Browse Source

Merge "Improve security policy update rules with transactions"

changes/38/744238/1
Zuul 2 weeks ago
committed by Gerrit Code Review
parent
commit
60ebf809d4
3 changed files with 32 additions and 7 deletions
  1. +1
    -0
      vmware_nsxlib/tests/unit/v3/policy/test_resources.py
  2. +18
    -6
      vmware_nsxlib/tests/unit/v3/policy/test_transaction.py
  3. +13
    -1
      vmware_nsxlib/v3/policy/core_resources.py

+ 1
- 0
vmware_nsxlib/tests/unit/v3/policy/test_resources.py View File

@@ -2022,6 +2022,7 @@ class TestPolicyCommunicationMap(NsxPolicyLibTestCase):
update_call.assert_called_once_with(
domain_id, map_id, entries,
category=constants.CATEGORY_APPLICATION,
use_child_rules=True,
tenant=TEST_TENANT)

def test_update_with_entries(self):


+ 18
- 6
vmware_nsxlib/tests/unit/v3/policy/test_transaction.py View File

@@ -393,7 +393,8 @@ class TestPolicyTransaction(policy_testcase.TestPolicyApi):
self.assert_infra_patch_call(expected_body)

@mock.patch('vmware_nsxlib.v3.policy.core_defs.NsxPolicyApi.get')
def test_updating_security_policy_and_dfw_rules(self, mock_get_api):
def _test_updating_security_policy_and_dfw_rules(
self, use_child_rules, mock_get_api):
dfw_rule1 = {'id': 'rule_id1', 'action': 'ALLOW',
'display_name': 'rule1', 'description': None,
'direction': 'IN_OUT', 'ip_protocol': 'IPV4_IPV6',
@@ -451,15 +452,20 @@ class TestPolicyTransaction(policy_testcase.TestPolicyApi):
name=security_policy['display_name'],
domain_id=domain_id,
map_id=map_id,
entries=dfw_rule_entries
entries=dfw_rule_entries,
use_child_rules=use_child_rules
)

dfw_rule1['display_name'] = new_rule_name
dfw_rule1['direction'] = new_direction
child_rules = [{'resource_type': 'ChildRule', 'Rule': dfw_rule1},
{'resource_type': 'ChildRule', 'Rule': dfw_rule2,
'marked_for_delete': True}]
security_policy.update({'children': child_rules})
if use_child_rules:
child_rules = [{'resource_type': 'ChildRule', 'Rule': dfw_rule1},
{'resource_type': 'ChildRule', 'Rule': dfw_rule2,
'marked_for_delete': True}]
security_policy.update({'children': child_rules})
else:
security_policy['rules'] = copy.deepcopy([dfw_rule1, dfw_rule2])

child_security_policies = [{
'resource_type': 'ChildSecurityPolicy',
'SecurityPolicy': security_policy
@@ -473,6 +479,12 @@ class TestPolicyTransaction(policy_testcase.TestPolicyApi):
'children': child_domains}
self.assert_infra_patch_call(expected_body)

def test_updating_security_policy_and_dfw_rules(self):
return self._test_updating_security_policy_and_dfw_rules(True)

def test_updating_security_policy_and_dfw_rules_no_child_rules(self):
return self._test_updating_security_policy_and_dfw_rules(False)

@mock.patch('vmware_nsxlib.v3.policy.core_defs.NsxPolicyApi.get')
def test_updating_security_policy_with_no_entries_set(self, mock_get_api):
dfw_rule1 = {'id': 'rule_id1', 'action': 'ALLOW',


+ 13
- 1
vmware_nsxlib/v3/policy/core_resources.py View File

@@ -3567,14 +3567,17 @@ class NsxPolicySecurityPolicyBaseApi(NsxPolicyResourceBase):

def update_entries(self, domain_id, map_id, entries,
category=constants.CATEGORY_APPLICATION,
use_child_rules=True,
tenant=constants.POLICY_INFRA_TENANT):
self.update_with_entries(domain_id, map_id, entries, category=category,
use_child_rules=use_child_rules,
tenant=tenant)

def update_with_entries(self, domain_id, map_id, entries=IGNORE,
name=IGNORE, description=IGNORE,
category=constants.CATEGORY_APPLICATION,
tags=IGNORE, map_sequence_number=IGNORE,
use_child_rules=True,
tenant=constants.POLICY_INFRA_TENANT):
map_def = self._init_parent_def(
domain_id=domain_id, map_id=map_id,
@@ -3633,7 +3636,16 @@ class NsxPolicySecurityPolicyBaseApi(NsxPolicyResourceBase):
map_def.set_obj_dict(comm_map)
# Update the entire map at the NSX
if transaction:
self._create_or_store(map_def, replaced_entries)
if use_child_rules:
self._create_or_store(map_def, replaced_entries)
else:
if not ignore_entries:
# Add the rules under the map and not as ChildRules for
# improved performance on the NSX side
comm_map['rules'] = [rule.get_obj_dict() for rule in
replaced_entries]
map_def.set_obj_dict(comm_map)
self._create_or_store(map_def)
else:
body = map_def.get_obj_dict()
if not ignore_entries:


Loading…
Cancel
Save