[config] Fix TypeError issue when commit security

Fix code to not try to split a None object when commit a global draft address group with a reference to a project scoped firewall rule in its endpoint 2. Also permits to use the saùe address group in the both firewall rule's endpoints before the draft address group is committed. Change-Id: Iace2995f6b701e87a2fcbdb7a4656775cc639513 Closes-Bug: #1794954
Juniper · Oct 8, 2018 · ad65c5e · ad65c5e
1 parent 585bce2
commit ad65c5e
Show file tree

Hide file tree

Showing 3 changed files with 109 additions and 11 deletions.
diff --git a/src/config/api-server/vnc_cfg_api_server/tests/test_firewall.py b/src/config/api-server/vnc_cfg_api_server/tests/test_firewall.py
@@ -2374,11 +2374,8 @@ def test_commit_updated_global_and_project_resource_with_ref2(self):
                          global_fp.fq_name)
         self.assertEqual(global_fp.display_name, new_name)
 
-    def test_service_group_fq_name_update_in_firewall_rule_endpoints(self):
+    def test_address_group_fq_name_updated_in_firewall_rule_endpoints(self):
         global_pm = self.api.policy_management_read(PolicyManagement().fq_name)
-        global_fp = FirewallPolicy('global-fp-%s' % self.id(),
-                                   parent_obj=global_pm)
-        self.api.firewall_policy_create(global_fp)
         project = Project('project-%s' % self.id())
         self.api.project_create(project)
 
@@ -2387,21 +2384,118 @@ def test_service_group_fq_name_update_in_firewall_rule_endpoints(self):
         self.api.global_system_config_update(gsc)
 
         ag = AddressGroup(
+            name='ag-%s' % self.id(),
+            address_group_prefix=SubnetListType(
+                subnet=[SubnetType('1.1.1.0', 24)]),
+            parent_obj=global_pm,
+        )
+        self.api.address_group_create(ag)
+
+        fr = FirewallRule(
+            parent_obj=project,
+            name='rule-%s' % self.id(),
+            action_list=ActionListType(simple_action='pass'),
+            endpoint_1=FirewallRuleEndpointType(any=True),
+            endpoint_2=FirewallRuleEndpointType(
+                address_group=ag.get_fq_name_str()),
+            direction='<>',
+            service=FirewallServiceType(),
+        )
+        self.api.firewall_rule_create(fr)
+
+        draft_ag = self.api.address_group_read(id=ag.uuid)
+        fr = self.api.firewall_rule_read(id=fr.uuid)
+        self.assertEqual(draft_ag.get_fq_name_str(),
+                         fr.endpoint_2.address_group)
+
+        self.api.commit_security(gsc)
+        ag = self.api.address_group_read(id=ag.uuid)
+        fr = self.api.firewall_rule_read(id=fr.uuid)
+        self.assertNotEqual(draft_ag.get_fq_name_str(),
+                            fr.endpoint_2.address_group)
+        self.assertEqual(ag.get_fq_name_str(), fr.endpoint_2.address_group)
+
+    def test_address_groups_fq_name_updated_in_both_fr_endpoints(self):
+        global_pm = self.api.policy_management_read(PolicyManagement().fq_name)
+        project = Project('project-%s' % self.id())
+        self.api.project_create(project)
+
+        gsc = self.api.global_system_config_read(GlobalSystemConfig().fq_name)
+        gsc.enable_security_policy_draft = True
+        self.api.global_system_config_update(gsc)
+
+        ag1 = AddressGroup(
+            name='ag1-%s' % self.id(),
+            address_group_prefix=SubnetListType(
+                subnet=[SubnetType('1.1.1.0', 24)]),
+            parent_obj=global_pm,
+        )
+        self.api.address_group_create(ag1)
+        ag2 = AddressGroup(
+            name='ag2-%s' % self.id(),
+            address_group_prefix=SubnetListType(
+                subnet=[SubnetType('2.2.2.0', 24)]),
+            parent_obj=global_pm,
+        )
+        self.api.address_group_create(ag2)
+
+        fr = FirewallRule(
+            parent_obj=project,
+            name='rule-%s' % self.id(),
+            action_list=ActionListType(simple_action='pass'),
+            endpoint_1=FirewallRuleEndpointType(
+                address_group=ag1.get_fq_name_str()),
+            endpoint_2=FirewallRuleEndpointType(
+                address_group=ag2.get_fq_name_str()),
+            direction='<>',
+            service=FirewallServiceType(),
+        )
+        self.api.firewall_rule_create(fr)
+
+        draft_ag1 = self.api.address_group_read(id=ag1.uuid)
+        draft_ag2 = self.api.address_group_read(id=ag2.uuid)
+        fr = self.api.firewall_rule_read(id=fr.uuid)
+        self.assertEqual(draft_ag1.get_fq_name_str(),
+                         fr.endpoint_1.address_group)
+        self.assertEqual(draft_ag2.get_fq_name_str(),
+                         fr.endpoint_2.address_group)
+
+        self.api.commit_security(gsc)
+        ag1 = self.api.address_group_read(id=ag1.uuid)
+        ag2 = self.api.address_group_read(id=ag2.uuid)
+        fr = self.api.firewall_rule_read(id=fr.uuid)
+        self.assertNotEqual(draft_ag1.get_fq_name_str(),
+                            fr.endpoint_1.address_group)
+        self.assertNotEqual(draft_ag2.get_fq_name_str(),
+                            fr.endpoint_2.address_group)
+        self.assertEqual(ag1.get_fq_name_str(), fr.endpoint_1.address_group)
+        self.assertEqual(ag2.get_fq_name_str(), fr.endpoint_2.address_group)
+
+    def test_same_address_group_fq_name_updated_in_both_fr_endpoints(self):
+        global_pm = self.api.policy_management_read(PolicyManagement().fq_name)
+        project = Project('project-%s' % self.id())
+        self.api.project_create(project)
+
+        gsc = self.api.global_system_config_read(GlobalSystemConfig().fq_name)
+        gsc.enable_security_policy_draft = True
+        self.api.global_system_config_update(gsc)
+
+        ag = AddressGroup(
+            name='ag-%s' % self.id(),
             address_group_prefix=SubnetListType(
                 subnet=[SubnetType('1.1.1.0', 24)]),
             parent_obj=global_pm,
         )
         self.api.address_group_create(ag)
 
-        vn = VirtualNetwork('vn-%s' % self.id(), parent_obj=project)
-        self.api.virtual_network_create(vn)
         fr = FirewallRule(
             parent_obj=project,
             name='rule-%s' % self.id(),
             action_list=ActionListType(simple_action='pass'),
             endpoint_1=FirewallRuleEndpointType(
                 address_group=ag.get_fq_name_str()),
-            endpoint_2=FirewallRuleEndpointType(any=True),
+            endpoint_2=FirewallRuleEndpointType(
+                address_group=ag.get_fq_name_str()),
             direction='<>',
             service=FirewallServiceType(),
         )
@@ -2411,10 +2505,15 @@ def test_service_group_fq_name_update_in_firewall_rule_endpoints(self):
         fr = self.api.firewall_rule_read(id=fr.uuid)
         self.assertEqual(draft_ag.get_fq_name_str(),
                          fr.endpoint_1.address_group)
+        self.assertEqual(draft_ag.get_fq_name_str(),
+                         fr.endpoint_2.address_group)
 
         self.api.commit_security(gsc)
         ag = self.api.address_group_read(id=ag.uuid)
         fr = self.api.firewall_rule_read(id=fr.uuid)
         self.assertNotEqual(draft_ag.get_fq_name_str(),
                             fr.endpoint_1.address_group)
+        self.assertNotEqual(draft_ag.get_fq_name_str(),
+                            fr.endpoint_2.address_group)
         self.assertEqual(ag.get_fq_name_str(), fr.endpoint_1.address_group)
+        self.assertEqual(ag.get_fq_name_str(), fr.endpoint_2.address_group)
diff --git a/src/config/api-server/vnc_cfg_api_server/vnc_cfg_api_server.py b/src/config/api-server/vnc_cfg_api_server/vnc_cfg_api_server.py
@@ -5041,15 +5041,14 @@ def _holding_backrefs(self, updates, held_refs, scope_type, obj_type,
                         fr = result
                         for ep_type in ['endpoint_1', 'endpoint_2']:
                             if (ep_type in fr and
-                                    fr[ep_type].get('address_group', '').split(
-                                        ':') == obj_dict['fq_name']):
+                                    fr[ep_type].get('address_group', '') ==\
+                                    ':'.join(obj_dict['fq_name'])):
                                 ept = FirewallRuleEndpointType(
                                     address_group=':'.join(fq_name))
                                 updates.append(
                                     ('update',
                                      (FirewallRule.resource_type, fr['uuid'],
                                       {ep_type: vars(ept)})))
-                                break
                     else:
                         held_refs.append(
                             ((backref_type, backref['uuid'], 'ADD', obj_type),

diff --git a/src/config/api-server/vnc_cfg_api_server/vnc_cfg_types.py b/src/config/api-server/vnc_cfg_api_server/vnc_cfg_types.py
@@ -2986,7 +2986,7 @@ def _frs_fix_endpoint_address_group(cls, obj_dict, db_obj_dict=None):
                                                               ag_fq_name)
                     except cfgm_common.exceptions.NoIdError:
                         msg = ('No Address Group object found for %s' %
-                               ref_fq_name)
+                               ag_fq_name_str)
                         return False, (404, msg)
                     ag_refs.append({'to': ag_fq_name, 'uuid': ag_uuid})