Merge "NFP node driver PTG update notification implementation" into stable/mitaka

2016-12-07 00:55:46 +00:00
parent dd86b4d3ca 14b39d1f6a
commit 66e1845b99
5 changed files with 164 additions and 2 deletions
--- a/gbpservice/neutron/services/grouppolicy/drivers/resource_mapping.py
+++ b/gbpservice/neutron/services/grouppolicy/drivers/resource_mapping.py
@@ -2218,6 +2218,10 @@ class ResourceMappingDriver(api.PolicyDriver, ImplicitResourceOperations,
        try:
            port_id = pt['port_id']
            port = self._get_port(context._plugin_context, port_id)
+            if ('port_security_enabled' in port and
+                    not port['port_security_enabled']):
+                LOG.debug("Port security disabled for port %s " % port_id)
+                return
            cur_sg_list = port[ext_sg.SECURITYGROUPS]
            new_sg_list = cur_sg_list + sg_list
            port[ext_sg.SECURITYGROUPS] = new_sg_list
@@ -2238,6 +2242,10 @@ class ResourceMappingDriver(api.PolicyDriver, ImplicitResourceOperations,
    def _disassoc_sgs_from_port(self, plugin_context, port_id, sg_list):
        try:
            port = self._get_port(plugin_context, port_id)
+            if ('port_security_enabled' in port and
+                    not port['port_security_enabled']):
+                LOG.debug("Port security disabled for port %s " % port_id)
+                return
            cur_sg_list = port[ext_sg.SECURITYGROUPS]
            new_sg_list = list(set(cur_sg_list) - set(sg_list))
            port[ext_sg.SECURITYGROUPS] = new_sg_list
--- a/gbpservice/neutron/services/servicechain/plugins/ncp/node_drivers/nfp_node_driver.py
+++ b/gbpservice/neutron/services/servicechain/plugins/ncp/node_drivers/nfp_node_driver.py
@@ -518,6 +518,7 @@ class NFPNodeDriver(driver_base.NodeDriverBase):
                context.instance['id'])
            raise e

+        self._update_ptg(context)
        self._wait_for_node_operation_completion(context,
                                                 network_function_id,
                                                 nfp_constants.DELETE)
@@ -607,7 +608,30 @@ class NFPNodeDriver(driver_base.NodeDriverBase):
                    operation=nfp_constants.UPDATE)

    def policy_target_group_updated(self, context, old_ptg, current_ptg):
-        pass
+        if not (old_ptg and current_ptg):
+            return
+        if current_ptg['description']:
+            desc = current_ptg['description'].split(':')
+            if 'opflex_eoc' in desc:
+                if (set(old_ptg[
+                        'provided_policy_rule_sets']).symmetric_difference(
+                            set(current_ptg['provided_policy_rule_sets']))):
+                    pts = context.gbp_plugin.get_policy_targets(
+                            context.plugin_context,
+                            filters={'port_id': [desc[-1]]})
+                    (pt,) = pts
+                    filters = {'description': [current_ptg['description']]}
+                    ptgs = context.gbp_plugin.get_policy_target_groups(
+                                context.plugin_context, filters)
+                    prs = []
+                    for ptg in ptgs:
+                        prs += ptg['provided_policy_rule_sets']
+                    context.gbp_plugin.update_policy_target_group(
+                            context.plugin_context,
+                            pt['policy_target_group_id'],
+                            {'policy_target_group':
+                                {'provided_policy_rule_sets':
+                                    dict((x, '') for x in prs)}})

    def _wait_for_network_function_delete_completion(self, context,
                                                     network_function_id):
@@ -1076,3 +1100,26 @@ class NFPNodeDriver(driver_base.NodeDriverBase):
                all())
            for sc_node_instance_ns_map in sc_node_instance_ns_maps:
                session.delete(sc_node_instance_ns_map)
+
+    def _update_ptg(self, context):
+        if hasattr(context, 'provider') and context.provider['description']:
+            gateway_desc = 'opflex_eoc' in context.provider[
+                'description'].split(':')
+            if gateway_desc:
+                pts = context.gbp_plugin.get_policy_targets(
+                        context.plugin_context,
+                        filters={'port_id': [context.provider[
+                            'description'].split(':')][-1]})
+                (pt,) = pts
+                filters = {'description': [context.provider['description']]}
+                ptgs = context.gbp_plugin.get_policy_target_groups(
+                        context.plugin_context, filters)
+                prs = []
+                for ptg in ptgs:
+                    prs += ptg['provided_policy_rule_sets']
+                context.gbp_plugin.update_policy_target_group(
+                        context.plugin_context,
+                        pt['policy_target_group_id'],
+                        {'policy_target_group':
+                            {'provided_policy_rule_sets':
+                                dict((x, '') for x in prs)}})
--- a/gbpservice/neutron/tests/unit/services/grouppolicy/test_grouppolicy_plugin.py
+++ b/gbpservice/neutron/tests/unit/services/grouppolicy/test_grouppolicy_plugin.py
@@ -63,7 +63,8 @@ class GroupPolicyPluginTestBase(tgpmdb.GroupPolicyMappingDbTestCase):
              ml2_options=None, sc_plugin=None):
        if not gp_plugin:
            gp_plugin = GP_PLUGIN_KLASS
-        ml2_opts = ml2_options or {'mechanism_drivers': ['openvswitch']}
+        ml2_opts = ml2_options or {'mechanism_drivers': ['openvswitch'],
+                                   'extension_drivers': ['port_security']}
        for opt, val in ml2_opts.items():
            cfg.CONF.set_override(opt, val, 'ml2')
        core_plugin = core_plugin or test_plugin.PLUGIN_NAME
--- a/gbpservice/neutron/tests/unit/services/grouppolicy/test_resource_mapping.py
+++ b/gbpservice/neutron/tests/unit/services/grouppolicy/test_resource_mapping.py
@@ -1422,6 +1422,50 @@ class TestPolicyTargetGroup(ResourceMappingTestCase):
                simple_rule['id'], policy_actions=[action['id']],
                expected_res_status=200)

+    def test_port_security_group_rules_not_applied(self):
+        allow_rule = self._create_simple_policy_rule()
+        allow_prs = self.create_policy_rule_set(
+                policy_rules=[allow_rule['id']])['policy_rule_set']
+        ptg = self.create_policy_target_group(
+            provided_policy_rule_sets={allow_prs['id']: ''})[
+            'policy_target_group']
+        ctx = nctx.get_admin_context()
+        l2p = self._gbp_plugin.get_l2_policy(self._context,
+                                             ptg['l2_policy_id'])
+        network = self._get_object('networks', l2p['network_id'], self.api)[
+            'network']
+        res_port = self._create_port(
+                self.fmt, network['id'],
+                arg_list=('security_groups', 'port_security_enabled'),
+                port_security_enabled=False)
+        port = self.deserialize(self.fmt, res_port)['port']
+        data = {'port_id': port['id'],
+                'description': '', 'name': '', 'cluster_id': '',
+                'policy_target_group_id': ptg['id'],
+                'proxy_gateway': False, 'group_default_gateway': False}
+        pt = self._gbp_plugin.create_policy_target(
+                ctx, {'policy_target': data})
+        allow_rule2 = self._create_simple_policy_rule(protocol='icmp')
+        allow_prs2 = self.create_policy_rule_set(
+                policy_rules=[allow_rule2['id']])['policy_rule_set']
+        self.update_policy_target_group(
+                ptg['id'], provided_policy_rule_sets={
+                    allow_prs['id']: '', allow_prs2['id']: ''})[
+            'policy_target_group']
+        res_port2 = self._create_port(
+                self.fmt, network['id'],
+                arg_list=('security_groups', 'port_security_enabled'))
+        new_port = self.deserialize(self.fmt, res_port2)['port']
+        data.update(port_id=new_port['id'])
+        pt2 = self._gbp_plugin.create_policy_target(
+                ctx, {'policy_target': data})
+        port_sg_disabled = self._get_object('ports', pt['port_id'], self.api)[
+            'port']
+        port_sg_enabled = self._get_object('ports', pt2['port_id'], self.api)[
+            'port']
+        self.assertEqual([], port_sg_disabled['security_groups'])
+        self.assertTrue(port_sg_enabled['security_groups'])
+

 class TestL2Policy(ResourceMappingTestCase):

--- a/gbpservice/neutron/tests/unit/services/servicechain/ncp/test_nfp_node_driver.py
+++ b/gbpservice/neutron/tests/unit/services/servicechain/ncp/test_nfp_node_driver.py
@@ -750,3 +750,65 @@ class TestServiceChainInstance(NFPNodeDriverTestCase):
                          "policy_target_removed_notification") as pt_removed:
            self.delete_policy_target(pt['id'])
            pt_removed.assert_called_once_with(mock.ANY, mock.ANY, mock.ANY)
+
+    def test_policy_target_group_updated(self):
+        prof = self._create_service_profile(
+                service_type='FIREWALL',
+                vendor=self.SERVICE_PROFILE_VENDOR,
+                insertion_mode='l3', service_flavor='vyos')['service_profile']
+        node = self.create_servicechain_node(
+                service_profile_id=prof['id'],
+                config=self.DEFAULT_FW_CONFIG,
+                expected_res_status=201)['servicechain_node']
+        spec = self.create_servicechain_spec(
+                nodes=[node['id']])['servicechain_spec']
+
+        action = self.create_policy_action(
+                action_type='REDIRECT', action_value=spec['id'])[
+            'policy_action']
+        classifier = self.create_policy_classifier(
+                direction='bi', protocol='icmp')[
+            'policy_classifier']
+        rule = self.create_policy_rule(
+                policy_classifier_id=classifier['id'],
+                policy_actions=[action['id']])['policy_rule']
+        prs = self.create_policy_rule_set(
+                policy_rules=[rule['id']])['policy_rule_set']
+        # allow
+        allow_action = self.create_policy_action(action_type='ALLOW')[
+            'policy_action']
+        allow_rule = self.create_policy_rule(
+                policy_classifier_id=classifier['id'],
+                policy_actions=[allow_action['id']])['policy_rule']
+        allow_prs = self.create_policy_rule_set(
+                policy_rules=[allow_rule['id']])['policy_rule_set']
+        # ref ptg
+        ref_ptg = self.create_policy_target_group()['policy_target_group']
+        ref_pt = self.create_policy_target(
+                policy_target_group_id=ref_ptg['id'])['policy_target']
+
+        with mock.patch.object(nfp_node_driver.NFPClientApi,
+                               "create_network_function") as create_nf:
+            with mock.patch.object(nfp_node_driver.NFPClientApi,
+                                   'get_network_function') as get_nf:
+                get_nf.return_value = {
+                    'id': '126231632163',
+                    'status': 'ACTIVE'
+                }
+                create_nf.return_value = {
+                    'id': '126231632163'
+                }
+                orig_ptg = self.create_policy_target_group(
+                        description="opflex_eoc:%s" % ref_pt['port_id'],
+                        provided_policy_rule_sets={prs['id']: ''})[
+                    'policy_target_group']
+                current_ptg = self.update_policy_target_group(
+                        orig_ptg['id'],
+                        provided_policy_rule_sets={
+                            prs['id']: '', allow_prs['id']: ''})[
+                    'policy_target_group']
+                ref_ptg = self.show_policy_target_group(ref_ptg['id'])[
+                    'policy_target_group']
+                self.assertSetEqual(set(ref_ptg['provided_policy_rule_sets']),
+                                    set(current_ptg[
+                                            'provided_policy_rule_sets']))