NSX|V remove vnic from spoofguard only if port-security is enabled

When detaching a port from a vm, we should remove the vnic from the spoofguard policy only if it was added there before, meaning that the port-security is enabled Change-Id: If6d0c8623214a54825acbc3b1c4be9f9b7dd21d1
2016-07-03 10:48:42 +03:00 · 2016-07-03 10:48:42 +03:00 · 251e164216
parent 69219cd132
commit 251e164216
2 changed files with 35 additions and 2 deletions
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@ -1471,8 +1471,11 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                self._delete_security_groups_port_mapping(
                    context.session, vnic_id, curr_sgids)
                if cfg.CONF.nsxv.spoofguard_enabled:
-                    self._remove_vnic_from_spoofguard_policy(
-                        context.session, original_port['network_id'], vnic_id)
+                    if original_port[psec.PORTSECURITY]:
+                        self._remove_vnic_from_spoofguard_policy(
+                            context.session,
+                            original_port['network_id'],
+                            vnic_id)
                    # remove vm from the exclusion list when it is detached
                    # from the device if it has no port security
                    if not original_port[psec.PORTSECURITY]:
--- a/vmware_nsx/tests/unit/nsx_v/test_plugin.py
+++ b/vmware_nsx/tests/unit/nsx_v/test_plugin.py
@ -3723,6 +3723,36 @@ class TestNSXPortSecurity(test_psec.TestPortSecurity,
        self._del_port_with_vnic(port2['port']['id'], False)
        self._del_port_with_vnic(port1['port']['id'], True)

+    def test_detach_port_no_sec(self):
+        device_id = _uuid()
+        # create a compute port without port security
+        port = self._create_compute_port('net1', device_id, False)
+        # add vnic to the port
+        self._add_vnic_to_port(port['port']['id'], True, 3)
+
+        # detach the port
+        with mock.patch.object(
+            self.fc2,
+            'inactivate_vnic_assigned_addresses') as mock_inactivte:
+            self._del_vnic_from_port(port['port']['id'], True)
+            # inactivate spoofguard should not be called
+            self.assertFalse(mock_inactivte.called)
+
+    def test_detach_port_with_sec(self):
+        device_id = _uuid()
+        # create a compute port without port security
+        port = self._create_compute_port('net1', device_id, True)
+        # add vnic to the port
+        self._add_vnic_to_port(port['port']['id'], False, 3)
+
+        # detach the port
+        with mock.patch.object(
+            self.fc2,
+            'inactivate_vnic_assigned_addresses') as mock_inactivte:
+            self._del_vnic_from_port(port['port']['id'], False)
+            # inactivate spoofguard should be called
+            self.assertTrue(mock_inactivte.called)
+
    def _toggle_port_security(self, port_id, enable_port_security,
                              update_exclude):
        """Enable/disable port security on a port, and verify that the exclude