fixtures: Add support for security groups

We're going to want to use this for realistic API samples. The samples
we're using here were taken from a DevStack deployment based on pre-RC1
Train code so they should be fairly reflective of what you'd see in a
real deployment.

Note that this effectively undoes a lot of the changes first introduced
in Ibbee7fd11c1aa254e399d302adbae69126e98262, particularly around the
responses for instances in a down cell, where we previously changed
things so a 'security_groups' field was present in the response. This
is okay since we're not creating interfaces and therefore don't expect
to have security groups present.

Change-Id: I3c94b61fc323fefbd1c8790c4a2f60cada29e86f
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>

doc/api_samples/servers/v2.69/servers-details-resp.json

@@ -5,11 +5,6 @@
             "id": "b6b0410f-b65f-4473-855e-5d82a71759e0",
             "status": "UNKNOWN",
             "tenant_id": "6f70656e737461636b20342065766572",
-            "security_groups": [
-                {
-                    "name": "default"
-                }
-            ],
             "links": [
                 {
                     "href": "http://openstack.example.com/v2.1/6f70656e737461636b20342065766572/servers/b6b0410f-b65f-4473-855e-5d82a71759e0",

nova/tests/fixtures.py

@@ -1246,7 +1246,7 @@ class NeutronFixture(fixtures.Fixture):
         'availability_zones': [
             'nova'
         ],
-        'port_security_enabled': False,
+        'port_security_enabled': True,
         'ipv4_address_scope': None,
         'ipv6_address_scope': None,
         'provider:network_type': 'vxlan',
@@ -1254,6 +1254,77 @@ class NeutronFixture(fixtures.Fixture):
         'provider:segmentation_id': 24,
     }
 
+    security_group = {
+        'id': 'aec9df91-db1f-4e04-8ac6-e761d8461c53',
+        'name': 'default',
+        'description': 'Default security group',
+        'tenant_id': tenant_id,
+        'project_id': tenant_id,
+        'security_group_rules': [],  # setup later
+    }
+    security_group_rule_ip4_ingress = {
+        'id': 'e62268aa-1a17-4ff4-ae77-ab348bfe13a7',
+        'description': None,
+        'direction': 'ingress',
+        'ethertype': 'IPv4',
+        'protocol': None,
+        'port_range_min': None,
+        'port_range_max': None,
+        'remote_group_id': 'aec9df91-db1f-4e04-8ac6-e761d8461c53',
+        'remote_ip_prefix': None,
+        'security_group_id': 'aec9df91-db1f-4e04-8ac6-e761d8461c53',
+        'tenant_id': tenant_id,
+        'project_id': tenant_id,
+    }
+    security_group_rule_ip4_egress = {
+        'id': 'adf54daf-2ff9-4462-a0b0-f226abd1db28',
+        'description': None,
+        'direction': 'egress',
+        'ethertype': 'IPv4',
+        'protocol': None,
+        'port_range_min': None,
+        'port_range_max': None,
+        'remote_group_id': None,
+        'remote_ip_prefix': None,
+        'security_group_id': 'aec9df91-db1f-4e04-8ac6-e761d8461c53',
+        'tenant_id': tenant_id,
+        'project_id': tenant_id,
+    }
+    security_group_rule_ip6_ingress = {
+        'id': 'c4194b5c-3b50-4d35-9247-7850766aee2b',
+        'description': None,
+        'direction': 'ingress',
+        'ethertype': 'IPv6',
+        'protocol': None,
+        'port_range_min': None,
+        'port_range_max': None,
+        'remote_group_id': 'aec9df91-db1f-4e04-8ac6-e761d8461c53',
+        'remote_ip_prefix': None,
+        'security_group_id': 'aec9df91-db1f-4e04-8ac6-e761d8461c53',
+        'tenant_id': tenant_id,
+        'project_id': tenant_id,
+    }
+    security_group_rule_ip6_egress = {
+        'id': '16ce6a83-a1db-4d66-a10d-9481d493b072',
+        'description': None,
+        'direction': 'egress',
+        'ethertype': 'IPv6',
+        'protocol': None,
+        'port_range_min': None,
+        'port_range_max': None,
+        'remote_group_id': None,
+        'remote_ip_prefix': None,
+        'security_group_id': 'aec9df91-db1f-4e04-8ac6-e761d8461c53',
+        'tenant_id': tenant_id,
+        'project_id': tenant_id,
+    }
+    security_group['security_group_rules'] = [
+        security_group_rule_ip4_ingress['id'],
+        security_group_rule_ip4_egress['id'],
+        security_group_rule_ip6_ingress['id'],
+        security_group_rule_ip6_egress['id'],
+    ]
+
     subnet_1 = {
         'id': 'f8a6e8f8-c2ec-497c-9f23-da9616de54ef',
         'name': 'private-subnet',
@@ -1321,8 +1392,9 @@ class NeutronFixture(fixtures.Fixture):
         'device_id': '',
         'binding:vnic_type': 'normal',
         'binding:vif_type': 'ovs',
-        'port_security_enabled': False,
+        'port_security_enabled': True,
         'security_groups': [
+            security_group['id'],
         ],
     }
 
@@ -1345,8 +1417,9 @@ class NeutronFixture(fixtures.Fixture):
         'device_id': '',
         'binding:vnic_type': 'normal',
         'binding:vif_type': 'ovs',
-        'port_security_enabled': False,
+        'port_security_enabled': True,
         'security_groups': [
+            security_group['id'],
         ],
     }
 
@@ -1375,11 +1448,14 @@ class NeutronFixture(fixtures.Fixture):
                     orc.NET_BW_EGR_KILOBIT_PER_SEC: 1000},
             "required": ["CUSTOM_PHYSNET2", "CUSTOM_VNIC_TYPE_NORMAL"]
         },
-        'port_security_enabled': False,
+        'port_security_enabled': True,
         'security_groups': [
+            security_group['id'],
         ],
     }
 
+    # network_2 does not have security groups enabled - that's okay since most
+    # of these ports are SR-IOV'y anyway
     network_2 = {
         'id': '1b70879f-fd00-411e-8ea9-143e7820e61d',
         # TODO(stephenfin): This would be more useful name due to things like
@@ -1574,17 +1650,18 @@ class NeutronFixture(fixtures.Fixture):
                 copy.deepcopy(self.port_with_resource_request)
         }
 
-        # The fixture does not allow network update so we don't have to
-        # deepcopy here
+        # The fixture does not allow network, subnet or security group updates
+        # so we don't have to deepcopy here
         self._networks = {
             self.network_1['id']: self.network_1
         }
-        # The fixture does not allow network update so we don't have to
-        # deepcopy here
         self._subnets = {
             self.subnet_1['id']: self.subnet_1,
             self.subnet_ipv6_1['id']: self.subnet_ipv6_1,
         }
+        self._security_groups = {
+            self.security_group['id']: self.security_group,
+        }
 
     def setUp(self):
         super(NeutronFixture, self).setUp()
@@ -1603,12 +1680,6 @@ class NeutronFixture(fixtures.Fixture):
             'nova.network.neutronv2.api.API.remove_fixed_ip_from_instance',
             lambda *args, **kwargs: network_model.NetworkInfo.hydrate(
                 self.nw_info))
-        # TODO(stephenfin): This is a rubbish mock. We should instead mock the
-        # methods for the neutron client, like 'list_security_groups'
-        self.test.stub_out(
-            'nova.network.security_group.neutron_driver.SecurityGroupAPI.'
-            'get_instances_security_groups_bindings',
-            self.fake_get_instance_security_group_bindings)
 
         # Stub out port binding APIs which go through a KSA client Adapter
         # rather than python-neutronclient.
@@ -1715,6 +1786,10 @@ class NeutronFixture(fixtures.Fixture):
     def list_floatingips(self, retrieve_all=True, **_params):
         return {'floatingips': []}
 
+    def list_security_groups(self, retrieve_all=True, **_params):
+        return {'security_groups': self._list_resource(
+            self._security_groups, retrieve_all, **_params)}
+
     def create_port(self, body=None):
         body = body or {'port': {}}
         # Note(gibi): Some of the test expects that a pre-defined port is

nova/tests/functional/api_sample_tests/api_samples/servers/v2.69/servers-details-resp.json.tpl

@@ -5,11 +5,6 @@
             "id": "%(uuid)s",
             "status": "UNKNOWN",
             "tenant_id": "6f70656e737461636b20342065766572",
-            "security_groups": [
-                {
-                    "name": "default"
-                }
-            ],
             "links": [
                 {
                     "href": "%(versioned_compute_endpoint)s/servers/%(uuid)s",

nova/tests/functional/test_servers.py

@@ -1261,9 +1261,11 @@ class ServerTestV269(ServersTestBase):
                 # server is in the down cell.
                 self.assertEqual('UNKNOWN', server['status'])
                 self.assertIn(server['id'], self.down_cell_insts)
-                # the partial construct will have only 6 keys:
-                # created, tenant_id, security_groups, status, id and links.
-                self.assertEqual(6, len(server))
+                # the partial construct will only have 5 keys: created,
+                # tenant_id, status, id and links. security_groups should be
+                # present too but isn't since we haven't created a network
+                # interface
+                self.assertEqual(5, len(server))
             else:
                 # server in up cell
                 self.assertIn(server['id'], self.up_cell_insts)
@@ -1366,9 +1368,11 @@ class ServerTestV269(ServersTestBase):
                 self.assertEqual('UNKNOWN', server['status'])
                 if server['tenant_id'] != 'faker':
                     self.assertIn(server['id'], self.down_cell_insts)
-                # the partial construct will have only 5 keys:
-                # created, tenant_id, security_groups, status, id and links
-                self.assertEqual(6, len(server))
+                # the partial construct will only have 5 keys: created,
+                # tenant_id, status, id and links. security_groups should be
+                # present too but isn't since we haven't created a network
+                # interface
+                self.assertEqual(5, len(server))
             else:
                 # server in up cell
                 if server['tenant_id'] != 'faker':