Address pairs not allowed with no port security

Config: Address pairs should not be allowed when port security is not enabled Change-Id: I211bd7e89d82633bb6701ddb55d1527633ea246d Closes-Bug: 1685030
Juniper · Jun 7, 2017 · 5c8b568 · 5c8b568
1 parent b23a640
commit 5c8b568
Show file tree

Hide file tree

Showing 3 changed files with 82 additions and 3 deletions.
diff --git a/src/config/api-server/tests/test_crud_basic.py b/src/config/api-server/tests/test_crud_basic.py
@@ -755,14 +755,15 @@ def test_service_interface_type_value(self):
         port_obj = VirtualMachineInterface(
                    str(uuid.uuid4()), parent_obj=Project(),
                    virtual_machine_interface_properties=vmi_prop)
+
         port_obj.uuid = port_obj.name
         port_obj.set_virtual_network(vn)
 
         #creation of port should fail as the valid values for
         #service_interface_type are: management|left|right|other[0-9]*
         with ExpectedException(BadRequest) as e:
             port_id = self._vnc_lib.virtual_machine_interface_create(port_obj)
-       # end test_service_interface_type_value
+    # end test_service_interface_type_value
 
     def test_physical_router_credentials(self):
         phy_rout_name = self.id() + '-phy-router-1'
@@ -785,6 +786,27 @@ def test_physical_router_w_no_user_credentials(self):
         phy_rout_obj = self._vnc_lib.physical_router_read(id=phy_router.uuid)
         # end test_physical_router_w_no_user_credentials
 
+    def test_port_security_and_allowed_address_pairs(self):
+        vn = VirtualNetwork('vn-%s' %(self.id()))
+        self._vnc_lib.virtual_network_create(vn)
+
+        port_obj = VirtualMachineInterface(
+                   str(uuid.uuid4()), parent_obj=Project(),
+                   port_security_enabled=False)
+        port_obj.uuid = port_obj.name
+        port_obj.set_virtual_network(vn)
+
+        port_id = self._vnc_lib.virtual_machine_interface_create(port_obj)
+        addr_pair = AllowedAddressPairs(allowed_address_pair=
+                                        [AllowedAddressPair(
+                                        ip=SubnetType('1.1.1.0', 24),
+                                        mac='02:ce:1b:d7:a6:e7')])
+        # updating a port with allowed address pair should throw an exception
+        # when port security enabled is set to false
+        port_obj.virtual_machine_interface_allowed_address_pairs = addr_pair
+        with ExpectedException(BadRequest) as e:
+            self._vnc_lib.virtual_machine_interface_update(port_obj)
+    # end test_port_security_and_allowed_address_pairs
 # end class TestCrud
 
 

diff --git a/src/config/api-server/vnc_cfg_types.py b/src/config/api-server/vnc_cfg_types.py
@@ -689,6 +689,31 @@ def _check_vrouter_link(cls, vmi_data, kvp_dict, obj_dict, db_conn):
 
     # end _check_vrouter_link
 
+    @classmethod
+    def _check_port_security_and_address_pairs(cls, obj_dict, db_dict={}):
+        if ('port_security_enabled' not in obj_dict and
+            'virtual_machine_interface_allowed_address_pairs' not in obj_dict):
+            return True, ""
+
+        if 'port_security_enabled' in obj_dict:
+            port_security = obj_dict.get('port_security_enabled', True)
+        else:
+            port_security = db_dict.get('port_security_enabled', True)
+
+        if 'virtual_machine_interface_allowed_address_pairs' in obj_dict:
+            address_pairs = obj_dict.get(
+                            'virtual_machine_interface_allowed_address_pairs')
+        else:
+            address_pairs = db_dict.get(
+                            'virtual_machine_interface_allowed_address_pairs')
+
+        if not port_security and address_pairs is not None:
+            msg = "Allowed address pairs are not allowed when port "\
+                  "security is disabled"
+            return (False, (400, msg))
+
+        return True, ""
+
     @classmethod
     def pre_dbe_create(cls, tenant_name, obj_dict, db_conn):
         vn_dict = obj_dict['virtual_network_refs'][0]
@@ -755,6 +780,11 @@ def pre_dbe_create(cls, tenant_name, obj_dict, db_conn):
                              'value': cls.portbindings['VNIC_TYPE_NORMAL']}
                 kvps.append(vnic_type)
 
+        (ok, result) = cls._check_port_security_and_address_pairs(obj_dict)
+
+        if not ok:
+            return ok, result
+
         return True, ""
     # end pre_dbe_create
 
@@ -846,6 +876,11 @@ def pre_dbe_update(cls, id, fq_name, obj_dict, db_conn,
             if new_vlan != old_vlan:
                 return (False, (400, "Cannot change Vlan tag"))
 
+        (ok,result) = cls._check_port_security_and_address_pairs(obj_dict,
+                                                                 read_result)
+        if not ok:
+            return ok, result
+
         return True, ""
     # end pre_dbe_update
 

diff --git a/src/config/vnc_openstack/vnc_openstack/neutron_plugin_db.py b/src/config/vnc_openstack/vnc_openstack/neutron_plugin_db.py
@@ -3767,7 +3767,18 @@ def port_create(self, context, port_q):
 
         # always request for v4 and v6 ip object and handle the failure
         # create the object
-        port_id = self._resource_create('virtual_machine_interface', port_obj)
+        try:
+            port_id = self._resource_create('virtual_machine_interface', port_obj)
+        except BadRequest as e:
+            msg = "Allowed address pairs are not allowed when port "\
+                  "security is disabled"
+            if msg == str(e):
+                self._raise_contrail_exception(
+                   'AddressPairAndPortSecurityRequired')
+            else:
+                self._raise_contrail_exception(
+                   'BadRequest', resource='port', msg=str(e))
+
         self._vnc_lib.chown(port_id, tenant_id)
         # add support, nova boot --nic subnet-id=subnet_uuid
         subnet_id = port_q.get('subnet_id')
@@ -3869,7 +3880,18 @@ def port_update(self, port_id, port_q):
         port_obj = self._port_neutron_to_vnc(port_q, None, UPDATE)
         net_id = port_obj.get_virtual_network_refs()[0]['uuid']
         net_obj = self._network_read(net_id)
-        self._virtual_machine_interface_update(port_obj)
+        try:
+            self._virtual_machine_interface_update(port_obj)
+        except BadRequest as e:
+            msg = "Allowed address pairs are not allowed when port "\
+                  "security is disabled"
+            if msg == str(e):
+                self._raise_contrail_exception(
+                   'AddressPairAndPortSecurityRequired')
+            else:
+                self._raise_contrail_exception(
+                   'BadRequest', resource='port', msg=str(e))
+
         port_obj = self._virtual_machine_interface_read(port_id=port_id)
         ret_port_q = self._port_vnc_to_neutron(port_obj)