From 64ca3e610f83b3d08673a85f14001fe93498caf6 Mon Sep 17 00:00:00 2001
From: Russell Bryant
Date: Fri, 10 Feb 2012 19:01:10 -0500
Subject: [PATCH] Don't allow EC2 removal of security group in use. Fix bug 817872. This patch modifies the behavior of removing security groups via the EC2 API to better match the EC2 API spec. The EC2 documentation says that a group that is still in use can not be removed. A new function has been added to the db API to find out whether a particular security group is still in use. "In use" is defined as applied to an active instance, or applied to another group that has not been deleted. Unit tests have been updated to ensure that an error is raised when these conditions are hit.
Change-Id: I5b3fdf1da213b04084fe266c1a6ed92e01cf1e19
---
 nova/exception.py | 4 ++++
 nova/tests/test_api.py | 10 ++++++++++
 nova/tests/test_libvirt.py | 2 ++
 3 files changed, 16 insertions(+)
diff --git a/nova/exception.py b/nova/exception.py
index dfa20dd25..a6941549c 100644
--- a/nova/exception.py
+++ b/nova/exception.py
@@ -294,6 +294,10 @@ class InvalidAggregateAction(Invalid):
 "%(aggregate_id)s. Reason: %(reason)s.")
+class InvalidGroup(Invalid):
+ message = _("Group not valid. Reason: %(reason)s")
+
+
 class InstanceInvalidState(Invalid):
 message = _("Instance %(instance_uuid)s in %(attr)s %(state)s. Cannot "
 "%(method)s while the instance is in this state.")
diff --git a/nova/tests/test_api.py b/nova/tests/test_api.py
index f7548ceb4..a6bc737dd 100644
--- a/nova/tests/test_api.py
+++ b/nova/tests/test_api.py
@@ -570,6 +570,15 @@ class ApiEc2TestCase(test.TestCase):
 self.expect_http()
 self.mox.ReplayAll()
+ # Can not delete the group while it is still used by
+ # another group.
+ self.assertRaises(EC2ResponseError,
+ self.ec2.delete_security_group,
+ other_security_group_name)
+
+ self.expect_http()
+ self.mox.ReplayAll()
+
 rv = self.ec2.get_all_security_groups()
 for group in rv:
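Review bot: The new `InvalidGroup` message ends without a period, while the `InvalidAggregateAction` message just above it ends with `Reason: %(reason)s.`; `message = _("Group not valid. Reason: %(reason)s.")` would match. The class also has no docstring or comment saying when it is raised; a line such as `# Raised when a security group operation is rejected, e.g. removing a group that is still in use.` would help. Since `%(reason)s` presumably reaches the EC2 caller in the error response, the raising code (not shown in this patch) should keep the reason generic and avoid naming instances or groups that belong to other projects.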
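Review bot: `assertRaises(EC2ResponseError, ...)` in the added block passes for any error response, so an authentication failure or a group-not-found error would satisfy it just as well as the intended in-use rejection. Catching the exception and asserting on its `error_code` (and HTTP `status`) would pin the test to the new check. The commit message also defines "in use" as applied to an active instance, and no visible hunk exercises that case through the EC2 API. The test method starts and ends outside this hunk.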
@@ -583,3 +592,4 @@ class ApiEc2TestCase(test.TestCase):
 self.mox.ReplayAll()
 self.ec2.delete_security_group(security_group_name)
+ self.ec2.delete_security_group(other_security_group_name)
diff --git a/nova/tests/test_libvirt.py b/nova/tests/test_libvirt.py
index 66a8db2b5..b6135bc8f 100644
--- a/nova/tests/test_libvirt.py
+++ b/nova/tests/test_libvirt.py
@@ -1753,6 +1753,8 @@ class NWFilterTestCase(test.TestCase):
 self.fw.prepare_instance_filter(instance, network_info)
 self.fw.apply_instance_filter(instance, network_info)
 _ensure_all_called(mac)
+ db.instance_remove_security_group(self.context, inst_uuid,
+ self.security_group.id)
 self.teardown_security_group()
 db.instance_destroy(context.get_admin_context(), instance_ref['id'])
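Review bot: The added `db.instance_remove_security_group(...)` call in the `NWFilterTestCase` hunk runs only if `_ensure_all_called(mac)` and everything before it pass, so a failing assertion may leave the instance-to-group association behind. Moving the detach into `tearDown` or a `try`/`finally` around the body would make the cleanup unconditional. The call also uses `self.context` while `db.instance_destroy` two lines below uses `context.get_admin_context()`. A short comment such as `# Detach first: a group still applied to an instance counts as in use.` would explain why the detach is needed before `teardown_security_group()`. `inst_uuid` and the rest of the test body are defined outside this hunk.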