From ae3b8b33dd349616900a5644f4f859a33516a721 Mon Sep 17 00:00:00 2001
From: Adit Sarfaty <asarfaty@vmware.com>
Date: Tue, 13 Feb 2018 12:05:34 +0200
Subject: [PATCH] TVD Fwaas: prevent adding wrong plugin routers to FW

Validate that the router assigned to the firewall belongs to
the same core plugin

Change-Id: I602660700aaf65408c62e19c66aa812239eb7f98
---
 vmware_nsx/services/fwaas/nsx_tv/plugin_v1.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/vmware_nsx/services/fwaas/nsx_tv/plugin_v1.py b/vmware_nsx/services/fwaas/nsx_tv/plugin_v1.py
index 7dfb475277..b1d5855729 100644
--- a/vmware_nsx/services/fwaas/nsx_tv/plugin_v1.py
+++ b/vmware_nsx/services/fwaas/nsx_tv/plugin_v1.py
@@ -13,6 +13,9 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from neutron_lib import exceptions as n_exc
+from neutron_lib.plugins import directory
+
 from neutron_fwaas.services.firewall import fwaas_plugin
 
 from vmware_nsx.plugins.nsx import utils as tvd_utils
@@ -27,3 +30,18 @@ class FwaasTVPluginV1(fwaas_plugin.FirewallPlugin):
     methods_to_separate = ['get_firewalls',
                            'get_firewall_policies',
                            'get_firewall_rules']
+
+    def validate_firewall_routers_not_in_use(
+        self, context, router_ids, fwid=None):
+        # Override this method to verify that the router & firewall belongs to
+        # the same plugin
+        context_plugin_type = tvd_utils.get_tvd_plugin_type_for_project(
+            context.project_id, context)
+        core_plugin = directory.get_plugin()
+        for rtr_id in router_ids:
+            rtr_plugin = core_plugin._get_plugin_from_router_id(
+                context, rtr_id)
+            if rtr_plugin.plugin_type() != context_plugin_type:
+                err_msg = (_('Router should belong to the %s plugin '
+                             'as the firewall') % context_plugin_type)
+                raise n_exc.InvalidInput(error_message=err_msg)
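Review bot: The new `validate_firewall_routers_not_in_use` override never calls the parent implementation, so whatever check the base `FirewallPlugin` performs under that name (presumably that a router is not already bound to another firewall) no longer runs for this plugin. After the loop, add `super(FwaasTVPluginV1, self).validate_firewall_routers_not_in_use(context, router_ids, fwid=fwid)` so that both validations apply. The expected plugin type is also taken from `context.project_id`, which is the caller's project rather than the firewall's owner. If an admin can create or update a firewall on behalf of another tenant, the comparison is made against the wrong project, so this should be confirmed against the callers. Finally, the error message uses `_()` but neither hunk imports it; unless the file already imports it outside the visible context, the failure path raises `NameError` instead of `InvalidInput`.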