<fix>[securitygroup]: remove strict sequential priority restriction

[MatheMatrix]

Resolves: ZSTAC-79067\n\nRemove overly strict sequential priority validation for security group rules API.

sync from gitlab !9173

[coderabbitai]

Walkthrough

将安全组规则优先级验证从“必须从1开始且连续”简化为仅验证为正整数（>=1），并保留对全局最大值的检查。该变更影响新增、更新和为 VM NIC 设置安全组的优先级验证逻辑以及相关测试。

Changes

Cohort / File(s)	Summary
安全组 API 验证逻辑 plugin/securityGroup/src/main/java/org/zstack/network/securitygroup/SecurityGroupApiInterceptor.java	移除对优先级序列必须从1开始且连续的校验；统一为仅检查优先级为正整数（>=1），并保留对全局最大优先级的边界校验；更新相关错误提示文本。
测试：允许非连续优先级 test/src/test/groovy/org/zstack/test/integration/networkservice/provider/flat/securitygroup/AddSecurityGroupRuleOptimizedCase.groovy, test/src/test/groovy/org/zstack/test/integration/networkservice/provider/flat/securitygroup/ChangeSecurityGroupRuleCase.groovy	调整测试预期，移除因非连续优先级导致的断言错误，改为允许并验证非连续/超序号优先级的添加与更新；添加注释说明行为变更（ZSTAC-79067）。

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰✨ 优先级不再排长队，
只要为正即可来，
规则随意跳一拍，
小兔鼓掌又欢快，
代码轻盈风也开。

🚥 Pre-merge checks | ✅ 2 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Merge Conflict Detection	⚠️ Warning	❌ Merge conflicts detected (4 files): ⚔️ compute/src/main/java/org/zstack/compute/vm/VmInstanceBase.java (content) ⚔️ plugin/securityGroup/src/main/java/org/zstack/network/securitygroup/SecurityGroupApiInterceptor.java (content) ⚔️ test/src/test/groovy/org/zstack/test/integration/networkservice/provider/flat/securitygroup/AddSecurityGroupRuleOptimizedCase.groovy (content) ⚔️ test/src/test/groovy/org/zstack/test/integration/networkservice/provider/flat/securitygroup/ChangeSecurityGroupRuleCase.groovy (content) These conflicts must be resolved before merging into 5.5.6.	Resolve conflicts locally and push changes to this branch.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title follows the required [scope]: format and is 67 characters, within the 72-character limit. It clearly summarizes the main change: removing strict sequential priority restrictions from security group rules validation.
Description check	✅ Passed	The pull request description is directly related to the changeset, referencing the resolved issue (ZSTAC-79067) and clearly describing the purpose: removing overly strict sequential priority validation for security group rules API.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch sync/ye.zou/fix/ZSTAC-79067

⚔️ Resolve merge conflicts (beta)

• Auto-commit resolved conflicts to branch sync/ye.zou/fix/ZSTAC-79067
• Create stacked PR with resolved conflicts
• Post resolved changes as copyable diffs in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In
`@plugin/securityGroup/src/main/java/org/zstack/network/securitygroup/SecurityGroupApiInterceptor.java`:
- Around line 491-493: The priority validation in SecurityGroupApiInterceptor
currently only enforces ao.getPriority() > 0 and misses an upper bound; update
the check in the method that validates ao.getPriority() to also ensure
ao.getPriority() <= SECURITY_GROUP_RULES_NUM_LIMIT and throw an
ApiMessageInterceptionException with a new appropriate error code (instead of
ORG_ZSTACK_NETWORK_SECURITYGROUP_10042) when the value exceeds the limit, using
a clear error message that includes the provided priority and the max allowed
(reference SECURITY_GROUP_RULES_NUM_LIMIT and the validation block around
ao.getPriority()).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

⚠️ 更新优先级缺少最大值上限校验。
当前仅校验 > 0，会绕过 SECURITY_GROUP_RULES_NUM_LIMIT 的上限（新增/变更路径已限制）。建议补齐上限检查并使用合适的新错误码。

🔧 建议补充上限校验

             if (ao.getPriority() < 1) {
                 throw new ApiMessageInterceptionException(argerr(ORG_ZSTACK_NETWORK_SECURITYGROUP_10042, "could not update security group rule priority, because priority[%d] must be positive", ao.getPriority()));
             }
+            if (ao.getPriority() > SecurityGroupGlobalConfig.SECURITY_GROUP_RULES_NUM_LIMIT.value(Integer.class)) {
+                throw new ApiMessageInterceptionException(argerr(ORG_ZSTACK_NETWORK_SECURITYGROUP_10042, "could not update security group rule priority, because priority[%d] exceeds the maximum limit[%d]", ao.getPriority(), SecurityGroupGlobalConfig.SECURITY_GROUP_RULES_NUM_LIMIT.value(Integer.class)));
+            }

🤖 Prompt for AI Agents

In
`@plugin/securityGroup/src/main/java/org/zstack/network/securitygroup/SecurityGroupApiInterceptor.java`
around lines 491 - 493, The priority validation in SecurityGroupApiInterceptor
currently only enforces ao.getPriority() > 0 and misses an upper bound; update
the check in the method that validates ao.getPriority() to also ensure
ao.getPriority() <= SECURITY_GROUP_RULES_NUM_LIMIT and throw an
ApiMessageInterceptionException with a new appropriate error code (instead of
ORG_ZSTACK_NETWORK_SECURITYGROUP_10042) when the value exceeds the limit, using
a clear error message that includes the provided priority and the max allowed
(reference SECURITY_GROUP_RULES_NUM_LIMIT and the validation block around
ao.getPriority()).

[coderabbitai]

🧹 Nitpick comments (2)

test/src/test/groovy/org/zstack/test/integration/networkservice/provider/flat/securitygroup/AddSecurityGroupRuleOptimizedCase.groovy (1)

612-617: 建议添加断言验证规则添加结果。

当前代码块添加了混合规则（ingress + egress）在优先级 12，但没有断言验证规则是否成功添加。与上方 594-600 行的处理方式（有 assert sg3.rules.find { it.priority == 13 } != null）保持一致会更好。

♻️ 建议的改进

         // ZSTAC-79067: mixed ingress+egress add at non-consecutive priority is now allowed
         sg3 = addSecurityGroupRule {
             securityGroupUuid = sg3.uuid
             rules = [rule_12, ingressRule]
             priority = 12
         }
+        assert sg3.rules.find { it.dstIpRange == "2.2.2.2-2.2.2.10" && it.priority == 12 } != null
+        assert sg3.rules.find { it.type == "Ingress" && it.dstPortRange == "12-13" } != null

test/src/test/groovy/org/zstack/test/integration/networkservice/provider/flat/securitygroup/ChangeSecurityGroupRuleCase.groovy (1)

234-236: 存在未使用的变量 rule_1。

方法 testChangeRulePriorityError 中，第 232 行获取了 rule_1 变量，但由于移除了连续优先级限制的测试断言，该变量现在未被使用。建议清理未使用的代码。

♻️ 建议的清理

     void testChangeRulePriorityError() {
         sg3 = querySecurityGroup {
             conditions = ["uuid=${sg3.uuid}"]
         }[0]

         assert sg3 != null
-        SecurityGroupRuleInventory rule_1 = sg3.rules.find { it.type == "Ingress" && it.priority == 1 && it.ipVersion == 4 }

         // ZSTAC-79067: priorities beyond current rule count are now allowed
         // (removed consecutive priority restriction)
     }