From 5724c7725432efc8f6970ac1a69d41f739d92aba Mon Sep 17 00:00:00 2001 From: Michal Kelner Mishali Date: Thu, 13 Sep 2018 14:31:12 +0300 Subject: [PATCH] NSX|V3: Restrict update of LB port with fixed IP Setting a fixed IP on the LB port should be avoided, restricting and sending a message to the user. Change-Id: I90567591e269b356af03d1abe854c08829e8d954 Signed-off-by: Michal Kelner Mishali --- vmware_nsx/plugins/common/plugin.py | 12 +++++++++--- vmware_nsx/tests/unit/nsx_v3/test_plugin.py | 17 +++++++++++++++++ 2 files changed, 26 insertions(+), 3 deletions(-) diff --git a/vmware_nsx/plugins/common/plugin.py b/vmware_nsx/plugins/common/plugin.py index 70005a7c29..0cde95c894 100644 --- a/vmware_nsx/plugins/common/plugin.py +++ b/vmware_nsx/plugins/common/plugin.py @@ -478,6 +478,12 @@ class NsxPluginBase(db_base_plugin_v2.NeutronDbPluginV2, msg = _('Can not update/delete VPNaaS port %s') % port_data['id'] raise n_exc.InvalidInput(error_message=msg) + def _assert_on_lb_port_fixed_ip_change(self, port_data, orig_dev_own): + if orig_dev_own == constants.DEVICE_OWNER_LOADBALANCERV2: + if "fixed_ips" in port_data and port_data["fixed_ips"]: + msg = _('Can not update Loadbalancer port with fixed IP') + raise n_exc.InvalidInput(error_message=msg) + def _assert_on_device_owner_change(self, port_data, orig_dev_own): """Prevent illegal device owner modifications """ 
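Review bot: The truthiness test in `_assert_on_lb_port_fixed_ip_change` (`"fixed_ips" in port_data and port_data["fixed_ips"]`) lets an update carrying `'fixed_ips': []` through, so a request that strips the addresses from a load balancer port is not rejected, while any non-empty value is refused even when it equals the address the port already has. If the intent is that the address of an LB port cannot be altered through a port update, testing for the key alone, `if 'fixed_ips' in port_data:`, closes the first gap; telling a real change from a resend would need the original port's fixed IPs, which this helper is not given. How an absent or empty `fixed_ips` reaches this helper is decided by callers outside the hunk, so confirm that before tightening. The method also has no docstring, unlike `_assert_on_device_owner_change` right below it; a one-liner such as `"""Reject fixed IP updates on a port owned by an LBaaS v2 load balancer."""` would match.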
@@ -551,14 +557,14 @@ class NsxPluginBase(db_base_plugin_v2.NeutronDbPluginV2, self._assert_on_external_net_with_compute(port_data) # Device owner validations: - self._assert_on_device_owner_change( - port_data, original_port.get('device_owner')) + orig_dev_owner = original_port.get('device_owner') + self._assert_on_device_owner_change(port_data, orig_dev_owner) self._assert_on_port_admin_state(port_data, device_owner) self._assert_on_port_sec_change(port_data, device_owner) self._validate_max_ips_per_port( port_data.get('fixed_ips', []), device_owner) - self._assert_on_vpn_port_change(original_port) + self._assert_on_lb_port_fixed_ip_change(port_data, orig_dev_owner) def _process_extra_attr_router_create(self, context, router_db, r): for extra_attr in l3_attrs_db.get_attr_info().keys(): diff --git a/vmware_nsx/tests/unit/nsx_v3/test_plugin.py b/vmware_nsx/tests/unit/nsx_v3/test_plugin.py index 4ce56b1aa2..184a8cdab1 100644 --- a/vmware_nsx/tests/unit/nsx_v3/test_plugin.py +++ b/vmware_nsx/tests/unit/nsx_v3/test_plugin.py @@ -997,6 +997,23 @@ class TestPortsV2(test_plugin.TestPortsV2, NsxV3PluginTestCaseMixin, n_exc.InvalidInput, self.plugin.update_port, self.ctx, port['id'], data) + def test_fail_update_lb_port_with_fixed_ip(self): + with self.network() as network: + data = {'port': { + 'network_id': network['network']['id'], + 'tenant_id': self._tenant_id, + 'name': 'pair_port', + 'admin_state_up': True, + 'device_id': 'fake_device', + 'device_owner': constants.DEVICE_OWNER_LOADBALANCERV2, + 'fixed_ips': []} + } + port = self.plugin.create_port(self.ctx, data) + data['port']['fixed_ips'] = '10.0.0.1' + self.assertRaises( + n_exc.InvalidInput, + self.plugin.update_port, self.ctx, port['id'], data) + def test_create_port_with_qos(self): with self.network() as network: policy_id = uuidutils.generate_uuid()
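Review bot: As this page renders the hunk, the last `-` marker sits directly in front of `self._assert_on_vpn_port_change(original_port)`, and it cannot be told from here whether that removes the VPNaaS guard or only a blank line before it. The line counts do not settle it because blank lines are lost in this rendering, so check the original patch: if the call is gone, VPNaaS ports lose their update restriction in a commit whose description only mentions load balancer ports. Separately, the new call is keyed on `orig_dev_owner` while the neighbouring checks take `device_owner`, which is defined above the hunk; a short comment such as `# LB check uses the owner recorded before this update` would make the difference deliberate. The enclosing validation method starts outside the hunk.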
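Review bot: The update in `test_fail_update_lb_port_with_fixed_ip` sets `fixed_ips` to the bare string `'10.0.0.1'` rather than a list of address dicts, so `assertRaises(n_exc.InvalidInput, ...)` can be satisfied by some other validator and does not prove the new load balancer check fired. In the previous hunk `_validate_max_ips_per_port` receives the same value before the LB check runs, and depending on how it counts entries an eight-character string may already trip it. Use `data['port']['fixed_ips'] = [{'ip_address': '10.0.0.1'}]` and, if the test base allows it, assert on the error message as well. Companion tests that an LB port can still be updated without `fixed_ips`, and that pin the behaviour for `'fixed_ips': []`, would mark the boundary of the restriction. The check lives in the common `NsxPluginBase`, yet only the nsx_v3 suite is extended here.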