewHandleFromRawBTF(buf)
 		testutils.SkipIfNotSupported(t, err)
 		qt.Assert(t, qt.ErrorIs(err, unix.EPERM))
 		h.Close()
 	})
 
-	t.Run("success", func(t *testing.T) {
-		if testutils.RunWithToken(t, testutils.Delegated{
-			Cmds: []sys.Cmd{sys.BPF_BTF_LOAD},
-			Maps: []sys.MapType{},
-		}) {
-			return
-		}
-
+	testutils.RunWithToken(t, "success", testutils.Delegated{
+		Cmds: []sys.Cmd{sys.BPF_BTF_LOAD},
+		Maps: []sys.MapType{},
+	}, func(t *testing.T) {
 		h, err := btf.NewHandleFromRawBTF(buf)
 		testutils.SkipIfNotSupported(t, err)
 		qt.Assert(t, qt.IsNil(err))

internal/testutils/token_linux.go

@@ -37,38 +37,37 @@ func init() {
 	}
 }
 
-// RunWithToken sets up an environment with a BPFFS with the provided delegated permissions.
-//
-// The calling test is effectively forked, this function returns true in the parent process, and false in the child
-// process. Only the child process with have access to the token, so the parent process should do an early return.
+// RunWithToken runs the provided `fn` in an environment where a BFPFS is setup to provide tokens with the specified
+// delegated permissions. The `name` parameter is used to name the subtest that will run `fn`, and the `delegated`
+// parameter specifies the permissions that will be delegated to the BPF tokens.
 //
 // Example usage:
 //
-//	if testutils.RunWithToken(t, testutils.Delegated{
+//	if testutils.RunWithToken(t, "happy-path-example", testutils.Delegated{
 //		Cmds: []sys.Cmd{sys.BPF_MAP_CREATE},
 //		Maps: []sys.MapType{sys.BPF_MAP_TYPE_HASH},
-//	}) {
-//		return
-//	}
-//	_, err := newMap(t, hashMapSpec, nil)
-//	qt.Assert(t, qt.IsNil(err))
-func RunWithToken(tb testing.TB, delegated Delegated) bool {
-	tb.Helper()
+//	}, func(t *testing.T) {
+//		_, err := newMap(t, hashMapSpec, nil)
+//		qt.Assert(t, qt.IsNil(err))
+//	})
+func RunWithToken(t *testing.T, name string, delegated Delegated, fn func(t *testing.T)) {
+	t.Helper()
 
 	if !platform.IsLinux {
-		tb.Skip("BPF tokens only work on Linux")
+		t.Skip("BPF tokens only work on Linux")
 	}
 
-	SkipOnOldKernel(tb, "6.9", "BPF_TOKEN_CREATE")
+	SkipOnOldKernel(t, "6.9", "BPF_TOKEN_CREATE")
 
-	// Detect when we are running the the child process and bail out.
+	// Detect when we are running the the child process and call fn.
 	if _, ok := os.LookupEnv(TOKEN_SUBTEST); ok {
-		return false
+		t.Run(name, fn)
+		return
 	}
 
 	// Run just the current test in a subprocess
 	args := []string{
-		"-test.run=^" + tb.Name() + "$",
+		"-test.run=^" + t.Name() + "/" + name + "$",
 	}
 
 	// If we are running in verbose mode, pass the flag to the subtest as well.
@@ -80,10 +79,10 @@ func RunWithToken(tb testing.TB, delegated Delegated) bool {
 	// started with a relative path or just the name of the binary, and we want an absolute path to re-exec ourselves.
 	exe, err := os.Executable()
 	if err != nil {
-		tb.Fatal(err)
+		t.Fatal(err)
 	}
 
-	cmd := exec.CommandContext(tb.Context(), exe, args...)
+	cmd := exec.CommandContext(t.Context(), exe, args...)
 
 	// Pass an environment variable to the subtest to indicate that it should run, and not skip.
 	cmd.Env = append(cmd.Environ(), TOKEN_SUBTEST+"=1")
@@ -95,7 +94,7 @@ func RunWithToken(tb testing.TB, delegated Delegated) bool {
 	// Create a socket pair for communication between the parent and child process.
 	pair, err := unix.Socketpair(unix.AF_UNIX, unix.SOCK_STREAM, 0)
 	if err != nil {
-		tb.Fatal(err)
+		t.Fatal(err)
 	}
 	parent, child := pair[0], pair[1]
 	defer unix.Close(parent)
@@ -104,7 +103,7 @@ func RunWithToken(tb testing.TB, delegated Delegated) bool {
 	// So find out all UIDs and GIDs of users on the system and map them into the user namespace of the child process.
 	uidMappings, gidMappings, err := parseUIDsGIDs()
 	if err != nil {
-		tb.Fatal(err)
+		t.Fatal(err)
 	}
 
 	// Let the child process inherit the child's end of the socket pair.
@@ -125,35 +124,33 @@ func RunWithToken(tb testing.TB, delegated Delegated) bool {
 	err = cmd.Start()
 	if err != nil {
 		unix.Close(child)
-		tb.Fatal(err)
+		t.Fatal(err)
 	}
 	unix.Close(child)
 
 	// Receive the bpffs context fd from the child process.
 	fds, err := recvFDs(1, parent)
 	if err != nil {
-		tb.Fatal(err)
+		t.Fatal(err)
 	}
 	bpffs := fds[0]
 
 	err = configureDelegated(bpffs, delegated)
 	if err != nil {
-		tb.Fatal(err)
+		t.Fatal(err)
 	}
 
 	// Send back a message, we don't care about the content, just a signal to tell the child process that the bpffs is
 	// configured and it can proceed with the test.
 	err = unix.Sendmsg(parent, []byte("done"), nil, nil, 0)
 	if err != nil {
-		tb.Fatal(err)
+		t.Fatal(err)
 	}
 
 	err = cmd.Wait()
 	if err != nil {
-		tb.Fatal(err)
+		t.Fatal(err)
 	}
-
-	return true
 }
 
 func parseUIDsGIDs() (uids, gids []syscall.SysProcIDMap, err error) {

internal/testutils/token_other.go

@@ -8,7 +8,6 @@ import (
 	"github.com/cilium/ebpf/internal"
 )
 
-func RunWithToken(tb testing.TB, delegated Delegated) bool {
-	tb.Skip(internal.ErrNotSupportedOnOS)
-	return false
+func RunWithToken(t *testing.T, name string, delegated Delegated, fn func(t *testing.T)) {
+	t.Skip(internal.ErrNotSupportedOnOS)
 }

map_test.go

@@ -1729,38 +1729,26 @@ func TestLoadWrongPin(t *testing.T) {
 }
 
 func TestMapWithToken(t *testing.T) {
-	t.Run("no-cmd", func(t *testing.T) {
-		if testutils.RunWithToken(t, testutils.Delegated{
-			Cmds: []sys.Cmd{},
-			Maps: []sys.MapType{sys.BPF_MAP_TYPE_HASH},
-		}) {
-			return
-		}
-
+	testutils.RunWithToken(t, "no-cmd", testutils.Delegated{
+		Cmds: []sys.Cmd{},
+		Maps: []sys.MapType{sys.BPF_MAP_TYPE_HASH},
+	}, func(t *testing.T) {
 		_, err := newMap(t, hashMapSpec, nil)
 		qt.Assert(t, qt.ErrorIs(err, unix.EPERM))
 	})
 
-	t.Run("no-map", func(t *testing.T) {
-		if testutils.RunWithToken(t, testutils.Delegated{
-			Cmds: []sys.Cmd{sys.BPF_MAP_CREATE},
-			Maps: []sys.MapType{},
-		}) {
-			return
-		}
-
+	testutils.RunWithToken(t, "no-map", testutils.Delegated{
+		Cmds: []sys.Cmd{sys.BPF_MAP_CREATE},
+		Maps: []sys.MapType{},
+	}, func(t *testing.T) {
 		_, err := newMap(t, hashMapSpec, nil)
 		qt.Assert(t, qt.ErrorIs(err, unix.EPERM))
 	})
 
-	t.Run("success", func(t *testing.T) {
-		if testutils.RunWithToken(t, testutils.Delegated{
-			Cmds: []sys.Cmd{sys.BPF_MAP_CREATE},
-			Maps: []sys.MapType{sys.BPF_MAP_TYPE_HASH},
-		}) {
-			return
-		}
-
+	testutils.RunWithToken(t, "success", testutils.Delegated{
+		Cmds: []sys.Cmd{sys.BPF_MAP_CREATE},
+		Maps: []sys.MapType{sys.BPF_MAP_TYPE_HASH},
+	}, func(t *testing.T) {
 		_, err := newMap(t, hashMapSpec, nil)
 		qt.Assert(t, qt.IsNil(err))
 	})

prog_test.go

@@ -917,54 +917,38 @@ func TestProgramLoadBoundToDevice(t *testing.T) {
 }
 
 func TestProgramWithToken(t *testing.T) {
-	t.Run("no-cmd", func(t *testing.T) {
-		if testutils.RunWithToken(t, testutils.Delegated{
-			Cmds:        []sys.Cmd{},
-			Progs:       []sys.ProgType{sys.BPF_PROG_TYPE_SOCKET_FILTER},
-			AttachTypes: []sys.AttachType{sys.BPF_CGROUP_INET_INGRESS},
-		}) {
-			return
-		}
-
+	testutils.RunWithToken(t, "no-cmd", testutils.Delegated{
+		Cmds:        []sys.Cmd{},
+		Progs:       []sys.ProgType{sys.BPF_PROG_TYPE_SOCKET_FILTER},
+		AttachTypes: []sys.AttachType{sys.BPF_CGROUP_INET_INGRESS},
+	}, func(t *testing.T) {
 		_, err := newProgram(t, basicProgramSpec, nil)
 		qt.Assert(t, qt.ErrorIs(err, unix.EPERM))
 	})
 
-	t.Run("no-prog", func(t *testing.T) {
-		if testutils.RunWithToken(t, testutils.Delegated{
-			Cmds:        []sys.Cmd{sys.BPF_PROG_LOAD},
-			Progs:       []sys.ProgType{},
-			AttachTypes: []sys.AttachType{sys.BPF_CGROUP_INET_INGRESS},
-		}) {
-			return
-		}
-
+	testutils.RunWithToken(t, "no-prog", testutils.Delegated{
+		Cmds:        []sys.Cmd{sys.BPF_PROG_LOAD},
+		Progs:       []sys.ProgType{},
+		AttachTypes: []sys.AttachType{sys.BPF_CGROUP_INET_INGRESS},
+	}, func(t *testing.T) {
 		_, err := newProgram(t, basicProgramSpec, nil)
 		qt.Assert(t, qt.ErrorIs(err, unix.EPERM))
 	})
 
-	t.Run("no-attach-type", func(t *testing.T) {
-		if testutils.RunWithToken(t, testutils.Delegated{
-			Cmds:        []sys.Cmd{sys.BPF_PROG_LOAD},
-			Progs:       []sys.ProgType{sys.BPF_PROG_TYPE_SOCKET_FILTER},
-			AttachTypes: []sys.AttachType{},
-		}) {
-			return
-		}
-
+	testutils.RunWithToken(t, "no-attach-type", testutils.Delegated{
+		Cmds:        []sys.Cmd{sys.BPF_PROG_LOAD},
+		Progs:       []sys.ProgType{sys.BPF_PROG_TYPE_SOCKET_FILTER},
+		AttachTypes: []sys.AttachType{},
+	}, func(t *testing.T) {
 		_, err := newProgram(t, basicProgramSpec, nil)
 		qt.Assert(t, qt.ErrorIs(err, unix.EPERM))
 	})
 
-	t.Run("success", func(t *testing.T) {
-		if testutils.RunWithToken(t, testutils.Delegated{
-			Cmds:        []sys.Cmd{sys.BPF_PROG_LOAD},
-			Progs:       []sys.ProgType{sys.BPF_PROG_TYPE_SOCKET_FILTER},
-			AttachTypes: []sys.AttachType{sys.BPF_CGROUP_INET_INGRESS},
-		}) {
-			return
-		}
-
+	testutils.RunWithToken(t, "success", testutils.Delegated{
+		Cmds:        []sys.Cmd{sys.BPF_PROG_LOAD},
+		Progs:       []sys.ProgType{sys.BPF_PROG_TYPE_SOCKET_FILTER},
+		AttachTypes: []sys.AttachType{sys.BPF_CGROUP_INET_INGRESS},
+	}, func(t *testing.T) {
 		_, err := newProgram(t, basicProgramSpec, nil)
 		qt.Assert(t, qt.IsNil(err))
 	})