tests: port test_port_presence_prevents_network_rbac_policy_deletion

The test was originally implemented in this form as a tempest api test
case, but there is a problem with it being part of tempest suite,
because the suite should be safe to execute on a running cloud and
shouldn't affect other tenants. But sharing a network with everyone (*)
briefly impacts other tenants because they see a new shared network
popping up for a second in their net-list. It is also an issue because
if we are unlucky enough, some other tenant may start an instance
without specifying a particular port or network to use, in which case
there is a chance that nova allocates a port in this shared network and
attach it to the instance. When the rbac test case then tries to delete
the policy and the network, it fails because it's still in use.

The solution is to stop testing this scenario in tempest suite, instead
moving it into unit test suite.

A follow-up patch in neutron-tempest-plugin will clean up the bad test
case.

Change-Id: I199f639c95e8ae884ede46404370d7b64da3b309
Needed-By: Iba89a53b2715cf3a9c7485f2089f27d547fea308
Related-Bug: #1753209
(cherry picked from commit 6c772de103e469ad17cdbc6a86ed15655aa6b9cc)

neutron/tests/unit/db/test_rbac_db_mixin.py

@@ -79,20 +79,44 @@ class NetworkRbacTestcase(test_plugin.NeutronDbPluginV2TestCase):
                               self.plugin.delete_rbac_policy,
                               self.context, netrbac['id'])
 
-    def test_delete_networkrbac(self):
+    def test_port_presence_prevents_network_rbac_policy_deletion(self):
         with self.network() as net:
             netrbac, port = self._setup_networkrbac_and_port(
-                network=net, target_tenant='test-tenant-4')
+                network=net, target_tenant='alice')
             self.assertRaises(ext_rbac.RbacPolicyInUse,
                               self.plugin.delete_rbac_policy,
                               self.context, netrbac['id'])
 
-            self.plugin.delete_port(self.context, port['id'])
+            # a wildcard policy should allow the specific policy to be deleted
+            # since it allows the remaining port
+            wild_policy = self._make_networkrbac(net, '*')
+            wild_policy = self.plugin.create_rbac_policy(self.context,
+                                                         wild_policy)
             self.plugin.delete_rbac_policy(self.context, netrbac['id'])
 
+            # now that wildcard is the only remaining, it should be subjected
+            # to to the same restriction
+            self.assertRaises(ext_rbac.RbacPolicyInUse,
+                              self.plugin.delete_rbac_policy,
+                              self.context, wild_policy['id'])
+
+            # similarly, we can't update the policy to a different tenant
+            update_policy = {'rbac_policy': {'target_tenant': 'bob'}}
+            self.assertRaises(ext_rbac.RbacPolicyInUse,
+                              self.plugin.update_rbac_policy,
+                              self.context, wild_policy['id'],
+                              update_policy)
+
+            # after port anchor is gone, update and delete should pass
+            self.plugin.delete_port(self.context, port['id'])
+            self.plugin.update_rbac_policy(
+                self.context, wild_policy['id'], update_policy)
+            self.plugin.delete_rbac_policy(self.context, wild_policy['id'])
+
+            # check that policy is indeed gone
             self.assertRaises(ext_rbac.RbacPolicyNotFound,
                               self.plugin.get_rbac_policy,
-                              self.context, netrbac['id'])
+                              self.context, wild_policy['id'])
 
     def test_delete_networkrbac_self_share(self):
         net_id = 'my-network'