From abca726e405fec960b546319ea81295b0c6adb0c Mon Sep 17 00:00:00 2001
From: Eugene Nikanorov
Date: Mon, 17 Feb 2014 16:35:09 +0400
Subject: [PATCH] Validate rule uuids provided for update_policy
Add corresponding validation method to fwaas extension
Change-Id: I643c10a996813d251684d3b5de04c8826729129f
Closes-Bug: #1281083
---
 neutron/extensions/firewall.py | 1 +
 neutron/tests/unit/db/firewall/test_db_firewall.py | 4 +++-
 neutron/tests/unit/test_extension_firewall.py | 11 +++++++++++
 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/neutron/extensions/firewall.py b/neutron/extensions/firewall.py
index 847914197f..b3279bb431 100644
--- a/neutron/extensions/firewall.py
+++ b/neutron/extensions/firewall.py
@@ -243,6 +243,7 @@ RESOURCE_ATTRIBUTE_MAP = {
 'is_visible': True, 'required_by_policy': True, 'enforce_policy': True}, 'firewall_rules': {'allow_post': True, 'allow_put': True,
+ 'validate': {'type:uuid_list': None},
 'convert_to': attr.convert_none_to_empty_list, 'default': None, 'is_visible': True}, 'audited': {'allow_post': True, 'allow_put': True,
diff --git a/neutron/tests/unit/db/firewall/test_db_firewall.py b/neutron/tests/unit/db/firewall/test_db_firewall.py
index 5a862f6afe..aa7f3efa6f 100644
--- a/neutron/tests/unit/db/firewall/test_db_firewall.py
+++ b/neutron/tests/unit/db/firewall/test_db_firewall.py
@@ -29,6 +29,7 @@ from neutron.db.firewall import firewall_db as fdb
 import neutron.extensions
 from neutron.extensions import firewall
 from neutron.openstack.common import importutils
+from neutron.openstack.common import uuidutils
 from neutron.plugins.common import constants
 from neutron.tests.unit import test_db_plugin
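Review bot: The `'validate': {'type:uuid_list': None}` entry added to `firewall_rules` is a format check only and the map should say so, since nothing here confirms that a listed rule exists or belongs to the caller's tenant. I would add a comment above the entry such as `# Format check only: rule existence and tenant ownership must still be enforced by the plugin on create/update.` The test_db_firewall.py hunk, which submits a well-formed but unknown UUID, suggests the plugin does handle that case, but the assertion is outside the visible lines. It is also worth a test that an explicit `null` still clears the list, because `'default': None` together with `attr.convert_none_to_empty_list` only works if conversion runs before validation, and that order is not visible in this hunk. The `RESOURCE_ATTRIBUTE_MAP` literal starts and ends outside the hunk.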
@@ -477,7 +478,8 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase):
 self.firewall_rule(name='fwr2', no_delete=True)) as fr:
 fw_rule_ids = [r['firewall_rule']['id'] for r in fr]
- fw_rule_ids.append('12345') # non-existent rule
+ # appending non-existent rule
+ fw_rule_ids.append(uuidutils.generate_uuid())
 data = {'firewall_policy': {'firewall_rules': fw_rule_ids}}
 req = self.new_update_request('firewall_policies', data,
diff --git a/neutron/tests/unit/test_extension_firewall.py b/neutron/tests/unit/test_extension_firewall.py
index 486f20f03b..be0b3ac2a0 100644
--- a/neutron/tests/unit/test_extension_firewall.py
+++ b/neutron/tests/unit/test_extension_firewall.py
@@ -378,6 +378,17 @@ class FirewallExtensionTestCase(testlib_api.WebTestCase):
 self.assertIn('firewall_policy', res)
 self.assertEqual(res['firewall_policy'], return_value)
+ def test_firewall_policy_update_malformed_rules(self):
+ # emulating client request when no rule uuids are provided for
+ # --firewall_rules parameter
+ update_data = {'firewall_policy': {'firewall_rules': True}}
+ # have to check for generic AppError
+ self.assertRaises(
+ webtest.AppError,
+ self.api.put,
+ _get_path('fw/firewall_policies', id=_uuid(), fmt=self.fmt),
+ self.serialize(update_data))
+
 def test_firewall_policy_delete(self):
 self._test_entity_delete('firewall_policy')
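Review bot: The new comment `# appending non-existent rule` does not say why the id now has to be a UUID, which is the reason for this edit. Something like `# well-formed but unknown UUID; a malformed id such as '12345' is now rejected by API validation before it reaches the plugin` would stop a later reader from simplifying it back to a short literal. This assumes `new_update_request` passes through the extension's attribute validation, which the change implies but the hunk does not show. The enclosing test method starts and ends outside the hunk.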
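Review bot: `assertRaises(webtest.AppError, ...)` in `test_firewall_policy_update_malformed_rules` passes on any error response, so a 500 from an unhandled exception would satisfy it just as well as the intended validation failure. If the harness allows it, pin the status instead: `res = self.api.put(_get_path('fw/firewall_policies', id=_uuid(), fmt=self.fmt), self.serialize(update_data), expect_errors=True)` followed by `self.assertEqual(400, res.status_int)`. The only malformed input exercised is the non-list value `True`. A list holding a non-UUID string such as `['12345']`, the value this commit removes from test_db_firewall.py, is no longer covered by any visible test and deserves a second case here.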