Don't require passing in port_security=False if security_groups present

If creating a port on a network that is marked as port_security_enabled=False and one passes in a security_group in the port_create request previously an error was raised saying they needed to also pass in port_security_enabled=False. This patch removes that requirement and instead sets port_security_enabled=True internally if a port has an ip_address and a security_group is passed in. This is more convient and does not break backwards compatibility. Closes-bug: #1267249 Change-Id: Ifb5a5511f016a5d8c5b5075c9fdc27279cdd9bb5
2014-01-08 13:10:54 -08:00 · 2014-01-08 13:10:54 -08:00 · a5ccc2358d
commit a5ccc2358d
parent 7fb2d579ae
2 changed files with 29 additions and 0 deletions
--- a/neutron/db/portsecurity_db.py
+++ b/neutron/db/portsecurity_db.py
@ -161,6 +161,13 @@ class PortSecurityDbMixin(object):
        if (psec.PORTSECURITY in port and
            isinstance(port[psec.PORTSECURITY], bool)):
            port_security_enabled = port[psec.PORTSECURITY]
+
+        # If port has an ip and security_groups are passed in
+        # conveniently set port_security_enabled to true this way
+        # user doesn't also have to pass in port_security_enabled=True
+        # when creating ports.
+        elif (has_ip and attrs.is_attr_set('security_groups')):
+            port_security_enabled = True
        else:
            port_security_enabled = self._get_network_security_binding(
                context, port['network_id'])
--- a/neutron/tests/unit/test_extension_portsecurity.py
+++ b/neutron/tests/unit/test_extension_portsecurity.py
@ -263,6 +263,28 @@ class TestPortSecurity(PortSecurityDBTestCase):
                self.assertEqual(len(port['port'][ext_sg.SECURITYGROUPS]), 1)
                self._delete('ports', port['port']['id'])

+    def test_create_port_with_security_group_and_net_sec_false(self):
+        # This tests that port_security_enabled is true when creating
+        # a port on a network that is marked as port_security_enabled=False
+        # that has a subnet and securiy_groups are passed it.
+        if self._skip_security_group:
+            self.skipTest("Plugin does not support security groups")
+        res = self._create_network('json', 'net1', True,
+                                   arg_list=('port_security_enabled',),
+                                   port_security_enabled=False)
+        net = self.deserialize('json', res)
+        self._create_subnet('json', net['network']['id'], '10.0.0.0/24')
+        security_group = self.deserialize(
+            'json', self._create_security_group(self.fmt, 'asdf', 'asdf'))
+        security_group_id = security_group['security_group']['id']
+        res = self._create_port('json', net['network']['id'],
+                                arg_list=('security_groups',),
+                                security_groups=[security_group_id])
+        port = self.deserialize('json', res)
+        self.assertEqual(port['port'][psec.PORTSECURITY], True)
+        self.assertEqual(port['port']['security_groups'], [security_group_id])
+        self._delete('ports', port['port']['id'])
+
    def test_update_port_security_off_with_security_group(self):
        if self._skip_security_group:
            self.skipTest("Plugin does not support security groups")